mirror of
https://github.com/yokoffing/NextDNS-Config.git
synced 2025-11-08 11:23:50 -05:00
Compare commits
8 Commits
624ad12f83
...
6fa3329df7
| Author | SHA1 | Date | |
|---|---|---|---|
| | 6fa3329df7 | | |
| | b6e8daba66 | | |
| | 150cb097ee | | |
| | f84eeab0d4 | | |
| | 4baa33770c | | |
| | a80252cf12 | | |
| | cf2cb31e06 | | |
| | c5672fedc8 | | |
74
README.md
@@ -125,17 +125,20 @@ We recommend you **remove** the [NextDNS Ads & Trackers Blocklist](https://githu
|
||||
|
||||
A great question to ask is: "How much do I want to deal with the inconveniences of [false positives](https://csrc.nist.gov/glossary/term/false_positive)?"
|
||||
|
||||
Here are the suggested blocklists, based on past [issues](https://github.com/hagezi/dns-blocklists/issues?q=author%3Ayokoffing) and observations:
|
||||
Here are the suggested blocklists, based on past issues and observations:
|
||||
|
||||
| **Blocklist** | **Rationale** |
|
||||
| **Blocklists** | **Rationale** |
|
||||
|:--------------------:|:--------------------------------------------------------------------------------------:|
|
||||
| HaGeZi - Multi **NORMAL**<sup>[1](https://github.com/hagezi/dns-blocklists/blob/main/statistics.md#multi)</sup> | Block tracker, ad, and badware requests without issues ([set-and-forget](https://glosbe.com/en/en/set-and-forget)). |
|
||||
| HaGeZi - Multi **PRO**<sup>[2](https://github.com/hagezi/dns-blocklists/blob/main/statistics.md#pro)</sup> | Block more requests, usually without issues (recommended). |
|
||||
| HaGeZi - Multi **PRO++**<sup>[3](https://github.com/hagezi/dns-blocklists/blob/main/statistics.md#proplus)</sup> | Block more requests at the risk of site breakage. <br> [Report](https://github.com/hagezi/dns-blocklists/issues/new/choose) occasional site and app issues. |
|
||||
| HaGeZi - <br>Multi **NORMAL**<sup>[1](https://github.com/hagezi/dns-blocklists/blob/main/statistics.md#multi)</sup> <p><p>OISD</p> | Block tracker, ad, and badware requests without issues ([set-and-forget](https://glosbe.com/en/en/set-and-forget)). |
|
||||
| HaGeZi - <br>Multi **PRO**<sup>[2](https://github.com/hagezi/dns-blocklists/blob/main/statistics.md#pro)</sup> <p><p>OISD</p> | Block more requests, usually without issues (recommended). |
|
||||
| HaGeZi - <br>Multi **PRO++**<sup>[3](https://github.com/hagezi/dns-blocklists/blob/main/statistics.md#proplus)</sup> <p><p>OISD</p> | Block more requests at the risk of site breakage. <br> [Report](https://github.com/hagezi/dns-blocklists/issues/new/choose) occasional site and app issues. |
|
||||
|
||||
> [!TIP]
|
||||
> Use different blocklists on separate DNS profiles (e.g., NORMAL for your router and PRO++ for your web browser).
|
||||
|
||||
> [!NOTE]
|
||||
> NextDNS does not offer Hagezi's Threat Intelligence Feed (TIF). We suggest using the OISD list, which includes which contains some TIF sources missing from NextDNS security features.
|
||||
|
||||
You can also check out Hagezi's own [recommendations](https://github.com/hagezi/dns-blocklists/tree/main#whatshouldiuse).
|
||||
|
||||
### Why Hagezi?
|
||||
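Review bot: the [!NOTE] line reads "the OISD list, which includes which contains some TIF sources", so one of the two verbs has to go, and the sentence should say plainly that OISD is suggested as a partial substitute for TIF rather than an equivalent. In the three table rows that carry OISD, the cell markup `<p><p>OISD</p>` opens two paragraphs and closes one; a single `<br>OISD` would match the `<br>` already used in the same cells. The rewritten intro line also drops the link on "issues" that let readers check the basis for the recommendation; keep the link unless it is being removed on purpose.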
@@ -171,7 +174,7 @@ Add all the device brands you use.
|
||||
> Your IP address will automatically be hidden (via [TCP](https://educba.com/what-is-tcp-ip) [proxying](https://en.wikipedia.org/wiki/Proxy_server#/media/File:Proxy_concept_en.svg)) to preserve your privacy.<p>
|
||||
|
||||
> [!WARNING]
|
||||
> Disabling this setting causes prevent site navgiation when opening some email links.
|
||||
> Disabling this setting prevents some email links from opening properly.
|
||||
|
||||
 Allow Affiliate & Tracking Links
|
||||
|
||||
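Review bot: in the [!WARNING] line, "this setting" has no referent a reader can pin down, because the warning sits between the TCP-proxying note and the "Allow Affiliate & Tracking Links" checkbox; name the setting in the sentence. The reworded text also trades the specific symptom (site navigation failing from email links) for "opening properly", which is vaguer; state what the user will actually see, for example that the link is blocked and the page does not load.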
@@ -181,6 +184,7 @@ Add all the device brands you use.
|
||||
## YouTube Restricted Mode
|
||||
 Enforce YouTube Restricted Mode
|
||||
## Block Bypass Methods <sup><sup>[1](https://github.com/nextdns/dns-bypass-methods)</sup></sup>
|
||||
Block tools that can bypass NextDNS filtering, such as VPNs, proxies, Tor software, and encrypted DNS services.
|
||||
> [!CAUTION]
|
||||
> Enabling this setting causes unintended behavior.
|
||||
|
||||
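Review bot: under "Block Bypass Methods", the description now lists what gets blocked (VPNs, proxies, Tor software, encrypted DNS services), but the [!CAUTION] below it still only says "unintended behavior". Tie the two together: say which of the listed categories breaks for a typical user when the setting is on, and show the recommended state with a checkbox image the way the "Enforce YouTube Restricted Mode" line above does.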
@@ -190,33 +194,16 @@ Add all the device brands you use.
|
||||
|
||||
# Denylist :no_entry:
|
||||
|
||||
Denylist entries are always blocked. The entries below may further harden some profiles while not interfering with everyday browsing.
|
||||
Denylist entries are always blocked. These entries may further harden some profiles while not interfering with everyday browsing.
|
||||
|
||||
<details>
|
||||
### iCloud Private Relay
|
||||
|
||||
### Apple tracking domains <sup><sup>[1](https://unofficialbird.com/mysk_co/status/1588308341780262912) [2](https://github.com/nextdns/metadata/pull/1132) [3](https://github.com/badmojr/1Hosts/issues/536) [4](https://gizmodo.com/apple-iphone-analytics-tracking-even-when-off-app-store-1849757558)</sup></sup>
|
||||
Not currently in NextDNS's [Native Tracking Protection](https://github.com/yokoffing/NextDNS-Config#native-tracking-protection-1) [list](https://github.com/nextdns/native-tracking-domains/blob/main/domains/apple): <sup>[1](https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/native.apple.txt)</sup>
|
||||
[iCloud Private Relay](https://support.apple.com/en-us/102602) can override DNS settings on devices, preventing NextDNS from protecting them.
|
||||
|
||||
xp.apple.com (unblock for device updates!)
|
||||
acfeedbackws.icloud.com
|
||||
api-adservices.apple.com
|
||||
feedbackws.fe.apple-dns.net
|
||||
feedbackws.icloud.com
|
||||
iadsdk.apple.com
|
||||
notes-analytics-events.apple.com
|
||||
notes-analytics-events.news.apple-dns.net
|
||||
weather-analytics-events.apple.com
|
||||
weather-analytics-events.news.apple-dns.net
|
||||
Some DoH providers block this feature automatically.
|
||||
|
||||
### Twitter tracker
|
||||
mask.icloud.com
|
||||
|
||||
syndication.twitter.com
|
||||
|
||||
### NVIDIA Gefore Experience <sup><sup>[1](https://github.com/badmojr/1Hosts/issues/650)</sup></sup>
|
||||
|
||||
events.gfe.nvidia.com
|
||||
|
||||
</details>
|
||||
|
||||
***
|
||||
|
||||
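Review bot: in the new "iCloud Private Relay" section, "Some DoH providers block this feature automatically" does not say whether NextDNS is one of them, so a reader cannot tell if adding `mask.icloud.com` is required or redundant; state that explicitly. The same hunk drops the Apple tracking, Twitter and NVIDIA entries together with their reference links and gives no reason in the visible text; if they are now covered by a blocklist or by Native Tracking Protection, say so in the section or the commit message. With only `mask.icloud.com` left in view, the intro sentence's plural "These entries" should be checked against what remains in the section.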
@@ -224,14 +211,14 @@ Not currently in NextDNS's [Native Tracking Protection](https://github.com/yokof
|
||||
|
||||
Allowlist entries always resolve. These entries may be needed for aggressive DNS profiles to relax their rules.
|
||||
|
||||
<details>
|
||||
|
||||
### NextDNS
|
||||
|
||||
Just in case a filterlist goes [haywire](https://help.nextdns.io/t/m1hs207/energized-ultimate-lists-blocking-nextdns) and blocks your access
|
||||
Allow NextDNS itself in case a filterlist goes [haywire](https://help.nextdns.io/t/m1hs207/energized-ultimate-lists-blocking-nextdns) and blocks your access.
|
||||
|
||||
nextdns.io
|
||||
|
||||
<details><summary>Click here to view more entries</summary>
|
||||
|
||||
### Facebook / Instagram <sup><sup>[1](https://github.com/jerryn70/GoodbyeAds/issues/309)</sup></sup>
|
||||
|
||||
graph.facebook.com
|
||||
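Review bot: two `<details>` openers appear in this hunk, a bare one before `### NextDNS` and `<details><summary>Click here to view more entries</summary>` after `nextdns.io`. If both survive the change they nest, and the second needs its own `</details>`, which is not in these lines. Keep a single opener, the one with the summary, placed after `nextdns.io` so that entry stays visible when the block is collapsed, and confirm the closing tag further down still pairs with it.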
@@ -249,7 +236,7 @@ If you're still having issues, try [these](https://raw.githubusercontent.com/hag
|
||||
|
||||
### Apple device updates <sup><sup>[1](https://github.com/badmojr/1Hosts/issues/536) [2](https://github.com/badmojr/1Hosts/issues/562) [3](https://github.com/nextdns/metadata/pull/1132#issuecomment-1331733770)
|
||||
|
||||
A [known tracking domain](https://gizmodo.com/apple-iphone-analytics-tracking-even-when-off-app-store-1849757558), but it's needed for device updates
|
||||
A [known tracking domain](https://gizmodo.com/apple-iphone-analytics-tracking-even-when-off-app-store-1849757558), but it's needed for device updates.
|
||||
|
||||
xp.apple.com
|
||||
|
||||
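Review bot: the heading line `### Apple device updates <sup><sup>[1](...) [2](...) [3](...)` opens two `<sup>` tags and never closes them, so the superscript runs into the paragraph that this hunk edits. Since the line below is being touched anyway, add `</sup></sup>` at the end of the heading in the same commit. The added full stop itself is fine.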
@@ -268,6 +255,11 @@ This [request](https://oisd.nl/excludes.php?w=settings-win.data.microsoft.com) i
|
||||
|
||||
settings-win.data.microsoft.com
|
||||
|
||||
### Xbox achievements
|
||||
|
||||
v10.events.data.microsoft.com
|
||||
v20.events.data.microsoft.com
|
||||
|
||||
### Xiaomi device updates
|
||||
|
||||
update.intl.miui.com
|
||||
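Review bot: the new "Xbox achievements" section allowlists `v10.events.data.microsoft.com` and `v20.events.data.microsoft.com` with no sentence or reference explaining why, unlike the neighbouring entries that link an issue or an exclusion request. Both names sit under `events.data.microsoft.com`, so the reader should be told what else these hosts carry and what is given up by allowing them. Add a one-line rationale and a source link, in the same form as the `settings-win.data.microsoft.com` entry above.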
@@ -431,22 +423,20 @@ The device will use the profile set by the [NextDNS](https://nextdns.io/?from=xu
|
||||
See [article](https://thenewoil.org/en/guides/prologue/secprivanon/) | [video](https://www.youtube.com/watch?v=Wpkh-hfULgE)
|
||||
|
||||
## Does NextDNS hide activity from my Internet Service Provider (ISP)?
|
||||
DNS protocols like DoH/DoT/DoQ are designed to increase privacy and security by encrypting DNS queries. They prevent your ISP from seeing your web searches and browsing history, which significantly contributes to protecting your privacy.
|
||||
Encrypted DNS queries boost privacy and security. This encryption stops your ISP from seeing what websites you search for and visit.
|
||||
|
||||
However, encrypted DNS does not hide the IP addresses of the websites you visit from your ISP. So while they cannot see the content of the encrypted DNS query (i.e., your ISP can't see what specific domain you're trying to access), they can see that you're making a request to a particular DNS server like Cloudflare or AWS. And if you're constantly sending packets to a particular IP address, it's likely that you're visiting a website hosted at that address.
|
||||
However, encrypted DNS does not hide website IP addresses from your ISP. While your ISP cannot see the specific domain you want to access, they can see that you contact DNS servers like Cloudflare or AWS. If you repeatedly send data to a certain IP address, your ISP can guess you are visiting a website at that address.
|
||||
|
||||
That being said, IVPN [argues](https://www.ivpn.net/blog/why-you-dont-need-a-vpn/) that you only need a VPN for three reasons:
|
||||
## Do I need a VPN?
|
||||
IVPN [argues](https://www.ivpn.net/blog/why-you-dont-need-a-vpn/) you only need a VPN for three reasons. Mainly, in order to:
|
||||
|
||||
<details>
|
||||
1. Hide your real IP address from websites and peer-to-peer networks, which prevents ISPs and mobile carriers from tracking your online activity.
|
||||
|
||||
1. Maintaining control over your privacy by hiding your real IP address from websites and peer-to-peer nodes, preventing ISPs and mobile network operators from tracking the domains and IPs you visit.
|
||||
2. Guard against [man in the middle](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) and other [common attacks](https://en.wikipedia.org/wiki/Evil_twin_(wireless_networks)) on public Wi-Fi networks in places like airports, hotels, cafes, and libraries.
|
||||
|
||||
2. Protecting your connection from [man in the middle](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) and other [common attacks](https://en.wikipedia.org/wiki/Evil_twin_(wireless_networks)) on untrusted networks, such as Wi-Fi in airports, hotels, cafes, and libraries.
|
||||
3. Bypass censorship or geographic restrictions, allowing you to access blocked websites and content.
|
||||
|
||||
3. Circumventing censorship or geographical blocks on websites and content, allowing you to retrieve otherwise inaccessible information and media.
|
||||
</details>
|
||||
|
||||
You don't need a VPN unless your [threat model](https://thenewoil.org/en/guides/prologue/threat-model/) demands it. Here are VPN suggestions from [Techlore](https://www.techlore.tech/vpn.html) and [Tom Spark Reviews](https://www.vpntierlist.com/vpn-tier-list-2024) if it does.
|
||||
Ultimately, you don't need a VPN unless your [threat model](https://thenewoil.org/en/guides/prologue/threat-model/) demands it. Here are VPN suggestions from [Techlore](https://www.techlore.tech/vpn.html) and [Tom Spark Reviews](https://www.vpntierlist.com/vpn-tier-list-2024) if it does.
|
||||
|
||||
***
|
||||
# Mentions :books:
|
||||
|
||||
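Review bot: in the ISP answer, the new first paragraph says encryption "stops your ISP from seeing what websites you search for and visit", while the next paragraph says the ISP still sees destination IP addresses and "can guess you are visiting a website at that address". Scope the first claim to DNS queries only, for example "stops your ISP from reading your DNS lookups", so the two paragraphs agree. In the same paragraph, "DNS servers like Cloudflare or AWS" mixes a resolver operator with a hosting provider; name resolvers only. In the VPN list, the bare `<details>` has no `<summary>`, so the three reasons are hidden behind a default label directly after a sentence that ends in a colon; either drop the wrapper or add a summary.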