NextDNS Installer

Run the install again to upgrade to v1.4.31. They fixed a crash in that version.

There is no need to update anything in the router GUI.

Ahh, it's working now. Thanks for your help.
 
Just so I understand correctly ... If I install NextDNS I won't need to use Diversion? Or do I just leave it on/installed?

Edit: I have NextDNS installed but the Web UI for NextDNS doesn't indicate the router is connected. And I still have Diversion on.
The answer depends. I prefer "layering" anything security related - routers included. Both Diversion and NextDNS are performing similar services but there may be some areas where they are distinct. For instance, the GUI NextDNS provides is quite helpful on turning on/off specific entities or NextDNS can do some things that Diversion maybe cannot. An example of that is the ability to "blocks third-party trackers disguising as first-party trackers". With Diversion, you retain full control of the filtering and are not dependent on a 3rd party for these services.

By layering the two services, I assume the entries I see NextDNS block are DNS requests that Diversion allowed to pass, since I still had them both running and did the manual configuration earlier on as they continue perfecting the script install. The pain with layering is that, well, if something is blocked, I now have to check in two places. So it's entirely up to you which path to choose.

I had both installed (manually, not used their script yet) and when NextDNS is installed, it will show your router's IP on the main page and it will log everything permitted or denied in the logs tab on their GUI. The analytics tab will start showing numbers as well, so if you are not seeing any of that when you log in to NextDNS, then I'm doubting your router is talking to their services. Later.
 
Thanks, it's working now. I updated NextDNS and it started working, cheers for the information.
 
With the Hardened Privacy feature, am I able to choose the jurisdiction of the DNS server? Or is it a matter of you get what's closest?
 
I would like some clarification regarding using this properly, please.
Should I be using DNSFilter, or does the NextDNS router client override all queries by default? (Even device-coded DNS like Google products?)
Also, since DNS Rebind protection is available on NextDNS website, I shouldn't enable it here, and same for DNSSEC right?

I have DNSFilter enabled just to be sure, but I'm not positive if it makes any difference with NextDNS since the only device that usually tries to bypass router DNS settings is my friend's Pixel 3.
But they have the NextDNS app installed on it and "always enabled" since it doesn't have the iOS options to enable/disable for certain saved Wi-Fi networks.

Mostly want clarification regarding any of these settings (two screenshots attached: upload_2020-2-7_20-15-51.png and upload_2020-2-7_20-16-31.png).


Thanks and much appreciated.
 
You can use DNSFilter set to Router mode to ensure all clients use the router for DNS, which will then forward to nextdns. NextDNS does not intercept everything.

If you are using blocking lists on the NextDNS website, you should disable DNS Rebind protection.

Your settings look good. Make sure no DNS servers are set on the LAN DHCP Server page for DNSFilter to work properly.
 
I've installed NextDNS somehow on my router via SSH lol. I'm having a hard time finding what the "Hardened privacy" feature does. Configuration asked me about it, but I was unsure what to select. Searching here only shows me a log of someone with this entry in his debug log, so that's not helpful.

Also, do I have to enable DoT for it to work or is it ON by default if NextDNS is installed? The NextDNS page seems to register the router's NextDNS client install and I can see resolutions on the NextDNS page. I just want to be sure everything is configured correctly. Does it matter if DNSFilter is enabled and set to Router or not? I want everything going through the router to be resolved by NextDNS.

Also, what about DNSSEC and DNS Rebind Protection in Merlin's settings? Just leave them disabled since NextDNS is supposed to do that by itself, or not?

EDIT:
Oh, during install it said:
curl: (6) Couldn't resolve host 'sL'

It seems to have installed it regardless. What's with this? Just copied the whole install command as it is on GitHub page...
 
Hardened privacy mode will only use NextDNS servers located in jurisdictions with strong privacy laws. Note that depending on how far you are from those, it may slow down your DNS queries significantly.

You should leave DNSSEC and rebinding protection off on your router when using NextDNS. NextDNS will enforce those, and they can interfere with the blocking if left on.

And no need to use DoT when NextDNS daemon is installed.
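The two answers above boil down to a short checklist for a Merlin router running the NextDNS client: DNSFilter on and in Router mode, nothing in the LAN DHCP DNS fields, DNSSEC off, DNS Rebind protection off. The script below is an added example (not from this thread and not part of the NextDNS installer) that audits those settings. It assumes the nvram keys `dnsfilter_enable_x`, `dnsfilter_mode` (with `11` meaning Router), `dhcp_dns1_x`, `dhcp_dns2_x`, `dnssec_enable` and `dns_norebind` are the ones this firmware uses; confirm them with `nvram show | grep dns` on your own unit before acting on a finding. It ships with a constructed sample of nvram values so it runs off the router; set `NVRAM_SAMPLE` to an empty string on the router to read the real values.

```shell
#!/bin/sh
# Added example: audit the ASUSWRT-Merlin settings recommended when the NextDNS
# client runs on the router. ASSUMPTION: the nvram keys and the Router-mode
# value 11 below match your firmware; verify before trusting a finding.

# Constructed sample standing in for the router's nvram so the script runs
# off-router. On the router, run with NVRAM_SAMPLE='' to read real values.
NVRAM_SAMPLE='dnsfilter_enable_x=1
dnsfilter_mode=11
dhcp_dns1_x=
dhcp_dns2_x=
dnssec_enable=0
dns_norebind=0'

# get_nv KEY: value of KEY from the sample, or from real nvram when the sample is empty.
get_nv() {
  if [ -n "$NVRAM_SAMPLE" ]; then
    printf '%s\n' "$NVRAM_SAMPLE" | sed -n "s/^$1=//p"
  else
    nvram get "$1"
  fi
}

# check_nv KEY WANTED MESSAGE: print MESSAGE and return 1 when KEY's value is not WANTED.
check_nv() {
  actual=$(get_nv "$1")
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  printf 'PROBLEM: %s (%s=%s, want %s)\n' "$3" "$1" "$actual" "$2"
  return 1
}

# audit_nextdns_settings: run every check; return the number of problems found (0 = all good).
audit_nextdns_settings() {
  problems=0
  check_nv dnsfilter_enable_x 1  'DNSFilter is off, so clients can bypass the router for DNS' || problems=$((problems + 1))
  check_nv dnsfilter_mode     11 'DNSFilter is not in Router mode' || problems=$((problems + 1))
  check_nv dhcp_dns1_x        '' 'LAN DHCP advertises DNS server 1; leave it blank for DNSFilter' || problems=$((problems + 1))
  check_nv dhcp_dns2_x        '' 'LAN DHCP advertises DNS server 2; leave it blank for DNSFilter' || problems=$((problems + 1))
  check_nv dnssec_enable      0  'DNSSEC is on; NextDNS enforces it and the local check can interfere with blocking' || problems=$((problems + 1))
  check_nv dns_norebind       0  'DNS Rebind protection is on; disable it when using NextDNS blocklists' || problems=$((problems + 1))
  return $problems
}

# Run against the constructed sample (or the real nvram when NVRAM_SAMPLE is empty).
if audit_nextdns_settings; then
  echo 'All recommended settings are in place.'
fi
```

Each failed check prints the key, its current value and the value the thread recommends, and the exit status is the number of problems, so the script can also be dropped into a cron job or a post-firmware-update check to catch settings that were silently reset.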
 
Ok, thanks for the explanation. I'm from Europe so servers with such properties shouldn't be that far physically.

What about the "-sL" switch in the install command, for which I got the error: curl: (6) Couldn't resolve host 'sL'

I just retyped the command directly from GitHub and it apparently installed NextDNS regardless; I'm just wondering what it is for and whether it could be breaking something as a result, or if it's fine.
 
Please add DEBUG=1 before the command and send the full transcript of the output.
 
Interesting. Running the installer again with DEBUG enabled, it said nothing about the -sL switch. Removed NextDNS and reinstalled it and again no mention of -sL. Weird.
 
Do I need to re-install NextDNS after updating the Merlin FW? Or will it just keep on working like before?
 
Warning: it looks like NextDNS overhauled its configuration web site https://my.nextdns.io and in the process reset all blocklists...

Did this happen to other NextDNS users as well?

If so, I can’t believe they did this without any notice; this makes me reconsider becoming a customer. Pretty disappointed about that (even though I know the service is still in beta).
 
It didn't reset them for me. Some did disappear because they were removed, but the rest remained selected like before. I also tweaked privacy and security settings a bit to harden my network even further. I've expanded filtering so far and on so many devices that I own that I'm further convinced to use their service. And now that I could finally get NextDNS to work perfectly with ASUSWRT-Merlin, even more so. Enforcing all devices to obey MY rules is the best frigging thing ever.
 
My blocklist settings were not reset.
 
Then maybe I was unlucky?

The new NextDNS recommended list is enabled, but all others were disabled - for all of my configurations.

Edit: all Privacy related lists (Security seems untouched)
 
I ran into an issue where no domains would resolve on both my OpenWRT-based and Merlin-based routers. Today at 11:05am Eastern Time this occurred on my AC86U router and the only solution was a physical reboot of the router. (Unfortunately no logs; the AC86U is at my parents' and they did the reboot.)

I've changed both routers to use the unencrypted DNS servers + cron jobs to call the linked IP address every hour; I figured this is the most stable config and doesn't require certificates/accurate timestamps. Will report again if this config results in reduced errors.
 
Any tips on how to work around the Catch-22 where NextDNS needs proper time and NTP needs DNS?

(the NTP service I use requires me to use a domain name instead of an IP address)
 
