mirror of
https://github.com/yokoffing/NextDNS-Config.git
synced 2025-11-18 08:03:38 -05:00
191 lines
6.0 KiB
Markdown
191 lines
6.0 KiB
Markdown
***
|
||
# Guidelines
|
||
1) Must pass the "[girlfriend test](https://www.urbandictionary.com/define.php?term=Grandma%20Test)"
|
||
2) Minimal allowlisting
|
||
|
||
***
|
||
|
||
# Security
|
||
### Threat Intelligence Feeds
|
||
 Use Threat Intelligence Feeds
|
||
### AI-Driven Threat Detection
|
||
 Enable AI-Driven Threat Detection
|
||
### Google Safe Browsing
|
||
 Enable Google Safe Browsing
|
||
### Cryptojacking Protection
|
||
 Enable Cryptojacking Protection → :radioactive: *Enabling may cause breakage (unlikely)*
|
||
### DNS Rebinding Protection
|
||
 Enable DNS Rebinding Protection → :radioactive: *Enabling may cause breakage (unlikely)*
|
||
### IDN Homograph Attacks Protection
|
||
 Enable Homograph Attacks Protection
|
||
### Typosquatting Protection
|
||
 Enable Typosquatting Protection
|
||
### Domain Generation Algorithms (DGAs) Protection
|
||
 Enable DGA Protection
|
||
### Block Newly Registered Domains (NRDs)
|
||
 Block Newly Registered Domains (NRDs) → :radioactive: *Enabling may cause breakage*
|
||
<br>
|
||
<br> While there are legitimate NRDs, many are nefarious. Here's a recent (June 2022) incident of a scam NRD ([example](https://old.reddit.com/r/GaySoundsShitposts/comments/vr4fjf/be_gay_do_crime/) | commentary [1](https://old.reddit.com/r/gaybros/comments/vqb2q9/comment/iepjd69/) [2](https://old.reddit.com/r/gaybros/comments/vqb2q9/comment/ieoyygw/)). Another example is social media hacks where users click on links in there messages. Those are usually rogue NRDs.
|
||
|
||
This is marked as disabled because it will cause false positives. However, if you are comfortable allowlisting occasionally, **it is strongly encouraged that you enable this**. Selectively add NRDs to your allowlist; and if you add certain ones to your allowlist, **NEVER give sensitive information to a NRD!**
|
||
|
||
### Block Dynamic DNS Hostnames
|
||
 Enable Block Dynamic DNS Hostnames
|
||
### Block Parked Domains
|
||
 Block Parked Domains
|
||
|
||
### Block Top-Level Domains (TLDs)
|
||
```
|
||
agency
|
||
asia
|
||
bar
|
||
bid
|
||
buzz
|
||
cam
|
||
casa
|
||
cf
|
||
club
|
||
cricket
|
||
date
|
||
email
|
||
fail
|
||
fit
|
||
fun
|
||
ga
|
||
gdn
|
||
ge
|
||
gq
|
||
guru
|
||
help
|
||
host
|
||
icu
|
||
info
|
||
ir
|
||
link
|
||
live
|
||
loan
|
||
ltda
|
||
men
|
||
ml
|
||
nagoya
|
||
nf
|
||
okinawa
|
||
online
|
||
ooo
|
||
press
|
||
pw
|
||
recipes
|
||
rest
|
||
rodeo
|
||
ryukyu
|
||
shop
|
||
site
|
||
space
|
||
su
|
||
support
|
||
surf
|
||
tk
|
||
tokyo
|
||
top
|
||
ug
|
||
vip
|
||
wang
|
||
webcam
|
||
website
|
||
win
|
||
work
|
||
ws
|
||
```
|
||
|
||
### Block Child Sexual Abuse Material
|
||
 Block Child Sexual Abuse Material
|
||
|
||
***
|
||
|
||
# Privacy
|
||
### Blocklists
|
||
NextDNS Ads & Trackers Blocklist
|
||
AdGuard DNS filter
|
||
oisd
|
||
1Hosts (Lite)
|
||
### Native Tracking Protection
|
||
:radioactive: *Enabling may cause breakage (unlikely)*
|
||
|
||
Add these brands according to what devices you use. There's no advantage in adding brands you don't own; however, there’s not a strong reason to omit unused brands either.
|
||
|
||
Xiaomi
|
||
Huawei
|
||
Samsung
|
||
Amazon Alexa
|
||
Windows
|
||
Apple
|
||
Roku
|
||
Sonos
|
||
### Block Disguised Third-Party Trackers
|
||
 Block Disguised Third-Party Trackers
|
||
### Allow Affiliate & Tracking Links
|
||
 Allow Affiliate & Tracking Links
|
||
|
||
***
|
||
|
||
# Parental Control
|
||
### YouTube Restricted Mode
|
||
 Enforce YouTube Restricted Mode → :radioactive: *Enabling may cause breakage*
|
||
|
||
### Block Bypass Methods
|
||
 Block Bypass Methods → :radioactive: *Enabling may cause breakage*
|
||
|
||
***
|
||
|
||
# Denylist
|
||
(optional) Most of these are blocked under [Block Dynamic DNS Hostnames](https://github.com/yokoffing/NextDNS-Config/edit/main/README.md#block-dynamic-dns-hostnames) (see [here](https://github.com/nextdns/metadata/blob/master/security/ddns/suffixes)).
|
||
|
||
pubnub.com
|
||
ddns.net
|
||
duckdns.org
|
||
hopto.org
|
||
linkpc.net
|
||
myddns.me
|
||
myftp.biz
|
||
myftp.org
|
||
ngrok.io
|
||
no-ip.biz
|
||
no-ip.org
|
||
portmap.host
|
||
portmap.io
|
||
publicvm.com
|
||
sytes.net
|
||
zapto.org
|
||
|
||
***
|
||
|
||
# Allowlist
|
||
if using Facebook and Instagram:
|
||
|
||
graph.facebook.com
|
||
graph.instagram.com
|
||
|
||
breaks CBS News (NextDNS Ads & Trackers Blocklist):
|
||
|
||
production-cmp.isgprivacy.cbsi.com
|
||
***
|
||
|
||
# Settings
|
||
### Block Page
|
||
 Enable Block Page → :radioactive: *Enabling may cause breakage if the NextDNS Root CA is not on your devices*
|
||
### Anonymized EDNS Client Subnet
|
||
 Enable Anonymized EDNS Client Subnet
|
||
### Cache Boost
|
||
 Enable Cache Boost
|
||
### CNAME Flattening
|
||
 Enable CNAME Flattening
|
||
### Web3 (optional)
|
||
 Enable Web3
|
||
|
||
***
|
||
|
||
# Credit
|
||
Forked from the [crssi](https://github.com/crssi/NextDNS-Config#readme) config. Some inputs came from the [scafroglia93](https://github.com/scafroglia93/nextdns-setting]) config while other changes are my own.
|
||
|
||
***
|