NextDNS

[L9342344554]

Hi,
anyone knows if NextDNS could be integrated or connected with OpnSense?

I recently switched to NextDNS.io for some of my devices and find it extremely nice, convenient, without knowing too much of the network-architectural side of it.
I would love to have it enabled in the router, because OpenDNS seems way behind in feature/analysis/reporting scope.

As a feature recommendation.

Or anyone has a working setup?

Kind regards and Happy 2021!

[rlocone]

Here is the github for NextDNS
https://github.com/nextdns/nextdns/wiki

I installed via SSH and disabled 'unbound dns' since this would conflict with port 53. 

Now, if there is a better way to do this I'm all ears. 

[Demus4202]

Bump

I have been trying to manually config DNS over TLS, using the unbound custom config, but cant seem to get anywhere.

Would prefer to use unbound instead of the NextDNS CLI.

Any help would be greatly appreciated.

[Demus4202]

So i figured it out after all...

It seems that DNS settings under system > settings > general, cannot coexist with the lines we are adding to the custom options in unbound.

They both write forward-zones in the unbound.conf and unbound notices duplicates and drops one as far as i can tell.

So make sure you don't have manually defined servers elsewhere.

[blusens]

So i figured it out after all...

It seems that DNS settings under system > settings > general, cannot coexist with the lines we are adding to the custom options in unbound.

They both write forward-zones in the unbound.conf and unbound notices duplicates and drops one as far as i can tell.

So make sure you don't have manually defined servers elsewhere.

Thanks for this tip. Unbound doesn't seem to start after a reboot if I delete the DNS entries from General. Did you have this issue?

Edit: must have misconfigured something initially. Retried now and worked.

[Giant850]

Here's a blog on setting up OPNsense + NextDNS: https://www.derekseaman.com/2021/04/how-to-nextdns-opnsense-firewall.html


That bypasses unbound, so DNS queries go directly from client -> OPNsense gateway -> NextDNS. This allows NextDNS to show client/device info, if that's something you are interested in.

[japtain.cack]

I am currently using Unbound + Nextdns with client identification. It should be noted that you cannot modify /usr/local/etc/unbound.opnsense.d/dot.conf directly. opnsense will overwrite this file with whatever is configured in the GUI, even if it's blank. Unbound is configured to automatically load in any files contained in the /usr/local/etc/unbound.opnsense.d/ directory.

So, simply wipe your exiting DoT config in unbound, copy in the unbound config from NextDNS, add tls-server-bundle file option, to prevent any SSL errors (I ran into this), save, and restart. Here are the detailed steps.

• Disable all DoT options in Unbound, save, and restart unbound.
• Edit/create this file: /usr/local/etc/unbound.opnsense.d/dot-custom.conf
• Insert the Unbound config code block from NextDNS setup. You can use my code block, but ensure you update the ID and ensure it's similar to the NextDNS setup instructions. My example also shows how to configure a NextDNS client. I called mine "opnsense01", you can change this to whatever.
• Save the file, and restart unbound. Your UI may show Unbound is not started, but refresh the page and you should be good. If there are issues, check the logs.

Code: [Select]

server:
  tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#opnsense01-1a2345.dns1.nextdns.io
  forward-addr: 45.90.30.0#opnsense01-1a2345.dns2.nextdns.io


[rman50]

With the latest releases of the Unbound plugin, the DNS over TLS configurations works fine with NextDNS and client identification by using the hostname field. I switched from the custom configuration to the plugin once the DOT hostname option was added.

[redbull666]

With the latest releases of the Unbound plugin, the DNS over TLS configurations works fine with NextDNS and client identification by using the hostname field. I switched from the custom configuration to the plugin once the DOT hostname option was added.

Hi, I am trying to make this work and have my client devices show up in the NextDNS web UI, but I am not sure what you mean with this. Are you referring to the Unbound in Opnsense, or a NextDNS Unbound plugin, or a NextDNS Opnsense plugin (cannot find).

[rman50]

I configured forwarding to NextDNS using OPNSense's Unbound's DOT configuration (Services -> Unbound DNS -> DNS over TLS). With that configuration the only client device that will show up in the NextDNS GUI is OPNsense itself which is the way I wanted it. I use separate tools (Zeek, Influx & Grafana) to track/report on all my internal DNS queries. If you want individual device names to show up in the NextDNS GUI when utilizing a centralized forwarder, I believe you would need to use the NextDNS CLI client on OPNsense.

[redbull666]

I configured forwarding to NextDNS using OPNSense's Unbound's DOT configuration (Services -> Unbound DNS -> DNS over TLS). With that configuration the only client device that will show up in the NextDNS GUI is OPNsense itself which is the way I wanted it. I use separate tools (Zeek, Influx & Grafana) to track/report on all my internal DNS queries. If you want individual device names to show up in the NextDNS GUI when utilizing a centralized forwarder, I believe you would need to use the NextDNS CLI client on OPNsense.

Ok thanks, then I misunderstood what you meant!

[janci]

I did find out that I did post to not correct thread, so copy past my question here


1) account at nextdns created
2) disable dnscrypt
3) remove dnscrypt conf from /usr/local/etc/unbound.opnsense.d/
4) in Unbound DNS > DNS over TLS adding new record, for CN I did used ID of endpoints from setup tab of nextdns gui
5) restart unbound
6) dns is not working
7) checking log on Unbound DNS and following error is find


2022-02-03T21:08:05   unbound[92145]   [92145:2] notice: ssl handshake failed 45.90.28.179 port 853   
2022-02-03T21:08:05   unbound[92145]   [92145:2] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed


any idea?
thanks



NOTE #1
cat /usr/local/etc/unbound.opnsense.d/dot.conf

server:                                                                         
   tls-cert-bundle: /etc/ssl/cert.pem                                           
forward-zone:                                                                   
   name: "."                                                                     
   forward-tls-upstream: yes                                                     
   forward-addr: 45.90.28.179@853#XXXXX



NOTE #2
I still run opnsense 21.7.7
should I update to 22 ?



NOTE #3
I suspect that my IPS changing my dns queries.
I did check for dns leaks and when using 9.9.9.9 in resolve.conf on my linux laptop then it looks OK
but when using nexdns 45.90.28.179 then dns leak test web page show me that I am using google or opendns.

thats for 53 port and I think that they are doing same trick for 853.
so response is coming form different IP as request was sent to and it could be problem of "certificate verify failed"

what do you think?

[rman50]

The format for the Hostname in the Unbound DNS over TLS tab is: XXXXX.dns1.nextdns.io or XXXXX.dns2.nextdns.io where XXXXX is your endpoint ID. If you want the endpoint to have a name, you would do: name-XXXXX.dns1.nextdns.io.

Your dot.conf forward addr lines should look like these:

forward-addr: 45.90.28.0#XXXXX.dns1.nextdns.io
forward-addr: 45.90.30.0#XXXXX.dns2.nextdns.io

Fixing the hostname format should clear up the certificate verification error you are getting.

[janci]

aha, somohow I did not understand CN field correctly and I did put there just XXXX part.

thanks, it is working now