[](https://github.com/yokoffing/NextDNS-Config/issues)
[](https://github.com/yokoffing/NextDNS-Config/issues?q=is%3Aissue+is%3Aclosed)
[](https://hits.seeyoufarm.com)
***
# Guidelines :bookmark:
1) Prevent overblocking by utilizing the [law of diminishing returns](https://pmctraining.com/site/wp-content/uploads/2018/04/Law-of-Diminishing-Returns-CHART.png) (e.g., using [sane](https://www.privacyguides.org/basics/threat-modeling/), quality [blocklists](https://github.com/yokoffing/NextDNS-Config#blocklists-1); allowing most [TLDs](https://github.com/yokoffing/NextDNS-Config#block-top-level-domains-tlds-1-2-3-4-5); etc.).
2) Pass the [girlfriend test](https://www.urbandictionary.com/define.php?term=Grandma%20Test) with few exceptions. These deviations are documented throughout the guide.
***
# Security :policeman:
Security settings protect your data from harm, theft, and unauthorized use.
### Threat Intelligence Feeds [1](https://github.com/nextdns/metadata/blob/master/security/threat-intelligence-feeds.json)
 Use Threat Intelligence Feeds
### AI-Driven Threat Detection
 Enable AI-Driven Threat Detection
### Google Safe Browsing [1](https://user-images.githubusercontent.com/11689349/107696360-d8dde800-6c7f-11eb-9882-cccc8d2065c5.jpg) [2](https://the8-bit.com/apple-proxies-google-safe-browsing-privacy/) [3](https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)#services-we-proxy-through-brave-servers)
 Enable Google Safe Browsing
### Cryptojacking Protection [1](https://github.com/nextdns/metadata/blob/master/security/cryptojacking.json)
 Enable Cryptojacking Protection
### DNS Rebinding Protection [1](https://help.nextdns.io/t/35hmval/what-is-dns-rebinding-protection) [2](https://www.reddit.com/r/nextdns/comments/t0ne8r/does_dns_rebinding_protection_block_remote_access/?context=3)
 Enable DNS Rebinding Protection
### IDN Homograph Attacks Protection
 Enable Homograph Attacks Protection
### Typosquatting Protection [1](https://github.com/nextdns/metadata/blob/master/security/typosquatting/protected-domains)
 Enable Typosquatting Protection
### Domain Generation Algorithms (DGAs) Protection
 Enable DGA Protection
### Block Newly Registered Domains (NRDs) [1](https://www.malwarebytes.com/glossary/phishing) [2](https://old.reddit.com/r/uBlockOrigin/comments/w64sqt/comment/ihboutk/?context=3) [3](https://www.boldgrid.com/instagram-influencer-accounts-are-being-hacked-phishing-attacks/)
:warning: Blocking NRDs may cause [false positives](https://csrc.nist.gov/glossary/term/false_positive) [occasionally](https://old.reddit.com/r/InternetIsBeautiful/comments/w2wdro/comment/iguvg8y/?context=3). Be selective when adding NRDs to your allowlist; and, if you do, **NEVER** give [sensitive information](https://www.egnyte.com/guides/governance/sensitive-information) to a NRD. *If you plan to [set-and-forget](https://glosbe.com/en/en/set-and-forget) your configuration, disable this setting.*
 Block Newly Registered Domains (NRDs)
### Block Dynamic DNS Hostnames [1](https://github.com/nextdns/metadata/blob/master/security/ddns/suffixes) [2](https://twitter.com/NextDNS/status/1541740963760144386?cxt=HHwWhIC8iZ7PruUqAAAA) [3](https://www.phishing.org/what-is-phishing)
 Enable Block Dynamic DNS Hostnames
### Block Parked Domains [1](https://github.com/nextdns/metadata/blob/master/security/parked-domains-cname)
 Block Parked Domains
### Block Top-Level Domains (TLDs) [1](https://webtribunal.net/blog/tld-statistics/) [2](https://www.spamhaus.org/statistics/tlds/) [3](https://www.bleepingcomputer.com/news/security/verified-twitter-accounts-hacked-to-send-fake-suspension-notices/) [4](https://github.com/iam-py-test/my_filters_001/blob/main/enhanced_protection.txt)
:warning: Blocking [TLDs](https://www.geeksforgeeks.org/components-of-a-url/) will cause [false positives](https://csrc.nist.gov/glossary/term/false_positive). However, blocking the entries below should allow for everyday browsing while offering protection against commonly abused TLDs. You may still need to [allowlist](https://github.com/yokoffing/NextDNS-Config#allowlist-white_check_mark) sites on occasion. *If you plan to [set-and-forget](https://glosbe.com/en/en/set-and-forget) your configuration, skip this setting.*
```
.work
.fit
.surf
.tokyo
.cn
-
.agency
.associates
.bid
.buzz
.cam
.casa
.cf
.ci
.cricket
.discount
.financial
.fit
.fun
.ga
.gq
.icu
.live
.loan
.ml
.monster
.online
.ooo
.rest
.shop
.tk
.top
.wang
.webcam
.win
```
### Block Child Sexual Abuse Material
 Block Child Sexual Abuse Material
***
# Privacy :lock:
Privacy features block certain requests so that companies cannot track your information and browsing history.
