NextDNS is a very powerful filtering solution that I have started using on many of devices, this is not a VPN but a DNS based filtering solution with some very powerful features, the website for this cloud based firewall is https://nextdns.io/
The actual company tagline is this:
NextDNS protects you from all kinds of security threats, blocks ads and trackers on websites and in apps and provides a safe and supervised Internet for kids — on all devices and on all networks.
NOTE : NextDNS can only be used if you are not using a proxy solution between your device and the internet, if you are using a proxy you will get the proxy DNS provider, as you can see below this is a client with the NextDNS setup and using a proxy pointing at OpenDNS:
However, I have found it does way more than that, however you can checkout the website, I do not need to repeat that on this blog entry, however it is managed from https://my.nextdns.io once in you get the option to create profiles as you can see below:
Then once you have the profile created you get the endpoint connection details, yes my profile ID has been redacted as this is not a public profile whatsoever, these are the settings you need to give your clients, the profile ID is used for the NextDNS application which is available on all platforms.
Endpoints
Linked IP and Dynamic DNS
Then under the Linked IP you get the DNS servers you need to use and the linked IP which only works for static addresses, if you have a dynamic IP you can use DDNS, or like I do you can run a curl job to call the URL to update this from your dynamic IP, nice!
If you wish to link devices then for Windows 11 you have native configuration support build in which is nice, to accomplish that follow these settings:
- Open the Settings app.
- Go to Network & internet.
- Click on Wi-Fi (or Ethernet).
- Click on Hardware properties, or ignore this step if you clicked on Ethernet.
- Click the Edit button next to DNS server assignment.
- Select Manual.
- Enable IPv4.
- Enter 45.90.28.0 as Preferred DNS, then select On (manual template) and enter https://dns.nextdns.io/<profile_id>.
- Enter 45.90.30.0 as Alternate DNS, then select On (manual template) and enter https://dns.nextdns.io/<profile_id>.
- Click Save.
Security
Well this is quite in-depth and this is where you can set various options, the first section is about threats, AI threat detection and Google safe browsing which you can force on:
Then we move on to Cyptojacking protection, DNS rebind protection and IDN protection as you can see all this is on:
Next is Typo squatting protection, this is very handy where you can enter goole.com or gooogle.com, instead of the real URL, then you have DGA protection for malware based sites and NRD (newly registered domains) protection, this is off for my scenario as I have registering domains all the time.
Then we move on to blocking DDNS names like from no-ip.com and parked domain blocking as many of those are adverts to click on, then you can also block TLD (top level domains) which is the ending of the domain like .co.uk
This shows the TLD block, with all the suspicious ones blocked:
Then the last security option blocks against child sexual abuse material which unfortunately is required in this day and age.
Privacy
This is actually more helpful that the security in many regards, the first option on the list is block lists where you can add all the trackers and ad-blockers which is very helpful:
When you block these trackers and ad sites you definitely get your share of blocks so they do work, this is a list of all the blocking of trackers I have done in the last 30 days....
Then we move on to native tracking, this is more at the device level, here I have blocked devices I do not have or require to "talk home":
Then the last section is about blocking disguised tracker which plugins like Privacy Badger will do for you, and then the option to block links for people trying to give you a referral link, very neat feature that!
Parental Controls
Well this is quite in-depth and this is where you can set various options, the first section is about threats, AI threat detection and Google safe browsing which you can force on:
Then we move on to Cyptojacking protection, DNS rebind protection and IDN protection as you can see all this is on:
Next is Typo squatting protection, this is very handy where you can enter goole.com or gooogle.com, instead of the real URL, then you have DGA protection for malware based sites and NRD (newly registered domains) protection, this is off for my scenario as I have registering domains all the time.
Then we move on to blocking DDNS names like from no-ip.com and parked domain blocking as many of those are adverts to click on, then you can also block TLD (top level domains) which is the ending of the domain like .co.uk
This shows the TLD block, with all the suspicious ones blocked:
Then the last security option blocks against child sexual abuse material which unfortunately is required in this day and age.
