OPNsense NextDNS Configuration – Can't Enable DoH or DoT

Started by BlackJoker, October 15, 2023, 09:51:38 AM

Hello fellow forum members,

I hope you all are doing well. I've encountered an issue with my OPNsense setup that I'm hoping some of you can help me solve. I've successfully installed the CLI version of NextDNS on my OPNsense router, but I'm having difficulty enabling DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) as the protocol.

Setup Details

  • OPNsense version: 23.7.5
  • NextDNS CLI version: 1.41.0
  • Zenarmor is also in use and configured to allow DoH traffic.

Even after installation and configuration, when I visit test.nextdns.io, it shows that my protocol is still UDP. I've also tried disabling Unbound to see if it was causing conflicts, but no luck there.

What I've Tried

  • Checked all NextDNS CLI configurations.
  • Allowed DoH traffic in Zenarmor.
  • Used the bypass function in Zenarmor for test purposes.
  • Restarted OPNsense.
  • Restarted NextDNS service via SSH.

Is there anything specific in the OPNsense settings that I should look for?
Are there any known conflicts with Zenarmor?
What logs should I be looking at to troubleshoot this issue?
Are there specific firewall rules I should be checking?
Any insights or guidance on solving this problem would be greatly appreciated. Thank you for taking the time to read my post and for any help you can provide.



C:\Users\Fabio>curl -v https://dns.nextdns.io/info --connect-to ::45.90.28.0:443
* Connecting to hostname: 45.90.28.0
* Connecting to port: 443
*   Trying 45.90.28.0:443...
* Connected to (nil) (45.90.28.0) port 443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server did not agree on a protocol. Uses default.
* using HTTP/1.x
> GET /info HTTP/1.1
> Host: dns.nextdns.io
> User-Agent: curl/8.0.1
> Accept: */*
>
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: *
< Content-Type: application/json
< Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
< Timing-Allow-Origin: *
< Date: Wed, 11 Oct 2023 21:17:38 GMT
< Content-Length: 80
<
{"locationName": " Frankfurt, Germany", "pop": "zepto-fra", "rtt": 5740}* Connection #0 to host (nil) left intact
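The curl test above only shows that NextDNS's DoH endpoint answers on 443; it says nothing about whether the firewall's resolver is actually talking DoT to its upstream on 853. The script below is an added example, not code from this thread, from NextDNS or from OPNsense: a minimal DNS-over-TLS client (RFC 7858) that opens a verified TLS session to the upstream, sends one A query with the two-byte length framing DoT requires, and reports the TLS version and the response code. It assumes NextDNS's DoT service listens on 45.90.28.0:853 (the same address the curl test used) and that the TLS server name is <config-id>.dns.nextdns.io, where the config ID is a placeholder you replace with your own. Run it with the Python 3 that OPNsense ships, from the firewall's shell, to check the upstream independently of what test.nextdns.io reports for a LAN client.

```python
"""Minimal DNS-over-TLS (RFC 7858) probe.

Added example, not code from the forum thread, NextDNS or OPNsense.
It sends a single A query over TLS on port 853 using the two-byte
length prefix that DoT (like DNS over TCP) requires, and reports how
the upstream answered.
"""
import socket
import ssl
import struct

# Assumptions (not stated on the page): NextDNS's DoT endpoint is reachable
# at 45.90.28.0:853 and the TLS server name is <config-id>.dns.nextdns.io.
# CONFIG_ID is a placeholder; replace it with your own NextDNS configuration ID.
DOT_ADDR = "45.90.28.0"
DOT_PORT = 853
CONFIG_ID = "abc123"
SERVER_NAME = f"{CONFIG_ID}.dns.nextdns.io"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query: 12-byte header, QNAME labels, QTYPE, QCLASS (IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """DoT/TCP framing: big-endian 16-bit length followed by the DNS message."""
    return struct.pack("!H", len(msg)) + msg


def parse_response(msg: bytes, expected_txid: int):
    """Validate the header and return (rcode, answer_count)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:  # QR bit must be set on a response
        raise ValueError("message is not a response")
    return flags & 0x000F, an


def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes; a TLS record may deliver the message in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the connection")
        buf += chunk
    return buf


def dot_probe(name: str = "test.nextdns.io", timeout: float = 5.0) -> dict:
    """Query the DoT upstream once and report TLS version, rcode and answer count."""
    txid = 0x1234
    ctx = ssl.create_default_context()  # verifies the chain and the server name
    with socket.create_connection((DOT_ADDR, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=SERVER_NAME) as tls:
            tls.sendall(frame(build_query(name, txid=txid)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            rcode, answers = parse_response(recv_exact(tls, length), txid)
            return {"tls_version": tls.version(), "rcode": rcode, "answers": answers}


if __name__ == "__main__":
    print(dot_probe())
```

If the TLS handshake fails with a certificate error, the server name is wrong or something in the path is intercepting 853; if the connection times out, a firewall rule or Zenarmor policy is blocking outbound 853 from the firewall itself, which is a different path from the LAN clients the earlier tests exercised.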

Is there a reason you need the NextDNS CLI instead of just configuring Unbound for NextDNS DoT? I'm not seeing what the benefit is for the CLI, but I don't use NextDNS.

I'd like to mention that I'm accustomed to using the CLI version because of my experience with UDM-Pro from UniFi. The CLI offers a familiar interface and workflow, making it easier for me to manage my network settings effectively.


I would wager that everyone else using NextDNS is just connecting via Unbound with DoT configured and not using the CLI, and that's why you're not getting any responses. As I mentioned, I'm not familiar with the CLI at all and I don't use NextDNS, so I don't have any other help I can provide.

I uninstalled the CLI version and completely removed the configuration using PuTTY, but it still only supports UDP.
I activated the Unbound Plugin, and here are my settings.

Okay, it only needed some time; now it's showing DoT. :)

Glad to hear you got it working. :)

Also, Windows now includes ssh, so you don't need to use PuTTY.