Privacy is a [spectrum](https://blog.thenewoil.org/the-privacy-myth-binary-vs-spectrum). What you need varies on your [threat model](https://thenewoil.org/threatmodel.html), interest, and skillset. (You can watch [this short video](https://youtu.be/Wpkh-hfULgE) to understand the difference between security and privacy.)
### Blocklists [1](https://github.com/nextdns/metadata/tree/master/privacy/blocklists)
Blocklists are community generated lists that block ads and [trackers](https://www.freecodecamp.org/news/what-you-should-know-about-web-tracking-and-how-it-affects-your-online-privacy-42935355525/). Filters can be categorized into five tiers of coverage:
1) **None**: no breakage; NextDNS still protects against malicious threats (à la [security settings](https://github.com/yokoffing/NextDNS-Config#security-cop)) but will allow ads and trackers
2) **Basic**: rare breakage; prioritizes functionality over blocking; *very* forgiving; ideal for router profiles
3) **Balanced**: minimal breakage; should not interfere with everyday browsing; largely [set-and-forget](https://glosbe.com/en/en/set-and-forget) but you may need to allowlist occasionally
4) **Strict**: moderate breakage; prioritizes privacy over user experience; must [manage your allowlist](https://github.com/yokoffing/NextDNS-Config#allowlist-white_check_mark) regularly
5) **Aggressive**: excessive breakage; use on a separate profile to [lockdown single-purpose devices](https://old.reddit.com/r/nextdns/comments/uqap3n/comment/i8q8alf/?context=3)
Here's a compliation of popular blocklists available in NextDNS:
| Basic | Balanced | Strict | Aggressive |
|:---------------------------------: |:---------------------------------: |:------------------------------: |:----------------------------------------: |
| 1Hosts (mini) | 1Hosts (Lite) | 1Hosts (Pro) | 1Hosts (Xtra) |
| oisd | oisd | NextDNS Ads & Trackers Blocklist | Goodbye Ads |
| | NoTrack Tracker Blocklist | Lightswitch05 - Ads & Tracking | Energized Ultimate |
:bulb: The **Balanced** tier is recommended for the average user, based on my testing and user feedback.[1](https://old.reddit.com/r/nextdns/comments/s2gzc5/oisd_vs_1hostsminiliteproxtra/hsgmp5n/) [2](https://old.reddit.com/r/nextdns/comments/xoyyw2/nextdns_as_a_set_it_and_forget_it_solution/iq1k6tx/) [3](https://old.reddit.com/r/nextdns/comments/vuon2a/one_profile_for_lan_devices_another_profile_for/iffegc5/?context=2) [4](https://old.reddit.com/r/nextdns/comments/vn8olr/please_could_someone_recommend_me_a_good/ie5meel/?context=2)
### Native Tracking Protection [1](https://github.com/nextdns/metadata/tree/master/privacy/native)
Add all the device brands that you use. There's no advantage in adding brands you don't have; however, there’s no disadvantage in adding unused brands, either.
Xiaomi
Huawei
Samsung
Amazon Alexa
Windows
Apple
Roku
Sonos
### Block Disguised Third-Party Trackers [1](https://github.com/nextdns/cname-cloaking-blocklist/blob/master/domains) [2](https://medium.com/nextdns/cname-cloaking-the-dangerous-disguise-of-third-party-trackers-195205dc522a) [3](https://arxiv.org/pdf/2102.09301.pdf) [4](https://tma.ifip.org/2020/wp-content/uploads/sites/9/2020/06/tma2020-camera-paper66.pdf)
 Block Disguised Third-Party Trackers
### Allow Affiliate & Tracking Links [1](https://github.com/nextdns/metadata/blob/master/privacy/affiliate-tracking-domains) [2](https://twitter.com/NextDNS/status/1539229377560461312)
:bulb: Your IP address will automatically be hidden (via [TCP](https://www.educba.com/what-is-tcp-ip/) [proxying](https://en.wikipedia.org/wiki/Proxy_server#/media/File:Proxy_concept_en.svg)) to preserve your privacy.
