Asus Merlin AC68U and NextDNS issues

[dotpanic]

Hi!

I have some issues installing NextDNS on Asus Merlin 386.2_2.

The install seems to complete successfuly:

Spoiler: Complete install log

admin@u8t-wlanap:/tmp/home/root# DEBUG=1 sh -c "$(curl -sL https://nextdns.io/install)"
INFO: OS: asuswrt-merlin
INFO: GOARCH: armv5
INFO: GOOS: linux
INFO: NEXTDNS_BIN: /jffs/nextdns/nextdns
INFO: LATEST_RELEASE: 1.12.5
DEBUG: Start install loop with CURRENT_RELEASE=
DEBUG: NextDNS is not installed
i) Install NextDNS
e) Exit
Choice (default=i): i
INFO: Installing NextDNS...
DEBUG: Using merlin install type
DEBUG: Installing 1.12.5 binary for linux/armv5 to /jffs/nextdns/nextdns
DEBUG: Downloading https://github.com/nextdns/nextdns/releases/download/v1.12.5/nextdns_1.12.5_linux_armv5.tar.gz
DEBUG: Start configure
DEBUG: Get configuration ID
DEBUG: Previous config ID: xxxxxx
NextDNS Configuration ID (default=xxxxxx):
DEBUG: Add arg -config=xxxxxx
Sending your devices name lets you filter analytics and logs by device.
Report device name? [Y|n]: Y
DEBUG: Add arg -report-client-info=true
DEBUG: Add arg -setup-router=true
Make nextdns CLI cache responses. This improves latency and reduces the amount
of queries sent to NextDNS.
Note that enabling this feature will disable dnsmasq for DNS to avoid double
caching.
Enable caching? [Y|n]: Y
DEBUG: Add arg -cache-size=10MB
Instant refresh will force low TTL on responses sent to clients so they rely
on CLI DNS cache. This will allow changes on your NextDNS config to be applied
on you LAN hosts without having to wait for their cache to expire.
Enable instant refresh? [Y|n]: Y
DEBUG: Add arg -max-ttl=5s
NextDNS installed and started using merlin init

Congratulations! NextDNS is now installed.

To upgrade/uninstall, run this command again and select the approriate option.

You can use the nextdns command to control the daemon.
Here is a few important commands to know:

# Start, stop, restart the daemon:
nextdns start
nextdns stop
nextdns restart

# Configure the local host to point to NextDNS or not:
nextdns activate
nextdns deactivate

# Explore daemon logs:
nextdns log

# For more commands, use:
nextdns help

The first issue I have is that I can't see logs:

admin@u8t-wlanap:/tmp/home/root# nextdns log
Error: exit status 1

Ok I can live without that but anyway, is this a security issue? Does nextdns need some rights on its logging path?

Everything is working fine just after installation. But as soon as I reboot the router, nextdns is not activated.

admin@u8t-wlanap:/tmp/home/root# nextdns
-sh: nextdns: not found
admin@u8t-wlanap:/tmp/home/root# ls /tmp/opt/sbin/
ls: /tmp/opt/sbin/: No such file or directory

*** symbolic link is not recreated at reboot? Do I need to manually add a "mkdir -p /tmp/opt/sbin" and "ln -sf /jffs/nextdns/nextdns /tmp/opt/sbin/nextdns" to /jffs/init-start?

admin@u8t-wlanap:/tmp/home/root# ps w | grep next
  373 admin     781m S    /jffs/nextdns/nextdns run
admin@u8t-wlanap:/tmp/home/root# grep next /tmp/syslog.log
/tmp/syslog.log:May  5 07:05:15 nextdns[373]: Starting NextDNS 1.12.5/linux on 127.0.0.1:5342
/tmp/syslog.log:May  5 07:05:15 nextdns[373]: Starting mDNS discovery
/tmp/syslog.log:May  5 07:05:15 nextdns[373]: Listening on TCP/127.0.0.1:5342
/tmp/syslog.log:May  5 07:05:15 nextdns[373]: Listening on UDP/127.0.0.1:5342
/tmp/syslog.log:Apr 20 09:49:19 nextdns[373]: Setting up router
/tmp/syslog.log:Apr 20 09:49:34 nextdns[373]: Activating

