
Can't force DNSSEC and DNSOverTLS

I'm using systemd to set up NextDNS. Only this (relaxed) configuration works:

[Resolve]
DNS=45.90.28.0#xxxxx.dns1.nextdns.io
DNS=2a07:a8c0::#xxxxx.dns1.nextdns.io
DNS=45.90.30.0#xxxxx.dns2.nextdns.io
DNS=2a07:a8c1::#xxxxx.dns2.nextdns.io
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic

If I try to force them:

[Resolve]
...
DNSSEC=yes
DNSOverTLS=yes

or only DNSOverTLS

[Resolve]
...
DNSSEC=allow-downgrade
DNSOverTLS=yes

or only DNSSEC

[Resolve]
...
DNSSEC=yes
DNSOverTLS=opportunistic

DNS isn't working. Any ideas here?

(all outgoing/egress traffic is allowed by default)

2 replies

    • NextDNS
    • 2 yrs ago

    DNSSEC validation should be disabled on the client when using a DNS firewall. We do the validation for you and inevitably break DNSSEC when blocking a domain.

      • acsf
      • 2 yrs ago

      NextDNS thanks, but then why does this also fail?

      [Resolve]
      ...
      DNSSEC=allow-downgrade # the systemd default
      DNSOverTLS=yes # your guides recommendation
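An added diagnostic for the thread above (my own code, not from systemd, NextDNS or either poster). It does two things: lints a [Resolve] fragment for what the two strict settings require (every DNS= server needs a #name for DNSOverTLS=yes to validate the certificate against; DNSSEC=yes against a filtering resolver is what the NextDNS reply warns about; and systemd conf syntax has no trailing comments, so annotations like the ones in the reply above, if written into the file literally, become part of the value), and, when given a server, probes it the way DNSOverTLS=yes must: TLS to port 853 with SNI, chain and hostname verified, one query with the EDNS DO bit set so the AD flag can be read from the answer. The sample config is constructed from the thread; `xxxxx` is the thread's placeholder for the profile ID and has to be replaced to probe a real endpoint. The `filtering_resolver` flag is my assumption encoding the NextDNS reply.

```python
#!/usr/bin/env python3
"""Lint a resolved.conf [Resolve] fragment, then optionally probe a DoT server
the way DNSOverTLS=yes must (TLS :853, SNI, certificate verified)."""
import secrets
import socket
import ssl
import struct

BOOL = {"yes", "no", "true", "false", "on", "off", "1", "0"}
STRICT = {"yes", "true", "on", "1"}
VALID_DNSSEC = BOOL | {"allow-downgrade"}
VALID_DOT = BOOL | {"opportunistic"}

# Constructed sample: the thread's config with the poster's trailing annotations
# left in, as if they had been written into the file literally.
SAMPLE_CONF = """\
[Resolve]
DNS=45.90.28.0#xxxxx.dns1.nextdns.io
DNS=2a07:a8c0::#xxxxx.dns1.nextdns.io
DNS=45.90.30.0#xxxxx.dns2.nextdns.io
DNS=2a07:a8c1::#xxxxx.dns2.nextdns.io
DNSSEC=allow-downgrade # the systemd default
DNSOverTLS=yes # your guides recommendation
"""


def parse_resolve(text):
    """Only whole-line '#'/';' comments are dropped: systemd has no inline
    comments, and in 'DNS=addr#name' the '#' separates address and SNI name."""
    cfg = {"DNS": []}
    in_resolve = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_resolve = line == "[Resolve]"
            continue
        if not in_resolve or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "DNS":
            cfg["DNS"].extend(value.split())
        else:
            cfg[key] = value
    return cfg


def lint_resolve(text, filtering_resolver=True):
    """filtering_resolver=True (assumption) encodes the NextDNS reply: a DNS
    firewall cannot keep DNSSEC intact for the names it blocks."""
    cfg = parse_resolve(text)
    dnssec = cfg.get("DNSSEC", "allow-downgrade")  # systemd default
    dot = cfg.get("DNSOverTLS", "no")              # systemd default
    findings = []
    for key, value, valid in (("DNSSEC", dnssec, VALID_DNSSEC), ("DNSOverTLS", dot, VALID_DOT)):
        if value.lower() not in valid:
            findings.append(f"{key}={value!r} is not a valid value "
                            "(systemd conf syntax has no trailing comments)")
    if dot.lower() in STRICT:
        for server in cfg["DNS"]:
            if "#" not in server:
                findings.append(f"DNS={server}: strict DNSOverTLS but no #name "
                                "to validate the server certificate against")
    if dnssec.lower() in STRICT and filtering_resolver:
        findings.append("DNSSEC=yes: answers for names the resolver blocks cannot "
                        "validate, so strict validation turns each block into a failure")
    return findings


def build_query(name, qtype=1, dnssec_ok=True, txid=None):
    """DNS query with RD set plus an EDNS0 OPT record carrying the DO bit."""
    txid = secrets.randbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, "class" = UDP payload size, TTL = ext-rcode/version/flags(DO)
    opt = (b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)) if dnssec_ok else b""
    return header + question + opt


def parse_header(msg):
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0x000F, "ad": bool(flags & 0x0020),
            "tc": bool(flags & 0x0200), "answers": an}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the TLS stream early")
        buf += chunk
    return buf


def dot_query(ip, sni, name, timeout=5.0):
    """Strict DoT probe: the default context verifies chain and hostname against
    sni, then one length-prefixed query is sent over the stream."""
    ctx = ssl.create_default_context()
    query = build_query(name)
    with socket.create_connection((ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            resp = _recv_exact(tls, length)
    result = parse_header(resp)
    if result["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch")
    result["cert_subject"] = subject
    return result


if __name__ == "__main__":
    import sys
    for finding in lint_resolve(SAMPLE_CONF):
        print("lint:", finding)
    if len(sys.argv) == 4:  # e.g. 45.90.28.0 <profile>.dns1.nextdns.io example.com
        print(dot_query(*sys.argv[1:4]))
```

If `dot_query` raises an `ssl.SSLCertVerificationError`, strict mode has nothing to work with for that address/#name pair regardless of the DNSSEC setting; if it returns but `ad` is False for a signed zone, the upstream is not validating, which is what DNSSEC=yes on the client would then try to do itself.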
