The ULTIMATE Guide to Mastering NextDNS!

Looking in Analytics, my devices seem to be contacting Yandex domains in Russia, and which might be from China. Not sure why but I assume it’s not good and I should block them right?

Try enabling the Nativing Tracking Protection for Samsung, Xiaomi and Huawei. It is possible that they also block some of the tracking for other Android device manufacturers. After you do that you can also try manually blocking domains from your denylist. If something breaks just revert the change.

1 Like

Thanks. Is it still worth turning those on if I don’t use Android and use Apple devices?

I have added several to the deny list so far.

I actually have everything from there turned on. They just add a few more tracker domains in your blocklist. I’m pretty sure there is no harm in enabling them. The domains of each device blocklist can be found here.


I don’t know much about technical details of DoH and DoT. But this DoT config works fine, System is using NextDNS, BUT I had problems initially with Mullvad browser because it by-default uses its own DNS for DoH, manually entering nextnds DoH endpoints there didn’t work for me too, Either everything was not working within Mullvad, just showed error for potential network security issue for almost everything i visit or was working very very slow because Portmaster blocks bypass by-default. But when I clicked on info of Block bypass option on portmaster, It asked me to turn off DoH on firefox first and let it handle them. So I turned it off from Mullvad and everything is working fine now! I don’t know yet what are the downsides of turning DoH off. Well I would wish if someone with good technical knowledge try to figure it out. I wanted to post it originally on my post of “Need Help with Fedora Cinnamon”, but then I didn’t

Really appreciate the links in the video back to the forum. As well as the videos being posted here for conversation, automagically :slight_smile:


@Henry and the rest of the team, thanks for this video super informative and well made. Not sure why I had never looked at NextDNS before, but I will be trying it out now.

An extra thought that I had. For anyone who has elderly family members the security features of NextDNS seem awesome. A great way to protect them from a lot of stuff they might come across.

1 Like

With respect to blocklists Henry’s refrain in the video is very true–more isn’t necessarily better–especially for people with less technical experience, less time, or less patience.

Most people are best off choosing a light touch DNS level blocklist (Hagezi Light or OISD) in combination with a browser based adblocker like uBlock Origin with the default lists.

This is as close to an optimal compromise as you can get with respect to minimum breakage + maximal protection.

With that said, I've got some links for my fellow tinkerers and data nerds:
  • Yokoffing’s guide, is a great resource for configuring NextDNS (and very likely a primary source for Henry’s video). If you prefer written guides, or want to go deeper, I suggest reading this. It guides you through the setup/config of NextDNS line for line. They also have a page for uBO, and uBO filterlists but it is not as streamlined/curated as the NextDNS guide so I don’t recommend it as a guide for beginners, but it is good reference material.
  • This is a great semi-scientific analysis of the efficacy of Hagezi’s blocklists, and the basis for my recommendation that most people stick with the ‘Light’ list.
  • Hagezi OISD are probably the two most popular up and coming meta blocklists in 2023. Don’t bother asking which is better, it is the wrong question, the main difference is focus/priority. Both list maintainers care about blocking as much as possible while breaking as little as possible, but OISD puts slightly more emphasis on not breaking things while Hagezi’s lists put slightly more emphasis on blocking more and being comprehensive. Both lists are regularly maintained and responsive to feedback.
  • This useful table of lists helps compare similarities, differences, and overlap between many of the major popular blocklists and meta blocklists. It is useful for choosing a list, also useful for optimizing the lists you use if you use more than one and eliminating redundancies.
  • NextDNS publishes there native tracking protection lists to their github You can see what each sublist (Apple, Roku, etc) includes. Some are super barebones and probably incomplete (Roku only has a single domain) others have more entries (Apple has about 15-20 entries).
1 Like

cool video !
i recently swapped to NextDNS because i needed to do away with my server that was among other things, running Pi-Hole

wait… at the end of the video “virtual hugs”

I also used NextDNS for a year or so, but stopped because I started having some doubts about it mainly due to lack of transparency about what NextDNS employees can see. I mean it is a USA company, Reddit discussion + source and since Henry helps us increase our online privacy, I don’t understand why we should be using NextDNS in the first place.

Surely it may protect us from other third party bad actors, but it has the potential to log every website we visit and this data could be accessed by three letters agencies. We do not know what code runs on NextDNS servers.

Ok please correct me if I wrong. Of course I do not have proof of those data being handled over and used, but like Rob Braxman always says: “if they have the technology to do it, they will eventually do it”.

Great videos! Thank you so much man. I didn’t know about IVPN and its features. I’m a NextDNS subscriber who would like it to be enforced 24/7 even when using a VPN. As you’ve mentioned Apple (unlike Android) decided that a VPN’s DNS should take priority over a native DNS profile even one where ’prohibit disablement’ is enabled… :man_shrugging:. My ideal scenario would be an always on VPN installed natively through a profile on iOS (without a client app). I’m pretty sure always on functionality is limited to IKEV2 which is fine, but then I don’t think Apple allows changing the DNS for IKEV2 connections so I’m not sure there’s a workable solution. :frowning:

Hi @Henry ,
Do you think it’s a good idea to create a different profile for everywhere you plan to use nextdns?

Example: 1 profile for your phone, 1 profile for your laptop, 1 for your console…

Valid points indeed. However, if you look at its privacy policy, it says it will never share any of your data. It does not say anything about handling legal request so I suppose they will also not share those.

But is is the same as with a VPN and encrypted email I suppose. They say they don’t track you and you just have to trust that based on their privacy policy.

If it’s a good idea is entirely your call if it fits any particular use-case for you. There’s nothing inherently good or bad about it outside the flexibility it offers. If you want more customization per-device then use it

1 Like

I went down the rabbit hole over NextDNS and Private Relay. The short version is that the NextDNS online status page has a bug. The reason you see it swapping between “all ok” and Cloudfare is that there is a double DNS lookup happening.

Private Relay uses your private DNS, then hits its own resolver as well afterward (as this happens as the second step in the ‘relay’). However, all domains blocked by NextDNS will remain blocked.

I recommend looking at this previous thread I started in February that thankfully got lots of good inputs from other tech lore members who walked me through the whole process:

NextDNS and Apple Private Relay


Anyone have a solution regarding why my android now says Private DNS couldnt connect to NextDNS? It worked for a good period of time after initial setup.

Could be because of a simple Wi-Fi connection issue. Just try disabling and re-enabling wifi. If it doesn’t work, try restarting your phone.

You can also try a DNS resolver app (like RethinkDNS or Nebulo or something similar) to see if the issue is with using NextDNS or your phone.

Hi there,

It seems that restarting my phone and turning on the WiFi after setting the private DNS as my NextDNS fixes the issue. Is there a specific reason for why this is happening and will I have to keep restarting my phone everytime this issue arises?


You probably won’t need to restart all the time. I suspect that it’s something to do with maybe a VPN kill switch or something similar.

Can I block these in my router settings or will that cause problems?