For John's fork of Merlin, there are some firmware differences that break the smooth operation of nextdns CLI.

1. dnsmasq.conf uses "resolv-file=/tmp/resolv.conf" instead of "servers-file=/tmp/resolv.dnsmasq". Setup cannot find resolv.dnsmasq to perform the commenting of "server=". The /tmp/resolv.conf contains standard "nameserver 1.1.1.1" lines instead.
2. John's implementation of Stubby uses the nvram variable "stubby_proxy" to indicate if Stubby will run or not. Merlin uses "dnsprivacy_enable". dnsprivacy_enable does not exist on John's fork and should not be set.

There are errors running the commentServer() code due to the /tmp/resolv.dnsmasq not found, so the Setup never completes successfully and doesn't restart dnsmasq to enable the forwarding to nextdns CLI.

The same issue can happen on stopping or uninstalling, since it also cannot uncomment out the /tmp/resolv.dnsmasq lines, and dnsmasq is not restarted.

Hi,
I installed the nextdns cli on my Centos7 box, I tried to change the listen address/port in the configuration file, but it looks like, that the server/proxy only wants to listen on 0.0.0.0:53.

nextdns version 1.4.19

/etc/nextdns.conf

report-client-info true
detect-captive-portals false
bogus-priv true
use-hosts false
timeout 5s
auto-activate true
listen 127.0.0.1:10053
config XXX
log-queries true
hardened-privacy true
setup-router true

After executing "service nextdns restart", in the log files i see:

Jan 11 20:47:35 XXX systemd[1]: Started NextDNS DNS53 to DoH proxy..
Jan 11 20:47:35 XXX nextdns[12115]: Starting NextDNS 1.4.19/linux on :53
Jan 11 20:47:35 XXX nextdns[12115]: Listening on TCP/:53
Jan 11 20:47:35 XXX nextdns[12115]: Starting discovery resolver
Jan 11 20:47:35 XXX nextdns[12115]: Listening on UDP/:53

I would expect, that it would listen on port 10053 instead of 53.
Thanks

I set up a first config, then registered to save it. Set the DNS in Ubuntu 19.04 and it worked fine. But too many lists chosen and blocking is too vigorous.

Looks good, so I decided to start again, making a new config and deleting the first one.

I set the DNS addresses for the new config (confirmed multiple times) in a new network manager profile.

But now it does not record any queries in the Analytics page, doesn't block much and I get the message:

"This device is using NextDNS with another configuration."

This is despite having no other config - original one was deleted.

Running https://browserleaks.com/ip, it tells me I am connected to your DNS servers, consistent with the message above.

Why won't my new config work?

Thanks!

After testing the freebsd_amd64 v1.3.3 client on pfSense 2.4.4 for several days, I am happy to report it runs very well. However, after a reboot today I realized the NextDNS client did not start. I rebooted again to verify and confirmed the same.

After investigating, I found that pfSense does not follow the standard implementation of 'rc' and therefore any third-party scripts in /usr/local/etc/rc.d/ must end in a .sh extension in order to execute at boot: shell-script-option

I tried a couple things so I could report back the behavior:

1. [Simple "fix" 1] Added /usr/local/bin/nextdns start as an earlyshellcmd option. This worked perfectly and it still allowed me to execute nextdns <start|stop|restart|status> commands from the shell as expected.
2. [Simple "fix" 2] Added /usr/local/bin/nextdns start as a shellcmd option. This worked perfectly and will likely be my path forward as it is recommended to use this over earlyshellcmd when possible. It still allowed me to execute nextdns <start|stop|restart|status> commands from the shell as expected.
3. Removed earlyshellcmd and shellcmd as referenced above and renamed /usr/local/etc/rc.d/nextdns to /usr/local/etc/rc.d/nextdns.sh. This executed the script properly and started the service upon boot as desired, but broke the ability to execute nextdns ... commands at the shell:

[2.4.4-RELEASE][[email protected]]/root: nextdns status
Error: the service is not installed
[2.4.4-RELEASE][[email protected]]/root: service nextdns status
nextdns does not exist in /etc/rc.d or the local startup
directories (/usr/local/etc/rc.d), or is not executable

Listing services (service -l | grep nextdns) revealed it was now known as nextdns.sh, so the following worked:

[2.4.4-RELEASE][[email protected]]/root: service nextdns.sh status
nextdns is running as pid 63866.

