
Home Network Setup | macOS | iOS | iPadOS | Router | VPN

After tinkering with NextDNS here is my setup. So far, only one false negative on blocking.

Prior to this I was just using Cloudflare 1.1.1.2 on the router only, which is unencrypted DNS and allegedly blocks ads and malware on their servers and does not keep logs.

Hope this helps others, let me know if you have any questions or better ways!

Desktops on Home Network (macOS) with no VPN:

  1. Create a "Desktop" profile on NextDNS

  2. Download and install the NextDNS-provided Apple configuration profile (this gets DNS encrypted to your Internet provider's IP).

Desktops on Home Network (macOS) with VPN - Private Internet Access (PIA):

  1. Use "Desktop" profile on NextDNS

  2. Download and install the NextDNS-provided Apple configuration profile (this gets DNS encrypted to your Internet provider's IP).

  3. Configure the PIA DNS setting to "Use Existing DNS".

This will use the encrypted DNS from NextDNS and both the DNS and traffic will flow to the VPN IP address.

Mobile Devices (iOS + iPadOS) with no VPN:

  1. Create a "Mobile" profile on NextDNS

  2. Download and install the NextDNS-provided Apple configuration profile (this gets DNS encrypted to your Internet provider's IP).

Mobile Devices (iOS + iPadOS) with VPN - Private Internet Access (PIA): ... This is where it gets tricky.

  1. Use the "Mobile" profile on NextDNS.

  2. Purchase ($9.99) from the App Store and install the AdGuard Pro app (more on why below).

  3. In AdGuard Pro, set up a custom encrypted DNS in the DNS Protection settings using the DNS-over-HTTPS address provided in the "Mobile" NextDNS config.

  4. In AdGuard Pro, disable Safari Protection (not needed, since you will be using the NextDNS config).

  5. In the Private Internet Access VPN app, set the VPN Protocol setting to "IPsec IKEv2".

There is not a setting in the PIA mobile app to use "existing DNS" (yet). That is why you need to set up the separate AdGuard Pro app for the encrypted DNS and run the VPN with IPsec IKEv2, so the two VPNs can co-exist. Using PIA with the NextDNS Apple config profile is nothing but conflicts and trouble!

This combo setup will use the encrypted DNS from NextDNS to your ISP IP (not your VPN), and your web traffic will flow through the VPN tunnel.

It sure would be nice if PIA would add a setting like the desktop app's "Use Existing DNS"; then the extra AdGuard app would not be needed. #justsayin

Current Home Router (IoT, Guests, Devices without Config, Default):

  1. Create a "Router" profile on NextDNS

  2. Use the IPv4 (with Linked IP) option in NextDNS, which basically uses your ISP address.

  3. Create a hostname on NoIP.com for DDNS (you need this because your ISP address may change in the future; mine has been the same for years, however you never know with Comcast).

  4. On the Orbi access point, add the NoIP hostname as a DDNS entry so it can update NoIP.com if the ISP WAN address changes.

This will not encrypt DNS requests; however, you will still get the benefits of NextDNS.

The plan is to replace this router config with a Pi device running NextDNS on the home network to send encrypted DNS and eliminate the need for the clunky DDNS.
