Use NextDNS

NextDNS is a personalized DNS nameserver that can be used to increase the security of your network by blocking malicious domains, blocking ads and trackers, and limiting the browsing experience of users on your tailnet. Tailscale only uses NextDNS with DNS over HTTPS (DoH).

You can configure NextDNS as a global nameserver in Tailscale, and set different NextDNS profiles for different devices.

What information is shared with NextDNS?

By default, when using NextDNS with Tailscale, your device information is sent to your NextDNS logs so you can have detailed logs and analytics. This includes: device name, OS, Tailscale IP, and Tailscale node ID.

You can disable this metadata sharing.

Prerequisites

Using NextDNS with Tailscale requires Tailscale v1.32 or later.

You’ll need a NextDNS profile. If you don’t already have one, create a NextDNS profile.

Use NextDNS as a global nameserver

Use NextDNS as a global nameserver to route DNS queries from all devices on your tailnet to NextDNS.

To add NextDNS as a global nameserver:

  1. Open the DNS page of the admin console.

  2. Go to Nameservers, then select NextDNS from the Add nameserver drop-down list.

  3. Enter the IPv6 address for your NextDNS profile. This address is available in the Endpoints section of the setup tab of the NextDNS web console.

    A screenshot of entering the NextDNS profile IPv6 address as a custom global nameserver.
  4. Click Save. The NextDNS profile is saved as a global nameserver for your profile ID. Entering one NextDNS IPv6 address automatically adds all IPv6 addresses for that profile.

  5. Select Override local DNS to force devices to use NextDNS as a global nameserver instead of what is locally configured on each device.

    A screenshot of global nameservers, showing the NextDNS profile `abc123`.
If you configure NextDNS as a global nameserver, you should not configure another global nameserver for your tailnet. This is because queries denied by NextDNS could be answered by other nameservers, accidentally circumventing privacy or content restrictions. Additionally, NextDNS cannot be used as a split DNS server.

Use different NextDNS profiles for different devices

Using different NextDNS profiles per device is currently in alpha.

NextDNS lets you create multiple profiles (also known as configurations) to protect different devices differently. For example, you might create an administrator control profile and a user control profile for your devices.

You must be using NextDNS as a global nameserver to use different profiles for different devices.

To specify a different profile than the global profile for a specific Tailscale device:

  1. Set up NextDNS as a global nameserver for your tailnet.

  2. Add a node attributes (nodeAttrs) section to your tailnet policy file. Set a target for the devices you want the profile to apply to. This can be a tag, user, group, or *.

  3. Set the attribute nextdns:abc123, where abc123 is the ID of the desired NextDNS profile.

For example, in your tailnet policy file:

    {
        "acls": ["..."],
        "nodeAttrs": [
            {
                "target": ["user@example.com", "tag:server"],
                "attr": [
                    "nextdns:abc123",
                ],
            },
        ],
    }

Disable sharing device metadata with NextDNS

To block sharing device metadata with NextDNS, in your tailnet policy file, set the attribute nextdns:no-device-info:

    {
        "acls": ["..."],
        "nodeAttrs": [
            {
                "target": ["*"],
                "attr": [
                    "nextdns:no-device-info",
                ],
            },
        ],
    }
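The two policy fragments above (per-device profiles via nodeAttrs targets, and the nextdns:no-device-info attribute) are easier to review when you can ask "which NextDNS attributes does this device actually end up with?" before pushing the policy. The following is an added example, not Tailscale or NextDNS code: it parses a constructed HuJSON policy file (comments and trailing commas stripped), resolves the nextdns: attributes for a device by matching the four target kinds named on this page (tag, user, group, *), and reports devices that still share metadata or that are selected by more than one profile. The page documents no precedence between overlapping nodeAttrs entries, so the lint treats that as a misconfiguration to fix rather than guessing; the profile ID def456, the group name, and the representation of a device as a user plus tags are all assumptions made for the example.

```python
"""Resolve and lint the NextDNS node attributes a tailnet policy assigns to a device.

Added example; not Tailscale's or NextDNS's own code. Assumes a policy file in
HuJSON (JSON plus comments and trailing commas), the nodeAttrs shape shown on
the page, and only the target kinds the page names: tag:, group:, a user login, or "*".
"""
import json
import re

# Strings are matched first so that `//` or `/*` inside a quoted value is left alone.
_COMMENT = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/', re.DOTALL)
_TRAILING_COMMA = re.compile(r'("(?:\\.|[^"\\])*")|,(?=\s*[\]}])')

NO_DEVICE_INFO = "nextdns:no-device-info"  # attribute documented on the page


def hujson_to_json(text: str) -> str:
    """Strip comments, then trailing commas, keeping string literals intact."""
    keep_strings = lambda m: m.group(1) or ""
    return _TRAILING_COMMA.sub(keep_strings, _COMMENT.sub(keep_strings, text))


def load_policy(text: str) -> dict:
    return json.loads(hujson_to_json(text))


def target_matches(target: str, device: dict, groups: dict) -> bool:
    """Does one nodeAttrs target select this device? (assumed matching rules)"""
    if target == "*":
        return True
    if target.startswith("tag:"):
        return target in device.get("tags", [])
    if target.startswith("group:"):
        return device.get("user") in groups.get(target, [])
    return target == device.get("user")  # bare user login


def nextdns_attrs(policy: dict, device: dict) -> set:
    """Union of nextdns: attributes from every nodeAttrs entry that selects the device."""
    groups = policy.get("groups", {})
    found = set()
    for entry in policy.get("nodeAttrs", []):
        if any(target_matches(t, device, groups) for t in entry.get("target", [])):
            found.update(a for a in entry.get("attr", []) if a.startswith("nextdns:"))
    return found


def effective_nextdns(policy: dict, device: dict) -> dict:
    attrs = nextdns_attrs(policy, device)
    profiles = sorted(a.removeprefix("nextdns:") for a in attrs if a != NO_DEVICE_INFO)
    return {"profiles": profiles, "device_info_shared": NO_DEVICE_INFO not in attrs}


def lint_policy(policy: dict, devices: dict) -> list:
    """Findings a reviewer would want before applying the policy."""
    findings = []
    for name, dev in devices.items():
        eff = effective_nextdns(policy, dev)
        if len(eff["profiles"]) > 1:
            findings.append(f"{name}: selected by more than one NextDNS profile {eff['profiles']}")
        if eff["device_info_shared"]:
            findings.append(f"{name}: device metadata is shared with NextDNS")
    return findings


# Constructed sample policy (HuJSON, with comments and trailing commas on purpose).
SAMPLE_POLICY = """
{
    "acls": ["..."],
    "groups": {
        "group:admins": ["alice@example.com"],
    },
    "nodeAttrs": [
        { "target": ["group:admins"], "attr": ["nextdns:abc123"], },  // admin profile
        { "target": ["tag:server"],   "attr": ["nextdns:def456"], },  /* server profile (constructed ID) */
        { "target": ["*"],            "attr": ["nextdns:no-device-info"], },
    ],
}
"""

# Constructed device inventory: user login plus any tags applied to the node.
SAMPLE_DEVICES = {
    "alice-laptop": {"user": "alice@example.com", "tags": []},
    "web-1": {"user": None, "tags": ["tag:server"]},
    "alice-server": {"user": "alice@example.com", "tags": ["tag:server"]},  # overlaps two profiles
    "bob-phone": {"user": "bob@example.com", "tags": []},  # falls through to the global profile
}

if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY)
    for name, dev in SAMPLE_DEVICES.items():
        print(name, effective_nextdns(policy, dev))
    for finding in lint_policy(policy, SAMPLE_DEVICES):
        print("FINDING:", finding)
```

A device with an empty profiles list is not an error: it simply uses the global nameserver profile configured in the admin console, which is exactly the fall-through the page describes. Removing the "*" entry from the sample makes the lint report metadata sharing for every device, which is the quickest way to confirm the no-device-info attribute actually reaches the nodes you expect.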