So, given the options at this point, option 2 will be my path forward. It allows me to continue acting upon the NextDNS client as designed and won't require extra steps if the client is upgraded (or uninstalled/reinstalled for testing reasons). If there are better options I have not considered, I'm all ears.

I wanted to make you aware of this behavior on pfSense, however, just in case you wanted to add some additional verbiage in the README.md for those using pfSense as well.

NextDNS outputs DNS information to syslog, which is potentially disclosing information to other users on the system.
I could write a PR but there's no configuration file right now, and no option to use flags so I am not sure how you would want it.

what do the numbers at the end mean?

I: 13:19:25 127.0.0.1 tcp api.apple-cloudkit.fe.apple-dns.net. (53/461) 252
I: 13:19:25 127.0.0.1 tcp api.apple-cloudkit.fe.apple-dns.net. (53/145) 258
I: 13:19:27 127.0.0.1 tcp safebrowsing.googleapis.com. (45/88) 12
I: 13:19:27 127.0.0.1 tcp safebrowsing.googleapis.com. (45/100) 12

lead to
#20

NextDNS install script succeeds in pfSense, but it ignores the config in /usr/local/etc. No matter what I do or change it always wants to listen on 53, rather than an alternate port.

With recent versions of the NextDNS linux client on Raspbian I get the following error when starting the client:

Cannot start mDNS resolver: mdns browse: write udp6 [::]:5353->224.0.0.251:5353: sendto: network is unreachable

My config is:

setup-router false
listen :53
detect-captive-portals false
use-hosts true
bogus-priv true
timeout 5s
auto-activate false
config XXXXXX
log-queries false
report-client-info true
hardened-privacy false

As a future enhancement, it would be nice if the NextDNS client could cache records. This would be similar to the way in which dnsmasq and dnscrypt-proxy operate. Having this option would remove the need to have dnsmasq or unbound (or the like) sitting between client-devices and the NextDNS client in order to reduce lookup latency for common queries.

Additionally, if this feature was implemented, an added bonus would be if the NextDNS client could prefetch common queries like unbound does so well. That would further benefit lower latency for client-devices. I recognize this would interfere with the "-report-client-info" option as the requestor for prefetched records would be the NextDNS client itself. To some, this might be an acceptable tradeoff if latency is a concern.

i cant see my log activity when using the cli app and my rules are not being applied

I've noticed the stub always uses IPv4.
is IPv6 support planned?

--forwarder company.com=10.1.0.1,10.0.20.2

Due to experiencing the same #18 issue on my ArcoLinux installation, I've decided to install the nextdns resolver via Linuxbrew by using the brew formula given in the Readme.md. However, I notice that this brew formula is still stuck on the 1.1.1 version.

would it be possible to have a nextdns config to printout what is the current configuration the app will use on start up?

in case the config isnt valid or multiple are available or a user isnt aware one is installed on /etc/nextdns

I try to run nextdns listen on 127.0.3.1:53 because 127.0.0.1:53 always been used. and the are dnscrypt-proxy run on 127.0.2.1 so i just make it 127.0.3.1 on nextdns and it's run. But when nextdns started always changes resolve.conf nameserver into 127.0.0.1. How to make it changes IP automatically same as configure file (127.0.3.1) when nextdns started or after PC being restarted?

is there are any config parameter to make resolv.conf IP same config as listen parameter?

/etc/nextdns.conf

listen 127.0.3.1:53
config xxxxxx
log-queries false
report-client-info true
detect-captive-portals false
hardened-privacy false
bogus-priv true
timeout 5s
auto-activate true

/etc/resolve.conf

# This file is managed by nextdns.
#
# Run "nextdns deactivate" to restore previous configuration.

nameserver 127.0.0.1

NextDNS version 1.3.1
Linux Mint 19.1 Cinnamon

Thanks.

