allowlist / denylist
NextDNS Blocker provides two command groups for managing domain lists with full CRUD operations: allowlist and denylist.
Command Groups
denylist
Manage NextDNS denylist (blocked domains).
| Subcommand | Description |
|---|---|
| `denylist list` | List all domains in the denylist |
| `denylist add` | Add one or more domains |
| `denylist remove` | Remove one or more domains |
| `denylist export` | Export to JSON or CSV |
| `denylist import` | Import from file |
allowlist
Manage NextDNS allowlist (whitelisted domains).
| Subcommand | Description |
|---|---|
| `allowlist list` | List all domains in the allowlist |
| `allowlist add` | Add one or more domains |
| `allowlist remove` | Remove one or more domains |
| `allowlist export` | Export to JSON or CSV |
| `allowlist import` | Import from file |
denylist Commands
denylist list
List all domains currently in your NextDNS denylist.
```bash
nextdns-blocker denylist list
```
Output:
```
Denylist
Domain            Active
────────────────────────────
reddit.com        Yes
twitter.com       Yes
instagram.com     Yes
tiktok.com        No
Total: 4 domains
```
denylist add
Add one or more domains to the denylist.
```bash
nextdns-blocker denylist add DOMAIN [DOMAIN ...]
```
Example:
```bash
nextdns-blocker denylist add reddit.com twitter.com instagram.com
```
Output:
```
  + reddit.com
  + twitter.com
  + instagram.com
Added 3 domain(s) to denylist
```
denylist remove
Remove one or more domains from the denylist.
```bash
nextdns-blocker denylist remove DOMAIN [DOMAIN ...]
```
Example:
```bash
nextdns-blocker denylist remove reddit.com
```
Output:
```
  - reddit.com
Removed 1 domain(s) from denylist
```
denylist export
Export denylist to a file.
```bash
nextdns-blocker denylist export [--format json|csv] [-o FILE]
```
Options:
| Option | Default | Description |
|---|---|---|
| `--format` | `json` | Output format (json or csv) |
| `-o, --output` | stdout | Output file path |
Examples:
```bash
# Export to JSON file
nextdns-blocker denylist export -o denylist.json
# Export to CSV
nextdns-blocker denylist export --format csv -o denylist.csv
# Print to stdout
nextdns-blocker denylist export
```
JSON format:
```json
[
  {"domain": "reddit.com", "active": true},
  {"domain": "twitter.com", "active": true}
]
```
CSV format:
```csv
domain,active
reddit.com,True
twitter.com,True
```
denylist import
Import domains from a file.
```bash
nextdns-blocker denylist import FILE [--dry-run]
```
Options:
| Option | Description |
|---|---|
| `--dry-run` | Preview what would be imported |
Supported formats:
- JSON: Array of strings or objects with `domain` field
- CSV: Must have `domain` column, optional `active` column
- Plain text: One domain per line (lines starting with `#` are ignored)
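A pre-import check for the three supported formats, as an added example that is not part of nextdns-blocker's own code: it parses a file body and separates usable entries from malformed names before `denylist import` is run. The hostname rule, the default of `active` to true, the duplicate handling and the function names are assumptions.

```python
import csv
import io
import json
import re

# Assumed hostname rule (LDH labels, at least two labels); not the tool's own validator.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def is_valid_domain(name):
    labels = name.split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(_LABEL.fullmatch(l) for l in labels)


def parse_import(text, fmt):
    """Parse an import file body; fmt is 'json', 'csv' or 'txt'. Returns (entries, rejected)."""
    raw = []
    if fmt == "json":
        for item in json.loads(text):
            if isinstance(item, dict):  # object with a `domain` field
                raw.append((item.get("domain", ""), bool(item.get("active", True))))
            else:  # bare string; any other type is rejected below
                raw.append((item, True))
    elif fmt == "csv":
        reader = csv.DictReader(io.StringIO(text))
        if "domain" not in (reader.fieldnames or []):
            raise ValueError("CSV must have a 'domain' column")
        for row in reader:
            flag = (row.get("active") or "true").strip().lower()
            raw.append((row["domain"], flag in ("true", "1", "yes")))
    elif fmt == "txt":
        for line in text.splitlines():
            if line.strip() and not line.lstrip().startswith("#"):
                raw.append((line, True))
    else:
        raise ValueError(f"unsupported format: {fmt}")

    entries, rejected, seen = [], [], set()
    for name, active in raw:
        domain = str(name).strip().lower().rstrip(".")
        if not is_valid_domain(domain):
            rejected.append(name)
        elif domain not in seen:  # drop duplicates within the file
            seen.add(domain)
            entries.append({"domain": domain, "active": active})
    return entries, rejected


# Constructed sample: a plain-text list with a comment, a duplicate and a bad name.
SAMPLE_TXT = "# social\nreddit.com\nReddit.com\n-bad-.com\ntwitter.com\n"
```
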
Examples:
```bash
# Preview import
nextdns-blocker denylist import domains.json --dry-run
# Import from file
nextdns-blocker denylist import domains.txt
```
Output:
```
Importing 25 domains...
  Added: 20
  Skipped (existing): 5
  Failed: 0
```
allowlist Commands
allowlist list
List all domains currently in your NextDNS allowlist.
```bash
nextdns-blocker allowlist list
```
Output:
```
Allowlist
Domain            Active
────────────────────────────
aws.amazon.com    Yes
github.com        Yes
Total: 2 domains
```
allowlist add
Add one or more domains to the allowlist.
```bash
nextdns-blocker allowlist add DOMAIN [DOMAIN ...]
```
Example:
```bash
nextdns-blocker allowlist add github.com stackoverflow.com
```
Output:
```
  + github.com
  + stackoverflow.com
Added 2 domain(s) to allowlist
```
allowlist remove
Remove one or more domains from the allowlist.
```bash
nextdns-blocker allowlist remove DOMAIN [DOMAIN ...]
```
Example:
```bash
nextdns-blocker allowlist remove github.com
```
Output:
```
  - github.com
Removed 1 domain(s) from allowlist
```
allowlist export
Export allowlist to a file.
```bash
nextdns-blocker allowlist export [--format json|csv] [-o FILE]
```
Example:
```bash
nextdns-blocker allowlist export -o allowlist.json
```
allowlist import
Import domains from a file.
```bash
nextdns-blocker allowlist import FILE [--dry-run]
```
Example:
```bash
nextdns-blocker allowlist import work-domains.txt
```
Legacy Commands: allow / disallow
The single-domain `allow` and `disallow` commands are still available for quick operations.
Overview
The allowlist is used to:
- Create subdomain exceptions: Allow `aws.amazon.com` while blocking `amazon.com`
- Override category blocks: Allow specific domains blocked by NextDNS categories
- Permanent access: Keep domains always accessible
Add a domain to the allowlist.
```bash
nextdns-blocker allow DOMAIN
```
Example
```bash
nextdns-blocker allow aws.amazon.com
```
Output
```
Adding 'aws.amazon.com' to allowlist...
✓ Domain added to allowlist

Note: This creates a permanent exception.
For scheduled access, edit config.json directly.
```
Behavior
- Adds domain to NextDNS allowlist immediately
- Adds domain to local `config.json` allowlist
- Domain will remain in allowlist across syncs
Scheduled Allowlist
The `allow` command creates permanent (always-allowed) entries. For time-based allowlist entries, edit `config.json`:
```bash
nextdns-blocker config edit
```
```json
{
  "allowlist": [
    {
      "domain": "youtube.com",
      "description": "Evening only",
      "schedule": {
        "available_hours": [
          {
            "days": ["monday", "tuesday", "wednesday", "thursday", "friday"],
            "time_ranges": [{"start": "20:00", "end": "22:30"}]
          }
        ]
      }
    }
  ]
}
```
disallow
Remove a domain from the allowlist.
```bash
nextdns-blocker disallow DOMAIN
```
Example
```bash
nextdns-blocker disallow aws.amazon.com
```
Output
```
Removing 'aws.amazon.com' from allowlist...
✓ Domain removed from allowlist
```
Behavior
- Removes domain from NextDNS allowlist immediately
- Removes domain from local `config.json` allowlist
- Domain is now subject to normal blocking rules
Tab Completion
With shell completion enabled, allowlist domains auto-complete:
```bash
nextdns-blocker disallow aws<TAB>
# Completes to: nextdns-blocker disallow aws.amazon.com
```
Allowlist vs Blocklist Priority
NextDNS processes lists with these priority rules:
| Priority | List | Result |
|---|---|---|
| 1 (Highest) | Allowlist | Domain is ALLOWED |
| 2 | Blocklist/Denylist | Domain is BLOCKED |
| 3 | Category blocks | Domain is BLOCKED |
| 4 | Default | Domain is ALLOWED |
Key Points
- Allowlist always wins over blocklist
- Use for subdomain exceptions
- Use to override category blocks
Use Cases
Subdomain Exception
Block a domain but allow a specific subdomain:
```
# In config.json blocklist
{"domain": "amazon.com", "schedule": null}
# Allow the exception
nextdns-blocker allow aws.amazon.com
```
Result:
- `amazon.com` → Blocked
- `www.amazon.com` → Blocked (inherits from parent)
- `aws.amazon.com` → Allowed (allowlist override)
- `console.aws.amazon.com` → Allowed (inherits from allowlist)
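The priority table and the inheritance results above, modelled as an added example (not NextDNS or nextdns-blocker code) that reports which list decided each name. It assumes parent-domain matching applies at every tier, including category blocks; the function names and sample lists are constructed.

```python
def parents(name):
    """'console.aws.amazon.com' -> the name itself, then each parent up to the TLD."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def decide(name, allowlist, denylist, category_blocked=()):
    """Return (verdict, source, matched_entry) following the page's priority table."""
    chain = parents(name)
    tiers = (
        ("allowlist", set(allowlist), "ALLOWED"),        # priority 1
        ("denylist", set(denylist), "BLOCKED"),          # priority 2
        ("category", set(category_blocked), "BLOCKED"),  # priority 3
    )
    for source, entries, verdict in tiers:
        for candidate in chain:  # most specific name first
            if candidate in entries:
                return verdict, source, candidate
    return "ALLOWED", "default", None                    # priority 4


def trace(names, allowlist, denylist, category_blocked=()):
    """Map each queried name to its decision, for reviewing a planned list change."""
    return {n: decide(n, allowlist, denylist, category_blocked) for n in names}


# Constructed lists mirroring the page's subdomain-exception use case.
ALLOW = ["aws.amazon.com"]
DENY = ["amazon.com"]
CATEGORY = ["youtube.com"]  # assumption: stands in for a blocked category such as "Streaming"
QUERIES = ["amazon.com", "www.amazon.com", "aws.amazon.com",
           "console.aws.amazon.com", "youtube.com", "example.org"]

if __name__ == "__main__":
    for name, (verdict, source, entry) in trace(QUERIES, ALLOW, DENY, CATEGORY).items():
        print(f"{name:26} {verdict:8} via {source} ({entry})")
```
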
Override Category Block
If NextDNS blocks a domain via category (e.g., “Streaming”):
```bash
# Allow a specific streaming site (permanent exception)
nextdns-blocker allow youtube.com
```
Or for scheduled access, edit config:
```json
{
  "allowlist": [
    {
      "domain": "youtube.com",
      "schedule": {
        "available_hours": [
          {
            "days": ["saturday", "sunday"],
            "time_ranges": [{"start": "10:00", "end": "22:00"}]
          }
        ]
      }
    }
  ]
}
```
Work Resources
Keep work-related domains always accessible:
```bash
nextdns-blocker allow docs.google.com
nextdns-blocker allow github.com
nextdns-blocker allow stackoverflow.com
```
Allowlist During Panic Mode
When panic mode is active:
- The `allow` command is hidden
- The `disallow` command is hidden
- Scheduled allowlist sync is skipped
- This prevents bypassing emergency lockdown
After panic expires:
- Commands become available again
- Scheduled allowlist syncing resumes
Viewing Allowlist
Via Status
```bash
nextdns-blocker status
```
Shows:
```
Allowlist (2 domains):
  ✓ aws.amazon.com    ALLOWED (always)
  ✓ youtube.com       ALLOWED (until 22:30)
```
Via Config
```bash
nextdns-blocker config show
```
Shows:
```
Allowlist (2 domains):
  aws.amazon.com
    Description: Work resource
    Schedule: null (always allowed)

  youtube.com
    Description: Evening entertainment
    Schedule: Sat-Sun 10:00-22:00
```
Validation Rules
Cannot Be in Both Lists
A domain cannot be in both blocklist and allowlist:
```bash
# If reddit.com is in blocklist
nextdns-blocker allow reddit.com
```
Output:
```
Error: 'reddit.com' is in the blocklist
Remove from blocklist first, or use a subdomain exception
```
Subdomain Relationships Allowed
You can have:
- `amazon.com` in blocklist
- `aws.amazon.com` in allowlist

This is valid and will show a warning during config load.
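One way to check a configuration against the two rules above before loading it, as an added example rather than the tool's own validator. The top-level `blocklist` key, the function names and the sample config are assumptions; the third finding (an allowlisted parent covering a blocked subdomain) is inferred from the page's rule that the allowlist always wins.

```python
import json


def _domains(entries):
    """Accept bare strings or {'domain': ...} objects; return normalized names."""
    return {(e["domain"] if isinstance(e, dict) else e).lower().rstrip(".") for e in entries}


def lint_lists(config):
    """Return (errors, warnings) for overlaps between blocklist and allowlist."""
    block = _domains(config.get("blocklist", []))
    allow = _domains(config.get("allowlist", []))
    errors, warnings = [], []
    # Rule 1: the same domain may not be in both lists.
    for d in sorted(allow & block):
        errors.append(f"'{d}' is in both blocklist and allowlist")
    for a in sorted(allow - block):
        for b in sorted(block):
            if a.endswith("." + b):
                # Rule 2: valid subdomain exception, surfaced as a warning.
                warnings.append(f"'{a}' is an allowlist exception under blocked '{b}'")
            elif b.endswith("." + a):
                # Inferred: the allowlist wins, so this blocklist entry has no effect.
                warnings.append(f"allowlisted '{a}' overrides blocked subdomain '{b}'")
    return errors, warnings


# Constructed sample config; only the fields this check reads are included.
SAMPLE_CONFIG = json.loads("""
{
  "blocklist": [
    {"domain": "amazon.com", "schedule": null},
    {"domain": "reddit.com", "schedule": null},
    {"domain": "ads.example.com", "schedule": null}
  ],
  "allowlist": [
    {"domain": "aws.amazon.com"},
    {"domain": "reddit.com"},
    {"domain": "example.com"}
  ]
}
""")

if __name__ == "__main__":
    errs, warns = lint_lists(SAMPLE_CONFIG)
    for line in [f"ERROR: {e}" for e in errs] + [f"WARN:  {w}" for w in warns]:
        print(line)
```
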
Troubleshooting
Domain still blocked after allow
- Check if domain is in blocklist:
  ```bash
  nextdns-blocker config show | grep <domain>
  ```
- Clear DNS cache:
  ```bash
  # macOS
  sudo dscacheutil -flushcache
  # Linux
  sudo systemctl restart systemd-resolved
  # Windows
  ipconfig /flushdns
  ```
- Force sync:
  ```bash
  nextdns-blocker config push
  ```
allow command hidden
Panic mode is active. Check status:
```bash
nextdns-blocker panic status
```
Wait for panic to expire.
Domain not in allowlist after allow
Check for API errors:
```bash
nextdns-blocker config push --verbose
```
Verify credentials:
```bash
nextdns-blocker init
```