 Enable Google Safe Browsing
-### Cryptojacking Protection [1](https://github.com/nextdns/metadata/blob/6f9b6cd0670e7e31ad2ca716742088c2fc0616c2/security/cryptojacking.json)
+## Cryptojacking Protection [1](https://github.com/nextdns/metadata/blob/6f9b6cd0670e7e31ad2ca716742088c2fc0616c2/security/cryptojacking.json)
:warning: If you use something other than the [recommended blocklists](https://github.com/yokoffing/NextDNS-Config#privacy-lock), then you should [leave this enabled](https://github.com/yokoffing/NextDNS-Config/issues/31).
 Enable Cryptojacking Protection
-### DNS Rebinding Protection [1](https://help.nextdns.io/t/35hmval/what-is-dns-rebinding-protection) [2](https://www.reddit.com/r/nextdns/comments/t0ne8r/does_dns_rebinding_protection_block_remote_access/?context=3)
+## DNS Rebinding Protection [1](https://help.nextdns.io/t/35hmval/what-is-dns-rebinding-protection) [2](https://www.reddit.com/r/nextdns/comments/t0ne8r/does_dns_rebinding_protection_block_remote_access/?context=3)
 Enable DNS Rebinding Protection
-### IDN Homograph Attacks Protection [1](https://blog.riotsecurityteam.com/idn-homograph-attacksprevention) [2](https://akamai.com/blog/security/watch-your-step-the-prevalence-of-idn-homograph-attacks)
+## IDN Homograph Attacks Protection [1](https://blog.riotsecurityteam.com/idn-homograph-attacksprevention) [2](https://akamai.com/blog/security/watch-your-step-the-prevalence-of-idn-homograph-attacks)
 Enable Homograph Attacks Protection
-### Typosquatting Protection [1](https://github.com/nextdns/metadata/blob/6f9b6cd0670e7e31ad2ca716742088c2fc0616c2/security/typosquatting/protected-domains)
+## Typosquatting Protection [1](https://github.com/nextdns/metadata/blob/6f9b6cd0670e7e31ad2ca716742088c2fc0616c2/security/typosquatting/protected-domains)
 Enable Typosquatting Protection
-### Domain Generation Algorithms (DGAs) Protection
+## Domain Generation Algorithms (DGAs) Protection
 Enable DGA Protection
-### Block Newly Registered Domains (NRDs) [1](https://boldgrid.com/instagram-influencer-accounts-are-being-hacked-phishing-attacks)
+## Block Newly Registered Domains (NRDs) [1](https://boldgrid.com/instagram-influencer-accounts-are-being-hacked-phishing-attacks)
:warning: Blocking NRDs may cause [false positives](https://csrc.nist.gov/glossary/term/false_positive) [occasionally](https://www.reddit.com/r/InternetIsBeautiful/comments/w2wdro/comment/iguvg8y/?context=3). Be selective when adding NRDs to your allowlist; and, if you do, **NEVER** give [sensitive information](https://egnyte.com/guides/governance/sensitive-information) to a NRD. *If you plan to [set-and-forget](https://glosbe.com/en/en/set-and-forget) your configuration, disable this setting.*
 Block Newly Registered Domains (NRDs)
-### Block Dynamic DNS Hostnames [1](https://github.com/nextdns/ddns-domains/blob/main/suffixes) [2](https://unofficialbird.com/NextDNS/status/1541740963760144386)
+## Block Dynamic DNS Hostnames [1](https://github.com/nextdns/ddns-domains/blob/main/suffixes) [2](https://unofficialbird.com/NextDNS/status/1541740963760144386)
:warning: This feature is still in beta and may cause [false positives](https://csrc.nist.gov/glossary/term/false_positive).
:bulb: If you are using Dynamic DNS (DDNS), this setting will **not** block the DDNS services' own website or their update API.
