Question NextDNS setups

In my experience the setting "DNS rebinding Protection" doesn't cause any real issues with browsing. But I advise you to enable the logs, use the settings one by one, give enough time with each setting, check the logs for any false positive blocks and unblock if necessary. I would suggest switching off any other filtering apps / add-ons till you are comfortable with what NextDNS provides. Once you have created your own "allowlist" which removes all false positives, you can re-enable all add-ons and other filtering apps. Always remember "less is more better" 😉

Thank you, Brahman, for the reply. I appreciate it, as I was wondering about that when I saw some connections from my apps being blocked. Time to do a little research :)




"Block Newly Registered Domains" only caused issues for me when I watch pirated sports streams and "DNS Rebinding Protection" sometimes blocks seeders/peers when I download things from torrents. So, for these two reasons alone I keep them off. Anyone who doesn't do what I do probably should have these on.

For adblocking filters, I recommend AdGuard DNS filter, OISD (big) and Hagezi Multi Pro++.
NextDNS have their own threat intelligence option but it doesn't have Hagezi Threat Intelligence filter (TIF). So Hagezi himself said that anyone who cannot use his TIF filter should use OISD along with their preferred Hagezi filter as OISD apparently can block a few more malicious/phishing sites.
AdGuard DNS is already part of Hagezi Pro filters, but I still use it in NextDNS because AdGuard and OISD update many times throughout the day while Hagezi filters update twice or sometimes once a day.
So, using AdGuard + OISD means you stay more up to date.
Do not use NextDNS's own Ads & Trackers Blocklist. It's not good to begin with and they usually don't fix false positives.

And thank you too, SeriousHoax :) I appreciate your insightful post. NextDNS is a new adventure for me, in a good way :)
 
What I do like about the logs in NextDNS is that they're static, as I can easily review them in my, for now, one-week retention settings. With the Glasswire free version I can't block anything without buying the premium version. And in reviewing them in NextDNS, I didn't realize I had this option enabled in Brave.


From Brave Leo:
The usage ping does not contain personal data or personally identifying information. Users can disable this feature by going to Brave Settings > Privacy and security and disabling "Automatically send daily usage ping to Brave".
 
This has been a very insightful and helpful thread :) Please feel free for anyone to answer this....

I just signed up with a free nextdns account, should I disable TrafficLight and let nextdns work alone, or won't it matter in that they may work in different ways? Or what about Osprey's ad blocker/web protection being used with nextdns, or could that cause overlaps, FP's and surfing slow downs?

In the Security settings I enabled "Block Newly Registered Domains", should "DNS Rebinding Protection" be enabled also, or could that cause webpage issues?
NextDNS and similar services work fine with security extensions.

I have new domains, DNS rebinding, and parked domains all set up, with no issues. The new domains setting might stop you from downloading/watching pirated movies, but it is also useful for blocking scams, malware, and adult sites.

An ad-blocking browser extension is sufficient for me on the laptop, so I do not bother with NextDNS filters. On the phone/iPad, AdGuard DNS Filter seems to work pretty well. Add more filters if you like; check logs to remove redundant filters. I would use a maximum of two or three filters.
 

You're right to ask for a direct link, as information can get nuanced and change over time. My previous statement was based on the general understanding within the NextDNS community and HaGeZi's own descriptions of his lists and their relationship to OISD.

However, after reviewing the recent search results, it seems the recommendation regarding OISD and HaGeZi's lists on NextDNS has evolved, and there's a more current consensus.

The most recent information, including statements attributed to HaGeZi himself, suggests that if you are using HaGeZi Pro, Pro++, or Ultimate lists on NextDNS, adding OISD separately is generally considered redundant.

Here's why, based on recent Reddit discussions:
● HaGeZi's higher-tier lists (Pro, Pro++, Ultimate) already incorporate many TIF (Threat Intelligence Feed) sources, including those that OISD also uses for its malicious/phishing blocking.
● HaGeZi himself (as quoted by "doesitrungoogle" in one of the Reddit threads) has clarified that the only reason to keep OISD alongside his Pro/Pro++/Ultimate lists would be for redundancy/backup in case one list goes down, but given his active maintenance, this is unlikely to be necessary.
● The older recommendation to use OISD for TIF coverage in NextDNS specifically stemmed from a time when NextDNS's own TIF or HaGeZi's higher-tier lists might not have covered as many sources, or when HaGeZi's dedicated TIF was not available as a separate list in NextDNS. It appears this situation has changed, and HaGeZi's comprehensive lists now provide excellent TIF coverage on their own within NextDNS.

Here are some relevant Reddit threads/comments that reflect this updated understanding:
● "Blocklist recommendations for NextDNS" thread:

dns/
○ Look for comments by doesitrungoogle (around 5 months ago from current date, and then another one 3 months ago). This user explicitly states: "I asked Hagezi himself the other day, and he clarified in this comment thread that even when referencing Yokoffing's NextDNS Guide, if you're using Hagezi Pro/Pro++/Ultimate on NextDNS, you do not need to add OISD (AKA redundant) separately; and the only reason he recommends why one would keep OISD alongside Hagezi Pro Also, regarding the OISD recommendation for NextDNS users, Yokoffing clarified that it was old leftover text, and he removed that old recommendation from his guide!"
○ This is the most direct and recent clarification I could find, quoting HaGeZi himself.
● "Hi! I'm a new NextDNS user. I care a lot about adblock, so I want to ask, is this excessive? I heard that only Hagexi + OISD is enough, but that said, what do you think?" thread:

a_lot_about/
○ Again, the user doesitrungoogle provides the same clarification regarding HaGeZi's current stance.

Therefore, to directly answer your question with the most up-to-date information: While there was a period where HaGeZi or community members recommended OISD as a complement for TIF coverage with HaGeZi lists on NextDNS, the current stance, as clarified by HaGeZi himself, is that OISD is generally redundant if you are using HaGeZi Pro++ (or Pro/Ultimate) in NextDNS, because those lists already incorporate the necessary TIF sources that OISD would provide.

You should rely on HaGeZi Pro++ alone for a strong balance of ad/tracker blocking and threat intelligence. If you still feel a need for an additional layer for specific threats, NextDNS's built-in "Security" features (Google Safe Browse, Threat Intelligence Feeds, AI-Driven Threat Detection, etc.) are what you should enable, rather than a redundant third-party list like OISD.

From @Illumination...
 
Good find. I didn't know that the situation has changed.
But it made me curious and I wanted to know if OISD is really unnecessary with my preferred Hagezi Multi Pro++ filter?
So I just compared and at the time of posting the comment, OISD Big has 167,701 domains that are not part of Hagezi Multi Pro++.
So, OISD still should add some value even though many of the missing ones here might get detected by NextDNS's TIF filter.
But I will still keep OISD as having it enabled in NextDNS doesn't have any performance/negative impact.
 
Possibly the difference between Hagezi and OISD isn't only caused by TIF sources.
That is correct.
This time I combined Hagezi Pro++ and Hagezi TIF into a single file and compared to OISD Big.
OISD had 82,942 unique domains not present in those two Hagezi filters.
So, it's better to use OISD + Hagezi.
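The list comparisons described in the two posts above (OISD Big against Hagezi Pro++, then against Pro++ plus TIF), as an added example that is not part of the thread and not the posters' own method: it counts entries of list A missing from list B by exact match, then discounts those that B already blocks through a listed parent domain. The function names and both sample lists are constructed for illustration, and it assumes the resolver treats a listed domain as also covering its subdomains.

```python
import re

# Constructed sample lists (reserved example domains), not real blocklist data.
LIST_A = """\
! adblock-style list, standing in for the larger list
||ads.example.com^
||track.cdn.example.net^
||phish.example.org^
||shared.example.com^
"""
LIST_B = """\
# hosts-style list, standing in for the list being compared against
0.0.0.0 example.net
0.0.0.0 shared.example.com
0.0.0.0 other.example.org
"""

def parse_blocklist(text):
    """Extract domains from plain-domain, hosts (IP domain) or ||domain^ lines."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line or line[0] in "![":
            continue
        rule = re.fullmatch(r"\|\|([a-z0-9.*-]+)\^", line)
        token = rule.group(1) if rule else line.split()[-1]
        token = token.lstrip("*.").rstrip(".")
        if "." in token and re.fullmatch(r"[a-z0-9.-]+", token):
            domains.add(token)
    return domains

def covered(domain, blockset):
    """True if the domain itself or one of its parent domains is listed."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in blockset for i in range(len(labels) - 1))

def compare(a_text, b_text):
    """Domains in A missing from B: by exact match, and after parent matching."""
    a, b = parse_blocklist(a_text), parse_blocklist(b_text)
    raw_only = a - b
    effective_only = {d for d in raw_only if not covered(d, b)}
    return sorted(raw_only), sorted(effective_only)

if __name__ == "__main__":
    raw_only, effective_only = compare(LIST_A, LIST_B)
    print(len(raw_only), "entries of A are not listed verbatim in B")
    print(len(effective_only), "of them are not blocked by B either:", effective_only)
```

A raw "unique domains" count is an upper bound on what the extra list adds; the second figure is closer to the real difference in blocking.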
 
Yes, I know after being informed by @SeriousHoax and reading their info on GitHub, but the Reddit post shared by @rashmi contained some different data; that's why I have asked this question.
The Reddit post is 2 years old so it's a bit outdated by now. OISD is not part of any Hagezi filter list anymore and full TIF is not part of any other list as mentioned by @Brahman above.
AdGuard DNS (account version) has full TIF. NextDNS has unnecessarily been stubborn in adding Hagezi TIF to the point that Hagezi has stopped recommending NextDNS on his GitHub.
But anyway, NextDNS is still amazing, very stable and useful with loaded features. AdGuard and ControlD are less stable. I often see users reporting server issues.
BTW, yokoffing the person with NextDNS guide doesn't really maintain the guide anymore (it doesn't need maintaining tbh). He now uses ControlD and also has a guide for that.
 
So, there is no need to add TIF if using Hagezi ultimate, as I was instructed before.
Hagezi states he does not use any source or list in a one-to-one manner. Perhaps he fully includes some smaller lists.

Yes, I know after being informed by @SeriousHoax and reading their info on GitHub, but the Reddit post shared by @rashmi contained some different data; that's why I have asked this question.
Although two years old, the test shows the effectiveness of Hagezi's lists. The test remains relevant as it analyzes Hagezi's lists, which he still maintains with the same viewpoint; hence, their effectiveness would likely be comparable.

Also, aggressive lists may cause problems with ad-supported streaming.
 
As @Brahman stated, I keep it simple myself with the blocking list, only using NextDNS Ads & Trackers Blocklist and Hagezi - Multi Pro++. I have NextDNS TIF enabled as well as the AI-Driven TD, DNS Rebinding Protection, Blocking Newly Registered Domains, Parked Domains, etc., as well as a list of (TLD's) Blocked Top-Level Domains I created by researching most commonly known abused TLD's with the exception of ones commonly used such as (.com).

I find this set up to cover all needs, it's light and flexible. As of this time I've had no FP's and not had to create any allow rules.
 
@SeriousHoax, I have AdGuard DNS and Hagezi Light filters set up in NextDNS for our kids' phones. I wonder if ad filters can affect Google Family Link functions. I don't think so. Can they?
DNS-based content filters like AdGuard DNS and NextDNS's Hagezi Light filters don't directly interfere with Google Family Link. However, they could indirectly impact it if they block domains that Family Link needs to work.

That said, it's pretty rare, especially with well-maintained filters. Plus, NextDNS lets you adjust things manually if you run into an issue.
 
Quick question and I know I could Google it, but why not ask the pros here :) Right now I'm using the desktop app, if I enable NextDNS on the router side, will that affect the wireless devices I have connected, Amazon Echo & Dot, my Samsung phone and a Roku Stick? Will I have to reset those devices somehow?

 