## Guidelines 🔖
- Prevent overblocking by applying the law of diminishing returns (e.g., use sane, quality blocklists; allow most TLDs; etc.).
- Pass the girlfriend test, with few exceptions. These deviations are documented throughout the guide.
## Security 👮

### Threat Intelligence Feeds 1

### AI-Driven Threat Detection
Enable AI-Driven Threat Detection

### Google Safe Browsing 1 2 3 4

### Cryptojacking Protection 1
Enable Cryptojacking Protection

### DNS Rebinding Protection 1 2
Enable DNS Rebinding Protection

### IDN Homograph Attacks Protection
Enable Homograph Attacks Protection

### Typosquatting Protection 1
Enable Typosquatting Protection

### Domain Generation Algorithms (DGAs) Protection

### Block Newly Registered Domains (NRDs) 1 2 3
⚠️ Blocking NRDs will occasionally cause false positives. Be selective when adding NRDs to your allowlist, and when you do, NEVER give sensitive information to an NRD. If you plan to set-and-forget your configuration, disable this setting.

Block Newly Registered Domains (NRDs)

### Block Dynamic DNS Hostnames 1 2 3
Enable Block Dynamic DNS Hostnames

### Block Parked Domains 1

### Block Top-Level Domains (TLDs) 1 2 3 4 5
⚠️ If you plan to set-and-forget your configuration, skip this setting.

- .work
- .fit
- .surf
- .cn
- .info

- .agency
- .bid
- .cam
- .cf
- .ci
- .cricket
- .fun
- .ga
- .gq
- .loan
- .ml
- .online
- .ooo
- .tk
- .top
- .win

### Block Child Sexual Abuse Material
Block Child Sexual Abuse Material
## Privacy 🔒

### Blocklists 1
Here's a compilation of popular blocklists available in NextDNS:
- Balanced: no breakage; set-and-forget; doesn't interfere with user experience
- Strict: minimal breakage; prioritizes privacy over user experience; allowlist occasionally
- Aggressive: excessive breakage; use on a separate profile to lock down single-purpose devices

| Balanced | Strict | Aggressive |
|---|---|---|
| 1Hosts (Lite) | 1Hosts (Pro) | 1Hosts (Xtra) |
| oisd | Lightswitch05 - Ads & Tracking | Energized Ultimate |
| NextDNS Ads & Trackers Blocklist | Lightswitch05 - Tracking Aggressive | Goodbye Ads |
| notracking | | |
| NoTrack Tracker Blocklist | | |
| AdGuard DNS filter | | |

Highly Recommended:

### Native Tracking Protection 1
Add these brands according to what devices you use. There's no advantage in adding brands you don't own; however, there's no disadvantage in adding unused brands either.
- Xiaomi
- Huawei
- Samsung
- Amazon Alexa
- Windows
- Apple
- Roku
- Sonos

### Block Disguised Third-Party Trackers 1 2 3 4
Block Disguised Third-Party Trackers

### Allow Affiliate & Tracking Links 1 2
⚠️ If you plan to set-and-forget your configuration, enable this setting.

Allow Affiliate & Tracking Links
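The Security and Privacy sections above carry three set-and-forget caveats (disable NRD blocking, skip the TLD list, allow affiliate links). The following is an added example of mine, not the guide author's code, that assembles those toggles as a NextDNS-style profile fragment, lints a profile against the caveats, and shows which hostnames the TLD list would catch. The key names (security.nrd, security.tlds, privacy.allowAffiliate, ...) are my reading of the public NextDNS API profile schema and are assumptions to verify against the API docs; the code makes no network calls.

```python
"""Assemble this guide's Security and Privacy toggles as a NextDNS-style
profile fragment and lint it against the guide's set-and-forget caveats.

Added example, not part of the original guide. Key names (security.nrd,
security.tlds, privacy.allowAffiliate, ...) are my reading of the public
NextDNS API profile schema and are assumptions: verify them against the API
docs before sending anything to api.nextdns.io. No network calls are made.
"""
from __future__ import annotations

# TLDs exactly as listed in the guide, leading dot stripped.
GUIDE_BLOCKED_TLDS: tuple[str, ...] = (
    "work", "fit", "surf", "cn", "info",
    "agency", "bid", "cam", "cf", "ci", "cricket", "fun", "ga", "gq",
    "loan", "ml", "online", "ooo", "tk", "top", "win",
)


def build_profile(set_and_forget: bool = False) -> dict:
    """Return the guide's Security and Privacy settings.

    set_and_forget=True applies the guide's three caveats: NRD blocking is
    disabled (occasional false positives), the TLD block list is skipped, and
    affiliate/tracking links are allowed.
    """
    security = {
        "threatIntelligenceFeeds": True,
        "aiThreatDetection": True,
        "googleSafeBrowsing": True,
        "cryptojacking": True,
        "dnsRebinding": True,
        "idnHomographs": True,
        "typosquatting": True,
        "dga": True,
        "nrd": not set_and_forget,
        "ddns": True,
        "parking": True,
        "csam": True,
        # Assumption: the API lists TLDs as {"id": "<tld>"} objects.
        "tlds": [] if set_and_forget else [{"id": t} for t in GUIDE_BLOCKED_TLDS],
    }
    privacy = {
        "disguisedTrackers": True,
        # The guide only calls for this in set-and-forget mode; leaving it off
        # otherwise is my assumption about the author's default.
        "allowAffiliate": set_and_forget,
    }
    return {"security": security, "privacy": privacy}


def lint_set_and_forget(profile: dict) -> list[str]:
    """Return the guide's set-and-forget caveats that this profile violates."""
    findings = []
    security, privacy = profile["security"], profile["privacy"]
    if security.get("nrd"):
        findings.append("security.nrd: NRD blocking causes occasional false positives")
    if security.get("tlds"):
        findings.append("security.tlds: a TLD block list needs occasional allowlisting")
    if not privacy.get("allowAffiliate"):
        findings.append("privacy.allowAffiliate: affiliate links should be allowed to avoid breakage")
    return findings


def blocked_by_tld_list(hostname: str, profile: dict) -> bool:
    """True if the hostname's last label is in the profile's blocked TLD list.

    This mirrors the intent of the setting; NextDNS's own matching rules are
    not documented here, so treat this as an approximation.
    """
    tld = hostname.strip().rstrip(".").rsplit(".", 1)[-1].lower()
    return any(entry["id"] == tld for entry in profile["security"].get("tlds", []))


if __name__ == "__main__":
    for mode in (False, True):
        p = build_profile(set_and_forget=mode)
        print(f"set_and_forget={mode}: {len(p['security']['tlds'])} TLDs blocked, "
              f"lint -> {lint_set_and_forget(p) or 'clean'}")
```

Running the module prints the two variants side by side; the strict profile trips all three lint findings, the set-and-forget one is clean.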
## Parental Control 👪

### YouTube Restricted Mode
Enforce YouTube Restricted Mode

### Block Bypass Methods 1

## Denylist ⛔
N/A
## Allowlist ✅

### Facebook / Instagram
- graph.facebook.com
- graph.instagram.com
- i.instagram.com

### Apple device updates 1 / Apple Music 2
- xp.apple.com

### Apple iMessage GIFs 1 / Spotlight Search 2
- smoot.apple.com

### Zoom 1 2
- logfiles.zoom.us
- us04logfiles.zoom.us
- us04zpns.zoom.us

### CBS News livestream 1
- production-cmp.isgprivacy.cbsi.com

### Microsoft Office 365 1 2
⚠️ Blocking these requests seems to break only Office collaboration features. Only allowlist them if you experience breakage.
- self.events.data.microsoft.com
- mobile.pipe.aria.microsoft.com

### Xbox Live achievements 1 2 / Microsoft "Your Phone" 3
⚠️ I don't use these, so I can't confirm the requests. Only allowlist them if you experience breakage.
- v10.events.data.microsoft.com
- v20.events.data.microsoft.com
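The allowlist above distinguishes entries the guide recommends outright from the Microsoft ones it says to allowlist only when you actually see breakage. Here is an added example of mine (not the guide author's) that triages blocked queries from a log against those groups, so that nothing outside the guide's list gets allowlisted by reflex. The log lines are constructed and use a simplified "timestamp,domain,status" CSV layout, which is an assumption and not the real NextDNS log export format.

```python
"""Triage blocked queries against this guide's allowlist groups.

Added example, not from the original guide. SAMPLE_LOG is constructed and uses
a simplified "timestamp,domain,status" CSV layout (assumption; not the real
NextDNS export format). The domain groups are copied from the guide; which
ones are "only if broken" follows the guide's warning notes.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowlistGroup:
    name: str
    domains: frozenset[str]
    only_if_broken: bool  # guide: allowlist only if you experience breakage


GUIDE_GROUPS = (
    AllowlistGroup("Facebook / Instagram",
                   frozenset({"graph.facebook.com", "graph.instagram.com", "i.instagram.com"}), False),
    AllowlistGroup("Apple device updates / Apple Music", frozenset({"xp.apple.com"}), False),
    AllowlistGroup("Apple iMessage GIFs / Spotlight Search", frozenset({"smoot.apple.com"}), False),
    AllowlistGroup("Zoom",
                   frozenset({"logfiles.zoom.us", "us04logfiles.zoom.us", "us04zpns.zoom.us"}), False),
    AllowlistGroup("CBS News livestream", frozenset({"production-cmp.isgprivacy.cbsi.com"}), False),
    AllowlistGroup("Microsoft Office 365",
                   frozenset({"self.events.data.microsoft.com", "mobile.pipe.aria.microsoft.com"}), True),
    AllowlistGroup('Xbox Live achievements / Microsoft "Your Phone"',
                   frozenset({"v10.events.data.microsoft.com", "v20.events.data.microsoft.com"}), True),
)

# Constructed sample log (simplified layout, not the real NextDNS export).
SAMPLE_LOG = """\
timestamp,domain,status
2024-01-01T10:00:00Z,graph.facebook.com,blocked
2024-01-01T10:00:01Z,www.example.com,default
2024-01-01T10:00:02Z,v10.events.data.microsoft.com,blocked
2024-01-01T10:00:03Z,tracker.example.net,blocked
2024-01-01T10:00:04Z,us04zpns.zoom.us,blocked
"""


def blocked_domains(log_text: str) -> set[str]:
    """Domains whose status is 'blocked' in the (constructed) CSV log."""
    reader = csv.DictReader(io.StringIO(log_text))
    return {row["domain"].strip().lower() for row in reader if row["status"] == "blocked"}


def triage(blocked: set[str]) -> dict[str, dict]:
    """Map each guide group that has a blocked domain to the guide's advice.

    Returns {group name: {"domains": sorted hits, "action": text}}. Blocked
    domains that match no group are reported under "unmatched" so they are not
    allowlisted silently: the guide only vouches for the listed hostnames.
    """
    result: dict[str, dict] = {}
    covered: set[str] = set()
    for group in GUIDE_GROUPS:
        hits = sorted(blocked & group.domains)
        if not hits:
            continue
        covered.update(hits)
        result[group.name] = {
            "domains": hits,
            "action": ("allowlist only if you actually see breakage"
                       if group.only_if_broken else "allowlist (guide recommends)"),
        }
    unmatched = sorted(blocked - covered)
    if unmatched:
        result["unmatched"] = {"domains": unmatched, "action": "leave blocked; not covered by the guide"}
    return result


if __name__ == "__main__":
    for name, info in triage(blocked_domains(SAMPLE_LOG)).items():
        print(f"{name}: {', '.join(info['domains'])} -> {info['action']}")
```

With the constructed log, the Facebook and Zoom hits come back as guide-recommended allowlist entries, the Xbox telemetry host is flagged as "only if you see breakage", and tracker.example.net stays blocked because the guide never lists it.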
## Settings ⚙️

### Block Page
Enable Block Page → ☢️ Enabling may cause breakage if the NextDNS Root CA is not installed on your devices.

### Anonymized EDNS Client Subnet 1
Enable Anonymized EDNS Client Subnet

### Cache Boost 1

### CNAME Flattening 1 2 3

### Web3 1 2

## Credit 📚
Forked from the crssi config. Some inspiration came from the scafroglia93 config, while other ideas are my own.