mirror of
https://github.com/yokoffing/NextDNS-Config.git
synced 2025-11-18 08:03:38 -05:00
173 lines
8.2 KiB
Markdown
173 lines
8.2 KiB
Markdown
***
|
||
# Guidelines
|
||
1) Must pass the "[girlfriend test](https://www.urbandictionary.com/define.php?term=Grandma%20Test)".
|
||
2) Follow the [law of diminishing returns](https://pmctraining.com/site/wp-content/uploads/2018/04/Law-of-Diminishing-Returns-CHART.png) by not overblocking (e.g., using [Energized Ultimate](https://old.reddit.com/r/nextdns/comments/v0wwjf/does_energized_ultimate_blocklist_contain/iak0a79/) or [1Hosts Xtra](https://old.reddit.com/r/nextdns/comments/vz9kla/at_last_nextdns_added_the_1host_xtra/ig7fkia/?context=3), blocking too many [TLDs](https://github.com/yokoffing/NextDNS-Config#block-top-level-domains-tlds), etc.).
|
||
|
||
***
|
||
|
||
# Security
|
||
### Threat Intelligence Feeds
|
||
 Use Threat Intelligence Feeds
|
||
### AI-Driven Threat Detection
|
||
 Enable AI-Driven Threat Detection
|
||
### Google Safe Browsing
|
||
 Enable Google Safe Browsing
|
||
### Cryptojacking Protection
|
||
 Enable Cryptojacking Protection
|
||
### DNS Rebinding Protection
|
||
 Enable DNS Rebinding Protection → :radioactive: *Enabling may cause breakage (unlikely)*
|
||
### IDN Homograph Attacks Protection
|
||
 Enable Homograph Attacks Protection
|
||
### Typosquatting Protection
|
||
 Enable Typosquatting Protection
|
||
### Domain Generation Algorithms (DGAs) Protection
|
||
 Enable DGA Protection
|
||
### Block Newly Registered Domains (NRDs)
|
||
 Block Newly Registered Domains (NRDs) → :radioactive: *Enabling may cause breakage*
|
||
<br>
|
||
<br> Criminals register [thousands](https://www.reddit.com/r/uBlockOrigin/comments/w64sqt/nearly_a_thousand_of_fake_urls_have_been_created) of fake domains every day. Many NRDs are nefarious while a few are legitimate.
|
||
|
||
[Here](https://old.reddit.com/r/GaySoundsShitposts/comments/vr4fjf/be_gay_do_crime/) is a recent [phishing](https://www.malwarebytes.com/glossary/phishing) scam using a NRD (commentary [1](https://old.reddit.com/r/gaybros/comments/vqb2q9/comment/iepjd69/) [2](https://old.reddit.com/r/gaybros/comments/vqb2q9/comment/ieoyygw/)). Another example is social media [account hacks](https://www.boldgrid.com/instagram-influencer-accounts-are-being-hacked-phishing-attacks/) where users click on links in their private messages.
|
||
|
||
Blocking NRDs will cause false positives [occasionally](https://old.reddit.com/r/InternetIsBeautiful/comments/w2wdro/comment/iguvg8y/?context=3); however, if you are comfortable allowlisting, it is **strongly encouraged** that you enable this. Selectively add NRDs to your allowlist; and if you do, **NEVER** give sensitive information to a NRD.
|
||
|
||
### Block Dynamic DNS Hostnames
|
||
 Enable Block Dynamic DNS Hostnames
|
||
<br>
|
||
<br> Widely used in [phishing campaigns](https://www.phishing.org/what-is-phishing), DDNS lets malicious actors quickly set up hostnames for free and without any validation or identity verification (see the list [here](https://github.com/nextdns/metadata/blob/master/security/ddns/suffixes)).
|
||
|
||
### Block Parked Domains
|
||
 Block Parked Domains
|
||
|
||
### Block Top-Level Domains (TLDs)
|
||
:radioactive: *Enabling may cause breakage*
|
||
|
||
```
|
||
.work
|
||
.fit
|
||
.surf
|
||
.info
|
||
.cam
|
||
.ci
|
||
.cf
|
||
.cn
|
||
.ga
|
||
.gq
|
||
.ml
|
||
.online
|
||
.tk
|
||
.top
|
||
```
|
||
|
||
References: [1](https://www.gomyitguy.com/blog-news-updates/malicious-domain-extensions) [2](https://www.spamhaus.org/statistics/tlds/) [3](https://thrivemyway.com/info-websites/) [4](https://www.bleepingcomputer.com/news/security/verified-twitter-accounts-hacked-to-send-fake-suspension-notices/)
|
||
|
||
### Block Child Sexual Abuse Material
|
||
 Block Child Sexual Abuse Material
|
||
|
||
***
|
||
|
||
# Privacy
|
||
### Blocklists
|
||
NextDNS Ads & Trackers Blocklist
|
||
oisd
|
||
1Hosts (Lite)
|
||
|
||
Use **1Hosts (Pro)** instead of **(Lite)** if you don't mind allowlisting occasionally and [reporting]() false positives.