*** at this point, the daemon is started but nextdns website reports: This device is currently using ”Cloudflare” as DNS resolver

admin@u8t-wlanap:/tmp/home/root# /jffs/nextdns/nextdns restart

*** and now nextdns website reports: All good

I've spend a few hours trying to understand why I don't have access to startdns logs and why it does not start correctly at reboot, but I'm pretty lost now

Is anyone can help?

Thank you!

 

[Zastoff]

Hi!

I have some issues installing NextDNS on Asus Merlin 386.2_2.

The install seems to complete successfuly:

Spoiler: Complete install log

admin@u8t-wlanap:/tmp/home/root# DEBUG=1 sh -c "$(curl -sL https://nextdns.io/install)"
INFO: OS: asuswrt-merlin
INFO: GOARCH: armv5
INFO: GOOS: linux
INFO: NEXTDNS_BIN: /jffs/nextdns/nextdns
INFO: LATEST_RELEASE: 1.12.5
DEBUG: Start install loop with CURRENT_RELEASE=
DEBUG: NextDNS is not installed
i) Install NextDNS
e) Exit
Choice (default=i): i
INFO: Installing NextDNS...
DEBUG: Using merlin install type
DEBUG: Installing 1.12.5 binary for linux/armv5 to /jffs/nextdns/nextdns
DEBUG: Downloading https://github.com/nextdns/nextdns/releases/download/v1.12.5/nextdns_1.12.5_linux_armv5.tar.gz
DEBUG: Start configure
DEBUG: Get configuration ID
DEBUG: Previous config ID: xxxxxx
NextDNS Configuration ID (default=xxxxxx):
DEBUG: Add arg -config=xxxxxx
Sending your devices name lets you filter analytics and logs by device.
Report device name? [Y|n]: Y
DEBUG: Add arg -report-client-info=true
DEBUG: Add arg -setup-router=true
Make nextdns CLI cache responses. This improves latency and reduces the amount
of queries sent to NextDNS.
Note that enabling this feature will disable dnsmasq for DNS to avoid double
caching.
Enable caching? [Y|n]: Y
DEBUG: Add arg -cache-size=10MB
Instant refresh will force low TTL on responses sent to clients so they rely
on CLI DNS cache. This will allow changes on your NextDNS config to be applied
on you LAN hosts without having to wait for their cache to expire.
Enable instant refresh? [Y|n]: Y
DEBUG: Add arg -max-ttl=5s
NextDNS installed and started using merlin init

Congratulations! NextDNS is now installed.

To upgrade/uninstall, run this command again and select the approriate option.

You can use the nextdns command to control the daemon.
Here is a few important commands to know:

# Start, stop, restart the daemon:
nextdns start
nextdns stop
nextdns restart

# Configure the local host to point to NextDNS or not:
nextdns activate
nextdns deactivate

# Explore daemon logs:
nextdns log

# For more commands, use:
nextdns help

The first issue I have is that I can't see logs:

admin@u8t-wlanap:/tmp/home/root# nextdns log
Error: exit status 1

Ok I can live without that but anyway, is this a security issue? Does nextdns need some rights on its logging path?

Everything is working fine just after installation. But as soon as I reboot the rooter, nextdns is not activated.

admin@u8t-wlanap:/tmp/home/root# nextdns
-sh: nextdns: not found
admin@u8t-wlanap:/tmp/home/root# ls /tmp/opt/sbin/
ls: /tmp/opt/sbin/: No such file or directory

*** symbolic link is not recreated at reboot? Do I need to manually add a "mkdir -p /tmp/opt/sbin" and "ln -sf /jffs/nextdns/nextdns /tmp/opt/sbin/nextdns" to /jffs/init-start?

