What's new

Need help configuring NextDNS

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

StrikerXXX

Occasional Visitor
Guys, I'm using nextdns in merlin, but I would like to know the correct form of nextdns configuration. This is the configuration I use:

xvxLGCj.png


Is this the correct way to set up nextdns in merlin right now? In nextdns panel control, what should I set up to get the most out of the merlin?

I did the downgrade to the .13, I found it well but stable that .14, heats less ac68u and slides no more bugs. The webgui works normally, very fast, now no longer has the choking as before as they occur in .14
 
Guys, I'm using nextdns in merlin, but I would like to know the correct form of nextdns configuration. This is the configuration I use:

xvxLGCj.png


Is this the correct way to set up nextdns in merlin right now? In nextdns panel control, what should I set up to get the most out of the merlin?

I did the downgrade to the .13, I found it well but stable that .14, heats less ac68u and slides no more bugs. The webgui works normally, very fast, now no longer has the choking as before as they occur in .14
In TLS Host name you should write devicename-yourID.dns.nextdns.io

For example:

ASUS-12a345.dns.nextdns.io

Then go to test.nextdns.io to see if it’s working.

Anyway, if you use Merlin, imho is better to use the NextDNS CLI client, that uses DoH instead of DoT.

 
In TLS Host name you should write devicename-yourID.dns.nextdns.io

For example:

ASUS-12a345.dns.nextdns.io

Then go to test.nextdns.io to see if it’s working.

Anyway, if you use Merlin, imho is better to use the NextDNS CLI client, that uses DoH instead of DoT.

It is configured as in its example, the DoT is functional. Is Doh better than dot? I always doubt what would be better than the two protocols to use.
 
I have now also installed “NextDNS CLI” on my AX86U with Asuswrt-Merlin and set it up so far. Unfortunately there are no detailed tutorials about it. Even on Github it is only explained very superficially, at least that's how I feel.

Should I set something in the WebGUI of the router under “WAN - Internet Connection” or “LAN - DNS Director” regarding NextDNS or should I leave everything as default?

What could be entered or changed under “/jffs/nextdns/nextdns.conf” or “/jffs/scripts/dnsmasq.postconf” that would improve performance and security?

I've been looking for answers like this for weeks and not everyone is born a professional. It can all be very complicated...

Translated with DeepL.com (free version)
 
Something I notice is that using the nextdns with the dns over tls really the connection with the sites takes a little longer, it should be by the question of crypto, correct? Using dns over htps is faster. I also have these doubts: AsusFreak, I would also like to know what to do in this situation. My knowledge of these matters is practically nil.
 
I have now also installed “NextDNS CLI” on my AX86U with Asuswrt-Merlin and set it up so far. Unfortunately there are no detailed tutorials about it. Even on Github it is only explained very superficially, at least that's how I feel.
The CLI is the best way to go. It is set it and forget it. No settings to change, nothing to configure. When you install the CLI it will ask some questions, say yes to all and you are done.
 
Does the NextDNS CLI support IPv6? Last time I ran it I only saw IPv4 hits in the NextDNS dashboard. I'll try again maybe some of the settings were off.

Edit -- nope - tried installing it again and it falls back to IPv4 NextDNS. I ran "nextdns uninstall" and it falls back IPv6 DNS.
 
Last edited:
It supports IPv6. I use it on my system with no issue. Just like IPv4, don't configure anything manually other than turning IPv6 on. The CLI takes care of the rest.
 
Thanks I tried that and my NextDNS log then shows it all going via IPv4 DNS, not IPv6. Maybe it's something on my side then.
 
Speaking of CLI installation, what are the differences between dns over https and dns over tls in the nextdns? Which of the two protocols is more secure, stable?

I know that the installation in cli is DoH, the configuration in dot can only do it by the merlin webgui.
 
Unless a mobile device is connecting to an external public network, no additional configuration is required. I'm not sure if this understanding is correct?

1727840838880.png



I only performed a basic DNS IP configuration without using CLI specifically.

for ipv4
1727840911325.png


for ipv6
1727841042776.png



The above configuration of NextDNS will be treated as an unrecognized device, but it won't affect statistics and protection.
1727841126982.png



However, a significant drawback is that devices in the home make tens of thousands of queries to dns.msftncsi.com daily, quickly exhausting the 300,000 free queries. I have currently installed unbound for local caching to reduce the query volume as much as possible, but I am still unable to prevent dns.msftncsi.com from querying upstream DNS.
 
Last edited:
I recall 2 options from my earlier setup
  1. There's a way in the router to send the "dns.msftnsci.com" DNS queries to a specific DNS and not use NextDNS... (I think).. but do not recall where that setting is OTOMH.
  2. If home user, pay their $19.90 / YR fee for the PRO version.
Please post your results with the latest NextDNS setup. I've been using NextDNS on/off for a couple of years and VERY early on there were stability issues with their developing client so it was a total manual configuration to get it working properly. One of the NextDNS guys use to frequent the Merlin forums but it's been a while since I've seen him answering questions. Have a good one!
 
I believe that paying $19.90 annually for the PRO version will allow me to easily ignore the excessive queries from dns.msftncsi.com. However, these types of excessive queries account for 60% of the total, affecting the accuracy of the NextDNS statistics report.

1728026515700.png


Fortunately, you provided the first option, and I also discovered a solution. By adding the following two lines to the /etc/hosts file, dns.msftncsi.com will no longer send excessive queries to the upstream NextDNS.

Edit the /etc/hosts file and add the following at the end, The NextDNS logs no longer show any queries for dns.msftncsi.com.
Code:
# Forcing dns.msftncsi.com to use Google DNS (ipv4 and ipv6)
8.8.8.8 dns.msftncsi.com
2001:4860:4860::8888 dns.msftncsi.com

My own observations of combining NextDNS with Unbound have the following advantages:

1. Unbound has caching capabilities, so most queries are resolved locally with speeds between 0-1 microseconds. Only when an upstream query to NextDNS is needed will the response time range from 1 millisecond to 4 seconds.

1728020730363.png


2. This significantly reduces the number of queries to the upstream NextDNS. According to the Unbound statistics report, the caching system is functioning well, with over 90% of DNS queries being resolved directly from the local cache. Specifically, there were a total of 1,433,210 queries, of which only 137,204 were cache misses that required querying the upstream DNS.

1728021746162.png


3. NextDNS offers features like Threat Intelligence Feed and AI threat detection without requiring additional installation or consuming extra router resources, along with some protection measures that I don't fully understand but seem quite powerful. Even if the 300,000 query limit is exceeded, Skynet and Diversion on the router will still provide basic protection, which should be sufficient for home use. I suspect the impact won't be significant.



screencapture-my-nextdns-io-67b954-privacy-2024-10-04-15_32_46.png


Update:

After editing /etc/hosts, I observed the NextDNS statistics report and noticed that the daily query count dropped from tens of thousands to just over a thousand. The effect is remarkable.

螢幕擷取畫面 2024-10-12 191110.png
 
Last edited:

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top