
Feature Request: Bind NextDNS Profiles to a Specific Source IP

I propose a feature that allows a NextDNS DoH/DoT profile to be bound to a specific source IP address or IP range. DNS requests over HTTPS or TLS would only be accepted if the encrypted connection originates from an authorized IP; requests from any other IP would be dropped or rejected. This restriction would apply directly to the profile endpoint, effectively enforcing source-IP validation in addition to encryption.

This is useful in scenarios where NextDNS is accessed through a VPN or secure tunnel. If that tunnel drops, DNS queries would fail closed instead of resolving over the public internet, preventing DNS leaks. The feature would add an extra layer of security, help protect against misuse of leaked profile URLs, and be particularly valuable for servers, homelabs, and users with static or known egress IPs.

Question for Developers:

Do you think binding DoH/DoT profiles to a specific source IP (or range) is a reasonable and useful feature to add to NextDNS?
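As an added illustration of the check the request describes (this is example code written for this thread, not NextDNS's own implementation, and the addresses are constructed documentation ranges), the following shows how a per-profile allowlist of source IPs or CIDR ranges would be evaluated before a DoH/DoT query is served, and how a profile with no binding keeps today's accept-from-anywhere behaviour. The dynamic-IP case raised in the reply shows up as a rejection with an audit line, which is what an operator would need to notice the problem rather than just seeing resolution silently fail.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allowlist(entries: Iterable[str]) -> List[Network]:
    """Turn a profile's binding list into network objects.

    Bare addresses become single-host networks (/32 or /128); CIDR ranges
    are kept as written. strict=False tolerates host bits set in a range.
    """
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def source_allowed(source_ip: str, allowlist: List[Network]) -> bool:
    """True if the connection's source address falls inside any bound range.

    ipaddress never matches an IPv4 address against an IPv6 network (or vice
    versa), so a v4-only binding implicitly rejects all v6 sources.
    """
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in allowlist)


def decide(source_ip: str, allowlist: Optional[List[Network]]) -> str:
    """Decision for one encrypted query to a profile endpoint.

    allowlist=None models a profile with no source-IP binding, i.e. the
    current behaviour where any client holding the profile URL is served.
    A bound profile fails closed: anything outside the list is rejected.
    """
    if allowlist is None:
        return "accept"
    return "accept" if source_allowed(source_ip, allowlist) else "reject"


def audit(profile: str, source_ip: str, allowlist: Optional[List[Network]]) -> str:
    """One log line per query so rejections are visible to the operator.

    The reply in this thread points out that an ISP moving a customer to a
    different address block would make every query fail; a line like this
    is what turns that silent breakage into something diagnosable.
    """
    verdict = decide(source_ip, allowlist)
    bound = "unbound" if allowlist is None else ",".join(str(n) for n in allowlist)
    return f"profile={profile} src={source_ip} bound=[{bound}] verdict={verdict}"


def summarize(profile: str, sources: Iterable[str],
              allowlist: Optional[List[Network]]) -> dict:
    """Count accept/reject verdicts over a batch of observed source addresses."""
    counts = {"accept": 0, "reject": 0}
    for src in sources:
        counts[decide(src, allowlist)] += 1
    return counts


if __name__ == "__main__":
    # Constructed scenario: the profile is bound to the VPN egress address
    # (203.0.113.10) and a homelab's static block (198.51.100.0/24).
    bound = parse_allowlist(["203.0.113.10", "198.51.100.0/24"])
    # Query arriving through the tunnel, then the same client after the
    # tunnel drops and its traffic egresses via the ISP address (192.0.2.5).
    for src in ["203.0.113.10", "198.51.100.77", "192.0.2.5"]:
        print(audit("abc123-example", src, bound))
    print(summarize("abc123-example",
                    ["203.0.113.10", "192.0.2.5", "192.0.2.6"], bound))
```

The fail-closed property the request wants comes from `decide` returning "reject" for anything not on the list; the leak it prevents is the last line of the constructed run, where the post-tunnel-drop query from the ISP address is refused instead of resolved.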

1 reply

    • Mike_V
    • 8 hrs ago

    Considering the target of NextDNS is likely home users or small businesses who have internet service with a dynamic IP address, if they were to have such a setting enabled and their IP address were to change to an address in a different address block managed by their ISP and suddenly they can't resolve DNS anymore, that would be problematic. I could see such a setting creating problems and confusion if it were to be accidentally enabled.

    I could see this being something that someone with a static IP address might be interested in, but I would bet that that's a minority of most users here.
