NextDNS-Config/README.md

---

Guidelines

1. Must pass the "girlfriend test".
2. Follow the law of diminishing returns by not overblocking (e.g., using Energized Ultimate or 1Hosts Xtra, blocking too many TLDs, etc.).

---

Security

Threat Intelligence Feeds ¹

Use Threat Intelligence Feeds

AI-Driven Threat Detection

Enable AI-Driven Threat Detection

Google Safe Browsing ^{1 2 3 4}

Enable Google Safe Browsing

Cryptojacking Protection ¹

Enable Cryptojacking Protection

DNS Rebinding Protection ¹

Enable DNS Rebinding Protection → ☢️ Enabling may cause breakage (unlikely)

IDN Homograph Attacks Protection

Enable Homograph Attacks Protection

Typosquatting Protection ¹

Enable Typosquatting Protection

Domain Generation Algorithms (DGAs) Protection

Enable DGA Protection

Block Newly Registered Domains (NRDs) ^{1 2 3}

Block Newly Registered Domains (NRDs) → ☢️ Enabling may cause breakage

Blocking NRDs will cause false positives occasionally; however, if you are comfortable allowlisting, it is strongly encouraged that you enable this. Add NRDs to your allowlist selectively; and if you do, NEVER give sensitive information to a NRD.

Block Dynamic DNS Hostnames ^{1 2 3}

Enable Block Dynamic DNS Hostnames

Block Parked Domains ¹

Block Parked Domains

Block Top-Level Domains (TLDs) ^{1 2 3 4}

☢️ Enabling may cause breakage

.work
.fit
.surf
.info
.cam
.ci
.cf
.cn
.ga
.gq
.ml
.online
.tk
.top

Block Child Sexual Abuse Material

Block Child Sexual Abuse Material

---

Privacy

Blocklists ¹

Use 1Hosts (Lite) instead of 1Hosts (Pro) if you do not report false positives and add to the allowlist.

NextDNS Ads & Trackers Blocklist
oisd
1Hosts (Pro)

Native Tracking Protection ¹

☢️ Enabling may cause breakage (unlikely)

Add these brands according to what devices you use. There's no advantage in adding brands you don't own; however, there’s no disadvantage in adding unused brands either.

Xiaomi
Huawei
Samsung
Amazon Alexa
Windows
Apple
Roku
Sonos

Block Disguised Third-Party Trackers ^{1 2 3 4}

Block Disguised Third-Party Trackers

Allow Affiliate & Tracking Links ^{1 2}

Allow Affiliate & Tracking Links

---

Parental Control

YouTube Restricted Mode

Enforce YouTube Restricted Mode → ☢️ Enabling may cause breakage

Block Bypass Methods ¹

Block Bypass Methods → ☢️ Enabling may cause breakage

---

Denylist

N/A

---

Allowlist

Facebook

graph.facebook.com

Apple device updates ¹ / Apple Music ²

xp.apple.com

Apple iMessage GIFs ¹ / Spotlight Search ²

smoot.apple.com

Zoom ^{1 2}

Zoom untrusted certificate error messages when Block Page is enabled.

logfiles.zoom.us
us04logfiles.zoom.us
us04zpns.zoom.us

CBS News livestream ¹

production-cmp.isgprivacy.cbsi.com

Microsoft Office 365 ^{1 2}

Disclaimer: You may only want to allowlist these requests if you're using the file collaboration features.

self.events.data.microsoft.com
mobile.pipe.aria.microsoft.com

Xbox Live achievements ^{1 2} / Microsoft "Your Phone" ³

Disclaimer: I don't use these, so I can't confirm these entries.

v10.events.data.microsoft.com
v20.events.data.microsoft.com

---

Settings

Block Page

Enable Block Page → ☢️ Enabling may cause breakage if the NextDNS Root CA is not on your devices

Anonymized EDNS Client Subnet ¹

Enable Anonymized EDNS Client Subnet

Cache Boost

Enable Cache Boost

CNAME Flattening ^{1 2 3}

Enable CNAME Flattening

Web3 ¹

Enable Web3

(optional)

---

Credit

Forked from the crssi config. Some inspiration came from the scafroglia93 config while other ideas are my own.

---

23 July 2022