How to use NextDNS profile when IVPN is disconnected? (Linux Debian)
I use IVPN on my desktop and it works PERFECTLY with NextDNS (configured for DNS over HTTPS).
IVPN has a way to use the service "on demand" (able to turn IVPN on/off), and when I disconnect IVPN, my desktop reverts to simply using my desktop DNS. I use the IVPN on/off feature for scenarios like when my current wifi provider is blocking VPN, or when I trust that the network already has VPN at the router level.
And this is my issue: the only way I can seem to configure my desktop DNS and not break anything with IVPN (on or off) is with resolvconf (install resolvconf, configure /etc/resolv.conf with 'nameserver <<IP address of NextDNS name servers>>'), but the only thing allowed seems to be standard numerical IP addresses; '#' characters in this file are treated as comments, and I can't specify the profile ID.
After configuring resolvconf, I can turn IVPN on/off, but when testing connectivity with my NextDNS profile page, NextDNS gives me the message "This device is using NextDNS with no profile." Which makes sense, because I couldn't figure out how to specify my profile in /etc/resolv.conf.
I've tried all the other NextDNS setup configuration options (systemd-resolved, installing the NextDNS command line client, dnsmasq, stubby, DNSCrypt (which is what IVPN uses), Knot Resolver, Unbound), but all seem to either have no effect, break IVPN, or break my internet connection.
HOW DO I SET UP MY DESKTOP DNS TO USE NEXTDNS WITH MY PROFILE ID WHEN I DISCONNECT FROM IVPN?
Thank you in advance for any help.
5 replies
-
I'm not familiar with IVPN in any way, so I'm guessing the rest of the details below.
To get this to work you'll need to use a custom port number for some of those things you tried (CLI and stubby for starters).
I find systemd-resolved tends to interfere with the resolv.conf file. Best to start by disabling systemd-resolved before setting up anything else.
-
I THINK THIS IS RESOLVED! The above was good advice, and I ended up using a combination of stubby, resolvconf and customizing the loopback address 127.0.0.2 (not the port number) to get it to work.
First - I installed stubby and added the profile items:
$ sudo apt install stubby
$ sudo nano /etc/stubby/stubby.yml
Make these changes to stubby.yml:
- Search for the 'upstream_recursive_servers:' (already in the file) and place the recommended NextDNS stubby profile config under it:
upstream_recursive_servers:
  # replace MYID with your NextDNS profile ID
  - address_data: 45.XX.XX.XX
    tls_auth_name: "MYID.dns.nextdns.io"
  - address_data: 2a07:XXXX::0
    tls_auth_name: "MYID.dns.nextdns.io"
  - address_data: 45.XX.XX.XX
    tls_auth_name: "MYID.dns.nextdns.io"
  - address_data: 2a07:XXXX::0
    tls_auth_name: "MYID.dns.nextdns.io"
(The round_robin_upstream parameter is already set to 1 - no need to copy that from the suggested NextDNS config)
- Comment out all the other test servers under 'upstream_recursive_servers:'. For example:
####### IPv4 addresses ######
### Test servers ###
# The Surfnet/Sinodun servers
#  - address_data: 145.100.185.15
#    tls_auth_name: "dnsovertls.sinodun.com"
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
#  - address_data: 145.100.185.16
#    tls_auth_name: "dnsovertls1.sinodun.com"
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
# The getdnsapi.net server
#  - address_data: 185.49.141.37
#    tls_auth_name: "getdnsapi.net"
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
I also commented out all the IPv6 servers below this as well.
- CHANGE THE LISTENING ADDRESSES SO THEY WON'T CONFLICT WITH THE DEFAULT 127.0.0.1 IVPN ADDRESS: I learned this little trick after scouring the internet. I couldn't figure out how to get the system DNS resolver (like resolvconf) to send off to a different/specific PORT, BUT I just learned that every 127.XXX.XXX.XXX address can be used as a loopback address, so let's let stubby listen on one of those. Changed 127.0.0.1 and 0::1 to 127.0.0.2 and 0::2:
listen_addresses:
  - 127.0.0.2   # any 127.XXX.XXX.XXX address should work? Don't know if I created a conflict
  # NOTE: ::2 is not a loopback address on Linux (::1 is the only IPv6 loopback), so it cannot be
  # bound. It is also not needed, because /etc/resolv.conf below points at 127.0.0.2 only.
  # - 0::2
- Restart stubby
sudo service stubby restart
And you can confirm stubby.yml is good to go:
$ sudo stubby -i
...
"upstream_recursive_servers": [
  {
    "address_data": <bindata for ....
# ALL THE NEXTDNS SERVERS SHOULD BE HERE
...
Result: Config file syntax is valid.
Now let's use resolv.conf to permanently forward all DNS requests to stubby (I looked at several articles, but this one is among the best):
$ sudo apt install resolvconf
# now enable, start and check the status of resolvconf
$ sudo systemctl enable resolvconf.service
$ sudo systemctl start resolvconf.service
$ systemctl status resolvconf.service
# add the line 'nameserver 127.0.0.2' near the top of this file; that will point the system resolver at stubby
$ sudo nano /etc/resolvconf/resolv.conf.d/head
$ sudo resolvconf --enable-updates
$ sudo resolvconf -u
And your network should work with your NextDNS servers when you have IVPN disconnected or paused.
NOW I CAN disconnect from IVPN and still use NextDNS.
By the way, my IVPN configs:
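An added example (not code from the post above, nor from NextDNS or IVPN) that ties the steps of the procedure together as one script: it renders the stubby.yml and the resolvconf head file from a NextDNS profile ID, rejects a listener that collides with the 127.0.0.1 address the post says IVPN uses (and ::2, which is not a loopback address), and can dry-run into a scratch directory before anything is written under /etc. The profile ID "MYID", the script name, the DESTDIR variable and the example IPs are placeholders; the NextDNS upstream addresses are passed in as arguments because the post masks them and they must come from your own NextDNS setup page.

```shell
#!/usr/bin/env bash
# Added example, not code from the post above: render the two files the
# procedure edits by hand (stubby.yml and the resolvconf head file) from a
# NextDNS profile ID, and check the loopback listener before anything is
# written under /etc. Upstream server IPs are passed as arguments because the
# post masks them; the profile ID and paths below are placeholders.
set -u

# Return 0 when ADDR is an IPv4 loopback address other than 127.0.0.1, the
# address the post says IVPN's own resolver already occupies. Every
# 127.0.0.0/8 address is loopback on Linux; ::2 is NOT (only ::1 is), so it
# is rejected here.
check_listen_addr() {
    local a b c d rest o
    IFS=. read -r a b c d rest <<EOF
$1
EOF
    [ "$a" = 127 ] && [ -z "$rest" ] || return 1
    for o in "$b" "$c" "$d"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    [ "$1" != 127.0.0.1 ]
}

# Print a stubby.yml: DNS-over-TLS to each upstream IP, authenticated against
# <profile>.dns.nextdns.io (the name form the post uses), listening on LISTEN_ADDR.
render_stubby_yml() {
    local profile_id="$1" listen_addr="$2" ip
    shift 2
    printf 'resolution_type: GETDNS_RESOLUTION_STUB\n'
    printf 'dns_transport_list:\n  - GETDNS_TRANSPORT_TLS\n'
    printf 'tls_authentication: GETDNS_AUTHENTICATION_REQUIRED\n'
    printf 'round_robin_upstream: 1\n'
    printf 'listen_addresses:\n  - %s\n' "$listen_addr"
    printf 'upstream_recursive_servers:\n'
    for ip in "$@"; do
        printf '  - address_data: %s\n' "$ip"
        printf '    tls_auth_name: "%s.dns.nextdns.io"\n' "$profile_id"
    done
}

# Print the first nameserver in a resolv.conf-style file: where the system
# resolver sends queries right now (127.0.0.2 = stubby once the procedure is
# done and IVPN is off; IVPN's own 127.0.0.1 listener when IVPN is on).
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Write both files under DESTDIR ("" for the live system, a temp dir for a dry
# run), refusing a listener that collides with 127.0.0.1, then run the same
# syntax check the post does by hand if stubby is installed.
write_configs() {
    local destdir="$1" profile_id="$2" listen_addr="$3"
    shift 3
    check_listen_addr "$listen_addr" || { echo "refusing listener $listen_addr" >&2; return 1; }
    mkdir -p "$destdir/etc/stubby" "$destdir/etc/resolvconf/resolv.conf.d"
    render_stubby_yml "$profile_id" "$listen_addr" "$@" >"$destdir/etc/stubby/stubby.yml"
    printf 'nameserver %s\n' "$listen_addr" >"$destdir/etc/resolvconf/resolv.conf.d/head"
    if command -v stubby >/dev/null 2>&1; then
        stubby -C "$destdir/etc/stubby/stubby.yml" -i
    fi
}

# Live install (as root, after 'apt install stubby resolvconf'):
#   ./nextdns-stubby.sh install MYID 127.0.0.2 <NextDNS IPv4> <NextDNS IPv6> ...
# then: systemctl restart stubby; resolvconf --enable-updates; resolvconf -u
# Dry run into a scratch directory (hypothetical DESTDIR variable):
#   DESTDIR=/tmp/dry ./nextdns-stubby.sh install MYID 127.0.0.2 192.0.2.1
if [ "${1:-}" = install ]; then
    shift
    write_configs "${DESTDIR:-}" "$@"
fi
```

Dry-run it first with DESTDIR pointing at a scratch directory and inspect the rendered files. After the live install, `first_nameserver /etc/resolv.conf` should print 127.0.0.2 with IVPN disconnected, and the 127.0.0.1 IVPN listener the post mentions once IVPN is connected, which is the on/off behaviour the thread is after.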
-
CORRECTIONS TO DISCUSSION ABOVE.
- It's NOT
$ sudo nano /ect/stubby.yml
it should be
sudo nano /etc/stubby/stubby.yml
That was just plain sloppy - sorry (and why can't I change MY original post?)
- It's NOT