How to install and trust NextDNS Root CA
Windows
- Open https://nextdns.io/ca to download the NextDNS.cer file.
- Open the NextDNS.cer file (the Certificate window will open).
- Click on Install Certificate.
- In the Certificate Import Wizard, when prompted for the Certificate Store, choose Place all certificates in the following store and select the Trusted Root Certification Authorities store.
CLI Installation
In a PowerShell as administrator, run:
Invoke-WebRequest -Uri "https://nextdns.io/ca" -OutFile "$env:TEMP\nextdns.cer"
certutil -addstore -f root "$env:TEMP\nextdns.cer"macOS
- Open https://nextdns.io/ca to download the NextDNS.cer file.
- Open the NextDNS.cer file (the Keychain Access.app will open with the list of Certificates installed on your computer).
- Double-click on NextDNS Root CA in that list.
- Under Trust, choose Always Trust for Secure Socket Layers (SSL).
- Close the window (you may be asked to enter your system password to confirm the change).
iOS
- Open https://nextdns.io/ca, then choose Allow.
- Open the Settings app, then go to General → Profiles.
- Open NextDNS Root CA, then Install.
- In the Settings app, go to General → About → Certificate Trust Settings.
- Enable Full Trust for NextDNS Root CA.
Android
- Open https://nextdns.io/ca, then choose Download.
- Open the downloaded NextDNS.cer file.
- When asked, name the certificate NextDNS.
Linux
Firefox
- Open https://nextdns.io/ca to download the NextDNS.cer file.
- Open about:preferences →Privacy & Security.
- Scroll down to Certificates and click View Certificates…
- In the Authorities tab click Import.
- Select the NextDNS.cer file.
- Check Trust this CA to identify websites then click OK
Chrome, Chromium
- Open https://nextdns.io/ca to download the NextDNS.cer file.
- Open chrome://settings/certificates
- In the Authorities tab click Import.
- In the lower right, select All Files
- Select the NextDNS.cer file.
- Check Trust this certificate for identifying websites then click OK.
If you're using Firefox, an additional step is required:
- Enter about:config in the address bar, then press Enter.
- If asked, click on Accept the Risk and Continue.
- Set the value for security.enterprise_roots.enabled to true.
34 replies
-
What potential risk is there in installing the nextdns ca certificate?
I read a pre installation warning that the owner of the CA certificate could potentially read my passwords and cc details.
-
I think for Firefox on PC it is safer and better to install the certificate in the internal storage rather than change the setting so that the browser trusts all system certificates.
-
Hi, thanks for elaborating on this. In my android, yes its perfectly working. But in my laptop, especially in Chrome browser even after following all the instructions it doesn't remove https warning message. So, do i have to tweak something from chrome?
-
Hi, I have installed it but now I can not delete from my Samsung S21, could you help me?
-
Thanks
-
Can this certificate be installed at the router level?
-
Helo! I installed the certificate on my device, but the certificate does not appear on the websites:
-
To upgrade or uninstall the NextDNS CLI, run the same install command again and select "Upgrade" or "Uninstall" from the menu.
-
You talk about a slight load time increase with the block page. What order of increase and is it for every query or just the blocked ones ? I'm french and my English not so good so I hope you understand what I mean.
-
Romain Navarro @NextDNS
I understood your question, and am wondering the same thing.
Does anyone know?! -
Romain Navarro Anyone?! Why are pertinent/critical questions (which would be any/all on here!) being ignored?
-
Romain Navarro K M S I'm not sure why the decided not to touch your question. Anyway I haven't dug too much into it... (AKA I'm not sure if they're using some CNAME magic which might actually trigger multiple queries, or if it all resolves to one "Block page server", or what?) But at a minimum level you are dealing with comparing a speed of "Already Done" to "Load a block page." If an ad site for example is blocked having DNS resolve as "No DNS record" exists means your computer stops looking and the page with the ad moves onward with loading. Having it load a page that says "This page is blocked" means where the ad was supposed to be your web browser calls out to the block server, asks for the page, and the server replies "Oh no, blocked.example.com is blocked
". So in a particular bad situation you could go with something overloaded with ads taking 50 seconds to load, to only taking 20 seconds with no block pages, to 22 seconds with the block pages. Quantifying this is hard though..... Take ping for example. On windows it sends 4 packets 1 second apart and asks a site if it's ok. SO for the results to come back from ping blocked.example.com if you are blocking it and are set to show pages will take 4 seconds to finish running. If you don't send a block page though ping Immediately finishes stating it could not find blocked.example.com. On paper that's infinitely faster to not show a block page.
-
-
Coud u make regular https so i dont need to install cert to 1000 devices. Just for notification and maybe make some options to customise message backfround color logo and that stuffs.
-
I installed it on my new Macbook. The keystore doesn't trust it.
-
Okay, so in the event that my kiddo is able to get around the block page, how could I prevent this?
-
How to undo? Or uninstall it incase we don't want it on the system?
-
Raiyan Asaral In the event you don't want to use the block page, then follow these steps. Note: This is strictly for windows devices.
1. Go onto your task bar and select the search bar/icon.2. Type "Certificates"
3. Select "Manage User Certificates"
4. On the LEFT pane, click "Trusted Root Certification Authorities"
5. Click "Certificates"
6. Find "NextDNS Root CA"
7. Click "the red X on the top to remove the NextDNS root certificate.
THEN 
-
-
How to script cert installation?
