## Guidelines 🔖

- Must pass the girlfriend test with few exceptions. These deviations are documented throughout the guide.
- Avoid overblocking: apply the law of diminishing returns rather than piling on overly aggressive blocklists, restricting too many TLDs, and so on.
## Security 👮

### Threat Intelligence Feeds

### AI-Driven Threat Detection
- Enable AI-Driven Threat Detection

### Google Safe Browsing

### Cryptojacking Protection
- Enable Cryptojacking Protection

### DNS Rebinding Protection
- Enable DNS Rebinding Protection

### IDN Homograph Attacks Protection
- Enable Homograph Attacks Protection

### Typosquatting Protection
- Enable Typosquatting Protection

### Domain Generation Algorithms (DGAs) Protection

### Block Newly Registered Domains (NRDs)
- Block Newly Registered Domains (NRDs) → ☢️ Enabling may cause breakage

⚠️ Blocking NRDs will occasionally cause false positives. Be selective when adding NRDs to your allowlist, and when you do, NEVER give sensitive information to an NRD. If you would rather set-and-forget your configuration, disable this setting.

### Block Dynamic DNS Hostnames
- Enable Block Dynamic DNS Hostnames

### Block Parked Domains

### Block Top-Level Domains (TLDs)
☢️ Enabling may cause breakage

- .work
- .fit
- .surf
- .info
- .cam
- .ci
- .cf
- .cn
- .ga
- .gq
- .ml
- .online
- .tk
- .top

### Block Child Sexual Abuse Material
- Block Child Sexual Abuse Material
## Privacy 🔒

### Blocklists
- NextDNS Ads & Trackers Blocklist
- oisd
- 1Hosts (Pro)

Here's a compilation of popular blocklists available in NextDNS:

- Balanced: no breakage; set-and-forget; doesn't interfere with user experience
- Strict: minimal breakage; prioritizes privacy over user experience; you may need to allowlist occasionally
- Aggressive: excessive breakage; may be used on a separate profile to lock down isolated devices

| Balanced | Strict | Aggressive |
|---|---|---|
| 1Hosts (Lite) | 1Hosts (Pro) | 1Hosts (Xtra) |
| oisd | Lightswitch05 - Ads & Tracking | Energized Ultimate |
| notracking | Lightswitch05 - Tracking Aggressive | Goodbye Ads |
| NoTrack Tracker Blocklist | | |
| AdGuard DNS filter | | |

### Native Tracking Protection
☢️ Enabling may cause breakage (unlikely)

Add these brands according to what devices you use. There's no advantage in adding brands you don't own; however, there's no disadvantage in adding unused brands either.

- Xiaomi
- Huawei
- Samsung
- Amazon Alexa
- Windows
- Apple
- Roku
- Sonos

### Block Disguised Third-Party Trackers
- Block Disguised Third-Party Trackers
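A "disguised" third-party tracker is one reached through a CNAME: the page loads `metrics.shop.example`, which looks first-party to the browser, but that name is an alias for a tracking vendor's host, so browser-side tracker blocking and cookie rules do not catch it. The script below is an added example (not code from the guide or from NextDNS) that walks a CNAME chain and flags any hop that lands in a known tracker domain, which is the kind of check this setting performs at the resolver. The zone records, the tracker list and the `.example` names are constructed sample data; the `site_key` helper is a deliberate simplification that a real tool would replace with the Public Suffix List.

```python
"""Detect CNAME-cloaked ("disguised") third-party trackers in a CNAME chain.

Added example, not code from the original guide or from NextDNS. The zone
data and tracker list below are constructed sample data, not real records.
"""
from typing import Dict, List, Optional, Set

# Constructed sample zone: name -> CNAME target (None = terminal A/AAAA record).
SAMPLE_CNAMES: Dict[str, Optional[str]] = {
    "metrics.shop.example.": "shop-example.trk.tracker-vendor.example.",
    "shop-example.trk.tracker-vendor.example.": "edge.tracker-vendor.example.",
    "edge.tracker-vendor.example.": None,
    "www.shop.example.": "shop.example.cdn-provider.example.",
    "shop.example.cdn-provider.example.": None,
    "a.loop.example.": "b.loop.example.",
    "b.loop.example.": "a.loop.example.",
}

# Constructed stand-in for a tracker blocklist (apex domains, fully qualified).
TRACKER_DOMAINS: Set[str] = {"tracker-vendor.example."}


def normalize(name: str) -> str:
    """Lower-case and fully-qualify a name so comparisons are consistent."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def in_domain(name: str, parent: str) -> bool:
    """True if name equals parent or is a subdomain of it."""
    name, parent = normalize(name), normalize(parent)
    return name == parent or name.endswith("." + parent)


def site_key(name: str) -> str:
    """Crude 'same site' key: the last two labels. Production code should use
    the Public Suffix List instead, since e.g. co.uk is not a site."""
    labels = normalize(name).rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."


def follow_chain(name: str, cnames: Dict[str, Optional[str]], max_hops: int = 8) -> List[str]:
    """Return the names visited, starting with `name`; stops on a terminal
    record, an unknown name, a CNAME loop, or the hop limit."""
    chain = [normalize(name)]
    seen = set(chain)
    while len(chain) <= max_hops:
        target = cnames.get(chain[-1])
        if target is None:
            break
        target = normalize(target)
        if target in seen:
            break  # CNAME loop; stop rather than spin
        chain.append(target)
        seen.add(target)
    return chain


def classify(name: str, cnames: Dict[str, Optional[str]], trackers: Set[str]) -> str:
    """One of: cloaked-tracker, third-party-cname, first-party."""
    chain = follow_chain(name, cnames)
    origin_site = site_key(chain[0])
    third_party = False
    for hop in chain[1:]:
        if site_key(hop) == origin_site:
            continue  # alias inside the same site is ordinary first-party delegation
        third_party = True
        if any(in_domain(hop, t) for t in trackers):
            return "cloaked-tracker"
    # A third-party CNAME that is not a tracker (e.g. a CDN) is benign on its own.
    return "third-party-cname" if third_party else "first-party"


if __name__ == "__main__":
    for host in ["metrics.shop.example", "www.shop.example", "a.loop.example"]:
        print(f"{host:25s} -> {' -> '.join(follow_chain(host, SAMPLE_CNAMES))}")
        print(f"{'':25s}    {classify(host, SAMPLE_CNAMES, TRACKER_DOMAINS)}")
```

Note that `www.shop.example` is also aliased off-site (to a CDN) but is not flagged: the point of the setting is the combination of a third-party hop and a tracker-list match, not every CNAME that leaves the site.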
### Allow Affiliate & Tracking Links
- Allow Affiliate & Tracking Links → ☢️ Disabling may cause breakage

⚠️ If you would rather set-and-forget your configuration, enable this setting.
## Parental Control 👴

### YouTube Restricted Mode
- Enforce YouTube Restricted Mode → ☢️ Enabling may cause breakage

### Block Bypass Methods
- Block Bypass Methods → ☢️ Enabling may cause breakage
## Denylist ⛔

N/A
## Allowlist ✅

### Facebook / Instagram
- graph.facebook.com
- graph.instagram.com
- i.instagram.com

### Apple device updates / Apple Music
- xp.apple.com

### Apple iMessage GIFs / Spotlight Search
- smoot.apple.com

### Zoom
- logfiles.zoom.us
- us04logfiles.zoom.us
- us04zpns.zoom.us

### CBS News livestream
- production-cmp.isgprivacy.cbsi.com

### Microsoft Office 365
🗒️ Blocking these requests may break only Office collaboration features. Only allowlist them if you experience breakage.

- self.events.data.microsoft.com
- mobile.pipe.aria.microsoft.com

### Xbox Live achievements / Microsoft "Your Phone"
⚠️ I don't use these, so I can't confirm the requests. Only allowlist them if you experience breakage.

- v10.events.data.microsoft.com
- v20.events.data.microsoft.com
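The guide's advice is to allowlist an entry only once you see breakage, which means knowing whether a given hostname is actually being blocked for you. The script below is an added example (not code from the guide or from NextDNS) that takes the hostnames listed above and reports which ones the resolver your device is using null-routes. It assumes the device already points at your NextDNS profile and that blocked names come back as `0.0.0.0` / `::`, which is NextDNS's answer when Block Page is off; with Block Page on, a blocked name resolves to the block-page address and would be reported here as "resolves". The `resolve` argument is injectable so the triage logic can be exercised offline with constructed answers.

```python
"""Triage which allowlist candidates are actually blocked by your resolver.

Added example, not code from the original guide or from NextDNS. Assumes the
resolver null-routes blocked names to 0.0.0.0 / :: (NextDNS with Block Page
off). Run on a device that already uses your NextDNS profile.
"""
import socket
from typing import Callable, Dict, Iterable, List

# Hostnames from the guide's allowlist section, keyed by what they serve.
CANDIDATES: Dict[str, List[str]] = {
    "Facebook / Instagram": ["graph.facebook.com", "graph.instagram.com", "i.instagram.com"],
    "Apple device updates / Apple Music": ["xp.apple.com"],
    "Apple iMessage GIFs / Spotlight Search": ["smoot.apple.com"],
    "Zoom": ["logfiles.zoom.us", "us04logfiles.zoom.us", "us04zpns.zoom.us"],
    "CBS News livestream": ["production-cmp.isgprivacy.cbsi.com"],
    "Microsoft Office 365": ["self.events.data.microsoft.com", "mobile.pipe.aria.microsoft.com"],
    "Xbox Live achievements / Your Phone": ["v10.events.data.microsoft.com", "v20.events.data.microsoft.com"],
}

# Answers that mean "blocked by the resolver" rather than a real address.
NULL_ADDRESSES = {"0.0.0.0", "::"}

Resolver = Callable[[str], List[str]]


def system_resolve(name: str) -> List[str]:
    """Resolve through the OS resolver; empty list on NXDOMAIN/SERVFAIL."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify_answer(addresses: Iterable[str]) -> str:
    """Map a set of answers to one of: blocked, unresolvable, resolves."""
    addrs = set(addresses)
    if not addrs:
        return "unresolvable"
    if addrs <= NULL_ADDRESSES:
        return "blocked"
    return "resolves"


def triage(candidates: Dict[str, List[str]], resolve: Resolver = system_resolve) -> Dict[str, str]:
    """Classify every candidate hostname using the given resolver."""
    return {name: classify_answer(resolve(name))
            for names in candidates.values() for name in names}


def needs_allowlisting(results: Dict[str, str]) -> List[str]:
    """Only names the resolver is null-routing are worth adding to the allowlist."""
    return sorted(name for name, verdict in results.items() if verdict == "blocked")


def report(candidates: Dict[str, List[str]], resolve: Resolver = system_resolve) -> None:
    """Print a per-group verdict and the short list of names to consider allowlisting."""
    results = triage(candidates, resolve)
    for group, names in candidates.items():
        print(f"{group}:")
        for name in names:
            print(f"  {name:40s} {results[name]}")
    print("\nCandidates to allowlist:", ", ".join(needs_allowlisting(results)) or "none")


if __name__ == "__main__":
    report(CANDIDATES)
```

A name reported as "unresolvable" is not being blocked by a NextDNS list (that would be a null-routed answer); it is either a plain resolution failure or a name that no longer exists, so allowlisting it will not help.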
## Settings ⚙️

### Block Page
- Enable Block Page → ☢️ Enabling may cause breakage if the NextDNS Root CA is not on your devices

### Anonymized EDNS Client Subnet
- Enable Anonymized EDNS Client Subnet

### Cache Boost

### CNAME Flattening

### Web3
## Credit 📚

Forked from the crssi config. Some inspiration came from the scafroglia93 config, while other ideas are my own.