Use NextDNS

NextDNS is a personalized DNS nameserver that can be used to increase the security of your network by blocking malicious domains, blocking ads and trackers, and limiting what your kids can browse. Tailscale only uses NextDNS over DNS over HTTPS (DoH).

You can configure NextDNS as a global nameserver in Tailscale, and set different NextDNS profiles for different devices.

What information is shared with NextDNS?

By default, when using NextDNS with Tailscale, your device information is sent to your NextDNS logs so you can have detailed logs and analytics. This includes: device name, OS, Tailscale IP, and Tailscale node ID.

You can disable this metadata sharing.

Prerequisites

Using NextDNS with Tailscale requires Tailscale v1.32 or later.

You’ll need a NextDNS profile. If you don’t already have one, create a NextDNS profile.

Use NextDNS as a global nameserver

Use NextDNS as a global nameserver to route DNS queries from all devices on your tailnet to NextDNS.

To add NextDNS as a global nameserver:

  1. Navigate to the DNS tab of the admin console.
  2. Under Nameservers, select Add nameserver.
  3. Select Custom.
  4. Enter the IPv6 address for your NextDNS profile, for example 2a07:a8c0::ab:c123. This is available in the Endpoints section of the Setup tab of the NextDNS web console.
     [Screenshot: entering the NextDNS profile IPv6 address as a custom global nameserver.]
  5. Tailscale saves the NextDNS profile as a global nameserver under its profile ID. Adding one NextDNS IPv6 address automatically adds all IPv6 addresses for that profile.
  6. Select Override local DNS to force devices to use NextDNS as a global nameserver instead of whatever is locally configured on each device.

[Screenshot: global nameservers, showing the NextDNS profile `abc123`.]

If you configure NextDNS as a global nameserver, you should not configure another global nameserver for your tailnet. Otherwise, queries denied by NextDNS could be answered by the other nameserver, accidentally circumventing privacy or parental controls. NextDNS cannot be used with split DNS.

Use different NextDNS profiles for different devices

Per-device NextDNS profiles are currently in alpha.

NextDNS allows you to create multiple profiles (also known as configurations) to protect different devices differently. For example, you might create a parental control profile for your kids’ devices.

You must be using NextDNS as a global nameserver to use different profiles for different devices.

To specify a different profile than the global profile for a specific Tailscale device:

  1. Set up NextDNS as a global nameserver for your tailnet.
  2. Add a node attributes (`nodeAttrs`) section to your tailnet policy file. Set `target` to the devices you want the profile to apply to. This can be a tag, user, group, or `*`.
  3. Set the attribute `nextdns:<profile ID>`, for example `nextdns:abc123` for the NextDNS profile `abc123`.

For example, in your tailnet policy file:

    {
        "acls": ["..."],
        "nodeAttrs": [
            {
                "target": ["my-kid@my-home.com", "tag:server"],
                "attr": [
                    "nextdns:abc123",
                ],
            },
        ],
    }

Disable sharing device metadata with NextDNS

To block sharing device metadata with NextDNS, in your tailnet policy file, set the attribute nextdns:no-device-info:

    {
        "acls": ["..."],
        "nodeAttrs": [
            {
                "target": ["*"],
                "attr": [
                    "nextdns:no-device-info",
                ],
            },
        ],
    }
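Because the per-device profile and the metadata opt-out both live in `nodeAttrs`, it is worth checking the policy file before pushing it: a target matched by two different `nextdns:` profiles is ambiguous, a malformed profile ID silently does nothing, and it is easy to forget whether `nextdns:no-device-info` is actually set. The script below is an added example, not Tailscale's or NextDNS's own code. It loads a constructed tailnet policy in the same HuJSON shape as the examples above, reports every NextDNS attribute, and derives the IPv6 nameserver addresses for each profile following the pattern in the page's own example (profile `abc123` is entered as 2a07:a8c0::ab:c123); the second prefix, 2a07:a8c1::, is assumed from NextDNS's published endpoints and should be checked against your profile's Endpoints page. The 6-hex-character profile ID format and the sample policy are assumptions made for the example.

```python
import ipaddress
import json
import re
from typing import Dict, List

# Constructed sample tailnet policy (HuJSON: comments and trailing commas allowed).
# The "acls" section is elided, as in the page's examples.
SAMPLE_POLICY = '''
{
    // kids' devices and servers use profile abc123
    "acls": ["..."],
    "nodeAttrs": [
        {
            "target": ["my-kid@my-home.com", "tag:server"],
            "attr": ["nextdns:abc123",],
        },
        {
            "target": ["*"],
            "attr": ["nextdns:no-device-info",],
        },
        {
            // conflicts with the first entry for tag:server
            "target": ["tag:server"],
            "attr": ["nextdns:def456"],
        },
        {
            "target": ["group:it"],
            "attr": ["nextdns:xyz"],   // malformed: profile IDs are 6 hex characters (assumed)
        },
    ],
}
'''

# Assumed profile ID format, matching the abc123 style used on the page.
PROFILE_ID = re.compile(r"^[0-9a-f]{6}$")


def load_hujson(text: str) -> dict:
    """Minimal HuJSON loader: drop // comments and trailing commas, then parse as JSON.
    Good enough for policy files like the samples here; it does not protect '//' inside strings."""
    no_comments = re.sub(r"//[^\n]*", "", text)
    no_trailing = re.sub(r",(\s*[}\]])", r"\1", no_comments)
    return json.loads(no_trailing)


def nextdns_ipv6(profile_id: str) -> List[str]:
    """Derive the NextDNS IPv6 nameserver addresses for a profile ID.
    Pattern from the page's example: abc123 -> 2a07:a8c0::ab:c123.
    The 2a07:a8c1:: twin is assumed from NextDNS's published endpoints."""
    head, tail = profile_id[:2], profile_id[2:]
    raw = [f"2a07:a8c0::{head}:{tail}", f"2a07:a8c1::{head}:{tail}"]
    # Canonicalise so leading zeros (e.g. profile 0a1b2c) compare predictably.
    return [str(ipaddress.IPv6Address(a)) for a in raw]


def audit_policy(text: str) -> Dict[str, object]:
    """Summarise NextDNS attributes in nodeAttrs and flag conflicts and malformed IDs."""
    policy = load_hujson(text)
    profiles: Dict[str, List[str]] = {}     # profile ID -> targets it applies to
    per_target: Dict[str, List[str]] = {}   # target -> profile IDs (to catch conflicts)
    no_device_info_targets: List[str] = []
    errors: List[str] = []

    for entry in policy.get("nodeAttrs", []):
        targets = entry.get("target", [])
        for attr in entry.get("attr", []):
            if not attr.startswith("nextdns:"):
                continue
            value = attr[len("nextdns:"):]
            if value == "no-device-info":
                no_device_info_targets.extend(targets)
            elif PROFILE_ID.match(value):
                profiles.setdefault(value, []).extend(targets)
                for t in targets:
                    per_target.setdefault(t, []).append(value)
            else:
                errors.append(f"malformed NextDNS profile id {value!r} for targets {targets}")

    # A target that resolves to more than one profile is ambiguous and should be fixed.
    conflicts = {t: ids for t, ids in per_target.items() if len(set(ids)) > 1}
    return {
        "profiles": profiles,
        "nameservers": {p: nextdns_ipv6(p) for p in profiles},
        "conflicts": conflicts,
        "no_device_info_targets": no_device_info_targets,
        "errors": errors,
    }


if __name__ == "__main__":
    report = audit_policy(SAMPLE_POLICY)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against your own policy file by replacing `SAMPLE_POLICY` with the file's contents. An empty `no_device_info_targets` list means device name, OS, Tailscale IP and node ID are still being sent to your NextDNS logs; a non-empty `conflicts` entry means that target's effective profile depends on evaluation order rather than on your intent.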

© 2022 Tailscale Inc.