Every time you type a URL or click a link, your device asks a DNS server one question: what’s the IP address for this domain? That question happens before any data transfers, before any connection is made, before any encryption kicks in.
Your ISP’s DNS server receives every single one of those requests. Every website you visit. Every app that phones home. Every search you run. All logged, timestamped, and tied to your account.
In the US, ISPs can legally sell that data. Many do.
NextDNS solves this — and does a lot more — in about ten minutes of setup.
What DNS Is and Why It Matters
The Domain Name System is the internet’s phone book. When your browser needs to reach google.com, it asks a DNS resolver to look up the address. The resolver answers, the connection proceeds.
The problem: your DNS resolver sees all of your traffic metadata before any encryption protects it. HTTPS encrypts the content of your web requests, but it doesn’t hide the fact that you made a DNS query for mentalhealth.gov, cancer.org, or divorcelawyer.com. Your ISP’s resolver sees all of that in plaintext.
Standard DNS also has no verification. Responses can be forged, redirected, or intercepted — a technique called DNS hijacking. Your ISP can and does redirect failed domain lookups to their own search pages. Some ISPs inject ads into responses.
NextDNS fixes the resolver problem, the logging problem, the hijacking problem, and several others simultaneously.
What NextDNS Does
NextDNS is a cloud-based DNS resolver with several key properties:
Encrypted DNS. It supports DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) — your DNS queries are encrypted in transit. Your ISP can see that you’re talking to NextDNS, but not what you’re asking.
Ad and tracker blocking at the DNS level. Before your device even connects to a tracker domain, NextDNS blocks the lookup. The tracker never loads. This works in apps too, not just browsers — something browser extensions can’t do.
Malware and threat blocking. NextDNS maintains real-time threat intelligence feeds. Known malicious domains get blocked before your device connects.
Configurable blocklists. You choose which blocklists to enable. Popular options include NextDNS Ads & Trackers Blocklist, OISD, and Steven Black’s Hosts. Each blocks millions of known ad and tracking domains.
Query logging you control. By default NextDNS logs your queries, but you can disable this entirely. Or keep 1-hour retention just for troubleshooting. You decide.
Works everywhere. Configure it on your router and it covers every device on your network automatically. Configure it per-device and it follows you on cellular. Do either, or both.
Setup: Router Level (Covers Everything)
This is the most powerful approach — every device on your network gets protected without touching individual devices.
- Create a free account at nextdns.io
- Note your unique NextDNS ID (looks like abc123)
- Log into your router admin panel (usually 192.168.1.1 or 192.168.0.1)
- Find DNS settings — usually under WAN, Internet, or Advanced
- Replace your ISP’s DNS servers with your NextDNS addresses:
- Primary: 45.90.28.0 (or your profile-specific IP from the NextDNS dashboard)
- Secondary: 45.90.30.0
- For encrypted DNS (DoH/DoT), enter your NextDNS hostname: [your-id].dns.nextdns.io
Not all ISP-provided routers support DoH/DoT. If yours doesn’t, the IP-based setup still works and still routes through NextDNS — it just won’t be encrypted at the network level. Per-device app setup (below) handles encryption on each device.
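To make "encrypted DNS" concrete, here is an added example (not code from the article or from NextDNS) showing what actually travels inside the HTTPS connection: the ordinary RFC 1035 query, base64url-encoded into an RFC 8484 GET, plus a parser for the reply. It assumes the DoH endpoint form https://dns.nextdns.io/<id> with a constructed placeholder ID, and the reply it parses is a constructed sample, not captured traffic.

```python
import base64
import struct

NEXTDNS_ID = "abc123"  # constructed placeholder; use the ID from your dashboard
DOH_URL = f"https://dns.nextdns.io/{NEXTDNS_ID}"  # assumed DoH endpoint form

def encode_name(name: str) -> bytes:
    """RFC 1035 wire form: length-prefixed labels ending in a zero byte."""
    labels = [lab.encode("ascii") for lab in name.rstrip(".").split(".")]
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"

def build_query(name: str, qtype: int = 1) -> bytes:
    """One-question query; ID 0 with RD=1, as RFC 8484 suggests for cacheable GETs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(name: str) -> str:
    """RFC 8484 GET: the same wire bytes, base64url without padding, inside HTTPS."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{DOH_URL}?dns={b64}"

def skip_name(msg: bytes, off: int) -> int:
    """Step over a name, spelled out or ending in a 2-byte compression pointer."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_records(msg: bytes) -> list[str]:
    """IPv4 answers in a response; a sinkhole address such as 0.0.0.0 means blocked."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, ips = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips

def constructed_response(name: str, ip: str) -> bytes:
    """Constructed sample reply, not captured traffic: one A answer, name compressed."""
    hdr = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return hdr + rr
```

The URL from doh_get_url is what your ISP cannot read: it sees a TLS session to the resolver, while the domain you asked about sits in the encrypted query string.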
Setup: Per Device (iPhone)
Go to Settings → General → VPN & Device Management → DNS, or use the NextDNS app:
- Install the NextDNS app from the App Store
- Open it and tap the toggle — that’s it
- Or go to nextdns.io/ios and tap the configuration profile to install it system-wide without an app
The iOS profile approach is cleaner — it configures DoH at the OS level and works even when the app isn’t running.
Setup: Per Device (Mac)
Install the NextDNS CLI or use the configuration profile:
sh -c "$(curl -sL https://nextdns.io/install)"
Or go to nextdns.io/mac and download the profile directly.
The Settings That Matter
Once you’re in the NextDNS dashboard, a few settings are worth configuring immediately:
Security tab:
- Enable Threat Intelligence Feeds — on
- Enable DNS Rebinding Protection — on
- Enable Cryptojacking Protection — on
- Enable Typosquatting Protection — on
Privacy tab:
- Add blocklists: NextDNS Ads & Trackers Blocklist, OISD (full)
- Enable Native Tracking Protection — this specifically blocks Apple, Google, and Microsoft’s own tracking domains that other lists miss
- Enable Blocklist for Affiliate & Tracking Links
Logs tab:
- Set log retention to “No logs” or “1 hour” — your preference
- If you keep logs, enable anonymization
What NextDNS Doesn’t Do
Be clear on the limits:
It doesn’t replace a VPN. NextDNS encrypts your DNS queries but not your actual web traffic. Your ISP still sees that you’re connecting to IP addresses, just not which domains you looked up first. For full traffic encryption, VPN + NextDNS together is the right combination.
It doesn’t block everything. Trackers that operate from the same domain as the site itself (first-party tracking) bypass DNS blocking entirely. Browser extensions like uBlock Origin are still necessary for thorough ad blocking on the web.
It doesn’t protect against compromised sites. NextDNS blocks known malicious domains, but zero-days and newly registered malicious sites may not be in the feeds yet.
Free tier has query limits. 300,000 queries per month free. Heavy users with many devices may hit this. Paid plans are $2/month (personal) or $20/year — extremely reasonable for what you get.
Why This Over Pi-hole
Pi-hole is the classic self-hosted DNS blocking solution and it’s excellent. The tradeoff: it requires a Raspberry Pi or server running 24/7, maintenance, updates, and only works on your home network.
NextDNS works on every device everywhere, requires no hardware, takes ten minutes to set up, and the dashboard is dramatically better. The privacy tradeoff is that NextDNS sees your queries (unless you disable logging), whereas with Pi-hole only you do.
For most people, NextDNS is the right answer. For the truly paranoid who want zero third-party DNS visibility: Pi-hole at home plus Mullvad DNS on the road.
The Practical Reality
Most people reading this are on their ISP’s default DNS with no blocking, no encryption, and a complete log of every domain they’ve ever visited sitting on Comcast or Verizon’s servers.
Switching to NextDNS takes ten minutes. It costs nothing to start. It blocks thousands of tracking domains before they ever load, encrypts your DNS queries so your ISP loses visibility, and gives you a dashboard that shows exactly what your devices are trying to connect to.
It’s one of the highest-leverage, lowest-effort privacy wins available right now.
Do it today.