2

Unifi OS, how do you block all DNS except Nextdns?

Looking to force all DNS traffic over NextDNS so that no one on my network can easily bypass DNS.

8 replies

null
    • Eric.9
    • 7 mths ago
    • Reported - view

    First, block DoH/DoT in Network app: Settings -> Security -> Traffic & Firewall Rules (choose Simple).  Create an entry and select block as action, app as type, choose networks you want to enforce rule on, and for destination choose DNS over HTTPS and DNS over TLS.

    I also listed 244 domains (that I gathered from various sources on the net) that are blocked also with one of these simple firewall rules.  These are all DoH server domain names.

    Second, switch to advanced in traffic & firewall rules.  In LAN In, create a firewall rule to accept for all networks as source and destination list all of your NextDNS IP addresses for various profiles.  For mine, I have source network all (I had to create a new IP address group) and port any.  Destination is my profile IP addresses.  I'm using DNSFilter instead of NextDNS, but that's not relevant to what you're doing here.  See pic below.

    After creating that rule, then create another rule blocking DNS resolvers.  Make sure you put this AFTER your allow rule for your NextDNS IPs.  Source is port/IP group, address group any, port group any.  Destination is port/IP group, address group any, and port group DNS ports.  Create a new port group and put 53 and 853 for ports.

    I'm hoping that Ubiquiti uses dnsmasq in a future release.  It would spoof DNS resolvers.  So if a client has 8.8.8.8 set on their client individually, the UniFi console would use its own DNS resolver and pretend like it's 8.8.8.8.  The client would never know the difference.

    The above rules work well.  Guests that come over have trouble connecting when they have Apple iCloud relay enabled.  

      • Blobbie
      • 1 mth ago
      • Reported - view

       Thank you for your detailed guide, you’ve been a big help to me! •ᴗ• 

    • sidnen
    • 7 mths ago
    • Reported - view

    For Traffic & Firewall Rules I do not see the option to select DNS over HTTPS, only TLS.

    I created a rule blocking these 1149 DOH domains, except line 401 which is dns.nextdns.io
    https://github.com/dibdot/DoH-IP-blocklists/blob/master/doh-domains.txt

    Destination is my profile IP addresses.  I'm using DNSFilter instead of NextDNS, but that's not relevant to what you're doing here.  See pic below.

    I'm not sure if destIP at https://test.nextdns.io is what you're referring to. I'm using DOH for NextDNS so they are domains, not IPs unless I have this wrong. I can setup a rule for destIP but I doubt that IP is unique per NextDNS profile, also not sure if it would ever change, doubtful.

      • Martheen
      • 7 mths ago
      • Reported - view

       Since you allow the NextDNS domain, nothing stops other users from using their own NextDNS profile.

      • sidnen
      • 7 mths ago
      • Reported - view

      I'm aware of that, but this is just to block the kids so I think I'm fine. Block/allow list only allows domains so even if I wanted to exclude any other NextDNS profiles besides my own I'm not exactly sure how id go about doing that.

    • bookworm
    • 4 mths ago
    • Reported - view

    I am also not seeing DNS over HTTPS. @sidnen were you able to find that option?

    • Eric.9
    • 4 mths ago
    • Reported - view

    What version of Network?  I'm using 8.4 EA.

      • bookworm
      • 4 mths ago
      • Reported - view

       Aha! I have to switch to EA to get DoH blocklist? I got 8.3.32. Just a bit worried about bugs and stability.

Content aside

  • 2 Likes
  • 1 mth agoLast active
  • 8Replies
  • 1891Views
  • 7 Following