Tutorial NextDNS: a DoH/ DoT guide

As Lenny_Fox request a NextDNS guide with pictures, here we go - based on Your NextDNS settings thread.

First, info about NextDNS can be read at: official Website & GitHub

I use and recommend using their service in easiest way you can implement. For me that is on router level so i don't need any software on Clients.

Setup Webinterface:

setup.png

The red marked is the one i use in my Fritzbox router DNS settings. Also you should add both DNSv4 from right side ("DNS Servers") and DNSv6 from left side ("IPv6") into your router if for some reason the encrypted DNS has problems.
If that's done, take a look at top and if "All good!" is listed, your setup is finished! (y)

Now we will increase the setup to maximum protection

Security Webinterface:

security.png

Privacy Webinterface:

privacy.png

Parental Control Webinterface:

parental control.png

Denylist Webinterface:

denylist.png

Allowlist Webinterface:

allowlist.png

Settings Webinterface:

settings.png

Done!

Also don't forget to activate 2FA for your account!:

account.png
___________________________________________

Update February 2021:

Changes:
  • moving from NextDNS default list + Unchecky filterlist to "OISD" filterlist for less false positives and better maintained list
  • enable "Allow Affiliate & Tracking Links"
  • add "Dating" to Parental Control

Since Lenny_Fox asked for a NextDNS tutorial with pictures, here it goes - based on the thread Q&A - Your NextDNS settings

Information about NextDNS can be read on the official website and GitHub on.

I use and recommend implementing NextDNS in the simplest way possible in your own setup. For me, it's at the router level, so I don't need any software on the clients.

NextDNS web interface -> Setup:

Setup.png

The data marked in red are the ones I use in the DNS settings of my Fritzbox router.

Both DNSv4 from the right side ("DNS Servers") and DNSv6 from the left side ("IPv6") should be configured in the router if for some reason the encrypted DNS causes problems. This way you have a fallback.
Once this is done, the web interface should say "All good!" at the top and the basic setup is complete! (y)

Now we will increase the whole thing to maximum protection:

NextDNS web interface -> Security:

Security.png

NextDNS web interface -> Privacy:

Privacy.png

NextDNS web interface -> Parental Control:

Parental Control.png

NextDNS web interface -> Denylist:

Denylist.png

NextDNS web interface -> Allowlist:

Allowlist.png

NextDNS web interface -> Settings:

Settings.png

Done!

You should also activate two-factor authentication (2FA) for your account!:

2FA.png
 
Last edited by a moderator:
  • Like
  • +Reputation
  • Applause
Reactions: Stopspying, JB007, Morro and 27 others
Click to expand...
blackice

blackice

Level 32
Verified
Apr 1, 2019
2,164
I know this doesn't block everything, but I could almost run with just NextDNS with OISD or, NextDNS list + AdGuard (with strict tracker blocking in Edge/Firefox) and not use any adblocker extensions. I tried surfing around with uBO turned off and saw zero ads.
 
Last edited:
  • Like
  • Applause
Reactions: Thales, Nevi, SecurityNightmares and 2 others
SecurityNightmares

SecurityNightmares

Level 37
Verified
Jan 9, 2020
2,661
blackice said:
I know this doesn't block everything, but I could almost run with just NextDNS with OISD or, NextDNS list + AdGuard (with strict tracker blocking in Edge/Firefox) and not use any adblocker extensions. I tried surfing around with uBO turned off and saw zero ads.
Click to expand...
Yes. Only disadvantage is some missed cosmetic filtering
 
  • Like
Reactions: Nevi and blackice
SFox

SFox

Level 4
Verified
Jun 11, 2019
160
Which blocklists do you activate? I wanted to connect the Windows Spy blocklist in the Privacy, but I thought that suddenly some problems with system updates would start or Internet access would be blocked altogether :)
 
  • Like
Reactions: Nevi
SpiderWeb

SpiderWeb

Level 4
Aug 21, 2020
190
NextDNS iOS app uses DoH apparently, not DoT according to their own logs. I see the benefit of this. DoT has a dedicated port that can easily be blocked. DoH blends in with all other HTTPS traffic.
 
