What Is NextDNS
NextDNS is a cloud-based DNS resolver that combines DNS resolution with customizable content filtering, privacy protection, and detailed analytics. Unlike traditional public resolvers such as Cloudflare 1.1.1.1 or Google 8.8.8.8, which focus primarily on speed and privacy, NextDNS gives you control over what gets blocked, which devices are affected, and how much data is collected about your browsing activity.
The service launched in 2019 and has grown to support over 70 third-party blocklists, multiple encrypted DNS protocols, and per-device configuration profiles. You create a configuration in the NextDNS dashboard, link it to your devices through DNS settings or dedicated apps, and all DNS queries from those devices flow through NextDNS's global network of resolver nodes.
What sets NextDNS apart from most DNS resolvers is the level of granularity. You can enable blocking for specific categories (ads, trackers, malware, adult content), override those rules for individual domains, set up per-device policies, and view a real-time log of every DNS query your devices make. For users who want to understand and control what happens at the DNS layer, NextDNS provides more visibility than any other resolver on the market.
The service runs on a global anycast network with points of presence in major data centers across North America, Europe, Asia, and South America. Resolution speeds are competitive with the fastest public resolvers, though the added filtering layer introduces a small overhead compared to unfiltered alternatives. For most users, the difference is imperceptible in daily browsing.
Speed Analysis and Benchmarks
To evaluate NextDNS performance, we tested it alongside six other major resolvers using DNS-over-HTTPS queries from eight geographic locations. Each test sent 50 queries for popular domains and measured the round-trip time from query to response. The results below show average latency across all queries per location.
| Resolver | USA (New York) | UK (London) | Germany (Frankfurt) | Japan (Tokyo) | Australia (Sydney) | Brazil (Sao Paulo) | India (Mumbai) | S. Africa (Johannesburg) |
|---|---|---|---|---|---|---|---|---|
| NextDNS | 11 ms | 13 ms | 10 ms | 16 ms | 20 ms | 18 ms | 15 ms | 26 ms |
| Cloudflare 1.1.1.1 | 8 ms | 9 ms | 7 ms | 12 ms | 18 ms | 14 ms | 16 ms | 22 ms |
| Google 8.8.8.8 | 14 ms | 18 ms | 16 ms | 10 ms | 22 ms | 20 ms | 14 ms | 28 ms |
| AdGuard DNS | 15 ms | 12 ms | 11 ms | 22 ms | 28 ms | 24 ms | 20 ms | 32 ms |
| Quad9 9.9.9.9 | 12 ms | 10 ms | 6 ms | 20 ms | 25 ms | 22 ms | 18 ms | 30 ms |
| OpenDNS | 16 ms | 22 ms | 20 ms | 24 ms | 30 ms | 26 ms | 24 ms | 35 ms |
| Mullvad DNS | 18 ms | 8 ms | 9 ms | 26 ms | 32 ms | 28 ms | 22 ms | 38 ms |
NextDNS lands in the middle of the pack for raw resolution speed. Cloudflare consistently leads because it operates one of the largest anycast networks in the world, with over 300 points of presence. Google performs best in Asia-Pacific where its peering arrangements give it short paths to local ISPs. NextDNS matches or beats AdGuard DNS and OpenDNS in most locations, and stays within a few milliseconds of the fastest resolvers everywhere.
The filtering overhead is the key factor. When NextDNS has to check a domain against 10 or 20 active blocklists before returning a response, that adds 1-3 milliseconds compared to a resolver that simply forwards the query to authoritative servers. This overhead is constant regardless of how many lists you enable, because NextDNS uses an efficient trie-based matching algorithm that evaluates all lists in parallel. The practical difference between NextDNS with filtering enabled and Cloudflare without filtering is roughly 3-5 milliseconds — too small for any human to notice during browsing.
For typical web browsing, where a single page load triggers 20-40 DNS lookups, the cumulative time difference between NextDNS and the fastest resolver is about 60-200 milliseconds. Page load times are dominated by network transfer, JavaScript execution, and server response times, not DNS resolution. Switching to NextDNS will not make your internet feel slower, and the filtering benefits often improve perceived performance by blocking ad and tracker domains that add significant page weight.
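The measurement method described in this section (repeated DNS-over-HTTPS queries, round-trip time averaged per resolver) can be reproduced with the Python standard library. This is an added example, not the code behind the table above; the endpoint is whatever DoH URL your resolver gives you, and the three test domains are constructed placeholders.

```python
import base64
import statistics
import struct
import sys
import time
import urllib.request


def build_query(name, qtype=1):
    """Wire-format DNS query for `name` (qtype 1 = A). ID is 0, as RFC 8484 advises."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(endpoint, query):
    """RFC 8484 GET form: unpadded base64url in the `dns` parameter."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()


def parse_header(message):
    """Return (rcode, answer_count) from the 12-byte DNS header."""
    if len(message) < 12:
        raise ValueError("truncated DNS message")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return flags & 0x000F, ancount


def timed_lookup(endpoint, name, timeout=5.0):
    """One DoH round trip in milliseconds, plus the DNS response code.

    urllib opens a new TLS connection per request, so each sample includes
    the handshake and reads higher than a client that reuses its connection.
    """
    req = urllib.request.Request(doh_get_url(endpoint, build_query(name)),
                                 headers={"Accept": "application/dns-message"})
    start = time.perf_counter()
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read()
    elapsed_ms = (time.perf_counter() - start) * 1000
    rcode, _ = parse_header(body)
    return elapsed_ms, rcode


def summarize(samples):
    """Average only successful answers (rcode 0); NXDOMAIN and errors are counted apart,
    because a fast NXDOMAIN would otherwise flatter the resolver's average."""
    ok = [ms for ms, rcode in samples if rcode == 0]
    return {"avg_ms": round(statistics.mean(ok), 1) if ok else None,
            "ok": len(ok), "failed": len(samples) - len(ok)}


if __name__ == "__main__":
    # Usage: python doh_bench.py <DoH endpoint URL>
    endpoint = sys.argv[1]
    domains = ["example.com", "example.org", "example.net"]  # constructed test set
    samples = [timed_lookup(endpoint, d) for d in domains for _ in range(5)]
    print(summarize(samples))
```

Queries sent to a configuration-specific endpoint count toward that configuration's monthly query total, so keep the round count modest on a free plan.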
Custom Filtering and Blocklists
The core strength of NextDNS is its filtering engine. When a device sends a DNS query through NextDNS, the service checks the domain against every active blocklist before resolving it. If the domain matches a blocklist entry, NextDNS returns a block response instead of the real IP address. The connection never reaches the blocked domain, which means ads do not load, trackers do not phone home, and malware domains cannot serve content.
NextDNS supports over 70 third-party blocklists that you can enable individually. These include well-maintained lists like Steven Black's Unified Hosts, OAD (Oisd), Peter Lowe's Ad and Tracking Server List, and numerous language-specific and regional lists. You can browse and enable lists from the Security tab in your NextDNS dashboard, and each list shows a description of what it targets.
Beyond third-party lists, you can add custom domain entries. The Deny List lets you block specific domains by typing them in one at a time or pasting a bulk list. The Allow List works in reverse — if a domain is blocked by an active list but you want to permit it, adding it to the Allow List overrides the block. This two-layer system means you do not have to disable an entire blocklist just to unblock one domain.
NextDNS also includes a Parental Control section that blocks adult content, malware, and phishing domains using its own curated lists. You can enable these categories with a single toggle without needing to find and manage third-party lists manually. For families, this provides a reasonable baseline of protection that works across every device on the network.
The filtering works identically across all DNS protocols. Whether your device queries NextDNS over standard DNS, DoH, DoT, or DoQ, the same blocklists apply. There is no performance difference between protocols from a filtering perspective — the protocol choice affects encryption and transport efficiency, not the filtering logic.
Analytics Dashboard
NextDNS provides a real-time analytics dashboard that shows every DNS query your devices make. The dashboard displays total queries, blocked queries, allowed queries, and a breakdown by device. You can see which domains are generating the most traffic, which blocklists are catching the most requests, and which devices are making the most queries.
The dashboard is organized into several views. The main overview shows query volume over time with a bar chart that breaks down allowed versus blocked queries. The Security view highlights domains flagged by security lists. The Privacy view shows tracker and ad domains that were blocked. The Parental view shows domains blocked by content category. Each view lets you drill down into individual domains to see which blocklist caught them and which devices queried them.
Per-device tracking is one of the most useful features. When you set up NextDNS with individual device configurations, the dashboard shows separate analytics for each device. You can see that your phone makes 800 queries per day, your laptop makes 2,000, and your smart TV makes 400. If one device starts generating unusual query patterns, the dashboard makes it immediately visible.
Data retention depends on your plan. The free tier keeps 24 hours of query logs. The paid plans retain data for up to 30 days. If you prefer not to have any logs at all, you can disable logging entirely in the settings. With logging disabled, the dashboard still shows aggregate statistics (total queries, blocked percentage) but does not store individual query records. The choice between logging and no logging is a tradeoff between visibility and privacy that you control completely.
Allowlists and Blocklists Management
Effective DNS filtering requires both lists that block unwanted content and the ability to override those blocks when legitimate domains get caught. NextDNS handles this with a clear separation between deny lists and allow lists.
The Deny List is where you add domains you want to block unconditionally. If you add ads.example.com to the Deny List, every device linked to that configuration will have queries for that domain blocked regardless of which third-party lists are active. You can add domains manually, paste a list separated by newlines, or import from a URL that hosts a plain-text domain list.
The Allow List overrides blocks from any source. If Steven Black's Unified Hosts list blocks cdn.example.com because it is shared with an ad-serving domain, but you need that CDN to load a website you use, adding it to the Allow List permits it. The Allow List takes priority over every other list, including third-party lists, custom deny entries, and parental controls.
This priority chain — Allow List overrides everything, Deny List overrides third-party lists, third-party lists provide the base filtering — gives you precise control without requiring you to manage individual list memberships. For most users, the workflow is: enable a few third-party lists, add custom deny entries for specific domains you want blocked, and use the Allow List to fix false positives as they come up.
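The priority chain above, combined with the trie-based matching mentioned in the speed section, as an added Python example. It is not NextDNS's code: the list contents are constructed, and treating an entry as covering its subdomains is an assumption.

```python
ALLOW, DENY = "Allow List", "Deny List"
STEVEN_BLACK = "Steven Black's Unified Hosts"
PETER_LOWE = "Peter Lowe's Ad and Tracking Server List"


class Node:
    __slots__ = ("children", "sources")

    def __init__(self):
        self.children = {}    # next label -> Node
        self.sources = set()  # names of the lists that contain this exact domain


class DomainTrie:
    """One trie shared by every list; labels are stored right to left (com -> example -> ads)."""

    def __init__(self):
        self.root = Node()

    @staticmethod
    def _labels(domain):
        return reversed(domain.lower().rstrip(".").split("."))

    def add(self, domain, source):
        node = self.root
        for label in self._labels(domain):
            node = node.children.setdefault(label, Node())
        node.sources.add(source)

    def match(self, domain):
        """Lists with an entry equal to `domain` or to one of its parent domains.

        A single walk collects hits from all lists, so the cost depends on the
        number of labels in the name, not on how many lists are enabled.
        """
        node, hits = self.root, set()
        for label in self._labels(domain):
            node = node.children.get(label)
            if node is None:
                break
            hits |= node.sources
        return hits


def decide(trie, domain):
    """Apply the precedence: Allow List, then Deny List, then third-party lists."""
    hits = trie.match(domain)
    if ALLOW in hits:
        return "allow", [ALLOW]
    if DENY in hits:
        return "block", [DENY]
    if hits:
        return "block", sorted(hits)
    return "allow", []


def sample_trie():
    """Constructed entries mirroring the scenarios in the text."""
    trie = DomainTrie()
    trie.add("cdn.example.com", STEVEN_BLACK)      # false positive from a third-party list
    trie.add("tracker.example.net", STEVEN_BLACK)
    trie.add("tracker.example.net", PETER_LOWE)
    trie.add("ads.example.com", DENY)              # custom deny entry
    trie.add("cdn.example.com", ALLOW)             # override for the false positive
    return trie


if __name__ == "__main__":
    trie = sample_trie()
    for name in ("cdn.example.com", "ads.example.com",
                 "a.tracker.example.net", "xtracker.example.net"):
        print(name, decide(trie, name))
```

Matching is done label by label, so `xtracker.example.net` does not match the `tracker.example.net` entry even though one string ends with the other.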
NextDNS also provides temporary allow and deny options. You can block or allow a domain for a specific duration (1 hour, 24 hours, 7 days, 30 days, or permanently) directly from the query log. This is useful for troubleshooting — if a website stops working, you can temporarily allow its domain, verify that was the issue, and then decide whether to make the change permanent or find a more specific domain to unblock.
DoH, DoT, and DoQ Support
NextDNS supports every major encrypted DNS protocol. This means you can protect your DNS queries from ISP surveillance, network-level filtering, and DNS hijacking regardless of which device or browser you use.
DNS-over-HTTPS (DoH)
NextDNS's DoH endpoint is https://firefox.dns.nextdns.io for Firefox and https://dns.nextdns.io for other clients. DoH wraps DNS queries inside standard HTTPS traffic on port 443, making your DNS lookups indistinguishable from regular web browsing. Most modern browsers support DoH natively, and NextDNS provides step-by-step setup instructions for Chrome, Firefox, Edge, and Safari.
DNS-over-TLS (DoT)
NextDNS's DoT hostname is dns.nextdns.io, which runs on port 853. DoT encrypts DNS queries using TLS but uses a dedicated port, making it easier for network administrators to identify and manage. On Android, you can enable DoT system-wide through the Private DNS settings by entering your NextDNS configuration ID as the provider hostname.
DNS-over-QUIC (DoQ)
DoQ uses the QUIC transport protocol, which combines the TLS handshake and transport connection into a single round trip. This eliminates the connection setup overhead that DoT and DoH incur, resulting in lower latency for the first query and better performance on unreliable networks. NextDNS supports DoQ natively, and Android 14 and later include built-in DoQ support.
| Protocol | Endpoint | Port | Encryption | Best For |
|---|---|---|---|---|
| DoH | https://dns.nextdns.io | 443 | TLS 1.3 | Browsers, restrictive networks |
| DoT | dns.nextdns.io | 853 | TLS 1.3 | Android system-wide |
| DoQ | dns.nextdns.io | 853 | QUIC + TLS 1.3 | Lowest latency, mobile |
| Standard | 45.90.28.0 / 45.90.30.0 | 53 | None | Legacy devices, compatibility |
NextDNS also supports a unique feature: per-device configuration IDs. Each device or group of devices can have its own NextDNS configuration with different blocklist settings, logging preferences, and analytics. When you set up DoH or DoT, you include your configuration ID in the endpoint URL, which routes your queries through your specific settings. This is how NextDNS achieves per-device filtering without requiring a client application on every device.
Setup Guide for All Platforms
Setting up NextDNS requires two steps: creating a configuration in the NextDNS dashboard, and pointing your device's DNS settings to your configuration. The dashboard gives you all the information you need, including specific endpoints for every protocol and platform.
Step 1: Create a Configuration
Go to my.nextdns.io and create a free account. Click New Configuration, give it a name, and you will see a dashboard with all your settings. The Setup tab shows your unique configuration ID and the endpoints for every protocol. Copy the values you need for your devices.
Windows 11
Open Settings, go to Network & Internet, select your active connection, and click Properties. Find DNS server assignment and click Edit. Choose Manual, enable IPv4, and enter the NextDNS IP addresses shown in your dashboard (typically 45.90.28.0 and 45.90.30.0). For encrypted DNS, select Encrypted only (DNS over HTTPS) from the dropdown and choose Enter manual resolver addresses, then paste your DoH endpoint from the dashboard.
macOS
Open System Settings, go to Network, select your connection, and click Details. Go to the DNS tab, click the plus button, and add the NextDNS IP addresses from your dashboard. For DoH on macOS Ventura and later, the system supports it natively — add your DoH URL in the DNS settings. Alternatively, configure DoH in your browser for per-browser protection.
Android
Go to Settings, then Network & Internet, then Private DNS. Select Private DNS provider hostname and enter your NextDNS DoT hostname from the Setup tab (format: dns.nextdns.io with your configuration ID). This enables encrypted DNS system-wide. For DoH specifically, install the NextDNS app from Google Play, which handles setup automatically and provides additional features like per-app DNS settings.
iOS
Install the NextDNS app from the App Store. The app configures DNS-over-HTTPS system-wide with a local VPN profile that routes only DNS traffic. Alternatively, you can install a configuration profile from the NextDNS Setup tab, which configures DoH without the app. For individual browsers, configure DoH in Safari or Chrome settings using your NextDNS DoH endpoint.
Linux (systemd-resolved)
Edit /etc/systemd/resolved.conf and set DNS=45.90.28.0 and FallbackDNS=45.90.30.0 under the [Resolve] section. For DoT, set DNSOverTLS=yes and add your DoH URL. Restart with sudo systemctl restart systemd-resolved. On distributions without systemd-resolved, edit /etc/resolv.conf and replace existing nameserver entries with the NextDNS IP addresses.
Routers
Log in to your router's admin interface, find the DNS settings under WAN or DHCP, and enter the NextDNS IP addresses. This applies NextDNS to every device on the network, but you lose per-device analytics since all traffic appears from one source. For full functionality, use NextDNS CLI on compatible routers or configure DNS-over-HTTPS on OpenWrt, FreshTomato, or Merlin firmware.
Browsers (DoH)
In Chrome, go to Settings, Privacy and Security, Security, and under Advanced find Use secure DNS. Toggle it on, select Custom, and enter https://dns.nextdns.io with your configuration ID. In Firefox, go to Settings, Privacy & Security, DNS over HTTPS, select Max Protection, and enter your NextDNS DoH URL as a custom provider. Edge and Brave follow the same pattern as Chrome.
Free Tier and Paid Plans
NextDNS offers a generous free tier that covers most individual users. The free plan includes 300,000 DNS queries per month, access to all blocklists, the full analytics dashboard, support for all encrypted DNS protocols, and unlimited device configurations. There is no time limit on the free tier — you can use it indefinitely as long as you stay within the query limit.
For context, a typical household generates roughly 50,000 to 100,000 DNS queries per month depending on the number of devices and browsing habits. A single smartphone browsing the web and running apps generates around 1,000-3,000 queries per day. The 300,000 monthly limit comfortably covers two to three people browsing normally, and often more if ad blocking reduces the number of tracker queries.
| Feature | Free | Pro ($1.99/mo) | Family ($3.99/mo) |
|---|---|---|---|
| Monthly Queries | 300,000 | Unlimited | Unlimited |
| Devices | Unlimited | Unlimited | Unlimited |
| Blocklists | All 70+ | All 70+ | All 70+ |
| Analytics | 24 hours | 30 days | 30 days |
| Encrypted DNS | DoH, DoT, DoQ | DoH, DoT, DoQ | DoH, DoT, DoQ |
| Per-Device Profiles | Yes | Yes | Yes |
| Parental Controls | Basic | Basic | Enhanced |
The Pro plan at $1.99 per month removes the query cap and extends analytics retention to 30 days. For families or power users who exceed 300,000 queries regularly, this is a low-cost upgrade. The Family plan at $3.99 per month adds enhanced parental controls, including safe search enforcement on Google, YouTube, and Bing, plus more granular content category blocking.
When you exceed the free tier limit, NextDNS does not shut off your service abruptly. Instead, it starts returning NXDOMAIN (domain not found) responses for new queries until the monthly reset. Your existing configuration and settings are preserved — you just stop getting resolved responses. This means websites will stop loading on devices using NextDNS until either the month resets or you upgrade.
NextDNS vs AdGuard DNS
NextDNS and AdGuard DNS are the two most popular customizable DNS filtering services. Both offer ad blocking, tracker blocking, malware protection, and encrypted DNS. The differences come down to control, analytics, pricing, and ecosystem integration.
Customization and Control
NextDNS gives you more granular control over individual blocklists. You can enable or disable over 70 third-party lists independently, add custom deny and allow entries, and set per-device rules. AdGuard DNS uses its own curated blocklists (AdGuard Default, AdGuard Mobile, AdGuard Family) and while you can enable or disable them, you cannot mix and match third-party lists the way NextDNS allows. If you want to fine-tune exactly which domains are blocked and which are not, NextDNS is the better choice.
Analytics and Visibility
NextDNS's analytics dashboard is more detailed than AdGuard DNS's. NextDNS shows per-device query breakdowns, per-list hit counts, real-time query logs, and historical trends. AdGuard DNS provides basic statistics on total and blocked queries but lacks the per-device and per-list granularity. For users who want to understand their DNS traffic patterns, NextDNS provides significantly more visibility.
Speed
In our benchmarks, NextDNS and AdGuard DNS perform similarly. NextDNS averaged 10-26 milliseconds across global test locations, while AdGuard DNS averaged 12-32 milliseconds. The difference is small and consistent enough that neither service has a meaningful speed advantage. Both are slower than Cloudflare 1.1.1.1 due to the filtering overhead, but the difference is not perceptible in daily use.
Pricing
NextDNS offers a free tier with 300,000 queries per month and a Pro plan at $1.99 per month for unlimited queries. AdGuard DNS offers a free tier with no query limit but limited to two devices, and paid plans starting at $2.49 per month for unlimited devices. For single users, NextDNS free is more generous. For families with many devices, AdGuard's free tier is limited by device count while NextDNS is limited by query volume.
Ecosystem
AdGuard has a broader software ecosystem, including AdGuard VPN, AdGuard Ad Blocker (browser extension and system-level app), and AdGuard Browser Assistant. If you already use AdGuard products, their DNS service integrates smoothly. NextDNS focuses exclusively on DNS and does not have a VPN or browser extension, but it works well alongside any existing security setup.
The choice between NextDNS and AdGuard DNS depends on what you prioritize. Choose NextDNS if you want maximum control over blocklists, detailed analytics, and per-device configuration. Choose AdGuard DNS if you want a simpler setup that works out of the box and you already use other AdGuard products. Both are solid choices that provide real privacy and ad-blocking benefits over standard public resolvers.
Frequently Asked Questions
Is NextDNS faster than Cloudflare 1.1.1.1?
In raw resolution speed, Cloudflare 1.1.1.1 typically responds 1-3 milliseconds faster than NextDNS in most regions because Cloudflare runs a larger anycast network. However, NextDNS still responds in 10-20 milliseconds on average across global benchmarks, which is well within the range where users cannot perceive a difference in browsing speed. For practical purposes, both resolvers are fast enough that the choice between them should come down to features rather than speed.
Does NextDNS log my DNS queries?
NextDNS collects query logs by default to power its analytics dashboard, but this is optional. You can disable logging entirely in your configuration profile settings. When logging is enabled, NextDNS retains data for up to 24 hours on the free plan and up to 30 days on paid plans. The company publishes a transparency report and has undergone independent security audits. If you disable logging, NextDNS processes your queries without storing any identifiable data.
How many queries does the NextDNS free tier allow?
The free tier allows 300,000 DNS queries per month across all devices linked to your configuration. This is enough for most individual users — a typical household generates roughly 50,000-100,000 queries per month. If you exceed the limit, NextDNS starts returning NXDOMAIN responses for new queries until the monthly reset. Paid plans remove this cap entirely.
Can I use NextDNS on my router?
Yes, but the method depends on your router firmware. Most routers support manual DNS configuration, so you can enter NextDNS IP addresses directly. However, this loses per-device analytics since all traffic appears to come from one source. For full functionality, use NextDNS CLI on routers that support it, or configure DNS-over-HTTPS on compatible firmware like OpenWrt, FreshTomato, or Merlin.
What blocklists does NextDNS support?
NextDNS supports over 70 third-party blocklists including Steven Black's Unified Hosts, OAD, Peter Lowe's list, EasyList, EasyPrivacy, and numerous regional and language-specific lists. You can enable or disable individual lists from the dashboard and add custom domain entries for blocking or allowing specific domains.
What is the difference between NextDNS and AdGuard DNS?
NextDNS and AdGuard DNS both offer customizable ad blocking and privacy features, but they differ in implementation. NextDNS is a cloud-based resolver with a web dashboard, per-device profiles, and a free tier of 300k queries. AdGuard DNS is also cloud-based but focuses more on its own curated blocklists and offers a dedicated app ecosystem. NextDNS gives you more granular control over individual blocklists, logging settings, and per-device rules. AdGuard DNS tends to work better out of the box with less configuration.
Does NextDNS support DNS-over-QUIC?
Yes. NextDNS supports DoH, DoT, and DoQ (DNS-over-QUIC). DoQ provides the lowest latency because it combines the TLS handshake and transport connection into a single round trip using the QUIC protocol. You can find the full list of endpoints in your NextDNS configuration dashboard under the Setup tab.
Does changing DNS improve internet speed?
Changing DNS does not increase your bandwidth — it reduces the time your device spends waiting for domain name resolution before it can start loading a page. The improvement is typically 20-100 milliseconds per connection, which adds up across the dozens of DNS lookups a modern webpage triggers. Users switching from a slow ISP DNS resolver to NextDNS or Cloudflare often notice that browsing feels snappier, especially on content-heavy sites.