
When NextDNS Broke Minecraft

How DNS-level ad blocking silently killed Mojang authentication and took days to diagnose. A reminder that network-wide filtering needs monitoring.

networking dns tailscale infrastructure

DNS query being blocked by a filter shield, preventing game authentication

The Setup

Every device on my Tailscale network routes DNS through NextDNS — ad blocking, tracker filtering, and threat protection at the DNS level. Clean, network-wide, no per-device configuration needed. It had been running perfectly for months.

Then I enabled NextDNS’s automatic blocking feature, which expands the blocklists beyond the defaults. More aggressive filtering, more privacy. Sounded good.

The Problem

My Minecraft server stopped accepting connections. Friends couldn’t join, the game launcher wouldn’t authenticate, and nothing in the server logs explained why. The server process was healthy, ports were open, Tailscale was connected.

I spent days checking the wrong things — firewall rules, Tailscale ACLs, server configuration, Java networking settings. Everything looked correct because everything was correct. The server was fine. The network was fine. DNS was lying.

The Cause

NextDNS had silently added Mojang’s authentication domains to its blocklist. Every connection attempt failed at the authentication step because the game client couldn’t reach Microsoft’s login servers. No error message, no log entry. Just a DNS query that returned nothing.

The fix was a single allowlist entry. The diagnosis took three days.

The Takeaway

DNS-level blocking is invisible by design. When it works, you never think about it. When it breaks something, there’s no error pointing at DNS — you get symptoms that look like firewall issues, network misconfiguration, or application bugs.

If you’re running network-wide DNS filtering, log your DNS queries. NextDNS has a query log that would have shown the blocked domains immediately. I wasn’t checking it because everything had been working. Now I check it first whenever something network-related breaks unexpectedly.
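A small watchlist check can complement the query log by surfacing this kind of failure without waiting for someone to notice. The following is an added example, not code from the original post: the hostnames are constructed placeholders, and treating `0.0.0.0` / `::` answers as a block is an assumption about how filtering resolvers commonly respond (the post itself only describes queries that returned nothing).

```python
import ipaddress
import socket
import sys

# Placeholder hostnames (constructed): replace with the domains your services need.
WATCHLIST = ["auth.game.example", "login.idp.example"]


def system_resolve(host):
    """Resolve via the OS resolver, i.e. through the filtering DNS. [] on failure."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    # Drop any IPv6 zone suffix ("%eth0") so ipaddress can parse the result.
    return sorted({info[4][0].split("%")[0] for info in infos})


def classify(addresses):
    """'no-answer' for an empty result, 'sinkholed' for 0.0.0.0 / ::, else 'ok'."""
    if not addresses:
        return "no-answer"
    # Assumption: an all-unspecified answer means the filter sinkholed the name.
    if all(ipaddress.ip_address(a).is_unspecified for a in addresses):
        return "sinkholed"
    return "ok"


def check(watchlist, resolve=system_resolve):
    """Map each watched hostname to its classification."""
    return {host: classify(resolve(host)) for host in watchlist}


def failures(results):
    """Hostnames that did not resolve to a usable address, sorted."""
    return sorted(h for h, state in results.items() if state != "ok")


if __name__ == "__main__":
    bad = failures(check(WATCHLIST))
    for host in bad:
        print(f"DNS check failed for {host}: look at the filter's query log first")
    sys.exit(1 if bad else 0)
```

Run it from cron or a monitoring agent on a device that uses the filtered resolver; a non-zero exit code means at least one watched name no longer resolves.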

Written by

Peter Knaus

Founder of KnausDev. I build backend systems, AI pipelines, and enterprise platforms.