 Enable Block Dynamic DNS Hostnames
-### Block Parked Domains [1](https://github.com/nextdns/metadata/blob/6f9b6cd0670e7e31ad2ca716742088c2fc0616c2/security/parked-domains-cname)
+## Block Parked Domains [1](https://github.com/nextdns/metadata/blob/6f9b6cd0670e7e31ad2ca716742088c2fc0616c2/security/parked-domains-cname)
 Block Parked Domains
-### Block Top-Level Domains (TLDs) [1](https://webtribunal.net/blog/tld-statistics/) [2](https://www.spamhaus.org/statistics/tlds/) [3](https://bleepingcomputer.com/news/security/verified-twitter-accounts-hacked-to-send-fake-suspension-notices/) [4](https://github.com/DandelionSprout/adfilt/blob/master/Dandelion%20Sprout's%20Anti-Malware%20List.txt) [5](https://github.com/DandelionSprout/adfilt/issues/659#issuecomment-1284845803)
+## Block Top-Level Domains (TLDs) [1](https://webtribunal.net/blog/tld-statistics/) [2](https://www.spamhaus.org/statistics/tlds/) [3](https://bleepingcomputer.com/news/security/verified-twitter-accounts-hacked-to-send-fake-suspension-notices/) [4](https://github.com/DandelionSprout/adfilt/blob/master/Dandelion%20Sprout's%20Anti-Malware%20List.txt) [5](https://github.com/DandelionSprout/adfilt/issues/659#issuecomment-1284845803)
:warning: Blocking [TLDs](https://geeksforgeeks.org/components-of-a-url) may cause [false positives](https://csrc.nist.gov/glossary/term/false_positive) since this feature blocks both site nagviations and subrequests. However, the entries below should allow for everyday browsing while offering protection against commonly abused TLDs since they have no known legitimate uses.
```
-
.cfd
.discount
.gdn
@@ -102,7 +101,7 @@ Security settings protect your data from harm, theft, and unauthorized use.
:memo: If you would rather block TLDs with an adblocker (e.g., easier to troubleshoot breakage), add the first two filterlists [here](https://github.com/yokoffing/filterlists#security).
-### Block Child Sexual Abuse Material
+## Block Child Sexual Abuse Material
 Block Child Sexual Abuse Material
***
@@ -112,13 +111,13 @@ Privacy features limit the amount of data companies can collect about you.
Because privacy is a [spectrum](https://blog.thenewoil.org/the-privacy-myth-binary-vs-spectrum), what you need varies on your [threat model](https://thenewoil.org/en/guides/prologue/threatmodel), interest, and skillset.^[*why should I care? I have nothing to hide*](https://medium.com/@FabioAEsteves/i-have-nothing-to-hide-why-should-i-care-about-my-privacy-f488281b8f1d)
-### Blocklists [1](https://github.com/nextdns/blocklists/tree/main/blocklists)
+## Blocklists [1](https://github.com/nextdns/blocklists/tree/main/blocklists)
Blocklists filter out ads, [trackers](https://freecodecamp.org/news/what-you-should-know-about-web-tracking-and-how-it-affects-your-online-privacy-42935355525/), and malicious sites. Hundreds of volunteers contribute to these lists in the [open-source](https://opensource.com/resources/what-open-source) community, and they are the undercover heroes who make blocking ads at scale possible.
We recommend you remove the [NextDNS Ads & Trackers Blocklist](https://github.com/nextdns/blocklists/blob/main/blocklists/nextdns-recommended.json) and select the [minimum](https://www.reddit.com/r/nextdns/comments/1048xeg/do_you_use_nextdns_blocklist_as_the_primary/j33wnz2/?context=3) number of useful lists.
-#### Which blocklist should I use?
+### Which blocklist should I use?
A great question to ask is: "How much do I want to deal with the inconveniences of [false positives](https://csrc.nist.gov/glossary/term/false_positive)?"
@@ -133,7 +132,7 @@ Here are the suggested blocklists:
:bulb: Use different blocklists on separate DNS profiles (e.g., LIGHT for your router and PRO++ for your web browser).
-#### Why Hagezi?
+### Why Hagezi?
