NextDNS Installer

[SomeWhereOverTheRainBow]

Interesting benchmark, but it does only measure the difference between two block modes. As you mentioned, it does not measure the impact of DNS filtering, would it be local or remote.

The latency to our servers would be the major factor impacting the performance. As most DNS queries are performed in parallel, the performance to your DNS resolver, with local or remote filtering, will have the biggest impact on performance. What you don’t want, is filtering slowing down your DNS query latency. That is why with carefully select the blocklists we propose and avoid impossible to optimize matching methods like regex.

Regex is a powerful and effective way of blocking,but can also be too powerful as it can block false positives easily as well,but it cuts down on the need for massive block list as well. So there are pros and cons.

 

[Olivier Poitrey]

Regex is a powerful and effective way of blocking,but can also be too powerful as it can block false positives easily as well,but it cuts down on the need for massive block list as well. So there are pros and cons.

You can optimize a multi million entries static blocklist much much better than one with a few hundreds regex. I see mostly cons if you ask me

 

[gattaca]

.. Keep in mind that some of those Asus routers have limited compute capacity. One could argue that doing all the matching on router can slow down the overall performance of the router and impact even non DNS traffic to a certain extent.

In general I don't recommend layering blocking services. While it can give the impression that it can catch more stuff, it quickly become very hard to debug false positives. Logging becomes inconsistent and you have to manage whitelisting in two places.

... DNS with browser extension (like uBlock Origin) is an interesting combo. DNS based blocking will protect every apps & devices of your network while browser extension can catch and hide more varieties of ads but will only work in browser.

a) Yes, absolutely. There's only so much CPU in these routers to process frames, I/O etc.. That's why I turn most of the "fluff" off and only use AMTM tooling now.
b) Yes, I agree that is a negative . I still consider it part of the overall security onion.
c) Yes, that's a 3rd layer but everyone in my household won't use uBlock.

FWIW, Gut says Diversion is doing a pretty good job b/c if I have everything setup right, this is all that's getting through to NextDNS.

NOTE: These are the DEFAULT NEXTDNS settings without adding any other Privacy lists.

However, the attractiveness of your services is I could use it as a good alternative for non-ASUS routers. When my MIL calls complaining about she cannot get somewhere... then hopping into NextDNS can fix that easily.

BTW, what happened to the "Advanced Settings" where the filtering was broken out a lot more than I see now. I think it was on the "Security" tab.

 

[Olivier Poitrey]

a) Yes, absolutely. There's only so much CPU in these routers to process frames, I/O etc.. That's why I turn most of the "fluff" off and only use AMTM tooling now.
b) Yes, I agree that is a negative . I still consider it part of the overall security onion.
c) Yes, that's a 3rd layer but everyone in my household won't use uBlock.

FWIW, Gut says Diversion is doing a pretty good job b/c if I have everything setup right, this is all that's getting through to NextDNS.

However, the attractiveness of your services is I could use it as a good alternative for non-ASUS routers. When my MIL calls complaining about she cannot get somewhere... then hopping into NextDNS can fix that easily.

View attachment 21535

Looks like your blocklist settings are very well aligned between the two systems.

The other advantage is that you can keep the same setup while outside of your network.

 

[gattaca]

^^ Yeap.. without having to use VPN. No way the family would use a VPN... So YES Absolutely!!

BTW, what happened to the "Advanced Settings" where the filtering was broken out a lot more than I see today. I think it was on the "Security" tab. Thanks.

Ah.. Found'm. You guys relocated to "Privacy > Block Lists" Each entry has to be "Added" vs turning them On/Off like earlier.

 

[XIII]

Could you please upgrade to the last version, disable captive portal detection and validate that it still work with NTP? Thanks for your help.

Yes, NextDNS 1.4.33 with "detect-captive-portals false" works!

 

[XIII]

Can anyone else check whether hosts from /etc/ hosts.dnsmasq are resolved?

(space should not be in filename, but I get blocked on this forum if I remove it?)

@Olivier Poitrey added this some time ago, but it does not seem to work anymore (for me) in 1.4.33...

 

[XIII]

Can anyone else check whether hosts from /etc/ hosts.dnsmasq are resolved?

Oh wait, that's maybe because I have been told to use WAN DNS for the router itself? (i.e. not the NextDNS CLI client)

But shouldn't the router then still be able to resolve entries from hosts.dnsmasq?

EDIT: Oh, I would need to enable "Wan: Use local caching DNS server as system resolver (default: No)" for that?

