[](https://github.com/yokoffing/NextDNS-Config/issues)
[](https://github.com/yokoffing/NextDNS-Config/issues?q=is%3Aissue+is%3Aclosed)
[](https://hits.seeyoufarm.com)
***
# Guidelines :bookmark:
1) Prevent overblocking by utilizing the [law of diminishing returns](https://pmctraining.com/site/wp-content/uploads/2018/04/Law-of-Diminishing-Returns-CHART.png) (e.g., using [sane](https://www.privacyguides.org/basics/threat-modeling/), quality [blocklists](https://github.com/yokoffing/NextDNS-Config#blocklists-1); allowing most [TLDs](https://github.com/yokoffing/NextDNS-Config#block-top-level-domains-tlds-1-2-3-4-5); etc.).
2) Pass the [girlfriend test](https://www.urbandictionary.com/define.php?term=Grandma%20Test) with few exceptions. These deviations are documented throughout the guide.
***
# Security :policeman:
Security settings protect your data from harm, theft, and unauthorized use.
### Threat Intelligence Feeds [1](https://github.com/nextdns/metadata/blob/master/security/threat-intelligence-feeds.json)
 Use Threat Intelligence Feeds
### AI-Driven Threat Detection
 Enable AI-Driven Threat Detection
### Google Safe Browsing [1](https://user-images.githubusercontent.com/11689349/107696360-d8dde800-6c7f-11eb-9882-cccc8d2065c5.jpg) [2](https://the8-bit.com/apple-proxies-google-safe-browsing-privacy/) [3](https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)#services-we-proxy-through-brave-servers)
 Enable Google Safe Browsing
### Cryptojacking Protection [1](https://github.com/nextdns/metadata/blob/master/security/cryptojacking.json)
 Enable Cryptojacking Protection
### DNS Rebinding Protection [1](https://help.nextdns.io/t/35hmval/what-is-dns-rebinding-protection) [2](https://www.reddit.com/r/nextdns/comments/t0ne8r/does_dns_rebinding_protection_block_remote_access/?context=3)
 Enable DNS Rebinding Protection
### IDN Homograph Attacks Protection
 Enable Homograph Attacks Protection
### Typosquatting Protection [1](https://github.com/nextdns/metadata/blob/master/security/typosquatting/protected-domains)
 Enable Typosquatting Protection
### Domain Generation Algorithms (DGAs) Protection
 Enable DGA Protection
### Block Newly Registered Domains (NRDs) [1](https://www.malwarebytes.com/glossary/phishing) [2](https://old.reddit.com/r/uBlockOrigin/comments/w64sqt/comment/ihboutk/?context=3) [3](https://www.boldgrid.com/instagram-influencer-accounts-are-being-hacked-phishing-attacks/)
:warning: Blocking NRDs may cause [false positives](https://csrc.nist.gov/glossary/term/false_positive) [occasionally](https://old.reddit.com/r/InternetIsBeautiful/comments/w2wdro/comment/iguvg8y/?context=3). Be selective when adding NRDs to your allowlist; and, if you do, **NEVER** give [sensitive information](https://www.egnyte.com/guides/governance/sensitive-information) to a NRD. *If you plan to [set-and-forget](https://glosbe.com/en/en/set-and-forget) your configuration, disable this setting.*
 Block Newly Registered Domains (NRDs)
### Block Dynamic DNS Hostnames [1](https://github.com/nextdns/metadata/blob/master/security/ddns/suffixes) [2](https://twitter.com/NextDNS/status/1541740963760144386?cxt=HHwWhIC8iZ7PruUqAAAA) [3](https://www.phishing.org/what-is-phishing)
 Enable Block Dynamic DNS Hostnames
### Block Parked Domains [1](https://github.com/nextdns/metadata/blob/master/security/parked-domains-cname)
 Block Parked Domains
