Tutorial NextDNS: a DoH/ DoT guide

As Lenny_Fox request a NextDNS guide with pictures, here we go - based on Your NextDNS settings thread.

First, info about NextDNS can be read at: official Website & GitHub

I use and recommend using their service in easiest way you can implement. For me that is on router level so i don't need any software on Clients.

Spoiler

Setup Webinterface:



The red marked is the one i use in my Fritzbox router DNS settings. Also you should add both DNSv4 from right side ("DNS Servers") and DNSv6 from left side ("IPv6") into your router if for some reason the encrypted DNS has problems.
If that's done, take a look at top and if "All good!" is listed, your setup is finished!

Now we will increase the setup to maximum protection

Security Webinterface:



Privacy Webinterface:



Parental Control Webinterface:



Denylist Webinterface:



Allowlist Webinterface:



Settings Webinterface:



Done!

Also don't forget to activate 2FA for your account!:

___________________________________________

Update February 2021:

Changes:

• moving from NextDNS default list + Unchecky filterlist to "OISD" filterlist for less false positives and better maintained list
• enable "Allow Affiliate & Tracking Links"
• add "Dating" to Parental Control

Since Lenny_Fox asked for a NextDNS tutorial with pictures, here it goes - based on the thread Q&A - Your NextDNS settings

Information about NextDNS can be read on the official website and GitHub on.

I use and recommend implementing NextDNS in the simplest way possible in your own setup. For me, it's at the router level, so I don't need any software on the clients.

Spoiler

NextDNS web interface -> Setup:



The data marked in red are the ones I use in the DNS settings of my Fritzbox router.

Both DNSv4 from the right side ("DNS Servers") and DNSv6 from the left side ("IPv6") should be configured in the router if for some reason the encrypted DNS causes problems. This way you have a fallback.
Once this is done, the web interface should say "All good!" at the top and the basic setup is complete!

Now we will increase the whole thing to maximum protection:

NextDNS web interface -> Security:



NextDNS web interface -> Privacy:



NextDNS web interface -> Parental Control:



NextDNS web interface -> Denylist:



NextDNS web interface -> Allowlist:



NextDNS web interface -> Settings:



Done!

You should also activate two-factor authentication (2FA) for your account!:

 

[blackice]

I know this doesn't block everything, but I could almost run with just NextDNS with OISD or, NextDNS list + AdGuard (with strict tracker blocking in Edge/Firefox) and not use any adblocker extensions. I tried surfing around with uBO turned off and saw zero ads.

 

[SecurityNightmares]

I know this doesn't block everything, but I could almost run with just NextDNS with OISD or, NextDNS list + AdGuard (with strict tracker blocking in Edge/Firefox) and not use any adblocker extensions. I tried surfing around with uBO turned off and saw zero ads.

Yes. Only disadvantage is some missed cosmetic filtering

 

[Morro]

Yes. Only disadvantage is some missed cosmetic filtering

And having to watch the ads inside Youtube Videos, uBlock Origin blocked those.

 

[SecurityNightmares]

And having to watch the ads inside Youtube Videos, uBlock Origin blocked those.

As i own a XBOX this is already the case for long time already

 

[Morro]

As i own a XBOX this is already the case for long time already

Yeah then you are used to it.

 

[Jan Willy]

I'm not a big fan of browser-extensions, but this one can be practical to handle the NextDNS-webinterface a little bit better:

Spoiler

https://www.reddit.com/r/nextdns/comments/lu7o86

Edit: it's not bug-free.

 

[SFox]

Which blocklists do you activate? I wanted to connect the Windows Spy blocklist in the Privacy, but I thought that suddenly some problems with system updates would start or Internet access would be blocked altogether

 

[SpiderWeb]

NextDNS iOS app uses DoH apparently, not DoT according to their own logs. I see the benefit of this. DoT has a dedicated port that can easily be blocked. DoH blends in with all other HTTPS traffic.

