
NextDNS Windows installer


liukuohao

Regular Contributor
This question I have is regarding the NextDNS installer itself.

1.1) NextDNS Windows installer.jpg


This sub forum: https://www.snbforums.com/threads/nextdns-installer.61002/ seems to have been inactive for over 2 years,
and I can't post anything there.


Hopefully, someone can help me out as to what the NextDNS installer actually does.

From my findings, when you have the NextDNS installer (Windows client) installed on the PC and it is enabled,
DOH or Secure DNS is working - tested in the web browser on the same PC - test.nextdns.io
Otherwise, if the software is disabled (stopped), then DOT will be used.

4) Using test.nextdns.io to test DOT or DOH.jpg


However, when the NextDNS client software is disabled/stopped. Protocol is now changed to DOT.

5) Using test.nextdns.io to test DOT or DOH.jpg


So my question: what does the NextDNS installer/client actually do?
 

It's mainly useful if you have multiple NextDNS profiles, as each device on your network can easily be assigned a different profile (if so desired). It's also configured out of the box to send responses with low TTL values to clients, so the clients will constantly ask the router about DNS information. This is done so changes made to your lists of your NextDNS profiles get seen very quickly by your router devices. Useful for promptly hunting down and fixing incorrectly blocked domains.

If you don't care about individual device domain logging, multiple blocking profiles or quickly fixing false positives, you can stick with the built-in DoT solution in the Merlin firmware and just apply a single NextDNS profile to the entire network.
 
It's mainly useful if you have multiple NextDNS profiles,
BTW I posted a question to the NextDNS community, asking what the software does.
I have yet to get a reply from anyone.


I was pondering your answer about having different profiles.
In the end, it didn't make sense to me. :rolleyes:
So you are saying having the NextDNS client software (or installer) either enabled or disabled can yield 2 different profiles.
Profile A = using DOT
Profile B = using DOH

I consulted ChatGPT and the AI gave this answer to me. What is your take on this response?
Does the answer given provide a true reflection of what DOT and DOH really mean?

Regarding DOH & DOT's CA, I have not installed any NextDNS CA on my PC. Does it mean that,
with the NextDNS installer/client software running, the NextDNS CA has already been installed?

How to install NextDNS CAs: https://help.nextdns.io/t/g9hmv0a/how-to-install-and-trust-nextdns-root-ca

Which protocol is better DOH vs DOT.jpg

As the response says, having DOH will be a "nightmare" for any Network Administrator to tackle.
 
The NextDNS CLI solution's DoH will override the built-in's DoT solution. So you wouldn't be using both at the same time. But yes, you can technically set up one NextDNS profile for DoH and then when the CLI is disabled, you can fall back to another NextDNS profile using DoT.

You technically don't need to mess with CAs. Installing the NextDNS CA is mainly useful for having their custom block page show up on devices when you visit a domain being blocked. It's not a necessity to install it though.
 
Also, note that their installer for Windows is not the same as the CLI for Merlin. You don't need the installer for Windows if you run the CLI on the router. That's the point.

And as a bonus you can force all devices on your network to use the router DNS instead of potentially being overridden by the device itself. Just set up the DNS Director in Merlin firmwares to globally redirect with the Router setting.
 
Also, note that their installer for Windows is not the same as the CLI for Merlin. You don't need the installer for Windows if you run the CLI on the router.
Unless that Windows machine is a laptop that is also used at other locations?
 
Unless that Windows machine is a laptop that is also used at other locations?
That's the exception. If you leave your local network then the NextDNS for Windows thingy becomes useful again.

Though I'd personally either: just connect back to my home using a VPN, and get the benefits of the CLI for Merlin but on my remote device. OR use something like YogaDNS on the device which gives you more flexibility with connecting through various DNS providers using either DoT or DoH (there's a NextDNS profile option inside of YogaDNS for simplicity's sake).

On Windows 11 and possibly Win 10, you can natively connect to DNS providers using DoH (DoT is currently in development stages), which means you don't need the resolver software above. Though if you use this, you will not connect to NextDNS' ultra-low latency servers due to the implementation Microsoft has for DoH. Something about not supporting a specific feature of DoH.
 
The NextDNS CLI solution's DoH will override the built-in's DoT solution. So you wouldn't be using both at the same time. But yes, you can technically set up one NextDNS profile for DoH and then when the CLI is disabled, you can fall back to another NextDNS profile using DoT.
Sorry, I should have mentioned right off the bat that I didn't follow this instruction:
https://github.com/nextdns/nextdns/wiki/AsusWRT-Merlin
That is, I didn't install NextDNS within the router by following the instructions below:

1. Enable SSH access to the router via the GUI: Administration -> System Tab then Click Enable SSH=LAN only
2. Connect to the router using SSH
3. Execute: sh -c "$(curl -sL https://nextdns.io/install)"
4. Follow the instructions

Questions:
1) What is the difference? Currently I have not tried NextDNS via the CLI. Any difference if I install it?
2) After I install it, do you get a NextDNS GUI within the Asuswrt-Merlin OS?
3) In case I don't want it later, is there a way to uninstall NextDNS via the CLI?

Thank you.
 
The difference between the CLI and the Windows program?

The CLI effectively replaces a big part of Dnsmasq on the router, and it has its own domain cache and everything. Allows you to assign specific NextDNS profiles to specific clients, among other things, as I already mentioned. While the CLI is running, the DoT entries in the Merlin GUI effectively do nothing, as the CLI overrides them and that functionality (including the DNSSEC and DNS rebinding options).

The Windows program intercepts all DNS traffic, wraps it in DoH and sends it to NextDNS' resolver servers. For that device only. The CLI is more or less also doing the same thing with the DNS interception, except it works on every device connected to your entire home network.

There is no GUI for the Merlin CLI. You must use the terminal via SSH to configure and run it.

And yes you can deactivate and uninstall the CLI by entering the same sh command you used to install it with. And then Dnsmasq starts working like it did before.
 
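The DoH and DoT labels that test.nextdns.io reports in this thread describe two transports for the same DNS message. The sketch below is an added example, not part of any post here and not NextDNS code: it builds one query for test.nextdns.io and shows how it is carried as DoH (RFC 8484, inside HTTPS on port 443) and as DoT (RFC 7858, length-prefixed inside TLS on port 853). The host `doh.example` and path `/dns-query` are placeholders, not a real NextDNS endpoint.

```python
import base64
import struct

# Placeholder endpoint for illustration; substitute your resolver's DoH URL.
DOH_HOST = "doh.example"
DOH_PATH = "/dns-query"

def build_query(name, qtype=1, msg_id=0):
    """Encode a single-question DNS query in RFC 1035 wire format.
    RFC 8484 recommends ID 0 for DoH so HTTP caches can reuse responses."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("invalid label length in %r" % name)
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN

def doh_get_request(query, host=DOH_HOST, path=DOH_PATH):
    """DoH (RFC 8484): the message rides inside an ordinary HTTPS request
    on TCP 443, base64url-encoded without padding in the ?dns= parameter."""
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return ("GET %s?dns=%s HTTP/1.1\r\n"
            "Host: %s\r\n"
            "Accept: application/dns-message\r\n\r\n" % (path, param, host))

def dot_frame(query):
    """DoT (RFC 7858): the same message, prefixed with a 2-byte length,
    written straight into a TLS session on the dedicated TCP port 853."""
    return struct.pack("!H", len(query)) + query

def compare(name):
    """Return both encodings of one lookup so they can be inspected."""
    query = build_query(name)
    return {"query": query, "doh": doh_get_request(query), "dot": dot_frame(query)}

if __name__ == "__main__":
    out = compare("test.nextdns.io")  # hostname taken from the thread
    print(out["doh"])
    print(out["dot"].hex())
```

Because DoT uses its own port while DoH shares 443 with all other HTTPS traffic, a network can identify or redirect DoT by port alone, which is the administrative difference the quoted ChatGPT answer alludes to.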
The Windows program intercepts all DNS traffic, wraps it in DoH and sends it to NextDNS' resolver servers. For that device only. The CLI is more or less also doing the same thing with the DNS interception, except it works on every device connected to your entire home network.
Basically if I have CLI done, it will be done at the "global" level- catching everything on the fishing net so to speak.
which means I don't have to install the "windows program" ? Right?
 
Frankly, IMHO, for a beginner like me, this whole thing about NextDNS is really a maze.
The documentation is kind of lacking, and hence I need to ask a 3rd party forum for help.
 
Basically if I have CLI done, it will be done at the "global" level- catching everything on the fishing net so to speak.
which means I don't have to install the "windows program" ? Right?
Correct. Unless you leave your home network, then you need either the Windows program, a VPN connection back to your home, YogaDNS, or something similar.
 
Frankly, IMHO, for a beginner like me, this whole thing about NextDNS is really a maze.
The documentation is kind of lacking, and hence I need to ask a 3rd party forum for help.
Yeah, I understand. Anyway, the CLI configuration has some information about some of the things you can configure, at least. The part I didn't quite understand at first was how to add multiple NextDNS configuration IDs to the configuration, and how to direct network clients to the various IDs. But we can work that out if you get that far.
 
As I've said above, it's for their custom block page. It removes the HTTPS warning if using their block page, which is off by default. You can find the option in your NextDNS profile settings.

You don't need to mess with any CAs if you don't use the custom block page.
 
As I've said above, it's for their custom block page. It removes the HTTPS warning if using their block page, which is off by default. You can find the option in your NextDNS profile settings.

You don't need to mess with any CAs if you don't use the custom block page.
Ok thanks for the reminder. 👍 :)
 
