Need help configuring NextDNS

StrikerXXX

Occasional Visitor
Guys, I'm using NextDNS on Merlin, but I would like to know the correct way to configure NextDNS. This is the configuration I use:

[screenshot]

Is this the correct way to set up NextDNS on Merlin right now? In the NextDNS control panel, what should I set up to get the most out of Merlin?

I downgraded to .13; I find it good and stable compared to .14, the AC68U runs cooler and there are no more bugs. The web GUI works normally and very fast, and it no longer has the choking that occurred in .14.
 
In the TLS Host name field you should write devicename-yourID.dns.nextdns.io

For example:

ASUS-12a345.dns.nextdns.io

Then go to test.nextdns.io to see if it’s working.

Anyway, if you use Merlin, IMHO it is better to use the NextDNS CLI client, which uses DoH instead of DoT.

 
It is configured as in your example, and DoT is working. Is DoH better than DoT? I'm always unsure which of the two protocols would be better to use.
 
I have now also installed “NextDNS CLI” on my AX86U with Asuswrt-Merlin and set it up so far. Unfortunately there are no detailed tutorials about it. Even on Github it is only explained very superficially, at least that's how I feel.

Should I set something in the WebGUI of the router under “WAN - Internet Connection” or “LAN - DNS Director” regarding NextDNS or should I leave everything as default?

What could be entered or changed under “/jffs/nextdns/nextdns.conf” or “/jffs/scripts/dnsmasq.postconf” that would improve performance and security?

I've been looking for answers like this for weeks and not everyone is born a professional. It can all be very complicated...

Translated with DeepL.com (free version)
 
Something I notice is that when using NextDNS with DNS over TLS, the connection to sites really takes a little longer; it should be because of the crypto, correct? Using DNS over HTTPS is faster. I also have these doubts: AsusFreak, I would also like to know what to do in this situation. My knowledge of these matters is practically nil.
 
The CLI is the best way to go. It is set it and forget it. No settings to change, nothing to configure. When you install the CLI it will ask some questions, say yes to all and you are done.
 
Does the NextDNS CLI support IPv6? Last time I ran it I only saw IPv4 hits in the NextDNS dashboard. I'll try again; maybe some of the settings were off.

Edit -- nope - tried installing it again and it falls back to IPv4 NextDNS. I ran "nextdns uninstall" and it falls back to IPv6 DNS.
 
It supports IPv6. I use it on my system with no issue. Just like IPv4, don't configure anything manually other than turning IPv6 on. The CLI takes care of the rest.
 
Thanks I tried that and my NextDNS log then shows it all going via IPv4 DNS, not IPv6. Maybe it's something on my side then.
 
Speaking of CLI installation, what are the differences between DNS over HTTPS and DNS over TLS in NextDNS? Which of the two protocols is more secure and stable?

I know that the CLI installation uses DoH; DoT can only be configured through the Merlin web GUI.
 
Unless a mobile device is connecting to an external public network, no additional configuration is required. I'm not sure if this understanding is correct?


I only performed a basic DNS IP configuration without using the CLI specifically.

For IPv4: [screenshot]

For IPv6: [screenshot]

The above configuration of NextDNS will be treated as an unrecognized device, but it won't affect statistics and protection.

However, a significant drawback is that devices in the home make tens of thousands of queries to dns.msftncsi.com daily, quickly exhausting the 300,000 free queries. I have currently installed unbound for local caching to reduce the query volume as much as possible, but I am still unable to prevent dns.msftncsi.com from querying upstream DNS.
 
I recall 2 options from my earlier setup
  1. There's a way in the router to send the "dns.msftncsi.com" DNS queries to a specific DNS and not use NextDNS... (I think).. but do not recall where that setting is OTOMH.
  2. If home user, pay their $19.90 / YR fee for the PRO version.
Please post your results with the latest NextDNS setup. I've been using NextDNS on/off for a couple of years and VERY early on there were stability issues with their developing client so it was a total manual configuration to get it working properly. One of the NextDNS guys used to frequent the Merlin forums but it's been a while since I've seen him answering questions. Have a good one!
 
I believe that paying $19.90 annually for the PRO version will allow me to easily ignore the excessive queries from dns.msftncsi.com. However, these types of excessive queries account for 60% of the total, affecting the accuracy of the NextDNS statistics report.

Fortunately, you provided the first option, and I also discovered a solution. By adding the following two lines to the /etc/hosts file, dns.msftncsi.com will no longer send excessive queries to the upstream NextDNS.

Edit the /etc/hosts file and add the following at the end. The NextDNS logs no longer show any queries for dns.msftncsi.com.
Code:
# Forcing dns.msftncsi.com to use Google DNS (ipv4 and ipv6)
8.8.8.8 dns.msftncsi.com
2001:4860:4860::8888 dns.msftncsi.com

From my own observations, combining NextDNS with Unbound has the following advantages:

1. Unbound has caching capabilities, so most queries are resolved locally with speeds between 0-1 microseconds. Only when an upstream query to NextDNS is needed will the response time range from 1 millisecond to 4 seconds.

2. This significantly reduces the number of queries to the upstream NextDNS. According to the Unbound statistics report, the caching system is functioning well, with over 90% of DNS queries being resolved directly from the local cache. Specifically, there were a total of 1,433,210 queries, of which only 137,204 were cache misses that required querying the upstream DNS.

3. NextDNS offers features like Threat Intelligence Feed and AI threat detection without requiring additional installation or consuming extra router resources, along with some protection measures that I don't fully understand but seem quite powerful. Even if the 300,000 query limit is exceeded, Skynet and Diversion on the router will still provide basic protection, which should be sufficient for home use. I suspect the impact won't be significant.

Update:

After editing /etc/hosts, I observed the NextDNS statistics report and noticed that the daily query count dropped from tens of thousands to just over a thousand. The effect is remarkable.
 
Old thread, but I'll continue anyway. :)

If using nextdns-cli, you can use "forwarder" to force different DNS to be used for certain domains.

For example, several devices in my network are constantly polling "time.nist.gov" and "pool.ntp.org" to get network time. These addresses have a very short TTL, so they are not really cached.

nextdns config set -forwarder=time.nist.gov=8.8.8.8
nextdns config set -forwarder=pool.ntp.org=8.8.8.8

No more entries to those in NextDNS logs after that.

Same can be done for "dns.msftncsi.com". But actually if you are using AsusWRT-Merlin, you should be able to prevent the router from polling that.

In Administration->System page:
[screenshot]

In Merlin firmware, if you don't have a tick in "DNS Query" it will not make the dns.msftncsi.com queries... In stock AsusWRT this has no effect for some reason; the router always polls no matter what.

We are a family of six so there are a lot of PCs and mobile devices and IoT stuff. But I can easily fit under the 300,000 free monthly queries in NextDNS.
 
In Merlin firmware, if you don't have a tick in "DNS Query" it will not make the dns.msftncsi.com queries...
That's not the case, at least for 3004.388.8_4. Not ticking that option only reduces the frequency of the queries to once a minute.
 
Ah sorry, yes you are correct. It was quite a while ago when I wondered about this dns.msftncsi.com problem.

Let's try again, maybe I get it right this time. :D

First, enable DNS Query so the address fields become visible. Then instead of "dns.msftncsi.com" write "8.8.8.8". Click Apply. Then afterwards you can disable DNS Query again and Apply again.

If you like tinkering with ssh more, you can just "nvram set dns_probe_host=8.8.8.8"

There's no longer dns.msftncsi.com in the logs. It perhaps does connect to 8.8.8.8, but that doesn't need a DNS lookup so it's lighter anyway. And network monitoring still works fine in case you need it.

It's likely this works in standard AsusWRT as well.
 
What you've effectively done is break that part of networking monitoring. wanduck checks the value dns_probe_host and sees that "8.8.8.8" is not a valid domain name. It therefore ignores that setting and assumes the DNS connection is OK, even if it's not.

Yeah. But that is what most people would expect when they uncheck the DNS Query.
 
I deleted my previous post because after looking at the source code it's more nuanced than I wrote. But at the end of the day the end result is probably the same.
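As an added example (not code from the thread or from Asuswrt-Merlin), this POSIX sh script models the three outcomes the thread describes for the router's DNS probe: a name answered from /etc/hosts (no upstream query, as in the hosts-file post), an IP literal in dns_probe_host (which, per RMerlin's note, wanduck ignores and treats DNS as OK), or a name that goes to the upstream resolver. The hosts sample, router.lan and www.example.com are constructed; the "skipped" reading of an IP literal is taken from the thread and not verified against the firmware source.

```shell
#!/bin/sh
# Added example, not code from the thread or from Asuswrt-Merlin. It models how
# the thread describes the WAN DNS probe reacting to the dns_probe_host value
# and to a local /etc/hosts override, using a constructed hosts sample.

# Constructed /etc/hosts content, including the override posted in the thread.
SAMPLE_HOSTS='127.0.0.1 localhost
192.168.50.1 router.lan
# Forcing dns.msftncsi.com to use Google DNS (ipv4 and ipv6)
8.8.8.8 dns.msftncsi.com
2001:4860:4860::8888 dns.msftncsi.com'

# is_ip_literal VALUE: succeed if VALUE is an IPv4 or IPv6 address, not a name.
is_ip_literal() {
    case "$1" in
        *:*)        return 0 ;;   # a colon only appears in IPv6 literals
        *[!0-9.]*)  return 1 ;;   # letters or other characters: a host name
        *.*.*.*)    return 0 ;;   # only digits and three dots: IPv4 literal
    esac
    return 1
}

# hosts_answers HOSTS_TEXT NAME: print every address HOSTS_TEXT maps NAME to.
hosts_answers() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 ~ /^#/ || NF < 2 { next }              # skip comments and junk
        { for (i = 2; i <= NF; i++) if ($i == name) print $1 }'
}

# probe_effect PROBE_HOST HOSTS_TEXT: print what happens to the probe lookup.
#   skipped  - an IP literal, which wanduck ignores and treats DNS as OK
#              (as described in the thread; assumption, not verified here)
#   local    - dnsmasq answers from /etc/hosts, so NextDNS never sees it
#   upstream - the name is forwarded to the configured upstream resolver
probe_effect() {
    if is_ip_literal "$1"; then
        echo skipped
    elif [ -n "$(hosts_answers "$2" "$1")" ]; then
        echo local
    else
        echo upstream
    fi
}

# Stand-alone run over the three cases discussed in the thread
# (www.example.com is a constructed name with no hosts entry).
for v in dns.msftncsi.com 8.8.8.8 www.example.com; do
    printf '%-18s -> %s\n' "$v" "$(probe_effect "$v" "$SAMPLE_HOSTS")"
done
```

On a router the real inputs would be `nvram get dns_probe_host` and `cat /etc/hosts`; whether the probe still validates the answer in the hosts-override case is not something the thread settles.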