Yes. NextDNS is a validating DNSSEC resolver. This means that for domains implemeting DNSSEC, NextDNS will cryptographically ensure that the response provided matches the intended response of the domain operator. If the validation fails, NextDNS will return an empty answer. This ensures protection against domain spoofing or other attacks that attempt to provide false data. In the case of a query on a domain matching one of the blocklists enabled by a configuration, it is to be noted that DNSSEC validation is disabled in order to implement the blocking.

Did this answer your question?