NextDNS Setup for UDM Pro/SE, Multi-VLAN, Multi Profile

G'morning all,

I wanted to drop a post here as I was recently converted to NextDNS for its features and controls.  Being a long time Unifi user & engineer, I wanted to post the setup I used for a Multi-vlan / Multi-profile setup and how to get it working correctly.  I will also tell you that when Network upgrades are done on the UDM, they do NOT affect the installation of Next DNS, but if it does, simply re-run the Nextdns setup with the "Remove" option, and re-install. Easy.

Anyways, I am running the UDM SE (Identical to the UDM Pro from a base OS standpoint, so no difference),  I run multiple Vlans, and I have multiple profiles setup on NextDNS, one being for the teens, the other for the rest of the house.  I want to go through the setup process as there were a number of steps out there, but none of them brought it all together to make it work correctly.

Ok, first thing first.  Make sure the UDM has the latest Console/Network updates. (OS setting on local console), once updated, go to nest step.

1. You must make a few changes on the UDM to make sure that NextDNS will work correctly with the Unifi OS,  so in no particular order
   1. Navigate to settings, Internet, click on Internet IP top of the screen, and make sure DNS is set to AUTO
   2. Navigate to Networks, if you have a single network or multiple VLANs, it is the same process.  Go into each Vlan, DHCP options, and make sure DNS is set to AUTO
   3. On the same screen, make sure that "Content Filtering" is "NONE" (Unifi is not noted for its great content filtering anyway.)
   4. Navigate to "Security" and make sure "AD Blocking" is unchecked and DNS Sheild is "Off" (If you use DNS Sheild, refer to the setup option on the setup tab of NextDNS)
2. Follow the install directions for NextDNS listed here: https://github.com/nextdns/nextdns/wiki/UnifiOS
   1. **If you get any errors stating to shut off the ad blocker or content filtering, you missed something from the above step, go back and review your UDM setup, once you fix on UDM, the setup process will automatically continue**
3. When going through the install, you will hit "Y or Yes" for a few initial questions, then you will get the first input prompt "Profile ID:"  Put in your profile ID (xxxxxx) OR put in your main profile ID if you have multiple.  No worry here, we are going to change this shortly.
4. It will then ask you about NextDNS cache to improve latency, answer "N" and move on.
5. At this point, you SHOULD be back to the UDM CLI prompt.  Now we create the custom config files to make this work.
6. Using the CLI, here is the "format" for 2 VLANs, one for kids, and one for everything else, I think you will get the flow here (xxxxxx would be the MAIN profile, yyyyyy would be the VLAN-specific profile)

   1. nextdns start
      nextdns activate
      nextdns config set -profile xxxxxx -profile 172.16.100.0/24=yyyyyy -setup-router
      nextdns config set -auto-activate -report-client-info
      nextdns restart

       

7. Some notes on the config setup for your knowledge.  This step will re-write the config file (/var/run/nextdns.sock) created with the base setup when you installed it.
8. I put the first profile config "-profile xxxxxx" first as this will define that profile xxxxxx be applied to every other network NOT defined in the proceeding list.  This is a blanket to all the other vlans you might have
9. The next CLI section "-profile 172.16.100.0/24=yyyyyy", use CIDR notation to set up every network (Vlan) you have that you want a profile against. You could have one like the above example OR just keep adding another "-profile" after this one to add more.
10. Finish the config set command with "-setup-router" to have NextDNS integrate with router firmware
11. Next command set "-auto-activate" and "-report-client-info" are the commands needed to make sure that the logs in NextDNS report the correct client names.
12. Restart the NextDNS service. 
13. At this point, NextDNS is running on the UDM, but we need one more step to complete it.
    1. Go to NextDNS dashboard, go to the "Linked IP" section and down to "Linked IP" and tap on the blue box to the right.  That should link your external IP router IP address to the NextDNS service.  *Note, if you are running a VPN on the router, this will require advanced configuration not documented here.  Also if you are running a VPN on any device (ie. work laptop, etc.) directly, it will circumvent NextDNS and will not provide any services.
14. Easy way to test, simply go to your browser and try this for a search & TLD block. (if you have these setup in NextDNS)

    1. 

    2. I have a block on the ".ai" TLD domain to block AI chat sites

       

You should be good to go!  You should also see the correct client names BY PROFILE in the logs on the dashboard.

Some notes on the product I found during the setup & use.

• If you have ANY iOS product (iPad, iPhone, etc), use the Apple Configuration Profile Generator on the iOS setup page, add the device name and USE THE QR code (much easier), follow the install on the device.  Apple devices are weird with their IP masking and other things they do, and to get it to work successfully, I had to go this route.  and It also continues to work OFF the wifi on LTE which is GREAT for kids phones when they are away from home.
• NextDNS is superior to the two previous services I used, OpenDNS and Pihole, much more advanced features, and most importantly to me, the ability to filter TLDs (.ai & .me OR specific sites with those TLDs) as to get rid of AI chats, etc.
• It has a pre-built AD block list (that auto updates), lots of options for parental control as well as Threat intelligence & AI threat detection, does an excellent job blocking domains that are known, new, and unknown via the AI
• Let's be honest, Unifi's Ad blocker, content filtering, etc. is NOT a game changer.  They seemed to have put a basic level of effort into those areas, thus why we are here.
• The parental control options are absolutely amazing.  Especially the ability to block bypass methods AND most importantly "Recreation time"  i.e. Welcome to screen time for ALL devices connected to the service.
• And if you are an inquiring parent, the logs show you EVERYTHING being accessed by device.
• If you are a Unifi user, when you utilize firewall rules to block apps and/or sites, Apple devices, due to how they encapsulate traffic, go right around your block as the traffic going through the router is not "seen" (i.e. blocking youtube on a router, but are able to access through SSL browser).  This product will prevent that from happening as it is working at the domain request level.

I hope this helps anyone using the UDM Pro/SE with the NextDNS product.

**One last note, when NextDNS upgrades the product, just go back to the UDM CLI and run

nextdns upgrade
nextdns restart

Have a great day