NextDNS-Config/README.md

---

Guidelines

1. Must pass the "girlfriend test".
2. Follow the law of diminishing returns by not overblocking (e.g., using Energized Ultimate or 1Hosts Xtra, blocking too many TLDs, etc.).

---

Security

Threat Intelligence Feeds ¹

Use Threat Intelligence Feeds

AI-Driven Threat Detection

Enable AI-Driven Threat Detection

Google Safe Browsing

Enable Google Safe Browsing

Cryptojacking Protection ¹

Enable Cryptojacking Protection

DNS Rebinding Protection

Enable DNS Rebinding Protection → ☢️ Enabling may cause breakage (unlikely)

IDN Homograph Attacks Protection

Enable Homograph Attacks Protection

Typosquatting Protection ¹

Enable Typosquatting Protection

Domain Generation Algorithms (DGAs) Protection

Enable DGA Protection

Block Newly Registered Domains (NRDs) ^{1 2 3}

Block Newly Registered Domains (NRDs) → ☢️ Enabling may cause breakage

Blocking NRDs will cause false positives occasionally; however, if you are comfortable allowlisting, it is strongly encouraged that you enable this. Add NRDs to your allowlist selectively; and if you do, NEVER give sensitive information to a NRD.

Block Dynamic DNS Hostnames ^{1 2 3}

Enable Block Dynamic DNS Hostnames

Block Parked Domains ¹

Block Parked Domains

Block Top-Level Domains (TLDs) ^{1 2 3 4}

☢️ Enabling may cause breakage

.work
.fit
.surf
.info
.cam
.ci
.cf
.cn
.ga
.gq
.ml
.online
.tk
.top

Block Child Sexual Abuse Material

Block Child Sexual Abuse Material

---

Privacy

Blocklists ¹

NextDNS Ads & Trackers Blocklist
oisd
1Hosts (Lite)

Use 1Hosts (Pro) instead of (Lite) if you don't mind allowlisting occasionally and reporting false positives.

Native Tracking Protection ¹

☢️ Enabling may cause breakage (unlikely)

Add these brands according to what devices you use. There's no advantage in adding brands you don't own; however, there’s no disadvantage in adding unused brands either.

Xiaomi
Huawei
Samsung
Amazon Alexa
Windows
Apple
Roku
Sonos

Block Disguised Third-Party Trackers ^{1 2}

Block Disguised Third-Party Trackers

Allow Affiliate & Tracking Links ^{1 2}

Allow Affiliate & Tracking Links

---

Parental Control

YouTube Restricted Mode

Enforce YouTube Restricted Mode → ☢️ Enabling may cause breakage

Block Bypass Methods ¹

Block Bypass Methods → ☢️ Enabling may cause breakage

---

Denylist

N/A

---

Allowlist

Facebook

graph.facebook.com

Apple device updates ¹ | Apple Music ²

xp.apple.com

Apple iMessage GIFs ¹ | Spotlight Search ²

smoot.apple.com

Zoom ^{1 2}

Zoom untrusted certificate error messages when Block Page is enabled.

logfiles.zoom.us
us04logfiles.zoom.us
us04zpns.zoom.us

CBS News livestream ¹

production-cmp.isgprivacy.cbsi.com

Microsoft Office 365 ^{1 2}

Disclaimer: You may only want to allowlist these requests if you're using the file collaboration features.

self.events.data.microsoft.com
mobile.pipe.aria.microsoft.com

Xbox Live achievements ^{1 2} | Microsoft "Your Phone" ³

Disclaimer: I don't use these, so I can't confirm these entries.

v10.events.data.microsoft.com
v20.events.data.microsoft.com

---

Settings

Block Page

Enable Block Page → ☢️ Enabling may cause breakage if the NextDNS Root CA is not on your devices

Anonymized EDNS Client Subnet

Enable Anonymized EDNS Client Subnet

Cache Boost

Enable Cache Boost

CNAME Flattening

Enable CNAME Flattening

Web3 ¹

Enable Web3

(optional)

---

Credit

Forked from the crssi config. Some inspiration came from the scafroglia93 config while other ideas are my own.

---

23 July 2022