Sat · 25 Apr 2026
>therundown.today

NextDNS for Families

A $2/month filtered DNS service that blocks porn, gambling, malware, and bypass methods at the network layer — covering every device including iPhone, Android, Chromebook, Xbox, and the friend's hand-me-down iPad.

The $2/Month Parental Control Most Parents Don't Know Exists

Updated April 2026 · Advanced · 30 min setup · 14 min read


The one-paragraph summary

NextDNS is a filtered DNS service. You point your kid's phone, your router, or both at it, and it blocks porn, malware, gambling, VPN bypass sites, and 50+ other categories before the device can load them. It works on every device — iPhone, Android, Chromebook, Xbox, smart TV, a friend's hand-me-down iPad. It can't be uninstalled like an app. And it costs $1.99 per month. Most parents don't know it exists because NextDNS doesn't run ads. That's the guide in one paragraph. The rest of this is how to actually deploy it.


What DNS is, in plain English

Every time any device tries to load a website, it first asks a translator service: "what's the IP address of youtube.com?" That translator is called a DNS server. Your internet company (Comcast, Verizon, AT&T, Spectrum, whoever) gives you a DNS server by default. It will cheerfully translate any address your devices ask for, including the ones you'd rather your kid didn't reach.

NextDNS is a replacement translator with a blocklist. You tell it: "don't translate anything in these categories." When a device tries to reach a porn site, gambling platform, known malware domain, or any of the hundreds of categories you enable, NextDNS responds with "that address doesn't exist." The browser shows a blocked page. No site loads. No workaround at the app level. No battery drain from running monitoring software.

This happens at the network layer — which means a kid can't escape it by installing a different browser, disabling an app, or creating a second account. If their device is pointed at NextDNS, the filter applies to everything the device tries to load.


Why this beats app-based parental controls

Apple Screen Time and Google Family Link are genuinely useful. But they share three structural limits:

  1. They only work on the device they're installed on. Your kid's iPad Pro is a different install from the iPhone. The Switch is unsupervised. The Xbox is unsupervised. The smart TV is unsupervised.
  2. They're defeatable. A motivated teenager with a YouTube tutorial can disable most of them in under 5 minutes. Factory reset, profile removal, workaround browsers — all documented online.
  3. They don't extend to visitors. Your kid's friend comes over, hands your kid their unfiltered phone, and every control you set up is bypassed.

NextDNS operates one level lower. Deployed on the router, it filters every device on the network — including the friend's phone the moment it joins your Wi-Fi. Deployed directly on the kid's phone, it travels with them: home, cellular, school Wi-Fi, grandma's house. They can't install a different browser to escape it. They can't uninstall it without your Apple/Google credentials.

It doesn't replace Screen Time. It underlies it.


What it costs

Pricing as of April 2026 — verify current rates at nextdns.io/pricing before citing:

  • Free tier: 300,000 queries per month. Fine for single-device testing. Usually runs out in 2–3 days for a typical family.
  • Pro (individual): $1.99/month or $19.90/year. Unlimited queries. This is what you want.
  • Pro (family): $2.99/month or $29.90/year. Adds separate configurations for different family members — useful if you want different rules for a 9-year-old and a 15-year-old on the same account.

No affiliate program. I don't earn anything from recommending them. I just think it's the best value in consumer parental controls by a wide margin.


Setup Part 1 — Create and configure the NextDNS account

Sign up

  1. Go to nextdns.io and create an account (email and password; no credit card for the free tier)
  2. You land on a config page with a unique 6-character config ID (something like abc123). Bookmark this page — it's the only place you configure rules.
  3. At the top, give the configuration a clear name like Family Filter or Kids Phones.

Security tab

Turn on:

  • Threat Intelligence Feeds
  • AI-Driven Threat Detection
  • Google Safe Browsing
  • Cryptojacking Protection
  • DNS Rebinding Protection
  • Homograph Attack Protection
  • Typosquatting Protection
  • Block Newly Registered Domains (this blocks phishing sites hosted on domains registered in the last 30 days — very high signal-to-noise)

Privacy tab

  • Enable NextDNS Ads & Trackers Blocklist (default)
  • Add OISD Big from the available blocklists — best single blocklist in the business, stops most tracking without breaking sites
  • Leave AdGuard DNS Filter off unless you're comfortable troubleshooting broken sites. It's aggressive.

Parental Control tab — this is the core

  • Safe Search: ON — forces Google, Bing, DuckDuckGo, and Yandex to filter their image and video results. Cannot be bypassed from the browser.
  • YouTube Restricted Mode: ON — hides videos flagged as mature
  • Block Bypass Methods: ON — this is critical. Blocks VPN services, proxy sites, and DNS-over-HTTPS endpoints that kids commonly use to tunnel past filtering.
  • Services to block: Enable individual services you want gone entirely. Common picks for tweens: TikTok, Snapchat, Discord, Reddit, Omegle, Kick, Telegram. Leave these off if you allow the app and just want category-level content filtering.
  • Categories:
    • Porn: always ON
    • Gambling: always ON
    • Piracy: recommended ON
    • Dating: ON for under-16
    • Social Networks: depends on family rules
    • Gaming: leave OFF unless you're sure — this breaks Steam, Xbox Live, PlayStation Network in surprising ways
  • Recreation Times: Schedule block windows (school hours 8am–3pm, bedtime 9pm–7am). Affects only the categories tagged as recreation.

Denylist — concrete additions worth making

The UI lets you block specific domains. Here's a starter list that catches common bypass attempts and things the categories miss:

youtube-nocookie.com     (embed bypass for YouTube Restricted)
youtubeeducation.com     (alternate YouTube surface)
10minutemail.com         (throwaway email services)
temp-mail.org
tempmail.com
discord.gg               (Discord invite shortener — blocks invites even if Discord itself is allowed)
telegram.dog             (Telegram mirror)
web.telegram.org         (Telegram web client)
tiktokv.com              (TikTok CDN — harder to bypass than tiktok.com alone)
roblox.com               (only if you're blocking Roblox entirely)

Allowlist

Start empty. Add domains here only when something gets incorrectly blocked — common culprits are school learning platforms, educational YouTube channels, and some banking sites. Enter only the specific domain, not wildcards, unless you know what you're doing.

Settings tab — things worth knowing

  • Logs → Retention: Set to 1 hour or "don't log" if privacy matters more than auditing. Set to 1 month if you want to actually review what your kid's phone is doing (recommended). You can also set logs to a specific geographic region.
  • Logs → Clients: Enable this. It lets you see which device made which query. Without this, every log entry just says "a family device queried X." With it, you see "Kid 1's iPhone queried X at 10:47pm."
  • Block Page: Leave on. When a site is blocked, the kid sees a clean "This site is blocked" page instead of a confusing timeout.

Analytics — this is NextDNS's killer feature

Click the Analytics tab. You're looking at every DNS query your devices made, bucketed by domain, device, and category.

Most parents don't realize this exists. It's more useful than most $15/month parental control dashboards for one reason: it shows you what your kid is actually trying to do, not what the parental control company thinks is important.

Some things worth checking weekly in the first month after deploying:

  • Top domains queried. You'll see the actual apps and websites in use, not just the ones visible on the home screen.
  • Blocked queries. If your kid is trying to reach porn sites or bypass services, you'll see it here. Common pattern: 200 blocked queries to the same VPN provider means they tried to install a VPN.
  • Queries by device. A sudden spike in queries from one device at 2am is a signal worth investigating.
  • New domains. Anything the device has never queried before shows up fresh. Sometimes it's a legitimate new app; sometimes it's a calculator-vault app reaching for its backend.

This is the feature that pays for the $2/month on its own.

One personal note. The first week I deployed NextDNS across my family's devices, I sat down on a Friday night and opened Analytics for the first time. Two things caught my eye immediately. First, one of my kids' phones had made 300+ queries to Discord's backend — which was interesting, because we hadn't had a Discord conversation yet. Second, there were 40+ blocked queries to a couple of vault-app backend domains. That one evening of log-reading produced two good conversations and a permanent denylist entry. I hadn't installed surveillance software. I hadn't monitored any messages. I'd just looked at DNS queries the devices were already making.


Setup Part 2 — Deploy to the kid's phone (iPhone)

NextDNS ships a configuration profile — a small file iOS treats as a system-level DNS override. Once installed, the phone uses NextDNS for every DNS query, including on cellular data, airport Wi-Fi, and school networks. It doesn't run as an app. It doesn't drain battery. It doesn't show up in the running apps list.

Install the profile

  1. On the kid's iPhone, open Safari and go to apple.nextdns.io
  2. Sign in with your NextDNS account. Choose the configuration (Family Filter or whatever you named it).
  3. Tap Download Profile. iOS prompts to allow the download.
  4. Open Settings → General → VPN, DNS & Device Management (on iOS 16 and later — older versions call it "Profiles & Device Management").
  5. Tap the NextDNS profile that appears under "Downloaded Profile."
  6. Tap Install, enter the device passcode, tap Install again, then Done.

Verify it's working

Open Safari on the kid's phone and go to test.nextdns.io. You should see a green banner confirming NextDNS is active and showing your configuration ID. Then try to visit any porn site or a known bypass service like 2bypass.com. You should see a NextDNS block page.

Lock it down — prevent bypass

The profile can be removed from Settings if you don't lock it:

  1. Settings → Screen Time → Content & Privacy Restrictions (requires your Screen Time passcode)
  2. Toggle Content & Privacy Restrictions ON
  3. Scroll to the Allow Changes section
  4. VPN & DNS → tap → Don't Allow Changes

With this setting, the NextDNS profile is frozen in place. The kid cannot remove it, modify it, or install a competing VPN profile to tunnel around it. Only you (with the Screen Time passcode) can.


Setup Part 3 — Deploy to the kid's phone (Android)

Android has two deployment options. Use the first unless your kid has an older phone.

Option A: Android Private DNS (Android 9+, recommended)

Android's built-in Private DNS feature is the cleanest way to deploy NextDNS — no app, no always-on VPN profile, no battery impact.

  1. On NextDNS, go to the Setup tab and scroll to Android. Note the hostname, which looks like [your-config-id].dns.nextdns.io.
  2. On the kid's Android phone, open Settings → Network & internet → Private DNS (path varies slightly by manufacturer — Samsung buries it under Connections → More connection settings → Private DNS).
  3. Select Private DNS provider hostname.
  4. Paste your hostname from step 1.
  5. Tap Save.

Verify: open a browser on the kid's phone and go to test.nextdns.io. You should see the green banner.

Lock it down: in Family Link → Controls → Restrict apps & games, deny the kid access to the Settings → Network submenu if Family Link offers that granularity (newer versions do). At minimum, require your approval for any new app install, which prevents the kid from adding a competing Private DNS configurator.

Option B: NextDNS Android app (Android 8 and older, or when Private DNS isn't available)

  1. Install the NextDNS app from the Play Store on the kid's phone.
  2. Sign in. Select your configuration.
  3. Tap Enable. The app requests VPN permission — this is because Android delivers system-wide DNS override via a local VPN connection. Grant it.
  4. In Family Link, disable the kid's ability to disable the VPN — this is under Family Link → Controls → device restrictions.

Verify and lock

Same test: visit test.nextdns.io from a browser. If you don't see the green banner, the setup isn't working.


Setup Part 4 — Deploy at your router

This is the layer that covers every device on your home network — guest phones, Switches, Xboxes, smart TVs, the Alexa in the kitchen. Deploying at the router is strictly additive to deploying on the phone: when the kid is on cellular or a friend's Wi-Fi, only the phone config protects them, so both layers matter.

Router compatibility varies drastically by brand. Quick reference:

Router / Brand                       NextDNS support    Notes
UniFi (UDM/UDR/UCG)                  Full               See our separate UniFi Parental Controls guide
pfSense / OPNsense                   Full               Custom DNS, DoT, and DoH all supported natively
ASUS (most models)                   DNS only           Enter NextDNS endpoints in WAN → DNS; no DoH
Netgear Nighthawk                    DNS only           Same pattern as ASUS
TP-Link (most)                       DNS only           Same pattern
eero                                 None               No custom DNS at all; DNS filtering comes from their paid eero Plus
Nest Wifi / Google Wifi              None               No custom DNS
Orbi                                 DNS only, limited  Some firmware versions only
ISP modem/router (Xfinity, Verizon)  None               Bridge-mode it and put a real router behind it

For routers that support it, use the IPv4 and IPv6 addresses from your NextDNS setup page, or — on capable routers — use the DoH/DoT endpoint ([config-id].dns.nextdns.io) which is more resistant to tampering.

For unsupported routers (eero, Nest, Google Wifi, ISP-provided), your options are:

  1. Deploy at the device level only. Install NextDNS on every device individually. Works, but tedious and leaves visitors unfiltered.
  2. Put a real router behind the ISP/mesh router. Bridge-mode the ISP gear, hang a UniFi Dream Router or pfSense box off it. Adds $100–400 of hardware.
  3. Use a DNS-capable Pi-hole in front. Works but adds complexity.

Setup Part 5 — Chromebooks (the uncomfortable truth)

School-issued Chromebooks are largely outside your parental control. They're managed by the school's IT department via Google Workspace for Education, which means:

  • The DNS is locked to whatever the school configured (often a filtered service like Securly or GoGuardian).
  • You cannot install NextDNS profiles, change Private DNS, or override DNS at the device level.
  • If the Chromebook connects to your Wi-Fi, your router's NextDNS config applies to the extent the Chromebook honors the router's DHCP DNS — which some school images override.

What you can realistically do:

  • Deploy NextDNS at the router level. Most school-managed Chromebooks accept the DNS pushed by DHCP when on Wi-Fi, even though they may still force DoH to the school's service.
  • Accept that the Chromebook is a school device with school rules, and focus parental controls on the kid's personal phone and home devices.
  • If the Chromebook allows a second, personal Google account profile, that profile will typically respect your filtering more than the managed school profile.

Personal (non-school) Chromebooks support NextDNS: go to chrome://settings/security → "Use secure DNS" → Custom and enter https://dns.nextdns.io/[your-config-id].


Close the browser DoH bypass

This is the gap most parental control guides miss, and it's the most common technical bypass a 13-year-old will find within a month.

The problem: Modern browsers (Firefox, Chrome, Brave, Edge) ship with DNS-over-HTTPS (DoH) built in. By default, these browsers can route DNS queries directly to Cloudflare, Google, or Mozilla — bypassing whatever DNS the device is configured to use, including NextDNS. If your kid installs Firefox, your carefully-configured NextDNS setup can be neutralized in three clicks.

The three fixes, layered:

  1. Enable "Block Bypass Methods" in NextDNS Parental Control. Turning this on blocks the known DoH endpoints (Cloudflare, Google, Mozilla, Quad9) at the NextDNS level. Most consumer browsers that encounter blocked DoH endpoints fall back to system DNS — which is NextDNS. Problem solved for most cases.
  2. Block alternate browser installs via Screen Time / Family Link. If the kid can only use Safari (iOS) or Chrome (Android default), and those browsers are configured to use system DNS, there's nothing to bypass.
  3. At the router layer (if you're deploying at the router): block outbound traffic to Cloudflare's 1.1.1.1 and 1.0.0.1 and to Google's 8.8.8.8 and 8.8.4.4 on ports 443 (DoH) and 853 (DNS-over-TLS). This stops DoH at the network level. This is covered in depth in the UniFi Parental Controls guide; apply the same principle to whatever router you have.

The combination of fixes 1 and 2 stops this bypass for 95% of kids. Fix 3 closes the remaining 5%.


Common bypass attempts — what works, what doesn't

Ranked by how often kids try them:

  1. "I'll just open Firefox." → Closed by the DoH fixes above.
  2. "I'll install a VPN." → Closed by NextDNS "Block Bypass Methods" + Screen Time/Family Link blocking VPN app installs.
  3. "I'll use cellular, not Wi-Fi." → Doesn't help them if NextDNS is installed as a profile on the phone (iOS) or set as Private DNS (Android). The filter follows the device.
  4. "I'll change DNS manually in Settings." → Closed by the Screen Time "Don't Allow Changes" lock on iOS; partial close via Family Link restrictions on Android.
  5. "I'll use a friend's phone." → Can't be beaten technically. This is a conversation, not a config.
  6. "I'll factory reset the phone." → A factory reset removes profiles. On iOS, you (as Family Sharing organizer) can require your Apple ID approval for any reset. On Android, a reset requires your approval if Family Link is set up properly. The restore process will prompt for the Apple ID or Google account password, which the kid doesn't have.

What NextDNS doesn't do

It blocks domains. That's it.

  • It will not read messages, flag cyberbullying, or surface predator interactions. That's what Bark does.
  • It will not enforce time limits on specific apps. That's what Screen Time and Family Link do.
  • It will not catch in-app content that comes from a domain you've allowed. If you allow Instagram, NextDNS doesn't know what's shown inside Instagram.
  • It will not prevent a kid from seeing content a friend shows them on another device.

The layered stack I run at home:

  • NextDNS — content filtering and visibility (what domains were reached)
  • Apple Screen Time / Google Family Link — time limits, app install approval, device restrictions
  • Bark — conversational monitoring across messages, email, social (if warranted by age / platform access)

Each layer has a different job. No single one is enough.


Gotchas and things worth knowing

A few things the docs don't emphasize but every family-filtering config runs into:

  • Recreation Times defaults to UTC. If your schedules seem to fire at weird hours, check the timezone setting — NextDNS uses UTC by default, not your local time.
  • "Block Newly Registered Domains" is more aggressive than it sounds. Legitimate SaaS tools register new domains constantly. Expect to allowlist things frequently in the first month; it settles down after that.
  • YouTube Restricted Mode from the DNS layer can block legitimate educational content. Khan Academy videos, coding tutorials, and some school resources occasionally get flagged. Have an allowlist workflow ready.
  • If you and your kid share one NextDNS config, your activity mixes with theirs. Your searches show up in the same analytics view. Use the Pro (Family) plan for separate configs per person, or deploy NextDNS only on kids' devices.
  • The iOS profile occasionally breaks after major iOS updates. Check test.nextdns.io once a month from the kid's phone. If it's broken, reinstall the profile — takes 30 seconds.
  • Apple Private Relay bypasses NextDNS. If the kid's iCloud account has Private Relay enabled, DNS goes through Apple's servers instead of yours. Disable it via Screen Time → Content & Privacy Restrictions, or in the child's iCloud+ settings.
  • TikTok plays hide-and-seek with DNS blocking. The app probes for DNS filtering and rotates backend endpoints. Blocking tiktok.com alone isn't enough — enable the TikTok service block in NextDNS Parental Controls for reliable coverage.
  • Some apps use hardcoded DoH. Signal, WhatsApp, and a handful of others bake DNS-over-HTTPS directly into the app. "Block Bypass Methods" catches most of these but not all. Not usually a parenting problem — just a transparency caveat so you're not surprised when one slips through.

What to watch in the first 30 days

Your first month with NextDNS deployed is the most informative one you'll have. Some things worth doing:

  • Days 1–3: Check analytics daily. You'll see every app phoning home that you didn't know was installed. Start a running list of things you want to bring up — not as an interrogation, as curiosity.
  • Week 1: Watch the blocked-query log. A sudden burst of blocked queries to one domain is almost always a bypass attempt. A low, steady trickle is usually just an app's ad SDK hitting trackers — safe to ignore.
  • Week 2: Tag your devices. In NextDNS, default client names are cryptic (iPhone-14-abc). Rename them clearly ("Kid 1 iPhone," "Kid 2 iPad") so log-reading is actually useful.
  • Week 3: Clean up the lists. You'll have accumulated false-positive allowlist entries and a few things you wish you'd blocked. Prune and add.
  • Week 4: Enable the weekly digest email (Settings → Notifications). It's a 2-minute read and keeps you aware without daily log-diving.
  • Ongoing: Friday evenings and Saturday mornings are the signal windows. That's when teenage bypass attempts spike. If you see something interesting, that's conversation material, not punishment material.
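
The checks in the Analytics section and in the first-30-days list above (burst versus trickle of blocked queries, 2am activity per device, never-seen domains) can be scripted against an exported query log. This is an added example, not code from NextDNS or from the original guide; the CSV column names, status values, thresholds and .example domains are assumptions, and the sample log is constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed export columns (not NextDNS's documented schema): timestamp, domain, device, status.

def parse_log(text):
    """Parse the CSV into rows sorted by time; timestamps are ISO 8601 with a UTC offset."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["timestamp"] = datetime.fromisoformat(rec["timestamp"])
        rec["domain"] = rec["domain"].strip().lower().rstrip(".")
        rows.append(rec)
    return sorted(rows, key=lambda r: r["timestamp"])

def peak_in_window(times, window):
    """Largest number of events inside any sliding window of the given length."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def triage(rows, known_domains, burst=20, window=timedelta(minutes=10),
           night=(0, 5), utc_offset_hours=0):
    """Split blocked queries into bursts and trickle; flag night activity and new domains."""
    local = timezone(timedelta(hours=utc_offset_hours))
    blocked = defaultdict(list)      # (device, domain) -> times of blocked queries
    night_counts = defaultdict(int)  # device -> queries made during local night hours
    new_domains = set()
    for r in rows:
        if r["status"] == "blocked":
            blocked[(r["device"], r["domain"])].append(r["timestamp"])
        if night[0] <= r["timestamp"].astimezone(local).hour < night[1]:
            night_counts[r["device"]] += 1
        if r["domain"] not in known_domains:
            new_domains.add(r["domain"])
    bursts, trickle = {}, {}
    for key, times in blocked.items():
        target = bursts if peak_in_window(times, window) >= burst else trickle
        target[key] = len(times)
    return {"bursts": bursts, "trickle": trickle,
            "night": dict(night_counts), "new_domains": sorted(new_domains)}

def build_sample():
    """Constructed sample log (not real data): a burst, a trickle and a 2am spike."""
    t0 = datetime(2026, 4, 24, 22, 40, tzinfo=timezone.utc)  # Friday evening, UTC
    t1 = datetime(2026, 4, 25, 2, 10, tzinfo=timezone.utc)
    out = ["timestamp,domain,device,status"]
    for i in range(40):  # 40 blocked lookups in four minutes
        ts = (t0 + timedelta(seconds=6 * i)).isoformat()
        out.append(f"{ts},vpn-provider.example,Kid 1 iPhone,blocked")
    for i in range(5):   # one blocked tracker lookup every three hours
        ts = (t0 - timedelta(hours=3 * i)).isoformat()
        out.append(f"{ts},ads.tracker.example,Kid 2 iPad,blocked")
    for i in range(12):  # allowed lookups to a never-seen domain at 02:10 UTC
        ts = (t1 + timedelta(seconds=5 * i)).isoformat()
        out.append(f"{ts},vault-backend.example,Kid 1 iPhone,allowed")
    out.append("2026-04-24T16:05:00+00:00,youtube.com,Kid 2 iPad,allowed")
    return "\n".join(out)

if __name__ == "__main__":
    report = triage(parse_log(build_sample()), {"youtube.com", "ads.tracker.example"})
    for section, value in report.items():
        print(section, value)
```

Set utc_offset_hours to your own timezone: with the default of 0 the night-hours check is evaluated in UTC, so the same log can show a 2am spike or none at all depending on the offset.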

Quick setup time budget

If you're doing this tonight after the kids are asleep:

  • Account creation + configuration: 20 minutes
  • Deploy on kid's phone (iOS or Android): 10 minutes
  • Deploy on router: 10–30 minutes depending on router
  • Verify and lock settings: 10 minutes
  • Read first 24 hours of logs: 15 minutes (do this tomorrow)

Total: about an hour, spread across two days.


Bottom line

NextDNS is a $2/month parental control that's more effective than most $15/month parental controls. It's not a replacement for conversation, monitoring, or native OS controls — but as the foundation of a filtering stack, it's the best value in this space by a wide margin.

Most parents don't know it exists because it doesn't advertise. Now you do. Deploy it tonight. Check the analytics tomorrow. Be quietly surprised.


Want to take this further with router-level filtering? Read our UniFi Parental Controls guide.

No affiliate relationship with NextDNS. I pay for my own subscription.
