
Comments (61)

kunickiaj avatar kunickiaj commented on May 22, 2024 2

Just wanted to leave a note with my experience here. EdgeOS 2.x is based on Debian stretch which has "apt" and other commands used in the script.

The UniFi USG runs EdgeOS 1.x which is based on Debian wheezy (no apt, only apt-get).
The script currently detects the OS incorrectly as Debian and not EdgeOS because the version string in /etc/version is different than the regex in the install script:

cat /etc/version
UniFiSecurityGateway.ER-e120.v4.4.50.5272448.200215.0243

I modified the install script locally to detect it as EdgeOS and use binary install rather than debian packages and was able to get up and running. Still working through testing reboot/reprovision persistence. Note, using the "router" mode automatic setup, will bind to 5432 to not interfere with dnsmasq. You will need to update your config.gateway.json overrides in the UniFi Controller (e.g. CloudKey) to match so that reprovision doesn't wipe stuff out. If you're enabling device names, there's a couple extra options which I found in the nextdns client source here:

https://github.com/nextdns/nextdns/blob/master/router/edgeos/setup.go#L74-L78

Router mode seems to rewrite the dnsmasq config directly, ignoring what's in the edgeos configuration.

In recent controller versions (I'm running 5.12.66) the controller DNS settings seem to override anything you put in config.gateway.json (ironic, right?). So to ensure that everything goes through the NextDNS CLI, I've set them to 127.0.0.1 in the UniFi controller as well, though that still doesn't quite seem right, since you cannot specify an alternate port number in the UI, nor does it seem like you can override it in config.gateway.json anymore.

from nextdns.
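The comment above reports that the installer classified a USG as plain Debian because the /etc/version string did not match its regex. The following is an added example of platform detection written for this thread; it is not nextdns's install.sh. The UniFiSecurityGateway string is the one posted above, the `v<version>` EdgeRouter format and the install-method table are assumptions, and a missing /etc/version is treated as "unknown" so a caller can fall through to /etc/os-release instead of guessing.

```shell
#!/bin/sh
# Added example, not nextdns's install.sh: detect EdgeOS (EdgeRouter and USG)
# from /etc/version before trusting the Debian base that the rootfs reports.

# Classify one /etc/version line. Prints: usg, edgerouter, or unknown.
classify_version() {
    case "$1" in
        UniFiSecurityGateway.*) echo usg ;;         # string posted for the USG in this thread
        v[0-9]*)                echo edgerouter ;;  # assumed EdgeRouter format (e.g. v2.0.8-...)
        *)                      echo unknown ;;
    esac
}

# Read $1 (default /etc/version). A missing or unreadable file is reported as
# "unknown" rather than as an error so the caller can try another source.
detect_platform() {
    f="${1:-/etc/version}"
    if [ -r "$f" ]; then
        classify_version "$(head -n 1 "$f")"
    else
        echo unknown
    fi
}

# Decide how to install (assumed decision table). The USG has apt-get but no
# apt and, per the reports in this thread, cannot finish a TLS handshake with
# the deb repository, so it gets the static binary rather than the package.
install_method() {
    case "$1" in
        usg)        echo binary ;;
        edgerouter) echo deb ;;
        *)          echo unsupported ;;
    esac
}

# Stand-alone usage: classify this machine and print the chosen method.
platform="$(detect_platform)"
echo "platform=$platform install=$(install_method "$platform")"
```

Matching on the whole `UniFiSecurityGateway.` prefix rather than a loose substring is deliberate: the same firmware line also reports `ER-e120` inside the string, so a regex that only looks for an "ER" token could still pick the wrong branch.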

ChrisColotti avatar ChrisColotti commented on May 22, 2024 1

I can try it in a bit. Do we know if the Unifi USG will keep the config or will it get overwritten on a reboot/upgrade/provision operation from the controller?

PS - keep up the great work, been telling everyone i know in IT to test the service!


ChrisColotti avatar ChrisColotti commented on May 22, 2024 1

I have a backup USG-3 I can test on with a re-provisioning as well before I push it to my production USG. I keep that smaller spare on hand for isolated testing like this. I will report back.


ChrisColotti avatar ChrisColotti commented on May 22, 2024 1

@rs woot woot!

PS - nice job adding the block page option too!


eproxus avatar eproxus commented on May 22, 2024 1

Is there any progress on this? I would love to be able to run this on a USG as well.


rs avatar rs commented on May 22, 2024 1

Can you guys please test the installer on USG and report any issue?


rs avatar rs commented on May 22, 2024 1

Yes please contact us on chat.


rs avatar rs commented on May 22, 2024

The mips64 detection was broken. Can you please test with:

sh -c "$(curl -sL https://raw.githubusercontent.com/nextdns/nextdns/master/install.sh)"


rs avatar rs commented on May 22, 2024

I tested as a standalone. It should survive reboots and upgrades, not sure about controller provisioning.


ChrisColotti avatar ChrisColotti commented on May 22, 2024

well bugger, my spare USG-3 seems to be dead....hmm....don't have another one to test on besides my production USG-Pro. I gave it a try anyhow and got this:

      Welcome to EdgeOS on UniFi Security Gateway!


 **********************  WARNING!  **********************
 * Configuration changes made here are not persistent.  *
 * They will be overwritten by the controller on next   *
 * provision. Configuration must be done in controller. *
 ********************************************************

Last login: Sat Jan  4 11:52:28 2020 from 192.168.100.162
admin@Gateway:~$ sh -c "$(curl -sL https://github.com/nextdns/nextdns/blob/master/install.sh)"
sh: -c: line 6: syntax error near unexpected token `newline'
sh: -c: line 6: `<!DOCTYPE html>'

My experience with the Unifi stuff is that, depending on the change, it needs to be in a JSON file on the controller to remain persistent, but I can always see if it removes the settings with a forced provision if we can get the installer to work.


ChrisColotti avatar ChrisColotti commented on May 22, 2024

however, now the original commands seem to run but wget is missing....these USG's are finicky...

did you test on an EdgeRouter or a USG? Just curious

admin@Gateway:~$ sh -c 'sh -c "$(curl -sL https://nextdns.io/install)"'
INFO: OS: debian
INFO: GOARCH: mips64
INFO: GOOS: linux
i) Install NextDNS
q) Quit
Choice (default=i): i
INFO: Installing NextDNS...
sh: line 148: wget: command not found
gpg: no valid OpenPGP data found.
deb https://nextdns.io/repo/deb stable main
sudo: apt: command not found
sudo: apt: command not found
sudo: apt: command not found
ERROR: install: exit 0


rs avatar rs commented on May 22, 2024

EdgeRouter. Isn’t curl installed on your router? It should not use wget.


dave14305 avatar dave14305 commented on May 22, 2024

The mips64 detection was broken. Can you please test with:

sh -c "$(curl -sL https://github.com/nextdns/nextdns/blob/master/install.sh)"

This should be the raw link:

https://raw.githubusercontent.com/nextdns/nextdns/master/install.sh


rs avatar rs commented on May 22, 2024

Correct, sorry about that


rs avatar rs commented on May 22, 2024

The installer uses wget to install the deb signing key. I will fix that and use curl when available.

Can you confirm curl is installed and working with https? If not, is openssl command?

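Two failures in this thread come from the installer assuming things about the download path: it called wget on a box that only ships curl, and earlier a non-raw GitHub URL handed an HTML page to `sh -c`, which choked on `<!DOCTYPE html>`. The block below is an added example written for this thread, not nextdns's installer: it picks whichever fetcher is present (the preference order is an assumption) and refuses to treat a download as a script unless it starts with a shebang, so a web page can never reach the shell.

```shell
#!/bin/sh
# Added example, not nextdns's install.sh: choose an available download tool
# and sanity-check what it returned before anything is executed.

# Print the first fetcher found on PATH (curl preferred; order is an assumption).
# Exit status 1 and no output when neither exists.
pick_fetcher() {
    for tool in curl wget; do
        if command -v "$tool" >/dev/null 2>&1; then
            echo "$tool"
            return 0
        fi
    done
    return 1
}

# Build the command that streams $1 to stdout with the chosen tool.
# curl -f turns an HTTP error status into a non-zero exit instead of passing
# the server's error page through; wget -q -O - does the same by default.
fetch_cmd() {
    case "$(pick_fetcher)" in
        curl) echo "curl -fsSL $1" ;;
        wget) echo "wget -q -O - $1" ;;
        *)    return 1 ;;
    esac
}

# Return 0 only if $1 (the downloaded text) begins with a shebang. A 200 OK
# HTML page, like the non-raw GitHub URL in this thread, fails this check
# even though curl -f would have accepted it.
looks_like_script() {
    case "$1" in
        '#!'*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Stand-alone usage: report the fetcher and test the check on constructed input.
fetcher="$(pick_fetcher)" || fetcher=none
echo "fetcher=$fetcher"
if looks_like_script '<!DOCTYPE html>'; then
    echo "html accepted (unexpected)"
else
    echo "html rejected"
fi
```

Run the downloaded text through `looks_like_script` before `sh -c "$content"`; keeping the download and the execution as separate steps is what makes the check possible at all, whereas the one-liner `sh -c "$(curl ...)"` executes whatever came back.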

ChrisColotti avatar ChrisColotti commented on May 22, 2024

Curl is installed on a USG...yes

admin@Gateway:~$ curl
curl: try 'curl --help' or 'curl --manual' for more information
admin@Gateway:~$

I did try to hack some packages on the USG, broke it, reset it and re-provisioned it got it back online.....The upside to Unifi devices I guess :)


ChrisColotti avatar ChrisColotti commented on May 22, 2024

Now I wish that backup spare wasn't dead so I don't bring down the whole house LOL


ChrisColotti avatar ChrisColotti commented on May 22, 2024

so maybe we need to figure out the Unifi side of things separately from the EdgeRouter. I am pretty sure if the installer works Unifi upgrades will wipe the install.

While Unifi runs EdgeOS they configure very differently, especially with "installed" items directly on the router. Worst case the installer needs to be re-run each time the router is rebooted or at least upgraded. A reboot on Unifi will trigger a re-provision so that is easily tested.


kevtainer avatar kevtainer commented on May 22, 2024

I've run into a couple issues while attempting to use the setup script.

USG does not have the apt alias/helper, though apt-get works. I replaced that in the script but ran up against another error. While running apt-get update I get a TLS error, upon investigation I believe the OS doesn't support SNI.

xxx@ubnt:/usr/bin$ sudo apt-get update
Ign https://nextdns.io stable Release.gpg
Ign https://nextdns.io stable Release
Err https://nextdns.io stable/main mips Packages
  gnutls_handshake() failed: A TLS fatal alert has been received.
Ign https://nextdns.io stable/main Translation-en
W: Failed to fetch https://nextdns.io/repo/deb/dists/stable/main/binary-mips/Packages  gnutls_handshake() failed: A TLS fatal alert has been received.

E: Some index files failed to download. They have been ignored, or old ones used instead.
yyy@ubnt:~$ openssl s_client -connect nextdns.io:443
CONNECTED(00000003)
2002551960:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:757:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 290 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1579274310
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
zzz@ubnt:~$ openssl s_client -tls1_2 -connect nextdns.io:443
CONNECTED(00000003)
1994589336:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:348:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1579274347
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---


ChrisColotti avatar ChrisColotti commented on May 22, 2024

@notsureifkevin I still believe this code is only written for the EdgeRouter line NOT the Unifi line. For this to work it has to be completely different for the Unifi Security Gateway (USG). I too am a USG user and need this integrated into that line not the EdgeRouter line.


rs avatar rs commented on May 22, 2024

I'm not familiar with USG. How can I test it using an EdgeRouter?


ChrisColotti avatar ChrisColotti commented on May 22, 2024

@rs you can't they are two distinctly different products from Ubiquiti...

USG does not support directly installing applications (there are workarounds), but it's a JSON based config push from a controller
https://www.ui.com/unifi-routing/usg/

EdgeRouter as you have seen supports directly installing applications.
https://www.ui.com/edgemax/edgerouter-lite/


Lifeling avatar Lifeling commented on May 22, 2024

I would also love to be able to use this on the USG.


rs avatar rs commented on May 22, 2024

I need an USG setup to test it with. Since you have experience with it, do you know if there is a way to simulate it?


ChrisColotti avatar ChrisColotti commented on May 22, 2024

They may have a simulator for development if you contact them but otherwise you just have to buy one or borrow one from someone. I had a spare but it died on me a while back :/

Ubiquiti Unifi Security Gateway (USG) https://www.amazon.com/dp/B00LV8YZLK/ref=cm_sw_r_cp_api_i_Si-qEbTPJWKYE


ChrisColotti avatar ChrisColotti commented on May 22, 2024

@rs do we need to pitch in to buy you a USG? :)


rs avatar rs commented on May 22, 2024

Done already but thx :)


ChrisColotti avatar ChrisColotti commented on May 22, 2024

Same I know a bunch of people using the USG


w3st3ry avatar w3st3ry commented on May 22, 2024

Same! Excited to move on nextdns with my USG :)


rs avatar rs commented on May 22, 2024

Yes, the setup-router mode is an automated setup of routers so you don't have to edit things yourself. The idea is to change settings on startup and restore them on exit.


kunickiaj avatar kunickiaj commented on May 22, 2024

Side question, is it correct to only see the padlock and tool tip in the NextDNS dashboard logs section for DNS-over-HTTPS (NextDNS CLI) for IPv4 networks? For IPv6 queries I usually see the device ID but no indicator of DNS-over-HTTPS or the NextDNS CLI.


rs avatar rs commented on May 22, 2024

No it is not, contact us on our live chat for that.


eproxus avatar eproxus commented on May 22, 2024

Also, apt is not supposed to be used by machines, only apt-get is.

The apt command is meant to be pleasant for end users and does not need to be backward compatible like apt-get(8).


oneguynick avatar oneguynick commented on May 22, 2024

Can confirm it worked for me:

  • USG Pro 4
  • Using dnsmasq instead of default
  • Dual WAN with Load Balancing

admin@sidewinder:~$ uname -ar
Linux sidewinder 3.10.107-UBNT #1 SMP Sat Feb 15 05:22:22 UTC 2020 mips64 GNU/Linux


clarkdave avatar clarkdave commented on May 22, 2024

Worked for me with the standard (non pro) USG.

$ uname -ar
Linux SecurityGateway 3.10.107-UBNT #1 SMP Sat Feb 15 02:47:59 UTC 2020 mips64 GNU/Linux

I had to upgrade to the latest USG firmware; the installer failed until I did that with the error "tar: short read".


euskode avatar euskode commented on May 22, 2024

I tested this on a Dream Machine Pro and ran into the following error:

# uname -ar
Linux gasteiz 4.1.37-v1.6.6.2431-b2007c3 #1 SMP Fri Mar 27 20:17:42 UTC 2020 aarch64 GNU/Linux
# sh -c 'DEBUG=1 sh -c "$(curl -sL https://nextdns.io/install)"'
ERROR: Unsupported OS: Linux
INFO: OS:
INFO: GOARCH: arm64
INFO: GOOS: linux
ERROR: Cannot detect running environment.
# sh -c "$(curl -sL https://raw.githubusercontent.com/nextdns/nextdns/master/install.sh)"
ERROR: Unsupported OS: Linux
INFO: OS:
INFO: GOARCH: arm64
INFO: GOOS: linux
ERROR: Cannot detect running environment.

This device is fairly new so I'm happy to help test things as needed.


ChrisColotti avatar ChrisColotti commented on May 22, 2024

I can test later today on a USG Pro. Do we know if it survives an upgrade/reprovision?


rs avatar rs commented on May 22, 2024

What do you get for cat /etc/version on UDM?


rs avatar rs commented on May 22, 2024

@ChrisColotti I doubt it.


rs avatar rs commented on May 22, 2024

Note that if you enable caching it will disable dnsmasq dns and bind port 53 directly since 1.5 (recommended). This might ignore some dns related functions of Ubiquiti though, but they should be easy to replicate with the cli if needed.


ChrisColotti avatar ChrisColotti commented on May 22, 2024

Well installer seemed to work fine and logs are reporting MANY more device names....which is a GOOD thing, and some are now showing DNSoHTTPS but not all. In some cases the same client shows both HTTPS and non-HTTPS.

Also with this implementation are the controller WAN DNS servers no longer in use? Just trying to understand how the config changes on the USG itself as a router. I've been more used to the local clients only; this is the first "router" client I have.


rs avatar rs commented on May 22, 2024

Are those clients windows machines by any chance? Let’s discuss that over chat as it is not related to this issue.


rs avatar rs commented on May 22, 2024

Please upgrade to 1.5.2 first.


iandees avatar iandees commented on May 22, 2024

Hi! I just ran the installer on my EdgeRouter PoE running EdgeOS 2.0.1 as mentioned on the wiki. I completed the setup and gave it my NextDNS configuration ID. When I check my dashboard, though, NextDNS says I'm still using Cloudflare for DNS resolving.

If I remember correctly I had previously set up dnsmasq to cache locally with 1.1.1.1/1.0.0.1 as the upstream resolvers. Will the NextDNS install/configuration disable that or do I need to do it?


iandees avatar iandees commented on May 22, 2024

Ah nevermind, I'm seeing activity and stats showing up. I bet the Cloudflare info was cached somewhere. I'll be more patient 😄


iwilliamsj avatar iwilliamsj commented on May 22, 2024

Does this work on a UniFi Dream Machine Pro? I'm currently running it on a Raspberry Pi with no issues but I would like to have a one device solution if possible.


euskode avatar euskode commented on May 22, 2024

What do you get for cat /etc/version on UDM?

# cat /etc/version
cat: can't open '/etc/version': No such file or directory

I can also send you guys an email or chat about this – definitely don't wanna take over the USG discussion! Should I just open a new issue?


eproxus avatar eproxus commented on May 22, 2024

Successfully installed on a UniFi Security Gateway 3P running firmware 4.4.50.5272448.

$ cat /etc/version
UniFiSecurityGateway.ER-e120.v4.4.50.5272448.200215.0243

Forced a provision and NextDNS still reports running:

$ /config/nextdns/nextdns status
running

@ChrisColotti @rs However, I can confirm the duplicate entries from the same device, one encrypted and the other not. In my case it is Apple devices (iMac). This seems to happen for all devices, including the USG itself (when trying to resolve ping.ubnt.com).


ChrisColotti avatar ChrisColotti commented on May 22, 2024

Here’s an example. It’s an Nvidia shield TV but same for Apple and amazon devices.

Not sure if that’s a bug that it’s making 2 requests

363022B1-6275-49F2-AFA1-AA7CD318CB84


eproxus avatar eproxus commented on May 22, 2024

@ChrisColotti For me it's different. I have the device name in one entry, and the ID in the other:
Screenshot 2020-04-20 at 13 44 56
The tooltip for both the entries show the same originating IP address.


ChrisColotti avatar ChrisColotti commented on May 22, 2024

@eproxus I have some that show that; in the example I happened to grab it was the same device and ID, but I do have some where the name/device ID is the same. I was looking more at the source IP to confirm it is in fact the same device making both calls.

@rs thoughts? While it is working it should only make the secure calls and only once right?

Oddly that NVIDIA device on my network does have a system name on it that most other things see, but the USG has an odd way of managing local DNS entries from DHCP as well....not sure if that's part of this.

The upside is I can at least track client IP's for block rules now that are not natively running the client so this is progress! :)

I will say in the last 24 hours since adding this Secure DNS Calls overall increased 25%, from 25.6% of calls to 49.8% of calls, but one would think at some point now everything behind the USG with or without the client should result in 100% Secure DNS lookups :)


ChrisColotti avatar ChrisColotti commented on May 22, 2024

@kunickiaj I was curious about the actual Controller WAN DNS settings as those still have the NextDNS servers assigned. It would make sense this would have to be changed. If that's the case @rs it should be documented for the USG setup.

The thread has gotten pretty long some short consolidated setup instructions might be good now.


rs avatar rs commented on May 22, 2024

Do you guys have cache enabled? When caching is enabled, dnsmasq dns is disabled (with the port=0 dnsmasq param). With such a setup, this behavior should not happen if I understand the issue correctly.


kunickiaj avatar kunickiaj commented on May 22, 2024

Can confirm that enabling caching disables dnsmasq. The problem with that for me is that it then breaks LAN name resolution for me, which was previously handled by dnsmasq.

I previously had caching disabled and this line in my nextdns.conf:

forwarder my-local-domain.xyz.=127.0.0.1:53

To clarify, the setup that is working best for me is actually kind of funky which has caching disabled, upstream forwarding to dnsmasq, which has upstream forwarding back to nextdns. This doesn't seem like a valid configuration but works for me.

/config/nextdns/nextdns.conf

forwarder my-local-domain.xyz.=127.0.0.1:53
log-queries false
cache-size 0
cache-max-age 0s
detect-captive-portals false
bogus-priv true
setup-router true
listen localhost:53
report-client-info true
max-ttl 5s
hardened-privacy false
use-hosts true
timeout 0s
auto-activate true
config abcdef

dnsmasq.conf contains the line server=127.0.0.1 and /etc/dnsmasq.d/nextdns.conf
contains the lines

# Configuration generated by NextDNS
no-resolv
server=127.0.0.1#5342
add-mac
add-subnet=32,128


ChrisColotti avatar ChrisColotti commented on May 22, 2024

My caching is whatever the OOB config is which I think is caching enabled


rs avatar rs commented on May 22, 2024

@kunickiaj the solution would be to implement lan host resolution in cli. Should be trivial.


eproxus avatar eproxus commented on May 22, 2024

@rs

ubnt@USG:~$ cat /config/nextdns/nextdns.conf
cache-max-age 0s
detect-captive-portals false
hardened-privacy false
bogus-priv true
report-client-info true
use-hosts true
setup-router true
cache-size 0
timeout 5s
auto-activate true
listen localhost:53
config c0ffee
log-queries false
max-ttl 0s
ubnt@USG:~$ cat /etc/dnsmasq.d/nextdns.conf
# Configuration generated by NextDNS
no-resolv
server=127.0.0.1#5342
add-mac
add-subnet=32,128

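The two config dumps above (kunickiaj's and eproxus's) show the same shape: nextdns.conf with `cache-size 0`, a dnsmasq drop-in that sends everything to `127.0.0.1#5342`, and in the first case a `forwarder` line that sends the LAN domain back to dnsmasq on 127.0.0.1:53. The following added example, written for this thread and not part of the nextdns project, parses that pair of files and reports which of the three situations rs asked about applies: caching on (nextdns owns port 53, dnsmasq DNS off), a mutual loopback forward between nextdns and dnsmasq, or a plain one-way chain. The sample files are constructed from the values posted above; treating a missing `cache-size` as 0 is an assumption.

```shell
#!/bin/sh
# Added example, not part of nextdns: check the nextdns.conf / dnsmasq.d
# nextdns.conf pair for the forwarding layout discussed in this thread.

# Constructed samples mirroring the configs posted in the thread.
SAMPLE_NEXTDNS_CONF='forwarder my-local-domain.xyz.=127.0.0.1:53
cache-size 0
setup-router true
listen localhost:53
config abcdef'
SAMPLE_DNSMASQ_CONF='# Configuration generated by NextDNS
no-resolv
server=127.0.0.1#5342
add-mac
add-subnet=32,128'

# Value of a "key value" option in nextdns.conf ($1 = text, $2 = key); first hit wins.
nextdns_opt() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Target of the first "forwarder <domain>=<host>:<port>" line, e.g. 127.0.0.1:53.
nextdns_forwarder_target() {
    printf '%s\n' "$1" | awk '$1 == "forwarder" { sub(/^[^=]*=/, "", $2); print $2; exit }'
}

# Upstream of the first dnsmasq "server=<host>#<port>" line (dnsmasq uses '#').
dnsmasq_upstream() {
    printf '%s\n' "$1" | sed -n 's/^server=//p' | head -n 1
}

# True when $1 names the local host.
is_loopback() {
    case "$1" in
        127.*|localhost|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one of: caching, loop, chain.
#   caching: cache-size != 0, so nextdns binds port 53 and dnsmasq DNS is off.
#   loop:    nextdns forwards a domain to dnsmasq on loopback while dnsmasq's
#            upstream is nextdns on loopback; names dnsmasq cannot answer
#            locally would bounce between the two.
#   chain:   dnsmasq -> nextdns only, no forwarder pointing back.
check_forwarding() {
    nd="$1"; dm="$2"
    cache="$(nextdns_opt "$nd" cache-size)"
    if [ "${cache:-0}" != "0" ]; then   # absent cache-size treated as 0 (assumption)
        echo caching; return 0
    fi
    fwd="$(nextdns_forwarder_target "$nd")"
    up="$(dnsmasq_upstream "$dm")"
    if [ -n "$fwd" ] && is_loopback "${fwd%:*}" && [ -n "$up" ] && is_loopback "${up%#*}"; then
        echo loop; return 0
    fi
    echo chain
}

# Stand-alone usage on the constructed samples.
echo "layout=$(check_forwarding "$SAMPLE_NEXTDNS_CONF" "$SAMPLE_DNSMASQ_CONF")"
```

A "loop" result is not automatically wrong: dnsmasq answers names it learned from DHCP leases or /etc/hosts without consulting its upstream, which is exactly why kunickiaj's setup works for LAN hosts. What the check surfaces is that anything in the forwarded domain that dnsmasq does not know locally goes back out to nextdns, so the operator should confirm that is the intended path before relying on it.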
