0

Caching is weirdly broken with NextDNS on OpenWRT

I tried running NextDNS on OpenWRT today. After setting up everything I noticed that it seems like dnsmasq doesn't do any caching anymore.

After a bit of investigation I realized that NextDNS configures two dnsmasq parameters when using client reporting:

add-mac
add-subnet=32,128

Source: my router and https://github.com/nextdns/nextdns/blob/v1.41.0/router/openwrt/setup.go#L131-L145

The problem with these is that they disable the cache in dnsmasq:

--add-subnet[[=[<IPv4 address>/]<IPv4 prefix length>][,[<IPv6 address>/]<IPv6 prefix length>]]

Add a subnet address to the DNS queries which are forwarded upstream. If an address is specified in the flag, it will be used, otherwise, the address of the requestor will be used. The amount of the address forwarded depends on the prefix length parameter: 32 (128 for IPv6) forwards the whole address, zero forwards none of it but still marks the request so that no upstream nameserver will add client address information either. The default is zero for both IPv4 and IPv6. Note that upstream nameservers may be configured to return different results based on this information, but the dnsmasq cache does not take account. Caching is therefore disabled for such replies, unless the subnet address being added is constant.

Source: https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

On the other hand setting a client cache size in /etc/config/nextdns causes the nextdns CLI to disable dns resolving of dnsmasq altogether, breaking the DNS resolution of hosts in the local domain since nextdns has no knowledge about DHCP clients registered in dnsmasq.

This is causing a few problems for me because I do need client reporting to disable ad blocking for a few devices but need the resolution of local domain hosts and I also can't not have a DNS cache for obvious reasons…

I don't see any way to fix this, but maybe someone has an idea?

5 replies

null
    • Strayer
    • 1 yr ago
    • Reported - view

    Further info: I now know that nextdns reads the dhcp.leases file and can resolve local hostnames, but not when it includes the domain. E.g. dig client1 resolves to an IP but client1.local.domain doesn't. I heavily use the full local domain because of SSL certificates, so I'm still stuck :(

      • NextDNs
      • 1 yr ago
      • Reported - view

       for non local domain, have you tried setting up a rewrite?

      • Strayer
      • 1 yr ago
      • Reported - view

      While this post was in review I already figured out what to do. I decided to run dnsmasq on a different port and let nextdns "replace" it as the default DNS on OpenWRT, just as it does when it is configured with a cache-size. It will leave dnsmasq alone if it finds the port config entry in the dhcp config. Then I set discovery-dns and forwarder in nextdns to dnsmasq to allow it to correctly resolve the local domain clients.

      In /etc/config/dhcp:

      config dnsmasq
          [...]
          option port '5353'

      In /etc/config/nextdns:

      config nextdns 'main'
              option setup_router '1'
              option report_client_info '1'
              option hardened_privacy '0'
              option log_queries '0'
              option enabled '1'
              option discovery_dns '127.0.0.1:5353'
              list forwarder 'my.local.domain.=127.0.0.1:5353'
              list config '123456'
              list config 'DE:AD:BE:EF:CA:FE=654321'
              list config 'BA:AD:BE:EF:FA:CE=654321'
              list config 'BE:EF:FA:CE:CA:FE=654321'
              list config 'C0:FF:EE:DA:DA:DA=654321'
              option cache_size '10MB'

      This seems to work fairly well now! Local client hostnames like "foobar" get resolved just as "foobar.my.local.domain" do and caching seems to work as well.

    • NextDNs
    • 1 yr ago
    • Reported - view

    Enable caching in the CLI.

    • Andrey.1
    • 1 yr ago
    • Reported - view

    Using OpenWrt 23.05 with default dnsmasq_full configuration and nextdns:

    nft sets with domain names resolved only if nextdns cache is disabled. 

Content aside

  • 1 yr agoLast active
  • 5Replies
  • 626Views
  • 3 Following