Use NextDNS
NextDNS is a personalized DNS nameserver that can be used to increase the security of your network by blocking malicious domains, blocking ads and trackers, and limiting the browsing experience of users on your tailnet. Tailscale only uses NextDNS with DNS over HTTPS (DoH).
You can configure NextDNS as a global nameserver in Tailscale, and set different NextDNS profiles for different devices.
What information is shared with NextDNS?
By default, when using NextDNS with Tailscale, your device information is sent to your NextDNS logs so you can have detailed logs and analytics. This includes: device name, OS, Tailscale IP, and Tailscale node ID.
You can disable this metadata sharing.
Prerequisites
Using NextDNS with Tailscale requires Tailscale v1.32 or later.
You'll need a NextDNS profile. If you don't already have one, create a NextDNS profile.
Use NextDNS as a global nameserver
Use NextDNS as a global nameserver to route DNS queries from all devices on your tailnet to NextDNS.
To add NextDNS as a global nameserver:
- Open the DNS page of the admin console.
- Go to Nameservers, then select NextDNS from the Add nameserver drop-down list.
- Enter the IPv6 address for your NextDNS profile. This address is available in the Endpoints section of the Setup tab of the NextDNS web console.
- Select Save. The NextDNS profile is saved as a global nameserver for your profile ID. Adding one NextDNS IPv6 address automatically adds all IPv6 addresses for that profile.
- Select Override local DNS to force devices to use NextDNS as a global nameserver instead of whatever is locally configured on each device.
If you configure NextDNS as a global nameserver, you should not configure another global nameserver for your tailnet. This is because queries denied by NextDNS could be answered by other nameservers, accidentally circumventing privacy or content restrictions. Additionally, NextDNS cannot be used as a split DNS server.
Use different NextDNS profiles for different devices
NextDNS lets you create multiple profiles (also known as configurations) to protect different devices differently. For example, you might create an administrator control profile and a user control profile for your devices.
You must be using NextDNS as a global nameserver to use different profiles for different devices.
To specify a different profile than the global profile for a specific Tailscale device:
- Set up NextDNS as a global nameserver for your tailnet.
- Add a node attributes (nodeAttrs) section to your tailnet policy file. Set a target for the devices you want the profile to apply to. This can be a tag, user, group, or *.
- Set the attribute nextdns:abc123 to use the desired NextDNS profile ID abc123.
For example, in your tailnet policy file:
{
  "acls": ["..."],
  "nodeAttrs": [
    {
      "target": ["user@example.com", "tag:server"],
      "attr": [
        "nextdns:abc123",
      ],
    },
  ],
}
Disable sharing device metadata with NextDNS
To block sharing device metadata with NextDNS, set the attribute nextdns:no-device-info in your tailnet policy file:
{
  "acls": ["..."],
  "nodeAttrs": [
    {
      "target": ["*"],
      "attr": [
        "nextdns:no-device-info",
      ],
    },
  ],
}
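The two nodeAttrs sections above (per-device profiles and nextdns:no-device-info) are easy to get wrong when a policy file grows. The following added checker, which is example code and not part of Tailscale or NextDNS, reads a tailnet policy file, lists which NextDNS profile ID each target is assigned, flags any target given more than one profile ID (assumed here to be a misconfiguration worth reviewing), and reports whether metadata sharing is disabled for the wildcard target. The sample policy is constructed, and the HuJSON loader is a simplified one that handles only // comments and trailing commas.

```python
import json
import re

# Constructed sample tailnet policy in HuJSON (comments and trailing commas allowed).
SAMPLE_POLICY = """
{
  // constructed example, not a real tailnet
  "acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}],
  "nodeAttrs": [
    {"target": ["user@example.com", "tag:server"], "attr": ["nextdns:abc123"]},
    {"target": ["tag:server"], "attr": ["nextdns:def456"]},  // second ID for tag:server
    {"target": ["*"], "attr": ["nextdns:no-device-info"]},
  ],
}
"""

def load_hujson(text):
    """Simplified HuJSON loader: strips // comments and trailing commas, then
    delegates to json. Assumes no '//' inside string values (e.g. URLs)."""
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r",\s*([\]}])", r"\1", text)
    return json.loads(text)

def nextdns_attrs(policy):
    """Return (profiles, no_device_info): profiles maps each target to the set of
    NextDNS profile IDs assigned to it; no_device_info is the set of targets
    carrying nextdns:no-device-info."""
    profiles = {}
    no_device_info = set()
    for entry in policy.get("nodeAttrs", []):
        for attr in entry.get("attr", []):
            if not attr.startswith("nextdns:"):
                continue
            value = attr[len("nextdns:"):]
            for target in entry.get("target", []):
                if value == "no-device-info":
                    no_device_info.add(target)
                else:
                    profiles.setdefault(target, set()).add(value)
    return profiles, no_device_info

def find_conflicts(profiles):
    """Targets assigned more than one profile ID, with the IDs sorted for review."""
    return {t: sorted(ids) for t, ids in profiles.items() if len(ids) > 1}

if __name__ == "__main__":
    prof, ndi = nextdns_attrs(load_hujson(SAMPLE_POLICY))
    for target, ids in sorted(prof.items()):
        print(f"{target}: {sorted(ids)}")
    print("conflicting profile assignments:", find_conflicts(prof))
    print("metadata sharing disabled for all devices:", "*" in ndi)
```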