
NextDNS and pfSense

I would like to use NextDNS with my pfSense router.

What are the differences between using NextDNS CLI and the manual configuration (https://github.com/nextdns/nextdns/wiki/pfSense)?

What pfSense settings are required for CLI to work?

4 replies

    • ericafterdark
    • 1 yr ago

    For anyone reading this in the future.

    I followed up on the manual pfSense configuration (https://github.com/nextdns/nextdns/wiki/pfSense) without installing any additional CLI software and everything works fine.

    I used the NextDNS configuration guide at https://github.com/yokoffing/NextDNS-Config but made one exception. Since pfSense uses Unbound I enabled CNAME flattening.

      • Steve_Gadd
      • 4 wk ago

       Cheers, I was guided by your comments and have done the same, as I had issues when installing NextDNS on my DD-WRT Merlin router, which just got slower and slower and was flaky with Android devices. This method seems much more dependable in all regards, and because the front-end cloud config is the same regardless, the whole thing is very easy and portable, despite being very granular, with a broad range of options. In particular, the Android DNS resolver works as it should, instead of my having to put it on Auto mode, which I was having to do with the Merlin router. Just enabling it as permanently 'on' now is much more reassuring.

    • Failsafe
    • 3 wk ago

    I'm sure you're probably aware, but just using the IPv4 addresses from the "Linked IP" does not give you secure DNS (DNS using TLS) like DoH/DoT/DoQ. The Linked IP type of setup is just using UDP:53 connectivity which is plain-text DNS over the internet.

    Conversely, the NextDNS CLI listens on :53 (port 53) by default and your local clients "talk DNS" with it, but then it uses DoH to securely send your requests across the internet to NextDNS. This keeps your ISP and other interested parties a little more in the dark as to your internet traffic.
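
    A check for the distinction drawn above (plain port-53 DNS versus DoT versus DoH leaving the router), added here as example code; it is not from NextDNS, pfSense or the poster. It takes a `tcpdump -nn` summary of the pfSense WAN interface and classifies each outbound DNS flow by destination port and address. The sample capture is constructed, and the NextDNS anycast ranges 45.90.28.0/24 and 45.90.30.0/24, as well as the port-to-protocol mapping (53 plain, 853 DoT, 443 to a NextDNS address DoH), are assumptions made for the example.

```python
"""Classify upstream DNS egress from a tcpdump summary of a router WAN port.

Example code written for this thread, not NextDNS or pfSense tooling.
Assumptions (labelled): tcpdump -nn IPv4 output format; NextDNS resolvers
live in 45.90.28.0/24 and 45.90.30.0/24; port 53 = plain DNS (what a
Linked-IP setup sends), 853 = DoT (the manual pfSense config), 443 to a
NextDNS address = DoH (what the nextdns CLI sends).
"""
import ipaddress
import re
from collections import Counter

# Assumed NextDNS resolver ranges; adjust if your config page shows others.
NEXTDNS_NETS = [ipaddress.ip_network("45.90.28.0/24"),
                ipaddress.ip_network("45.90.30.0/24")]

# Constructed sample in the shape `tcpdump -nn -i <wan>` prints. 203.0.113.7
# plays the router's WAN address, 192.168.1.0/24 the LAN.
SAMPLE_CAPTURE = """\
10:00:00.000001 IP 192.168.1.50.51000 > 192.168.1.1.53: 40001+ A? example.com. (29)
10:00:00.000100 IP 203.0.113.7.52000 > 45.90.28.0.53: 40002+ A? example.com. (29)
10:00:00.000200 IP 203.0.113.7.52001 > 45.90.30.0.853: Flags [S], seq 1, win 65535, length 0
10:00:00.000300 IP 203.0.113.7.52002 > 45.90.28.0.443: Flags [P.], seq 1:200, ack 1, win 512, length 199
10:00:00.000400 IP 203.0.113.7.52003 > 198.51.100.9.443: Flags [P.], seq 1:100, ack 1, win 512, length 99
10:00:00.000500 IP 203.0.113.7.52004 > 8.8.8.8.53: 40003+ AAAA? example.net. (30)
"""

# timestamp IP src.sport > dst.dport: ...   (IPv4 only in this example)
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)


def classify_flow(src, dst, dport):
    """Label one packet as upstream DNS of some kind, or None if irrelevant."""
    d = ipaddress.ip_address(dst)
    if d.is_private:
        # LAN clients talking to the router's resolver: expected, not egress.
        return None
    in_nextdns = any(d in net for net in NEXTDNS_NETS)
    if dport == 53:
        return "PLAINTEXT Do53 to " + dst      # visible to the ISP
    if dport == 853:
        return "DoT to " + dst
    if dport == 443 and in_nextdns:
        return "DoH to " + dst                 # nextdns CLI behaviour
    # 443 to anything else is ordinary HTTPS (or a DoH provider we don't
    # know about); this example does not try to guess.
    return None


def audit(capture_text):
    """Count labelled upstream DNS flows in a tcpdump summary."""
    counts = Counter()
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(3), int(m.group(4))
        label = classify_flow(src, dst, dport)
        if label:
            counts[label] += 1
    return counts


def leaks_plaintext(counts):
    """True if any upstream DNS left the router unencrypted."""
    return any(label.startswith("PLAINTEXT") for label in counts)


if __name__ == "__main__":
    result = audit(SAMPLE_CAPTURE)
    for label, n in sorted(result.items()):
        print(f"{n:3d}  {label}")
    print("plaintext leak:", leaks_plaintext(result))
```

    Against a real box you would feed it `tcpdump -nn -i <wan> 'port 53 or port 853 or port 443'` captured on the pfSense WAN interface. Any PLAINTEXT line means the resolver, or a client bypassing it, is still sending queries in the clear, whatever the NextDNS web config says; the 8.8.8.8 line in the sample is that kind of bypass.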

    • Failsafe
    • 3 wk ago
    said:
    I'm sure you're probably aware, but just using the IPv4 addresses from the "Linked IP" does not give you secure DNS (DNS using TLS) like DoH/DoT/DoQ. The Linked IP type of setup is just using UDP:53 connectivity which is plain-text DNS over the internet.

    I re-read the pfSense config you followed and I do apologize: I see that it has you configuring DoT. So you're good there 👍🏻

    FWIW, I do still recommend using the NextDNS CLI where possible. It uses DoH (which should be faster than DoT) and has several additional features that improve the NextDNS experience:

    https://github.com/nextdns/nextdns/wiki#features
