m/NextDNS-Config
1
0
Fork 0
mirror of https://github.com/yokoffing/NextDNS-Config.git synced 2025-11-17 15:43:39 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
d9c17db690d03e65a2f10eb276b36bb5850292b5
NextDNS-Config/README.md
yokoffing d9c17db690 Update README.md
2022-07-04 13:51:51 -04:00

6.0 KiB
Raw Blame History

Guidelines

  1. Must pass the "girlfriend test"
  2. Minimal allowlisting

Security

Threat Intelligence Feeds

Enabled Use Threat Intelligence Feeds

AI-Driven Threat Detection

Enabled Enable AI-Driven Threat Detection

Google Safe Browsing

Enabled Enable Google Safe Browsing

Cryptojacking Protection

Enabled Enable Cryptojacking Protection → ☢️ Enabling may cause breakage (unlikely)

DNS Rebinding Protection

Enabled Enable DNS Rebinding Protection → ☢️ Enabling may cause breakage (unlikely)

IDN Homograph Attacks Protection

Enabled Enable Homograph Attacks Protection

Typosquatting Protection

Enabled Enable Typosquatting Protection

Domain Generation Algorithms (DGAs) Protection

Enabled Enable DGA Protection

Block Newly Registered Domains (NRDs)

Disabled Block Newly Registered Domains (NRDs) → ☢️ Enabling may cause breakage

While there are legitimate NRDs, many are nefarious. Here's a recent (June 2022) incident of a scam NRD (example | commentary 1 2). Another example is social media hacks where users click on links in there messages. Those are usually rogue NRDs.

This is marked as disabled because it will cause false positives. However, if you are comfortable allowlisting occasionally, it is strongly encouraged that you enable this. Selectively add NRDs to your allowlist; and if you add certain ones to your allowlist, NEVER give sensitive information to a NRD!

Block Dynamic DNS Hostnames

Enabled Enable Block Dynamic DNS Hostnames

Block Parked Domains

Enabled Block Parked Domains

Block Top-Level Domains (TLDs)

agency
asia
bar
bid
buzz
cam
casa
cf
club
cricket
date
email
fail
fit
fun
ga
gdn
ge
gq
guru
help
host
icu
info
ir
link
live
loan
ltda
men
ml
nagoya
nf
okinawa
online
ooo
press
pw
recipes
rest
rodeo
ryukyu
shop
site
su
support
surf
tk
tokyo
top
ug
vip
wang
webcam
website
win
work
ws

Block Child Sexual Abuse Material

Enabled Block Child Sexual Abuse Material

Privacy

Blocklists

NextDNS Ads & Trackers Blocklist
AdGuard DNS filter
oisd
1Hosts (Lite)

Native Tracking Protection

☢️ Enabling may cause breakage (unlikely)

Add these brands according to what devices you use. There's no advantage in adding brands you don't own; however, theres not a strong reason to omit unused brands either.

Xiaomi
Huawei
Samsung
Amazon Alexa
Windows
Apple
Roku
Sonos

Block Disguised Third-Party Trackers

Enabled Block Disguised Third-Party Trackers

Allow Affiliate & Tracking Links

Enabled Allow Affiliate & Tracking Links

Parental Control

YouTube Restricted Mode

Disabled Enforce YouTube Restricted Mode → ☢️ Enabling may cause breakage

Block Bypass Methods

Disabled Block Bypass Methods → ☢️ Enabling may cause breakage

Denylist

(optional) Most of these are blocked under Block Dynamic DNS Hostnames (see here).

pubnub.com
ddns.net
duckdns.org
hopto.org
linkpc.net
myddns.me
myftp.biz
myftp.org
ngrok.io
no-ip.biz
no-ip.org
portmap.host
portmap.io
publicvm.com
sytes.net
zapto.org

Allowlist

if using Facebook and Instagram:

graph.facebook.com
graph.instagram.com

breaks CBS News (NextDNS Ads & Trackers Blocklist):

production-cmp.isgprivacy.cbsi.com

Settings

Block Page

Enabled Enable Block Page → ☢️ Enabling may cause breakage if the NextDNS Root CA is not on your devices

Anonymized EDNS Client Subnet

Enabled Enable Anonymized EDNS Client Subnet

Cache Boost

Enabled Enable Cache Boost

CNAME Flattening

Enabled Enable CNAME Flattening

Web3 (optional)

Disabled Enable Web3

Credit

Forked from the crssi config. Some inputs came from the scafroglia93 config while other changes are my own.