 

[Morro]

Which blocklists do you activate? I wanted to connect the Windows Spy blocklist in the Privacy, but I thought that suddenly some problems with system updates would start or Internet access would be blocked altogether

Well personally I use the one Securitynightmares mentioned, namely OISD. It gets updated a lot.

 

[SecurityNightmares]

Because of some known and unknown problems, I recommend disable all options in "Performance" under NextDNS web interface -> Settings.

I don't see any performance change.

 

[blackice]

Because of some known and unknown problems, I recommend disable all options in "Performance" under NextDNS web interface -> Settings.

I don't see any performance change.

I was skeptical of these.

 

[Lenny_Fox]

I have found a good working Next DNS setup, which I combine with Edge ant-tracking in strict and (depending on my mood AG/uBO/ABP with only my filterlists (link) to deal with website annoyances.

Using @SecurityNightmares setup as explained in this thread with NextDNS as only blocklist while allowing affiliate and tracking links (so ads and promoted links are not blocked on Google search results page). I have discovered that Next DNS's (personal) blacklist works very well against pesky popunders using cname cloaking.

And despite not liking to add certificates, I have installed Next Dns certificate on my desktop and my girlfriend's laptop (as adviced by @Jan Willy ), to get a decent block screen. For my girlfriend the different blockscreens could be a bit confusing (Next DNS, TrendMicro in the Router and Smartscreen), but she probably won't run in all three of them.

 

[Jan Willy]

I have discovered that Next DNS's (personal) blacklist works very well against pesky popunders using cname cloaking.

By far the major part (possibly up to 90%) of the rules in NextDNS default filterlist concists of rules from Steven Black. The rest refers to Asian sites. See nextdns/metadata
I think that Steven Blacks filter list itself would be enough. I don't know how far this list is responsable for blocking pesky popunders using cname cloaking. My guess is that it's the disguised trackers protection in NextDNS.

Edit:
Steven Blacks filter list offers also protection against cname trackers. See StevenBlack/hosts

 

[Lenny_Fox]

By far the major part (possibly up to 90%) of the rules in NextDNS default filterlist concists of rules from Steven Black. The rest refers to Asian sites. See nextdns/metadata
I think that Steven Blacks filter list itself would be enough. I don't know how far this list is responsable for blocking pesky popunders using cname cloaking. My guess is that it's the disguised trackers protection in NextDNS.

Edit:
Steven Blacks filter list offers also protection against cname trackers. See StevenBlack/hosts

View attachment 257150

Thanks will try that out (using Steven Blacks Host file). What are you thoughts on Energized Spark blocklist?


No by adding them manually to your (account) blocklist

 

[Jan Willy]

What are you thoughts on Energized Spark blocklist?

Never used it. There is a separate thread: Updates - Energized Protection

 

[TairikuOkami]

Is NextDNS link considered private? Lets say I share https://dns.nextdns.io/123456, can someone else use it or is the usage linked to my IP only?

 

[Morro]

Is NextDNS link considered private? Lets say I share https://dns.nextdns.io/123456, can someone else use it or is the usage linked to my IP only?

I could be wrong but considering that for me your DoH url gives a blank page, and that I have a different DoH url address would mean it is for your IP only.

 

[SecurityNightmares]

Is NextDNS link considered private? Lets say I share https://dns.nextdns.io/123456, can someone else use it or is the usage linked to my IP only?

Configurations aren't private yet. This is at least the case for non-linked setups.

Linked IP settings are only for devices which doesn't support DoH or DoT and isn't also
encrypted.

 

[Thales]

I know this doesn't block everything, but I could almost run with just NextDNS with OISD or, NextDNS list + AdGuard (with strict tracker blocking in Edge/Firefox) and not use any adblocker extensions. I tried surfing around with uBO turned off and saw zero ads.

I did the same but I installed adblock for youtube.
Everything is faster pages loads instantly. No ads at all.