NextDNS Installer

[Skeptical.me]

Run the install again to upgrade to v1.4.31. They fixed a crash in that version.

There is no a need to update anything in the router GUI.

Ahh, it's working now. Thanks for your help.

 

[gattaca]

Just so I understand correctly ... If I install NextDNS I won't need to use Diversion? Or do I just leave it on/installed?

Edit: I have NextDNS installed but the Web UI for NextDNS doesn't indicate the router is connected. And I still have Diversion on.

The answer depends. I prefer "layering" anything security related - routers included. Both Diversion and NextDNS are performing similar services but there may be some areas where they are distinct. For instance, the GUI NextDNS provides is quite helpful on turning on/off specific entities or NextDNS can do some things that Diversion maybe cannot. An example of that is the ability to "blocks third-party trackers disguising as first-party trackers". With Diversion, you retain full control of the filtering and are not dependent on a 3rd party for these services.

By layering the two services, I assume the entries I see NextDNS block, are DNS requests that Diversion allowed to pass since I still had them both running and did the manual configuration earlier on as they continue perfecting on the script install. The pain with layering is that well if something is blocked, I now have to check in two places. So it's entirely up to you which path to choose.

I had both installed (manually, not used their script yet) and when NextDNS is installed, it will show your router's IP on the main page and it will log everything permitted or denied in the logs tab on their GUI. The analytics tab will start showing numbers as well.. so if you are not seeing any of that when you login to NextDNS, then I'm doubting your router is talking to their services. Later.

 

[Skeptical.me]

The answer depends. I prefer "layering" anything security related - routers included. Both Diversion and NextDNS are performing similar services but there may be some areas where they are distinct. For instance, the GUI NextDNS provides is quite helpful on turning on/off specific entities or NextDNS can do some things that Diversion maybe cannot. An example of that is the ability to "blocks third-party trackers disguising as first-party trackers". With Diversion, you retain full control of the filtering and are not dependent on a 3rd party for these services.

I had both installed (manually, not used their script yet) and when NextDNS is installed, it will show your router's IP on the main page and it will log everything permitted or denied in the logs tab on their GUI. The analytics tab will start showing numbers as well.. so if you are not seeing any of that when you login to NextDNS, then I'm doubting your router is talking to their services. Later.

Thanks, it's working now. I updated NextDNS and it started working, cheers for the information.

 

[Skeptical.me]

With the Hardened Privacy feature, am I able to choose the jurisdiction of the DNS server. Or is it a matter of you get what's closest?

 

[kpod]

Will there be any way to integrate nextdns with the Synology RT2600ac router?

 

[dave14305]

Will there be any way to integrate nextdns with the Synology RT2600ac router?

It lists Synology on their github site.

https://github.com/nextdns/nextdns

 

[ShelaMonster]

I would like some clarification regarding using this properly, please.
Should I be using DNSFilter, or does the NextDNS router client override all queries by default? (Even device-coded DNS like Google products?)
Also, since DNS Rebind protection is available on NextDNS website, I shouldn't enable it here, and same for DNSSEC right?

I have DNSFilter enabled just to be sure, but I'm not positive if it makes any difference with NextDNS since the only device that usually tries to bypass router DNS settings is my friend's Pixel 3.
But they have the NextDNS app installed on it and "always enabled" since it doesn't have the iOS options to enable/disable for certain saved Wi-Fi networks.

Mostly want clarification regarding any of these settings:

Thanks and much appreciated.

 

[dave14305]

Should I be using DNSFilter, or does the NextDNS router client override all queries by default? (Even device-coded DNS like Google products?)
Also, since DNS Rebind protection is available on NextDNS website, I shouldn't enable it here, and same for DNSSEC right?

You can use DNSFilter set to Router mode to ensure all clients use the router for DNS, which will then forward to nextdns. NextDNS does not intercept everything.

If you are using blocking lists on the NextDNS website, you should disable DNS Rebind protection.

Your settings look good. Make sure no DNS servers are set on the LAN DHCP Server page for DNSFilter to work properly.

 

[RejZoR]

I've installed NextDNS somehow on my router via SSH lol. I'm having hard time finding what "Hardened privacy" feature does. Configuration asked me about it, but I was unsure what to select. Searching here only shows me a log of someone with this entry in his debug log so that's not helpful.

Also, do I have to enable DoT for it to work or is it ON by default if NextDNS is installed? NextDNS page seems to register router's NextDNS client install and I can see resolvings on NextDNS page. I just want to be sure everything is configured correctly. Does it matter if DNSFilter is enabled and set to Router or not? I want everything going through router to be resolved by NextDNS.

Also what about DNSSEC and DNS Rebind Protection in Merlin's settings. Just leave it disabled since NextDNS is suppose to do that by itself or not?

EDIT:
Oh, during install it said:
curl: (6) Couldn't resolve host 'sL'

It seems to have installed it regardless. What's with this? Just copied the whole install command as it is on GitHub page...

