Configuring NextDNS

I am trying to configure nextdns on the router (snapshot) and installed luci-app-nextdns on a working router. The page shows that the service is enabled and the executable is indeed running, but no changes are made to /etc/config/dhcp for dnsmasq to actually use nextdns. @olivier Is that by design?

Are resolutions going thru nextdns then or it does not work?

It does not change visible router settings, but adds some directives to the dnsmasq configuration under the hood, in a place that is easy to remove when the process exits.

It did not work. My router was configured with stubby and cleanbrowsing and after installing nextdns, the resolution was still going through cleanbrowsing.

I checked /etc/config/dhcp and there were no changes made. Can you tell me what file is supposed to be changed by nextdns?


You should see a file called /tmp/dnsmasq.d/nextdns.conf.

Can you please show the output of:

cat /var/etc/dnsmasq.conf.*

as well as:

nextdns version

It is all working now, but I had to add list server '127.0.0.1#5342' to /etc/config/dhcp and disable DNSSEC validation in dnsmasq.

cat /tmp/dnsmasq.d/nextdns.conf
server=127.0.0.1#5342
no-resolv
add-mac
add-subnet=32,128
nextdns version
nextdns version 1.3.1

Can you please cat /var/etc/dnsmasq.conf.*

It is slightly stripped...

cat /var/etc/dnsmasq.conf.*
# auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
filterwin2k
no-resolv
localise-queries
read-ethers
enable-ubus
expand-hosts
bind-dynamic
dhcp-sequential-ip
cache-size=1500
dns-forward-max=150
domain=blah
server=/lan/
server=127.0.0.1#5453
server=/openwrt.pool.ntp.org/9.9.9.9
server=/cdnjs.cloudflare.com/9.9.9.9
dhcp-leasefile=/tmp/dhcp.leases
servers-file=/root/adb_list.overall
stop-dns-rebind
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
dnssec-no-timecheck
dhcp-broadcast=tag:needs-broadcast
addn-hosts=/tmp/hosts
conf-dir=/tmp/dnsmasq.d
user=dnsmasq
group=dnsmasq
dhcp-host=[stripped]
dhcp-ignore-names=tag:dhcp_bogus_hostname
conf-file=/usr/share/dnsmasq/dhcpbogushostname.conf
bogus-priv
conf-file=/usr/share/dnsmasq/rfc6761.conf
dhcp-range=set:lan,blah
dhcp-range=set:iot,blah
enable-ra
quiet-ra

Ok got it. You'll have to remove the forwarders you've set in the DHCP/DNS config for now. Next revision will handle that automatically.

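The diagnosis above comes down to one thing: dnsmasq only sends queries to the nextdns listener if no other server= forwarder in the generated config competes with it. The following script is an added example (not part of nextdns or OpenWrt) that audits the generated dnsmasq config for forwarders that would bypass the local listener. It assumes the listener address 127.0.0.1#5342 from the nextdns.conf shown earlier, and runs against a constructed excerpt modelled on the /var/etc/dnsmasq.conf.* dump in this thread; on a real router you would point it at that file instead.

```shell
#!/bin/sh
# Added example, not nextdns project code: audit a generated dnsmasq config for
# upstream forwarders that would bypass the local nextdns listener.

# Assumption: the listener that /tmp/dnsmasq.d/nextdns.conf points dnsmasq at.
NEXTDNS_UPSTREAM="127.0.0.1#5342"

# Print every server= line that forwards somewhere other than the nextdns
# listener. Lines like server=/lan/ (a domain with no upstream) are local-only
# stubs and are not forwarders, so they are skipped.
foreign_forwarders() {
    awk -v keep="server=$NEXTDNS_UPSTREAM" '
        /^server=/ && $0 != keep && $0 !~ /^server=\/[^\/]*\/$/ { print }
    ' "$1"
}

# Number of competing forwarders (0 means nextdns is the only upstream).
count_foreign_forwarders() {
    foreign_forwarders "$1" | awk 'END { print NR }'
}

# nextdns drops its snippet into /tmp/dnsmasq.d, so dnsmasq must read that dir.
has_conf_dir() {
    grep -q '^conf-dir=/tmp/dnsmasq.d$' "$1"
}

# dnsmasq-side DNSSEC validation is worth reporting because the original poster
# found it had to be switched off for the nextdns setup to work.
has_dnsmasq_dnssec() {
    grep -q '^dnssec$' "$1"
}

# Constructed sample input modelled on the cat /var/etc/dnsmasq.conf.* dump
# above (not the real file): the stubby forwarder and two domain-scoped
# forwarders all compete with the nextdns listener.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
no-resolv
server=/lan/
server=127.0.0.1#5453
server=/openwrt.pool.ntp.org/9.9.9.9
server=/cdnjs.cloudflare.com/9.9.9.9
conf-dir=/tmp/dnsmasq.d
dnssec
EOF

echo "forwarders that bypass $NEXTDNS_UPSTREAM:"
foreign_forwarders "$SAMPLE"
echo "count: $(count_foreign_forwarders "$SAMPLE")"
has_conf_dir "$SAMPLE" && echo "conf-dir=/tmp/dnsmasq.d present: nextdns.conf will be read"
has_dnsmasq_dnssec "$SAMPLE" && echo "dnssec is on in dnsmasq (see the thread: may need disabling)"
```

The forwarders it lists map directly to the list server entries in /etc/config/dhcp, which is what the previous post says to remove. A domain-scoped entry such as server=/openwrt.pool.ntp.org/9.9.9.9 is flagged too, because queries for that domain never reach nextdns.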

For now, I have setup stubby to talk to NextDNS. I will try your fix when it is available.

A somewhat related question: what is the benefit of using nextdns over stubby here? Your app is written in Go, so it is ginormous :slight_smile: I guess your app can provide some granular configurability. Are there any other big differences?

UPDATE: In both cases, my router would be connecting to NextDNS.

We are working on the size, it should get smaller, but still bigger than dynamically linked C programs.

The main advantages are:

  • We use different routing and fallback techniques to connect to our servers, so you should get a closer server (lower latency), and in case of an issue, it will try very hard to find another (farther) server before failing.
  • Stubby has some known issues with our service where it gets unstable in some cases (we are still investigating).
  • Our daemon is able to discover your LAN hosts (if you enable Report Client Info) and show them in the analytics (you need the very latest version of nextdns for this to work well, which is not yet pushed to opkg, coming soon).
  • You can apply a different NextDNS configuration ID based on the subnet/IP/MAC address of the LAN client. This is very handy to apply a kid-specific config on kid devices (not yet implemented in the UI, though).

Thx, looking forward to all these improvements!

I have this entry, list server '/openwrt.pool.ntp.org/9.9.9.9', in /etc/config/dhcp, and as I understand it, it is there to handle the case when the router comes up with its time way behind current and, until the time is synced, SSL communications are not possible. Does your app handle this case, or am I mistaken here?

Any news on this issue?

I wish I could segregate different settings for some networks to create parental control for children

Which part of the issue?

How can I configure multiple ID configurations?


Hi. I'm running the latest NextDNS (nextdns version 1.8.6) and have both one option config as well as a number of list host_config entries in /etc/config/nextdns. Yet, all the DNS queries from the list host_config MACs and subnets are now going only to the configuration set in option config. I have tried restarting NextDNS as well as restarting the router, but to no avail.

Here's my config file, with the NextDNS configs blanked:

config nextdns main
    option enabled '1'

    option config ******

    list host_config 'E8:DE:27:C9:5F:04=******' # Ripe Atlas Probe
    list host_config 'a4:4b:d5:45:e3:3d=******' # Redmi Note 8 Phone
    list host_config '10.3.0.0/16=******' # Corvus
    list host_config '10.4.0.0/16=******' # Guest

    option report_client_info '1'
    option hardened_privacy '0'
    option log_queries '0'

UPDATE: changing the list host_config entries to list config entries seems to work. But I thought version 1.8.6 used list host_config for the individual MACs/IPs/subnets and option config for the main fallback config. :confused:
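To make the per-client mapping from the config above concrete, here is an added example (my own illustration, not nextdns code, and not a statement of how nextdns resolves precedence) that takes 'key=ID' entries of the same shape as the list entries in /etc/config/nextdns and works out which configuration ID a given LAN client would receive. The precedence it applies is an assumption: an exact MAC match wins, otherwise the most specific matching IPv4 subnet, otherwise the default ID. The entries and IDs are constructed placeholders, not the poster's blanked-out values.

```shell
#!/bin/sh
# Added example, not nextdns code: resolve a LAN client to a configuration ID
# from 'key=ID' entries shaped like the list entries in /etc/config/nextdns.
# Precedence is an assumption made here: MAC match > longest matching IPv4
# prefix > default.

# Constructed placeholder entries (not real NextDNS configuration IDs).
ENTRIES='e8:de:27:c9:5f:04=id-probe
10.3.0.0/16=id-corvus
10.3.7.0/24=id-corvus-lab
10.4.0.0/16=id-guest'

# usage: resolve_config_id <client-mac> <client-ipv4> <default-id>
resolve_config_id() {
    mac_lc=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s\n' "$ENTRIES" | awk -v mac="$mac_lc" -v ip="$2" -v def="$3" '
    # Dotted-quad IPv4 to an integer, for prefix comparison.
    function ip2int(s,  p) { split(s, p, "."); return ((p[1]*256+p[2])*256+p[3])*256+p[4] }
    BEGIN { best = -1; answer = def }
    {
        split($0, kv, "=")
        key = tolower(kv[1]); id = kv[2]
        # Exact MAC match outranks every subnet rule (assumed precedence).
        if (key == mac) { answer = id; best = 999; next }
        if (key ~ /\//) {
            split(key, c, "/"); bits = c[2] + 0
            net = ip2int(c[1]); addr = ip2int(ip)
            # Compare the top "bits" bits by dividing away the host part;
            # a longer prefix is more specific and replaces a shorter match.
            div = 2 ^ (32 - bits)
            if (int(net / div) == int(addr / div) && bits > best) { answer = id; best = bits }
        }
    }
    END { print answer }'
}

# Stand-alone demonstration with constructed clients.
echo "probe by MAC:      $(resolve_config_id E8:DE:27:C9:5F:04 10.9.9.9 id-default)"
echo "10.3.7.9 (/24):    $(resolve_config_id 00:11:22:33:44:55 10.3.7.9 id-default)"
echo "10.3.1.1 (/16):    $(resolve_config_id 00:11:22:33:44:55 10.3.1.1 id-default)"
echo "192.168.1.2 (none): $(resolve_config_id 00:11:22:33:44:55 192.168.1.2 id-default)"
```

The point of the longest-prefix rule is that an overlapping, narrower subnet (10.3.7.0/24 inside 10.3.0.0/16) gets its own ID rather than the broader one; whichever list keyword the installed nextdns version actually honours, this is the behaviour to verify by checking which configuration a test client's queries show up under in the analytics.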