Unifi OS, how do you block all DNS except Nextdns?
Looking to force all DNS traffic over NextDNS so that no one on my network can easily bypass DNS.
8 replies
-
First, block DoH/DoT in Network app: Settings -> Security -> Traffic & Firewall Rules (choose Simple). Create an entry and select block as action, app as type, choose networks you want to enforce rule on, and for destination choose DNS over HTTPS and DNS over TLS.
I also listed 244 domains (that I gathered from various sources on the net) that are blocked also with one of these simple firewall rules. These are all DoH server domain names.
Second, switch to advanced in traffic & firewall rules. In LAN In, create a firewall rule to accept for all networks as source and destination list all of your NextDNS IP addresses for various profiles. For mine, I have source network all (I had to create a new IP address group) and port any. Destination is my profile IP addresses. I'm using DNSFilter instead of NextDNS, but that's not relevant to what you're doing here. See pic below.
After creating that rule, then create another rule blocking DNS resolvers. Make sure you put this AFTER your allow rule for your NextDNS IPs. Source is port/IP group, address group any, port group any. Destination is port/IP group, address group any, and port group DNS ports. Create a new port group and put 53 and 853 for ports.
I'm hoping that Ubiquiti uses dnsmasq in a future release. It would spoof DNS resolvers. So if a client has 8.8.8.8 set on their client individually, the UniFi console would use its own DNS resolver and pretend like it's 8.8.8.8. The client would never know the difference.
The above rules work well. Guests that come over have trouble connecting when they have Apple iCloud relay enabled.
-
For Traffic & Firewall Rules I do not see the option to select DNS over HTTPS, only TLS.
I created a rule blocking these 1149 DOH domains, except line 401 which is dns.nextdns.io
https://github.com/dibdot/DoH-IP-blocklists/blob/master/doh-domains.txtDestination is my profile IP addresses. I'm using DNSFilter instead of NextDNS, but that's not relevant to what you're doing here. See pic below.
I'm not sure if destIP at https://test.nextdns.io is what you're referring to. I'm using DOH for NextDNS so they are domains, not IPs unless I have this wrong. I can setup a rule for destIP but I doubt that IP is unique per NextDNS profile, also not sure if it would ever change, doubtful.
-
I am also not seeing DNS over HTTPS. @sidnen were you able to find that option?
-
What version of Network? I'm using 8.4 EA.
Content aside
-
2
Likes
- 1 mth agoLast active
- 8Replies
- 1891Views
-
7
Following