
NextDNS CLI - Listen only on specific IP address?

I am running NextDNS CLI on a cloud-hosted Debian server. I am also running a StrongSwan IKEv2 VPN server on the same machine.

My current IP addresses on the server machine:
Public IPv4 (xxx.yyy.zzz.aaa)
Public IPv6 (aaa.bbb.ccc.x........)
Private IPv4 (10.1.1.254)

The default installation of NextDNS CLI is installed and it is listening on all IP addresses, meaning that all my IP addresses (including my public IP address) are listening as a DNS server.

What changes do I make to my nextdns.conf so that it acts as a DNS listener only on a specific IP address (mainly only on the internal private IP address like 10.1.1.254)?

My current nextdns.conf looks like below:

auto-activate true
bogus-priv true
cache-max-age 0s
cache-size 10MB
config ca2f5e
control /var/run/nextdns.sock
detect-captive-portals false
discovery-dns
hardened-privacy false
listen localhost:53
log-queries false
max-inflight-requests 256
max-ttl 5s
mdns all
report-client-info true
setup-router true
timeout 5s
use-hosts true

What I would like is that my Debian Server should only respond to DNS requests that arrive on IP address 10.1.1.254 only. I do not want my server to become a DNS server on the public IP address, only on my specific private IP.

Help please...

7 replies

    • NextDNs
    • 3 yrs ago
    setup-router: false
    listen: 10.1.1.254:53
    
      • GuruPannu
      • 3 yrs ago

      NextDNS Thanks for your suggestion.

      I have changed the settings as advised. My conf now looks like:

      control /var/run/nextdns.sock
      max-ttl 5s
      detect-captive-portals false
      hardened-privacy false
      use-hosts true
      log-queries false
      report-client-info true
      bogus-priv true
      timeout 5s
      setup-router false
      listen: 10.1.1.254:53
      auto-activate true
      config ca2f5e
      cache-size 10MB
      cache-max-age 0s
      discovery-dns
      mdns all
      max-inflight-requests 256

      However, on executing sudo netstat -tunlp:


      Active Internet connections (only servers)
      Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
      tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      612/nextdns
      tcp        0      0 0.0.0.0:56765           0.0.0.0:*               LISTEN      621/sshd: /usr/sbin
      tcp6       0      0 ::1:53                  :::*                    LISTEN      612/nextdns
      tcp6       0      0 :::56765                :::*                    LISTEN      621/sshd: /usr/sbin
      udp        0      0 0.0.0.0:4500            0.0.0.0:*                           395/charon
      udp        0      0 0.0.0.0:500             0.0.0.0:*                           395/charon
      udp        0      0 127.0.0.1:53            0.0.0.0:*                           612/nextdns
      udp6       0      0 :::4500                 :::*                                395/charon
      udp6       0      0 :::500                  :::*                                395/charon
      udp6       0      0 ::1:53                  :::*                                612/nextdns
      udp6       0      0 :::33980                :::*                                262/systemd-timesyn


      This does not seem to show that 10.1.1.254 is working as the DNS address.
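      The netstat listing above is exactly the kind of output worth checking mechanically after editing the listen directive: the goal is that port 53 is bound only to the VPN-side address, never to 0.0.0.0, :: or the public address. The following POSIX shell function is an added example (not code from the thread or from the NextDNS project); it parses netstat -tunlp style text and reports every port-53 socket bound to anything other than the allowed address. The function names and the embedded sample listing are my own, the sample being constructed to mirror the shape of the output in the post above.

```shell
#!/bin/sh
# Added example: verify that a DNS daemon listens only on the intended address.
# Constructed sample modelled on the thread's `netstat -tunlp` output while the
# daemon was still bound to localhost (not the real output of the poster's host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      612/nextdns
tcp        0      0 0.0.0.0:56765           0.0.0.0:*               LISTEN      621/sshd: /usr/sbin
tcp6       0      0 ::1:53                  :::*                    LISTEN      612/nextdns
udp        0      0 0.0.0.0:4500            0.0.0.0:*                           395/charon
udp        0      0 127.0.0.1:53            0.0.0.0:*                           612/nextdns
udp6       0      0 ::1:53                  :::*                                612/nextdns'

# Constructed sample of the desired state: port 53 bound only to 10.1.1.254.
GOOD_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.1.1.254:53           0.0.0.0:*               LISTEN      612/nextdns
udp        0      0 10.1.1.254:53           0.0.0.0:*                           612/nextdns
udp        0      0 0.0.0.0:500             0.0.0.0:*                           395/charon'

# dns_listeners <netstat-text>
# Prints "proto address" for every socket on port 53. Only tcp/udp rows are
# considered; the local address is column 4 of netstat's -tunlp layout. The port
# is taken after the last ":" so IPv6 forms such as "::1:53" and ":::53" work.
dns_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (port == "53") print $1, host
        }'
}

# dns_exposure <netstat-text> <allowed-address>
# Prints every port-53 socket NOT bound to <allowed-address> and returns 1 if
# any exist; returns 0 (printing nothing) when the binding is as intended.
dns_exposure() {
    bad=$(dns_listeners "$1" | awk -v ok="$2" '$2 != ok')
    if [ -n "$bad" ]; then
        printf 'DNS listener not restricted to %s:\n%s\n' "$2" "$bad"
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed samples.
dns_exposure "$SAMPLE_NETSTAT" 10.1.1.254 || echo "sample: exposed (expected)"
dns_exposure "$GOOD_NETSTAT"   10.1.1.254 && echo "good: restricted to 10.1.1.254"
```

      On the live host the same check reads `dns_exposure "$(sudo netstat -tunlp 2>/dev/null)" 10.1.1.254`; the column positions assume netstat's layout, so `ss -tunlp` output would need its own field mapping. A wildcard bind (0.0.0.0 or ::) on port 53 is flagged like any other mismatch, which is the case the original question is trying to avoid.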

      • NextDNs
      • 3 yrs ago

      Guru Pannu you need to restart the daemon (nextdns restart)

    • GuruPannu
    • 3 yrs ago

    Essentially, what I am trying to do is stop advertising my server as a public DNS server.

    When my VPN clients connect to this server, I assign them addresses like 10.1.1.2, 10.1.1.3, and so on.... and I provide the clients a DNS address of 10.1.1.254.

    Since the 10.1.1.254 private address is only available to my VPN clients, I am effectively preventing any 'unknown clients' from trying to access my DNS server.

    The above was working fine with AdGuard Home (and I used the same 10.1.1.254 address). I was running AdGuard Home with DNS binding on 10.1.1.254.

    I then decided to switch to NextDNS. Uninstalled AdGuard, installed NextDNS CLI.

    Everything works fine if I use

    setup-router true
    listen: localhost:53

    but VPN clients cannot resolve anything if I use what you suggested...

    setup-router: false
    listen: 10.1.1.254:53
    
    • GuruPannu
    • 3 yrs ago

    @NextDNS

    I think I figured it out, it was a typo!!!

    I was using listen: 10.1.1.254:53 instead of the correct notation

    listen 10.1.1.254:53

    Dumb of me, really!

    Thanks for your help...

    Is there any help/document/guide/forum link that explains each of the nextdns.conf settings in detail?

    I have seen the GitHub wiki, but it does not explain all the config parameters.

      • NextDNs
      • 3 yrs ago

      Guru Pannu nextdns config set -help

      • Lifetech_Solutions
      • 1 yr ago

      I agree with you. I purchased thinking there would be support. It's been two weeks and I can't get any more help than "check out our help page". These people are a piece of work. You pay for something and they expect you to know all the in-depth routing BS they do. They market as being easy to get going, but oh no. I am pretty good at this stuff and I find their instructions and help cryptic. Worthless.