[Hagezi](https://github.com/hagezi/dns-blocklists) block ads, trackers, native device trackers, badware, and more. He maintains a sensible allowlist, handles false positives quickly, an communicates known issues to blocklists maintainers. Hagezi's primary DNS lists combine respected community blocklists like [OISD](https://oisd.nl/), [Steven Black](https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts), [1Hosts](https://github.com/badmojr/1Hosts#safeguard-your-devices-against-pesky-ads-trackers-and-malware), [notrack](https://gitlab.com/quidsup/notrack#notrack), and [more](https://github.com/hagezi/dns-blocklists/blob/main/sources.md).
:question: You may wonder why other lists are not utilized. This is because many list maintainers:
@@ -141,7 +140,7 @@ Here are the suggested blocklists:
* already [aggregate](https://www.reddit.com/r/nextdns/comments/ys3s1s/confused_about_blocklists/ivxdcd2/?context=3) common blocklists into their own list (Easylist/Fanboy, AdGuard, Steven Black, etc.) [1](https://github.com/badmojr/1Hosts/blob/master/-data/lists/assets.txt) [2](https://oisd.nl/includedlists/big/0) [3](https://github.com/jerryn70/GoodbyeAds/blob/master/Docs/Sources.md) [4](https://github.com/hagezi/dns-blocklists/blob/main/usedsources.md#proplus)
* offer no meaningful additional coverage when compared with the chart combinations above
-### Native Tracking Protection [1](https://github.com/nextdns/native-tracking-domains/tree/main/domains)
+## Native Tracking Protection [1](https://github.com/nextdns/native-tracking-domains/tree/main/domains)
Add all the device brands you use. There's no advantage in adding brands you don't have; however, there’s no disadvantage in adding unused brands, either.
@@ -158,10 +157,10 @@ Add all the device brands you use. There's no advantage in adding brands you don
-### Block Disguised Third-Party Trackers [1](https://github.com/nextdns/cname-cloaking-blocklist/blob/master/domains) [2](https://www.reddit.com/r/nextdns/comments/10nenu3/disguised_trackers_are_blocked_regardless_of) [3](https://medium.com/nextdns/cname-cloaking-the-dangerous-disguise-of-third-party-trackers-195205dc522a) [4](https://arxiv.org/pdf/2102.09301.pdf) [5](https://tma.ifip.org/2020/wp-content/uploads/sites/9/2020/06/tma2020-camera-paper66.pdf)
+## Block Disguised Third-Party Trackers [1](https://github.com/nextdns/cname-cloaking-blocklist/blob/master/domains) [2](https://www.reddit.com/r/nextdns/comments/10nenu3/disguised_trackers_are_blocked_regardless_of) [3](https://medium.com/nextdns/cname-cloaking-the-dangerous-disguise-of-third-party-trackers-195205dc522a) [4](https://arxiv.org/pdf/2102.09301.pdf) [5](https://tma.ifip.org/2020/wp-content/uploads/sites/9/2020/06/tma2020-camera-paper66.pdf)
 Block Disguised Third-Party Trackers
-### Allow Affiliate & Tracking Links [1](https://github.com/nextdns/click-tracking-domains) [2](https://unofficialbird.com/NextDNS/status/1539229377560461312)
+## Allow Affiliate & Tracking Links [1](https://github.com/nextdns/click-tracking-domains) [2](https://unofficialbird.com/NextDNS/status/1539229377560461312)
:bulb: Your IP address will automatically be hidden (via [TCP](https://educba.com/what-is-tcp-ip) [proxying](https://en.wikipedia.org/wiki/Proxy_server#/media/File:Proxy_concept_en.svg)) to preserve your privacy.
:warning: Disabling causes [false positives](https://csrc.nist.gov/glossary/term/false_positive) when opening some email links.
 Allow Affiliate & Tracking Links
@@ -169,9 +168,9 @@ Add all the device brands you use. There's no advantage in adding brands you don
***
# Parental Control :family_man_woman_boy:
-### YouTube Restricted Mode
+## YouTube Restricted Mode
 Enforce YouTube Restricted Mode
-### Block Bypass Methods [1](https://github.com/nextdns/dns-bypass-methods)
+## Block Bypass Methods [1](https://github.com/nextdns/dns-bypass-methods)
:warning: Enabling may cause unintended breakage.