Privacy
This is actually more helpful that the security in many regards, the first option on the list is block lists where you can add all the trackers and ad-blockers which is very helpful:
When you block these trackers and ad sites you definitely get your share of blocks so they do work, this is a list of all the blocking of trackers I have done in the last 30 days....
Then we move on to native tracking, this is more at the device level, here I have blocked devices I do not have or require to "talk home":
Then the last section is about blocking disguised tracker which plugins like Privacy Badger will do for you, and then the option to block links for people trying to give you a referral link, very neat feature that!
Parental Controls
First up is websites, application and games, where you get to choose from a list that you would like to block, is is separate from categorisation which is not in this section,
To add or remove from the block list, you click the Add button, then to remove you click the Remove button, simples, here you can see Hulu is blocked but WhatsApp and Steam are not:
Categories
You do not get all the useless categories but only the ones you might want to block, which is a great idea, so none of this Tobacco, Swimwear, Lingerie and other pointless categories, the full list is below:
To add or remove from the block list, you click the Add button, then to remove you click the Remove button, simples, here you can see Hulu is blocked but WhatsApp and Steam are not:
Categories
Then you get on to Categories which is a bracket of websites you do not want access to view
You do not get all the useless categories but only the ones you might want to block, which is a great idea, so none of this Tobacco, Swimwear, Lingerie and other pointless categories, the full list is below:
Moving along, nicely you have next recreation time where the blocks will not apply- this is more for kids and younger adults, this is disabled in all my policies, then you have Safe search which is a good idea to keep on to start with, this enforces it, the you have YouTube restricted mode which will hide comments and "mature" content - but be careful with this one sometimes it blocks normal videos for no reason, that is why it is off here:
Then this one I like, it does a good job of running a VPN to try a bypass, this includes web based proxies out there on the internet:
Then this one I like, it does a good job of running a VPN to try a bypass, this includes web based proxies out there on the internet:
Deny list
Simple, this is sites that override all the other rules if they are listed here at a root domain you get no access once added:
Allow List
On the flip side you also have an allow list, for this example I use Google Analytics so I allow them (as they would otherwise be blocked with the privacy blocking)
Analytics
This is where it gets powerful, you get a real-time flow of all your data and what has been allowed and denied then you get a % of blocked, which is a very nice feature:
It does not stop there, then you get a list of resolved v blocked domains by numbers, so you can tell where you are getting issues if indeed you get any at all:
Next up the block reasons, this will translate you what you set in privacy and parental controls, as you can see TikTok is being blocked with 76 requests to videos that look like YouTube videos:
Then you get a breakdown of your root domains, no shocker there that its Apple and Google for me, having Google accounts and Apple products:
Still going with the cool analytics, then you get the GAFAM dominance which is the main service provides, Apple makes sense for me as my devices are Apple, but it shows you the type of devices you use as well - as in Android or iOS.
Then you have your Encrypted DNS queries which should be very near 100% as NextDNS is all secure DNS, then finally your DNSSEC compliance which is usually low depending on what you connect to:
Next up is your world map domination for website destination, this map does not shock me at all, being all UK, USA and Alaska (yes I have many services here)
Logs
If the above was no enough, you also get logs and this is pretty much real-time here you can see my iPhone doing some DNS request
Then if you come across a blocked entry it will be highlighted in red, if you click on it, you will then see a breakdown of what it is. as below:
Log Locations
You can also control the logs, down to if you log at all, then do you log the IP and domains, right down to retention and storage location of the logs:
Block Page
Now, if you come across a website that is blocked, it will just return a "page cannot be displayed" as it drops the DNS request, but if you would like a more engaged "user experience" then you can turn on the block page as below:
If you turn on the Block page you need to trust the NextDNS Root CA, this will prevent certificate errors on blocked sites, this can be deployed with many options, and on phones there is a very nice way to deploy this which we will cover later on.