 

[dave14305]

Oh wait, that's maybe because I have been told to use WAN DNS for the router itself? (i.e. not the NextDNS CLI client)

But shouldn't the router then still be able to resolve entries from hosts.dnsmasq?

hosts.dnsmasq is a function of dnsmasq, so if you have the local caching resolver option set to No (as usually recommended), the router won't be able to resolve local names since it would not use dnsmasq.

 

[ShelaMonster]

hosts.dnsmasq is a function of dnsmasq, so if you have the local caching resolver option set to No (as usually recommended), the router won't be able to resolve local names since it would not use dnsmasq.

So would this be correct?
Currently set to using these settings:

But for some reason NextDNS is only wanting to report the device name from the device itself, rather than the "custom" names set in the Router client table.

Should I remove NextDNS and re-add it?
I changed the "use local caching" option to -YES- after installing the NextDNS router client.

 

[dave14305]

View attachment 21598
So would this be correct?
Currently set to using these settings:
View attachment 21599

But for some reason NextDNS is only wanting to report the device name from the device itself, rather than the "custom" names set in the Router client table.

Should I remove NextDNS and re-add it?
I changed the "use local caching" option to -YES- after installing the NextDNS router client.

Are you adding these custom names in the DHCP tab? It won’t detect custom names set in the client list from Network Map.

 

[ShelaMonster]

Are you adding these custom names in the DHCP tab? It won’t detect custom names set in the client list from Network Map.

Yes, otherwise my SmartTVs get bogus names like this:

If custom naming doesn't work, I'll disable device reporting and swap back to not use the local caching.
I'm a stickler for naming of devices, especially if they don't support naming on the device itself.

 

[iJorgen]

View attachment 21598
But for some reason NextDNS is only wanting to report the device name from the device itself, rather than the "custom" names set in the Router client table..

Same issue here on my AC86U. It ignores the friendly names I have given to each device. Not a major issue but would be nice to have it perfect

One error still shows at startup, but the others are gone now

May  5 05:05:22 nextdns[1127]: Activate: activate: 127.0.0.1:53: no address found

 

[Olivier Poitrey]

Same issue here on my AC86U. It ignores the friendly names I have given to each device. Not a major issue but would be nice to have it perfect

One error still shows at startup, but the others are gone now

May  5 05:05:22 nextdns[1127]: Activate: activate: 127.0.0.1:53: no address found

Can you please open an issue on github regarding this issue, so I don’t forget to take a look?

 

[kannanni]

Hi,

I managed to install nextdns on my ac68u and to get it running on default settings, tested a few websites from one of my devices and is filtering ads etc.
Want to make sure i've got the rest of the settings ok: My dns settings on the router are:

nextdns website is detecting traffic using their dns with my profile id, also did a dns leak test and came up with correct nextdns numbers..
syslog is now clear from previous unlimited rebinding attacks when on DoT mode.

Please let me know if i have forgotten to set anything important

 

[dave14305]

Hi,

I managed to install nextdns on my ac68u and to get it running on default settings, tested a few websites from one of my devices and is filtering ads etc.
Want to make sure i've got the rest of the settings ok: My dns settings on the router are:
View attachment 21650

nextdns website is detecting traffic using their dns with my profile id, also did a dns leak test and came up with correct nextdns numbers..
syslog is now clear from previous unlimited rebinding attacks when on DoT mode.

Please let me know if i have forgotten to set anything important

You will be fine with those settings. The nextdns application will temporarily disable the DNS rebind and DNSSEC settings when it starts. Leave them enabled in the GUI so that if you stop nextdns or it fails for any reason, you will fallback to your WAN DNS settings and still have those protections enabled through dnsmasq.

 

[Reny]

Hello guys,

I just installed NextDNS on my AC68U router without problems.

I have a question, considering NextsDNS up and running on my router, all DNS query will be over HTTPS or TLS?

Thanks

 

[Olivier Poitrey]

Hello guys,

I just installed NextDNS on my AC68U router without problems.

I have a question, considering NextsDNS up and running on my router, all DNS query will be over HTTPS or TLS?

Thanks

HTTPS, which is TLS + HTTP/2.

 

[Reny]

HTTPS, which is TLS + HTTP/2.

Thanks Olivier Poitrey.
I usually access my NextDNS dashboard to make sure it is working. "This device is using NextDNS."

Is there any way to check on router logs if it is working properly ?

 

[Olivier Poitrey]

Thanks Olivier Poitrey.
I usually access my NextDNS dashboard to make sure it is working. "This device is using NextDNS."

Is there any way to check on router logs if it is working properly ?

Run: /jffs/nextdns/nextdns log