 Block Bypass Methods
@@ -336,53 +335,53 @@ User data is [removed](https://0x65.dev/blog/2019-12-04/human-web-proxy-network-
# Settings :gear:
-### Logs
+## Logs
**Storage location** → Switzerland
-### Block Page
+## Block Page
:warning: Enabling may cause breakage if the [NextDNS Root CA](https://help.nextdns.io/t/g9hmv0a/how-to-install-and-trust-nextdns-root-ca) is not on your devices. This setting also [breaks](https://help.nextdns.io/t/g9hdska) iCloud [Private Relay](https://support.apple.com/en-us/HT212614), [Yahoo! Mail](https://github.com/hagezi/dns-blocklists/issues/269#issuecomment-1409644343), and the [NAVER](https://channelsearch.naver.com) app.
 Enable Block Page
-### Anonymized EDNS Client Subnet [1](https://help.nextdns.io/t/m1hmv04/what-is-edns-client-subnet-ecs)
+## Anonymized EDNS Client Subnet [1](https://help.nextdns.io/t/m1hmv04/what-is-edns-client-subnet-ecs)
 Enable Anonymized EDNS Client Subnet
-### Cache Boost [1](https://www.reddit.com/r/nextdns/comments/girmcf/new_setting_cache_boost/)
+## Cache Boost [1](https://www.reddit.com/r/nextdns/comments/girmcf/new_setting_cache_boost/)
 Enable Cache Boost
-### CNAME Flattening [1](https://medium.com/nextdns/nextdns-added-cname-uncloaking-support-becomes-the-first-cross-platform-solution-to-the-problem-e3f437f84342) [2](https://developers.cloudflare.com/dns/additional-options/cname-flattening) [3](https://advancedweb.hu/what-is-cname-flattening-and-how-it-helps-redirecting-the-apex-domain)
+## CNAME Flattening [1](https://medium.com/nextdns/nextdns-added-cname-uncloaking-support-becomes-the-first-cross-platform-solution-to-the-problem-e3f437f84342) [2](https://developers.cloudflare.com/dns/additional-options/cname-flattening) [3](https://advancedweb.hu/what-is-cname-flattening-and-how-it-helps-redirecting-the-apex-domain)
:warning: Enabling may cause [breakage with Yahoo! Mail](https://github.com/hagezi/dns-blocklists/issues/269#issuecomment-1409644343) and cause issues with some blocklists.
 Enable CNAME Flattening
-### Web3 [1](https://unofficialbird.com/NextDNS/status/1491034351391305731) [2](https://gabygoldberg.notion.site/f7050e62461143d49345e7b46eb5576b)
+## Web3 [1](https://unofficialbird.com/NextDNS/status/1491034351391305731) [2](https://gabygoldberg.notion.site/f7050e62461143d49345e7b46eb5576b)
 Enable Web3 → (optional)
***
# FAQ :question:
-### How do I signup for NextDNS?
+## How do I signup for NextDNS?
Click [here](https://nextdns.io/?from=xujj63g5)!
-### Should I pay for NextDNS?
+## Should I pay for NextDNS?
For the rich features it provides, [NextDNS](https://nextdns.io/?from=xujj63g5) is very affordable at $19.90/year for unlimited devices. NextDNS pays for itself if it saves my family from a malicious incident.
-### Why am I still seeing ads?
+## Why am I still seeing ads?
Not all ads can be blocked at the DNS level.[1](https://www.reddit.com/r/nextdns/comments/14nsfhv/comment/jq982bi/?context=3) [2](https://www.reddit.com/r/nextdns/comments/13urdda/ads_on_manga_sites/) You will need an [ad blocker](https://github.com/yokoffing/NextDNS-Config#i-need-a-browser-with-ad-blocking-which-one-should-i-choose) to block what's leftover.
This is because not all ads come from third-party domains; some ads come directly from the site you're visiting, like [YouTube](https://discourse.pi-hole.net/t/how-do-i-block-ads-on-youtube/253/2). DNS blockers [stop](https://github.com/hagezi/dns-blocklists/discussions/1030#discussioncomment-5884270) the resolution of a domain, and content blockers filter page content. Click [here](https://github.com/yokoffing/NextDNS-Config/tree/main#i-need-a-browser-with-ad-blocking-which-one-should-i-choose) to easily install a lightweight ad blocker.
