0

DoH Proxy w/Eero Pro 6E - Lesson's learned + Is there an easier way?

Hey everyone, I recently moved from a home lab setup with pfSense and standalone AP's back to consumer grade gear with Eero Pro 6E's for simplicities sake and I am kinda of over running racks of gear at the house. My requirements were to use the Eero's with ethernet backhaul as both routers and AP's. I also wanted Ad prevention and internet security. I am aware of PiHole but let's be honest NextDNS is awesome and there is nothing close to it at the price point the service charges (which is a steal for the value you get imo). I can also take NextDNS with me via iOS VPN config and Windows on the go.

Anyway, with the Eero gear like most consumer grade stuff there isn't an ability to run the NextDNS CLI DoH proxy on the Eero device as it's a closed system (yes, I know about Merlin and DD-WRT alternatives but again simplicity is the goal here). I have AT&T fiber thus dual stack Ipv4/6 which amazingly the Eero's support but using Linked IP + the public IPv4/6 DNS servers works great with DDNS but I lose the client device support I enjoyed with pfSense previously. :-(

So, the 'solution' I came up with was to run a Linux server on a Raspberry Pi 4 I had lying around and point the Eero's DNS to the Pi configured with static IPv4 and IPv6 addresses with fallback addresses on the Eero to the public NextDNS IPv4/IPv6 in case the Pi blows up and things would just still work (minus client device data but hey the Spousal and Kid approval factor would stay at 11). I used ddclient on the Pi to keep the linked IP up to date with a domain I owned associated with a free Cloudflare account (100 other ways to do this part).

This solution turned out to be a surprisingly big P.I.T.A mostly with the strange issues I encountered with different Linux distros and the NextDNS CLI. Firstly, let me share the victory setup that works great in the end:

Great! --> Raspberry Pi 4 (2GB) w/32GB SD Card + FreeBSD 13.1-Release (aarch64) + NextDNS CLI v1.38.0 w/ddclient for Linked IP fallback (see docs here and use this sample file). Rock solid as was my previous setup with pfSense (which is based on FreeBSD).

Alpine Misery --> same config as Great above but using Alpine (latest). NextDNS DoH proxy gets stuck on 'Activating' the router with no apparent error.

Ubuntu Misery --> same config as Great above but using Ubuntu 22.04 first challenge is setting up the dual stack network with cloud init YAML. Who thought this was a good idea? It's arcane and reminds me of PowerShell DSC only more unpleasant. Ubuntu OOTB uses resolvd which conflicts with NextDNS and disabling the resolvd stub let to the same DoH proxy getting stuck on 'Activating' the router. Starting NextDNS DoH on 5353 instead of 53 works with resolvd pointing to localhost:5353 but you lose client device information. 

Raspberry Pi OS 32/64 Misery -> This is basically Debian and regardless of dual stack network setup with dhcpd or NetworkManager the DoH proxy would start and activate (yea!!!) but eventually it would fail. Restarting would work for a time and again it would fail. Wasn't able to figure this out unfortunately.

Fedora Misery -> Almost the exact same experience as Alpine. DoH proxy would start but get stuck on Activating the router. Basically the same issue as I had with Ubuntu above.

Anyway, despite having 'fun' playing with a bunch of distros and troubleshooting I am curious what others have found as reliable working setups for setting up the NextDNS DoH proxy with home consumer gear. 

-RD

Reply

null

Content aside

  • 1 yr agoLast active
  • 892Views
  • 1 Following