I tried to use the approach
https://github.com/nextdns/nextdns/wiki/OpenWRT

% sudo nextdns status
running

% sudo nextdns stop
Error: Failed to stop NextDNS Proxy: "launchctl" failed with stderr: /Library/LaunchDaemons/nextdns.plist: Operation now in progress

% sudo nextdns stop
Error: Failed to stop NextDNS Proxy: "launchctl" failed with stderr: /Library/LaunchDaemons/nextdns.plist: Could not find specified service

macOS 10.15.1

Tried to upgrade from 1.4.1 to 1.4.3 using installer. This is the result:
pfSense - Netgate Device ID: c91beea12631a8de4936

*** Welcome to pfSense 2.4.4-RELEASE-p3 (amd64) on pfSense ***

WAN (wan) -> ngeth0 ->

LAN (lan) -> ix1 -> v4:

0. Logout (SSH only) 9) pfTop
1. Assign Interfaces 10) Filter Logs
2. Set interface(s) IP address 11) Restart webConfigurator
3. Reset webConfigurator password 12) PHP shell + pfSense tools
4. Reset to factory defaults 13) Update from console
5. Reboot system 14) Disable Secure Shell (sshd)
6. Halt system 15) Restore recent configuration
7. Ping host 16) Restart PHP-FPM
8. Shell

Enter an option: 8

[2.4.4-RELEASE][[email protected]]/root: sh -c 'sh -c "$(curl -sL https://nextdns.io/install)"'
INFO: OS: pfsense
INFO: GOARCH: amd64
INFO: GOOS: freebsd

1. Configure NextDNS
2. Upgrade NextDNS from 1.4.1 to 1.4.3
3. Uninstall NextDNS
4. Quit
   Choice (default=1): 2
   INFO: Installing NextDNS...
   eval: cannot create /usr/local/sbin/nextdns: Text file busy
5. Configure NextDNS
6. Upgrade NextDNS from 1.4.1 to 1.4.3
7. Uninstall NextDNS
8. Quit
   Choice (default=1):

I have been trying to troubleshoot why my NextDNS logs do not show a proper device name for IPv6 capable clients which also have temporary addresses. I now see what is causing the discrepancy.

Here's an example of one of my clients (partially obscured IPs to protect the innocent):

I: 15:43:06 Discovered 192.168.XX.145 = MBP-2
I: 15:43:06 Discovered fe80::c1a:aaaa:a1b2:f7b7 = MBP-2
I: 15:43:06 Discovered 2606:XXXX:YYYY:ZZZZ:4d2:9953:51c2:8583 = MBP-2

Here is the ifconfig info from this same client:

en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::c1a:aaaa:a1b2:f7b7%en0 prefixlen 64 secured scopeid 0x4
	inet 192.168.XX.145 netmask 0xffffff00 broadcast 192.168.45.255
	inet6 2606:XXXX:YYYY:ZZZZ:4d2:9953:51c2:8583 prefixlen 64 autoconf secured
	inet6 2606:XXXX:YYYY:ZZZZ:81c:58e3:329b:690f prefixlen 64 autoconf temporary

So the mDNS resolver is only discovering the IPv4, IPv6-LL, and IPv6-secured addresses. But due to the nature of IPv6 when temporary addressing is used, outbound connections usually use the temporary address. In this case, the temporary address is what is getting ushered to my NextDNS client (via dnsmasq add-subnet=32,128) and subsequently logged with the query. The result is a device name such as Device #7DSZQ instead of MBP-2 (in this example) on the NextDNS side.

Is there a way for mDNS resolver to also discover or otherwise account for IPv6 temporary addresses?

When using the web interface, the domains in blacklist/whitelist are presented as a flat list. It would be more convenient to be able to group them so that it is easier to tell which domain is for what purpose there.

I run nextdns on the same host as a bind server that I used for an internal zone file. I want to run bind on loopback on a different port and use nextdns as my network dns server. Then point nextdns to my bind server for the internet domain. looking at the code (not a developer, but did not see a port variable in the code) and trying some configs like 127.0.0.1:5353 did not work.

Right now I am pointing bind to nextdns, but I lose the ability to running different policies based on mac or ip.

How to setup split horizon?

I opened an account in your website: my.nextdns.io.
After trying your service I have seen that I am not interested but I cannot delete my account.
How can I delete it?

Upon reboot, daemon is running but doesn't connect. The following run at a command prompt after boot resolves:

sudo nextdns stop
sudo nextdns run

Any way to make this connect mores smoothly on reboot / startup?

Thanks.

Might https://github.com/nextdns/nextdns/blob/master/README.md be updated for a FreeBSD audience?

