Question: NextDNS setups


TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,638
1. Is IP linking required with all NextDNS setups? I used the DoH setup for Windows 11.
No, it is meant only for IPv4 and classic DNS (UDP via 53).
2. Does the NextDNS protection work with existing and new Wi-Fi connections?
Yes, if you have set automatic DNS. You can check on the NextDNS webpage or via https://test.nextdns.io


rashmi

Level 12
Thread author
Jan 15, 2024
551
I used IPv6 addresses for DoH, and it worked without requesting IP linking. So, I cannot use both IPv6 and IPv4?
DNS is set to manual DNS. Because I used the manual setup instead of their app, I guess.
I couldn't find the remaining query info. Does the account show this information? I haven't created an account as I'm testing it.
 

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,638
The DoH setup with IPv6 doesn't require linking the IP. Do I have to disable IPv4 on the system?
Sorry, I have zero experience in this area, I disable IPv6 ASAP. I like privacy and reliability, but I do not think that NextDNS supports DNS64 yet, so you might have an issue connecting to IPv4 only services. But with zero support from NextDNS you can simply test via trial and error, it will either work or not.
 

rashmi

Level 12
Thread author
Jan 15, 2024
551
The parental control software subscription on kids' systems will expire soon. I'm testing to see if NextDNS is a reliable alternative. I have the following problems.
1. My internet connection has both IPv4 and IPv6.
2. NextDNS DoH supports IPv4 only. I thought I'd add DoH for IPv4 and unencrypted IPv6 for IPv6.
3. Wi-Fi - Hardware Properties - DNS Assignment - I tested NextDNS DoH IPv4, but it didn't block adult sites. I then tried unencrypted IPv6, and it worked as expected.
4. I thought I'd use IPv6 only and disable IPv4, but some sites don't work, including the NextDNS website, if I disable IPv4.
5. All sites work if I use IPv4 and disable IPv6, but NextDNS DoH, which supports IPv4, doesn't work when added to Windows 11 23H2.
6. If I use IPv6 with NextDNS unencrypted IPv6 and keep IPv4 enabled, I could access adult sites sometimes and sometimes not.
 

Brahman

Level 18
Verified
Top Poster
Well-known
Aug 22, 2013
885
2. NextDNS DoH supports IPv4 only. I thought I'd add DoH for IPv4 and unencrypted IPv6 for IPv6.
No. It supports both. On the setup page select "Windows" and you can see the IPv6 address for setting up IPv6, like this: "Replace the current addresses (if any) with 2a07:a8c0::74:3b4a and 2a07:a8c1::74:3b4a." In Windows you need to:
  1. Open the Settings app.
  2. Go to Network & internet.
  3. Click on Wi-Fi (or Ethernet).
  4. Click on Hardware properties, or ignore this step if you clicked on Ethernet.
  5. Click the Edit button next to DNS server assignment.
  6. Select Manual.
  7. Enable IPv6 only if you need IPv6 alone functionality.
  8. Enter 2a07:a8c0::74:3b4a as Preferred DNS, then select On (manual template) and enter https://dns.nextdns.io/743b4a.
  9. Enter 2a07:a8c1::74:3b4a as Alternate DNS, then select On (manual template) and enter https://dns.nextdns.io/743b4a.
  10. Click Save.
PS: replace the underlined text with your own configuration. Even though it works for IPv6, I suggest you use IPv4 alone; IPv6 doesn't provide any particular benefit when compared with IPv4.
Wi-Fi - Hardware Properties - DNS Assignment - I tested NextDNS DoH IPv4, but it didn't block adult sites. I then tried unencrypted IPv6, and it worked as expected.
It works better with DoH, as the old unencrypted port 53 DNS does leak, since some DNS queries are sent through port 5353 too. To disable such leaks you need to enable DoH and log in to your NextDNS account, then go to "Parental Control" on the NextDNS page and enable "Block Bypass Methods".
To prevent any kind of DNS leak you need a Wi-Fi router that can support DoH or DoT natively (like MikroTik, or routers that are installed with OpenWrt/DD-WRT). Normal routers do not filter port 5353 DNS queries. But if you do not want to invest money into it, you can enable the DoH/DoT function on all your devices and use the parental control functions.

With Windows, I have seen some DNS leaks even after using the built-in Windows DoH settings. So I suggest you use the YogaDNS app. Detailed instructions are available here.

YogaDNS can run as a Windows Service. This mode provides two main features:
  • YogaDNS can run in the background when no user is logged on to the machine which will prevent any dns leaks.
  • Only the administrator can start/stop the service and change the configuration.
4. I thought I'd use IPv6 only and disable IPv4, but some sites don't work, including the NextDNS website, if I disable IPv4.
5. All sites work if I use IPv4 and disable IPv6, but NextDNS DoH, which supports IPv4, doesn't work when added to Windows 11 23H2.
6. If I use IPv6 with NextDNS unencrypted IPv6 and keep IPv4 enabled, I could access adult sites sometimes and sometimes not.
Use IPv4 alone. Most of the internet still functions on IPv4 alone.
 

rashmi

Level 12
Thread author
Jan 15, 2024
551
@Brahman, NextDNS DoH IPv6 works well when added to Windows 11, but DoH IPv4 doesn't. I don't want to install software for it to work. I renewed the parental control software subscription. The NextDNS DoH IPv4 didn't work on another Windows 11 system, either.
 

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,638
Once DoH is enabled (though you might need to have DNR enabled the first time, so DoH can be verified):
Code:
rem EnableAutoDoh=2: let the DNS client upgrade to DoH for servers it knows a DoH template for
reg add "HKLM\System\CurrentControlSet\Services\Dnscache\Parameters" /v "EnableAutoDoh" /t REG_DWORD /d "2" /f
rem DoHPolicy=3: the "Configure DNS over HTTPS" policy set to Require DoH
reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "DoHPolicy" /t REG_DWORD /d "3" /f
rem EnableDnr=0: turn off Discovery of Network-designated Resolvers once DoH is working
reg add "HKLM\System\CurrentControlSet\Services\Dnscache\Parameters" /v "EnableDnr" /t REG_DWORD /d "0" /f

you can even set it up via the registry by creating a template with your custom link and enabling it for your adapter's ID directly:
Code:
rem Point the DHCP-enabled adapter at the NextDNS IPv4 resolvers
wmic nicconfig where DHCPEnabled=TRUE call SetDNSServerSearchOrder ("45.90.28.99","45.90.30.99")

rem Register both resolver IPs as known DoH servers; replace xxxxxx with your own NextDNS profile ID
reg add "HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\45.90.28.99" /v "Template" /t REG_SZ /d "https://dns.nextdns.io/xxxxxx/LianLiPC-7NB" /f
reg add "HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\45.90.30.99" /v "Template" /t REG_SZ /d "https://dns.nextdns.io/xxxxxx/LianLiPC-7NB" /f

rem Enable DoH for those servers on one interface; replace the GUID with your own adapter's interface GUID
reg add "HKLM\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\{2fea24ab-7667-4d1c-87c9-220b61023550}\DohInterfaceSettings\Doh\45.90.28.99" /v "DohFlags" /t REG_QWORD /d "2" /f
reg add "HKLM\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\{2fea24ab-7667-4d1c-87c9-220b61023550}\DohInterfaceSettings\Doh\45.90.28.99" /v "DohTemplate" /t REG_SZ /d "https://dns.nextdns.io/xxxxxx/LianLiPC-7NB" /f
reg add "HKLM\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\{2fea24ab-7667-4d1c-87c9-220b61023550}\DohInterfaceSettings\Doh\45.90.30.99" /v "DohFlags" /t REG_QWORD /d "2" /f
reg add "HKLM\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\{2fea24ab-7667-4d1c-87c9-220b61023550}\DohInterfaceSettings\Doh\45.90.30.99" /v "DohTemplate" /t REG_SZ /d "https://dns.nextdns.io/xxxxxx/LianLiPC-7NB" /f


Windows also likes to use the default DNS (UDP via port 53), you might want to block it in the firewall, so it will not get used.

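The same setup that Brahman's Settings-app steps and TairikuOkami's registry commands describe can be done and, more importantly, verified with the Windows DnsClient and NetSecurity cmdlets. The script below is an added example written for this thread, not code from either poster or from NextDNS. It assumes: the profile ID is a placeholder you replace with your own; the resolver addresses 45.90.28.99 / 45.90.30.99 and the https://dns.nextdns.io/<profile> template format are the ones quoted in the thread; and the field names read from https://test.nextdns.io (status, protocol) are assumed from that endpoint's JSON output. Run it from an elevated PowerShell prompt on Windows 11.

```powershell
# Added example (not from the thread): configure NextDNS DoH on Windows 11 with the
# built-in DnsClient cmdlets and then verify it, instead of hand-editing the registry.
# Assumptions: $ProfileId is a placeholder; resolver IPs and template format come from
# the thread; the test.nextdns.io field names (status, protocol) are assumed.
#Requires -RunAsAdministrator

$ProfileId = 'xxxxxx'   # placeholder: replace with the ID shown on your NextDNS setup page
$Template  = "https://dns.nextdns.io/$ProfileId"
$Servers   = @('45.90.28.99', '45.90.30.99')

# Pick the first physical adapter (Wi-Fi or Ethernet) that is currently up.
$Adapter = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1
if (-not $Adapter) { throw 'No active physical adapter found.' }

# 1. Register each NextDNS address as a known DoH server with the profile template.
#    This is what the DohWellKnownServers registry keys in the thread do by hand.
#    AllowFallbackToUdp $false stops Windows from quietly dropping back to plain UDP/53
#    when the DoH endpoint is unreachable; AutoUpgrade makes the stub use DoH on its own.
foreach ($ip in $Servers) {
    if (Get-DnsClientDohServerAddress -ServerAddress $ip -ErrorAction SilentlyContinue) {
        Set-DnsClientDohServerAddress -ServerAddress $ip -DohTemplate $Template `
            -AllowFallbackToUdp $false -AutoUpgrade $true
    } else {
        Add-DnsClientDohServerAddress -ServerAddress $ip -DohTemplate $Template `
            -AllowFallbackToUdp $false -AutoUpgrade $true
    }
}

# 2. Point the adapter at those servers (IPv4). Windows matches them against the
#    known-server list above and upgrades queries to DoH, which is the equivalent of
#    the "Manual" + "On (manual template)" choice in the Settings app.
Set-DnsClientServerAddress -InterfaceIndex $Adapter.ifIndex -ServerAddresses $Servers
Clear-DnsClientCache

# 3. Optional hardening mentioned in the thread: block plain DNS (port 53) leaving the
#    machine so nothing bypasses the encrypted resolver. DoH itself travels over TCP/443,
#    so it is unaffected. Note this makes DNS fail closed if the DoH endpoint is down.
foreach ($proto in 'UDP', 'TCP') {
    $name = "Block plain DNS out ($proto/53)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol $proto `
            -RemotePort 53 -Action Block | Out-Null
    }
}

# 4. Verify: the per-server DoH state, a lookup through the local stub resolver
#    (no -Server, so it uses the configured DoH path rather than a direct UDP query),
#    and NextDNS's own test endpoint.
Get-DnsClientDohServerAddress | Where-Object ServerAddress -in $Servers |
    Format-Table ServerAddress, DohTemplate, AllowFallbackToUdp, AutoUpgrade
Resolve-DnsName -Name nextdns.io -Type A | Select-Object Name, IPAddress
$check = Invoke-RestMethod -Uri 'https://test.nextdns.io'
"test.nextdns.io: status={0} protocol={1}" -f $check.status, $check.protocol
```

The cmdlets write the same DohWellKnownServers and InterfaceSpecificParameters data that the reg commands above set, but they also let you read the state back, which is the quickest way to tell whether "DoH IPv4 doesn't work" is a template that was never matched to the server address or a fallback to UDP/53. They also avoid wmic, which Microsoft has deprecated. The expected result of the last line is protocol=DOH; if it reports a plain DNS protocol instead, the adapter is resolving over port 53 and the DoH template is not being applied.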

Brahman

Level 18
Verified
Top Poster
Well-known
Aug 22, 2013
885
@Brahman, NextDNS DoH IPv6 works well when added to Windows 11, but DoH IPv4 doesn't. I don't want to install software for it to work. I renewed the parental control software subscription. The NextDNS DoH IPv4 didn't work on another Windows 11 system, either.
What parental control software do you use?
 

rashmi

Level 12
Thread author
Jan 15, 2024
551
NextDNS or DNS-based services cannot block a website if it is present in the browser's history/data?
 

rashmi

Level 12
Thread author
Jan 15, 2024
551
Not until you have cleared any dns cache in your system and in Nextdns settings.

NextDNS defaults have the cache boost option disabled. Do you mean to enable it? Anyway, the blocking works now. I don't know if it was an incompatibility with AdGuard Desktop. I removed it and reinstalled uBlock Origin. After that, NextDNS seems to block the websites already present in the browser's history or data.
 

Brahman

Level 18
Verified
Top Poster
Well-known
Aug 22, 2013
885
NextDNS defaults have the cache boost option disabled. Do you mean to enable it? Anyway, the blocking works now. I don't know if it was an incompatibility with AdGuard Desktop. I removed it and reinstalled uBlock Origin. After that, NextDNS seems to block the websites already present in the browser's history or data.
You can enable the cache boost option if you want to reduce the number of DNS queries, as the free account can only have 300K queries (image 1). It has nothing to do with your system DNS cache or with your router. It's a cache system employed by NextDNS on their servers for your DNS queries that caches your queries for 3 or 4 minutes. The only issue is that if you get a block by NextDNS and you want to unblock that website and add it to the allow list, it will only get unblocked after 3 or 4 minutes, i.e. after the cache time (TTL) expires (see image 2).

 

rashmi

Level 12
Thread author
Jan 15, 2024
551
@Brahman, Thank you for all your help. I had to clear browser data sometimes to block a website or allow a download, which is annoying. The parental control categories also missed or allowed websites they should block. I'll continue Kaspersky Safe Kids, as it's much more effective, reliable, and instantly syncs allow and block actions.
 

ForgottenSeer 107474

@rashmi

Have a look at AdGuard DNS; they have parental control, and any user rule or filter list changes are applied immediately. It is also very easy to create allow or block rules from the logs.
 

rashmi

Level 12
Thread author
Jan 15, 2024
551
@rashmi

Have a look at AdGuard DNS; they have parental control, and any user rule or filter list changes are applied immediately. It is also very easy to create allow or block rules from the logs.
I have tested AdGuardDNS, and its parental control is basic, with no category blocking. A parental control without category blocking is simply a normal family DNS server with added allow/block functions.
 
