How to have DNS encrypted with NextDNS?

I have seen packages like https-dns-proxy and dnscrypt-proxy to encrypt DNS queries, but I can't find how to configure this encrypted DNS provider with ad blocking in any of these apps.

there appears to be a nextdns package, at least in 19.07.

1 Like

It does not enter my device. That is why I did not mention that package.

You can install Adblock as usual:

It should work fine with the DNS encryption methods listed in the wiki:

If you need NextDNS specifically, it should be like this:

opkg update
opkg install nextdns luci-app-nextdns
/etc/init.d/rpcd restart
/etc/init.d/dnsmasq stop
uci set dhcp.@dnsmasq[0].noresolv="1"
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server=""
uci commit dhcp
/etc/init.d/dnsmasq start

Keep installing the 3 Megabyte package. And Adblock consumes a lot of RAM for my 8/64 MB device.

But if you can with other DNS providers. Why not with NextDNS? I don't see a hardware problem for this case. It would be more of software.

The nextdns package is implemented in go, apart from rewriting it in another language (not something you could expect from a package maintainer), there's not a whole lot to improve or change here. If you insist on using nextdns, you'll have to provide the hardware requirements it demands.

tl;dr: not a bug, nothing to be fixed - either get sufficient hardware or use another DNS filtering implementation.


I chose NextDNS because it is the best for my situation. 10ms latency, ad blocking (no need to install adblock locally), encrypted DNS. The device is an Archer C60 with 8/64 MB. It shouldn't be a hardware problem. As I said before, with the two mentioned packages you can have encrypted DNS with the same device and another provider.

go as a language is unsuited for embedded devices, likek routers, due tobits size- and system requirements, there is nothing to improve in the package using it.

1 Like

That is why I am not thinking of installing this package, but the other two mentioned. They fit perfectly (both) on my device and it is a configuration problem.

Find the dnscrypt-proxy settings for NextDNS here:

The NextDNS control panel contains that information as well, but not the way to configure specifically for dnscrypt-proxy.

Install https-dns-proxy. Edit /etc/config/https-dns-proxy to include your custom/ad-blocking resolver NextDNS URL instead of the URL there and remove second resolver. Restart https-dns-proxy.


I tried a bunch of setups before eventually settling on unbound-daemon replacing dnsmasq as the DNS server and using nextdns as one of the forward zones. It's been stable for over a year. https-dns-proxy was heavy on my 128MB / 1-Core TP-Link

With unbound-control you can interrogate your DNS server as well as read metrics for monitoring.

Snippets of my configs below - you would have to adjust the DNS server DHCP option to your LAN gateway so clients know where to send their queries.

You would also have to configure the upstream to your own NextDNS instance.

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option localuse '0'
	option port '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,'
> /etc/config unbound

config unbound 'ub_main'
	option add_extra_dns '0'
	option add_local_fqdn '1'
	option add_wan_fqdn '0'
	option dhcp_link 'none'
	option dhcp4_slaac6 '0'
	option dns64 '0'
	option dns64_prefix '64:ff9b::/96'
	option domain 'lan'
	option domain_type 'static'
	option edns_size '1232'
	option extended_stats '0'
	option hide_binddata '1'
	option interface_auto '1'
	option listen_port '53'
	option localservice '1'
	option manual_conf '0'
	option num_threads '1'
	option protocol 'default'
	option query_minimize '0'
	option query_min_strict '0'
	option rate_limit '0'
	option rebind_localhost '0'
	option rebind_protection '1'
	option recursion 'default'
	option resource 'default'
	option root_age '9'
	option ttl_min '120'
	option ttl_neg_max '1000'
	option validator '0'
	option validator_ntp '1'
	option verbosity '1'
	list iface_trig 'lan'
	list iface_trig 'wan'
	list iface_wan 'wan'
	option unbound_control '1'

config zone 'fwd_nextdns'
	option enabled '1'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	list zone_name '.'
	list server '<next-dns-id>'
	list server '<next-dns-id>'

You could try Stubby (DNS over TLS) as this is not a huge package

Once installed and configured you could then use vi or nano to edit the stubby config.
NextDNS website has a script under the Router set up guide section that may work.

I tried this some time ago and it worked but I now use Unbound and Adblock for my encrypted DNS and ad filtering.

Here is the script I used. My NextDNS ID is removed.

config resolver
       option address '2a07:a8c0::0'
       option tls_auth_name '<nextdns id>'
config resolver
       option address '2a07:a8c1::0'
       option tls_auth_name '<nextdns id>'
config resolver
       option address ''
       option tls_auth_name '<nextdns id>'

config resolver
       option address ''
       option tls_auth_name '<nextdns id>'

In https-dns-proxy there is a NextDNS profile, but not to configure the ID. In the NextDNS panel it says that it is connected but without configuration, and that the appropriate "endpoint" is not configured. I tried changing the url in /etc/config/https-dns-proxy and it works. A minor detail is that the LuCI app shows another provider, but I don't think it's important.

EDIT: I also see a padlock on the NextDNS panel that says DNS-over-HTTPS and https-dns-proxy so I guess it's working.

Stubby is not huge, but it uses OpenSSL and my system is WolfSSL.

Could I use Unbound as a DNS and DHCP server and remove dnsmasq?

No. You could try odhcpd - dnsmasq as a DHCP server will mostly be quiet and barely noticeable though.

In the end I chose https-dns-proxy and not Unbound and stubby because they use OpenSSL and do not enter my device.