I have found that the VPN client overrides the NextDNS DNS setting unless you start NextDNS client after VPN established. Ideally, NextDNS client would detect the network change and reestablish. Can be overridden in a browser like Firefox, where a custom DNS-oer-https connection can be indicated, but doesn't work for other client-network comms.

nextdns version 1.4.2

my mac is connect to the network via usb-c/ether network, not over the usual WiFi

with auto-activate enable, that USB network interface isnt updated to use 127.0.0.1 (or whatever IP nextdns is bind to).

if i run nextdns activate that USB network interface changes.
but if i stop nextdns and start again, the old DNS is reset

All the new discovery code is not invoked on the router because the config is in localhost mode, which suppresses discovery.

configs redacted

host 10.10.10.180 is showing up in the log for conf1 when it should be matching conf2. No, it is not one of the MAC addresses listed.

config 10.10.10.128/27=
config 28:a0:2b:56:e9:66=
config 84:89:ad:7c:e3:db=
config f4:37:b7:7f:fd:6a=
config 70:48:0f:b2:71:c1=
config 10.10.10.160/27=

[2.4.4-RELEASE][[email protected]]/root: sh -c 'sh -c "$(curl -sL https://nextdns.io/install)"'
e[31mERROR: Unsupported GOARCH: amd64e[0m

Hi I'm having issues installing NextDNS on my linux laptop.

What I use: Manjaro Cinnamon 18.1.3

What I've done:

• Install Go from Pacman
• Run: go get -u github.com/nextdns/nextdns
• Run: go install github.com/nextdns/nextdns

Where the issue occurs:
When trying to run sudo nextdns install -report-client-info -config <conf_id>, it says that sudo: nextdns: command not found

Is there a step that I'm missing? Thanks.

Noticed this page was added for Ubiquiti:
https://github.com/nextdns/nextdns/wiki/Installer

but getting errors on a USG:

admin@Gateway:~$ sh -c 'sh -c "$(curl -sL https://nextdns.io/install)"'
ERROR: Unsupported GOARCH: mips64

Maybe this also is only good for non Unifi devices only EdgeGateway? The Unifi USG runs Edge OS but re-writes on every update/boot

Maybe this is not ready yet for EdgeOS? I see QNAP is coming soon as well....nice!

I installed the CLI with Homebrew and it's working well. I have seen a few times where open WiFi with a captive portal though does not work unless I remove the 127.0.0.1 setting in Mac DNS. I suspect the NextDNS servers are not reachable until the portal is authenticated but can't get to the portal otherwise. I am not sure the work around but wanted to log the issue for tracking and ongoing testing of the Mac CLI.

I think the mac VPN app is fine as it won't connect until the internet is active, but I use the CLI so I can support other VPN's.

Once I removed the manual 127.0.0.1 portal came up and I could re-add 127.0.0.1 but that's not ideal for the average user.

WaLLy3K/wally3k.github.io@721e82a

Hello

I've noticed some strange thing.
On my device with Windows 8.1 (32bit), after installing the nextdns, after system restart, when the windows for login option appears which by default in my case is logging by image pattern, it takes for the login much more time then normal. It actually looks like some process is freezes after I made the pattern and it takes few seconds for the system to show the login messages that normally appears instantly. I can click other places and it's not totally freeze, just the process of logging seems to be stuck for some time.
Turning off automatic start-up or/and nextdns services strangely enough doesn't change anything.
Only uninstalling brings the situation to normal...

Usage of nextdns:
  -config value
    	NextDNS custom configuration id.

    	The configuration id can be prefixed with a condition that is match for each query:
    	* 10.0.3.0/24=abcdef: A CIDR can be used to restrict a configuration to a subnet.
    	* 00:1c:42:2e:60:4a=abcdef: A MAC address can be used to restrict configuration
    	 to a specific host on the LAN.

    	This parameter can be repeated. The first match wins.
  -listen string
    	Listen address for UDP DNS proxy server. (default "localhost:53")
  -log-queries
    	Log DNS query.
  -report-client-info
    	Embed clients information with queries.

cli help shows one dash
while the docs uses two dashes

is it possible to have a persistent config file in a well known location so that we don't have to always set the parameters via CLI?

Ubuntu 18.04 and NextDNS v1.2.10, I installed using the README instructions. After installing,

sudo nextdns install -report-client-info -config xxxxxx
sudo nextdns activate

When I try to browse or ping, I get nothing. The dig just times out.