|
||
|
||
### Native Tracking Protection
|
||
:radioactive: *Enabling may cause breakage (unlikely)*
|
||
|
||
Add these brands according to what devices you use. There's no advantage in adding brands you don't own; however, there’s no disadvantage in adding unused brands either.
|
||
|
||
Xiaomi
|
||
Huawei
|
||
Samsung
|
||
Amazon Alexa
|
||
Windows
|
||
Apple
|
||
Roku
|
||
Sonos
|
||
|
||
### Block Disguised Third-Party Trackers
|
||
 Block Disguised Third-Party Trackers
|
||
### Allow Affiliate & Tracking Links
|
||
 Allow Affiliate & Tracking Links
|
||
|
||
***
|
||
|
||
# Parental Control
|
||
### YouTube Restricted Mode
|
||
 Enforce YouTube Restricted Mode → :radioactive: *Enabling may cause breakage*
|
||
|
||
### Block Bypass Methods
|
||
 Block Bypass Methods → :radioactive: *Enabling may cause breakage*
|
||
|
||
***
|
||
|
||
# Denylist
|
||
|
||
N/A
|
||
|
||
***
|
||
|
||
# Allowlist
|
||
### Facebook
|
||
|
||
graph.facebook.com
|
||
|
||
### Apple device updates / Spotlight Search / Apple Music | [1](https://github.com/badmojr/1Hosts/issues/562) [2](https://github.com/badmojr/1Hosts/issues/536) [3](https://old.reddit.com/r/nextdns/comments/vz9kla/at_last_nextdns_added_the_1host_xtra/ig8zsnn/)
|
||
|
||
xp.apple.com
|
||
|
||
### Apple iMessage GIFs | [1](https://oisd.nl/excludes.php?w=smoot.apple.com) [2](https://github.com/badmojr/1Hosts/issues/560)
|
||
|
||
smoot.apple.com
|
||
|
||
### Microsoft Edge updates | [1](https://oisd.nl/excludes.php?w=browser.events.data.msn.com)
|
||
|
||
browser.events.data.msn.com
|
||
|
||
### Microsoft Office 365 | [1](https://github.com/badmojr/1Hosts/issues/565) [2](https://oisd.nl/excludes.php?w=mobile.pipe.aria.microsoft.com)
|
||
Disclaimer: You may only want to allowlist these requests if you're using the file collaboration features.
|
||
|
||
self.events.data.microsoft.com
|
||
mobile.pipe.aria.microsoft.com
|
||
|
||
### Xbox Live achievements / Microsoft "Your Phone" app | [1](https://github.com/lightswitch05/hosts/issues/161#issuecomment-614973289) [2](https://discourse.pi-hole.net/t/commonly-whitelisted-domains/212#xbox-live-18)
|
||
Disclaimer: I don't use Xbox, so I can't confirm these entries.
|
||
|
||
v10.events.data.microsoft.com
|
||
v20.events.data.microsoft.com
|
||
|
||
### [CBS News](https://www.cbsnews.com/live/#x) streaming
|
||
|
||
production-cmp.isgprivacy.cbsi.com
|
||
|
||
***
|
||
|
||
# Settings
|
||
### Block Page
|
||
 Enable Block Page → :radioactive: *Enabling may cause breakage if the NextDNS Root CA is not on your devices*
|
||
### Anonymized EDNS Client Subnet
|
||
 Enable Anonymized EDNS Client Subnet
|
||
### Cache Boost
|
||
 Enable Cache Boost
|
||
### CNAME Flattening
|
||
 Enable CNAME Flattening
|
||
### Web3
|
||
 Enable Web3
|
||
<br>
|
||
<br> (optional)
|
||
|
||
***
|
||
|
||
# Credit
|
||
Forked from the [crssi](https://github.com/crssi/NextDNS-Config#readme) config. Some inspiration came from the [scafroglia93](https://github.com/scafroglia93/nextdns-setting/blob/master/nextdns-setting.txt) config while other ideas are my own.
|
||
|
||
***
|
||
|
||
<div align='center'><a href='https://www.websitecounterfree.com'><img src='https://www.websitecounterfree.com/c.php?d=9&id=19651&s=1' border='0' alt='Free Website Counter'></a><br / ></div>
|
||
<div align='center'>23 July 2022</div>
|
||
|
||
|