2024 Ubiquiti DNS Shield Configuration Issue

I noticed that Ubiquiti now allows the use of DNS Shield which allows DNS over HTTPS within the Dream Machine Pro's Controller software. I also noticed that NextDNS has 3 entries in the UniFi control panel by default (see attached screenshot). I have a paid NextDNS Pro account. How do I force Ubiquiti's settings to use my specific paid account? In other words, how do I set it to use "https://dns.nextdns.io/XXXXXX" as an entry?
64 replies
-
Hi guys, I enabled both the CLI and the Custom. Is there any issue with doing this? Should I only have one?
-
Since Unifi has added the ability to configure NextDNS within their UDM’s UI using Custom DNS (formerly DNS Shield), what is the point or benefit of continuing to use the CLI installer?
-
I'm using Control D's CLI, which will work with NextDNS or any other DoH/DoT provider. It's much more stable, survives reboots and firmware updates, and is highly configurable. Until Ubiquiti changes something in their firmware, which they're known for doing.
-
Running Unifi OS 4.1.13 on a UDM Pro with Network v9.0.114. Not interested in installing the CLI at this time. In order to use NextDNS and have the logging and analytics work, do I set up NextDNS using Security->Protection->Encrypted DNS->Custom and just fill in the server name and DNS stamp? I did this and it resolves names, but it doesn't use my profile. I also don't see any entries in the Analytics or Logs tabs. I also tried the Predefined setup and picked NextDNS from the list with the same result. Do I also need to link my IP and point my WAN interface to the NextDNS primary and secondary? The setup screen makes it look like it's Endpoint or Linked IP, but not both. Some documentation would really help out here. Thank you
-
I see this topic has aged a bit, so I am going to ask this question. Looking at buying a Ubiquiti UDM-PRO-MAX for my church and for my homelab here. Can these units work with DOH3 with NextDNS, and can they force all traffic connected to the network to use that DNS even if they are using other settings? Basically I am looking to absolutely ensure that I minimize the chance of someone using the church network for illicit activity and to keep everything child safe. Looking at these also because in the end there will be four separate VLANs passing through, either with or without outside access. Thank you!
-
@james.57 I don’t think you can force everyone to use your DNS; those days are gone somewhat. I’ve not configured DOH3 or DoQ and I’m not sure UniFi supports it. You might be better off asking that in UniFi forums, but here’s what I can say… NextDNS support for DoQ and DOH3 seems sketchy at best. Perhaps you have reasons for requiring these newish protocols, but seems like you might be too soon to the party.
- Using the native secure DNS in UniFi (DNS Shield) you can use DOH from the UDM’s “natively.”
- Using the NextDNS CLI installed on a UniFi cloud gateway you can use DOH for secure DNS.
So if you accept using DOH, not DOH3, you still cannot prevent devices from using their own secure DNS without pretty advanced (draconian?) traffic filtering. DOH uses TCP port 443 which is intended to make blocking it difficult. For example, any Apple user with iCloud Private Relay will be using secure DNS which you will probably not be able to block. Anyone using the NextDNS client app will also bypass your preferred DNS.
Lots of DNS traffic still uses original port 53 DNS, and you can block or redirect such traffic. You may even be able to block the use of DoT, but not DoH.
Additional info:
The CLI does not seem to support DoQ or DOH3, and support is not currently planned:
- https://github.com/nextdns/nextdns/issues/658
- https://github.com/nextdns/nextdns/issues/812
You may be able to get DOH3 working using the Control D client app and NextDNS’s doh3.dns.nextdns.io as reported here:
https://github.com/Control-D-Inc/ctrld/wiki/Example-Configurations
This is what NextDNS says about the different protocols:
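The port-based picture in the reply above (plain port-53 DNS can be redirected, DoT/DoQ on port 853 can be rejected, DoH on 443 cannot be singled out by port) can be shown as a concrete firewall ruleset. The script below is an added example, not something from this thread, from NextDNS or from Ubiquiti's UI, and it targets a generic Linux gateway with iptables rather than any UniFi-supported configuration; the gateway address 192.168.1.1 and LAN interface br0 are assumed placeholders. It only prints the rules unless APPLY=1 is set, so it can be inspected before anything is changed.

```shell
#!/bin/sh
# Added example (not part of the original thread): build the iptables rules a
# Linux gateway would use to force LAN clients through its own resolver.
# Placeholders: gateway resolver 192.168.1.1 on interface br0 (assumed names).
# The rules are printed by default; run APPLY=1 ... as root to apply them.

gen_dns_enforcement_rules() {
  gw_ip="$1"   # the gateway's own resolver address on the LAN
  lan_if="$2"  # the LAN-side interface the clients sit behind

  # 1. Plain DNS (UDP/TCP 53): transparently redirect any query that is not
  #    already aimed at the gateway resolver back to the gateway's port 53.
  for proto in udp tcp; do
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport 53 ! -d %s -j REDIRECT --to-ports 53\n' \
      "$lan_if" "$proto" "$gw_ip"
  done

  # 2. DoT (TCP 853) and DoQ (UDP 853) use a dedicated port, so forwarding
  #    them can simply be refused; clients then fall back or fail closed.
  for proto in tcp udp; do
    printf 'iptables -A FORWARD -i %s -p %s --dport 853 -j REJECT\n' \
      "$lan_if" "$proto"
  done

  # 3. DoH shares TCP 443 with all other HTTPS traffic. No port rule can
  #    separate it from ordinary web traffic, so nothing is generated for it;
  #    the function deliberately emits no rule touching port 443.
}

# Default run: print the ruleset. With APPLY=1 (as root) the same lines are
# fed to sh and installed.
if [ "${APPLY:-0}" = "1" ]; then
  gen_dns_enforcement_rules "${GW_IP:-192.168.1.1}" "${LAN_IF:-br0}" | sh
else
  gen_dns_enforcement_rules "${GW_IP:-192.168.1.1}" "${LAN_IF:-br0}"
fi
```

The redirect on port 53 keeps clients with a hard-coded resolver (8.8.8.8 and the like) on the gateway's NextDNS profile without their noticing; the port-853 rejects remove the two encrypted transports that are identifiable by port. Anything that reaches a resolver over DoH on 443 (iCloud Private Relay, the NextDNS app, browser built-in DoH) is untouched by these rules, which is exactly the limitation the reply describes.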