
NextDNS CLI - Listen only on specific IP address?

I am running NextDNS CLI on a cloud-hosted Debian server. I am also running a strongSwan IKEv2 VPN server on the same machine.

My current IP addresses on the server machine:
Public IPv4 (xxx.yyy.zzz.aaa)
Public IPv6 (aaa.bbb.ccc.x........)
Private IPv4 (10.1.1.254)

The default installation of NextDNS CLI is installed and it is listening on all IP addresses, meaning that all my IP addresses (including my public IP address) are listening as a DNS server.

What changes do I make to my nextdns.conf so that it acts as a DNS listener only on a specific IP address (mainly only on the internal private IP address, 10.1.1.254)?

My current nextdns.conf looks like below

auto-activate true
bogus-priv true
cache-max-age 0s
cache-size 10MB
config ca2f5e
control /var/run/nextdns.sock
detect-captive-portals false
discovery-dns
hardened-privacy false
listen localhost:53
log-queries false
max-inflight-requests 256
max-ttl 5s
mdns all
report-client-info true
setup-router true
timeout 5s
use-hosts true

What I would like is that my Debian server should respond only to DNS requests that arrive on IP address 10.1.1.254. I do not want my server to become a DNS server on the public IP address, only on my specific private IP.

Help please...

6 replies
  • setup-router: false
    listen: 10.1.1.254:53
    
    • NextDNS, thanks for your suggestion.

      I have changed the settings as advised. My conf now looks like.

      control /var/run/nextdns.sock
      max-ttl 5s
      detect-captive-portals false
      hardened-privacy false
      use-hosts true
      log-queries false
      report-client-info true
      bogus-priv true
      timeout 5s
      setup-router false
      listen: 10.1.1.254:53
      auto-activate true
      config ca2f5e
      cache-size 10MB
      cache-max-age 0s
      discovery-dns
      mdns all
      max-inflight-requests 256

      However, on executing sudo netstat -tunlp:


      Active Internet connections (only servers)
      Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
      tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      612/nextdns
      tcp        0      0 0.0.0.0:56765           0.0.0.0:*               LISTEN      621/sshd: /usr/sbin
      tcp6       0      0 ::1:53                  :::*                    LISTEN      612/nextdns
      tcp6       0      0 :::56765                :::*                    LISTEN      621/sshd: /usr/sbin
      udp        0      0 0.0.0.0:4500            0.0.0.0:*                           395/charon
      udp        0      0 0.0.0.0:500             0.0.0.0:*                           395/charon
      udp        0      0 127.0.0.1:53            0.0.0.0:*                           612/nextdns
      udp6       0      0 :::4500                 :::*                                395/charon
      udp6       0      0 :::500                  :::*                                395/charon
      udp6       0      0 ::1:53                  :::*                                612/nextdns
      udp6       0      0 :::33980                :::*                                262/systemd-timesyn


      This does not seem to show that 10.1.1.254 is working as the DNS address.

    • Guru Pannu, you need to restart the daemon (nextdns restart).

  • Essentially, what I am trying to do is stop advertising my server as a public DNS server.

    When my VPN clients connect to this server, I assign them addresses like 10.1.1.2, 10.1.1.3, and so on, and I provide the clients a DNS address of 10.1.1.254.

    Since the 10.1.1.254 private address is only available to my VPN clients, I am effectively preventing any 'unknown clients' from accessing my DNS server.

    The above was working fine with AdGuard Home (and I used the same 10.1.1.254 address). I was running AdGuard Home with DNS binding on 10.1.1.254.

    I then decided to switch to NextDNS. Uninstalled AdGuard, installed NextDNS CLI.

    Everything works fine, if I use 

    setup-router true
    listen: localhost:53

    but VPN clients cannot resolve anything if I use what you suggested...

    setup-router: false
    listen: 10.1.1.254:53
    
  • @NextDNS

    I think I figured it out; it was a typo!

    I was using listen: 10.1.1.254:53 instead of the correct notation

    listen 10.1.1.254:53

    Dumb of me, really!

    Thanks for your help... 

    Is there any help document, guide, or forum link that explains each of the nextdns.conf settings in detail?

    I have seen the GitHub wiki, but it does not explain all the config parameters.

    • Guru Pannu, nextdns config set -help

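The two things that went wrong in this thread (a "key: value" line that nextdns.conf does not understand, and a config edit that had not taken effect, leaving port 53 on an unintended address) can both be caught offline before anything is exposed. The script below is an added example, not NextDNS project code or anything posted in the thread: one POSIX sh function lints a nextdns.conf for the colon typo and for a `listen` host outside the RFC 1918 ranges, and a second reads `netstat -tunlp` / `ss -tulnp` output and reports every port-53 listener not bound to the one intended address, tagging wildcard binds (which are reachable on the public IPs) as EXPOSED. Function names and all sample data are constructed for the example; the socket tables are modelled on the netstat output above.

```shell
#!/bin/sh
# Added example for this thread; not NextDNS project code. Two offline checks:
#   1. lint_nextdns_conf  - nextdns.conf is "key value" (no colon after the key,
#      the typo that broke resolution above) and, for this use case, `listen`
#      should bind an RFC 1918 address so only VPN clients can reach it.
#   2. audit_port53       - reads `netstat -tunlp` or `ss -tulnp` output and
#      reports every port-53 listener not bound to the intended address;
#      wildcard binds (0.0.0.0 / :: / *) are flagged EXPOSED.
# Function names and all sample data below are constructed for the example.

# Constructed conf fragments: the colon typo from the thread, and the fixed form.
CONF_BAD='setup-router false
listen: 10.1.1.254:53
use-hosts true'
CONF_GOOD='setup-router false
listen 10.1.1.254:53
use-hosts true'

# Constructed socket tables modelled on the netstat output in the thread.
# Default install: port 53 on the wildcard address, i.e. also on the public IPs.
SOCKETS_DEFAULT='udp        0      0 0.0.0.0:53              0.0.0.0:*                           612/nextdns
udp6       0      0 :::53                   :::*                                612/nextdns'
# Config edited but daemon not yet restarted: still loopback only.
SOCKETS_BEFORE='tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      612/nextdns
tcp6       0      0 ::1:53                  :::*                    LISTEN      612/nextdns
udp        0      0 127.0.0.1:53            0.0.0.0:*                           612/nextdns
udp        0      0 0.0.0.0:500             0.0.0.0:*                           395/charon'
# After `nextdns restart` with the corrected `listen` line.
SOCKETS_AFTER='tcp        0      0 10.1.1.254:53           0.0.0.0:*               LISTEN      612/nextdns
udp        0      0 10.1.1.254:53           0.0.0.0:*                           612/nextdns
udp        0      0 0.0.0.0:500             0.0.0.0:*                           395/charon'

# Lint a nextdns.conf read on stdin. Prints one line per problem; returns 1 if any.
lint_nextdns_conf() {
    problems=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac      # skip blanks and comments
        key=${line%% *}
        value=${line#* }
        [ "$value" = "$line" ] && value=""              # key with no value
        case "$key" in
            *:) echo "BAD_KEY    '$key': nextdns.conf is 'key value', write '${key%:} $value'"
                problems=$((problems + 1))
                continue ;;
        esac
        if [ "$key" = "listen" ]; then
            host=${value%:*}                            # drop ":port"
            case "$host" in
                10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
                *)  echo "BAD_LISTEN '$value' is not an RFC 1918 address"
                    problems=$((problems + 1)) ;;
            esac
        fi
    done
    [ "$problems" -eq 0 ]
}

# Audit a socket table read on stdin against the one address that should serve
# DNS ($1). Prints EXPOSED for wildcard binds, UNEXPECTED for any other
# address; returns 1 if anything was printed.
audit_port53() {
    allowed=$1
    stray=0
    while IFS= read -r line; do
        for field in $line; do                          # locate the "addr:53" column
            case "$field" in
                *:53)
                    addr=${field%:53}
                    [ "$addr" = "$allowed" ] && break
                    case "$addr" in
                        0.0.0.0|::|'*'|'[::]') tag=EXPOSED ;;
                        *)                     tag=UNEXPECTED ;;
                    esac
                    echo "$tag $line"
                    stray=$((stray + 1))
                    break ;;
            esac
        done
    done
    [ "$stray" -eq 0 ]
}

# Stand-alone demo on the constructed samples. On a real host use
#   lint_nextdns_conf < nextdns.conf   and   ss -tulnp | audit_port53 10.1.1.254
echo "== lint (typo) ==";     printf '%s\n' "$CONF_BAD"        | lint_nextdns_conf || echo "-> fix the conf"
echo "== lint (fixed) ==";    printf '%s\n' "$CONF_GOOD"       | lint_nextdns_conf && echo "-> conf ok"
echo "== sockets default =="; printf '%s\n' "$SOCKETS_DEFAULT" | audit_port53 10.1.1.254 || echo "-> public DNS exposure"
echo "== sockets stale ==";   printf '%s\n' "$SOCKETS_BEFORE"  | audit_port53 10.1.1.254 || echo "-> run: nextdns restart"
echo "== sockets fixed ==";   printf '%s\n' "$SOCKETS_AFTER"   | audit_port53 10.1.1.254 && echo "-> only 10.1.1.254 serves DNS"
```

The audit deliberately treats a loopback-only listener as a finding too: it is not an exposure, but in this thread it was the sign that the edited configuration had not been reloaded, which `nextdns restart` fixed. Run the audit again after the restart and it should print nothing for the allowed address.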
Last active 8 months ago. 6 replies, 344 views, 2 following.