NextDNS CLI Merlin GUI

SevenFactors

Regular Contributor
I just found out about Nextdns CLI and its support for asus-merlin.

Was the GUI ever implemented?

It is kind of a let down to see the excitement this thread started with and then how it abruptly ended.
https://www.snbforums.com/threads/nextdns-installer.61002/#post-538162

I scanned the thread while reading some posts. It kind of sounds like the GUI was implemented/tested, yet I can't seem to find it on my merlin install.

I have run into some issues, like being unable to access the nextdns log and, after a router reboot, the nextdns daemon not responding to commands, each time yielding -sh: nextdns: not found. Though in my case, the router rtac68u somehow is still using the nextdns cli settings. DNS leak tests, the nextdns webpanel and logs do report/confirm nextdns as the DNS resolver and DNS queries being 100% encrypted.

Who knows what's going on.
 
The OP of that thread hasn't been here for @ 2 years. The GitHub page was last edited 3 years ago.

Isn't NextDns integrated into Merlin now?
 

Exactly. It started with much excitement but then pfff.

It is not clear to me if it was ever integrated but I surely am hoping for some support/integration.

The Nextdns CLI allows for use of nextdns profiles per device, client, host, subnet, which is what I'm looking for.
 
Not to put a downer on your NextDNS Cli prospects, but have any of y'all noticed any stale lookups, bad cache responses, or potential cache poisoning coming from upstream NextDNS servers? I just ran into a situation where a user of NextDNS on AdGuardHome could not resolve static.adguard.com to its appropriate IP address, with their upstream NextDNS account. It was responding with improper IP addresses in its response. As a consequence, the user could not download a fresh copy or new release version of AdGuardHome. We did a couple of tests; the user could not ping any of the IP addresses being returned from the NextDNS server when doing lookups of static.adguard.com. The user switched to testing with cloudflare, google, and quad9. Each of these servers provided an accurate IP address. The only way the user could complete their update was to use one of these servers because NextDNS was not providing accurate information about static.adguard.com.


If we are all considering switching to NextDNS Cli for our use of nextdns profiles per device, client, host, subnet, shouldn't we evaluate it for its reliability, and accuracy?
 
For me NextDNS and Cloudflare resolve that to the same IP address:

Code:
static.adguard.com.     5       IN      A       185.76.10.3
static.adguard.com.     5       IN      A       185.76.10.12

Here is what I get.

Code:
dig static.adguard.com +short @unbound
1625341327.rsc.cdn77.org.
89.187.171.27
dig static.adguard.com +short @1.1.1.1
1625341327.rsc.cdn77.org.
89.187.173.14
89.187.173.22
dig static.adguard.com +short @8.8.8.8
1625341327.rsc.cdn77.org.
89.187.173.14
89.187.173.23
dig static.adguard.com +short @9.9.9.9
1625341327.rsc.cdn77.org.
89.187.171.26
 
I am contemplating the idea that under the right conditions, NextDNS upstream cached entries for static.adguardhome.com could go stale before it is aware of its new IP address change. It seems static.adguardhome.com is load balanced across multiple servers because its IP address changes quite frequently.

Here are the failed download attempts by the user.


You can see all the different IP addresses curl tried.

Another thought is, those servers could have simply just been down that day. Who knows.
 
Does that mean you are using unbound in conjunction with google, cloudflare and quad9 as well?
 
Not particularly all the time, just for that specific test. I queried all those different servers directly using the @ option of dig. During the test where dig queried unbound, my unbound instance was acting in recursive mode without forwarding to any upstream other than requesting from root servers.
 
Should I use unbound in my adguard home as well? Or just use the three dns servers?
 
That is your choice, though I suspect you might not have a full understanding of what the "test" was since the "test" did not involve actually using adguardhome.

In contrast, the test was conducted using dig querying each server directly, but individually. Which means a test with "dig" was conducted using each DNS server by querying each one individually in order to conduct a comparison of their individual dns query response.
As illustrated in this post https://www.snbforums.com/threads/nextdns-cli-merlin-gui.85868/post-853485
and this post https://www.snbforums.com/threads/nextdns-cli-merlin-gui.85868/post-853486
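
The per-resolver comparison described in this post, as an added example that is not part of the original thread: it parses the `dig +short` transcript posted above and reports which resolvers disagree on the CNAME chain or returned no address, since differing A records behind the same CDN CNAME are not by themselves a sign of a bad answer. The function names and result keys are chosen for this example.

```python
import ipaddress
from collections import Counter

# Transcript taken from the dig output posted in this thread.
TRANSCRIPT = """\
dig static.adguard.com +short @unbound
1625341327.rsc.cdn77.org.
89.187.171.27
dig static.adguard.com +short @1.1.1.1
1625341327.rsc.cdn77.org.
89.187.173.14
89.187.173.22
dig static.adguard.com +short @8.8.8.8
1625341327.rsc.cdn77.org.
89.187.173.14
89.187.173.23
dig static.adguard.com +short @9.9.9.9
1625341327.rsc.cdn77.org.
89.187.171.26
"""

def parse_transcript(text):
    """Map resolver -> {'chain': [CNAME targets], 'addrs': {IPs}} from `dig +short` output."""
    results, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("dig "):
            # The resolver is the token after '@'; "default" if none was given.
            current = next((t[1:] for t in line.split() if t.startswith("@")), "default")
            results[current] = {"chain": [], "addrs": set()}
        elif line and current is not None:
            try:
                results[current]["addrs"].add(ipaddress.ip_address(line))
            except ValueError:  # not an address, so +short printed a CNAME target
                results[current]["chain"].append(line.rstrip(".").lower())
    return results

def compare(results):
    """Flag resolvers whose CNAME chain differs from the majority or that returned no address."""
    chains = Counter(tuple(r["chain"]) for r in results.values())
    majority = chains.most_common(1)[0][0]
    seen = Counter(a for r in results.values() for a in r["addrs"])
    return {
        "majority_chain": list(majority),
        "chain_outliers": sorted(n for n, r in results.items() if tuple(r["chain"]) != majority),
        "no_answer": sorted(n for n, r in results.items() if not r["addrs"]),
        "shared_addrs": sorted(str(a) for a, c in seen.items() if c > 1),
    }

if __name__ == "__main__":
    for key, value in compare(parse_transcript(TRANSCRIPT)).items():
        print(f"{key}: {value}")
```

An address in the answer that does not respond is a separate question from which resolver returned it; test reachability of each returned IP on its own.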
 

Code:
nslookup static.adguard.com
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:    1625341327.rsc.cdn77.org
Addresses:  2a02:6ea0:cc00::11
          2a02:6ea0:cc00::6
          89.187.173.23
          89.187.173.11
Aliases:  static.adguard.com


These are my results with nextdns, quad9 and cloudflare

Ran it a couple of times with each; the only difference was cloudflare at one point yielding IP 89.187.173.22 rather than 89.187.173.23.


Thus far I've not experienced any issues in regards to DNS poisoning that I am aware of.
 


Nextdns does recommend setting a low TTL value to avoid these types of issues.

https://github.com/nextdns/nextdns/wiki/Cache-Configuration


Unbound
Now that I'm getting a beefier router I'm looking to all these merlin addons.

I will check this adguardhome. I like the idea of a local install of unbound + a ad/tracker/malware filtering solution.
 
Yea, I am a big advocate for Pihole+Unbound. I like AdGuardHome, but I haven't started putting it on RPI yet. I prefer Pihole because I am able to better identify ipv6 client traffic. AdGuardHome is a bit premature when it comes to the concepts of IPV6 in comparison to Pihole. I use RPI+Router configurations because the amount of stuff I block would simply choke the router regardless of whether I did it via unbound, diversion, or adguardhome.

host static.adguard.com
static.adguard.com has address 185.76.9.14
static.adguard.com has address 185.76.9.23
static.adguard.com has IPv6 address 2a02:6ea0:c500::4
static.adguard.com has IPv6 address 2a02:6ea0:c500::3
 
