How to have DNS encrypted with NextDNS?

I chose NextDNS because it is the best for my situation. 10ms latency, ad blocking (no need to install adblock locally), encrypted DNS. The device is an Archer C60 with 8/64 MB. It shouldn't be a hardware problem. As I said before, with the two mentioned packages you can have encrypted DNS with the same device and another provider.

Go as a language is unsuited for embedded devices, like routers, due to its size and system requirements; there is nothing to improve in the package using it.


That is why I am not thinking of installing this package, but the other two mentioned. They fit perfectly (both) on my device and it is a configuration problem.

Find the dnscrypt-proxy settings for NextDNS here:

The NextDNS control panel contains that information as well, but not the way to configure specifically for dnscrypt-proxy.

Install https-dns-proxy. Edit /etc/config/https-dns-proxy to include your custom/ad-blocking resolver NextDNS URL instead of the URL there and remove the second resolver. Restart https-dns-proxy.


I tried a bunch of setups before eventually settling on unbound-daemon replacing dnsmasq as the DNS server and using nextdns as one of the forward zones. It's been stable for over a year. https-dns-proxy was heavy on my 128MB / 1-Core TP-Link.

With unbound-control you can interrogate your DNS server as well as read metrics for monitoring.

Snippets of my configs below - you would have to adjust the DNS server DHCP option to your LAN gateway so clients know where to send their queries.

You would also have to configure the upstream to your own NextDNS instance.

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option localuse '0'
	option port '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,'

> /etc/config/unbound

config unbound 'ub_main'
	option add_extra_dns '0'
	option add_local_fqdn '1'
	option add_wan_fqdn '0'
	option dhcp_link 'none'
	option dhcp4_slaac6 '0'
	option dns64 '0'
	option dns64_prefix '64:ff9b::/96'
	option domain 'lan'
	option domain_type 'static'
	option edns_size '1232'
	option extended_stats '0'
	option hide_binddata '1'
	option interface_auto '1'
	option listen_port '53'
	option localservice '1'
	option manual_conf '0'
	option num_threads '1'
	option protocol 'default'
	option query_minimize '0'
	option query_min_strict '0'
	option rate_limit '0'
	option rebind_localhost '0'
	option rebind_protection '1'
	option recursion 'default'
	option resource 'default'
	option root_age '9'
	option ttl_min '120'
	option ttl_neg_max '1000'
	option validator '0'
	option validator_ntp '1'
	option verbosity '1'
	list iface_trig 'lan'
	list iface_trig 'wan'
	list iface_wan 'wan'
	option unbound_control '1'

config zone 'fwd_nextdns'
	option enabled '1'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	list zone_name '.'
	list server '<next-dns-id>'
	list server '<next-dns-id>'

You could try Stubby (DNS over TLS) as this is not a huge package

Once installed and configured you could then use vi or nano to edit the stubby config.
NextDNS website has a script under the Router set up guide section that may work.

I tried this some time ago and it worked but I now use Unbound and Adblock for my encrypted DNS and ad filtering.

Here is the script I used. My NextDNS ID is removed.

config resolver
       option address '2a07:a8c0::0'
       option tls_auth_name '<nextdns id>'
config resolver
       option address '2a07:a8c1::0'
       option tls_auth_name '<nextdns id>'
config resolver
       option address ''
       option tls_auth_name '<nextdns id>'

config resolver
       option address ''
       option tls_auth_name '<nextdns id>'

In https-dns-proxy there is a NextDNS profile, but not to configure the ID. In the NextDNS panel it says that it is connected but without configuration, and that the appropriate "endpoint" is not configured. I tried changing the url in /etc/config/https-dns-proxy and it works. A minor detail is that the LuCI app shows another provider, but I don't think it's important.

EDIT: I also see a padlock on the NextDNS panel that says DNS-over-HTTPS and https-dns-proxy so I guess it's working.

Stubby is not huge, but it uses OpenSSL and my system is WolfSSL.

Could I use Unbound as a DNS and DHCP server and remove dnsmasq?

No. You could try odhcpd - dnsmasq as a DHCP server will mostly be quiet and barely noticeable though.

In the end I chose https-dns-proxy and not Unbound and stubby because they use OpenSSL and do not fit on my device.


SG-105 in ~ # opkg info https-dns-proxy
Package: https-dns-proxy
Version: 2021-09-27-1
Size: 19812

SG-105 in ~ # opkg info unbound-daemon
Package: unbound-daemon
Version: 1.13.2-2
Size: 133666

Storage was okay - it was leaking memory at the time.

Yeah, it was a PITA to trace, since it happened so rarely, but whatever hasn't been fixed upstream since, has been attributed to an outdated wolfssl library (dependency of libcurl).


I am using it on my device with 64 MB and I do not find it "heavy".

Glad to hear it's working. Believe this was the issue at the time - Issue 75. Also see @stangri comment


Now that I look, there are several out-of-memory messages.

[172855.118852] Out of memory: Killed process 5334 (https-dns-proxy) total-vm:4696kB, anon-rss:604kB, file-rss:4kB, shmem-rss:0kB, UID:65534 pgtables:20kB oom_score_adj:0
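
The kernel line above records the OOM killer terminating https-dns-proxy. As an added example (not from the thread or from the package), this POSIX shell sketch summarises such kills for one process name from `dmesg` or `logread` output. The function names are made up for the example, and every sample line except the first is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: summarise kernel OOM kills of one process.
# Function names are made up for this example.

# Sample input. Line 1 is the message quoted above; the rest are constructed.
sample_log() {
cat <<'EOF'
[172855.118852] Out of memory: Killed process 5334 (https-dns-proxy) total-vm:4696kB, anon-rss:604kB, file-rss:4kB, shmem-rss:0kB, UID:65534 pgtables:20kB oom_score_adj:0
[172901.000100] Out of memory: Killed process 5350 (uhttpd) total-vm:1500kB, anon-rss:300kB, file-rss:4kB, shmem-rss:0kB, UID:0 pgtables:12kB oom_score_adj:0
[172990.004211] Out of memory: Killed process 5391 (https-dns-proxy) total-vm:4700kB, anon-rss:612kB, file-rss:4kB, shmem-rss:0kB, UID:65534 pgtables:20kB oom_score_adj:0
[173001.552930] br-lan: port 2(wlan0) entered forwarding state
EOF
}

# oom_kills NAME: read kernel log lines on stdin and print
#   "<kill count> <uptime of last kill> <pid of last kill> <largest anon-rss in kB>"
oom_kills() {
    awk -v name="$1" '
        BEGIN { marker = "Out of memory: Killed process " }
        index($0, marker) {
            # s = "5334 (https-dns-proxy) total-vm:4696kB, anon-rss:604kB, ..."
            s = substr($0, index($0, marker) + length(marker))
            pid = substr(s, 1, index(s, " ") - 1)
            o = index(s, "("); c = index(s, ")")
            if (substr(s, o + 1, c - o - 1) != name) next
            # uptime stamp sits in the first [...]; dmesg may pad it with spaces
            ts = substr($0, index($0, "[") + 1, index($0, "]") - index($0, "[") - 1)
            gsub(/ /, "", ts)
            # "604kB, ..." + 0 converts the leading digits only
            rss = substr(s, index(s, "anon-rss:") + 9) + 0
            n++; last_ts = ts; last_pid = pid
            if (rss > max) max = rss
        }
        END { printf "%d %s %s %d\n", n, (n ? last_ts : "-"), (n ? last_pid : "-"), max }
    '
}

# check_oom NAME: return 1 and warn on stderr if NAME was OOM-killed in the log on stdin
check_oom() {
    summary=$(oom_kills "$1")
    if [ "${summary%% *}" -gt 0 ]; then
        echo "WARNING: $1 was OOM-killed: $summary" >&2
        return 1
    fi
    return 0
}

# On the router: dmesg | check_oom https-dns-proxy   (or: logread | check_oom ...)
sample_log | oom_kills https-dns-proxy
```
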
