Search

Welcome to the Community!
Search the community
HomeCommunityDiscussions
0

Can't force DNSSEC and DNSOverTLS

I'm using systemd to setup NextDNS. Only this (relaxed) configuration works: 

[Resolve]
DNS=45.90.28.0#xxxxx.dns1.nextdns.io
DNS=2a07:a8c0::#xxxxx.dns1.nextdns.io
DNS=45.90.30.0#xxxxx.dns2.nextdns.io
DNS=2a07:a8c1::#xxxxx.dns2.nextdns.io
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic

If i try to force them: 

[Resolve]
...
DNSSEC=yes
DNSOverTLS=yes

or only DNSOverTLS 

[Resolve]
...
DNSSEC=allow-downgrade
DNSOverTLS=yes

or only DNSSEC 

[Resolve]
...
DNSSEC=yes
DNSOverTLS=opportunistic

DNS aren't working. Any ideas here?

(all outgoing/egress traffic is allowed by default)

2replies Oldest first
  • Oldest first
  • Newest first
  • Active threads
  • Popular

  • DNSSEC validation should be disabled on the client when using a DNS firewall. We do the validation for you and inevitably break DNSSEC when blocking a domain.

    Like 1
      • acsf
      • acsf
      • 7 mths ago
      • Reported - view

      NextDNS thanks, but then why this also fails? 

      [Resolve]
...
DNSSEC=allow-downgrade # the systemd default
DNSOverTLS=yes # your guides recommendation
      Like
Login to reply
Like Follow
  • 7 mths agoLast active
  • 2Replies
  • 120Views
  • 2 Following
Powered by Forumbee

Home

 View all topics

Tags

 View all tags