 Allow Affiliate & Tracking Links
***
# Parental Control :family_man_woman_boy:
### YouTube Restricted Mode
 Enforce YouTube Restricted Mode
### Block Bypass Methods [1](https://github.com/nextdns/metadata/tree/master/parentalcontrol)
 Block Bypass Methods
***
# Denylist :no_entry:
Denylist entries block any requests from that source.
***
# Allowlist :white_check_mark:
Allowlist entries override any blocks.
### Facebook / Instagram
graph.facebook.com
graph.instagram.com
i.instagram.com
### Apple device updates [1](https://github.com/badmojr/1Hosts/issues/536) / Apple Music [2](https://old.reddit.com/r/nextdns/comments/vz9kla/at_last_nextdns_added_the_1host_xtra/ig8zsnn/)
xp.apple.com
### Apple iMessage GIFs [1](https://github.com/badmojr/1Hosts/issues/560) / Spotlight Search [2](https://github.com/badmojr/1Hosts/issues/562)
smoot.apple.com
### Zoom [1](https://oisd.nl/excludes.php?w=log.zoom.us) [2](https://oisd.nl/excludes.php?w=us04logfiles.zoom.us)
logfiles.zoom.us
us04logfiles.zoom.us
us04zpns.zoom.us
### Epic Games Launcher [1](https://github.com/badmojr/1Hosts/issues/643)
eulatracking-public-service-prod06.ol.epicgames.com
### NVIDIA Gefore Experience [1](https://github.com/badmojr/1Hosts/issues/650)
gfe.nvidia.com
nvgs.nvidia.cn
### [imgur](https://imgur.com/) [1](https://github.com/lightswitch05/hosts/issues/358)
js.media-lab.ai
### [Spectrum](https://www.spectrum.net) login [1](https://github.com/badmojr/1Hosts/issues/640)
pov.spectrum.net
### [CBS](https://www.cbsnews.com/live/#x) News livestream [1](https://github.com/nextdns/metadata/issues/1030)
production-cmp.isgprivacy.cbsi.com
### [FiveThirtyEight](https://fivethirtyeight.com/) videos / National Geographic website
dcf.espn.com
### [Men's Health](https://www.menshealth.com/nutrition/a40868905/chris-hemsworth-chicken-pasta-bake-recipe-centr/) videos [1](https://github.com/badmojr/1Hosts/issues/651)
glimmer.hearstapps.com
***
# Settings :gear:
### Block Page
 Enable Block Page → :warning: *Enabling may cause breakage if the [NextDNS Root CA](https://help.nextdns.io/t/g9hmv0a/how-to-install-and-trust-nextdns-root-ca) is not on your devices*
### Anonymized EDNS Client Subnet [1](https://help.nextdns.io/t/m1hmv04/what-is-edns-client-subnet-ecs)
 Enable Anonymized EDNS Client Subnet
### Cache Boost [1](https://old.reddit.com/r/nextdns/comments/girmcf/new_setting_cache_boost/)
 Enable Cache Boost
### CNAME Flattening [1](https://medium.com/nextdns/nextdns-added-cname-uncloaking-support-becomes-the-first-cross-platform-solution-to-the-problem-e3f437f84342) [2](https://developers.cloudflare.com/dns/additional-options/cname-flattening) [3](https://advancedweb.hu/what-is-cname-flattening-and-how-it-helps-redirecting-the-apex-domain/)
 Enable CNAME Flattening
### Web3 [1](https://twitter.com/NextDNS/status/1491034351391305731) [2](https://gabygoldberg.notion.site/f7050e62461143d49345e7b46eb5576b)
 Enable Web3
(optional)
***
# FAQ :question:
### How do I signup for NextDNS?
Click [here](https://nextdns.io/?from=xujj63g5)!
### Do I still need an adblocker with NextDNS?
Yes. [1](https://help.nextdns.io/t/x2hzbps/using-nextdns-why-is-ublock-origin-still-catching-lots-of-ads) [2](https://github.com/gorhill/uBlock/wiki/About-%22Why-uBlock-Origin-works-so-much-better-than-Pi%E2%80%91hole-does%3F%22) [3](https://old.reddit.com/r/nextdns/comments/t8qn8c/comment/hzqrrfa/?context=3)
***
# Mentions :books:
Here: [1](https://old.reddit.com/r/moddedandroidapps/comments/wbud1e/aerowitter_twifucker_non_root_twitter_mod/iiloq0p/?context=2) [2](https://old.reddit.com/r/nextdns/comments/xoyyw2/nextdns_as_a_set_it_and_forget_it_solution/?context=3)
***
23 July 2022