admin@u8t-wlanap:/tmp/home/root# ps w | grep next
  373 admin     781m S    /jffs/nextdns/nextdns run
admin@u8t-wlanap:/tmp/home/root# grep next /tmp/syslog.log *
/tmp/syslog.log:May  5 07:05:15 nextdns[373]: Starting NextDNS 1.12.5/linux on 127.0.0.1:5342
/tmp/syslog.log:May  5 07:05:15 nextdns[373]: Starting mDNS discovery
/tmp/syslog.log:May  5 07:05:15 nextdns[373]: Listening on TCP/127.0.0.1:5342
/tmp/syslog.log:May  5 07:05:15 nextdns[373]: Listening on UDP/127.0.0.1:5342
/tmp/syslog.log:Apr 20 09:49:19 nextdns[373]: Setting up router
/tmp/syslog.log:Apr 20 09:49:34 nextdns[373]: Activating

*** at this point, the daemon is started but nextdns website reports: This device is currently using ”” as DNS resolver

admin@u8t-wlanap:/tmp/home/root# /jffs/nextdns/nextdns restart

*** and now nextdns website reports: All good

I've spend a few hours trying to understand why I don't have access to startdns logs and why it does not start correctly at reboot, but I'm pretty lost now

Is anyone can help?

Thank you!

Here is a thread with the same issue I think.

NextDNS becomes unknown on router reboot

I am trying out NextDNS on the RT-AC5300. I perform the curl install and all things come up just fine. However, when I reboot - the NextDNS daemon does not start nor does it appear to be installed on the router other than the config file. I haven't done anything about setting up an external...

www.snbforums.com

 

[dotpanic]

The command not been found after a reboot is just a link problem I think. The nextdns install script executes those commands:

mkdir -p /tmp/opt/sbin
ln -sf /jffs/nextdns/nextdns /tmp/opt/sbin/nextdns

So I've added them to /jffs/scripts/init-start script to be sure they are executed after each reboot and this solved the "not found issue"

But the "log issue" and "activation after reboot issue" persist

 

[dotpanic]

I've added a sligth delay to /jffs/scripts/services-start:

sleep 10; /jffs/nextdns/nextdns.init start

And now the service starts correctly on reboot. I think it is somehow related to other services dependency, maybe NTP.

 

[gattaca]

There's a way to test for if NTP has been set but I cannot put my fingers on that code segment right now. I have a manual setup (no client) which I had to disable about 3 weeks ago now... I could not get nextdns to stay happier for more than about 36 hours. My manual setup had worked for a year plus (before there was a client) without issues. I've not re-enabled it so far b/c the family was screaming with almost daily "the internet is broken" DNS not resolving. I've not tried the client b/c it breaks some of the AMTM scripts I continue using. Please post your results on if this keeps the client happy when you can. TY.

 

[dotpanic]

I've experienced some NextDNS CLI process unexpected shutdowns (5 in 3 days) so I abandonned this client for the moment cause I think it is not completely mature right now on asuswrt.
Furthemore my DNSFilter settings were not applied anymore so it wasn't a solution to my needs.

I've switched to DNScrypt that seems to work fine, but I've lost the device identification. This is a pity because this feature of NextDNS is really interesting. I keep looking for how to solve this issue.

 

[MvW]

I've been using the NextDNS CLI client for over a month now without a single hiccup on my RT-AC86U. FWIW, they have released several updates in the past few dates, which also work fine. I haven't experienced anything out of the ordinary, so I think the issue lies anywhere else instead of in the client. Within 24 hours after I discover it, I subscribed to the paid plan and there hasn't been a moment I've regretted it
.
If you're experiencing issues, please check syslog for clues and report them on Github:

GitHub - nextdns/nextdns: NextDNS CLI client (DoH Proxy)

NextDNS CLI client (DoH Proxy). Contribute to nextdns/nextdns development by creating an account on GitHub.

github.com

or on Reddit:

https://www.reddit.com/r/nextdns/

You can also report it on their support site: https://help.nextdns.io/

Nothing is going to fix itselves without user reports.

