After winning the SGW with NextDNS on the router, enjoy some well-deserved late night downtime!!✨
This quick guide shows how to give your Fedora workstation its own personal NextDNS profile — globally enforced via a clean systemd-resolved drop-in file using DNS-over-TLS (DoT). No GNOME GUI fiddling, no NetworkManager overrides, no ghosts from Past You.
Perfect for when the router’s DNS is treating you like a naughty 12-year-old, but you just want privacy, ad-blocking, and unrestricted access. 😎
Why Bother? (The Personal Profile Win)
My router runs a strict NextDNS config for the boys’ endless Roblox gardens and YouTube black holes.
But my Core i7 Fedora 43 battlewagon? It needed:
- Aggressive privacy + tracker blocking without bedtime schedules
- No game bans or “recreation time” nonsense
- Global enforcement so it ignores the router’s kid-friendly DNS entirely
NextDNS makes this dead simple with unlimited configurations. Create one (I called mine “Lachie Fed43”, but you do you!!), copy its unique DoT endpoint, and wire it directly into systemd-resolved.
Result: Your laptop talks to your NextDNS profile. The router’s kid filters never even get a vote. 🎯
Step-by-Step: Global NextDNS DoT on Fedora 43
1. Get Your Personal NextDNS Endpoint
- Log into my.nextdns.io
- Create a new Configuration (or use an existing one that’s “for the adults”)
- Go to Setup → Linux (systemd-resolved)
- Copy your unique DoT endpoint (looks like abc123.dns.nextdns.io)
- Note the IP addresses listed there too
Device naming tip: NextDNS converts spaces to -- (dashes). “Lachie Fed43” becomes Lachie--Fed43-abc123.dns.nextdns.io.
2. Create the Drop-in Config File
Fire up nano in the systemd-resolved drop-ins directory:
sudo nano /etc/systemd/resolved.conf.d/nextdns.conf
Paste this exact template (replace with your IPs and endpoint; the [Resolve] section header is required, otherwise systemd-resolved ignores the settings in the drop-in):
[Resolve]
# Use NextDNS IP addresses with your unique device identifier endpoint
DNS=45.90.28.0#Lachie--Fed43-abc123.dns.nextdns.io 45.90.30.0#Lachie--Fed43-abc123.dns.nextdns.io
DNS=2a07:a8c0::#Lachie--Fed43-abc123.dns.nextdns.io 2a07:a8c1::#Lachie--Fed43-abc123.dns.nextdns.io
# Enforce DNS-over-TLS
DNSOverTLS=yes
# Direct ALL DNS traffic globally to these servers (overrides DHCP/router)
Domains=~.
Key bits explained:
- 45.90.28.0#your-endpoint.dns.nextdns.io — The # tells systemd-resolved to use DoT to that specific hostname
- Domains=~. — The magic. Forces all domains through these servers, ignoring router DHCP DNS completely
- IPv4 + IPv6 for maximum compatibility
Save and exit (Ctrl+O, Enter, Ctrl+X).
3. Apply & Restart
Reload the magic:
sudo systemctl restart systemd-resolved
4. Verify It’s Working
Check the global status:
resolvectl status
Under Global, you should see:
Protocols: LLMNR=resolve -mDNS +DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Current DNS Server: 45.90.28.0#Lachie--Fed43-abc123.dns.nextdns.io
DNS Servers: 45.90.28.0#Lachie--Fed43-abc123.dns.nextdns.io 45.90.30.0#Lachie--Fed43-abc123.dns.nextdns.io 2a07:a8c0::#Lachie--Fed43-abc123.dns.nextdns.io 2a07:a8c1::#Lachie--Fed43-abc123.dns.nextdns.io
DNS Domain: ~.
5. Confirm on NextDNS Dashboard
Visit your NextDNS Setup page — it should cheer:
✅ All good! This device is using NextDNS with this configuration
Device: Lachie--Fed43
You’ll also see real-time logs from your Fedora laptop hitting your personal profile, separate from the router’s kid lockdown.
Troubleshooting: If It Doesn’t Work
Still seeing router DNS?
Nuke any NetworkManager DNS overrides first (read the names line by line so connections with spaces in their names, like “Wired connection 1”, don’t get split):
nmcli -t -f NAME connection show --active | while IFS= read -r conn; do
  # Clear any static DNS; DHCP DNS stays on the link but Domains=~. in resolved overrides it
  nmcli connection modify "$conn" ipv4.dns "" ipv4.ignore-auto-dns no
  nmcli connection modify "$conn" ipv6.dns "" ipv6.ignore-auto-dns no
  nmcli connection up "$conn"
done
Ensure no other drop-ins are fighting you:
ls /etc/systemd/resolved.conf.d/
Check for ghosts (like my old Cloudflare config):
sudo rm /etc/systemd/resolved.conf.d/99-dns-over-tls.conf # If it exists
sudo systemctl restart systemd-resolved
Test resolution:
dig @45.90.28.0 google.com # Confirms NextDNS is reachable (plain port 53, bypasses resolved and DoT)
resolvectl query example.com # Goes through systemd-resolved; should show DoT in use
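As an added example (my own helper, not code from the post or from NextDNS), here is a small POSIX shell file that covers steps 1–4 above and the “still seeing router DNS?” troubleshooting check in one place: it builds the endpoint hostname from a device name and configuration ID using the naming tip, renders the drop-in (including the [Resolve] header a resolved.conf.d file needs), and inspects pasted resolvectl status output for the three things that must be true. The function names are mine, the configuration ID abc123 is the placeholder from the post, and the two sample status outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Helpers for the NextDNS +
# systemd-resolved setup: build the endpoint name, render the drop-in, and
# sanity-check `resolvectl status` output. Function names are my own; the
# configuration ID abc123 and the sample status text are constructed.

# NextDNS anycast resolver addresses, as listed in the post.
NEXTDNS_V4="45.90.28.0 45.90.30.0"
NEXTDNS_V6="2a07:a8c0:: 2a07:a8c1::"

# "Lachie Fed43" + "abc123" -> Lachie--Fed43-abc123.dns.nextdns.io
# (spaces become "--", per the post's device naming tip).
nextdns_endpoint() {
    name=$(printf '%s' "$1" | sed 's/ /--/g')
    printf '%s-%s.dns.nextdns.io\n' "$name" "$2"
}

# Print the drop-in for an endpoint. The [Resolve] header is required in a
# resolved.conf.d file. Pinning each address to the hostname with '#' makes
# resolved validate the TLS certificate against it and send it as SNI, which
# is how NextDNS knows which device/profile the query belongs to.
render_dropin() {
    ep="$1"
    v4=""; for ip in $NEXTDNS_V4; do v4="$v4${v4:+ }$ip#$ep"; done
    v6=""; for ip in $NEXTDNS_V6; do v6="$v6${v6:+ }$ip#$ep"; done
    printf '[Resolve]\n'
    printf 'DNS=%s\n' "$v4"
    printf 'DNS=%s\n' "$v6"
    printf 'DNSOverTLS=yes\n'
    printf 'Domains=~.\n'
}

# Read `resolvectl status` text on stdin and check its Global section for:
# DoT enabled, "DNS Domain: ~." (all lookups routed here), and every server
# pinned to the endpoint. Prints each problem found; returns 0 only if clean.
check_resolved_status() {
    ep="$1"
    global=$(awk '/^Global/{g=1;next} /^Link /{g=0} g')
    ok=0
    printf '%s\n' "$global" | grep -q '+DNSOverTLS' \
        || { echo "DNSOverTLS is not enabled globally"; ok=1; }
    printf '%s\n' "$global" | grep -q '^ *DNS Domain: ~\.' \
        || { echo "Domains=~. not in effect (router DNS may still win)"; ok=1; }
    servers=$(printf '%s\n' "$global" | sed -n 's/^ *DNS Servers: *//p')
    [ -n "$servers" ] || { echo "no global DNS Servers line"; ok=1; }
    for s in $servers; do
        case "$s" in
            *"#$ep") ;;
            *) echo "server $s is not pinned to $ep"; ok=1 ;;
        esac
    done
    return "$ok"
}

# Constructed sample outputs: a healthy Global section (matching step 4) and
# one where the drop-in was ignored and the router's DHCP DNS is still in use.
SAMPLE_OK='Global
         Protocols: LLMNR=resolve -mDNS +DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
Current DNS Server: 45.90.28.0#Lachie--Fed43-abc123.dns.nextdns.io
       DNS Servers: 45.90.28.0#Lachie--Fed43-abc123.dns.nextdns.io 45.90.30.0#Lachie--Fed43-abc123.dns.nextdns.io
        DNS Domain: ~.

Link 2 (wlp3s0)
       DNS Servers: 192.168.1.1'

SAMPLE_BAD='Global
         Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub

Link 2 (wlp3s0)
       DNS Servers: 192.168.1.1'
```

To use it for real, source the file, then `render_dropin "$(nextdns_endpoint 'Lachie Fed43' abc123)" | sudo tee /etc/systemd/resolved.conf.d/nextdns.conf` writes the drop-in, restart systemd-resolved as in step 3, and `resolvectl status | check_resolved_status "$(nextdns_endpoint 'Lachie Fed43' abc123)"` tells you exactly which of the three conditions is missing instead of leaving you to eyeball the output. The check deliberately looks only at the Global section: a link still listing 192.168.1.1 from DHCP is fine, because Domains=~. at the global level takes precedence over it.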
Why This Beats GUI / NMCLI Methods
- Global, not per-connection: Domains=~. catches everything
- DoT baked in: No extra DNSOverTLS= per server
- Router-proof: DHCP DNS gets completely ignored
- Drop-in clean: Easy to backup, version, or remove (sudo rm nextdns.conf)
As a recovering Windows registry tweaker, this felt like coming home. One config file rules them all. No more GNOME Settings → WiFi → IPv4 → “Why isn’t this applying?” loops. 😄
Pro Tips for Power Users
- Multiple profiles? Create separate drop-ins (nextdns-work.conf, nextdns-home.conf) and enable/disable with systemctl
- Logs & analytics: Watch your Fedora’s unique traffic in real time on the NextDNS dashboard
- Backup: cp /etc/systemd/resolved.conf.d/nextdns.conf ~/dot-backup.conf
- IPv6-only networks: The IPv6 lines ensure you don’t break
Now my Fedora 43 sips from its own privacy-focused NextDNS well while the router keeps the screen goblins in check. Everyone’s happy. Except maybe Roblox’s bottom line. 🎮🚫
The NextDNS free plan has a default allocation of 300k queries per month. I’m using their affiliate link in this article, just so that I can get a few extra DNS queries added to my account.