DNSCrypt or NextDNS to protect home network? What do you use please

Started by HammerfistC64, April 02, 2021, 02:08:53 PM

Hello,

I see there is a tutorial on here for setting up DNSCrypt to protect DNS over HTTP; I'm not sure it does DNS over TLS though, where NextDNS does from what I read.

What do you use please, and what tutorial do you use?

Thanks

I am using dnscrypt and I think it is using a protocol which is not DNS over TLS / HTTP.
https://dnscrypt.info/protocol/

NextDNS supports DoH and DoT
https://help.nextdns.io/t/x2hmvas/what-is-dns-over-tls-dot-dns-over-quic-doq-and-dns-over-https-doh-doh3

So the client (your router) is communicating with the opposite side over a secure channel. But what happens on the opposite side? In the case of DNSCrypt there can be any of many servers (some of them privacy friendly, some not), but in the case of NextDNS there is just one company.

I am planning to try NextDNS to see how it works and what benefit I get. But for now, I don't know.

I use Unbound configured with DNS over TLS pointing to my NextDNS account. Very simple to configure in the OPNSense GUI and works great. I have been very pleased with NextDNS for both its security and ad/tracker blocking capabilities.

If you decide to give that config a try, make sure you select "Disable DNS Rebinding Checks" under Settings -> Administration to allow NextDNS to return 0.0.0.0 to Unbound for any blocked sites.

To ensure devices don't bypass my DNS server, I configured a port forwarding rule for 53 TCP/UDP, blocked ports 853/8853 and blocked HTTPS for known DNS server lists (several public lists are available).

1) account at nextdns created
2) disable dnscrypt
3) remove dnscrypt conf from /usr/local/etc/unbound.opnsense.d/
4) in Unbound DNS > DNS over TLS added a new record; for CN I used the ID of the endpoints from the setup tab of the NextDNS GUI
5) restart unbound
6) dns is not working
7) checked the log of Unbound DNS and found the following error

2022-02-03T21:08:05   unbound[92145]   [92145:2] notice: ssl handshake failed 45.90.28.179 port 853
2022-02-03T21:08:05   unbound[92145]   [92145:2] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

any idea?
thanks

edit #1:
cat /usr/local/etc/unbound.opnsense.d/dot.conf

server:
   # CA bundle used to verify the upstream server's certificate
   tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
   name: "."
   forward-tls-upstream: yes
   # IP@port#auth-name: Unbound verifies the certificate against the name after '#'
   forward-addr: 45.90.28.179@853#XXXXX

edit #2:
I still run OPNsense 21.7.7.
Should I update to 22?

I suspect that the ISP is changing my DNS queries.
I did check for DNS leaks, and when using 9.9.9.9 in resolv.conf on my Linux laptop it looks ok,
but when using NextDNS 45.90.28.179 the DNS leak test web page shows me that I am using Google or OpenDNS.

That's for port 53.
I think that they are doing the same trick for 853,
so the response is coming from a different IP than the request was sent to.

what do you think?
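The TLS step behind the forward-addr line and the "certificate verify failed" log above, as an added example that is not part of this thread or of Unbound: a minimal DNS-over-TLS probe that frames one query the way RFC 7858 requires and verifies the server certificate against the auth-name, the same check Unbound performs for the name after '#'. AUTH_NAME is a placeholder you replace with the hostname from your own NextDNS setup page; the upstream IP is the one from the thread.

```python
import socket
import ssl
import struct

# Placeholder: the hostname shown on your NextDNS setup page, not the bare configuration ID.
AUTH_NAME = "REPLACE-WITH-AUTH-NAME-FROM-NEXTDNS-SETUP-PAGE"
UPSTREAM_IP = "45.90.28.179"  # upstream IP from the forward-addr line in the thread

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a DNS A query in wire format (RFC 1035): header, QNAME labels, QTYPE, QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def frame_tcp(msg: bytes) -> bytes:
    """DoT reuses TCP framing: a two-byte big-endian length prefix (RFC 7858 section 3.3)."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(resp: bytes) -> tuple:
    """Return (txid, rcode, answer_count) from a DNS response header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return txid, flags & 0x000F, an

def recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    """Read exactly n bytes, since TLS records need not align with DNS messages."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS connection early")
        buf += chunk
    return buf

def dot_query(ip: str, auth_name: str, qname: str, port: int = 853, cafile: str = None) -> tuple:
    """Send one query over TLS to ip:port, verifying the certificate against auth_name."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((ip, port), timeout=5) as raw:
        # server_hostname drives SNI and the SAN check, like Unbound's '#name' suffix
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame_tcp(build_query(qname)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_header(recv_exact(tls, length))

if __name__ == "__main__":
    try:
        print(dot_query(UPSTREAM_IP, AUTH_NAME, "example.com"))
    except ssl.SSLCertVerificationError as exc:
        # The same failure Unbound logs as "certificate verify failed"; the reason is printed
        print("certificate verify failed:", exc.verify_message)
```

A successful run returns (txid, 0, answer_count); a name that does not match the certificate's SAN, or a chain the CA bundle cannot verify, raises before any query is sent.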