NextDNS in latest firmware?

I am impressed with latest firmware giving option to select DNS from list of DNS providers but I couldn’t find NextDNS there. The service is awesome and can be customized from your account and is free.

1 Like

yes. We know NextDNS and will add to the list.

I disagree, there must be the possibility to insert any dns tls and it is not just two commercial services.

I avoid regardless of commercial dns services as far as they can say not to log

Welcome.
They are paid after 300k queries and offer you to enable or disable logging. Provides very good adware or malicious sites filter.

Have you seen securedns.eu ?

If you are European, no obvious problem that if you live in other contexts, your response can increase

it’s all foss and believe me, it deserves a nice donation of 10 € for the service that the dns offers compared to the classic anycast on 5500 servers with different data laws for each country

They are also free in Beta, lets you configure ad/malware/tracker blocking as well as white/black list, logs and analytics(!) and supports DNS-TLS (and DNS over HTTPS or DoH). It took a bit of configuration, but replacing the 1.1.1.1 stubby config with the one on the NextDNS.io setup page worked perfectly. Even the direct dnsmasq.conf adjustments worked, but I wanted the encryption.

As far as paid, the VPN services (including the new wireguard ones!) are better than trying to do the cut-paste stuff by hand. And you can always just use the files.

And as far as I know the base DNS service would still be free, only the blocks/logs/etc. and only after 300k inquiries.

1 Like

Any guidance on how to access and modify this file?
I am keen to give this a try

It is better to @ some one who have the solution @tz1

1 Like

Before anything else save a config backup and maybe ssh in and tar /etc into a file and save it off so you can restore things if they go wrong.

First make sure in the main setup, advanced, DNS tab you are using the 1.1.1.1 cloudflare and override for all (and I turn on rebind prevention) and that it works to resolve.

Go into /etc/config/stubby using SSH and replace the 1.1.1.1 references with the nextdns versions, you will see this in the setup/linux tab in the my.nextds. io (assuming you are using an account). My id has been replaced with 123456, but you can also use the generic values if you aren’t using an account and analytics. I add the device ID so I know which router or device (I can do this with android and windows directly).

config resolver
    option address 45.90.28.0
    option tls_auth_name: 'MyRtr-123456.dns1.nextdns.io
config resolver
    option address 2a07:a8c0::0
    option tls_auth_name: 'MyRtr-123456.dns1.nextdns.io'
config resolver
    option address 45.90.30.0
    option tls_auth_name: 'MyRtr-123456.dns2.nextdns.io'
config resolver
    option address 2a07:a8c1::0
    option tls_auth_name: 'MyRtr-123456.dns2.nextdns.io'

Then restart.

You can also alter the dnsmasq.conf if you don’t want DNS-over-TLS with Stubby.

no-resolv
bogus-priv
strict-order
server=2a07:a8c1::
server=45.90.30.0
server=2a07:a8c0::
server=45.90.28.0
add-cpe-id=123456

Which in the dnsmasq stanza in /etc/config/dhcp looks like:

    option boguspriv '1'
    option noresolv '1'
    option strict-order '1'
    list server '2a07:a8c1::75:76e5'
    list server '45.90.30.81'
    list server '2a07:a8c0::75:76e5'
    list server '45.90.28.81'
    option add-cpe-id '123456'

I don’t know if the analytics trick of using MyRtr-123456 would work. But you can get your blocking with your account.

1 Like

I dont have an account with nextdns but this worked for me

cp /etc/stubby/stubby.yml /etc/stubby/stubby.yml.cloudflare

file info below /etc/stubby/stubby.yml below

resolution_type: GETDNS_RESOLUTION_STUB

dns_transport_list:
  - GETDNS_TRANSPORT_TLS

tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

tls_query_padding_blocksize: 128

edns_client_subnet_private : 0

round_robin_upstreams: 0

idle_timeout: 10000

listen_addresses:
  - 127.0.0.1@53535
  -  0::1@53535

upstream_recursive_servers:
  - address_data: 45.90.28.0
    tls_auth_name: "6ffa65.dns1.nextdns.io"
  - address_data: 2a07:a8c0::0
    tls_auth_name: "6ffa65.dns1.nextdns.io"
  - address_data: 45.90.30.0
    tls_auth_name: "6ffa65.dns2.nextdns.io"
  - address_data: 2a07:a8c1::0
    tls_auth_name: "6ffa65.dns2.nextdns.io"

dont forget to
webadmin/more_settings/custom_dns_server/DNS over TLS from Cloudflare
disable, then apply
enablel, then apply

2 Likes

How to setup stubby with NextDNS?

so the default stubby(DNS over TLS from Cloudflare) file uses cloudflare. this file is located at /etc/stubby/stubby.yml
first command backs up defualt file to stubby.yml.cloudflare
and then clear /etc/stubby/stubby.yml and enter replacement info for nextdns

then go to gli-webadmin\More\custom_dns_server\DNS over TLS from Cloudflare
and disable and hit apply,
then enable and hit apply
or
(service stubby restart) from cli

1 Like

or wait for gli-net to incorporate into current or in 19.07.1 there is luci-app-nextdns

1 Like

or DNSCrypt v2…because DNSCrypt faster than stubby/tls

Can/Howto do device tags in DNSCrypt?
i.e. you say
6ffa65.dns1.nextdns.io
for the authname, prefixing it, e.g. “MyRouter1-6ffa65…” will add a tag to your logs and analytics (so I can tell which device is requesting).

Also you can still put 0.0.0.0 entries in the hosts file with stubby to stop the chatter and log clutter when you can’t stop it at the source. e.g. I have a camera that wants to phone home to p2p.vendorname.com every few hours even though I have the feature disabled. I added this to hosts with 0.0.0.0 and my logs cleaned up. (tip, also add “0.0.0.0 ANY” so netstat will show that instead of the first blocked entry).

yes if you go to nextdns.io and create an account you can create custom configurations for different devices. from nextdns.io usersetting page you can create a new config under the setup tag in the top left corner above it. Or rename your current one under settings. you can then go back to the setup page and look for your own custom ID under Enpoints and change every instance of 6ffa65 from above at the end of stubby.yml and replace with your custom id. works great.

This is a really neat service because it allows you to basically run adblock on a remote device and offload the cpu power and also allows you block sites that are application specific like snapchit and facedump or even ebayt.

I did not dig into this when I orginally posted this but now that I have I have nothing but good things to say about it.

I’ll have to checkout DNSCrypt and see if I can do the same thing

so there is a snapshot testing bin for ar750 /firmware/ar750/snapshots/openwrt-ar750-3.103-0302.bin with NextDNS support with stubby.

I enabled it but did not notice the change in /etc/stubby/stubby.yml so I have to assuming the settings are coming from elswhere as a script. reason I’m asking is because it it not pointing to nextdns but still showing cloudflare. also if your going to set for nextdns your still need a entry box for clientid to be entered. wow i wish most companies out there acted rather than only just listened to their customers. great job on moving forward with this. keep up the great work.

Sorry man. This beta firmware has problems. Will update and put the correct settings. So in one 2 two weeks NextDNS should work.

no complaints. it is working already with the above posts just hope you guys find time to have it so you can insert client id info. glad you chose to do it with stubby instead of nextdns. I prefer stubby version.

I just had an idea. since you guys do /etc/openevpn/ovpn0 ovpn1 ovpn2
maybe you could do /etc/stubby/stby1/stubby.yml
and higher for custom stubby choices outside of cloudflare and nextnds?

food for thought