0

NextDNS CLI - Listen only on specific IP address?

I am running NextDNS CLI on a Cloud hosted Debian Server. I am also running a StrongSwan iKEv2 VPN server on the same machine. 

My current IP addresses on the server machine:
Public IPv4 (xxx.yyy.zzz.aaa)
Public IPv6 (aaa.bbb.ccc.x........)
Private IPv4 (10.1.1.254)

The default installation of NextDNS CLI is installed and it is listening on all IP addresses. Meaning that all my IP addresses (including my Public IP address) is listening as a DNS server.

What changes do I make to my nextdns.conf so that it acts as a DNS listener only on a specific IP address (mainly only on  internal private IP address like 10.1.1.254)

My current nextdns.conf looks like below

auto-activate true
bogus-priv true
cache-max-age 0s
cache-size 10MB
config ca2f5e
control /var/run/nextdns.sock
detect-captive-portals false
discovery-dns
hardened-privacy false
listen localhost:53
log-queries false
max-inflight-requests 256
max-ttl 5s
mdns all
report-client-info true
setup-router true
timeout 5s
use-hosts true

What I would like is that my Debian Server should only respond to DNS requests that arrive on IP address 10.1.1.254 only. I do not want my server to become a DNS server on the public IP address, only on my specific private IP.

Help please...

7 replies

null
    • NextDNs
    • 2 yrs ago
    • Reported - view
    setup-router: false
listen: 10.1.1.254:53
      • GuruPannu
      • 2 yrs ago
      • Reported - view

      NextDNS Thank for your suggestion.

      I have changed the settings as advised. My conf now looks like. 

      control /var/run/nextdns.sock
max-ttl 5s
detect-captive-portals false
hardened-privacy false
use-hosts true
log-queries false
report-client-info true
bogus-priv true
timeout 5s
setup-router false
listen: 10.1.1.254:53
auto-activate true
config ca2f5e
cache-size 10MB
cache-max-age 0s
discovery-dns
mdns all
max-inflight-requests 256

      However, on executing sudo netstat -tunlp 


      Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      612/nextdns
tcp        0      0 0.0.0.0:56765           0.0.0.0:*               LISTEN      621/sshd: /usr/sbin
tcp6       0      0 ::1:53                  :::*                    LISTEN      612/nextdns
tcp6       0      0 :::56765                :::*                    LISTEN      621/sshd: /usr/sbin
udp        0      0 0.0.0.0:4500            0.0.0.0:*                           395/charon
udp        0      0 0.0.0.0:500             0.0.0.0:*                           395/charon
udp        0      0 127.0.0.1:53            0.0.0.0:*                           612/nextdns
udp6       0      0 :::4500                 :::*                                395/charon
udp6       0      0 :::500                  :::*                                395/charon
udp6       0      0 ::1:53                  :::*                                612/nextdns
udp6       0      0 :::33980                :::*                                262/systemd-timesyn

       

      This does not seem to show that 10.1.1.254 is working as the DNS address.

      • NextDNs
      • 2 yrs ago
      • Reported - view

      Guru Pannu you need to restart the daemon (nextdns restart)

    • GuruPannu
    • 2 yrs ago
    • Reported - view

    Essentially, what I am trying to do is stop advertising my server as a public DNS server.

    When my VPN clients connect to this server, I assign them addresses like 10.1.1.2, 10.1.1.3, and so on.... and I provide the clients a DNS address of 10.1.1.254.

    Since, the 10.1.1.254 private address is only available to my VPN clients, I am effectively preventing any 'unknown clients' trying to access my DNS server.

    The above was working fine with AdGuard Home (and I used the same 10.1.1.254 address). I was running AdGuard Home with DNS binding on 10.1.1254.

    I then decided to switch to NextDNS. Uninstalled AdGuard, installed NextDNS CLI.

    Everything works fine, if I use  

    setup-router true
listen: localhost:53

    but VPN clients cannot resolve anything if I use what you suggested... 

    setup-router: false
listen: 10.1.1.254:53
    • GuruPannu
    • 2 yrs ago
    • Reported - view

    @NextDNS

    I think I figured out, it was a typo !!! 

    I was using  listen: 10.1.1.254:53 instead of the correct notation  

    listen 10.1.1.254:53

    Dumb of me, really ! 

    Thanks for your help... 

    Is there any help/ document/ guide/ forum link that explains each of the nextdns.conf settings in detail? 

    I have seen the GitHub wiki, but it does not explain all the config parameters..

      • NextDNs
      • 2 yrs ago
      • Reported - view

      Guru Pannu nextdns config set -help

      • Lifetech_Solutions
      • 1 yr ago
      • Reported - view

       I agree with you. I puchaased thinking there would be support. Its been two weeks and I cant get any more help than "check out our help page. These people are a piece of work. You pay for something and they expect you to know all thew indepth routing BS they do. They market as being easy to get going but oh no. I am preetty good at this stuff and I find thier instructions and help cryptic. Worthless

Login to reply

Content aside

  • 1 yr agoLast active
  • 7Replies
  • 1070Views
  • 3 Following