
How to use NextDNS profile when IVPN is disconnected? (linux Debian)

I use IVPN on my desktop and it works PERFECTLY with NextDNS (configured for DNS over HTTPS).

IVPN has a way to use the service "on demand" (able to turn IVPN on/off), and when I disconnect IVPN, my desktop reverts to simply using my desktop DNS. I use the IVPN on/off feature for scenarios like when my current wifi provider is blocking VPN, or when I trust that the network already has VPN at the router level.

And this is my issue: the only way I can seem to configure my desktop DNS and not break anything w/ IVPN (on or off) is with resolvconf (install resolvconf, configure /etc/resolv.conf w/ 'nameserver <<IP address of NextDNS name servers>>'), but the only thing allowed seems to be standard numerical IP addresses: '#' in this file is treated as a comment, and I can't specify the profile id.

After configuring resolvconf, I can turn IVPN on/off, but when testing connectivity with my NextDNS profile page, NextDNS tells me "This device is using NextDNS with no profile." - which makes sense, because I couldn't figure out how to specify my profile in /etc/resolv.conf.

I've tried all the other NextDNS setup configuration options (systemd-resolved, installing the NextDNS command line client, dnsmasq, stubby, DNSCrypt (which is what IVPN uses), Knot Resolver, Unbound), but all seem to either have no effect, break IVPN, or break my internet connection.

HOW DO I SET UP MY DESKTOP DNS TO USE NEXTDNS WITH MY PROFILE ID WHEN I DISCONNECT FROM IVPN?

Thank you in advance for any help.

5 replies

    • R_P_M
    • 6 mths ago

    I’m not familiar with IVPN in any way so I’m guessing the rest of the details below.

    To get this to work you’ll need to use a custom port number, for some of those things you tried (CLI and stubby for starters).

    I find systemd-resolved tends to interfere with the resolv.conf file. Best to start by disabling systemd-resolved before setting up anything else.

    • RagingBullDurham
    • 6 mths ago

    I THINK THIS IS RESOLVED! The above was good advice, and I ended up using a combination of stubby, resolvconf and customizing the loopback address 127.0.0.2 (not the port number) to get it to work.

    First - I installed stubby and added the profile items:

    $ sudo apt install stubby
    $ sudo nano /ect/stubby.yml

    Make these changes to stubby.yml:

    1. Search for the 'upstream_recursive_servers:' (already in the file)  and place the recommended NextDNS stubby profile config under it:
      upstream_recursive_servers:
        - address_data: 45.XX.XX.XX
          tls_auth_name: "**MYID**.dns.nextdns.io"
        - address_data: 2a07:XXXX::0
          tls_auth_name: "**MYID**.dns.nextdns.io"
        - address_data: 45.XX.XX.XX
          tls_auth_name: "**MYID**.dns.nextdns.io"
        - address_data: 2a07:XXXX::0
          tls_auth_name: "**MYID**.dns.nextdns.io"
      

      (The round_robin_upstream parameter is already set to 1 - no need to copy that from the suggested NextDNS config)

    2. Comment out all the other test servers under 'upstream_recursive_servers:'. For example:
      ####### IPv4 addresses ######
      ### Test servers ###
      # The Surfnet/Sinodun servers
      #  - address_data: 145.100.185.15
      #    tls_auth_name: "dnsovertls.sinodun.com"
      #    tls_pubkey_pinset:
      #      - digest: "sha256"
      #        value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
      #  - address_data: 145.100.185.16
      #    tls_auth_name: "dnsovertls1.sinodun.com"
      #    tls_pubkey_pinset:
      #      - digest: "sha256"
      #        value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
      # The getdnsapi.net server
      #  - address_data: 185.49.141.37
      #    tls_auth_name: "getdnsapi.net"
      #    tls_pubkey_pinset:
      #      - digest: "sha256"
      #        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
      

      I also commented out all the IPV6 servers below this as well.

    3. CHANGE THE LISTENING ADDRESSES SO THEY WON'T CONFLICT WITH THE DEFAULT 127.0.0.1 IVPN ADDRESS: I learned this little trick after scouring the internet. I couldn't figure out how to get the system DNS resolver (like resolvconf) to send off to a different/specific PORT, BUT I just learned that every 127.XXX.XXX.XXX address can be used as a loopback address - so let's let stubby listen on one of those. Changed 127.0.0.1 and 0::1 to 127.0.0.2 and 0::2:
      listen_addresses:
        - 127.0.0.2 #any 127.XXX.XXX.XXX address should work? Don't know if I created a conflict
        - 0::2
    4. Restart stubby
      sudo service stubby restart

      And you can confirm stubby.yml is good to go:
       

      $ sudo stubby -i
      ...
       "upstream_recursive_servers":
          [
            {
              "address_data": <bindata for .... # ALL THE NEXT DNS SERVERS SHOULD BE HERE
      ...
      Result: Config file syntax is valid.
      

     

    Now let's use resolv.conf to permanently forward all DNS requests to stubby (I looked at several articles, but this one is among the best).

    $ sudo apt install resolvconf
    # now enable, restart and check the status of resolvconf
    $ sudo systemctl start resolvconf.service
    $ sudo systemctl enable resolvconf.service
    $ systemctl status resolvconf.service

    # add the line 'nameserver 127.0.0.2' near the top of this file, which will point to stubby
    $ sudo nano /etc/resolvconf/resolv.conf.d/head
    $ sudo resolvconf --enable-updates
    $ sudo resolvconf -u

    And your network should work with your NextDNS servers when you have IVPN disconnected or paused.

    NOW I CAN disconnect from IVPN and still use NextDNS.

    By the way, my IVPN configs:
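As an added sanity check (my own script, not from the thread, stubby or NextDNS), this Python snippet cross-checks the three pieces of the setup above: stubby must listen on something other than IVPN's 127.0.0.1, every upstream tls_auth_name must carry a real profile id, and the first nameserver in resolv.conf must be one of stubby's listen addresses. It runs on constructed copies of the two config files embedded inline; the profile id abc123 and the upstream address 192.0.2.10 are placeholders.

```python
import re

IVPN_RESOLVER = "127.0.0.1"          # resolver address IVPN itself binds (per the thread)
NEXTDNS_SUFFIX = ".dns.nextdns.io"   # DoT auth name is <profile id> + this suffix

# Constructed stand-ins for /etc/stubby/stubby.yml and /etc/resolv.conf (placeholder id and IPs).
GOOD_YML = """\
round_robin_upstream: 1
listen_addresses:
  - 127.0.0.2 # any 127.x.x.x loopback address, so no clash with IVPN's 127.0.0.1
  - 0::2
upstream_recursive_servers:
  - address_data: 192.0.2.10
    tls_auth_name: "abc123.dns.nextdns.io"
"""
BAD_YML = GOOD_YML.replace("127.0.0.2", "127.0.0.1").replace("abc123", "**MYID**")
RESOLV_VIA_STUBBY = "nameserver 127.0.0.2\n"
RESOLV_DIRECT_IP = "nameserver 192.0.2.10\n"   # the OP's first attempt: a bare NextDNS IP

def section(yml, key):
    """Non-comment lines indented under top-level `key` (minimal YAML slicing, no PyYAML)."""
    out, grab = [], False
    for ln in yml.splitlines():
        if re.match(rf"{re.escape(key)}:\s*$", ln):
            grab = True
        elif grab and ln and not ln[0].isspace():
            break                                   # reached the next top-level key
        elif grab and ln.strip() and not ln.lstrip().startswith("#"):
            out.append(ln.strip())
    return out

def listen_addresses(yml):
    return [l[1:].split("#")[0].strip() for l in section(yml, "listen_addresses") if l.startswith("-")]
def upstream_auth_names(yml):
    return re.findall(r'tls_auth_name:\s*"?([^"\s]+)"?', "\n".join(section(yml, "upstream_recursive_servers")))
def resolv_nameservers(resolv):
    return [f[1] for f in (ln.split() for ln in resolv.splitlines()) if len(f) > 1 and f[0] == "nameserver"]

def check(yml, resolv):
    """Problems in the resolv.conf -> stubby -> NextDNS(profile) chain; an empty list means it is consistent."""
    problems, listen = [], listen_addresses(yml)
    if IVPN_RESOLVER in listen:
        problems.append(f"stubby listens on {IVPN_RESOLVER}, colliding with IVPN's resolver")
    for n in upstream_auth_names(yml) or ["(no tls_auth_name)"]:   # no upstream at all is also a failure
        pid = n[:-len(NEXTDNS_SUFFIX)] if n.endswith(NEXTDNS_SUFFIX) else ""
        if not pid.isalnum():   # empty, or the unreplaced **MYID** placeholder -> "NextDNS with no profile"
            problems.append(f"upstream {n!r} carries no usable profile id")
    ns = resolv_nameservers(resolv)
    if not ns or ns[0] not in listen:   # a bare NextDNS IP here bypasses stubby, so the id never reaches NextDNS
        problems.append(f"resolv.conf nameserver {ns[:1]} does not point at stubby {listen}")
    return problems
```

Point `check()` at the real files (read `/etc/stubby/stubby.yml` and `/etc/resolv.conf`) to audit a live box; the third case reproduces the OP's original "no profile" symptom.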

    • RagingBullDurham
    • 5 mths ago

    CORRECTIONS TO DISCUSSION ABOVE.

    • It's NOT
      $ sudo nano /ect/stubby.yml

      it should be

      sudo nano /etc/stubby/stubby.yml

    That was just plain sloppy - sorry (and why can't I change MY original post?)

      • R_P_M
      • 5 mths ago

       Glad to see you sorted it out.

      To get the port number I think it was “#” or “@” after the IP address. It’s been a while since I set up everything (including trying stubby) before I switched to using AdGuardHome to connect to NextDNS. Some of the old info might still be there, I’ll probably take a quick look later.

      Also you only get a small window of time after posting to edit, either 5 or 15 minutes afterwards here. 

      • R_P_M
      • 5 mths ago

       Sorry, seems I mixed up the port info with dnsmasq and stubby configs.

      resolv.conf will only accept IP addresses, nothing else. 
