It's always DNS. Even when it's not.
The issue
As we know, the internet is full of potentially malicious sites, which our users, families and significant others can navigate to at any moment. It is important that, where possible, we mitigate this risk.
There are a number of ways to do this, from DNS sinkholes to manual hosts file amendments, to firewalls, and everything in between. One of the other options is DNS Protection, which is what we will review today.
NextDNS
NextDNS is a very popular solution for protective DNS, and allows us to set multiple different categories and features for protection or blocking. Let's review that now.
Configuring NextDNS
First, let's navigate to https://nextdns.io/ and click on Try it Now.
In here, we'll create a new NextDNS login. Fill out your desired credentials and press Sign up.
Once complete, navigate to the dashboard and select Security. In here, we will configure:
- Use Threat Intelligence Feeds: ON
- Enable AI-Driven Threat Detection: ON
- Enable Google Safe Browsing: ON
- Enable Cryptojacking Protection: ON
- DNS Rebinding Protection: ON
- Homograph Attacks Protection: ON
- DGA Protection: ON
- Dynamic DNS Hostnames: ON
- Park Domains: ON
- Block TLDs: ON
- Block Child Sexual Abuse Material (CSAM): ON
- Configure the following TLDs:
  - .ru
  - .click
  - .aaa
  - .aarp
  - .ad
  - .ads
  - .pw
  - .tk
  - .cf
  - .sex
  - .gay
  - .free
  - .autos
  - .best
  - .bid
  - .bio
  - .boats
  - .boston
  - .boutique
  - .charity
  - .christmas
  - .dance
  - .fishing
  - .hair
  - .haus
  - .loan
  - .loans
  - .men
  - .mom
  - .name
  - .review
  - .rip
  - .skin
  - .support
  - .tattoo
  - .tokyo
  - .voto
You can find additional spam/untrustworthy TLDs here: https://github.com/hagezi/dns-blocklists/blob/main/controld/spam-tlds-folder.json
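To see how a TLD block actually applies to the names in your logs, here is an added example (my own code, not part of the original post or of NextDNS) that evaluates the TLD list above against constructed hostnames. It models the rule as "the final label of the name is in the blocked set", which is why a name such as a .com host carrying a blocked TLD as an inner label is not caught.

```python
"""Check which hostnames a 'Block TLDs' rule would deny.

Added example, not part of the original post or of NextDNS itself.
The rule is modelled as "the final label of the hostname is in the
blocked set". Hostnames in SAMPLE are constructed for illustration.
"""

# The TLD list from this post, normalised to lowercase without the dot.
BLOCKED_TLDS = frozenset(t.lstrip(".") for t in """
.ru .click .aaa .aarp .ad .ads .pw .tk .cf .sex .gay .free .autos .best
.bid .bio .boats .boston .boutique .charity .christmas .dance .fishing
.hair .haus .loan .loans .men .mom .name .review .rip .skin .support
.tattoo .tokyo .voto
""".split())


def tld_of(hostname: str) -> str:
    """Return the final DNS label, lowercased, ignoring a trailing dot."""
    labels = [lab for lab in hostname.strip().lower().rstrip(".").split(".") if lab]
    return labels[-1] if labels else ""


def is_blocked_tld(hostname: str, blocked=BLOCKED_TLDS) -> bool:
    """True if the hostname's TLD is in the blocked set.

    Only the last label counts: 'example.ru.com' is a .com host and is
    not matched, while 'cdn.example.ru' is.
    """
    return tld_of(hostname) in blocked


def audit(hostnames, blocked=BLOCKED_TLDS) -> dict:
    """Map each hostname to 'blocked' or 'allowed' under the TLD rule."""
    return {h: ("blocked" if is_blocked_tld(h, blocked) else "allowed")
            for h in hostnames}


# Constructed sample of names of the kind you might see in NextDNS logs.
SAMPLE = [
    "example.com",
    "cdn.example.ru",
    "EXAMPLE.CLICK.",      # case and trailing dot must not matter
    "example.ru.com",      # .com host with a blocked TLD as an inner label
    "login.example.pw",
    "example.co.uk",       # multi-label suffix; only 'uk' is the TLD
]

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(f"{verdict:8} {host}")
```

The point of the `example.ru.com` case is that TLD blocking is a coarse filter: it says nothing about hosts under TLDs you have not listed, so it complements rather than replaces the Denylist and threat feeds.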
Once done, navigate to the Privacy section and configure as follows:
- Blocklists:
  - NextDNS Ads and Trackers blocklist
  - OISD
- Native Tracking Protection:
  - Windows
  - Apple
  - (Add others as applicable)
- Block disguised third-party trackers: ON
Under Parental Control, you will need to amend this to suit your requirements, but due to the risks involved I am blocking the following apps:
- TikTok
- BeReal
- Telegram
- DailyMotion
- Fortnite
- Roblox
- VK
- Snapchat
- 9Gag
- Tumblr
- Tinder
In a work environment, you may choose to block more, and also include a block of ChatGPT here; however, I am using this for my home environment. With regard to categories, this is mostly up to you, but due to the risks of certain categories I am blocking:
- Pornography
- Gambling
- Dating
In here, I also enforce:
- Safesearch
- Block Bypass Methods
You can use the Allowlist to allow anything that you find is incorrectly denied by NextDNS. I also advise blocking known malicious sites using the Denylist. Jay Kerai (https://github.com/Jkerai1) has some great resources for this here: https://github.com/jkerai1/SoftwareCertificates/tree/main/Bulk-IOC-CSVs
Next, in the Settings area, select whether or not you wish to enable logs (for privacy reasons, you may choose to turn this off). I also advise turning on the Block Page, Enable Anonymized EDNS Client Subnet, and enabling CNAME Flattening.
Configuring your DNS
Now that you have configured your settings, you will need to configure your systems to send their DNS requests to NextDNS. I won't go over the full specifics of how to do this, but you can find the DNS details under the Setup tab.
At the top of the page, you will see whether the device is using NextDNS or not:
Once completed, you will start to see your DNS requests in Logs (if enabled):
Backing up NextDNS configuration
It may be prudent to back up your NextDNS configuration. Unfortunately, at the time of writing NextDNS themselves do not make this particularly easy to do, but fear not!
What we can do is use a userscript (or browser extension) that lets us download (and import) the configuration file as we like.
First, download and install the NXEnhanced extension. Here it is for Microsoft Edge: https://microsoftedge.microsoft.com/addons/detail/nx-enhanced-official/gkgbmecdljkkgcngomnahechobbbcihh
Once installed, you will be able to navigate to Settings within your NextDNS profile and export the configuration:
When you export your config, you will receive a JSON download:
This can be stored on Github for backup.
To import it, select the Import a config option and select your JSON. You will see a popup saying import in progress.
Download or contribute to my configuration here: