diff --git a/net/dns/publicdns/publicdns.go b/net/dns/publicdns/publicdns.go
index 76b71a6b2..0b7aff646 100644
--- a/net/dns/publicdns/publicdns.go
+++ b/net/dns/publicdns/publicdns.go
@@ -80,6 +80,10 @@ func DoHIPsOfBase(dohBase string) []netip.Addr {
 		return s
 	}
 	if hexStr, ok := strs.CutPrefix(dohBase, "https://dns.nextdns.io/"); ok {
+		// The path is of the form /<profile-hex>[/<hostname>/<model>/<device id>...]
+		// but only the <profile-hex> is required. Ignore the rest:
+		hexStr, _, _ = strings.Cut(hexStr, "/") // discard any optional
+
 		// TODO(bradfitz): using the NextDNS anycast addresses works but is not
 		// ideal. Some of their regions have better latency via a non-anycast IP
 		// which we could get by first resolving A/AAAA "dns.nextdns.io" over
diff --git a/net/dns/publicdns/publicdns_test.go b/net/dns/publicdns/publicdns_test.go
index 45c9c75a6..5219120fd 100644
--- a/net/dns/publicdns/publicdns_test.go
+++ b/net/dns/publicdns/publicdns_test.go
@@ -86,6 +86,15 @@ func TestDoHIPsOfBase(t *testing.T) {
 				"2a07:a8c1::c3:a884",
 			),
 		},
+		{
+			base: "https://dns.nextdns.io/c3a884/with/more/stuff",
+			want: ips(
+				"45.90.28.0",
+				"45.90.30.0",
+				"2a07:a8c0::c3:a884",
+				"2a07:a8c1::c3:a884",
+			),
+		},
 	}
 	for _, tt := range tests {
 		got := DoHIPsOfBase(tt.base)