Guidelines
- Must pass the "girlfriend test".
- Follow the law of diminishing returns by not overblocking (e.g., using Energized Ultimate or 1Hosts Xtra, blocking too many TLDs, etc.).
Security
Threat Intelligence Feeds
Use Threat Intelligence Feeds
AI-Driven Threat Detection
Enable AI-Driven Threat Detection
Google Safe Browsing
Enable Google Safe Browsing
Cryptojacking Protection
Enable Cryptojacking Protection
DNS Rebinding Protection
Enable DNS Rebinding Protection → ☢️ Enabling may cause breakage (unlikely)
IDN Homograph Attacks Protection
Enable Homograph Attacks Protection
Typosquatting Protection
Enable Typosquatting Protection
Domain Generation Algorithms (DGAs) Protection
Enable DGA Protection
Block Newly Registered Domains (NRDs)
Block Newly Registered Domains (NRDs) → ☢️ Enabling may cause breakage
Criminals register thousands of fake domains every day. Many NRDs are nefarious while a few are legitimate.
Here is a recent phishing scam using a NRD (commentary 1 2). Another example is social media account hacks where users click on links in their private messages.
Blocking NRDs will cause false positives occasionally; however, if you are comfortable allowlisting, it is strongly encouraged that you enable this. Selectively add NRDs to your allowlist; and if you do, NEVER give sensitive information to a NRD.
Block Dynamic DNS Hostnames
Enable Block Dynamic DNS Hostnames
Widely used in phishing campaigns, DDNS lets malicious actors quickly set up hostnames for free and without any validation or identity verification (see the list here).
Block Parked Domains
Block Parked Domains
Block Top-Level Domains (TLDs)
☢️ Enabling may cause breakage
.work
.fit
.surf
.info
.cam
.ci
.cf
.cn
.ga
.gq
.ml
.online
.tk
.top
Block Child Sexual Abuse Material
Block Child Sexual Abuse Material
Privacy
Blocklists
NextDNS Ads & Trackers Blocklist
oisd
1Hosts (Lite)
Use 1Hosts (Pro) instead of (Lite) if you don't mind allowlisting occasionally and reporting false positives.
Native Tracking Protection
☢️ Enabling may cause breakage (unlikely)
Add these brands according to what devices you use. There's no advantage in adding brands you don't own; however, there’s no disadvantage in adding unused brands either.
Xiaomi
Huawei
Samsung
Amazon Alexa
Windows
Apple
Roku
Sonos
Block Disguised Third-Party Trackers
Block Disguised Third-Party Trackers
Allow Affiliate & Tracking Links
Allow Affiliate & Tracking Links
Parental Control
YouTube Restricted Mode
Enforce YouTube Restricted Mode → ☢️ Enabling may cause breakage
Block Bypass Methods
Block Bypass Methods → ☢️ Enabling may cause breakage
Denylist
N/A
Allowlist
graph.facebook.com
Apple device updates / Spotlight Search / Apple Music | 1 2 3
xp.apple.com
Apple iMessage GIFs | 1 2
smoot.apple.com
Microsoft Edge updates | 1
browser.events.data.msn.com
Microsoft Office 365 | 1 2
Disclaimer: You may only want to allowlist these requests if you're using the file collaboration features.
self.events.data.microsoft.com
mobile.pipe.aria.microsoft.com
Xbox Live achievements / Microsoft "Your Phone" app | 1 2
Disclaimer: I don't use Xbox, so I can't confirm these entries.
v10.events.data.microsoft.com
v20.events.data.microsoft.com
CBS News streaming
production-cmp.isgprivacy.cbsi.com
Settings
Block Page
Enable Block Page → ☢️ Enabling may cause breakage if the NextDNS Root CA is not on your devices
Anonymized EDNS Client Subnet
Enable Anonymized EDNS Client Subnet
Cache Boost
Enable Cache Boost
CNAME Flattening
Enable CNAME Flattening
Web3
Enable Web3
(optional)
Credit
Forked from the crssi config. Some inspiration came from the scafroglia93 config while other ideas are my own.