$ dig +short @127.0.0.1 example.com
;; connection timed out; no servers could be reached

When I do a

sudo systemctl status nextdns

I see:

Dec 07 18:54:52 xps13 systemd[1]: Started NextDNS DNS53 to DoH proxy..
Dec 07 18:54:52 xps13 nextdns[3720]: Starting NextDNS 1.2.10/linux on localhost:
Dec 07 18:54:52 xps13 nextdns[3720]: Starting mDNS resolver
Dec 07 18:55:02 xps13 nextdns[3720]: doh resolve: context deadline exceeded
Dec 07 18:55:02 xps13 nextdns[3720]: doh resolve: context deadline exceeded

However! When I try (after deactivating the service so that port 53 doesn't conflict)

sudo nextdns run

I am able to dig just fine.

Any idea what's wrong, or how to find out if I'm missing something?

Ubuntu 18.04, NextDNS 1.3.0

Hello again, I'm not sure if this is an issue or advice is needed,

Whenever I reboot, NextDNS service is running but not used. I notice in /etc/resolv.conf that the network manager has overwritten the file:

# Generated by NetworkManager
nameserver 127.0.0.53

I have to manually sudo nextdns activate to get NextDNS being used again and then the /etc/resolv.conf file shows 127.0.0.1 and my DNS requests go to NextDNS...

Just like @krioso in #13 I did an uninstall reinstall following the README steps, I did it several times, but I'm always having the same result - I need to manually activate after each reboot.

What I see when I run sudo systemctl status nextdns - I don't see the 'context deadline exceeded' error from #13 that's why I made this a separate issue

Dec 11 11:49:34 xps13 nextdns[1705]: Endpoint failed: https://dns2.nextdns.io#45.90.30.0,2a07:a8c1::: roundtrip: dial tcp 45.90.30.0:443: connect: network is unreachable
Dec 11 11:49:34 xps13 nextdns[1705]: Switching endpoint: https://dns1.nextdns.io#45.90.28.0,2a07:a8c0::
Dec 11 11:49:34 xps13 nextdns[1705]: Endpoint provider failed: https://router.nextdns.io?stack=dual: Get https://216.239.32.21:443?stack=dual: dial tcp 216.239.36.21:443: connect: network is unreachable
Dec 11 11:49:34 xps13 nextdns[1705]: https://dns1.nextdns.io#45.90.28.0,2a07:a8c0::
Dec 11 11:49:34 xps13 nextdns[1705]: https://dns2.nextdns.io#45.90.30.0,2a07:a8c1::
Dec 11 11:49:34 xps13 nextdns[1705]: Endpoint failed: https://dns1.nextdns.io#45.90.28.0,2a07:a8c0::: roundtrip: dial tcp 45.90.28.0:443: connect: network is unreachable
Dec 11 11:49:34 xps13 nextdns[1705]: Endpoint failed: https://dns2.nextdns.io#45.90.30.0,2a07:a8c1::: roundtrip: dial tcp 45.90.30.0:443: connect: network is unreachable
Dec 11 11:49:39 xps13 nextdns[1705]: Server [2a07:a8c0::]:443 0ms
Dec 11 11:49:39 xps13 nextdns[1705]: Server 45.90.28.0:443 31ms
Dec 11 11:49:39 xps13 nextdns[1705]: Connected 45.90.28.0:443 con=31ms tls=93ms, TLS13)

when connecting to a new endpoint like
I: 12:34:24 Switching endpoint: https://ipv4-m247-lon-1.edge.nextdns.io#194.79.31.68
return the latency to that endpoint

Freebsd_amd64 v1.3.3 client on pfSense 2.4.4:

[2.4.4-RELEASE][[email protected]]/root: nextdns log
Error: exit status 2

Where would the NextDNS service logs be stored by default?

when log-queries yes show the TYPE of query executed

when log-queries yes show if upstream query was done via IPv6 or IPv4

@rs I have seen file flag/file.go in this project and just wanted to advertise my own flagfile module. It provides a File that uses a flexible interface Loader which you could use to implement your own file format on top of File.

when my macbook resumes, nextdns cli app fails to re-connect

W: 12:52:43 Endpoint failed: https://dns1.nextdns.io#45.90.28.0: dial tcp 45.90.28.0:443: connect: network is unreachable
W: 12:52:43 Endpoint failed: https://dns2.nextdns.io#45.90.30.0: dial tcp 45.90.30.0:443: connect: network is unreachable