Use NextDNS
NextDNS is a personalized DNS nameserver that can be used to increase the security of your network by blocking malicious domains, to block ads and trackers, and to limit the browsing experience for your kids. Tailscale only uses NextDNS with DNS over HTTPS (DoH).
You can configure NextDNS as a global nameserver in Tailscale, and set different NextDNS profiles for different devices.
What information is shared with NextDNS?
By default, when using NextDNS with Tailscale, your device information is sent to your NextDNS logs so you can have detailed logs and analytics. This includes: device name, OS, Tailscale IP, and Tailscale node ID.
You can disable this metadata sharing.
Prerequisites
You’ll need a NextDNS profile. If you don’t already have one, create a NextDNS profile.
Use NextDNS as a global nameserver
Use NextDNS as a global nameserver to route DNS queries from all devices on your tailnet to NextDNS.
To add NextDNS as a global nameserver:
- Open the DNS page of the admin console.
- Under Nameservers, select Add nameserver.
- Select Custom.
- Enter the IPv6 address for your NextDNS profile, for example 2a07:a8c0::ab:c123. This is available in the Endpoints section of the setup tab of the NextDNS web console.
- The NextDNS profile will save as a global nameserver for your profile ID. One NextDNS IPv6 address will automatically add all IPv6 addresses for that profile.
- Select Override local DNS to force devices to use NextDNS as a global nameserver instead of what is locally configured on each device.

Use different NextDNS profiles for different devices
NextDNS allows you to create multiple profiles (also known as configurations) to protect different devices differently. For example, you might create a parental control profile for your kids’ devices.
To specify a different profile than the global profile for a specific Tailscale device:
- Set up NextDNS as a global nameserver for your tailnet.
- Add a node attributes nodeAttrs section to your tailnet policy file. Set a target for the devices you want the profile to apply to. This can be a tag, user, group, or *.
- Set the attribute nextdns:abc123 to the desired NextDNS profile abc123.
For example, in your tailnet policy file:
{
  "acls": ["..."],
  "nodeAttrs": [
    {
      "target": ["my-kid@my-home.com", "tag:server"],
      "attr": [
        "nextdns:abc123",
      ],
    },
  ],
}
Disable sharing device metadata with NextDNS
To block sharing device metadata with NextDNS, in your tailnet policy file, set the attribute nextdns:no-device-info:
{
  "acls": ["..."],
  "nodeAttrs": [
    {
      "target": ["*"],
      "attr": [
        "nextdns:no-device-info",
      ],
    },
  ],
}
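To check which targets in a policy file still send device metadata to NextDNS, the following Python script reads a local copy of the policy and reports, per nodeAttrs target, the NextDNS profile and whether nextdns:no-device-info is set. It is an added example, not part of Tailscale's documentation or tooling; the function names and the sample policy are constructed for illustration. It assumes a "*" target covers every device and does not resolve overlaps between users, groups and tags.

```python
import json
import re

# Constructed sample policy in the relaxed JSON style used on this page.
SAMPLE_POLICY = """{
  "acls": ["..."],
  "nodeAttrs": [
    // profile override for two targets; only the tag also opts out of metadata
    {"target": ["my-kid@my-home.com", "tag:server"], "attr": ["nextdns:abc123",]},
    {"target": ["tag:server"], "attr": ["nextdns:no-device-info",]},
  ],
}"""

_STRING = r'"(?:\\.|[^"\\])*"'

def _strip(pattern, text):
    """Blank out matches of pattern, leaving JSON string literals untouched."""
    rx = re.compile(_STRING + "|" + pattern, re.S)
    return rx.sub(lambda m: m.group(0) if m.group(0).startswith('"') else " ", text)

def relaxed_json_loads(text):
    """Parse JSON that may carry // or /* */ comments and trailing commas."""
    text = _strip(r"//[^\n]*|/\*.*?\*/", text)   # comments first
    text = _strip(r",(?=\s*[}\]])", text)        # then trailing commas
    return json.loads(text)

def audit_nextdns(policy_text):
    """Return {target: {"profiles": [...], "shares_device_info": bool}}."""
    report = {}
    for entry in relaxed_json_loads(policy_text).get("nodeAttrs", []):
        for target in entry.get("target", []):
            # Per the page, metadata sharing is on unless the opt-out is set.
            row = report.setdefault(target, {"profiles": [], "shares_device_info": True})
            for attr in entry.get("attr", []):
                if attr == "nextdns:no-device-info":
                    row["shares_device_info"] = False
                elif attr.startswith("nextdns:"):
                    row["profiles"].append(attr.split(":", 1)[1])
    # Assumption: an opt-out on "*" applies to every other target as well.
    if "*" in report and not report["*"]["shares_device_info"]:
        for row in report.values():
            row["shares_device_info"] = False
    return report

def targets_sharing_metadata(report):
    """Targets whose device name, OS, Tailscale IP and node ID reach NextDNS logs."""
    return sorted(t for t, row in report.items() if row["shares_device_info"])

if __name__ == "__main__":
    print(targets_sharing_metadata(audit_nextdns(SAMPLE_POLICY)))
```

Devices that match no nodeAttrs target do not appear in the report; they use the global profile and, by default, share metadata.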