 

[gattaca]

Thanks! I agree! I reported issues and Olivier has been very responsive - a big plus!

However, I've not been able to use NextDNS in ~ 3 weeks b/c the stability I had for the prior year in manual configuration mode, as outlined on the site has not returned. The last answer was to "try using the client" which I do not want b/c it ignores the router setup and AMTM settings.

What I want the manual configuration, which had worked for a year as an early beta tester, to work as it did reliabily. At this point, I cannot prove is whether it's my ISP or the current ASUS firmware or something screwy in AMTM so I switched to QUAD9. What I can say is that using QUAD9 has been rock solid for 3 weeks without a single DNS is dead issue and no family standing in my doorway. My gut says it has something to do with that single source mode where it can only use 1 target at a time - round_robin_upstreams: 0.

At some point I'm going to setup another router with just vanilla merlin + nextdns / manual and see how stable it remains. I only have very limited windows on weekends while the family is asleep to dare disrupt the stability. I love the service.

 

[MvW]

The last answer was to "try using the client" which I do not want b/c it ignores the router setup and AMTM settings.

Can you clarify that? I don't have the same experience and the NextDNS CLI client is working flawless here, without any modification whatsover. It was just a matter of set and forget (although I can't deny I had to play around with some of it's settings to see what would change )

 

[gattaca]

^^ Sure. These few things OTOMH:

a) When researching "trying the NextDNS client" I read that the NextDNS client pretty much takes over the router's DNS and ignores the "DNS Filter" page. Well before NextDNS, I learned (with Diversion) that the ~ 6 IOT devices (cameras, etc...) are more reliable/stable when I do not filter their DNS streams. They end up on DNS Filter page talking to QUAD9.

b) I also use the "DNS Filter" page to quickly bypass NextDNS when the wife is screaming about something being blocked until I have time to determine the cause.

c) When the Merlin users were beta testing with/for Olivier, we debated using AMTM's Diversion with or without NextDNS as there is ad-blocking functional overlap. I wanted to keep that function closer to home on the router.

d) Someone reported they felt the NextDNS client may be a bit slower resolving than a native NextDNS setup. I filed that under "ok likely but not a show stopper unless it surfaces badly."

e) That's all I can recall ATM. All the other AMTM stuff I use works just fine. Stay safe, stay alive. Peace.

 

[MvW]

Each his own preference of course, but I wouldn't want without NextDNS anymore.

a. All my IoT devices work without any issue whatsoever.
b. I don't use the DNSFilter page. I set it to router when reconfiguring and that's just about it. I don't have a wife screaming at me (anymore) so that might make a difference. And if my kid starts complaining, I just shout back I'm in currently in maintenance mode and use the NextDNS logs to find out why things didn't work.
c. I loved Diversion, really I did. But I don't need it anymore with NextDNS. It's a waste of a great initiative but I can't find any benefits anymore compared to NextDNS. Probably too because my favorite lists are also in NextDNS and I always had love/hate relation with pixelserv which I haven't missed a minute.
d. As for speeds, I guess that heavily depends on where you are on the planet, but I myself, living 20 minutes from the Amsterdam Internet Exchange (AMS-IX) have no complaints whatsover. From their own diagnostics tool (easily reproducible):

Welcome to NextDNS network diagnostic tool.

This tool will capture latency and routing information regarding
the connectivity of your network with NextDNS.

The source code of this tool is available at https://github.com/nextdns/diag

Do you want to continue? (press enter to accept)

Testing IPv6 connectivity
  available: false
Fetching https://test.nextdns.io
  status: ok
  client: 185.107.80.192
  protocol: DOH
  dest IP: 45.90.28.0
  server: zepto-ams-1
Fetching PoP name for ultra low latency primary IPv4 (ipv4.dns1.nextdns.io)
  anexia-ams: 2.411ms
Fetching PoP name for ultra low latency secondary IPv4 (ipv4.dns2.nextdns.io)
  vultr-ams: 2.525ms
Fetching PoP name for anycast primary IPv4 (45.90.28.0)
  zepto-ams: 2.639ms
Fetching PoP name for anycast secondary IPv4 (45.90.30.0)
  anexia-ams: 2.607ms
Pinging PoPs
  zepto-ams: 3.02ms
  zepto-ams: 2.947ms
  vultr-ams: 2.731ms
  anexia-ams: 2.616ms
  anexia-lon: 7.735ms
  vultr-lon: 7.739ms
  zepto-dus: 11.802ms
  zepto-lon: 11.419ms
  zepto-bru: 11.211ms
  fusa-bru: 26.492ms

