Secure NextDNS with cnspec

Scan NextDNS profiles against security and compliance best practices with cnspec.

Scan your NextDNS account to find security risks before they become incidents. cnspec evaluates each DNS profile's threat-intelligence feeds, safe-browsing and malware protections, privacy blocklists, parental controls, query-logging settings, allow and deny lists, and other NextDNS controls.

If you're new to cnspec, start with the Quickstart. For an overview of every SaaS service cnspec can scan, see the SaaS scanning overview.

Prerequisites

To test your NextDNS account with cnspec, you must have:

Give cnspec access using a NextDNS API key

cnspec connects to the NextDNS management API using your account API key. The key grants read access to every profile the account owns.

To find your API key:

  1. Sign in to the NextDNS account page.
  2. Scroll to the API section.
  3. Copy the API key value.

Configure the NEXTDNS_API_KEY environment variable

You can supply your key to cnspec using an environment variable. This avoids passing it on the command line with every command.

On Linux / macOS:

export NEXTDNS_API_KEY=YOUR_API_KEY

On Windows, using PowerShell:

$Env:NEXTDNS_API_KEY = "YOUR_API_KEY"

When NEXTDNS_API_KEY is set, you can omit the --api-key flag from all the commands below.

Test your connection

Before running a full scan, verify that your key works by opening a cnspec shell:

cnspec shell nextdns --api-key YOUR_API_KEY
cnspec> nextdns.profiles { id name }
nextdns.profiles: [
  0: { id: "abc123" name: "Home" }
  1: { id: "def456" name: "Office" }
]

If you see your profiles listed, cnspec is connected and ready to scan.

Scan NextDNS

To scan your NextDNS account:

cnspec scan nextdns --api-key YOUR_API_KEY

cnspec discovers every profile the API key can access and scans each one. To scan only a subset, use the --discover flag with accounts or profiles.

Understand scan output

When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result. For example:

✓ Pass:  Ensure NextDNS threat intelligence feeds are enabled
✕ Fail:  Ensure query logging drops client IP addresses
✓ Pass:  Ensure Google Safe Browsing is enabled

At the end of the output, cnspec shows a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues. To learn more about reading scan results, read Understand cnspec Results.

Scan with the Mondoo NextDNS Security policy

Mondoo maintains an out-of-the-box NextDNS Security policy that checks threat-intelligence feeds, safe-browsing and malware protections, privacy blocklists, parental controls, query-logging settings, and more.

Mondoo Platform users: Enable the policy in your space. In the Mondoo App, go to Findings > Policies, search for "NextDNS", and add the policy. All future scans of your NextDNS account automatically evaluate against it. To learn more, read Manage policies in Mondoo Platform.

Open source users: Pass the policy bundle URL directly to cnspec:

cnspec scan nextdns --api-key YOUR_API_KEY \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-nextdns-security.mql.yaml

You can also write your own policy against the NextDNS resources cnspec exposes to meet your specific requirements.
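A custom policy bundle that packages the shell checks shown later on this page, added here as an example and not Mondoo's published bundle; the policy and query uids, the policy name, the authors entry and the impact values are assumptions, while the MQL is the same as the checks on this page.

```yaml
# Added example: a minimal custom cnspec policy bundle for NextDNS.
# The uids, name, authors entry and impact values are assumptions;
# the MQL expressions are the checks documented on this page.
# Save as nextdns-baseline.mql.yaml and run:
#   cnspec scan nextdns --policy-bundle nextdns-baseline.mql.yaml
policies:
  - uid: custom-nextdns-baseline
    name: Custom NextDNS baseline
    version: 1.0.0
    authors:
      - name: Security Engineering (placeholder)
    groups:
      - title: DNS threat protection
        checks:
          - uid: nextdns-threat-intel-enabled
          - uid: nextdns-safe-browsing-enabled
          - uid: nextdns-nrd-blocked
      - title: Query log privacy
        checks:
          - uid: nextdns-logs-drop-client-ip

queries:
  - uid: nextdns-threat-intel-enabled
    title: Ensure NextDNS threat intelligence feeds are enabled
    impact: 80
    mql: nextdns.profiles.all(security.threatIntelligenceFeeds == true)

  - uid: nextdns-safe-browsing-enabled
    title: Ensure Google Safe Browsing is enabled
    impact: 60
    mql: nextdns.profiles.all(security.googleSafeBrowsing == true)

  - uid: nextdns-nrd-blocked
    title: Ensure newly registered domains are blocked
    impact: 50
    mql: nextdns.profiles.all(security.nrd == true)

  - uid: nextdns-logs-drop-client-ip
    title: Ensure query logs drop client IP addresses
    impact: 40
    # Only profiles with query logging enabled are in scope: a profile
    # that does not log cannot retain client IPs, so it must not fail.
    mql: nextdns.profiles.where(settings.logsEnabled == true).all(settings.logsDropIp == true)
```

Each query uid referenced in a group must have a matching entry under queries, otherwise cnspec rejects the bundle.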

Explore your NextDNS account

Run cnspec shell nextdns --api-key YOUR_API_KEY to open the interactive shell.

List all profiles

cnspec> nextdns.profiles { id name }

Inspect a profile's security settings

cnspec> nextdns.profiles.first.security { threatIntelligenceFeeds googleSafeBrowsing cryptojacking nrd }

Inspect a profile's privacy blocklists

cnspec> nextdns.profiles.first.privacy.blocklists { id name entries }

Inspect parental controls

cnspec> nextdns.profiles.first.parentalControl { safeSearch youtubeRestrictedMode blockBypass }

Inspect logging settings

cnspec> nextdns.profiles.first.settings { logsEnabled logsDropIp logsRetention logsLocation }

List denied and allowed domains

cnspec> nextdns.profiles.first.denylist { id active }
cnspec> nextdns.profiles.first.allowlist { id active }

Example security checks

From the cnspec interactive shell, you can run checks like the examples below.

Ensure threat intelligence feeds are enabled

NextDNS threat intelligence feeds block domains associated with malware, phishing, and command-and-control infrastructure. This check confirms they are turned on for every profile:

cnspec> nextdns.profiles.all(security.threatIntelligenceFeeds == true)
[ok] value: true

Ensure Google Safe Browsing is enabled

Google Safe Browsing adds a second source of phishing and malware blocking. This check confirms it is enabled on every profile:

cnspec> nextdns.profiles.all(security.googleSafeBrowsing == true)
[ok] value: true

Ensure newly registered domains are blocked

Newly registered domains (NRDs) are frequently used in phishing and malware campaigns. This check confirms NRD blocking is enabled:

cnspec> nextdns.profiles.all(security.nrd == true)
[ok] value: true

Ensure query logs drop client IP addresses

Dropping client IP addresses from query logs reduces the personal data NextDNS retains. This check confirms IP logging is disabled wherever query logging is on:

cnspec> nextdns.profiles.where(settings.logsEnabled == true).all(settings.logsDropIp == true)
[ok] value: true

Ensure block-bypass methods are blocked

Blocking bypass methods stops VPNs, proxies, Tor, and public resolvers from being used to circumvent NextDNS filtering. This check confirms the protection is enabled:

cnspec> nextdns.profiles.all(settings.blockBypassMethods == true)
[ok] value: true
