Comment by ignoramous 6 days ago
> If I may ask, what are the dns tricks, is there a blog post about what you added, I am sooo curious about what sorcery is nextdns using.
It is likely they use some form of SNI-based proxy, similar to: https://github.com/celzero/midway
The way this works is, for preset domains, you always answer with the IP of your SNI proxy, which then forwards the connection to the real IP based on the domain in TLS's SNI extension. This "trick" only works for TLS connections that send SNI in the clear, and will not work with QUIC (HTTP/3) or with TLS v1.3 with ECH (encrypted client hello). For non-TLS connections, like cleartext HTTP/2 or HTTP/1, the proxy would look at the Host header. Similar heuristics may exist for other popular cleartext protocols.
ControlD, a similar DNS provider, has supported redirections for a long time now: https://controld.com/features/traffic-redirection
If you own enough public IPs (like a /64 IPv6 or a /22 IPv4), you can vend a time-limited unique IP per domain per client IP and support all transport protocols (and not just TLS/HTTP).