***
# Guidelines
1) Must pass the "[girlfriend test](https://www.urbandictionary.com/define.php?term=Grandma%20Test)"
2) Minimal allowlisting
***
# Security
### Threat Intelligence Feeds
 Use Threat Intelligence Feeds
### AI-Driven Threat Detection
 Enable AI-Driven Threat Detection
### Google Safe Browsing
 Enable Google Safe Browsing
### Cryptojacking Protection
 Enable Cryptojacking Protection → :radioactive: *Enabling may cause breakage (unlikely)*
### DNS Rebinding Protection
 Enable DNS Rebinding Protection → :radioactive: *Enabling may cause breakage (unlikely)*
### IDN Homograph Attacks Protection
 Enable Homograph Attacks Protection
### Typosquatting Protection
 Enable Typosquatting Protection
### Domain Generation Algorithms (DGAs) Protection
 Enable DGA Protection
### Block Newly Registered Domains (NRDs)
 Block Newly Registered Domains (NRDs) → :radioactive: *Enabling may cause breakage*
While there are legitimate NRDs, many are nefarious. Here's a recent (June 2022) incident of a scam NRD ([example](https://old.reddit.com/r/GaySoundsShitposts/comments/vr4fjf/be_gay_do_crime/) | commentary [1](https://old.reddit.com/r/gaybros/comments/vqb2q9/comment/iepjd69/) [2](https://old.reddit.com/r/gaybros/comments/vqb2q9/comment/ieoyygw/)). Another example is social media hacks where users click on links in there messages. Those are usually rogue NRDs.
This is marked as disabled because it will cause false positives. However, if you are comfortable allowlisting occasionally, **it is strongly encouraged that you enable this**. Selectively add NRDs to your allowlist; and if you add certain ones to your allowlist, **NEVER give sensitive information to a NRD!**
### Block Dynamic DNS Hostnames
 Enable Block Dynamic DNS Hostnames
### Block Parked Domains
 Block Parked Domains
### Block Top-Level Domains (TLDs)
```
.work
.fit
.surf
.asia
.tokyo
.info
.online
```
### Block Child Sexual Abuse Material
 Block Child Sexual Abuse Material
***
# Privacy
### Blocklists
NextDNS Ads & Trackers Blocklist
AdGuard DNS filter
oisd
1Hosts (Lite)
### Native Tracking Protection
:radioactive: *Enabling may cause breakage (unlikely)*
Add these brands according to what devices you use. There's no advantage in adding brands you don't own; however, there’s not a strong reason to omit unused brands either.
Xiaomi
Huawei
Samsung
Amazon Alexa
Windows
Apple
Roku
Sonos
### Block Disguised Third-Party Trackers
 Block Disguised Third-Party Trackers
### Allow Affiliate & Tracking Links
 Allow Affiliate & Tracking Links
***
# Parental Control
### YouTube Restricted Mode
 Enforce YouTube Restricted Mode → :radioactive: *Enabling may cause breakage*
### Block Bypass Methods
 Block Bypass Methods → :radioactive: *Enabling may cause breakage*
***
# Denylist
(optional) Most of these are blocked under [Block Dynamic DNS Hostnames](https://github.com/yokoffing/NextDNS-Config/edit/main/README.md#block-dynamic-dns-hostnames) (see [here](https://github.com/nextdns/metadata/blob/master/security/ddns/suffixes)).
pubnub.com
ddns.net
duckdns.org
hopto.org
linkpc.net
myddns.me
myftp.biz
myftp.org
ngrok.io
no-ip.biz
no-ip.org
portmap.host
portmap.io
publicvm.com
sytes.net
zapto.org
***
# Allowlist
if using Facebook and Instagram:
graph.facebook.com
graph.instagram.com
breaks CBS News (NextDNS Ads & Trackers Blocklist):
production-cmp.isgprivacy.cbsi.com
***
# Settings
### Block Page
 Enable Block Page → :radioactive: *Enabling may cause breakage if the NextDNS Root CA is not on your devices*
### Anonymized EDNS Client Subnet
 Enable Anonymized EDNS Client Subnet
### Cache Boost
 Enable Cache Boost
### CNAME Flattening
 Enable CNAME Flattening
### Web3 (optional)
 Enable Web3
***
# Credit
Forked from the [crssi](https://github.com/crssi/NextDNS-Config#readme) config. Some inputs came from the [scafroglia93](https://github.com/scafroglia93/nextdns-setting]) config while other changes are my own.
***