Any tips on how to work around the Catch-22 where NextDNS needs proper time and NTP needs DNS?
(the NTP service I use requires me to use a domain name instead of an IP address)
Ideally, NextDNS shouldn't use any crypto until the ntp_ready variable is set to 1 in nvram. This is how DoT and DNSSEC work in the built-in firmware - until the NTP is set, neither of them will validate signatures. Once ntp_ready is set to 1, they are both told to start validating certificates.
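An added example, not part of the posts above and not firmware or NextDNS code: a wrapper that holds back a certificate-validating DNS client until `ntp_ready` reads 1, and refuses to start it on timeout. It assumes `nvram get ntp_ready` is available on the router and that NTP can resolve its hostname through the plain upstream resolver in the meantime; `NVRAM_BIN`, `POLL_SECS`, the 300-second limit and the `--run` switch are hypothetical names chosen for this sketch.

```shell
#!/bin/sh
# Gate a TLS-validating DNS client on the router's clock-sync flag.
# Assumption: `nvram get ntp_ready` prints 1 once NTP has set the clock.
# NVRAM_BIN and POLL_SECS are hypothetical knobs so the logic can be tested off-router.
NVRAM_BIN="${NVRAM_BIN:-nvram}"
POLL_SECS="${POLL_SECS:-2}"

# True only when the flag is exactly "1"; empty output or a failing
# nvram call counts as "clock not trustworthy yet".
ntp_is_ready() {
    val="$("$NVRAM_BIN" get ntp_ready 2>/dev/null)" || return 1
    [ "$val" = "1" ]
}

# wait_for_ntp MAX_SECS: poll until the flag is set. 0 = synced, 1 = timed out.
wait_for_ntp() {
    max="$1"
    waited=0
    while ! ntp_is_ready; do
        [ "$waited" -ge "$max" ] && return 1
        sleep "$POLL_SECS"
        waited=$((waited + POLL_SECS))
    done
    return 0
}

# start_when_synced MAX_SECS CMD...: run CMD only after clock sync.
# On timeout it fails closed (returns 2) instead of starting a client
# that would either reject every certificate or need validation disabled.
start_when_synced() {
    max="$1"
    shift
    if wait_for_ntp "$max"; then
        "$@"
    else
        echo "ntp_ready still unset after ${max}s; not starting: $*" >&2
        return 2
    fi
}

# Usage: sh this-script.sh --run <command that starts the DNS client>
if [ "${1:-}" = "--run" ]; then
    shift
    start_when_synced 300 "$@"
fi
```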