-### Does the amount of features enabled affect the speed of NextDNS?[1](https://github.com/yokoffing/NextDNS-Config/issues/12#issue-1465457977) [2](https://www.reddit.com/r/nextdns/comments/135utai/comment/jilbus8/?=&context=3)
+## Does the amount of features enabled affect the speed of NextDNS?[1](https://github.com/yokoffing/NextDNS-Config/issues/12#issue-1465457977) [2](https://www.reddit.com/r/nextdns/comments/135utai/comment/jilbus8/?=&context=3)
The number of settings you toggle on will not affect your DNS latency.
-### Do I need to set DoH at browser-level if I already use NextDNS at system-level?
+## Do I need to set DoH at browser-level if I already use NextDNS at system-level?
Unless you use a separate profile for the browser, it is [not neccessary](https://www.reddit.com/r/nextdns/comments/yfjvqy/is_it_redundant_to_set_at_doh_at_browserlevel_if/iu3vjzt/?context=3). However, I recommend [setting it in your web browser](https://itechtics.com/dns-over-https/#how-to-enable-or-disable-dns-over-https-in-your-browsers) anyway.
-### I have a router profile and a device profile. Which one does my device use?
+## I have a router profile and a device profile. Which one does my device use?
The device will use the profile set by the [NextDNS](https://nextdns.io/?from=xujj63g5) app or the installed [root CA](https://help.nextdns.io/t/g9hmv0a/how-to-install-and-trust-nextdns-root-ca). However, if the device has not been configured to use a separate profile, then it will use the wifi/router configuration.[1](https://www.reddit.com/r/nextdns/comments/yf4hnv/question_about_home_router_and_app_running_in/)
-### What is the difference between security, privacy, and anonymity?
+## What is the difference between security, privacy, and anonymity?
See [article](https://thenewoil.org/en/guides/prologue/secprivanon/) | [video](https://youtu.be/Wpkh-hfULgE)
-### Does NextDNS hide activity from my Internet Service Provider (ISP)?
+## Does NextDNS hide activity from my Internet Service Provider (ISP)?
[No](https://www.reddit.com/r/nextdns/comments/tavcgm/comment/i039u1r/?context=3). [NextDNS](https://nextdns.io/?from=xujj63g5) is only concerned about DNS traffic. You would need a [quality](https://www.youtube.com/watch?v=cK4MQv-OwyM) [VPN](https://www.ivpn.net/blog/why-you-dont-need-a-vpn/) to hide all activity from your ISP.
-### I need a browser with ad blocking. Which one should I choose?
+## I need a browser with ad blocking. Which one should I choose?
Choosing a browser is about as intimate as [choosing a starter Pokémon](https://youtu.be/F_8htiBjTCY), so here's a few caveats:
* The best browser on paper may not work well in real world usage (e.g., [Brave](https://brave.com/) is wonky with video playback on iOS).
* Browsers are tools! Use a variety of browsers depending on what you need to do.
@@ -392,14 +391,14 @@ We based the recommendations below on a combination of effectiveness, resource e
Here are the suggested browsers for each operating system (OS):
-#### Mobile
+### Mobile
| OS | Browser | Content Blocker | Notes |
|---|---|---|---|
| iOS | [Safari](https://www.apple.com/safari)
[Orion](https://browser.kagi.com/) | [Ghostery](https://www.ghostery.com/ghostery-ad-blocker-safari) | [AdGuard](https://adguard.com/en/adguard-ios/overview.html) allows you to add custom filterlists but it's resource intensive. |
| Android | Firefox | [Ghostery](https://www.ghostery.com/ghostery-ad-blocker-firefox) or [uBlock Origin](https://addons.mozilla.org/blog/ublock-origin-everything-you-need-to-know-about-the-ad-blocker/) | |
-#### Desktop
+### Desktop
| OS | Browser | Content Blocker |
|---|---|---|