2024 Ubiquiti DNS Shield Configuration Issue

Rene Network 8.4.59 (EA) allows you to use a custom DNS Shield option.  You can get your profile info under dnscrypt in NextDNS Setup page under either Linux or routers.  You'll need the sdns.

Currently you can only do one profile.  I've heard they are implementing a per VLAN DNS Shield option.

The CLI works great from what I hear, but I've never gotten the courage to use it.  I've heard of people having issues when they update UniOS firmware and it's incompatible.

Dan Yes, I have and has worked fine on both UDM-P and UXG-L. After watching my logs I saw that the UDM/UXG itself also needed to have its WAN DNS pointed to 127.0.0.1 so when it resolved microsoft.com, google.com, and cloudflare.com as part of the internet health check, those DNS lookups did not escape. My Encrypted DNS metric in the Analytics tab is now 100% after over a week of use with 50+ LAN clients.

Dan works perfectly fine for me on my UDM-SE for 2 weeks

JWARE In my setup NextDNS keeps flapping between being an unconfigured profile and a configured one.  Does your setup have that issue?

JWARE That is awesome news and good catch on the WAN DNS. Thanks!

Dan I had that with another setup. Turned out it was working on IPv4 and not on IPv6 - so it sometimes worked and sometimes didn't.

JWARE where do you obtain the DNS Stamp (sdns://) value for NextDNS?  Thank you.

Jason Miles The stamp can be found in the Linux setup section.

Then visit https://dnscrypt.info/stamps/ and paste in the stamp for further editing of the info (like adding a device name).

R P M device name does not work when using dns shield with custom option. It would require CLI to run 

Mike Brust You are correct that individual device names don’t work with dns stamps behind the router but I was referring to giving the router a device name. 

JWARE Thanks for the help! Could you explain why it is necessary to point the WAN DNS to 127.0.0.1? I did and Microsoft and Google latency indicators stopped working. I don't know if it had anything to do with it.

Miguel My guess is that you have an Adblock rule that limits access to MS and Google sites and not Cloudflare.  Test by turning off all adblocking in NextDNS. The reason that you point the UDM to itself is so you don't have leaks.  Watch the dashboard and you will see unencrypted requests coming from the UDM is you just point you WAN DNS setting to you 2 custom NextDNS IPs.

Miguel that’s because there’s a bug in UniFi whenever you set your WAN’s DNS settings to a non-public IP  (localhost or RF1918) the Google and Microsoft tests will always report nothing, but Cloudflare always will report the value.  It’s been like this for years.

The funny thing is if you perform the same test from the command line, it reports just fine.

Safwan Shaikh 

Go to: https://my.nextdns.io.

In the "Setup Guide" section click "Routers".

Scroll to the "Stubby" section and copy the first part of the tls_auth_name. Should be something like 69a699.dns.nextdns.io. Copy that 69a699 part before the first period. That's the Server Name.

Next you'll need to scroll to the "DNSCrypt" section and copy the entire URL starting with sdns://. This is the DNS Stamp.

Apply those settings and you're done.

tonycoco Thank you for sharing, this got us going.