Tutorial Setup NextDNS with Pfsense

Hello to all,

First things First:
>>><<<>>>DISCLAIMER-START<<<>>><<<
For all Posted Applications and Lists
1. I am not responsible for damaged Hardware / Software of any kind
2. I do not own or am affiliated to the company / developers linked here
3. This is not a sponsored thread and do this as part of my hobby
4. Have fun and share your findings / experiences

>>><<<>>>DISCLAIMER-END<<<>>><<<

I just wanted to document on how to install NextDNS on a Pfsense Firewall box.

Why install?

For me it was a "peace of mind" thing since like the most I have a dynamic IP and want to know how each client behaves on the logs. (Self registering over NextDNS api and ID)

What does it do?

It installs an alternative to the unbound DNS Server.

How is the Setup?

Actually super easy and only requires a NextDNS account if you have more then 300000 Queries. At that point I was not sure how much I needed so I bought a Pro account for my household. (Private/Family)

Cmon come to the point!

OK OK - First you need a NextDNS ID (works with temp accounts too) <300,000 Queries - Then the git page -> nextdns/nextdns

Then shell access to your pfsense box (SSH) -> Option 8 -> Then use the Install script
Code:
sh -c 'sh -c "$(curl -sL https://nextdns.io/install)"'
Follow the instructions and insert the ID provided by NextDNS

1. Disable the Service "unbound" over the WebGUI of the Pfsense box
2. Delete DNS entries under System -> General Setup
-> 3. If you have special settings under Services -> DNS Resolver -> Custom Options [Caution -> If you use PFblockerNG do not delete the first line to the config!]
-> 4. If you have PFblockerNG installed there is no need for it since NextDNS can handle the workload! [Just double check the NextDNS Logs to see if filters are setup as you want it]

after that we go again to the Pfsense shell -> (SSH) -> Option 8
What we do there is change the cache size -> nextdns/nextdns
Code:
sh -c "nextdns config set -cache-size=10MB"
sh -c "nextdns restart"
AND Only IF -> "NextDNS with a custom configuration ID is configured!"
Code:
sh -c "nextdns config set -max-ttl=5s"
sh -c "nextdns restart"
To clear out the cache as explained here -> nextdns/nextdns

Then test your config with NextDNS...

What is should do?

in the logs it should show your devices in the network that request DNS queries. Then all requests should show a lock symbol for DNS over HTTPS - I tested with DNS over TLS but had DNS Leak issues.

Proof of working config:
PFDash.jpgDNSLeak.jpgSpeed.jpg
NextDNSLog.jpg

If more detail is needed just ask I am happy to provide more info.

Only If you want to help me out by getting NextDNS there is a Affiliate Link from me -> NextDNS <- Major Thanks in advance! I'll test some more and post updates... ;)

Best regards
Val.
 
Last edited:

MagikMark

New Member
May 2, 2021
3
Thanks valvaris for the tutorial.

I have some concern though. The tutorial works very well with my LAN interface. However, other interfaces lost their DNS server access rendering no internet connection.
Is there a tutorial that would give other interfaces same DNS feature as my LAN connection? If shell access is needed, maybe we could also include the syntax as well?

Thanks a lot
 
  • Like
Reactions: Nevi

valvaris

Level 4
Verified
Jul 26, 2015
191
Thanks valvaris for the tutorial.

I have some concern though. The tutorial works very well with my LAN interface. However, other interfaces lost their DNS server access rendering no internet connection.
Is there a tutorial that would give other interfaces same DNS feature as my LAN connection? If shell access is needed, maybe we could also include the syntax as well?

Thanks a lot
Hello @MagikMark

in the NextDNS Setup Dashboard there is a unbound script for DoT and how to set it up. But the Client has to be uninstalled for that to happen!

On the other hand you need to allow DNS Traffic to Firewall from the other Interfaces.

Example
LAN - Source: LANnet - Protocol: UDP - Port: DNS (53) - Destination: ThisFirewall - Protocol: UDP - Port: DNS (53)
same for
OPT1 - Source: OPT1net - Protocol: UDP - Port: DNS (53) - Destination: ThisFirewall - Protocol: UDP - Port: DNS (53)

The reason is that if that rule does not exist the optional Interfaces are not allowed to communicate to the Firewall - (Default Deny)

Best regards
Val.
 
  • Like
Reactions: Handsome Recluse

MagikMark

New Member
May 2, 2021
3
Have you tried this on your system? I tried opening the firewall as you have said. Same problem

For the unbound script, that is what I'm using now. I think this is now called DNS resolver
 

MagikMark

New Member
May 2, 2021
3
Workaround

Install NextDNS cli. After that do the ff:

1. Goto Dashboard -> Service -> DNS Resolver
1.1 Set DNS Resolver IP to somethin else, e.g. 5555
1.2 Check "Register DHP Leases in the DNS Resolver"
1.3 Check "Register Static mappings in DNS Resolver"
1.4 Save

2. Goto Dashboard -> Diagnostics -> Edit File
2.1 Browse "user/local/etc/nextdns.conf
2.1 Make sure the contens are the ff:

control /var/run/nextdns.sock
discovery-dns 127.0.0.1:5555
bogus-priv true
use-hosts true
setup-router false
listen LAN ip:53
listen Opt1 ip:53
listen Opt2 ip:53
listen OPt3 ip:53
listen localhost:53
config xxxxxx
cache-max-age 0s
log-queries true
max-ttl 5s
report-client-info true
detect-captive-portals false
timeout 5s
cache-size 10MB
hardened-privacy false
auto-activate true

DONE!

Stop and Restart DNS Resolver and NextDNS

Limitation:
1. Only Host Names are logged.
2. "Dashboard -> Status -> Dhp Leases" may not work
 
  • Thanks
Reactions: valvaris
Top