NextDNS: DNS filtering to protect your business and home network

Every device on your network — PC, smartphone, smart TV, Wi-Fi thermostat — makes a DNS query before opening any connection: it asks “what is the IP address of this domain?” NextDNS intercepts that request. If the domain is on a blocklist, it replies “doesn’t exist” and the connection never starts. No malware downloaded, no trackers collecting data, no invasive ads — across all devices, without installing anything on each one.

How DNS blocking works

The advantage of DNS filtering is that it operates at the network level, not the application level. You don’t need a browser extension on every PC, you don’t need an MDM profile on every smartphone. Configure DNS in the router and every device that connects to the network is filtered automatically — including ones you can’t install software on (TVs, IoT devices, consoles).

When a device looks up tracker.doubleclick.net or malware-cdn.ru, NextDNS checks its blocklists (updated in real time) and responds with NXDOMAIN. The browser or app receives “domain not found” and stops. No data is ever transmitted to the malicious server.

Setup in 3 minutes

1. Create a free account at nextdns.io
2. Go to Setup → copy your custom DNS addresses (assigned to your account, e.g. 45.90.28.XXXX and 45.90.30.XXXX)
3. Log into your router’s admin panel → DNS section → replace your ISP’s DNS servers with NextDNS ones

From that moment, all devices on the network are filtered. On iOS and macOS you can also download the NextDNS configuration profile to enable filtering on the go (outside your home network).

To verify it’s working: go to test.nextdns.io from any browser. It should say “You are using NextDNS”.

Useful configuration

The NextDNS dashboard gives you granular control:

• Blocklists: enable with one click the most effective lists — NextDNS Ads & Trackers Blocklist, OISD, uBlock filters. These three block 95% of trackers and ads.
• Allowlist: if a legitimate domain gets blocked by mistake (false positive), add it here. Happens rarely, but it does happen — especially with some corporate CDNs.
• Parental controls: block entire categories (gaming, social media, adult content) and apply them by time of day. “No YouTube after 10pm” takes 30 seconds to configure.
• Privacy: disable DoH (DNS over HTTPS) in browsers to force them to use the system DNS — otherwise Chrome and Firefox bypass your filter entirely.

Logs and analytics: the Logs tab shows every DNS query in real time, with the device name, domain queried, and whether it was blocked or allowed. Useful for discovering what an IoT device is doing — many of them call telemetry servers dozens of times a day.

Cost and alternatives

The free plan covers 300,000 queries/month — a family with 5 active devices uses roughly 50-100k queries/month, so the limit is never an issue. The Pro plan costs €2/month for unlimited queries and extended logs (7 days instead of 24 hours).

If you want more control and have a spare Raspberry Pi: Pi-hole is self-hosted, no external service dependencies, but requires manual blocklist management and has no mobile app for filtering outside the network. AdGuard Home is similar to Pi-hole with a better UI and more frequent updates — both are free and excellent for those who want full control.

For business use without dedicated infrastructure, NextDNS Pro is hard to beat on simplicity-to-cost ratio.

What to do

• Set up NextDNS on your router now: it takes 3 minutes and the free plan is enough for a home network or small office
• Enable the NextDNS Ads & Trackers Blocklist + OISD blocklists as a starting point, then watch the logs for 24 hours before adding more aggressive lists
• If you have children at home, configure the Parental Controls profile with time-based blocking — it’s more effective than any parental control app installed on the individual device