  • +Reputation
Reactions: Nevi and Opc9
Lenny_Fox

Lenny_Fox

Level 21
Verified
Oct 1, 2019
1,060
I have found a good working Next DNS setup, which I combine with Edge ant-tracking in strict and (depending on my mood AG/uBO/ABP with only my filterlists (link) to deal with website annoyances.

Using @SecurityNightmares setup as explained in this thread with NextDNS as only blocklist while allowing affiliate and tracking links (so ads and promoted links are not blocked on Google search results page). I have discovered that Next DNS's (personal) blacklist works very well against pesky popunders using cname cloaking.

And despite not liking to add certificates, I have installed Next Dns certificate on my desktop and my girlfriend's laptop (as adviced by @Jan Willy ), to get a decent block screen. For my girlfriend the different blockscreens could be a bit confusing (Next DNS, TrendMicro in the Router and Smartscreen), but she probably won't run in all three of them.
 
Last edited:
  • Like
Reactions: Stopspying, Gandalf_The_Grey, Nevi and 3 others
Jan Willy

Jan Willy

Level 6
Jul 5, 2019
295
Lenny_Fox said:
I have discovered that Next DNS's (personal) blacklist works very well against pesky popunders using cname cloaking.
Click to expand...
By far the major part (possibly up to 90%) of the rules in NextDNS default filterlist concists of rules from Steven Black. The rest refers to Asian sites. See nextdns/metadata
I think that Steven Blacks filter list itself would be enough. I don't know how far this list is responsable for blocking pesky popunders using cname cloaking. My guess is that it's the disguised trackers protection in NextDNS.

Edit:
Steven Blacks filter list offers also protection against cname trackers. See StevenBlack/hosts

1618939821750.png
 
Last edited:
  • Like
Reactions: Nevi, Stopspying and blackice
Lenny_Fox

Lenny_Fox

Level 21
Verified
Oct 1, 2019
1,060
Jan Willy said:
By far the major part (possibly up to 90%) of the rules in NextDNS default filterlist concists of rules from Steven Black. The rest refers to Asian sites. See nextdns/metadata
I think that Steven Blacks filter list itself would be enough. I don't know how far this list is responsable for blocking pesky popunders using cname cloaking. My guess is that it's the disguised trackers protection in NextDNS.

Edit:
Steven Blacks filter list offers also protection against cname trackers. See StevenBlack/hosts

View attachment 257150
Click to expand...
Thanks will try that out (using Steven Blacks Host file). What are you thoughts on Energized Spark blocklist?


No by adding them manually to your (account) blocklist

1618947507668.png
 
Last edited by a moderator:
  • Like
Reactions: Nevi
Thales

Thales

Level 12
Nov 26, 2017
553
blackice said:
I know this doesn't block everything, but I could almost run with just NextDNS with OISD or, NextDNS list + AdGuard (with strict tracker blocking in Edge/Firefox) and not use any adblocker extensions. I tried surfing around with uBO turned off and saw zero ads.
Click to expand...
I did the same but I installed adblock for youtube.
Everything is faster pages loads instantly. No ads at all.
 
  • Like
Reactions: Gandalf_The_Grey, Nevi and blackice

Similar threads

SecurityNightmares
Q&A What is DNS over TLS (DoT), DNS over Quic (DoQ) and DNS over HTTPS (DoH & DoH3)?
Replies
0
Views
689
Privacy & VPN
SecurityNightmares
SecurityNightmares
SecurityNightmares
Q&A Your NextDNS settings
Replies
20
Views
4,626
Privacy & VPN
SecurityNightmares
SecurityNightmares
Gandalf_The_Grey
Updates AdGuard becomes the world's first public DNS-over-QUIC resolver!
Replies
6
Views
1,847
Privacy & VPN
SeriousHoax
SeriousHoax
Top