Can't force DNSSEC and DNSOverTLS

I'm using systemd to set up NextDNS. Only this (relaxed) configuration works:

[Resolve]
DNS=45.90.28.0#xxxxx.dns1.nextdns.io
DNS=2a07:a8c0::#xxxxx.dns1.nextdns.io
DNS=45.90.30.0#xxxxx.dns2.nextdns.io
DNS=2a07:a8c1::#xxxxx.dns2.nextdns.io
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic

If I try to force them:

[Resolve]
...
DNSSEC=yes
DNSOverTLS=yes

or only DNSOverTLS:

[Resolve]
...
DNSSEC=allow-downgrade
DNSOverTLS=yes

or only DNSSEC:

[Resolve]
...
DNSSEC=yes
DNSOverTLS=opportunistic

DNS isn't working. Any ideas here?

(all outgoing/egress traffic is allowed by default)

NextDNS:

DNSSEC validation should be disabled on the client when using a DNS firewall. We do the validation for you and inevitably break DNSSEC when blocking a domain.

acsf, 7 mths ago:

NextDNS thanks, but then why does this also fail?

[Resolve]
...
DNSSEC=allow-downgrade # the systemd default
DNSOverTLS=yes # your guide's recommendation
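As an added example (not code from the thread, from systemd or from NextDNS), here is a small Python checker that parses a [Resolve] section like the ones quoted above and spells out what each DNSSEC / DNSOverTLS value means against an attacker sitting between the client and the resolver. The linter and its findings are hypothetical; the sample configuration is the thread's relaxed one with a placeholder in place of the real profile id. It also keeps every DNS= line (Python's configparser would keep only the last one) and flags values containing '#', because systemd treats '#' as a comment marker only at the start of a line.

```python
"""Hypothetical linter for the [Resolve] section of systemd-resolved's
configuration.  Added example, not systemd or NextDNS code.  It keeps every
DNS= line, splits the address#server_name form, and explains what each
DNSSEC / DNSOverTLS value means for an on-path attacker."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the thread's relaxed configuration with a placeholder
# instead of the poster's real profile id.
SAMPLE_RELAXED = """\
[Resolve]
DNS=45.90.28.0#PROFILEID.dns1.nextdns.io
DNS=2a07:a8c0::#PROFILEID.dns1.nextdns.io
DNS=45.90.30.0#PROFILEID.dns2.nextdns.io
DNS=2a07:a8c1::#PROFILEID.dns2.nextdns.io
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
"""

TRUE_WORDS = ("yes", "y", "true", "t", "on", "1")


@dataclass(frozen=True)
class DnsServer:
    address: str
    server_name: Optional[str]


def parse_dns_entry(entry: str) -> DnsServer:
    """Split 'address#server_name'.  rpartition is used because IPv6
    addresses contain ':' (and may carry a '%iface' suffix), while '#' only
    ever introduces the TLS server name."""
    address, sep, name = entry.rpartition("#")
    if not sep:
        return DnsServer(entry, None)
    return DnsServer(address, name or None)


def parse_resolve_section(text: str) -> Tuple[Dict[str, str], List[DnsServer]]:
    """Return (scalar settings, DNS servers) from the [Resolve] section.
    Only whole lines starting with '#' or ';' are comments, as in systemd;
    anything after a value stays part of the value."""
    settings: Dict[str, str] = {}
    servers: List[DnsServer] = []
    in_resolve = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_resolve = line == "[Resolve]"
            continue
        if not in_resolve or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "DNS":
            # DNS= may repeat and may list several space-separated servers;
            # an empty DNS= resets the list, mirroring systemd.
            if not value:
                servers.clear()
            else:
                servers.extend(parse_dns_entry(e) for e in value.split())
        else:
            settings[key] = value
    return settings, servers


def assess(settings: Dict[str, str], servers: List[DnsServer]) -> List[str]:
    """Explain the security meaning of the DNSSEC / DNSOverTLS settings."""
    findings: List[str] = []
    for key, value in settings.items():
        if "#" in value:
            findings.append(f"{key}={value!r}: '#' inside a value is not a comment to "
                            "systemd; the value is passed verbatim and will likely be rejected")
    dot = settings.get("DNSOverTLS", "no")
    if dot == "opportunistic":
        findings.append("DNSOverTLS=opportunistic: TLS is tried first, but a forged 'no TLS "
                        "here' answer lets an on-path attacker downgrade to plaintext DNS")
    elif dot in TRUE_WORDS:
        findings.append("DNSOverTLS=yes: every query is encrypted; the resolver must speak "
                        "DNS-over-TLS and present a valid certificate")
        for s in servers:
            if s.server_name is None:
                findings.append(f"DNS={s.address}: no #server_name, so there is no hostname "
                                "for SNI or for matching the certificate name")
    dnssec = settings.get("DNSSEC", "")
    if dnssec == "allow-downgrade":
        findings.append("DNSSEC=allow-downgrade: validation is switched off if the upstream "
                        "looks DNSSEC-incapable, which a forged response can provoke")
    elif dnssec in TRUE_WORDS:
        findings.append("DNSSEC=yes: strict validation; a filtering resolver that substitutes "
                        "answers for blocked, signed names makes those lookups fail")
    return findings


if __name__ == "__main__":
    for finding in assess(*parse_resolve_section(SAMPLE_RELAXED)):
        print(finding)
```

Run against the relaxed configuration it reports the two downgrade paths; against the strict one it reports that the resolver must actually serve DNS-over-TLS with a valid certificate, and that blocked domains will fail validation under DNSSEC=yes, which is the behaviour the NextDNS reply describes.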
Last active 7 mths ago · 2 replies · 120 views · 2 following