NextDNS UI Skills
Version 1.0.0
NextDNS Skills
March 2026
Note:
This document is mainly for agents and LLMs to follow when maintaining,
generating, or refactoring NextDNS Web UI configuration and dashboard management. Humans
may also find it useful, but guidance here is optimized for automation
and consistency by AI-assisted workflows.
Abstract
Best practices and guidelines for NextDNS Web UI configuration and dashboard management, ordered by impact.
Table of Contents
- Capability rules — MEDIUM
- 1.1 Analytics and Logs
- 1.2 Configuration Management
- 1.3 Denylist and Allowlist
- 1.4 Device Management
- 1.5 DNS Rewrites
- 1.6 Linked IP and DDNS
- 1.7 Parental Control
- 1.8 Privacy Settings
- 1.9 Root CA Certificate Installation
- 1.10 Security Settings
- 1.11 Web3 Settings
- Efficiency rules — MEDIUM
- 2.1 Multiple Profiles Strategy
- 2.2 Recommended Configuration Guidelines
- 2.3 Setup Optimization
- 2.4 Threat Modeling & Strategy
- 2.5 Troubleshooting via Web UI
1. Capability rules
Impact: MEDIUM
1.1 Analytics and Logs
Impact: MEDIUM (Monitoring network activity and identifying blocked queries)
Visibility and troubleshooting tools
Monitor your network activity and troubleshoot issues through real-time logs and detailed analytics.
- Real-time Monitoring: See every DNS query hitting the NextDNS resolver.
- Search and Filter:
  - Blocked Queries Only: Quickly identify what is being blocked.
  - Raw DNS Logs: View the full DNS record details for each query.
- Identification: To find out why a domain is blocked, hover over the information icon (ⓘ) next to the query. It names the specific blocklist or security feature responsible.
- Direct Action: Allow or block domains directly from the log entry using the checkmark or cross icons.
- Reloading: Use the reload icon to fetch the most recent queries after making configuration changes.
- Global Overview: Track total queries and the percentage of blocked requests.
- Insights:
  - Top Domains: Identify the most requested domains.
  - Top Reasons: See which rules are triggering the most blocks.
  - Top Clients: Identify which devices are the most active on your network.
- Retention: Data in the Analytics tab respects the retention period chosen in Settings.
Best practices:
- Periodically check the Blocked Queries Only filter to ensure no essential services are being blocked.
- Use Analytics to understand the traffic patterns on your network and spot potential issues, such as a device making excessive requests or a single client generating a large share of blocked queries (a sign of malware beaconing or an aggressive tracker).
1.2 Configuration Management
Impact: MEDIUM (Global profile settings, log retention, and performance optimization)
System-level profile settings and performance
Manage your NextDNS profile settings, log storage, and performance optimizations.
- Profile Name: Use descriptive names like "Router - Stable" or "Browser - Aggressive".
- Logs Enabled: Toggle log recording on or off.
- Log Retention: Choose how long to keep logs (from 1 hour to 3 months).
- Log Storage Location: Switzerland is often recommended by privacy enthusiasts because of its strong data protection laws.
- Block Page: Display a dedicated page when a site is blocked.
  - Caution: This setting can break PayPal 2FA, iCloud Private Relay, Microsoft Teams, and Yahoo! Mail. Only enable it after installing the NextDNS Root CA on every device that uses the profile (see 1.9).
- Anonymized EDNS Client Subnet: Often enabled by default to improve CDN routing without exposing your full IP.
- Cache Boost: Recommended for performance. It raises the TTL of answers so clients keep DNS answers longer.
- CNAME Flattening: Reduces the number of DNS queries.
  - Warning: May break compatibility with services like Yahoo! Mail.
- Rewrites: Manually redirect any domain or subdomain (for example, local.home to 192.168.1.1).
- Bypass Age Verification: Allows access to content that requires age verification via DNS identification.
- Web3: Enable resolution of decentralised domains (HNS, ENS, and more).
- Set-and-Forget: If you want a trouble-free experience, stick to the NORMAL or PRO blocklists and avoid aggressive security settings like "Block Newly Registered Domains".
1.3 Denylist and Allowlist
Impact: MEDIUM (Manual management of domain-specific accessibility rules)
Selective domain blocking and allowing
Manually manage specific domains that should always be blocked or always allowed.
Use the Denylist to explicitly block domains that bypass your DNS settings or facilitate tracking.
- iCloud Private Relay: On iOS/macOS it overrides the device's DNS settings, so NextDNS cannot filter those devices while it is active. To force NextDNS filtering, block:
  - mask.icloud.com
  - mask-h2.icloud.com
  - mask-canary.icloud.com
Use the Allowlist to ensure essential services function correctly even with aggressive blocklists.
- nextdns.io: Prevents blocking access to the NextDNS dashboard itself.
- Apple Updates: xp.apple.com (needed for device updates).
- Apple Features: smoot.apple.com (Spotlight Search, iMessage GIFs).
- Windows Features: settings-win.data.microsoft.com (blocked by the native Windows tracking list).
- Social Media Fixes: graph.facebook.com, graph.instagram.com (if app issues occur).
- Video Services:
  - s.youtube.com (if YouTube history is not working).
  - imasdk.googleapis.com, pubads.g.doubleclick.net (may be needed for Paramount+ or CBS live streams).
Only add domains to the Allowlist if you encounter a specific issue. Over-allowing weakens the effectiveness of your security and privacy filters; prefer the most specific hostname that fixes the problem over a whole domain.
1.4 Device Management
Impact: MEDIUM (Unidentified devices appear as anonymous IPs in logs, making it impossible to troubleshoot per-device issues or apply device-specific filtering)
Identify, name, and manage devices in the NextDNS dashboard for precise per-device visibility
The NextDNS dashboard can display each device by name (for example, "Alice's iPhone", "Smart TV") in the Logs and Analytics tabs. Device identification depends on the DNS protocol the device uses to reach NextDNS.
Understanding which protocol each device uses determines how you can identify it and whether you can apply device-specific profiles.
| Protocol | Device visible in Logs | Per-device Profile | Client name shown |
|----------|----------------------|-------------------|-------------------|
| DoH (DNS-over-HTTPS) | ✅ | ✅ | ✅ (from device ID in URL) |
| DoT (DNS-over-TLS) | ✅ | ✅ | ✅ (from TLS hostname) |
| NextDNS CLI / App | ✅ | ✅ | ✅ (from -report-client-info) |
| Linked IP (plain DNS) | ⚠️ By IP only | ❌ | ❌ (IP address only) |
Rename a device from the Setup tab:
- Navigate to https://my.nextdns.io/{profile-id}/setup
- Scroll to Devices
- Devices that have sent queries will appear in the list
- Click the pencil icon next to any device to rename it
Rename a device from the Logs tab:
- Navigate to the Logs tab
- Click on a query row
- In the expanded view, click Edit next to the device name
- Enter a friendly name and save
Devices that use the router's DNS (Linked IP setup) appear only as IP addresses. To improve visibility, install the NextDNS CLI on the router with -report-client-info enabled. This lets the CLI report the hostname and MAC address of each LAN client to NextDNS.
Android's Private DNS (DoT) uses the profile-specific hostname shown in the Setup tab. This associates the device with your profile and makes it identifiable by its Android device name.
On iOS, install the NextDNS profile from https://my.nextdns.io/{profile-id}/setup → iOS. The profile includes a DoH or DoT configuration with your profile ID embedded, enabling per-device identification.
Navigate to Analytics → Devices to see:
- Query count per device over the selected time period
- Percentage of blocked queries per device
- Device model (when reported by the NextDNS app or CLI)
Best practices:
- Name devices immediately after they first appear in Logs; it is easier while the context is fresh.
- Use descriptive names that include the owner and device type: "Bob - iPad Pro", "Living Room TV".
- Enable -report-client-info on the NextDNS CLI for network-wide installations to identify devices without requiring per-device configuration.
- Check the __UNIDENTIFIED__ filter periodically to catch new devices on your network that have not been named yet.
Problem: A device appears only as an IP address.
Cause: The device uses Linked IP (plain DNS) without client info reporting.
Solution: Install NextDNS CLI on the router with -report-client-info, or configure the device to use DoH/DoT with your profile ID in the URL/hostname.
Problem: Two devices are merged under one name, or one device appears twice.
Cause: Different devices were given the same hostname, or the same device changed its IP.
Solution: Rename one device from the Devices list in the Setup tab, using more specific names.
Incorrect:
❌ Do not rely on Linked IP alone for per-device visibility
Plain DNS (port 53) via linked IP only identifies the network, not individual devices.
❌ Do not use the same DoH URL for multiple devices without the profile ID
Generic DoH URLs like https://dns.nextdns.io/ without a profile suffix cannot identify which profile or device the query came from.
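As an added example (not code from NextDNS or from this guide's author), the following Python builds the per-device DoH URL and DoT hostname for an inventory of devices and audits a list of endpoints for the identity they carry, which is the check behind the two "Incorrect" bullets above. It assumes the endpoint formats the Setup tab shows, DoH as https://dns.nextdns.io/<profile-id>/<device-name> and DoT as <device-name>-<profile-id>.dns.nextdns.io; the device-name alphabet (letters, digits, hyphen), the 6-character profile ID pattern and the placeholder profile ID abc123 are assumptions to verify against your own Setup tab.

```python
# Build and audit per-device NextDNS endpoints (added example, not NextDNS code).
# Assumed formats (verify against your Setup tab):
#   DoH: https://dns.nextdns.io/<profile-id>/<device-name>
#   DoT: <device-name>-<profile-id>.dns.nextdns.io
import re
from urllib.parse import urlparse

NEXTDNS_HOST = "dns.nextdns.io"
PROFILE_RE = re.compile(r"^[a-z0-9]{6}$")  # assumption: 6 lowercase alphanumerics


def safe_device_name(name):
    """Reduce a friendly name to the letters/digits/hyphens used in endpoints."""
    cleaned = re.sub(r"[^A-Za-z0-9]+", "-", name).strip("-")
    if not cleaned:
        raise ValueError(f"device name {name!r} has no usable characters")
    return cleaned


def doh_url(profile_id, device_name):
    """DoH endpoint that identifies both the profile and the device."""
    return f"https://{NEXTDNS_HOST}/{profile_id}/{safe_device_name(device_name)}"


def dot_hostname(profile_id, device_name):
    """DoT / Android Private DNS hostname carrying the same identity."""
    return f"{safe_device_name(device_name)}-{profile_id}.{NEXTDNS_HOST}"


def identify(endpoint):
    """Return {'kind', 'profile', 'device'} for a DoH URL or DoT hostname.

    profile/device are None when the endpoint does not carry them, which is
    exactly the case the dashboard cannot attribute to a profile or device.
    """
    if endpoint.startswith("https://"):
        url = urlparse(endpoint)
        if url.hostname != NEXTDNS_HOST:
            raise ValueError(f"not a NextDNS DoH endpoint: {endpoint}")
        parts = [p for p in url.path.split("/") if p]
        profile = parts[0] if parts else None
        device = parts[1] if len(parts) > 1 else None
        return {"kind": "doh", "profile": profile, "device": device}
    if endpoint == NEXTDNS_HOST:
        return {"kind": "dot", "profile": None, "device": None}
    suffix = "." + NEXTDNS_HOST
    if not endpoint.endswith(suffix):
        raise ValueError(f"not a NextDNS DoT hostname: {endpoint}")
    label = endpoint[: -len(suffix)]
    # device names may themselves contain hyphens, so the profile is the last part
    device, _, profile = label.rpartition("-")
    return {"kind": "dot", "profile": profile, "device": device or None}


def audit(endpoints):
    """Return (endpoint, reason) for endpoints that leave a device unattributed."""
    findings = []
    for ep in endpoints:
        info = identify(ep)
        if info["profile"] is None or not PROFILE_RE.match(info["profile"]):
            findings.append((ep, "no profile id: queries are not tied to your profile"))
        elif info["device"] is None:
            findings.append((ep, "no device name: shows as an anonymous client"))
    return findings


if __name__ == "__main__":
    # constructed inventory; abc123 is a placeholder profile id
    inventory = {"Alice's iPhone": "doh", "Living Room TV": "dot"}
    for name, proto in inventory.items():
        ep = doh_url("abc123", name) if proto == "doh" else dot_hostname("abc123", name)
        print(f"{name}: {ep}")
    for ep, why in audit(["https://dns.nextdns.io/", "https://dns.nextdns.io/abc123",
                          "Bob-Laptop-abc123.dns.nextdns.io"]):
        print(f"FIX {ep}: {why}")
```

Run it over the endpoints actually configured on your devices (the DoH URL in a browser's secure DNS setting, the Private DNS hostname on Android); anything `audit` reports will show up in Logs under __UNIDENTIFIED__ or not at all.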
1.5 DNS Rewrites
Impact: MEDIUM (Custom records override every other answer for a hostname, so a wrong entry silently hijacks that name)
Override DNS resolution for specific hostnames from the NextDNS web dashboard
The Rewrites tab of a NextDNS profile lets you define custom DNS records that take precedence over all other resolution, including blocklists, security rules, and upstream DNS answers.
Navigate to my.nextdns.io → [Profile] → Rewrites to manage rewrite records.
Common use cases:
- Access local devices by friendly hostname (for example, nas.home → 192.168.1.50)
- Block a specific hostname by returning 0.0.0.0
- Create a CNAME alias for a self-hosted service
Best practices:
- Rewrites override everything: A rewrite takes precedence over blocklists, security rules, and allowlists for that exact hostname. Treat the Rewrites tab as a privileged setting; anyone who can edit the profile can redirect any hostname for every device using it.
- Use .home or .lan for local devices: These TLDs are not publicly delegated, which reduces the chance of accidental conflicts with real domains (.home.arpa is the name the IETF reserves for this purpose).
- Prefer the Denylist for simple blocking: Only use a rewrite to block when you need a specific non-zero answer. For straightforward blocking, the Denylist is simpler and supports wildcards.
- Test resolution after adding: Run nslookup nas.home from a device using NextDNS to confirm the rewrite is active.
Correct: Adding an A record (IPv4)
✅ Name: nas.home
Answer: 192.168.1.50 → Returns the specified IPv4 address
Correct: Adding an AAAA record (IPv6)
✅ Name: nas.home
Answer: fd00::1 → Returns the specified IPv6 address
Correct: Adding a CNAME
✅ Name: blog.example.com
Answer: myserver.example.com → Returns a CNAME pointing to the target
Correct: Blocking a specific hostname
✅ Name: tracker.specific.com
Answer: 0.0.0.0 → Blocks this exact hostname
Incorrect:
❌ Wildcard names such as *.example.com
Rewrites apply to exact hostnames only. Use the Denylist tab for wildcard blocking.
❌ Rewriting nextdns.io or dns.nextdns.io
This breaks DNS-over-HTTPS connectivity to NextDNS itself.
❌ Expecting rewrites to cascade
A CNAME rewrite to myserver.example.com does not apply any rewrite you may have defined for myserver.example.com.
Problem: The device still gets the original IP or NXDOMAIN after adding a rewrite.
Solution:
- Confirm that the profile currently active on the device is the one where the rewrite was added.
- Flush the local DNS cache on the querying device.
- Check the Logs tab in the NextDNS dashboard to see what answer was returned.
Problem: A website or app becomes inaccessible after adding a rewrite entry.
Solution: The rewrite overrides the real DNS answer for that hostname. Remove or correct the entry in the Rewrites tab.
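To automate the "test resolution after adding" step for the whole table, here is an added example in Python (not NextDNS code, not from this guide's author) that sends a plain DNS query for each rewrite above and compares the answer with what was entered. It builds and parses the DNS wire format itself, so it needs no third-party library, and it checks the transaction ID of each reply. Assumptions: the resolver is reached over plain UDP port 53 at 45.90.28.16 (one of the addresses listed in 1.6), which only applies your profile when the client's public IP is linked, so run it from a linked network or point the resolver at a local NextDNS CLI or DoH forwarder; the blocking rewrite is compared as the literal 0.0.0.0 that was entered; and `fake_resolver` with its answer table is a constructed stand-in used to exercise the checker offline.

```python
# Verify NextDNS rewrites with raw DNS queries (added example, not NextDNS code).
import ipaddress, random, socket, struct

QTYPES = {"A": 1, "CNAME": 5, "AAAA": 28}
RTYPES = {v: k for k, v in QTYPES.items()}

def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, rtype, txid):
    """Standard query: RD=1, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", QTYPES[rtype], 1)

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer: follow it, keep the first exit offset
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def _rdata_text(rtype, msg, off, rdlen):
    if rtype in (1, 28):
        return socket.inet_ntop(socket.AF_INET if rtype == 1 else socket.AF_INET6, msg[off:off + rdlen])
    return _read_name(msg, off)[0] if rtype == 5 else msg[off:off + rdlen].hex()

def parse_response(msg, txid):
    """Return (rcode, [(name, type, value), ...]) from the answer section."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    off = 12
    for _ in range(qd):
        off = _read_name(msg, off)[1] + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, RTYPES.get(rtype, str(rtype)), _rdata_text(rtype, msg, off, rdlen)))
        off += rdlen
    return flags & 0xF, answers

def _norm(rtype, value):
    return str(ipaddress.ip_address(value)) if rtype in ("A", "AAAA") else value.rstrip(".").lower()

def check_rewrites(rewrites, send):
    """rewrites: iterable of (name, rtype, expected). Returns a list of problem strings."""
    problems = []
    for name, rtype, expected in rewrites:
        txid = random.randrange(0x10000)
        rcode, answers = parse_response(send(build_query(name, rtype, txid)), txid)
        got = [_norm(rtype, v) for _, t, v in answers if t == rtype]
        if _norm(rtype, expected) in got:
            continue
        why = "NXDOMAIN (wrong profile or cached?)" if rcode == 3 else (f"got {got}" if got else "no answer")
        problems.append(f"{name} {rtype}: {why}, expected {expected}")
    return problems

def udp_resolver(server="45.90.28.16", timeout=3.0):
    """Plain DNS over UDP; the profile only applies if this network's public IP is linked."""
    def send(query):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            return s.recv(4096)
    return send

def fake_resolver(table):
    """Constructed offline stand-in for testing: table maps (name, rtype) -> answer text."""
    def send(query):
        txid = struct.unpack("!H", query[:2])[0]
        qname, off = _read_name(query, 12)
        qtype = struct.unpack("!H", query[off:off + 2])[0]
        value = table.get((qname, RTYPES[qtype]))
        if value is None:  # NXDOMAIN with the question echoed back
            return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + query[12:]
        if qtype in (1, 28):
            rdata = socket.inet_pton(socket.AF_INET if qtype == 1 else socket.AF_INET6, value)
        else:
            rdata = _encode_name(value)
        rr = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + query[12:] + rr
    return send

REWRITES = [  # the example entries from this section
    ("nas.home", "A", "192.168.1.50"), ("nas.home", "AAAA", "fd00::1"),
    ("blog.example.com", "CNAME", "myserver.example.com"), ("tracker.specific.com", "A", "0.0.0.0"),
]
```

Against the live resolver, `check_rewrites(REWRITES, udp_resolver())` returns an empty list when every rewrite is active; an NXDOMAIN entry usually means the querying network is not linked to the profile that holds the rewrite, and a stale address means a client-side cache (Cache Boost makes these last longer). A CNAME rewrite is verified only for the alias itself, matching the "rewrites do not cascade" rule above.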
1.6 Linked IP and DDNS
Impact: HIGH (Without a current linked IP, plain-DNS clients silently lose the profile's filtering)
Essential for router-level and legacy device support
For devices or networks that only support standard IPv4 DNS (port 53), you must link your public IP address to your NextDNS profile.
If your network uses the standard DNS servers (for example, 45.90.28.16), NextDNS needs to know your public IP to apply your custom settings; queries from an unlinked IP are answered without your profile's filtering.
- Link IP: Click the "Link IP" button in the Setup tab of the dashboard.
- Dynamic IPs: If your ISP changes your IP frequently (for example, when the modem restarts), the link will break and your custom filtering will stop working until the new IP is linked.
To solve the dynamic IP issue, use a DDNS service such as No-IP:
- Get a DDNS Hostname: Register a free hostname at noip.com.
- Set up DDNS on the Router: Configure your modem/router to update the DDNS hostname whenever your public IP changes.
- Link to NextDNS:
  - In the NextDNS Dashboard (Setup tab), click Show advanced options under the Linked IP section.
  - Enter your DDNS hostname (for example, myhome.ddns.net) into the configuration field.
- Verification: NextDNS will now automatically update your Linked IP by resolving your DDNS hostname. After an IP change, check the Setup tab to confirm the new address is shown; until the DDNS record and the link catch up, the new address is unfiltered.
If modern protocols (DoH/DoT) aren't available, use these addresses:
- IPv4: 45.90.28.16 and 45.90.30.16
- IPv6: 2a07:a8c0::af:1fd7 and 2a07:a8c1::af:1fd7 (the trailing part is specific to the profile, so IPv6 clients do not depend on the Linked IP step)
Linked IP is the "backup" method. Whenever possible, use the NextDNS CLI, Apps, or Private DNS (Android), as they do not require IP linking and support naming devices in logs.
Keep in mind that a linked IP identifies a whole network, not a device: every client behind that public address shares the profile and shows up in its logs, including guests, and on an ISP that puts several customers behind one shared address (CGNAT) the link cannot reliably single out your network at all.
1.7 Parental Control
Impact: HIGH (Management of content filtering, app restrictions, and schedules)
Content filtering and usage monitoring for family members
Configure restrictions to manage and protect children's internet access.
- Websites, Apps and Games: Restrict access to specific popular services. Supported apps include:
  - Social Media: Facebook, TikTok, Instagram, Snapchat, Reddit, Twitter, Tumblr, Pinterest.
  - Gaming: Roblox, Minecraft, Fortnite, League of Legends, Steam, Blizzard.
  - Messaging: Messenger, WhatsApp, Discord, Telegram, Skype.
  - Streaming: YouTube, Netflix, Disney+, Hulu, Spotify, Twitch, Vimeo, Prime Video.
  - Others: Tinder, eBay, Amazon, Zoom, 9GAG.
- Categories: Block entire categories of content:
  - Porn: Adult and pornographic content (for example, Pornhub).
  - Gambling: Gambling and betting sites.
  - Dating: Dating apps and websites.
  - Piracy: P2P sites and copyright-infringing content.
  - Social Networks: All social media platforms.
- Recreation Time: Set specific time windows for each day of the week (Monday to Sunday) when certain apps or categories are allowed. For example, allow Facebook only from 6 PM to 8 PM on Tuesdays.
- SafeSearch: Enforce SafeSearch on major search engines to filter explicit images and videos.
- YouTube Restricted Mode: Filter mature videos on YouTube and hide all comments.
- Block Bypass Methods: Essential feature to block VPNs, proxies, and Tor used to bypass filtering.
The Recreation Time feature is one of the most effective tools for balancing screen time and study time for children. Always enable Block Bypass Methods to ensure the rules cannot be easily circumvented by savvy users.
Keep in mind that DNS filtering only sees queries that reach NextDNS: a device reconfigured to use another DoH/DoT resolver, or an app that connects by IP address, bypasses the profile entirely. Where that matters, pair it with router rules that block outbound DNS to other resolvers and use the NextDNS app or a managed configuration on the child's device.
1.8 Privacy Settings
Impact: HIGH (Management of privacy blocklists and anti-tracking features)
Core privacy and tracking protection settings
Manage blocklists and tracking protection to enhance your online privacy.
Blocklists: Blocklists filter out ads, trackers, and malicious sites. Use a minimum number of useful lists to prevent overblocking. HaGeZi is the recommended maintainer because false positives are handled quickly and in coordination with other maintainers.
| Selection | Rationale |
| -------------------------------- | --------------------------------------------------------------------------- |
| HaGeZi - Multi NORMAL + OISD | For routers. "Set-and-forget" with almost no issues. |
| HaGeZi - Multi PRO | Recommended for most users. Blocks more without major issues. |
| HaGeZi - Multi PRO++ | For web browsers. Aggressive blocking, may require occasional allowlisting. |
- hostsVN: Highly recommended for Vietnamese users to effectively block local ads.
Native Tracking Protection: Add the brand names of all devices you use on your network (for example, Apple, Samsung, Xiaomi, Huawei, Windows, Amazon Alexa, Roku, Sonos).
Disguised Third-Party Trackers: Automatically detect and block trackers that masquerade as first-party via CNAME cloaking.
- Note: NextDNS already matches blocklists against CNAME targets by default, even when this list is disabled. This specific list hasn't been updated in years and might block some referral domains incorrectly.
Allow Affiliate and Tracking Links: Allow links on shopping sites or in emails to open properly. NextDNS uses a TCP proxy to hide your real IP address when clicking these links, preserving your privacy.
If you use extremely aggressive lists (like 1Hosts Pro), you will likely experience breakage in services such as:
- Google Analytics
- Google Tag Manager
- Google Optimize
- Email links (if affiliate links are blocked)
1.9 Root CA Certificate Installation
Impact: HIGH (Without the NextDNS Root CA installed, enabling Block Page causes HTTPS certificate warnings on every blocked site instead of showing the block page)
Install the NextDNS Root CA certificate to enable HTTPS block pages without browser security warnings
When Block Page is enabled and NextDNS blocks a domain requested over HTTPS, the browser is steered to NextDNS's block page server, which presents a certificate for the blocked hostname issued by the NextDNS Root CA. To display a friendly block page instead of a confusing browser error (ERR_SSL_PROTOCOL_ERROR or similar), that Root CA must be trusted by the device's certificate store.
Without the Root CA, enabling the Block Page feature in Settings causes every blocked HTTPS site to display a browser certificate warning, which is confusing and alarming for users.
Block Page should only be enabled after installing the Root CA on all devices that will use the profile.
Trusting a root CA is a security decision: the device will accept any certificate that CA issues, for any site. Install only the file downloaded from your own dashboard over HTTPS, install it only on devices that use a profile with Block Page enabled, and remove it from the trust store if you stop using the feature.
Download from the NextDNS dashboard:
- Navigate to https://my.nextdns.io/{your-profile-id}/setup
- Scroll to the Root CA section
- Download the certificate file: nextdns.crt
Or download directly:
Windows, via GUI:
- Double-click nextdns.crt
- Click Install Certificate
- Select Local Machine → Place all certificates in the following store
- Browse → Trusted Root Certification Authorities
- Click Finish → Yes to the security prompt
macOS, via Keychain Access:
- Open Keychain Access → System keychain
- Drag nextdns.crt into the window
- Double-click the NextDNS certificate → expand Trust
- Set When using this certificate to Always Trust
iOS:
- Send nextdns.crt to the device (AirDrop, email attachment, or Safari download)
- Tap the file; a prompt appears: Profile Downloaded
- Open Settings → General → VPN and Device Management
- Tap the NextDNS profile → Install → enter device passcode
- Critical final step: Open Settings → General → About → Certificate Trust Settings
- Toggle NextDNS under Enable Full Trust for Root Certificates → Continue
Android:
- Transfer nextdns.crt to the device
- Open Settings → Security → Encryption and credentials (the path varies by manufacturer: Samsung uses Biometrics and Security → Install from device storage)
- Tap Install a certificate → CA Certificate
- Tap Install Anyway on the warning
- Select the nextdns.crt file
- Note: Since Android 7, a user-installed CA is trusted by browsers such as Chrome but not by most apps, so the block page appears in the browser while app connections to blocked domains still fail.
Firefox maintains its own certificate store, separate from the OS. Install manually:
- Open Settings → Privacy and Security → Certificates → View Certificates
- Click the Authorities tab → Import
- Select nextdns.crt
- Check Trust this CA to identify websites → OK
After installing the Root CA on all devices:
- Navigate to https://my.nextdns.io/{your-profile-id}/settings
- Under Block Page, toggle Enable
- Test by navigating to a blocked domain; you should see the NextDNS block page, not a browser error
Even with the Root CA installed, these services do not tolerate certificate interception and may stop working:
- PayPal 2FA: uses certificate pinning
- iCloud Private Relay: must be blocked via the Denylist instead
- Microsoft Teams: some features use certificate pinning
- Yahoo! Mail: certificate validation issues
If these services break, keep Block Page disabled and rely on the default blocked response instead; with no page served, no certificate is involved.
Problem: The profile install prompt does not appear on iOS.
Solution: The certificate must be downloaded in Safari (not a third-party browser) for the profile install prompt to appear correctly.
Problem: A previously visited site still shows a certificate error instead of the block page.
Solution: Clear the browser's HSTS cache. For Chrome: navigate to chrome://net-internals/#hsts and delete the domain. For Firefox, clear site data in Preferences → Privacy.
1.10 Security Settings
Impact: HIGH (Configuration of advanced threat protection and security features)
Advanced threat protection and security configuration
Configure advanced security features to protect your network from various online threats.
- Threat Intelligence Feeds: Block domains identified as distributing malware, launching phishing attacks, or hosting command and control servers, using highly reputable intelligence feeds updated in real time.
- AI-Driven Threat Detection (Beta): Analyzes DNS queries and answers in real time to detect and block malicious behavior.
- Google Safe Browsing: Use Google's technology to block malware and phishing domains.
  - Caution: It wasn't designed as a DNS-level blocker and may flag legitimate CNAME domains as scams. It can take months to remove a false positive.
- Cryptojacking Protection: Prevent unauthorized use of your devices to mine cryptocurrency.
- DNS Rebinding Protection: Prevent attackers from taking control of local devices over the Internet by blocking DNS responses that contain private IP addresses. Expect breakage for public hostnames that legitimately resolve to private addresses (split-horizon setups).
- IDN Homograph Attacks Protection: Block domains that impersonate other domains by misusing characters from different scripts (for example, replacing Latin "e" with Cyrillic "е").
- Typosquatting Protection: Block domains registered by malicious actors targeting users who mistype website addresses (for example, gooogle.com instead of google.com).
- Domain Generation Algorithms (DGAs) Protection: Block domains generated by algorithms used by malware to communicate with command and control servers.
- Block Newly Registered Domains (NRDs): Block domains registered less than 30 days ago.
  - Caution: This may cause occasional false positives. If you plan to "set-and-forget", consider disabling this.
- Block Dynamic DNS Hostnames: Block hostnames from DDNS services. Note that DDNS services can still access their own update APIs.
- Block Parked Domains: Block single-page websites that often contain ads and low-value or potentially malicious content.
- Block Top-Level Domains (TLDs): Block all domains under specific TLDs known for high malicious activity.
Blocking these commonly abused TLDs offers protection without much risk to everyday browsing: .autos, .best, .bid, .boats, .boston, .boutique, .charity, .christmas, .dance, .fishing, .hair, .haus, .loan, .loans, .men, .mom, .name, .review, .rip, .skin, .support, .tattoo, .tokyo, .voto
Best practices:
- Prevent Overblocking: Avoid blocking features that have a high rate of false positives unless your threat model requires it.
- Grandma Test: A configuration is successful if it passes the "Grandma Test": it should work for a typical user without constant manual intervention.
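As an added example (not NextDNS's implementation, which this guide does not describe), the following Python screens a list of domains locally with simplified versions of three of the checks above: the abused-TLD list, IDN homograph detection (a label mixing two scripts, or a single-script label that maps onto a protected brand through a small Cyrillic-to-Latin confusables table) and typosquatting (edit distance of one from a protected brand). Punycode labels are decoded first so xn-- names are inspected as Unicode. The brand list, the confusables table, the one-edit threshold and the use of the second-level label as the registrable name are assumptions to tune; the sample domains are constructed.

```python
# Local pre-screen for a domain list, approximating three NextDNS security
# checks (added example, not NextDNS's algorithm): abused-TLD blocking, IDN
# homograph detection and typosquatting against brands you care about.
import unicodedata

BLOCKED_TLDS = {"autos", "best", "bid", "boats", "boston", "boutique", "charity",
                "christmas", "dance", "fishing", "hair", "haus", "loan", "loans",
                "men", "mom", "name", "review", "rip", "skin", "support", "tattoo",
                "tokyo", "voto"}
PROTECTED_BRANDS = ["google", "apple", "paypal", "microsoft", "yahoo"]  # assumption
# Tiny subset of Unicode TR39 confusables: Cyrillic letters -> Latin look-alikes.
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                             "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
                             "\u0458": "j", "\u0455": "s", "\u04bb": "h", "\u0501": "d"})


def to_unicode(domain):
    """Decode punycode labels (xn--...) so scripts can be inspected; lower-case."""
    domain = domain.rstrip(".").lower()
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeEncodeError:  # already Unicode
        return domain


def scripts(label):
    """Set of Unicode script names (first word of the character name) in a label."""
    return {unicodedata.name(ch, "?").split(" ")[0]
            for ch in label if ch not in "-0123456789"}


def edit_distance(a, b):
    """Levenshtein distance, used for the typosquatting heuristic."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen(domain):
    """Return the reasons a domain would be flagged; an empty list means clean."""
    reasons = []
    labels = to_unicode(domain).split(".")
    tld = labels[-1]
    if tld in BLOCKED_TLDS:
        reasons.append(f"tld:.{tld}")
    for label in labels[:-1]:
        used = scripts(label)
        skeleton = label.translate(CONFUSABLES)
        if len(used) > 1:
            reasons.append(f"homograph:{label} mixes {'+'.join(sorted(used))}")
        elif skeleton != label and skeleton in PROTECTED_BRANDS:
            reasons.append(f"homograph:{label} looks like {skeleton}")
    # second-level label only; no public-suffix handling (assumption)
    sld = labels[-2] if len(labels) > 1 else labels[0]
    for brand in PROTECTED_BRANDS:
        if sld != brand and edit_distance(sld, brand) == 1:
            reasons.append(f"typosquat:{sld}~{brand}")
    return reasons


def screen_all(domains):
    """Map each flagged domain to its findings (clean domains are omitted)."""
    return {d: r for d in domains if (r := screen(d))}


if __name__ == "__main__":
    # constructed sample: a clean name, the guide's typosquat, a mixed-script
    # homograph with Cyrillic e, an all-Cyrillic look-alike, and a blocked TLD
    sample = ["nextdns.io", "gooogle.com", "googl\u0435.com",
              "\u0443\u0430\u04bb\u043e\u043e.com", "free-stuff.loan"]
    for domain, why in screen_all(sample).items():
        print(domain, "->", ", ".join(why))
```

This is useful for sanity-checking a denylist or allowlist before you import it, or for reviewing an exported list of queried domains when you suspect the dashboard's own checks are being bypassed; it does not replace the real-time feeds, which NextDNS applies to every query regardless of what runs on the client.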
1.11 Web3 Settings
Impact: LOW (Enable resolution for decentralized blockchain domains)
NextDNS supports the resolution of decentralized domains (Web3) based on blockchain technologies.
Located in the Settings tab of your NextDNS dashboard:
- Navigate to the Settings tab.
- Find the Web3 section.
- Toggle the switch to Enabled.
When enabled, NextDNS can resolve:
- ENS (Ethereum Name Service): Domains ending in .eth.
- Unstoppable Domains: Domains ending in .crypto, .nft, .x, and more.
- Handshake (HNS): A decentralized naming protocol.
- IPFS Integration: Facilitates access to content stored on the InterPlanetary File System.
Benefits:
- ✅ Native Resolution: Access decentralized websites directly in any browser without needing special extensions (MetaMask, and more) for DNS resolution.
- ✅ Developer Workflow: Simplifies testing for decentralized applications (dApps).
Web3 domains are not governed by ICANN. While NextDNS attempts to apply standard security filters, the decentralized nature of these domains means they may carry different risk profiles than traditional TLDs: there is no registrar to take a malicious name down, so leave Web3 disabled on profiles that do not need it.
2. Efficiency rules
Impact: MEDIUM
2.1 Multiple Profiles Strategy
Impact: MEDIUM (Using a single profile for all devices causes over-blocking on some devices and under-protection on others, with no way to tune without affecting everyone)
Organise multiple NextDNS profiles to give each device category the right level of protection
A single NextDNS profile applied to all devices is a compromise that satisfies no one: too aggressive for IoT devices that break, too lenient for children's devices that need filtering. The recommended approach is to create distinct profiles for each category of device and assign them appropriately via the NextDNS CLI, apps, or per-device configuration.
- Router / IoT profile (stable): Smart TVs, game consoles, IoT devices, guest network; anything that cannot run the NextDNS app.
- Personal profile: Personal laptops, phones, tablets of adults.
- Kids profile: Children's tablets, phones, gaming devices.
- Guest profile: Temporary visitors, untrusted devices.
Assigning profiles:
- Network level: Segment your network with VLANs and assign a different DNS server (NextDNS linked IP or CLI profile) per VLAN: children's devices on VLAN 20, personal on VLAN 10, IoT on VLAN 30. Note that one linked public IPv4 address maps to one profile only, so per-VLAN separation needs the profile-specific IPv6 addresses, DoH/DoT, or a CLI instance per VLAN rather than Linked IP alone.
- Device level: On each personal device, install the NextDNS app and configure it with the appropriate profile ID. This overrides any router-level DNS.
Use consistent naming to avoid confusion in the dashboard:
| Pattern | Example |
|---------|---------|
| [Location] - [Level] | Router - Stable, Office - Advanced |
| [Person] - [Device] | Alice - Phone, Bob - Laptop |
| [Purpose] - [Age] | Kids - Under12, Teen - 13to17 |
Best practices:
- Start with fewer profiles and split only when needed; each profile requires separate maintenance.
- Share blocklists across profiles but adjust security features individually per profile.
- Use the Kids profile as a template: duplicate it with the profile copy pattern and adjust recreation time per child.
- Review profiles quarterly; children grow up, IoT devices change, and blocklists improve.
- Keep one "break glass" profile with minimal blocking that you can switch to quickly when troubleshooting breakage.
Problem: You need to confirm which profile a device is actually using.
Solution: Navigate to Logs in the NextDNS dashboard → filter by client IP or device name → the Profile column shows which profile handled each query.
Problem: A device keeps using its old profile after being reassigned.
Solution: The device may have cached the old DNS assignment. Force a DHCP renewal or reconnect to Wi-Fi to pick up the new profile assignment.
2.2 Recommended Configuration Guidelines
Impact: HIGH (Strategic configuration to maximize protection while minimizing breakage)
Based on the NextDNS-Config guidelines, these settings provide an optimal balance between security, privacy, and usability.
A successful configuration should generally work without intervention ("pass the Grandma test").
Security:
- Threat Intelligence: ✅ Enabled.
- AI-Driven Detection: ⚠️ Disabled (Beta, potential for false positives).
- Google Safe Browsing: ❌ Disabled (not designed for DNS-level use, slow to clear false positives).
- NRDs (Newly Registered Domains): ✅ Enabled, but disable it if you don't plan to maintain your allowlist.
Privacy (blocklists):
Avoid adding dozens of blocklists. Diminishing returns lead to higher latency and frequent breakage.
| Profile Type | Strategy | Recommended Lists |
| :-------------------------- | :----------------- | :--------------------------- |
| Router (Default) | High Compatibility | HaGeZi - Multi NORMAL + OISD |
| Personal (Advanced) | High Privacy | HaGeZi - Multi PRO |
| Hardened (Experimental) | Aggressive | HaGeZi - Multi PRO++ |
Denylist:
Always block Apple's Private Relay if you want NextDNS to see individual device traffic:
- mask.icloud.com
- mask-h2.icloud.com
- mask-canary.icloud.com
Settings:
- ✅ Cache Boost: Enabled. High TTL values for cache-friendly responses.
- ✅ ECS: Enabled (Anonymized). Improves performance with Anycast networks/CDNs.
- ❌ CNAME Flattening: Disabled by default. Can break compatibility with Yahoo Mail and certain complex records.
Summary:
- Use 1-2 high-quality blocklists (HaGeZi/OISD).
- Enable essential security features (Rebinding, Homographs, Typosquatting).
- Allow "Affiliate and Tracking Links" to prevent email/browsing breakage.
- Enable "Cache Boost".
2.3 Setup Optimization
Impact: LOW (Efficiency best practices for dashboard configuration and performance)
Performance and management efficiency
Tips for getting the best performance and reliability out of your NextDNS configuration.
- Enable Cache Boost: This reduces the number of queries your devices need to make by telling them to remember DNS answers for longer. The trade-off is that configuration changes (new Denylist entries, Rewrites) take longer to reach clients that already cached an answer.
- Use CNAME Flattening with care: It streamlines resolution for domains that use many CNAME aliases, but it can break services such as Yahoo! Mail, so test them after enabling it.
- Log Storage Location: This selects the jurisdiction where your logs are stored. It is a privacy and compliance choice and does not affect DNS resolution speed.
- Create separate profiles for different use cases (for example, "Parental Control" for kids' devices, "Minimal" for gaming PCs) to avoid one-size-fits-all frustration.
- Regularly audit your Allowlist to remove entries that are no longer needed.
2.4 Threat Modeling & Strategy
Impact: LOW (Long-term maintainability of the configuration)
Efficient approach to long-term DNS management
DNS configuration is a spectrum between absolute security/privacy and complete usability. Use these guidelines to find your balance.
A DNS configuration is considered "stable" if it passes the Grandma Test:
- The user shouldn't have to troubleshoot the network for everyday tasks.
- Major apps (Bank, Teams, Netflix) should work without manual adjustment.
- Websites should load correctly without HTTPS warnings.
Avoid "overblocking." Adding more and more blocklists doesn't necessarily make you more secure but significantly increases the risk of "breakage" (legitimate sites not working).
- Stick to 1-2 high-quality maintained lists (like HaGeZi and OISD).
- Prefer a "NORMAL" profile for network-wide (Router) use.
- Use an "AGGRESSIVE" profile only on individual devices where you can easily toggle it off or fix it.
Instead of one massive profile, divide your configurations:
- Profile A (Stable): Minimal blocking. Used on Routers and IoT devices.
- Profile B (Personal): Moderate blocking. Used on personal laptops/phones.
- Profile C (Kids): High parental control and category blocking.
Maintenance:
- Periodically check your Analytics to see if specific rules are over-blocking.
- Review the Allowlist and remove entries that were only meant to be temporary.
- Keep the NextDNS CLI and apps updated to the latest versions.
2.5 Troubleshooting via Web UI
Impact: MEDIUM (Debugging false positives and connectivity issues using dashboard tools)
Efficient resolution of blocked content and false positives
How to identify and resolve issues when something isn't working as expected.
- Verify the Issue: If a site is not loading, first check whether it is a DNS issue by disabling NextDNS temporarily or checking whether it works on a different network.
- Check the Logs: Go to the Logs tab and refresh.
- Filter by Blocked: Switch to "Blocked Queries Only".
- Identify the Culprit: Look for the domain of the site you're trying to reach. Hover over the ⓘ icon to see which list is blocking it.
- Quick Fix: Click the checkmark icon to add it to your Allowlist immediately. Allow the specific hostname the log shows rather than the whole domain where you can.
- Reload the Site: Flush your local DNS cache or restart your browser to see if the site now loads.
Common issues:
- HTTPS Warnings: Usually caused by the Block Page feature without the Root CA installed. If this is annoying, disable "Block Page" in Settings or install the Root CA (see 1.9).
- Latency: If pages feel slow to load, check whether Anonymized EDNS Client Subnet is enabled; without it, CDNs may route you to a distant edge server.
- Missing Clients: If logs don't show device names, ensure you are using a protocol that supports client identification (DoH, DoT, or the NextDNS CLI/App).