Others:

PS C:\WINDOWS\system32> ping 1.1.1.1

Pinging 1.1.1.1 with 32 bytes of data:
Reply from 1.1.1.1: bytes=32 time=79ms TTL=59
Reply from 1.1.1.1: bytes=32 time=77ms TTL=59
Reply from 1.1.1.1: bytes=32 time=72ms TTL=59
Reply from 1.1.1.1: bytes=32 time=537ms TTL=59

Ping statistics for 1.1.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 72ms, Maximum = 537ms, Average = 191ms
PS C:\WINDOWS\system32> ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=70ms TTL=119
Reply from 8.8.8.8: bytes=32 time=76ms TTL=119
Reply from 8.8.8.8: bytes=32 time=74ms TTL=119
Reply from 8.8.8.8: bytes=32 time=84ms TTL=119

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 70ms, Maximum = 84ms, Average = 76ms
PS C:\WINDOWS\system32> ping 9.9.9.9

Pinging 9.9.9.9 with 32 bytes of data:
Reply from 9.9.9.9: bytes=32 time=76ms TTL=59
Reply from 9.9.9.9: bytes=32 time=69ms TTL=59
Reply from 9.9.9.9: bytes=32 time=79ms TTL=59
Reply from 9.9.9.9: bytes=32 time=70ms TTL=59

Ping statistics for 9.9.9.9:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 69ms, Maximum = 79ms, Average = 73ms

The numbers speak for themselves, I have no complaints. For the record: caching is off on the NextDNS CLI client and these results are all measured through the same VPN (forgot to turn it off, but as they're all through the same VPN tunnel anyway, it doesn't matter for comparison).

e) Wishing you the same.

 

[Zastoff]

I also use NextDNS but not the NextDNS-cli, It would not work with how i want to set up DNS for my devices.
Use the NextDNS(regular) servers for Kids School devices via DNS-Filter and DDNS to make the ip-update, During school hours+homework time on weekdays.
Have cron jobs set to change servers for those devices..
I use DNSCrypt-proxy v2 for my main home devices(Anonymized DNSCrypt mainly) +Diversion/DNS-Filter global filter=router and some other work related devices is also set via DNS-Filter(quad9).

Been following the NextDNS cli since beta stage and it has the option to run several setups/configs for different devices and also fetch device name for logs..but it also removes the ability to other DNS options on the router (Diversion/DNS-Filter)
NextDNS cli (DoH) fit perfectly for some users.
Other Options:
DNS Privacy Protocol (WAN in router gui) DNS over TLS works with NextDNS Servers with one config + DNS-Filter and Diversion will work.
Example how to set it: Link

(Unbound also has the option to use DoT Servers, Only advantage i can think of in this case, If a user use a older firmware that do not have updated dnsmasq/dnssec)

DNSCrypt-proxy v2 via DNSCrypt Installer (installed via amtm) also works fine with NextDNS (DoH) with one config + DNS-Filter and Diversion will work.
It also has some features that help prevent finger printing devices, and more
Example how to set it: Link
And guess if users with these other options want to check logs (dnsmasq.log) example Diversion`s f command.

 

[gattaca]

10-4. NextDNS is a great service and the web gui is the icing. My gotcha is it has to be more reliable than I've seen since January '21. Again, I used it without issues for more than a year. I tried for 2 weeks putting the family thru "dns hell" before I fell back to Quad9. I'll try again soon. Thanks for the encourgement. I just hope it's something stupid... though I wish they would use both targets.