 

[Olivier Poitrey]

I've installed NextDNS somehow on my router via SSH lol. I'm having hard time finding what "Hardened privacy" feature does. Configuration asked me about it, but I was unsure what to select. Searching here only shows me a log of someone with this entry in his debug log so that's not helpful.

Also, do I have to enable DoT for it to work or is it ON by default if NextDNS is installed? NextDNS page seems to register router's NextDNS client install and I can see resolvings on NextDNS page. I just want to be sure everything is configured correctly. Does it matter if DNSFilter is enabled and set to Router or not? I want everything going through router to be resolved by NextDNS.

Also what about DNSSEC and DNS Rebind Protection in Merlin's settings. Just leave it disabled since NextDNS is suppose to do that by itself or not?

EDIT:
Oh, during install it said:
curl: (6) Couldn't resolve host 'sL'

It seems to have installed it regardless. What's with this? Just copied the whole install command as it is on GitHub page...

Hardened privacy mode will only use NextDNS servers located in jurisdictions with strong privacy laws. Note that depending how far your are from those, it may slow down your dns queries significantly.

You should leave DNSSEC and rebinding protection off on your router when using NextDNS. NextDNS will enforce those, and they can interfere with the blocking if left on.

And no need to use DoT when NextDNS daemon is installed.

 

[RejZoR]

Hardened privacy mode will only use NextDNS servers located in jurisdictions with strong privacy laws. Note that depending how far your are from those, it may slow down your dns queries significantly.

You should leave DNSSEC and rebinding protection off on your router when using NextDNS. NextDNS will enforce those, and they can interfere with the blocking if left on.

And no need to use DoT when NextDNS daemon is installed.

Ok, thanks for explanation. I'm from Europe so servers with such properties shouldn't be that far physically.

What about the "-sL" switch in the install command for which I got error: curl: (6) Couldn't resolve host 'sL'

I just retyped the command directly from GitHub and it apparently installed NextDNS regardless, I'm just wondering what is it for and if it can be breaking something as a result or it's fine.

 

[Olivier Poitrey]

Ok, thanks for explanation. I'm from Europe so servers with such properties shouldn't be that far physically.

What about the "-sL" switch in the install command for which I got error: curl: (6) Couldn't resolve host 'sL'

I just retyped the command directly from GitHub and it apparently installed NextDNS regardless, I'm just wondering what is it for and if it can be breaking something as a result or it's fine.

Please add DEBUG=1 before the command and send the full transcript of the output.

 

[RejZoR]

Please add DEBUG=1 before the command and send the full transcript of the output.

Interesting. Running installer again with DEBUG enabled and it said nothing about -sL switch. Removed NextDNS and reinstalled it and again no mention of -sL. Weird.

 

[RejZoR]

Do I need to re-install NextDNS after updating Merlin FW ? Or will it just keep on working like before?

 

[XIII]

Warning: it looks like NextDNS overhauled its configuration web site https://my.nextdns.io and in the process reset all blocklists...

Did this happen to other NextDNS users as well?

If so, I can’t believe they did this without any notice; this makes me reconsider becoming a customer. Pretty disappointed about that (even though I know the service is still in beta).

 

[RejZoR]

Warning: it looks like NextDNS overhauled its configuration web site https://my.nextdns.io and in the process reset all blocklists...

Did this happen to other NextDNS users as well?

If so, I can’t believe they did this without any notice; this makes me reconsider becoming a customer. Pretty disappointed about that (even though I know the service is still in beta).

It didn't reset them for me. Some did disappear because they were removed, but the rest remained selected like before. I also tweaked privacy and security settings a bit to harden my network even further. I've expanded filtering so far and on so many devices that I own that I'm further convinced to use their service. And now that I could finally get NextDNS to work perfectly with ASUSWRT-Merlin, even more so. Enforcing all devices to obey MY rules is the best frigging thing ever.

 

[jackiechun]

Warning: it looks like NextDNS overhauled its configuration web site https://my.nextdns.io and in the process reset all blocklists...

Did this happen to other NextDNS users as well?

My blocklist settings were not reset.

 

[XIII]

Then maybe I was unlucky?

The new NextDNS recommended list is enabled, but all others were disabled - for all of my configurations.

Edit: all Privacy related lists (Security seems untouched)

 

[jackiechun]

I ran into an issue where no domains would resolve on both my OpenWRT-based and Merlin-based routers. Today at 11:05am Eastern Time this occurred on my AC86U router and the only solution was a physical reboot of the router. (unfortunately no logs; AC86U at my parents and they did the reboot)

I've changed both routers to use the unencrypted DNS servers + cron jobs to call the linked IP address every hour; I figured this is the most stable config and doesn't require certificates/accurate timestamps. Will report again if this config results in reduced errors.

 

[XIII]

Any tips on how to work around the Catch-22 where NextDNS needs proper time and NTP needs DNS?

(the NTP service I use requires me to use a domain name instead of an IP address)