# FlooydDNS+ Setup guide

<div align="left"><figure><img src="https://3209585786-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuoUddEfTziH0ttFC1bit%2Fuploads%2Fm8BxrSodmrjHI2ex8lzB%2FDNS.png?alt=media&#x26;token=67ae376d-7957-45f6-9739-971f12a501cc" alt=""><figcaption></figcaption></figure></div>

***

### Android

**Private DNS Android 9 or higher**

1. Go to Settings → Network and internet → Advanced → Private DNS.
2. Select the Private DNS provider hostname option.
3. Enter 37b96c.dns.nextdns.io and tap Save.

***

### iOS

**Configuration profile iOS 14 or higher**

1. Use <https://apple.nextdns.io/?profile=37b96c>
2. Select FlooydDNS+ or FlooydDNS+ Kids

***

### Windows

**DNS over HTTPS for Windows 11**

1. Open the Settings app.
2. Go to Network & internet.
3. Click on Wi-Fi (or Ethernet).
4. Click on Hardware properties, or ignore this step if you clicked on Ethernet.
5. Click the Edit button next to DNS server assignment.
6. Select Manual.
7. Enable IPv4.
8. Enter 45.90.28.139 as Preferred DNS, then select On (manual template) and enter <https://dns.nextdns.io/37b96c>.
9. Enter 45.90.30.139 as Alternate DNS, then select On (manual template) and enter <https://dns.nextdns.io/37b96c>.
10. Click Save.

**IPv6 Support for Windows**

1. Click on the Start menu, then click on Control Panel.
2. Click Network and Internet, then click Network and Sharing Center.
3. Click Change adapter settings.
4. Right-click on the Wi-Fi network you are connected to and click Properties.
5. Select TCP/IP Protocol Version 6 (TCP/IPv6).
6. Click on Properties.
7. Click Use the following DNS server addresses.
8. Replace the current addresses (if any) with 2a07:a8c0::37:b96c and 2a07:a8c1::37:b96c.
9. Click OK, then Close. You may need to restart your browser.

**IPv4 (with linked IP)**

1. Click on the Start menu, then click on Control Panel.
2. Click Network and Internet, then click Network and Sharing Center.
3. Click Change adapter settings.
4. Right-click on the Wi-Fi network you are connected to and click Properties.
5. Select TCP/IP Protocol Version 4 (TCP/IPv4).
6. Click on Properties.
7. Click Use the following DNS server addresses.
8. Replace the current addresses (if any) with 45.90.28.139 and 45.90.30.139.
9. Click OK, then Close. You may need to restart your browser.

***

### macOS

**Configuration profile macOS Big Sur or higher**

1. Use <https://apple.nextdns.io/?profile=37b96c>
2. Select FlooydDNS+ or FlooydDNS+ Kids

**IPv6 Support for macOS**

1. Open System Preferences and click on Network.
2. Select the network you are connected to and click on the Advanced button.
3. Go to the DNS section.
4. In the list of DNS servers, remove all addresses (if any) and add 2a07:a8c0::37:b96c and 2a07:a8c1::37:b96c.
5. Click OK and then Apply.

**IPv4 (with linked IP)**

1. Open System Preferences and click on Network.
2. Select the network you are connected to and click on the Advanced button.
3. Go to the DNS section.
4. In the list of DNS servers, remove all addresses (if any) and add 45.90.28.139 and 45.90.30.139.
5. Click OK and then Apply.

***

### Linux

**systemd-resolved**

Use the following in /etc/systemd/resolved.conf

```
[Resolve]
DNS=45.90.28.139#37b96c.dns.nextdns.io
DNS=2a07:a8c0::#37b96c.dns.nextdns.io
DNS=45.90.30.139#37b96c.dns.nextdns.io
DNS=2a07:a8c1::#37b96c.dns.nextdns.io
DNSOverTLS=yes
```

**or IPv6 Support for Linux**

Change your DNS servers to 2a07:a8c0::37:b96c and 2a07:a8c1::37:b96c.

**or IPv4 (with linked IP)**

Change your DNS servers to 45.90.28.139 and 45.90.30.139.

**or dnsmasq**

Use the following in dnsmasq.conf

```
no-resolv
bogus-priv
strict-order
server=2a07:a8c1::
server=45.90.30.139
server=2a07:a8c0::
server=45.90.28.139
add-cpe-id=37b96c
```

**or Stubby**

Use the following in stubby.yml

```
round_robin_upstreams: 1
upstream_recursive_servers:
  - address_data: 45.90.28.139
    tls_auth_name: "37b96c.dns.nextdns.io"
  - address_data: 2a07:a8c0::0
    tls_auth_name: "37b96c.dns.nextdns.io"
  - address_data: 45.90.30.139
    tls_auth_name: "37b96c.dns.nextdns.io"
  - address_data: 2a07:a8c1::0
    tls_auth_name: "37b96c.dns.nextdns.io"
```

:warning: Make sure that Stubby is linked to OpenSSL 1.1.1 or higher, as earlier versions will not work with FlooydDNS+.

**or DNSCrypt**

Use the following in dnscrypt-proxy.toml

```
server_names = ['NextDNS-37b96c']

[static]
  [static.'NextDNS-37b96c']
  stamp = 'sdns://AgEAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8HLzM3Yjk2Yw'
```

**or Knot Resolver**

Use the following in /etc/kresd/custom.conf

```
policy.add(policy.all(policy.TLS_FORWARD({
  {'45.90.28.139', hostname='37b96c.dns.nextdns.io'},
  {'2a07:a8c0::', hostname='37b96c.dns.nextdns.io'},
  {'45.90.30.139', hostname='37b96c.dns.nextdns.io'},
  {'2a07:a8c1::', hostname='37b96c.dns.nextdns.io'}
})))
```

**or cloudflared**

Use the following in /usr/local/etc/cloudflared/config.yml

```
proxy-dns: true
proxy-dns-upstream:
 - https://dns.nextdns.io/37b96c
```

**or Unbound**

Use the following in unbound.conf

```
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.139#37b96c.dns.nextdns.io
  forward-addr: 2a07:a8c0::#37b96c.dns.nextdns.io
  forward-addr: 45.90.30.139#37b96c.dns.nextdns.io
  forward-addr: 2a07:a8c1::#37b96c.dns.nextdns.io
```

:warning: As a recursive resolver, Unbound looks for CNAMEs. This can result in unexpected behavior when used in conjunction with a blocking DNS resolver like FlooydDNS+. See [github.com/NLnetLabs/unbound/issues/132](https://github.com/NLnetLabs/unbound/issues/132)

***

### Chrome OS

**Secure DNS**

1. Open the Settings app.
2. Go to Security and Privacy.
3. Enable Use secure DNS.
4. Select With: Custom, then enter <https://dns.nextdns.io/37b96c>.

**IPv6 Support for Chrome OS**

Change your DNS servers to 2a07:a8c0::37:b96c and 2a07:a8c1::37:b96c.

**IPv4 (with linked IP)**

Change your DNS servers to 45.90.28.139 and 45.90.30.139.

***

### Browsers

<img src="https://my.nextdns.io/static/media/google-chrome.733603026b72e1cec95c9a01fc757533.svg" alt="" data-size="line"> **Google Chrome**

1. Go to Settings.
2. In the Privacy and security section, click Security.
3. In the Advanced section, enable Use secure DNS.
4. Select With: Custom and enter <https://dns.nextdns.io/37b96c>.

<img src="https://my.nextdns.io/static/media/firefox.0d2b9a7f6ecc571ff178edaa1499917a.svg" alt="" data-size="line"> **Firefox**

1. Open Preferences.
2. Scroll down to the Network Settings section and click Settings.
3. Scroll down and check Enable DNS over HTTPS.
4. Select Custom, enter <https://dns.nextdns.io/37b96c> and click OK.
5. Enter "about:config" in the address bar (and click I accept the risk! if prompted).
6. Set network.trr.mode to 3.

<img src="https://my.nextdns.io/static/media/edge.3c71f90f3e8da1039843610d413b207b.svg" alt="" data-size="line"> **Microsoft Edge**

1. Open Settings.
2. Go to the privacy, search and services section.
3. Under Security, enable Use secure DNS to specify how to look up the network address of websites.
4. Choose a service provider, type <https://dns.nextdns.io/37b96c>.

<img src="https://my.nextdns.io/static/media/brave.ed521304d8e517d3fa8481ded8829f65.svg" alt="" data-size="line"> **Brave**

1. Open Settings.
2. In the Privacy and security section (under Additional settings), go to Security.
3. In the Advanced section, turn on Use secure DNS.
4. Select With: Custom and enter <https://dns.nextdns.io/37b96c>.

***

### Routers

**IPv6 Support for Routers**

1. Open your router's preferences. You can usually access them from your browser via a URL (such as <http://192.168.0.1/> or <http://192.168.1.1/>).
2. Locate the DNS settings within the interface.
3. Remove all addresses (if any) and add 2a07:a8c0::37:b96c and 2a07:a8c1::37:b96c.
4. Click Save (or similar).

:warning: Some routers may not support the compressed IPv6 notation above. In this case, use the fully expanded form: 2a07:a8c0:0000:0000:0000:0000:0037:b96c and 2a07:a8c1:0000:0000:0000:0000:0037:b96c.

**IPv4 (with linked IP)**

1. Open your router's preferences. You can usually access them from your browser via a URL (such as <http://192.168.0.1/> or <http://192.168.1.1/>).
2. Locate the DNS settings within the interface.
3. Remove all addresses (if any) and add 45.90.28.139 and 45.90.30.139.
4. Click Save (or similar).

**dnsmasq**

Use the following in dnsmasq.conf

```
no-resolv
bogus-priv
strict-order
server=2a07:a8c1::
server=45.90.30.139
server=2a07:a8c0::
server=45.90.28.139
add-cpe-id=37b96c
```

**Stubby**

Use the following in stubby.yml

```
round_robin_upstreams: 1
upstream_recursive_servers:
  - address_data: 45.90.28.139
    tls_auth_name: "37b96c.dns.nextdns.io"
  - address_data: 2a07:a8c0::0
    tls_auth_name: "37b96c.dns.nextdns.io"
  - address_data: 45.90.30.139
    tls_auth_name: "37b96c.dns.nextdns.io"
  - address_data: 2a07:a8c1::0
    tls_auth_name: "37b96c.dns.nextdns.io"
```

:warning: Make sure that Stubby is linked to OpenSSL 1.1.1 or higher, as earlier versions will not work with FlooydDNS+.

**pfSense**

1. Go to Services → DNS resolver and on the General settings tab scroll down to the Custom options box.
2. Enter the following lines

```
server:
  forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 45.90.28.139#37b96c.dns.nextdns.io
    forward-addr: 2a07:a8c0::#37b96c.dns.nextdns.io
    forward-addr: 45.90.30.139#37b96c.dns.nextdns.io
    forward-addr: 2a07:a8c1::#37b96c.dns.nextdns.io
```

**DNSCrypt**

Use the following in dnscrypt-proxy.toml

```
server_names = ['NextDNS-37b96c']

[static]
  [static.'NextDNS-37b96c']
  stamp = 'sdns://AgEAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8HLzM3Yjk2Yw'
```
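The `stamp` value in the DNSCrypt snippets (here and in the Linux section) is an opaque blob, so it is worth decoding before trusting it with all of a machine's DNS traffic. The following is an added example, not part of the original guide or of dnscrypt-proxy: it assumes the DoH stamp layout from the public DNS Stamps specification, and the function names are illustrative.

```python
import base64
import struct

# Stamp copied verbatim from the dnscrypt-proxy.toml snippet on this page.
STAMP = "sdns://AgEAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8HLzM3Yjk2Yw"

def _read_lp(buf, pos, mask=0xFF):
    """Read one length-prefixed field; return (payload, next_pos, length_byte)."""
    if pos >= len(buf):
        raise ValueError("stamp truncated before length byte")
    length_byte = buf[pos]
    end = pos + 1 + (length_byte & mask)
    if end > len(buf):
        raise ValueError("stamp truncated inside field")
    return buf[pos + 1:end], end, length_byte

def _read_vlp(buf, pos):
    """Read a field list: a set high bit on a length byte means another item follows."""
    items = []
    while True:
        item, pos, length_byte = _read_lp(buf, pos, mask=0x7F)
        items.append(item)
        if not length_byte & 0x80:
            return items, pos

def decode_doh_stamp(stamp):
    """Decode a DNS-over-HTTPS (protocol 0x02) stamp into its readable fields."""
    if not stamp.startswith("sdns://"):
        raise ValueError("missing sdns:// prefix")
    b64 = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if len(raw) < 9 or raw[0] != 0x02:
        raise ValueError("not a DoH stamp")
    (props,) = struct.unpack_from("<Q", raw, 1)  # 64-bit little-endian flags
    addr, pos, _ = _read_lp(raw, 9)
    hashes, pos = _read_vlp(raw, pos)
    host, pos, _ = _read_lp(raw, pos)
    path, pos, _ = _read_lp(raw, pos)
    return {
        "dnssec": bool(props & 1),
        "no_logs": bool(props & 2),
        "no_filter": bool(props & 4),
        "addr": addr.decode(),                          # empty: resolve the hostname
        "cert_hashes": [h.hex() for h in hashes if h],  # empty: no certificate pinning
        "url": f"https://{host.decode()}{path.decode()}",
    }

if __name__ == "__main__":
    print(decode_doh_stamp(STAMP))
```

The decoded URL matches the DoH endpoint used elsewhere in this guide, and the empty `cert_hashes` list shows that the stamp relies on normal web PKI validation rather than a pinned certificate.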

**Knot Resolver**

Use the following in /etc/kresd/custom.conf

```
policy.add(policy.all(policy.TLS_FORWARD({
  {'45.90.28.139', hostname='37b96c.dns.nextdns.io'},
  {'2a07:a8c0::', hostname='37b96c.dns.nextdns.io'},
  {'45.90.30.139', hostname='37b96c.dns.nextdns.io'},
  {'2a07:a8c1::', hostname='37b96c.dns.nextdns.io'}
})))
```

**Unbound**

Use the following in unbound.conf

```
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.139#37b96c.dns.nextdns.io
  forward-addr: 2a07:a8c0::#37b96c.dns.nextdns.io
  forward-addr: 45.90.30.139#37b96c.dns.nextdns.io
  forward-addr: 2a07:a8c1::#37b96c.dns.nextdns.io
```

:warning: As a recursive resolver, Unbound looks for CNAMEs. This can result in unexpected behavior when used in conjunction with a blocking DNS resolver like FlooydDNS+. See <https://github.com/NLnetLabs/unbound/issues/132>

**MikroTik**

Run the following

```
/tool fetch url=https://curl.se/ca/cacert.pem
/certificate import file-name=cacert.pem
/ip dns set servers=""
/ip dns static add name=dns.nextdns.io address=45.90.28.139 type=A
/ip dns static add name=dns.nextdns.io address=45.90.30.139 type=A
/ip dns static add name=dns.nextdns.io address=2a07:a8c0:: type=AAAA
/ip dns static add name=dns.nextdns.io address=2a07:a8c1:: type=AAAA
/ip dns set use-doh-server="https://dns.nextdns.io/37b96c" verify-doh-cert=yes
```

![Tailscale](https://my.nextdns.io/static/media/tailscale.8054ae11bfee5defae4f9d59ec8df272.svg)

#### Use FlooydDNS+ as a global nameserver <a href="#use-nextdns-as-a-global-nameserver" id="use-nextdns-as-a-global-nameserver"></a>

Use FlooydDNS+ as a global nameserver to route DNS queries from all devices on your tailnet to NextDNS.

To add FlooydDNS+ as a global nameserver:

1. Open the [**DNS**](https://login.tailscale.com/admin/dns) page of the admin console.
2. Go to **Nameservers**, then select **NextDNS** from the **Add nameserver** drop-down list.
3. Enter **2a07:a8c0::37:b96c and 2a07:a8c1::37:b96c** for your NextDNS profile. These addresses are available in the **Endpoints** section of the [setup tab](https://my.nextdns.io/setup) of the NextDNS web console.

   <figure><img src="https://tailscale.com/kb/1218/nextdns/nextdns-ipv6.png" alt="A screenshot of entering the NextDNS profile IPv6 address as a custom global nameserver." width="500"><figcaption><p>2a07:a8c0::37:b96c and 2a07:a8c1::37:b96c</p></figcaption></figure>
4. Click **Save**. The NextDNS profile will be saved as a global nameserver for your profile ID. One NextDNS IPv6 address will automatically add all IPv6 addresses for that profile.
5. Select **Override local DNS** to force devices to use NextDNS as a global nameserver instead of what is locally configured on each device.

   <figure><img src="https://tailscale.com/kb/1218/nextdns/nextdns-global-list.png" alt="A screenshot of global nameservers, showing the NextDNS profile &#x60;abc123&#x60;." width="500"><figcaption><p>2a07:a8c0::37:b96c and 2a07:a8c1::37:b96c</p></figcaption></figure>