With the block page turn on it you get block pages like this, which nicer than the "page cannot be diaplyed" error.:
Performance
Yes, more settings to tune your experience, these should be enabled unless you have a specific reason to disable them:
Web3 Support
Yes, it even supports Web3, this is where you can buy a custom TLD that is not resolved by custom DNS servers, you need to support Web3 - something that could be big in the future, but not that common now (at the time of writing)
Rewrites
This is the one of the last website based party tricks, and its is exactly what it sounds like, its a rewrite:
Plan Usage
Now, I am on the Free plan which allows for 300,000 DNS requests per month, which after a whole month of hammering it for a couple of phones and home Wifi is quite hard to do as you can see here:
However if you need more queries than that - then you can can Subscribe for unlimited queries for your queries and I find for a "family" I find the prices very reasonable, please note that in the words of NextDNS: *Pro plans are for personal (and close family) use only.
iOS Application : NextHub
data here
Simple, this is sites that override all the other rules if they are listed here at a root domain you get no access once added:
Allow List
On the flip side you also have an allow list, for this example I use Google Analytics so I allow them (as they would otherwise be blocked with the privacy blocking)
Analytics
This is where it gets powerful, you get a real-time flow of all your data and what has been allowed and denied then you get a % of blocked, which is a very nice feature:
It does not stop there, then you get a list of resolved v blocked domains by numbers, so you can tell where you are getting issues if indeed you get any at all:
Next up the block reasons, this will translate you what you set in privacy and parental controls, as you can see TikTok is being blocked with 76 requests to videos that look like YouTube videos:
Then you get a breakdown of your root domains, no shocker there that its Apple and Google for me, having Google accounts and Apple products:
Still going with the cool analytics, then you get the GAFAM dominance which is the main service provides, Apple makes sense for me as my devices are Apple, but it shows you the type of devices you use as well - as in Android or iOS.
Then you have your Encrypted DNS queries which should be very near 100% as NextDNS is all secure DNS, then finally your DNSSEC compliance which is usually low depending on what you connect to:
Next up is your world map domination for website destination, this map does not shock me at all, being all UK, USA and Alaska (yes I have many services here)
Logs
If the above was no enough, you also get logs and this is pretty much real-time here you can see my iPhone doing some DNS request
Then if you come across a blocked entry it will be highlighted in red, if you click on it, you will then see a breakdown of what it is. as below:
Log Locations
You can also control the logs, down to if you log at all, then do you log the IP and domains, right down to retention and storage location of the logs:
Block Page
Now, if you come across a website that is blocked, it will just return a "page cannot be displayed" as it drops the DNS request, but if you would like a more engaged "user experience" then you can turn on the block page as below:
If you turn on the Block page you need to trust the NextDNS Root CA, this will prevent certificate errors on blocked sites, this can be deployed with many options, and on phones there is a very nice way to deploy this which we will cover later on.
With the block page turn on it you get block pages like this, which nicer than the "page cannot be diaplyed" error.:
Performance
Yes, more settings to tune your experience, these should be enabled unless you have a specific reason to disable them:
Web3 Support
Yes, it even supports Web3, this is where you can buy a custom TLD that is not resolved by custom DNS servers, you need to support Web3 - something that could be big in the future, but not that common now (at the time of writing)
Rewrites
This is the one of the last website based party tricks, and its is exactly what it sounds like, its a rewrite:
And you can do exactly what it sounds like, you can take a website and allow the service to write another response:
Plan Usage
Now, I am on the Free plan which allows for 300,000 DNS requests per month, which after a whole month of hammering it for a couple of phones and home Wifi is quite hard to do as you can see here:
However if you need more queries than that - then you can can Subscribe for unlimited queries for your queries and I find for a "family" I find the prices very reasonable, please note that in the words of NextDNS: *Pro plans are for personal (and close family) use only.
data here
iOS MDM Provisioning
data here
data here
Windows Provisioning
data here
data here
NextDNS Root CA
data here