
NextDNS with Unifi Layer 3 Setup

I am running a Unifi Controller on Windows 10 within my network (Location 1) and have it set up for Layer 3 device adoption from a remote location (Location 2). Location 1 has NextDNS installed via the USG CLI and enabled. Location 2 has NextDNS installed via the USG CLI as well, but when I enable NextDNS at Location 2, it prevents the devices from communicating with the controller at Location 1. I've verified this multiple times, as the devices connect to the controller at Location 1 almost instantaneously when I disable NextDNS at Location 2.

The controller is set up to use dynamic DNS, with ports 8080 (inform port) and 3478 (STUN) open at Location 1 so that Location 2 can communicate with the controller and manage the remote devices. I've tried disabling the following within NextDNS with no luck:

Block Newly Registered Domains (NRDs)

Block domains registered less than 30 days ago. Those domains are known to be favored by threat actors to launch malicious campaigns.

Block Dynamic DNS Hostnames (BETA)

Dynamic DNS (or DDNS) services let malicious actors quickly set up hostnames for free and without any validation or identity verification. While legit DDNS hostnames are rarely accessed in every-day use, their malicious counterparts are heavily used in phishing campaigns, e.g. paypal-login.duckdns.org.

If you are using DDNS, note that this setting will not block the DDNS services' own website or their update API.

DNS Rebinding Protection

Prevent attackers from taking control of your local devices through the Internet by automatically blocking DNS responses containing private IP addresses.

Added Dynamic DNS TLD/Subdomains to Allowlist.

I have also specifically added the dynamic DNS TLD/subdomain to the allowlist. This made no difference in NextDNS blocking the connection.

Has anyone else run into this issue before? Apologies if I missed a post or documentation on this specific setup, but I've looked and can't for the life of me figure out how to fix it.

Thanks for your help!

1 reply

    • itislp
    • 1 yr ago

    I also checked the NextDNS logs, it is showing that the Dynamic DNS domain is being resolved, so could it be blocking the specific ports? Does it have that capability? Thanks again for any help.
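
A diagnostic for the two things the posts above leave open: whether the filtering resolver is handing back a usable answer for the controller's DDNS hostname, and whether the inform and STUN ports named in the post are actually reachable once it does. This is an added example, not code from the original post and not NextDNS or Ubiquiti code. It uses the system resolver (on a USG running the NextDNS CLI that is NextDNS), so the intended use is to run it at Location 2 once with NextDNS enabled and once disabled and compare the two reports. The verdict strings, function names and the hostname argument are this example's own; ports 8080 and 3478 come from the post.

```python
"""Reachability check for UniFi Layer 3 adoption through a filtering resolver.

Added example, not part of the original post and not NextDNS or Ubiquiti code.
Run it on a machine at the remote site (Location 2) twice, with NextDNS enabled
and disabled, and compare the two reports. The inform port 8080 and STUN port
3478 are the ones named in the post; the hostname is whatever you pass in.
"""
import ipaddress
import json
import os
import socket
import struct
import sys

INFORM_PORT = 8080              # UniFi inform port (from the post)
STUN_PORT = 3478                # UniFi STUN port (from the post)
STUN_MAGIC_COOKIE = 0x2112A442  # RFC 5389 fixed value
STUN_BINDING_REQUEST = 0x0001
STUN_BINDING_SUCCESS = 0x0101


def classify_answer(addresses):
    """Interpret the IPv4 answers a resolver returned for the DDNS hostname.

    Filtering resolvers usually signal a block with an empty answer or a
    sinkhole address such as 0.0.0.0, and DNS rebinding protection drops
    answers that carry private, loopback or link-local addresses.
    """
    if not addresses:
        return "no-answer (blocked or NXDOMAIN)"
    ips = [ipaddress.ip_address(a) for a in addresses]
    if all(ip.is_unspecified for ip in ips):
        return "sinkholed (0.0.0.0)"
    if any(ip.is_private or ip.is_loopback or ip.is_link_local for ip in ips):
        return "private address (would trip DNS rebinding protection)"
    return "public address"


def build_stun_binding_request(txn_id):
    """Encode a STUN Binding Request with an empty attribute body."""
    if len(txn_id) != 12:
        raise ValueError("STUN transaction id must be 12 bytes")
    return struct.pack("!HHI", STUN_BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + txn_id


def parse_stun_response(data, txn_id):
    """Return True only for a Binding Success Response matching txn_id."""
    if len(data) < 20:
        return False
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    return (msg_type == STUN_BINDING_SUCCESS
            and cookie == STUN_MAGIC_COOKIE
            and data[8:20] == txn_id
            and len(data) >= 20 + length)


def check_tcp(host, port, timeout=3.0):
    """Plain TCP connect, the same first step the device's inform request takes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_stun(host, port, timeout=3.0):
    """Send one Binding Request over UDP and wait for a matching response."""
    txn_id = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_stun_binding_request(txn_id), (host, port))
            data, _ = sock.recvfrom(1024)
        except OSError:
            return False
    return parse_stun_response(data, txn_id)


def diagnose(hostname):
    """Resolve with the system resolver (the local NextDNS CLI on a USG),
    classify the answer and, if it is usable, probe both controller ports."""
    try:
        answers = sorted({ai[4][0] for ai in
                          socket.getaddrinfo(hostname, None, socket.AF_INET)})
    except socket.gaierror:
        answers = []
    report = {"addresses": answers, "resolution": classify_answer(answers)}
    if report["resolution"] == "public address":
        target = answers[0]
        report["inform_tcp_%d" % INFORM_PORT] = check_tcp(target, INFORM_PORT)
        report["stun_udp_%d" % STUN_PORT] = check_stun(target, STUN_PORT)
    return report


if __name__ == "__main__":
    # usage (script name is your choice): python3 <script>.py <controller-ddns-hostname>
    print(json.dumps(diagnose(sys.argv[1]), indent=2))
```

If the "resolution" field differs between the two runs, the resolver is the problem (a block, a sinkhole answer, or a private address being dropped by rebinding protection). If resolution is identical and "public address" in both runs but the port checks differ, the block is happening past DNS, which a DNS filter cannot do on its own, so look at the USG firewall or the controller host instead.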
