FlooydDNS+ Setup guide

Follow the instructions below to set up FlooydDNS+ on your device, browser or router.


Android

Private DNS (Android 9 or higher)

  1. Go to Settings → Network and internet → Advanced → Private DNS.

  2. Select the Private DNS provider hostname option.

  3. Enter 37b96c.dns.nextdns.io and tap Save.


iOS

Configuration profile (iOS 14 or higher)

  1. Select FlooydDNS+ or FlooydDNS+ Kids


Windows

DNS over HTTPS for Windows 11

  1. Open the Settings app.

  2. Go to Network & internet.

  3. Click on Wi-Fi (or Ethernet).

  4. Click on Hardware properties, or ignore this step if you clicked on Ethernet.

  5. Click the Edit button next to DNS server assignment.

  6. Select Manual.

  7. Enable IPv4.

  8. Enter 45.90.28.0 as Preferred DNS, then select On (manual template) and enter https://dns.nextdns.io/37b96c.

  9. Enter 45.90.30.0 as Alternate DNS, then select On (manual template) and enter https://dns.nextdns.io/37b96c.

  10. Click Save.

IPv6 Support for Windows

  1. Click on the Start menu, then click on Control Panel.

  2. Click Network and Internet, then click Network and Sharing Center.

  3. Click Change adapter settings.

  4. Right-click on the Wi-Fi network you are connected to and click Properties.

  5. Select TCP/IP Protocol Version 6 (TCP/IPv6).

  6. Click on Properties.

  7. Click Use the following DNS server addresses.

  8. Replace the current addresses (if any) with 2a07:a8c0::37:b96c and 2a07:a8c1::37:b96c.

  9. Click OK, then Close. You may need to restart your browser.

IPv4 (with linked IP)

  1. Click on the Start menu, then click on Control Panel.

  2. Click Network and Internet, then click Network and Sharing Center.

  3. Click Change adapter settings.

  4. Right-click on the Wi-Fi network you are connected to and click Properties.

  5. Select TCP/IP Protocol Version 4 (TCP/IPv4).

  6. Click on Properties.

  7. Click Use the following DNS server addresses.

  8. Replace the current addresses (if any) with 45.90.28.139 and 45.90.30.139.

  9. Click OK, then Close. You may need to restart your browser.


macOS

Configuration profile (macOS Big Sur or higher)

  1. Select FlooydDNS+ or FlooydDNS+ Kids

IPv6 Support for macOS

  1. Open System Preferences and click on Network.

  2. Select the network you are connected to and click on the Advanced button.

  3. Go to the DNS section.

  4. In the list of DNS servers, remove all addresses (if any) and add 2a07:a8c0::37:b96c and 2a07:a8c1::37:b96c.

  5. Click OK and then Apply.

IPv4 (with linked IP)

  1. Open System Preferences and click on Network.

  2. Select the network you are connected to and click on the Advanced button.

  3. Go to the DNS section.

  4. In the list of DNS servers, remove all addresses (if any) and add 45.90.28.139 and 45.90.30.139.

  5. Click OK and then Apply.


Linux

systemd-resolved

Use the following in /etc/systemd/resolved.conf

[Resolve]
DNS=45.90.28.0#37b96c.dns.nextdns.io
DNS=2a07:a8c0::#37b96c.dns.nextdns.io
DNS=45.90.30.0#37b96c.dns.nextdns.io
DNS=2a07:a8c1::#37b96c.dns.nextdns.io
DNSOverTLS=yes

or IPv6 Support for Linux

Change your DNS servers to 2a07:a8c0::37:b96c and 2a07:a8c1::37:b96c.

or IPv4 (with linked IP)

Change your DNS servers to 45.90.28.139 and 45.90.30.139.

or dnsmasq

Use the following in dnsmasq.conf

no-resolv
bogus-priv
strict-order
server=2a07:a8c1::
server=45.90.30.0
server=2a07:a8c0::
server=45.90.28.0
add-cpe-id=37b96c

or Stubby

Use the following in stubby.yml

round_robin_upstreams: 1
upstream_recursive_servers:
  - address_data: 45.90.28.0
    tls_auth_name: "37b96c.dns.nextdns.io"
  - address_data: 2a07:a8c0::0
    tls_auth_name: "37b96c.dns.nextdns.io"
  - address_data: 45.90.30.0
    tls_auth_name: "37b96c.dns.nextdns.io"
  - address_data: 2a07:a8c1::0
    tls_auth_name: "37b96c.dns.nextdns.io"

⚠️ Make sure that Stubby is linked to OpenSSL 1.1.1 or higher, as earlier versions will not work with FlooydDNS+.

or DNSCrypt

Use the following in dnscrypt-proxy.toml

server_names = ['NextDNS-37b96c']

[static]
  [static.'NextDNS-37b96c']
  stamp = 'sdns://AgEAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8HLzM3Yjk2Yw'

or Knot Resolver

Use the following in /etc/kresd/custom.conf

policy.add(policy.all(policy.TLS_FORWARD({
  {'45.90.28.0', hostname='37b96c.dns.nextdns.io'},
  {'2a07:a8c0::', hostname='37b96c.dns.nextdns.io'},
  {'45.90.30.0', hostname='37b96c.dns.nextdns.io'},
  {'2a07:a8c1::', hostname='37b96c.dns.nextdns.io'}
})))

or cloudflared

Use the following in /usr/local/etc/cloudflared/config.yml

proxy-dns: true
proxy-dns-upstream:
 - https://dns.nextdns.io/37b96c

or Unbound

Use the following in unbound.conf

forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#37b96c.dns.nextdns.io
  forward-addr: 2a07:a8c0::#37b96c.dns.nextdns.io
  forward-addr: 45.90.30.0#37b96c.dns.nextdns.io
  forward-addr: 2a07:a8c1::#37b96c.dns.nextdns.io

⚠️ As a recursive resolver, Unbound looks for CNAMEs. This can result in unexpected behavior when used in conjunction with a blocking DNS resolver like FlooydDNS+. See https://github.com/NLnetLabs/unbound/issues/132


Chrome OS

Secure DNS

  1. Open the Settings app.

  2. Go to Security and Privacy.

  3. Enable Use secure DNS.

  4. Select With: Custom, then enter https://dns.nextdns.io/37b96c.

IPv6 Support for Chrome OS

Change your DNS servers to 2a07:a8c0::37:b96c and 2a07:a8c1::37:b96c.

IPv4 (with linked IP)

Change your DNS servers to 45.90.28.139 and 45.90.30.139.


Browsers

Google Chrome

  1. Go to Settings.

  2. In the Privacy and security section, click Security.

  3. In the Advanced section, enable Use secure DNS.

  4. Select With: Custom and enter https://dns.nextdns.io/37b96c.

Firefox

  1. Open Preferences.

  2. Scroll down to the Network Settings section and click Settings.

  3. Scroll down and check Enable DNS over HTTPS.

  4. Select Custom, enter https://dns.nextdns.io/37b96c and click OK.

  5. Enter "about:config" in the address bar (and click I accept the risk! if prompted).

  6. Set network.trr.mode to 3.

Microsoft Edge

  1. Open Settings.

  2. Go to the Privacy, search, and services section.

  3. Under Security, enable Use secure DNS to specify how to look up the network address of websites.

  4. Select Choose a service provider, then enter https://dns.nextdns.io/37b96c.

Brave

  1. Open Settings.

  2. In the Privacy and security section (under Additional settings), go to Security.

  3. In the Advanced section, turn on Use secure DNS.

  4. Select With: Custom and enter https://dns.nextdns.io/37b96c.


Routers

IPv6 Support for Routers

  1. Open your router's preferences. You can usually access them from your browser via a URL (such as http://192.168.0.1/ or http://192.168.1.1/).

  2. Locate the DNS settings within the interface.

  3. Remove all addresses (if any) and add 2a07:a8c0::37:b96c and 2a07:a8c1::37:b96c.

  4. Click Save (or similar).

⚠️ Some routers may not support the IPv6 notation above. In this case, use 2a07:a8c0:0000:0000:0000:0000:0037:b96c and 2a07:a8c1:0000:0000:0000:0000:0037:b96c.

IPv4 (with linked IP)

  1. Open your router's preferences. You can usually access them from your browser via a URL (such as http://192.168.0.1/ or http://192.168.1.1/).

  2. Locate the DNS settings within the interface.

  3. Remove all addresses (if any) and add 45.90.28.139 and 45.90.30.139.

  4. Click Save (or similar).

dnsmasq

Use the following in dnsmasq.conf

no-resolv
bogus-priv
strict-order
server=2a07:a8c1::
server=45.90.30.0
server=2a07:a8c0::
server=45.90.28.0
add-cpe-id=37b96c

Stubby

Use the following in stubby.yml

round_robin_upstreams: 1
upstream_recursive_servers:
  - address_data: 45.90.28.0
    tls_auth_name: "37b96c.dns.nextdns.io"
  - address_data: 2a07:a8c0::0
    tls_auth_name: "37b96c.dns.nextdns.io"
  - address_data: 45.90.30.0
    tls_auth_name: "37b96c.dns.nextdns.io"
  - address_data: 2a07:a8c1::0
    tls_auth_name: "37b96c.dns.nextdns.io"

⚠️ Make sure that Stubby is linked to OpenSSL 1.1.1 or higher, as earlier versions will not work with FlooydDNS+.

pfSense

  1. Go to Services → DNS resolver and on the General settings tab scroll down to the Custom options box.

  2. Enter the following lines

server:
  forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 45.90.28.0#37b96c.dns.nextdns.io
    forward-addr: 2a07:a8c0::#37b96c.dns.nextdns.io
    forward-addr: 45.90.30.0#37b96c.dns.nextdns.io
    forward-addr: 2a07:a8c1::#37b96c.dns.nextdns.io

DNSCrypt

Use the following in dnscrypt-proxy.toml

server_names = ['NextDNS-37b96c']

[static]
  [static.'NextDNS-37b96c']
  stamp = 'sdns://AgEAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8HLzM3Yjk2Yw'
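
The sdns:// stamp in the two DNSCrypt snippets (Linux and Routers) is an opaque base64 string, so it is worth decoding before trusting it. The following is an added example, not part of the original guide or of dnscrypt-proxy: a small decoder for DoH stamps, following the public DNS Stamps field layout, that shows which server the stamp points to. The function and constant names are illustrative.

```python
import base64
import struct

# Stamp copied from the dnscrypt-proxy.toml snippet on this page.
PAGE_STAMP = "sdns://AgEAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8HLzM3Yjk2Yw"
PROP_FLAGS = {1: "dnssec", 2: "no_logs", 4: "no_filter"}


def _read_fields(buf, pos, allow_many):
    """Read length-prefixed field(s) starting at pos.

    A plain field is one length byte plus payload. In a set (allow_many),
    bit 0x80 of the length byte signals that another field follows.
    """
    fields = []
    while True:
        if pos >= len(buf):
            raise ValueError("truncated stamp")
        more = allow_many and bool(buf[pos] & 0x80)
        size = buf[pos] & 0x7F if allow_many else buf[pos]
        end = pos + 1 + size
        if end > len(buf):
            raise ValueError("field runs past end of stamp")
        fields.append(buf[pos + 1:end])
        pos = end
        if not more:
            return fields, pos


def decode_doh_stamp(stamp):
    """Return the server properties and DoH URL encoded in an sdns:// stamp."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if len(raw) < 9 or raw[0] != 0x02:
        raise ValueError("not a DoH (protocol 0x02) stamp")
    (props,) = struct.unpack_from("<Q", raw, 1)  # 64-bit little-endian flags
    (addr,), pos = _read_fields(raw, 9, allow_many=False)
    hashes, pos = _read_fields(raw, pos, allow_many=True)
    (host,), pos = _read_fields(raw, pos, allow_many=False)
    (path,), pos = _read_fields(raw, pos, allow_many=False)
    return {
        "props": sorted(n for bit, n in PROP_FLAGS.items() if props & bit),
        "addr": addr.decode(),  # empty: the client resolves the host name
        "cert_hashes": [h.hex() for h in hashes if h],  # empty: no pinning
        "url": "https://" + host.decode() + path.decode(),
    }
```

Decoding the page's stamp yields the same DoH URL that the browser sections use, which confirms the stamp and the URL refer to the same profile.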

Knot Resolver

Use the following in /etc/kresd/custom.conf

policy.add(policy.all(policy.TLS_FORWARD({
  {'45.90.28.0', hostname='37b96c.dns.nextdns.io'},
  {'2a07:a8c0::', hostname='37b96c.dns.nextdns.io'},
  {'45.90.30.0', hostname='37b96c.dns.nextdns.io'},
  {'2a07:a8c1::', hostname='37b96c.dns.nextdns.io'}
})))

Unbound

Use the following in unbound.conf

forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#37b96c.dns.nextdns.io
  forward-addr: 2a07:a8c0::#37b96c.dns.nextdns.io
  forward-addr: 45.90.30.0#37b96c.dns.nextdns.io
  forward-addr: 2a07:a8c1::#37b96c.dns.nextdns.io

⚠️ As a recursive resolver, Unbound looks for CNAMEs. This can result in unexpected behavior when used in conjunction with a blocking DNS resolver like FlooydDNS+. See https://github.com/NLnetLabs/unbound/issues/132

MikroTik

Run the following

/tool fetch url=https://curl.se/ca/cacert.pem
/certificate import file-name=cacert.pem
/ip dns set servers=""
/ip dns static add name=dns.nextdns.io address=45.90.28.0 type=A
/ip dns static add name=dns.nextdns.io address=45.90.30.0 type=A
/ip dns static add name=dns.nextdns.io address=2a07:a8c0:: type=AAAA
/ip dns static add name=dns.nextdns.io address=2a07:a8c1:: type=AAAA
/ip dns set use-doh-server="https://dns.nextdns.io/37b96c" verify-doh-cert=yes

Use FlooydDNS+ as a global nameserver

On Tailscale, use FlooydDNS+ as a global nameserver to route DNS queries from all devices on your tailnet to NextDNS.

To add FlooydDNS+ as a global nameserver:

  1. Open the DNS page of the admin console.

  2. Go to Nameservers, then select NextDNS from the Add nameserver drop-down list.

  3. Enter 2a07:a8c0::37:b96c and 2a07:a8c1::37:b96c for your NextDNS profile. These addresses are available in the Endpoints section of the setup tab of the NextDNS web console.

  4. Click Save. The NextDNS profile is saved as a global nameserver for your profile ID. Adding one NextDNS IPv6 address automatically adds all IPv6 addresses for that profile.

  5. Select Override local DNS to force devices to use NextDNS as a global nameserver instead of what is locally configured on each device.
