2024 Ubiquiti DNS Shield Configuration Issue
I noticed that Ubiquiti now allows the use of DNS Shield which allows DNS over HTTPS within the Dream Machine Pro's Controller software. I also noticed that NextDNS has 3 entries in the UniFi control panel by default (see attached screenshot). I have a paid NextDNS Pro account. How do I force Ubiquiti's settings to use my specific paid account? In other words, how do I set it to use "https://dns.nextdns.io/XXXXXX" as an entry?
59 replies
-
You can’t with this feature. It’s best to install our CLI.
-
Is there any update in this matter? What's the best practice to have Ubiquiti/Unifi use our paid NextDNS profile for DNS requests using encryption?
Is the latest best practice still to run the https://nextdns.io/cli on the router with specific instructions for UnifiOS from https://github.com/nextdns/nextdns/wiki/UnifiOS (Keep Content Filtering and the Ad Blocking OFF at UnifiOS) ?
-
First UNA beta was released with the option for „Custom DNS Shield settings“:
-
Based on the release notes forum comments at Ubiquiti I shall stick to CLI first. The DNS-SHIELD using the DnsCrypt settings in the Unifi Security Settings seems not to run very smoothly yet.
BTW: After the update to the new ("EA") version at Ubiquiti Unifi I had to re-install the CLI using SSH.
-
Now the general release is out has anyone tried it with Nextdns without using the CLI method? Why do you need the sdns://? I thought DNSCrypt was dying, is that what Unifi is using instead of TLS? I have a cloud gateway ordered and I'd really like it to work with Nextdns.
-
Yes, I have and has worked fine on both UDM-P and UXG-L. After watching my logs I saw that the UDM/UXG itself also needed to have its WAN DNS pointed to 127.0.0.1 so when it resolved microsoft.com, google.com, and cloudflare.com as part of the internet health check, those DNS lookups did not escape. My Encrypted DNS metric in the Analytics tab is now 100% after over a week of use with 50+ LAN clients.
-
works perfectly fine for me on my UDM-SE for 2 weeks
-
In my setup NextDNS keeps flapping between being an unconfigured profile and a configured one. Does your setup have that issue?
-
That is awesome news and good catch on the WAN DNS. Thanks!
-
I had that with another setup. Turned out it was working on IPv4 and not on IPv6 - so it sometimes worked and sometimes didn't.
-
where do you obtain the DNS Stamp (sdns://) value for NextDNS? Thank you.
-
The stamp can be found in the Linux setup section.
Then visit https://dnscrypt.info/stamps/ and paste in the stamp for further editing of the info (like adding a device name).
-
device name does not work when using dns shield with custom option. It would require CLI to run
-
You are correct that individual device names don’t work with dns stamps behind the router but I was referring to giving the router a device name.
-
Thanks for the help! Could you explain why it is necessary to point the WAN DNS to 127.0.0.1? I did and Microsoft and Google latency indicators stopped working. I don't know if it had anything to do with it.
-
My guess is that you have an Adblock rule that limits access to MS and Google sites and not Cloudflare. Test by turning off all adblocking in NextDNS. The reason that you point the UDM to itself is so you don't have leaks. Watch the dashboard and you will see unencrypted requests coming from the UDM is you just point you WAN DNS setting to you 2 custom NextDNS IPs.
-
that’s because there’s a bug in UniFi whenever you set your WAN’s DNS settings to a non-public IP (localhost or RF1918) the Google and Microsoft tests will always report nothing, but Cloudflare always will report the value. It’s been like this for years.
The funny thing is if you perform the same test from the command line, it reports just fine.
-
Thank you!
-
-
On new version 8.4.59 got an option to set the nextDNS how to setup this btw please anyone let me know
Content aside
- 9 days agoLast active
- 59Replies
- 12138Views
-
27
Following