### Block Top-Level Domains (TLDs) [1](https://webtribunal.net/blog/tld-statistics/) [2](https://www.spamhaus.org/statistics/tlds/) [3](https://www.bleepingcomputer.com/news/security/verified-twitter-accounts-hacked-to-send-fake-suspension-notices/) [4](https://github.com/iam-py-test/my_filters_001/blob/main/enhanced_protection.txt) [5](https://github.com/DandelionSprout/adfilt/blob/master/Dandelion%20Sprout's%20Anti-Malware%20List.txt)
:warning: Blocking [TLDs](https://www.geeksforgeeks.org/components-of-a-url/) will cause [false positives](https://csrc.nist.gov/glossary/term/false_positive). However, the entries below should allow for everyday browsing while offering protection against **commonly abused** TLDs. You may need to [allowlist](https://github.com/yokoffing/NextDNS-Config#allowlist-white_check_mark) sites on a rare occasion. *If you plan to [set-and-forget](https://glosbe.com/en/en/set-and-forget) your configuration, skip this setting.*
```
optional = greater likelihood of breaking legitimate sites
.work
.fit
.surf
.tokyo
.cn
-
.agency
.associates
.bid
.buzz
.cam
.casa
.cf (optional)
.ci
.cricket
.discount
.financial
.fit
.fun
.ga (optional)
.gdn
.gq
.icu
.live
.loan
.ml (optional)
.monster (optional)
.online
.ooo
.pw (optional)
.rest
.sbs
.shop
.tk (optional)
.top (optional)
.wang
.webcam
.win
```
### Block Child Sexual Abuse Material
 Block Child Sexual Abuse Material
***
# Privacy :lock:
Privacy features block certain requests so that companies cannot track your information and browsing history.
Privacy is a [spectrum](https://blog.thenewoil.org/the-privacy-myth-binary-vs-spectrum). What you need varies on your [threat model](https://thenewoil.org/threatmodel.html), interest, and skillset. (You can watch [this short video](https://youtu.be/Wpkh-hfULgE) to understand the difference between security and privacy.)
### Blocklists [1](https://github.com/nextdns/metadata/tree/master/privacy/blocklists)
Blocklists are community generated lists that block ads and [trackers](https://www.freecodecamp.org/news/what-you-should-know-about-web-tracking-and-how-it-affects-your-online-privacy-42935355525/). Filters can be categorized into five tiers of coverage:
1) **None**: no breakage; NextDNS still protects against malicious threats (à la [security settings](https://github.com/yokoffing/NextDNS-Config#security-cop)) but will allow ads and trackers
2) **Basic**: rare breakage; prioritizes functionality over blocking; *very* forgiving; ideal for router profiles
3) **Balanced**: minimal breakage; should not interfere with everyday browsing; largely [set-and-forget](https://glosbe.com/en/en/set-and-forget) but you may need to allowlist occasionally
4) **Strict**: moderate breakage; prioritizes privacy over user experience; must [manage your allowlist](https://github.com/yokoffing/NextDNS-Config#allowlist-white_check_mark) regularly
5) **Aggressive**: excessive breakage; use on a separate profile to [lockdown single-purpose devices](https://old.reddit.com/r/nextdns/comments/uqap3n/comment/i8q8alf/?context=3)
Here's a compliation of popular blocklists available in NextDNS:
| Basic | Balanced | Strict | Aggressive |
|:---------------------------------: |:---------------------------------: |:------------------------------: |:----------------------------------------: |
| 1Hosts (mini) | 1Hosts (Lite) | 1Hosts (Pro) | 1Hosts (Xtra) |
| oisd | oisd | NextDNS Ads & Trackers Blocklist | Goodbye Ads |
| | NoTrack Tracker Blocklist | Lightswitch05 - Ads & Tracking | Energized Ultimate |
:bulb: The **Balanced** tier is recommended for the average user, based on my testing and user feedback.[1](https://old.reddit.com/r/nextdns/comments/s2gzc5/oisd_vs_1hostsminiliteproxtra/hsgmp5n/) [2](https://old.reddit.com/r/nextdns/comments/xoyyw2/nextdns_as_a_set_it_and_forget_it_solution/iq1k6tx/) [3](https://old.reddit.com/r/nextdns/comments/vuon2a/one_profile_for_lan_devices_another_profile_for/iffegc5/?context=2) [4](https://old.reddit.com/r/nextdns/comments/vn8olr/please_could_someone_recommend_me_a_good/ie5meel/?context=2)
### Native Tracking Protection [1](https://github.com/nextdns/metadata/tree/master/privacy/native)
Add all the device brands that you use. There's no advantage in adding brands you don't have; however, there’s no disadvantage in adding unused brands, either.
