OPNsense Forum » English Forums » General Discussion » DNSCrypt or NextDNS to protect home network? What do you use please
Topic: DNSCrypt or NextDNS to protect home network? What do you use please (Read 2922 times)
HammerfistC64 (Newbie, Posts: 3, Karma: 0)
DNSCrypt or NextDNS to protect home network? What do you use please
« on: April 02, 2021, 02:08:53 pm »
Hello,
I see there is a tutorial on here for setting up DNSCrypt to protect DNS over HTTP. I'm not sure it does DNS over TTL though, where NextDNS does, from what I read.
What do you use please, and what tutorial do you use?
Thanks
janci (Newbie, Posts: 25, Karma: 0)
Re: DNSCrypt or NextDNS to protect home network? What do you use please
« Reply #1 on: February 02, 2022, 10:04:46 pm »
I am using dnscrypt and I think it is using a protocol which is not DNS over TLS / HTTP.
https://dnscrypt.info/protocol/
NextDNS is supporting DoH and DoT:
https://help.nextdns.io/t/x2hmvas/what-is-dns-over-tls-dot-dns-over-quic-doq-and-dns-over-https-doh-doh3
So the client {your router} is communicating with the opposite side over a secure channel. But what happens on the opposite side? In the case of DNSCrypt there can be any of many servers {some of them are privacy friendly, some not}, but in the case of NextDNS there is just one company.
I am planning to try NextDNS to see how it is working and what benefit I get. But for now, I don't know.
rman50 (Newbie, Posts: 31, Karma: 3)
Re: DNSCrypt or NextDNS to protect home network? What do you use please
« Reply #2 on: February 03, 2022, 01:46:20 am »
I use Unbound configured with DNS over TLS pointing to my NextDNS account. Very simple to configure in the OPNsense GUI and works great. I have been very pleased with NextDNS for both its security and ad/tracker blocking capabilities.
If you decide to give that config a try, make sure you select "Disable DNS Rebinding Checks" under Settings -> Administration to allow NextDNS to return 0.0.0.0 to Unbound for any blocked sites.
To ensure devices don't bypass my DNS server, I configured a port forwarding rule for 53 TCP/UDP, blocked ports 853/8853 and blocked HTTPS for known DNS server lists (several public lists are available).
janci (Newbie, Posts: 25, Karma: 0)
Re: DNSCrypt or NextDNS to protect home network? What do you use please
« Reply #3 on: February 03, 2022, 09:20:00 pm »
1) account at NextDNS created
2) disable DNSCrypt
3) remove the DNSCrypt conf from /usr/local/etc/unbound.opnsense.d/
4) in Unbound DNS > DNS over TLS, add a new record; for CN I used the ID of the endpoints from the Setup tab of the NextDNS GUI
5) restart Unbound
6) DNS is not working
7) checking the log on Unbound DNS, the following error is found:
    2022-02-03T21:08:05 unbound[92145] [92145:2] notice: ssl handshake failed 45.90.28.179 port 853
    2022-02-03T21:08:05 unbound[92145] [92145:2] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Any idea?
Thanks
edit #1:
    cat /usr/local/etc/unbound.opnsense.d/dot.conf
    server:
        tls-cert-bundle: /etc/ssl/cert.pem
    forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 45.90.28.179@853#XXXXX
edit #2:
I still run OPNsense 21.7.7.
Should I update to 22?
« Last Edit: February 03, 2022, 09:37:58 pm by janci »
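An added diagnostic (not from the thread, not OPNsense or Unbound code) that reproduces what Unbound does when it forwards over TLS: it connects to the upstream on 853, verifies the certificate chain and the auth name from the forward-addr line, then sends one query with the RFC 7858 length prefix. The auth name XXXXX.dns.nextdns.io and the CA bundle path are assumed placeholders; a name mismatch or an interposed certificate shows up as a verify failure before any DNS traffic is sent.

```python
import socket
import ssl
import struct

# Placeholders (assumed, not from the thread): the resolver IP from the posted
# dot.conf and the auth name that must match the upstream's certificate.
UPSTREAM_IP = "45.90.28.179"
AUTH_NAME = "XXXXX.dns.nextdns.io"  # placeholder; use your forward-addr #name
CA_BUNDLE = "/etc/ssl/cert.pem"     # same bundle the posted dot.conf uses


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 A/IN query: header (RD=1, one question) + QNAME."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data: bytes, expect_txid: int = 0x1234) -> dict:
    """Pull txid match, RCODE and answer count out of a raw DNS response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"txid_ok": txid == expect_txid, "rcode": flags & 0x0F, "answers": an}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS stream early")
        buf += chunk
    return buf


def probe_dot(ip=UPSTREAM_IP, auth_name=AUTH_NAME, name="example.com") -> dict:
    """Mirror Unbound's DoT forward: verify cert + auth name, then one query."""
    ctx = ssl.create_default_context(cafile=CA_BUNDLE)  # chain + hostname check
    with socket.create_connection((ip, 853), timeout=5) as raw:
        try:
            tls = ctx.wrap_socket(raw, server_hostname=auth_name)
        except ssl.SSLCertVerificationError as e:  # what Unbound logs as
            return {"tls_ok": False, "reason": e.verify_message}  # verify failed
        with tls:
            q = build_query(name)
            tls.sendall(struct.pack("!H", len(q)) + q)  # RFC 7858 2-byte length
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            result = parse_response(_recv_exact(tls, length))
            result.update(tls_ok=True, subject=tls.getpeercert().get("subject"))
            return result
```

Run probe_dot() from the firewall itself; a result with tls_ok False and a reason like hostname mismatch points at the configured name rather than at the network path.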
janci (Newbie, Posts: 25, Karma: 0)
Re: DNSCrypt or NextDNS to protect home network? What do you use please
« Reply #4 on: February 03, 2022, 11:12:52 pm »
I suspect that the ISP is changing my DNS queries.
I did check for DNS leaks, and when using 9.9.9.9 in resolv.conf on my Linux laptop it looks OK,
but when using NextDNS 45.90.28.179 the DNS leak test web page shows me that I am using Google or OpenDNS.
That's for port 53.
I think that they are doing the same trick for 853,
so the response is coming from a different IP than the request was sent to.
What do you think?