🌐 Languages: English | Русский
Allows to set Redirect and Block rules to your Cloudflare and NextDNS accounts.
Ready-to-run via GitHub Actions. Video guide
| NextDNS | Cloudflare | |
|---|---|---|
| DNS Query Limit | 300,000 per month | 100,000 per day |
| IPv4 Restrictions | DNS queries are limited to a single IP address (can be changed) | DNS queries are strictly limited to a single IP address (automatically assigned by Cloudflare and cannot be changed) |
| DoH / DoT / IPv6 | Unlimited | Unlimited |
| Setup API Limits | 60 requests per minute | Unlimited |
| General Limitations | None | Infrastructure is blocked by Roskomnadzor (availability issues in Russia) |
| Advantages | Built-in ad and tracker blocking options | More reliable and fast infrastructure |
In summary: if you are located in Russia, NextDNS is your only viable option due to Roskomnadzor restrictions.
If you are in another country, Cloudflare offers more generous limits on the free plan. Tracker and ad blocking can also
be enabled by providing a domain blocklist in BLOCK, for example: https://small.oisd.nl/domainswild2
Use the configurator https://dns-conf-ui.vercel.app in Quick mode. It will automatically configure your DNS profile and perform all required GitHub setup steps.
You only need to sign in with GitHub and provide CLIENT_ID and AUTH_SECRET. More details on where to find these values here: Setup credentials
Setup exclude redirects (optional)
-
Generate API KEY, from https://my.nextdns.io/account and set as environment variable
AUTH_SECRET -
Click on NextDNS logo. On the opened page, copy ID from Endpoints section. Set it as environment variable
CLIENT_ID
- After signing up into a Cloudflare, navigate to Zero Trust tab and create an account.
- Free Plan has decent limits, so just choose it.
- Skip providing payment method step by choosing Cancel and exit (top right corner)
- Go back to Zero Trust tab
- Create a Cloudflare API token, from https://dash.cloudflare.com/profile/api-tokens
with 2 permissions:
Account.Zero Trust : Edit
Account.Account Firewall Access Rules : Edit
Set API token to environment variable AUTH_SECRET
- Get your Account ID from : https://dash.cloudflare.com/?to=/:account/workers
Set Account ID to environment variable CLIENT_ID
Set environment variable DNS with DNS provider name (Cloudflare or NextDNS)
Each data source must be a link to a hosts file, e.g. https://raw.githubusercontent.com/Internet-Helper/GeoHideDNS/refs/heads/main/hosts/hosts
You can provide multiple sources split by coma: https://first.com/hosts,https://second.com/hosts
Set sources to environment variable REDIRECT
Script will parse sources, filtering out redirects to 0.0.0.0 and 127.0.0.1
Thus, parsing lines:
0.0.0.0 domain.to.block
1.2.3.4 domain.to.redirect
127.0.0.1 another.to.block
will keep only 1.2.3.4 domain.to.redirect for the further redirect processing.
- Redirect priority follows sources order. If domain appears more than one time, the first only IP will be applied.
Set sources to environment variable BLOCK
Script will parse sources, keeping only redirects to 0.0.0.0, 127.0.0.1, ::1, and also lines containing domain only.
Thus, parsing lines
1.2.3.4 domain.to.redirect
0.0.0.0 domain.to.block
127.0.0.1 another.to.block
::1 ipv6.to.block
no-ip.just.domain
will keep only
domain.to.block
another.to.block
no-ip.just.domain
ipv6.to.block
for the further block processing.
- You may want to provide the same source for both
BLOCKandREDIRECTfor Cloudflare. - For NextDNS, the best option might be to set
REDIRECTonly, and then manually choose any blocklists at the Privacy tab.
Put domains to environment variable EXCLUDE_REDIRECT separated by coma, e.g. instagram.com,twitch.com
These domains and their subdomains:
- will be removed from existing redirect rules;
- won't be added with new ones.
All profiles get similar settings. That means BLOCK, REDIRECT and EXCLUDE_REDIRECT are shared.
Put your profiles separated by coma without whitespace into related environment variables. E.g., two NextDNS profiles must be set as shown:
AUTH_SECREThas:secret_NextDns_1,secret_NextDns_2CLIENT_IDhasclient_id_NextDns_1,client_id_NextDns_2
In addition to setting above, list provider for each profile in environment variable DNS. For example:
DNShas:NEXTDNS,CLOUDFLARE,NEXTDNSAUTH_SECREThas:secret_NextDns_1,secret_Cloudflare_1,secret_NextDns_2CLIENT_IDhasclient_id_NextDns_1,client_id_Cloudflare_1,client_id_NextDns_2
Previously generated data will be removed. Script recognizes old data by marks:
- Name prefix for List: Blocked websites by script and Override websites by script
- Name prefix for Rule: Rules set by script
- Different Session id. Session id is stored in a description field.
After removing old data, new lists and rules will be generated and applied.
If you want to clear Cloudflare block/redirect settings, launch the script without providing sources in related *
environment variables*. E.g. providing no value for environment variable BLOCK will cause removing old related
data: lists and rules used to setup blocks.
For REDIRECT:
- Existing domain will be updated if redirect IP has changed
- If new domains are provided, they will be added
- The rest redirect settings are kept untouched
For BLOCK:
- If new domains are provided, they will be added
- The rest block settings are kept untouched
Previously generated data is removed ONLY when both BLOCK and REDIRECT sources were not provided.
Step-by-step video guide: REDIRECT for NextDNS
- Fork repository
- Go Settings => Environments
- Create New environment with name
DNS - Provide
AUTH_SECRETandCLIENT_IDto Environment secrets - Provide
DNS,REDIRECT,BLOCKandEXCLUDE_REDIRECTto Environment variables
- The action will be launched every day at 01:30 UTC. To set another time, change cron at
.github/workflows/github_action.yml - You can run the action manually via
Run workflowbutton: switch to Actions tab and choose workflow named DNS Block&Redirect Configurer cron task