Xiaomi
Huawei
Samsung
Amazon Alexa
Windows
Apple
Roku
Sonos
### Block Disguised Third-Party Trackers [1](https://github.com/nextdns/cname-cloaking-blocklist/blob/master/domains) [2](https://medium.com/nextdns/cname-cloaking-the-dangerous-disguise-of-third-party-trackers-195205dc522a) [3](https://arxiv.org/pdf/2102.09301.pdf) [4](https://tma.ifip.org/2020/wp-content/uploads/sites/9/2020/06/tma2020-camera-paper66.pdf)
 Block Disguised Third-Party Trackers
### Allow Affiliate & Tracking Links [1](https://github.com/nextdns/metadata/blob/master/privacy/affiliate-tracking-domains) [2](https://twitter.com/NextDNS/status/1539229377560461312)
:bulb: Your IP address will automatically be hidden (via [TCP](https://www.educba.com/what-is-tcp-ip/) [proxying](https://en.wikipedia.org/wiki/Proxy_server#/media/File:Proxy_concept_en.svg)) to preserve your privacy.
 Allow Affiliate & Tracking Links
***
# Parental Control :family_man_woman_boy:
### YouTube Restricted Mode
 Enforce YouTube Restricted Mode
### Block Bypass Methods [1](https://github.com/nextdns/metadata/tree/master/parentalcontrol)
 Block Bypass Methods
***
# Denylist :no_entry:
Denylist entries block any requests from that source.
### Junk surveillance software
spappmonitoring.com
a-spy.com
alltracker.org
aispyer.com
***
# Allowlist :white_check_mark:
Allowlist entries override any blocks. Entries below may be needed for `Strict` and `Aggressive` [blocklists](https://github.com/yokoffing/NextDNS-Config#blocklists-1).
### Facebook / Instagram [1](https://github.com/jerryn70/GoodbyeAds/issues/309)
graph.facebook.com
graph.instagram.com
i.instagram.com
### YouTube history [1](https://blocklist-tools.developerdan.com/entries/search?q=s.youtube.com)
s.youtube.com
### Apple device updates [1](https://github.com/badmojr/1Hosts/issues/536) / Apple Music [2](https://old.reddit.com/r/nextdns/comments/vz9kla/at_last_nextdns_added_the_1host_xtra/ig8zsnn/)
xp.apple.com
### Apple iMessage GIFs [1](https://github.com/badmojr/1Hosts/issues/560) / Spotlight Search [2](https://github.com/badmojr/1Hosts/issues/562)
smoot.apple.com
### Xiaomi device updates [1](https://blocklist-tools.developerdan.com/entries/search?q=update.intl.miui.com)
update.intl.miui.com
### Zoom [1](https://oisd.nl/excludes.php?w=log.zoom.us) [2](https://oisd.nl/excludes.php?w=us04logfiles.zoom.us)
logfiles.zoom.us
us04logfiles.zoom.us
us04zpns.zoom.us
### Epic Games Launcher [1](https://github.com/badmojr/1Hosts/issues/643)
eulatracking-public-service-prod06.ol.epicgames.com
### NVIDIA Gefore Experience [1](https://github.com/badmojr/1Hosts/issues/650)
gfe.nvidia.com
nvgs.nvidia.cn
### [imgur](https://imgur.com/) [1](https://github.com/lightswitch05/hosts/issues/358)
js.media-lab.ai
### [Spectrum](https://www.spectrum.net) login [1](https://github.com/badmojr/1Hosts/issues/640)
pov.spectrum.net
### [CBS](https://www.cbsnews.com/live/#x) News livestream [1](https://github.com/nextdns/metadata/issues/1030)
production-cmp.isgprivacy.cbsi.com
### [FiveThirtyEight](https://fivethirtyeight.com/) videos / [National Geographic](https://www.nationalgeographic.com/) website
dcf.espn.com
### [Men's Health](https://www.menshealth.com/nutrition/a40868905/chris-hemsworth-chicken-pasta-bake-recipe-centr/) videos [1](https://github.com/badmojr/1Hosts/issues/651)
glimmer.hearstapps.com
***
# Settings :gear:
### Block Page
 Enable Block Page → :warning: *Enabling may cause breakage if the [NextDNS Root CA](https://help.nextdns.io/t/g9hmv0a/how-to-install-and-trust-nextdns-root-ca) is not on your devices*
### Anonymized EDNS Client Subnet [1](https://help.nextdns.io/t/m1hmv04/what-is-edns-client-subnet-ecs)
 Enable Anonymized EDNS Client Subnet
### Cache Boost [1](https://old.reddit.com/r/nextdns/comments/girmcf/new_setting_cache_boost/)
 Enable Cache Boost
### CNAME Flattening [1](https://medium.com/nextdns/nextdns-added-cname-uncloaking-support-becomes-the-first-cross-platform-solution-to-the-problem-e3f437f84342) [2](https://developers.cloudflare.com/dns/additional-options/cname-flattening) [3](https://advancedweb.hu/what-is-cname-flattening-and-how-it-helps-redirecting-the-apex-domain/)
 Enable CNAME Flattening
### Web3 [1](https://twitter.com/NextDNS/status/1491034351391305731) [2](https://gabygoldberg.notion.site/f7050e62461143d49345e7b46eb5576b)
 Enable Web3
(optional)
