OPNsense – DNS over TLS, Block ads and trackers, and Parent Control with NextDNS


➡️ Introduction

NextDNS protects you from all kinds of security threats, blocks ads and trackers on websites and in apps, and provides a safe and supervised Internet for kids, on all devices and on all networks. NextDNS uses the most popular ads & trackers blocklists, millions of domains, all updated in real time. With Native Tracking Protection, it blocks wide-spectrum trackers that record your activity on a device at the operating-system level. It detects and blocks third-party trackers disguising themselves as first-party to circumvent browser privacy protections like ITP. You get the privacy and security benefits of DNS-over-HTTPS and DNS-over-TLS, the modern encrypted DNS protocols, and it covers all networks: at home, on cellular, at work and on public Wi-Fi. There is zero impact on your CPU, memory or battery life, because it is all done at the DNS level, not on your device.

You can check out my YouTube channel if you prefer video content over written posts. Here’s the link to the video:

If you think the article is helpful and want to support the blog for more content, please consider purchasing your subscription through the affiliated link below.

➡️ Affiliated Link: https://nextdns.io/?from=btsm4vsx 

➡️ Pricing:

The image above shows the price at the time this post was written. For current pricing, please visit: https://nextdns.io/pricing

➡️ My thoughts:

Michael Bazzell, who investigated computer crimes on behalf of the government for over 20 years, recommended NextDNS in one of his podcasts. This is how I came to learn about NextDNS. If you want to learn more about how to protect your privacy, please check out one of Michael’s best sellers, “Extreme Privacy: What It Takes to Disappear”.

What are the benefits?

NextDNS is highly customizable based on your needs. It’s suitable for all types of settings, whether for a business environment or for personal use. You can tailor it to your needs. Most importantly, you have some control over what your children are browsing or watching on the internet.

It reduces the load on your firewall. Yes, you can do the same thing with Pi-hole or with the built-in Unbound DNS on OPNsense, but that adds extra work and unnecessary load on your firewall. Think of NextDNS as Pi-hole in the cloud. NextDNS handles all blocklist updates; you just have to tailor it to suit your needs or your organization’s requirements.

Lastly, you can implement NextDNS on an individual device or on your existing network. You don’t need OpenWRT, pfSense, or OPNsense to deploy NextDNS. This benefits the many users who don’t have the technical knowledge to set up and manage their own DNS server, or even something as simple as Pi-hole.

➡️ Step 1: Obtain a free account or a subscription based account

With the free account, NextDNS allows 300,000 queries/month with unlimited devices, unlimited configurations and access to all features.

Pro, Business, or Education plans give you the same features but come with unlimited queries.

➡️ Step 2: Deploy NextDNS on OPNSense

2.1. System ‣ General ‣ Networking

Ensure “Allow DNS server list to be overridden by DHCP/PPP on WAN” and “Do not use the local DNS service as a nameserver for this system” are unchecked.

2.2. Services ‣ UnboundDNS ‣ DNS over TLS

Click the plus sign to add a new DNS server.

2.2.a. Enabled: checked

2.2.b. Domain: Skip

2.2.c. Server IP: (repeat for the secondary IPv4 address and for IPv6, if applicable)

2.2.d. Server Port: 853

2.2.e. Verify CN: YourRouterNameNextDnsID.dns.nextdns.io

Replace YourRouterName and NextDnsID with your actual name and ID. You can obtain the NextDNS ID from the Setup page. The router name is only needed if you want to filter the traffic; otherwise it isn’t necessary.


You can skip IPv6 if IPv6 is not available from your service provider (rare nowadays, but some parts of the world still don’t support IPv6).

Do not forget to click Apply when you have completed the above steps.
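To see what the fields in step 2.2 actually do, here is a small DNS-over-TLS client. This is an added example, not code from this post, from OPNsense or from NextDNS. It sends one query the way Unbound does once you click Apply: a TCP connection to the resolver IP on port 853 (2.2.d) wrapped in TLS, with the Verify CN value (2.2.e) used both as the TLS server name (SNI) and as the name the resolver’s certificate must match, so a resolver presenting a certificate for another name is rejected. The resolver IP, the Verify CN string and the domain are whatever you entered in 2.2.c/2.2.e and are passed on the command line; the assumption that NextDNS answers a blocked name with 0.0.0.0 / :: is marked in the code; `sample_response` builds a constructed reply so the parsing can be exercised offline.

```python
import socket
import ssl
import struct

DOT_PORT = 853                      # RFC 7858 port: the "Server Port" field in step 2.2.d
TYPE_A, TYPE_AAAA = 1, 28

def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name: str, qtype: int = TYPE_A, txid: int = 0x1234) -> bytes:
    """One question, RD flag set (0x0100), zero answer/authority/additional RRs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def frame(msg: bytes) -> bytes:
    """DoT, like DNS over TCP, prefixes every message with its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg

def read_name(buf: bytes, off: int):
    """Decode a name at off, following compression pointers (top two bits set)."""
    labels, end, jumped = [], off, False
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                      # pointer to an earlier name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF, True
            continue
        if ln == 0:
            if not jumped:
                end = off + 1
            return ".".join(labels), end
        labels.append(buf[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln

def parse_response(msg: bytes):
    """Return (txid, rcode, [A/AAAA addresses]) from a DNS response message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == TYPE_AAAA and rdlen == 16:
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return txid, flags & 0x0F, addrs

def classify(rcode: int, addrs) -> str:
    """Assumption: NextDNS answers a blocked name with 0.0.0.0 / :: rather than NXDOMAIN."""
    if rcode != 0:
        return "error"
    if addrs and all(a in ("0.0.0.0", "::") for a in addrs):
        return "blocked"
    return "resolved" if addrs else "no-data"

def sample_response(txid: int, addrs) -> bytes:
    """Constructed reply for offline use: echoed question for ads.example, then one
    A/AAAA record per address, each owner a pointer (0xC00C) to the name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name("ads.example") + struct.pack("!HH", TYPE_A, 1)
    records = b""
    for a in addrs:
        fam = socket.AF_INET6 if ":" in a else socket.AF_INET
        rdata = socket.inet_pton(fam, a)
        rtype = TYPE_AAAA if fam == socket.AF_INET6 else TYPE_A
        records += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return header + question + records

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS stream closed mid-message")
        buf += chunk
    return buf

def resolve_over_tls(server_ip: str, verify_cn: str, name: str, qtype: int = TYPE_A):
    """verify_cn is sent as TLS SNI and the certificate must match it: the same
    check OPNsense's 'Verify CN' field (step 2.2.e) turns on in Unbound."""
    ctx = ssl.create_default_context()             # system CA bundle, hostname check on
    with socket.create_connection((server_ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=verify_cn) as tls:
            tls.sendall(frame(build_query(name, qtype)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length))

if __name__ == "__main__":
    import sys  # usage: python dot_check.py <resolver IP, 2.2.c> <Verify CN, 2.2.e> <domain>
    _txid, rcode, addrs = resolve_over_tls(*sys.argv[1:4])
    print(sys.argv[3], classify(rcode, addrs), addrs)
```

Run it once against a domain you expect to be blocked and once against one you expect to resolve; if the Verify CN value has a typo, `wrap_socket` raises an `ssl.SSLCertVerificationError` instead of returning an answer, which is the same failure Unbound will log after Apply.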

➡️ Step 3: Recommended Configurations for NextDNS

3.1. Settings

3.1.a. Name: If you have multiple sites, you should give each one a unique name to identify them.

3.1.b. Logs: Enable logs if you want to track and analyze DNS queries. Disable them if you don’t want to keep logs.

3.1.c. Privacy adjustments: Enable/Disable Log client IPs / Log domains (you decide what works for you).

Generally, I would recommend enabling logs for home users, especially if you use it to monitor your kids’ activity. Additionally, it helps you diagnose issues with some of the blocklists. You can disable logging completely once everything is in place.

3.1.d. Retention: Select the length you want to keep the logs.

Minimum is 1 hour and maximum is 2 years.

3.1.e. Storage Location: You have 3 options:

United States 🇺🇸

European Union 🇪🇺

Switzerland 🇨🇭

I recommend Switzerland as it is known for its strong privacy laws.

3.1.f. Anonymized EDNS Client Subnet: Enable

3.1.g. CNAME Flattening: Enable

Below is a sample of my recommended settings. It’s self-explanatory, so I won’t beat a dead horse on this.

3.2. Security

3.3. Privacy

I recommend adding a single blocklist at a time. Test it out; if nothing is broken, then you can move on and add a new one. Adding several at once can cause issues and makes it difficult to troubleshoot and isolate the root cause.

3.4. Parent Control

Block whatever suits you. Keep in mind that this will affect every device using this same profile. I would build a separate profile for my kids. Block Bypass Methods only really works if you installed NextDNS on the individual devices. A VPN can still bypass your DNS server. Nowadays, kids can learn how to bypass these just by searching for instructions on YouTube. It’s best just to monitor their usage rather than blocking. Blocking works best for younger kids, who may unintentionally stumble upon content that is unsuitable for them.

3.5. Deny list

This is where you can add any domain that you want to block. Keep in mind that it will also block every subdomain of that domain.

3.6. Allow list

This is where you allow a site that you want to access, or that needs to function properly, if that site is on one of the blocklists under the Security tab. Allowing a domain automatically allows all its subdomains. Allowing takes precedence over everything else, including security features.
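The two rules for the Deny list and Allow list (an entry covers all its subdomains; the Allow list wins over the Deny list and over the Security/Privacy blocklists) are easy to get wrong when you are troubleshooting why a site is or isn’t blocked. The following added example (my own model of the precedence as the post describes it, not NextDNS’s code) evaluates a query against constructed sample lists. The one caveat it makes explicit is that matching is by DNS label, so an entry for example.com covers sub.example.com but not notexample.com.

```python
def is_under(name: str, zone: str) -> bool:
    """True when name equals zone or is a subdomain of it. Matching is label-wise:
    'notexample.com' is NOT under 'example.com'."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)

def decide(domain: str, allowlist, denylist, blocklist_entries) -> str:
    """Order of evaluation as the post describes it: Allow list first (beats
    everything), then Deny list, then the enabled Security/Privacy blocklists."""
    if any(is_under(domain, a) for a in allowlist):
        return "allowed (allowlist)"
    if any(is_under(domain, d) for d in denylist):
        return "blocked (denylist)"
    if any(is_under(domain, b) for b in blocklist_entries):
        return "blocked (blocklist)"
    return "allowed"

# Constructed sample policy, not taken from any real NextDNS profile.
SAMPLE_ALLOW = ["cdn.example.net"]
SAMPLE_DENY = ["example.com"]
SAMPLE_BLOCKLIST = {"tracker.example.net", "cdn.example.net"}

if __name__ == "__main__":
    for q in ["sub.example.com", "notexample.com", "a.cdn.example.net", "tracker.example.net"]:
        print(f"{q:24} -> {decide(q, SAMPLE_ALLOW, SAMPLE_DENY, SAMPLE_BLOCKLIST)}")
```

Because the Allow list also overrides the Security tab, keep it to exact hostnames where you can: allowing `example.net` silently re-enables every tracker hosted under it.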

3.7. Analytics

This is your Dashboard.

3.8. Logs

This is where all DNS queries get logged. Depending on your settings, it shows the IP / system name / domain name. You can always filter by device.

➡️ If you think this tutorial is helpful, please support my channel by subscribing to my YouTube channel or by using the affiliated links below (full disclaimer: I get a small commission from your purchase, which helps grow my channel):

🚀 NextDNS: https://nextdns.io/?from=btsm4vsx 

🚀 Things I used for my server: https://amzn.to/3hudohP

🚀 Tools I used: https://amzn.to/3uXaSUr

🚀 Devices I used: https://amzn.to/3FYlfxk

🚀 Networking/Cybersecurity/Programming Books: https://amzn.to/3HEYwb0

🚀 TrueNAS HBA SAS controller IT Mode from the Art of Server: https://ebay.us/cBWEvJ
