
NextDNS UDM Pro listen config

I have several VLANs and the conditional profiles work great. However, I get a DNS leak when using NextDNS on the WireGuard VPN, which is perfect if NextDNS is disabled.

I have a VLAN (80), not using IPv6, that I want to exclude from NextDNS.

So far I've tried configuring it to listen on the various interfaces, but no luck. It won't run the nextdns config on everything else.

How do I get the nextdns client to pick up every VLAN except a specific one for pre-routing? I was thinking I could configure Pi-hole as the local DNS and have nextdns listen on its IP, and send everything there except the VLAN for VPN clients.

Any ideas for a simple way?

So basically VLAN 1 should be picked up by NextDNS (if it is, it gets profiled correctly), VLAN 2 the same, 3 the same, and then 80 should be excluded from the NextDNS proxy.

1 reply

    • Shaun.1
    • 8 mths ago

    I thought I would add more context and detail to hopefully make everything a bit simpler (or not).

    The official NextDNS client is installed natively on the UDM Pro and configured as standard, utilising conditional profiles to send different VLANs to different profiles.

    This works without issue in normal circumstances.

    When utilising the kernel WireGuard client (via peacey/split-vpn) and forcing VPN traffic for br80 (VLAN 80, VPN clients), all traffic successfully routes via the wg0 interface (VPN – NordVPN). VLAN 80 runs IPv4 only to avoid any issues with failback as well.

    When performing any DNS leak test from a client on the VPN VLAN (80), it will show the IPv4 NextDNS VPN from the default profile and the IPv4 DNS from the WireGuard VPN, and utilise the NextDNS DNS. This presents as a leak.

    If I disable the NextDNS CLI client, then the clients utilising VLAN 80 (VPN) show no leak and fully utilise the required DNS.

    After reviewing the NextDNS CLI config, setup-router was TRUE, which forces NextDNS to listen on localhost (IPv4 and IPv6: 127.0.0.1 and ::1 respectively) and bind to port 5553. This appears to override the WireGuard DNS config (or inject into it).

    After reviewing the NextDNS CLI, the listen option stood out, and it occurred to me that I should only listen on the VLANs that I want to route via NextDNS, leaving VLAN 80 untouched. This, in theory, should net the correct result.

    However, I am unable to work out what I should listen on besides localhost (127.0.0.1 and ::1) to only pick up traffic from those VLANs (in my case VLAN 1, 20, 40, 60, 90) and then apply the conditional profiles to segment the NextDNS profiles.

    I have tried the individual brX interfaces bound to 5553 to no avail (this makes sense), but nothing is picked up. When I do the individual interfaces, I set setup-router to false.

    My question ultimately is:

    1) Do I need to configure something like Pi-hole (and configure VLAN 1, 20, 40, 60 and 90 to point to it) and then configure NextDNS to listen against Pi-hole as a forwarder? In this case I would manually configure the Pi-hole as the DNS server for each VLAN.

    2) If it is not required to add a DNS service, can I do it natively? By this I mean, can I bind NextDNS to listen on specific interfaces to get the job done and pick up all traffic from VLAN 1, 20, 40, 60, 90?
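
For reference, this is the shape of nextdns.conf the reply is reaching for: setup-router off, one listen line per VLAN gateway address on port 5553, one conditional profile line per subnet, and VLAN 80 absent from both, followed by a check that nothing in the generated file binds inside or conditions on the VPN subnet. This is an added example written for this page, not configuration from the thread or from NextDNS itself. The interface names, gateway addresses and profile IDs are made-up placeholders, the `listen host:port`, `profile CIDR=ID` and `setup-router` keys are the nextdns CLI config keys as I understand them, and whether the UDM Pro's own resolver actually hands client queries to those per-VLAN listeners is exactly what the thread leaves unanswered.

```python
import ipaddress

# Constructed example table: interface -> (gateway address with prefix, NextDNS profile ID).
# Every address and profile ID here is a placeholder, not a value from the thread.
VLANS = {
    "br1":  ("192.168.1.1/24",  "abc123"),
    "br20": ("192.168.20.1/24", "def456"),
    "br40": ("192.168.40.1/24", "ghi789"),
    "br60": ("192.168.60.1/24", "jkl012"),
    "br80": ("192.168.80.1/24", "mno345"),  # VPN clients: must never be proxied
    "br90": ("192.168.90.1/24", "pqr678"),
}
DEFAULT_PROFILE = "abc123"  # fallback when no conditional profile matches
LISTEN_PORT = 5553          # port the reply observed setup-router binding on localhost


def build_nextdns_conf(vlans, exclude, default_profile=DEFAULT_PROFILE, port=LISTEN_PORT):
    """Return nextdns.conf text that listens only on the gateway address of each
    VLAN not in `exclude` and attaches one conditional profile per subnet."""
    lines = ["setup-router false"]  # keep the client off localhost:5553
    for iface, (addr, _) in vlans.items():
        if iface in exclude:
            continue
        lines.append(f"listen {ipaddress.ip_interface(addr).ip}:{port}")
    for iface, (addr, profile) in vlans.items():
        if iface in exclude:
            continue
        lines.append(f"profile {ipaddress.ip_interface(addr).network}={profile}")
    lines.append(f"profile {default_profile}")  # unconditional default goes last
    return "\n".join(lines) + "\n"


def parse_conf(conf):
    """Parse `key value` lines into (listener addresses, conditional subnets)."""
    listeners, nets = [], []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "listen":
            host = value.rpartition(":")[0].strip("[]")  # handles [::1]:5553 too
            if host not in ("", "localhost"):
                listeners.append(ipaddress.ip_address(host))
        elif key == "profile" and "=" in value:
            cond = value.partition("=")[0]
            try:
                nets.append(ipaddress.ip_network(cond, strict=False))
            except ValueError:
                pass  # MAC-address or interface-name conditions are not subnets
    return listeners, nets


def vlan_untouched(conf, vlan_cidr):
    """True when no listener sits inside `vlan_cidr` and no conditional
    profile overlaps it, i.e. the proxy has no foothold on that VLAN."""
    vlan = ipaddress.ip_network(vlan_cidr, strict=False)
    listeners, nets = parse_conf(conf)
    if any(ip in vlan for ip in listeners):
        return False
    return not any(net.overlaps(vlan) for net in nets)


if __name__ == "__main__":
    conf = build_nextdns_conf(VLANS, exclude={"br80"})
    print(conf)
    print("VLAN 80 untouched:", vlan_untouched(conf, "192.168.80.0/24"))
```

Run it and feed the printed text to `nextdns config` on the gateway; `vlan_untouched` is the check to keep in a commit hook so a later edit cannot quietly add a listener or profile rule back onto the VPN subnet. It deliberately ignores `localhost` listeners, because with setup-router off those are not reachable from a VLAN client.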
