
Screen Gremlin Wars - Moving to NextDNS from Cloudflare DNS for the WiN!! 🏁

Weaponizing DNS for Household Peace!!

Switching from Cloudflare’s “Family” DNS to NextDNS was the moment I stopped playing DNS on easy mode and levelled up my DNS game - for a chaotic household featuring two screen‑addicted boys, one suspiciously responsible teen daughter, one exhausted ex‑Windows power‑user dad, and a loving momma bear who was getting tired of the SGWs (Screen Gremlin Wars). 🧑‍💻🎮

For years, DNS was just that boring thing you pointed at 1.1.1.2 and forgot. Then the boys discovered Roblox, Fortnite, and the YouTube recommendation algorithm. Now DNS is my primary parenting tool.

Welcome to the story of how I swapped Cloudflare for NextDNS, tightened up the kids’ internet, gave my Fedora 43 laptop its own grown‑up profile, and accidentally discovered that Past Me had hard‑wired Cloudflare into my system and then completely forgotten about it.


When Cloudflare Stopped Being Enough

Back in my “just make it better than the ISP” days, Cloudflare’s malware‑blocking DNS felt like the perfect set‑and‑forget upgrade. 🔧
Point the router at 1.1.1.2, walk away, enjoy slightly faster lookups and some basic malware protection.

Then the boys levelled up.

Meanwhile, my teen daughter is just out here using her devices respectfully.
Homework, messaging friends, occasionally watching something, and then putting the phone down like some sort of functioning adult in training. Did not see that plot twist coming.

Cloudflare’s family DNS is decent: fast, private, with basic malware and adult content filtering.
But “blocks some malware” doesn’t help much when your real issue is:

“My sons are trying to 100% speedrun digital dopamine.”

I needed a DNS service that:


Why NextDNS Won (For This House)

I stumbled across an article describing NextDNS as “the fastest public DNS you’ve never heard of — and more powerful than Cloudflare” and realised it was basically describing my dream setup: Cloudflare‑ish speed, but with knobs, sliders, levers, and a big red “no more Roblox after 8 pm” button.

Here’s what made me switch.

Per-profile everything

NextDNS lets you create multiple configurations, each with its own security, privacy, and parental control settings.

In practice, this turned into:

Each profile has its own unique DNS endpoint or client ID, so devices and routers know which rules to follow.

DNS-level parenting (without nag apps) 🧠

Unlike simple “family” resolvers that just block a few categories, NextDNS stacks proper parental controls on top of DNS:

And the big win:

I am no longer drowning in Google Family Link and Qustodio “please approve this” notifications.

Ain’t nobody got time for that.

Everything is enforced silently at the DNS level. No root‑certificate‑installing weirdness, no per‑device agents constantly breaking things, no pop‑up wars. Just “this domain doesn’t resolve right now, go play outside.”

Privacy, analytics, and nerd knobs

NextDNS also scratches the ex‑Windows‑registry‑tweaker itch:

Cloudflare is still excellent if you just want “fast, private, simple.”
NextDNS is what you reach for when your life has turned into a cross‑over episode of Roblox Addicts Anonymous and Linux Power Users Anonymous.


Parenting With DNS: Silently Taming Screen Goblins 🎯

The real game‑changer wasn’t speed; it was moving control out of the kids’ devices and into the router.

Router + NextDNS = quiet enforcement

Here’s the basic setup:

The result:

If something legit is blocked, I don’t need to argue with Google Family Link or Qustodio. I just:

  1. Open the NextDNS dashboard.
  2. Check what’s being blocked.
  3. Adjust rules or whitelist a domain.

Simple, centralised, and blessedly quiet.

The plot twist: the daughter

Out of the three kids:

So she gets a lighter profile:

The boys? Let’s just say their profile would make corporate firewalls nod in approval.


Fedora 43: Innocent Until Proven Guilty 🐧

Now for the Linux‑specific part of the drama.

I wanted:

So, like any good GNOME user, I started in the GUI:

  1. Opened Wi‑Fi settings.
  2. Went to IPv4 / IPv6 settings.
  3. Entered my shiny new NextDNS DNS servers.
  4. Hit “Apply”.
  5. Ran:

resolvectl status

and it still showed Cloudflare as the resolver.

Flush DNS? Still Cloudflare.
Restart NetworkManager? Still Cloudflare.
At this point I started side‑eyeing Fedora like it was misbehaving.

But Fedora 43 wasn’t the problem.

Fedora 43 was doing exactly what it had been told — by Past Me.

Past Me had, at some point, decided to get fancy with DNS‑over‑TLS and dropped in a config hard‑wiring Cloudflare into the system.
Present Me had completely forgotten that ever happened.

Fedora was being the annoyingly obedient student following instructions I’d left taped to the wall months ago.

Step 1: Reset NetworkManager DNS overrides

First, I reset any DNS overrides for active connections:

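# Read names line by line so connection names containing spaces stay intact
nmcli -t -f NAME connection show --active | while IFS= read -r conn; do
  # Drop manual DNS servers and accept the ones DHCP/RA hands out again
  nmcli connection modify "$conn" ipv4.dns "" ipv4.ignore-auto-dns no
  nmcli connection modify "$conn" ipv6.dns "" ipv6.ignore-auto-dns no
  nmcli connection up "$conn" </dev/null
done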

This puts connections back to “let DHCP provide DNS, don’t force anything custom”.

Step 2: Clean up systemd-resolved main config

Next, I checked /etc/systemd/resolved.conf:

sudo systemctl restart systemd-resolved

Then I pointed /etc/resolv.conf back to the stub resolver:

sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

At this point, resolved.conf was basically empty.
And yet, Cloudflare was still hanging around like some pre‑installed trial antivirus from the Windows XP era.

Step 3: Find the real culprit (Cloudflare ghost)

The breakthrough came from:

resolvectl status

Under the active link (Wi‑Fi), there was a reference to a drop‑in file:

/etc/systemd/resolved.conf.d/99-dns-over-tls.conf

That file was not Fedora freelancing. That was Past Me, manually adding a DNS‑over‑TLS setup pointing straight at Cloudflare and then promptly forgetting it existed.

Fedora 43 wasn’t being “that guy” — it was just patiently obeying old instructions.

So I removed the ghost:

sudo rm /etc/systemd/resolved.conf.d/99-dns-over-tls.conf

Then, for good measure, I reran the cleanup:

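# Read names line by line so connection names containing spaces stay intact
nmcli -t -f NAME connection show --active | while IFS= read -r conn; do
  # Drop manual DNS servers and accept the ones DHCP/RA hands out again
  nmcli connection modify "$conn" ipv4.dns "" ipv4.ignore-auto-dns no
  nmcli connection modify "$conn" ipv6.dns "" ipv6.ignore-auto-dns no
  nmcli connection up "$conn" </dev/null
done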

Followed up by:

sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
sudo systemctl restart systemd-resolved
sudo systemctl restart NetworkManager

After this, resolvectl status finally stopped chanting “Cloudflare” and showed a clean, auto‑configured resolver ready to use whatever I actually pointed it at.
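
The hunt in Step 3 can be scripted. This is an added example, not code from the original post: it scans resolved.conf and the drop-in directories systemd-resolved reads, and prints every uncommented DNS, FallbackDNS, Domains and DNSOverTLS line with its source file. The function names and the sample drop-in contents are constructed for illustration; the post does not show what its 99-dns-over-tls.conf contained.

```shell
#!/bin/sh
# Added example (not from the original post): report every DNS-related
# setting systemd-resolved reads from resolved.conf and its drop-ins.

# Standard systemd config roots; pass other roots as arguments to override.
DEFAULT_ROOTS="/etc/systemd /run/systemd /usr/local/lib/systemd /usr/lib/systemd"

# find_dns_pins [ROOT...]
# Prints "file: Key=value" for each uncommented DNS, FallbackDNS, Domains or
# DNSOverTLS line in ROOT/resolved.conf and ROOT/resolved.conf.d/*.conf.
find_dns_pins() {
    [ "$#" -gt 0 ] || set -- $DEFAULT_ROOTS
    for root in "$@"; do
        for f in "$root/resolved.conf" "$root"/resolved.conf.d/*.conf; do
            [ -f "$f" ] || continue          # also skips an unmatched glob
            # Commented lines start with # or ; and never match the key regex.
            sed -e 's/^[[:space:]]*//' "$f" |
                grep -E '^(DNS|FallbackDNS|Domains|DNSOverTLS)[[:space:]]*=' |
                while IFS= read -r line; do printf '%s: %s\n' "$f" "$line"; done
        done
    done
}

# pins_resolver ADDRESS [ROOT...]
# Exit status 0 if a DNS= or FallbackDNS= line names ADDRESS; the match is
# word-bounded, so 1.1.1.2 does not match 1.1.1.20.
pins_resolver() {
    addr=$1; shift
    find_dns_pins "$@" | grep -E ': (DNS|FallbackDNS)[[:space:]]*=' |
        grep -qwF -- "$addr"
}

# make_sample_root: build a throwaway root holding a CONSTRUCTED drop-in with
# the file name from the post (its real contents are not shown there).
make_sample_root() {
    root=$(mktemp -d) && mkdir -p "$root/resolved.conf.d" || return 1
    printf '%s\n' '[Resolve]' '#DNS=9.9.9.9' \
        'DNS=1.1.1.2#security.cloudflare-dns.com' 'DNSOverTLS=yes' \
        > "$root/resolved.conf.d/99-dns-over-tls.conf"
    printf '%s\n' "$root"
}

# Demo on the constructed sample; run find_dns_pins with no arguments to
# audit the live system instead.
sample=$(make_sample_root) && find_dns_pins "$sample"
rm -rf "$sample"
```

For a built-in view of the same files merged in load order, `systemd-analyze cat-config systemd/resolved.conf` prints the main config followed by each drop-in.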

Step 4: Give Fedora its own grown-up NextDNS profile

With the Cloudflare ghost banished, Fedora 43 behaved exactly as it should:

Fedora 43 wasn’t the villain.
It was just the one machine in the house with a long memory and a strong sense of “you told me to use Cloudflare, don’t yell at me.”


DNS as a Sanity-Preserving Superpower

Where I’ve landed:

For me, NextDNS turned DNS from:

“That invisible thing the router does”

into:

A family policy engine — ad blocker, privacy shield, parental control system, and analytics dashboard rolled into one.

And Fedora 43? It walked away from this story with more credit than anything:

Not bad for a distro running on a battle‑scarred old Core i7 that survived the Windows 8.1 & 10 eras and is TOO OLD n CRAPPY for Win 11 😄

The NextDNS FREE plan has a default allocation of 300k queries per month. I’m using their affiliate link in this article, just so that I can get a few extra DNS queries added to my account.


