
DDNS hostname

Hi, I get "For security reasons, when adding a Dynamic DNS the IP address returned by the DDNS hostname should be the same as your current IP address".

My ISP is using Carrier-Grade NAT (CGNAT). Any workaround?

11 replies

    • R_P_M
    • 1 yr ago
    • Reported - view

    Legacy IPv4 addresses will not work with CGNAT. You will have to use the other protocols, DoH, DoT and QUIC for NextDNS to work behind your CGNAT connection. 

    • Phil.9
    • 9 days ago
    • Reported - view

    If I use NextDNS DoH with dns-crypt on Windows 7, and I'm behind CGNAT, can I be a paid subscriber and be recognized by NextDNS just by the queries and thus get full service? Or does the NextDNS Windows app happen to work on Win 7?

      • R_P_M
      • 8 days ago
      • Reported - view

       You should be OK using DoH behind CGNAT. If not, just post back with the issue.

      • Phil.9
      • 8 days ago
      • Reported - view


      The setup page says:

      "This device is using NextDNS with no profile.
      Make sure you use the DNS-over-HTTPS endpoint shown below.

      ID: 99f5de
      DNS-over-TLS/QUIC: 99f5de.dns.nextdns.io
      DNS-over-HTTPS: https://dns.nextdns.io/99f5de"


      In SimpleDNSCrypt I have NextDNS DoH selected as the only resolver, and dnschecktools shows the IPv4 resolver as dns.nextdns.io (but shows no 99f5de prefix).

      I am registered, but all the query stats are 0.

      Could DoH over UDP be a problem,  vs TCP with state, and cookies to go with it?

      • Phil.9
      • 8 days ago
      • Reported - view

        Sorry, I'm new to this... I was looking at SimpleDNSCrypt's dnscrypt-proxy.toml file for some place to stick this 99f5de. Seemed logical.

      AI says

      "

      Yes, with NextDNS, the configuration ID (or profile ID) is used to generate a unique, personalized subdomain for each user's configuration. 

      Here are the details of how this works:

      • Subdomain Structure: When configuring DoH (DNS-over-HTTPS) or DoT (DNS-over-TLS), the endpoint URL follows the format: https://dns.nextdns.io or ID.dns.nextdns.io.
      • Unique Identifier: The "ID" part is a 6-character alphanumeric string (e.g., a1b2c3) that is unique to your specific profile.
      • Purpose: This unique subdomain ensures that NextDNS can identify which customized blocklists, analytics, and security settings to apply to your traffic.
      • Multiple Profiles: Users can create multiple profiles, and each profile will have its own unique ID, allowing different settings for different devices (e.g., one ID for kids, one for parents).
      • Security & Privacy: The ID is difficult to guess, but if shared or exposed, it could allow others to see your DNS logs or use your customized blocklists.

      "

      So if I could just find out where to stick my ID on this end for SimpleCrypt to use it..

      • Phil.9
      • 8 days ago
      • Reported - view

         AI says

      "To use your NextDNS ID with dnscrypt-proxy, you generate a custom DNSCrypt stamp from the NextDNS setup page, modify the path with your ID (e.g., /123456/MyDevice), and add this stamp as a static server in your dnscrypt-proxy.toml file under the [static] section, then select it in server_names to enable personalized filtering. "

      Hmm, ok, sounds like it's been done before.

      • Phil.9
      • 8 days ago
      • Reported - view


      AI Overview

      NextDNS endpoints and their corresponding DNS stamps (sdns://) 

      can be found directly on your NextDNS Setup page under the "Routers" section. These stamps allow you to configure secure DNS (specifically DNSCrypt or DNS-over-HTTPS) on devices like Ubiquiti, AdGuard Home, or DNSCrypt-proxy.

      How to Find Your NextDNS Stamp

      1. Log into your NextDNS portal.
      2. Navigate to the Setup tab.
      3. Scroll down to the Routers section.
      4. Select the DNSCrypt tab to see your unique sdns:// stamp.
        • Note: Using this pre-generated stamp is recommended over manually calculating one, as it includes your specific configuration ID. 


      I see no such Routers section.  

      • losnad
      • 8 days ago
      • Reported - view
      • Phil.9
      • 7 days ago
      • Reported - view


      Thanks for the link.

      I appended this at the bottom of the dnscrypt-proxy.toml (using SimpleDNSCrypt on Win 7)

      [static]
       [static.'NextDNS-9XXXX']
         stamp = 'sdns://AgAAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8RLzlYWFhYL1RIR0VEODAwRzE'

       

      I thought I should see it added to the list of resolvers, but it wasn't.

      Then I removed the Servers section with the [source] elements and the service would not load on firing up Simple.

      This is the whole file with nothing removed, except editing the ID for anonymity:

      server_names = ["nextdns"]
      listen_addresses = ["127.0.0.1:53", "[::1]:53"]
      max_clients = 250
      ipv4_servers = true
      ipv6_servers = false
      disabled_server_names = []
      dnscrypt_servers = true
      doh_servers = true
      require_dnssec = true
      require_nolog = true
      require_nofilter = true
      daemonize = false
      force_tcp = false
      dnscrypt_ephemeral_keys = false
      tls_disable_session_tickets = false
      offline_mode = false
      timeout = 5000
      keepalive = 30
      lb_estimator = false
      netprobe_timeout = 60
      netprobe_address = "9.9.9.9:53"
      log_level = 0
      use_syslog = false
      cert_refresh_delay = 240
      fallback_resolvers = ["9.9.9.9:53", "8.8.8.8:53"]
      ignore_system_dns = true
      log_files_max_size = 10
      log_files_max_age = 7
      log_files_max_backups = 1
      block_ipv6 = true
      block_unqualified = true
      block_undelegated = true
      reject_ttl = 600
      cache = true
      cache_size = 1024
      cache_min_ttl = 2400
      cache_max_ttl = 86400
      cache_neg_min_ttl = 60
      cache_neg_max_ttl = 600

      [query_log]
      format = "ltsv"

      [nx_log]
      format = "ltsv"

      [blacklist]

      [ip_blacklist]

      [anonymized_dns]
      skip_incompatible = false

      [broken_implementations]
      fragments_blocked = ["cisco", "cisco-ipv6", "cisco-familyshield", "cisco-familyshield-ipv6", "quad9-dnscrypt-ip4-filter-alt", "quad9-dnscrypt-ip4-filter-pri", "quad9-dnscrypt-ip4-nofilter-alt", "quad9-dnscrypt-ip4-nofilter-pri", "quad9-dnscrypt-ip6-filter-alt", "quad9-dnscrypt-ip6-filter-pri", "quad9-dnscrypt-ip6-nofilter-alt", "quad9-dnscrypt-ip6-nofilter-pri", "cleanbrowsing-adult", "cleanbrowsing-family-ipv6", "cleanbrowsing-family", "cleanbrowsing-security"]


      [sources]

      [sources.public-resolvers]
      urls = ["https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md", "https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md"]
      minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"
      cache_file = "public-resolvers.md"
      refresh_delay = 0
      prefix = ""

      [sources.relays]
      urls = ["https://github.com/DNSCrypt/dnscrypt-resolvers/raw/master/v2/relays.md", "https://download.dnscrypt.info/resolvers-list/v2/relays.md"]
      minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"
      cache_file = "relays.md"
      refresh_delay = 72
      prefix = ""

      [static]
       [static.'NextDNS-9xxxx']
         stamp = 'sdns://AgAAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8RLzl4eHh4L1RIR0VEODAwRzE'

      Thanks

      • Phil.9
      • 7 days ago
      • Reported - view

       

      OK, it seems to be fixed... It says "All Good!" over here. I had been expecting SimpleDNSCrypt to show the custom domain in the list of resolvers in its dashboard. I was wrong and can see why now. "[Static]" and options are incompatible.

      • Phil.9
      • 7 days ago
      • Reported - view

      Summary for anyone who lands here using SimpleDNSCrypt: the top line of your dnscrypt-proxy.toml file can be:

      server_names = [] 

      Maybe it can even just be omitted altogether.

      As others have stated, the [source] items should be removed. You are only using NextDNS or your fallbacks like Google, Quad9 etc.

      At the end of the .toml file, using the endpoints from the nextDNS setup page,
      append this:

      [static]
      [static.myegslentNextDNS-ID]    
      stamp = "sdns://AgAAAAAAA................."


      Generate the stamp at DNSCrypt - DNS Stamps online calculator | DNSCrypt

      For DNS-over-HTTPS (DoH):

      The host field: dns.nextdns.io

      The path field:
      /ID/yourcomputername (run "hostname" in cmd on Windows to get it)

      No need to check any boxes (DNSSEC etc.), since they are only (hopefully honest) claims that would be made for each resolver domain in a resolver list compilation (.md file), from which the user could filter and select in their dashboard etc.
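Added example, not from this thread or from NextDNS or dnscrypt-proxy: a small Python encoder/decoder for DoH stamps following the public DNS stamps layout (type 0x02, props, addr, hashes, hostname, path), checked against the anonymized stamp posted above (host dns.nextdns.io, path /9XXXX/THGED800G1). The props bits are what the DNSSEC / no-log / no-filter boxes in the online calculator set; decoding a pasted stamp is the quickest way to confirm your /ID/ path is really in it.

```python
import base64
import struct

# DoH stamp layout (dnsstamps spec):
#   0x02 | props (u64 little-endian) | LP(addr) | VLP(hashes) | LP(hostname) | LP(path)
DOH = 0x02
PROP_DNSSEC, PROP_NOLOG, PROP_NOFILTER = 1, 2, 4  # bit flags inside props

def _lp(data: bytes) -> bytes:
    """Length-prefixed field: one length byte, then the bytes (max 255)."""
    if len(data) > 255:
        raise ValueError("field too long for a DNS stamp")
    return bytes([len(data)]) + data

def encode_doh_stamp(hostname: str, path: str, props: int = 0) -> str:
    """Build an sdns:// DoH stamp for hostname + path (e.g. /ID/devicename). addr and
    hashes stay empty: reach the resolver by name, validate its cert via the system store."""
    body = (bytes([DOH]) + struct.pack("<Q", props)
            + _lp(b"") + _lp(b"")
            + _lp(hostname.encode()) + _lp(path.encode()))
    return "sdns://" + base64.urlsafe_b64encode(body).decode().rstrip("=")

def decode_doh_stamp(stamp: str) -> dict:
    """Parse a pasted DoH stamp so its host, path and flags can be verified."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))  # restore padding
    if raw[0] != DOH:
        raise ValueError("stamp type 0x%02x is not DoH" % raw[0])
    props = struct.unpack("<Q", raw[1:9])[0]
    pos = [9]  # read cursor into raw, shared with read_lp

    def read_lp():
        # One length-prefixed field; high bit of the length means another one follows (VLP)
        n = raw[pos[0]]
        data = raw[pos[0] + 1:pos[0] + 1 + (n & 0x7F)]
        pos[0] += 1 + (n & 0x7F)
        return bool(n & 0x80), data

    _, addr = read_lp()
    hashes, more = [], True
    while more:  # VLP of certificate hashes; a single 0x00 byte means none
        more, h = read_lp()
        if h:
            hashes.append(h.hex())
    _, hostname = read_lp()
    _, path = read_lp()
    return {"addr": addr.decode(), "hashes": hashes, "hostname": hostname.decode(),
            "path": path.decode(), "dnssec": bool(props & PROP_DNSSEC),
            "nolog": bool(props & PROP_NOLOG), "nofilter": bool(props & PROP_NOFILTER)}
```

A stamp whose decoded path is empty reaches NextDNS with no profile, which is exactly the "no profile" state the setup page reported earlier in this thread.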
