Guidelines
- Must pass the girlfriend test (a non-technical household member should not notice the filtering), with few exceptions. These deviations are documented throughout the guide.
- Follow the law of diminishing returns: do not overblock (e.g., with overly aggressive blocklists or by restricting too many TLDs).
Security
Threat Intelligence Feeds 1
AI-Driven Threat Detection
Enable AI-Driven Threat Detection
Google Safe Browsing 1 2 3 4
Cryptojacking Protection 1
Enable Cryptojacking Protection
DNS Rebinding Protection 1
Enable DNS Rebinding Protection → ☢️ Enabling may cause breakage (unlikely)
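What this setting actually filters, as an added example (my own illustration, not NextDNS code): a resolver with rebinding protection drops answers for public names that point at addresses a client on your LAN could reach directly. The attack loads a page from an attacker's name, then re-points that name at 192.168.1.1 or 127.0.0.1 with a short TTL, so the page's origin now talks to your router or local services. The address ranges, the `evil.example`/`cdn.example` names and the answer list below are constructed for the demonstration.

```python
import ipaddress

# Ranges a rebinding filter refuses to return for a public hostname.
# This list is an assumption for the example; NextDNS does not publish its exact set.
FILTERED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",          # "this" network; 0.0.0.0 reaches localhost on Linux
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",      # CGNAT / shared address space
    "127.0.0.0/8",        # loopback
    "169.254.0.0/16",     # link-local, incl. cloud metadata 169.254.169.254
    "::/128", "::1/128",  # IPv6 unspecified and loopback
    "fc00::/7",           # unique local
    "fe80::/10",          # link-local
)]

def is_rebinding_answer(rdata: str) -> bool:
    """True if an A/AAAA rdata points at an address rebinding protection should drop."""
    try:
        ip = ipaddress.ip_address(rdata)
    except ValueError:
        return False                      # not an address literal (e.g. a CNAME target)
    # ::ffff:192.168.1.1 is the IPv4-mapped bypass; check the embedded IPv4 too.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in FILTERED)

# Constructed (name, rdata) pairs as a resolver might see them over time.
ANSWERS = [
    ("evil.example", "203.0.113.10"),      # public: the attacker's web server
    ("evil.example", "192.168.1.1"),       # rebound to the victim's router
    ("evil.example", "127.0.0.1"),
    ("evil.example", "0.0.0.0"),
    ("evil.example", "169.254.169.254"),
    ("evil.example", "::ffff:10.0.0.5"),   # IPv4-mapped IPv6
    ("evil.example", "fd12:3456::1"),
    ("cdn.example",  "2001:db8::10"),      # public IPv6 (documentation prefix)
]

def filter_answers(answers):
    """Split answers into (kept, dropped) the way a protecting resolver would."""
    kept, dropped = [], []
    for name, rdata in answers:
        (dropped if is_rebinding_answer(rdata) else kept).append((name, rdata))
    return kept, dropped

if __name__ == "__main__":
    kept, dropped = filter_answers(ANSWERS)
    for name, rdata in dropped:
        print(f"dropped {name} -> {rdata}")
    print("kept:", kept)
```

The breakage this causes is the legitimate version of the same pattern: split-horizon or self-hosted setups where a public hostname intentionally resolves to a LAN address. If you run one, allowlist that name or leave the setting off.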
IDN Homograph Attacks Protection
Enable Homograph Attacks Protection
Typosquatting Protection 1
Enable Typosquatting Protection
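The two checks behind the homograph and typosquatting settings, as an added example (my own code, not NextDNS's): reduce a hostname to an ASCII skeleton (decode punycode, strip accents, map look-alike characters) and compare it to protected brands, then measure edit distance to catch plain typos. `PROTECTED` and `CONFUSABLES` are constructed, deliberately small tables; a production check uses the full Unicode TR39 confusables data and the Public Suffix List for the registrable domain.

```python
import unicodedata

# Constructed brand list; substitute the names you care about.
PROTECTED = ["paypal.com", "google.com", "apple.com"]

# Small subset of Unicode confusables (the full table is Unicode TR39).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0455": "s", "\u0456": "i", "\u04bb": "h", "\u04cf": "l",
    "\u0261": "g", "\u0131": "i", "\u2113": "l",
    "0": "o", "1": "l",                 # digit look-alikes (g00gle, paypa1)
}

def decode_label(label: str) -> str:
    """Turn an A-label (xn--...) into its Unicode form; leave other labels alone."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label

def skeleton(hostname: str) -> str:
    """ASCII skeleton: decoded, accent-stripped, confusables mapped, lowercased."""
    out = []
    for label in hostname.lower().rstrip(".").split("."):
        u = unicodedata.normalize("NFKD", decode_label(label))
        u = "".join(CONFUSABLES.get(ch, ch) for ch in u
                    if unicodedata.category(ch) != "Mn")   # drop combining marks
        out.append(u)
    return ".".join(out)

def scripts(label: str) -> set:
    """Script names (first word of the Unicode character name) of the letters in label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute/adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(hostname: str) -> str:
    """'homograph', 'mixed-script', 'typosquat' or 'ok' for the registrable domain."""
    labels = hostname.lower().rstrip(".").split(".")
    registrable = ".".join(labels[-2:])       # naive: assumes a one-label TLD
    sk = skeleton(registrable)
    if sk in PROTECTED and sk != registrable:
        return "homograph"                    # looks like a brand but is not
    if any(len(scripts(decode_label(lab))) > 1 for lab in labels):
        return "mixed-script"                 # e.g. Latin and Cyrillic in one label
    brand = sk.split(".")[0]
    for p in PROTECTED:
        pb = p.split(".")[0]
        if brand != pb and osa_distance(brand, pb) <= 1:
            return "typosquat"                # one typo away from a brand
    return "ok"

if __name__ == "__main__":
    for h in ["xn--pypal-4ve.com", "xn--80ak6aa92e.com", "paypa1.com",
              "paypla.com", "gogle.com", "www.paypal.com", "example.com"]:
        print(f"{h:24} skeleton={skeleton(h):20} {classify(h)}")
```

`xn--pypal-4ve.com` is "paypal" with a Cyrillic "а"; `xn--80ak6aa92e.com` is "apple" written entirely in Cyrillic, which is why a mixed-script test alone is not enough and the skeleton comparison is needed.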
Domain Generation Algorithms (DGAs) Protection
Block Newly Registered Domains (NRDs) 1 2 3
Block Newly Registered Domains (NRDs) → ☢️ Enabling may cause breakage
Disclaimer: Blocking NRDs will occasionally cause false positives. Be selective when adding NRDs to your allowlist, and when you do, NEVER give sensitive information to an NRD. If you would rather set-and-forget your configuration, disable this setting.
Block Dynamic DNS Hostnames 1 2 3
Enable Block Dynamic DNS Hostnames
Block Parked Domains 1
Block Top-Level Domains (TLDs) 1 2 3 4
☢️ Enabling may cause breakage
.work
.fit
.surf
.info
.cam
.ci
.cf
.cn
.ga
.gq
.ml
.online
.tk
.top
Block Child Sexual Abuse Material
Block Child Sexual Abuse Material
Privacy
Blocklists 1
NextDNS Ads & Trackers Blocklist
oisd
1Hosts (Pro)
Here's a compilation of popular blocklists available in NextDNS:
- Balanced: set-and-forget; doesn't interfere with user experience
- Strict: minimal breakage; prioritizes privacy over user experience; you may allowlist occasionally
- Aggressive: not recommended for daily browsing; may be used on a separate profile for isolated devices
| Balanced | Strict | Aggressive |
|---|---|---|
| 1Hosts (Lite) | 1Hosts (Pro) | 1Hosts (Xtra) |
| oisd | Lightswitch05 - Ads & Tracking | Lightswitch05 - Tracking Aggressive |
| notracking | Energized Ultimate | |
| NoTrack Tracker Blocklist | Anudeep's Blacklist for ads and trackers | |
| AdGuard DNS filter | Goodbye Ads | |
Native Tracking Protection 1
☢️ Enabling may cause breakage (unlikely)
Add these brands according to what devices you use. There's no advantage in adding brands you don't own; however, there’s no disadvantage in adding unused brands either.
Xiaomi
Huawei
Samsung
Amazon Alexa
Windows
Apple
Roku
Sonos
Block Disguised Third-Party Trackers 1 2 3 4
Block Disguised Third-Party Trackers
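This setting targets CNAME cloaking: a site publishes a first-party name (say `metrics.shop.example`) that is a CNAME to a tracking vendor, so the browser treats the vendor's cookies as first-party and plain hostname blocklists miss it. The resolver catches it by following the CNAME chain and checking every hop's owner. The example below is my own illustration, not NextDNS code; `RECORDS`, `TRACKER_DOMAINS` and all domain names in it are constructed.

```python
# Constructed zone data: qname -> (type, rdata). Trailing dots are omitted.
RECORDS = {
    "metrics.shop.example": ("CNAME", "shop-example.tracker-cdn.example"),
    "shop-example.tracker-cdn.example": ("CNAME", "edge.tracker-cdn.example"),
    "edge.tracker-cdn.example": ("A", "198.51.100.20"),
    "www.shop.example": ("CNAME", "shop.example"),          # same-site alias
    "shop.example": ("A", "198.51.100.10"),
    "static.shop.example": ("CNAME", "cdn-provider.example"),  # third party, not a tracker
    "cdn-provider.example": ("A", "198.51.100.30"),
    "loop.example": ("CNAME", "loop2.example"),              # broken zone: CNAME loop
    "loop2.example": ("CNAME", "loop.example"),
}

# Constructed blocklist of tracker registrable domains.
TRACKER_DOMAINS = {"tracker-cdn.example"}

def registrable(name: str) -> str:
    """Registrable domain, naively the last two labels.
    A real implementation uses the Public Suffix List so that
    'example.co.uk' is not reduced to 'co.uk'."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def cname_chain(qname: str, records=RECORDS, max_hops: int = 8):
    """Names visited from qname until a non-CNAME record, a loop, or max_hops."""
    chain, name = [qname], qname
    for _ in range(max_hops):
        rec = records.get(name)
        if rec is None or rec[0] != "CNAME":
            return chain
        name = rec[1]
        chain.append(name)
        if chain.count(name) > 1:        # loop: stop rather than follow it forever
            return chain
    return chain                         # too deep; treat as terminated

def disguised_tracker(qname: str, records=RECORDS, trackers=TRACKER_DOMAINS):
    """Return the cloaked tracker domain hidden behind qname, or None."""
    first_party = registrable(qname)
    for hop in cname_chain(qname, records)[1:]:
        site = registrable(hop)
        if site != first_party and site in trackers:
            return site
    return None

if __name__ == "__main__":
    for q in ["metrics.shop.example", "static.shop.example",
              "www.shop.example", "loop.example"]:
        print(q, "->", " -> ".join(cname_chain(q)),
              "| cloaked tracker:", disguised_tracker(q))
```

The first-party comparison is what keeps the breakage rate low: a CNAME to the site's own domain or to an ordinary CDN is left alone, and only a hop that lands on a listed tracker under a different registrable domain is blocked.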
Allow Affiliate & Tracking Links 1 2
Allow Affiliate & Tracking Links
Parental Control
YouTube Restricted Mode
Enforce YouTube Restricted Mode → ☢️ Enabling may cause breakage
Block Bypass Methods 1
Block Bypass Methods → ☢️ Enabling may cause breakage
Denylist
N/A
Allowlist
graph.facebook.com
Apple device updates 1 / Apple Music 2
xp.apple.com
Apple iMessage GIFs 1 / Spotlight Search 2
smoot.apple.com
Zoom 1 2
logfiles.zoom.us
us04logfiles.zoom.us
us04zpns.zoom.us
CBS News livestream 1
production-cmp.isgprivacy.cbsi.com
Microsoft Office 365 1 2
Note: Blocking these requests appears to break only Office collaboration features. Only allowlist them if you experience breakage.
self.events.data.microsoft.com
mobile.pipe.aria.microsoft.com
Xbox Live achievements 1 2 / Microsoft "Your Phone" 3
Disclaimer: I don't use these, so I can't confirm the requests. Only allowlist them if you experience breakage.
v10.events.data.microsoft.com
v20.events.data.microsoft.com
Settings
Block Page
Enable Block Page → ☢️ Enabling may cause breakage if the NextDNS Root CA is not on your devices
Anonymized EDNS Client Subnet 1
Enable Anonymized EDNS Client Subnet
Cache Boost
CNAME Flattening 1 2 3
Web3 1 2
Credit
Forked from the crssi config. Some inspiration came from the scafroglia93 config while other ideas are my own.