***
# FAQ :question:
### How do I signup for NextDNS?
Click [here](https://nextdns.io/?from=xujj63g5)!
### Can I block YouTube ads with NextDNS only?
No, [you can't](https://discourse.pi-hole.net/t/how-do-i-block-ads-on-youtube/253/2) block them using only DNS-level blocking (see below).
### Do I still need an adblocker with NextDNS? [1](https://help.nextdns.io/t/x2hzbps/using-nextdns-why-is-ublock-origin-still-catching-lots-of-ads)
Yes. On desktops, [Firefox](https://www.mozilla.org/en-US/firefox/new/) with [uBlock Origin](https://addons.mozilla.org/blog/ublock-origin-everything-you-need-to-know-about-the-ad-blocker/) is highly recommended:
* [Cosmetic filters](https://github.com/gorhill/uBlock/wiki/Does-uBlock-Origin-block-ads-or-just-hide-them%3F#cosmetic-filters) to hide first-party ads (e.g., [YouTube ads](https://discourse.pi-hole.net/t/how-do-i-block-ads-on-youtube/253)), [ad-placeholders](https://www.dslreports.com/forum/r33005057-How-to-block-the-spaces-taken-up-by-blocked-ads), web [annoyances]((https://old.reddit.com/r/nextdns/comments/t8qn8c/comment/hzqrrfa/?context=3)), etc.
* [Block DNS requests](https://old.reddit.com/r/firefox/comments/l7xetb/network_priority_for_firefoxs_enhanced_tracking/gle2mqn/?web2x=&context=3) from being sent in the first place ([Firefox only](https://github.com/gorhill/uBlock/wiki/Dashboard:-Settings#disable-prefetching)) [1](https://help.nextdns.io/t/x2hzbps/using-nextdns-why-is-ublock-origin-still-catching-lots-of-ads)
* Read the full list of advantages [here](https://github.com/gorhill/uBlock/wiki/About-%22Why-uBlock-Origin-works-so-much-better-than-Pi%E2%80%91hole-does%3F%22)
***
# Mentions :books:
User Comments:
[1](https://old.reddit.com/r/moddedandroidapps/comments/wbud1e/aerowitter_twifucker_non_root_twitter_mod/iiloq0p/?context=2)
[2](https://old.reddit.com/r/nextdns/comments/xoyyw2/nextdns_as_a_set_it_and_forget_it_solution/?context=3)
#### Guides
* [FMHY DNS Adblocking](https://github.com/nbats/FMHYedit/blob/main/AdblockVPNGuide.md#-dns-adblocking)
#### Contributor
* [1Hosts](https://github.com/badmojr/1Hosts/issues?q=is%3Aissue+author%3Ayokoffing+)
* [Easylist](https://github.com/easylist/easylist/issues?q=is%3Aissue+author%3Ayokoffing+)
* [AdGuard](https://github.com/AdguardTeam/AdguardFilters/issues?q=is%3Aissue+author%3Ayokoffing+)
* [uBlock Origin](https://github.com/uBlockOrigin/uAssets/issues?q=is%3Aissue+author%3Ayokoffing+)
***
23 July 2022