Tutorial NextDNS: a DoH/DoT guide

As Lenny_Fox requested a NextDNS guide with pictures, here we go - based on the "Your NextDNS settings" thread.

First, info about NextDNS can be read at the official website & GitHub.

I use and recommend using their service in the easiest way you can implement. For me that is on router level, so I don't need any software on clients.

Setup Webinterface:

setup.png

The red-marked entry is the one I use in my Fritzbox router DNS settings. You should also add both DNSv4 from the right side ("DNS Servers") and DNSv6 from the left side ("IPv6") to your router in case the encrypted DNS has problems for some reason.
If that's done, take a look at the top, and if "All good!" is listed, your setup is finished! (y)

Now we will increase the setup to maximum protection:

Security Webinterface:

security.png

Privacy Webinterface:

privacy.png

Parental Control Webinterface:

parental control.png

Denylist Webinterface:

denylist.png

Allowlist Webinterface:

allowlist.png

Settings Webinterface:

settings.png

Done!

Also don't forget to activate 2FA for your account:

account.png
___________________________________________

Update February 2021:

Changes:
  • moving from NextDNS default list + Unchecky filterlist to the "OISD" filterlist, for fewer false positives and a better-maintained list
  • enable "Allow Affiliate & Tracking Links"
  • add "Dating" to Parental Control

Since Lenny_Fox asked for a NextDNS tutorial with pictures, here it goes - based on the thread "Q&A - Your NextDNS settings".

Information about NextDNS can be read on the official website and on GitHub.

I use and recommend implementing NextDNS in the simplest way possible in your own setup. For me, it's at the router level, so I don't need any software on the clients.

NextDNS web interface -> Setup:

Setup.png

The data marked in red are the ones I use in the DNS settings of my Fritzbox router.

Both DNSv4 from the right side ("DNS Servers") and DNSv6 from the left side ("IPv6") should be configured in the router if for some reason the encrypted DNS causes problems. This way you have a fallback.
Once this is done, the web interface should say "All good!" at the top and the basic setup is complete! (y)

Now we will increase the whole thing to maximum protection:

NextDNS web interface -> Security:

Security.png

NextDNS web interface -> Privacy:

Privacy.png

NextDNS web interface -> Parental Control:

Parental Control.png

NextDNS web interface -> Denylist:

Denylist.png

NextDNS web interface -> Allowlist:

Allowlist.png

NextDNS web interface -> Settings:

Settings.png

Done!

You should also activate two-factor authentication (2FA) for your account:

2FA.png
 

SecurityNightmares

> I know this doesn't block everything, but I could almost run with just NextDNS with OISD or, NextDNS list + AdGuard (with strict tracker blocking in Edge/Firefox) and not use any adblocker extensions. I tried surfing around with uBO turned off and saw zero ads.
Yes. The only disadvantage is some missed cosmetic filtering.
 

SFox

Which blocklists do you activate? I wanted to connect the Windows Spy blocklist in the Privacy, but I thought that suddenly some problems with system updates would start or Internet access would be blocked altogether :)
 

SpiderWeb

The NextDNS iOS app uses DoH apparently, not DoT, according to their own logs. I see the benefit of this. DoT has a dedicated port that can easily be blocked. DoH blends in with all other HTTPS traffic.
 
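As an added illustration (not code from the thread or from NextDNS) of why DoH blends into ordinary HTTPS: a DoH query is a GET on port 443 whose ?dns= parameter is the base64url-encoded DNS packet (RFC 8484), while DoT uses its own port, 853. The configuration ID 123456 is the placeholder quoted later in this thread, not a real profile.

```python
import base64
import struct

# Added example (not from the thread): the shape of a DoH GET request as
# defined by RFC 8484. "123456" is the placeholder configuration ID used
# in this thread, not a real NextDNS profile.
DOH_BASE = "https://dns.nextdns.io/123456"
QTYPES = {"A": 1, "CNAME": 5, "AAAA": 28}


def build_query(name, qtype="A"):
    """Minimal DNS wire-format query: 12-byte header, one question.
    ID is 0 so identical queries produce identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)  # class IN


def doh_get_url(wire, base=DOH_BASE):
    """Place the packet in the ?dns= parameter, base64url without padding.
    To a middlebox this is an ordinary HTTPS GET on port 443; DoT instead
    uses its own port, 853, which is why it is easier to block."""
    token = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{base}?dns={token}"


def decode_dns_param(url):
    """Reverse of doh_get_url: recover (name, qtype) from the URL, as the
    resolver does before answering. Assumes an uncompressed question."""
    token = url.split("?dns=", 1)[1]
    wire = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    labels, pos = [], 12  # skip the header
    while wire[pos] != 0:
        length = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype_code = struct.unpack("!H", wire[pos + 1:pos + 3])[0]
    qtype = {code: n for n, code in QTYPES.items()}[qtype_code]
    return ".".join(labels), qtype


if __name__ == "__main__":
    url = doh_get_url(build_query("example.com", "AAAA"))
    print(url)
    print(decode_dns_param(url))  # ('example.com', 'AAAA')
```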

Lenny_Fox

I have found a well-working NextDNS setup, which I combine with Edge anti-tracking in strict mode and (depending on my mood) AG/uBO/ABP with only my filterlists (link) to deal with website annoyances.

Using @SecurityNightmares' setup as explained in this thread, with NextDNS as the only blocklist while allowing affiliate and tracking links (so ads and promoted links are not blocked on the Google search results page), I have discovered that NextDNS's (personal) blacklist works very well against pesky popunders using CNAME cloaking.

And despite not liking to add certificates, I have installed the NextDNS certificate on my desktop and my girlfriend's laptop (as advised by @Jan Willy), to get a decent block screen. For my girlfriend the different block screens could be a bit confusing (NextDNS, TrendMicro in the router and SmartScreen), but she probably won't run into all three of them.
 

Jan Willy

> I have discovered that NextDNS's (personal) blacklist works very well against pesky popunders using CNAME cloaking.
By far the major part (possibly up to 90%) of the rules in the NextDNS default filterlist consists of rules from Steven Black. The rest refers to Asian sites. See nextdns/metadata.
I think that Steven Black's filter list itself would be enough. I don't know how far this list is responsible for blocking pesky popunders using CNAME cloaking. My guess is that it's the disguised trackers protection in NextDNS.

Edit:
Steven Black's filter list also offers protection against CNAME trackers. See StevenBlack/hosts.

1618939821750.png
 
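The mechanism the two posts above are discussing, as an added example (not the thread's or NextDNS's code): a resolver-level denylist sees the whole CNAME chain, so a first-party-looking hostname that is an alias for a listed tracker is blocked even though the queried name itself is not on the list. The hosts lines and CNAME records are constructed sample data.

```python
# Added example, not from the thread: how a resolver-level denylist catches a
# "cname-cloaked" tracker, i.e. a first-party-looking hostname whose CNAME
# chain ends at a listed tracker domain. All domains below are constructed
# sample data in the reserved .invalid / .example namespaces.
SAMPLE_HOSTS = """\
# hosts-format blocklist (Steven Black style): "0.0.0.0 <domain>"
0.0.0.0 tracker.example-adnet.invalid
0.0.0.0 popunder.example-ads.invalid  # inline comment
127.0.0.1 localhost
"""

SAMPLE_CNAMES = {  # constructed CNAME records, as a resolver would see them
    "metrics.shop.example": "shop-example.cdn.example-adnet.invalid",
    "shop-example.cdn.example-adnet.invalid": "edge.tracker.example-adnet.invalid",
}


def parse_hosts(text):
    """Collect blocked domains from hosts-format text, ignoring comments,
    blank lines and the loopback entries a hosts file always carries."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if addr in ("0.0.0.0", "127.0.0.1"):
            blocked.update(n.lower() for n in names if n != "localhost")
    return blocked


def is_blocked(name, blocked):
    """A name is blocked if it or any parent domain is on the list."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def resolve_with_denylist(qname, cname_map, blocked):
    """Follow the CNAME chain the way the resolver does and block the whole
    query if any hop is listed. Returns (verdict, chain)."""
    chain, current = [qname], qname
    while current in cname_map and len(chain) < 16:  # guard against loops
        current = cname_map[current]
        chain.append(current)
    hit = any(is_blocked(hop, blocked) for hop in chain)
    return ("BLOCKED" if hit else "ALLOWED"), chain


if __name__ == "__main__":
    print(resolve_with_denylist("metrics.shop.example", SAMPLE_CNAMES,
                                parse_hosts(SAMPLE_HOSTS)))
```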

Lenny_Fox

> By far the major part (possibly up to 90%) of the rules in the NextDNS default filterlist consists of rules from Steven Black. The rest refers to Asian sites. See nextdns/metadata.
> I think that Steven Black's filter list itself would be enough. I don't know how far this list is responsible for blocking pesky popunders using CNAME cloaking. My guess is that it's the disguised trackers protection in NextDNS.
>
> Edit:
> Steven Black's filter list also offers protection against CNAME trackers. See StevenBlack/hosts.
Thanks, will try that out (using Steven Black's hosts file). What are your thoughts on the Energized Spark blocklist?


No, by adding them manually to your (account) blocklist.

1618947507668.png
 

SecurityNightmares

> Is the NextDNS link considered private? Let's say I share https://dns.nextdns.io/123456, can someone else use it or is the usage linked to my IP only?
Configurations aren't private yet. This is at least the case for non-linked setups.

Linked IP settings are only for devices which don't support DoH or DoT, and they aren't encrypted either.
 

Thales

> I know this doesn't block everything, but I could almost run with just NextDNS with OISD or, NextDNS list + AdGuard (with strict tracker blocking in Edge/Firefox) and not use any adblocker extensions. I tried surfing around with uBO turned off and saw zero ads.
I did the same, but I installed adblock for YouTube.
Everything is faster; pages load instantly. No ads at all.
 