1

Installed nextdns via the "sh ... curl" line. Captive portals stopped working. I uninstalled nextdns but captive p still don't work. Help

On my Linux Mint Cinnamon 21.3, I installed nextdns in the terminal this way:

sh -c 'sh -c "$(curl -sL https://nextdns.io/install)"'

I couldn't log into a public wifi that uses a captive portal, so I've decided to uninstall nextdns using that same command.

But even though https://my.nextdns.io/[my_special_id]/setup says "This device is not using NextDNS.", I still can't log into the same public wifi (the one that uses a captive portal).

What must I do to completely undo whatever that linux terminal command did to my linux laptop? I wish to be able to log into

33 replies

null
    • R_P_M
    • 3 wk ago
    • Reported - view

    You didn’t need to uninstall the CLI, there is an option to detect captive portals, you should have tried that first.

    nextdns config set -detect-captive-portals true
      • Necks_Dee
      • 3 wk ago
      • Reported - view

       

      thanks for your reply!

      I tried the command you suggested and got this:

      ~$ nextdns config set -detect-captive-portals true
      Unrecognized parameter: true
        -auto-activate
              Run activate at startup and deactivate on exit.
        -bogus-priv
              Bogus private reverse lookups.
      
              All reverse lookups for private IP ranges (ie 192.168.x.x, etc.) are
              answered with "no such domain" rather than being forwarded upstream.
              The set of prefixes affected is the list given in RFC6303, for IPv4
              and IPv6. (default true)
        -cache-max-age duration
              If set to greater than 0, a cached entry will be considered stale after
              this duration, even if the record's TTL is higher.
        -cache-size string
              Set the size of the cache in byte. Use 0 to disable caching. The value
              can be expressed with unit like kB, MB, GB. The cache is automatically
              flushed when the pointed profile is updated. (default "0")
        -config value
              deprecated, use -profile instead
        -config-file string
              Custom path to configuration file.
        -control string
              Address to the control socket. (default "/var/run/nextdns.sock")
        -debug
              Enable debug logs.
        -detect-captive-portals
              Automatic detection of captive portals and fallback on system DNS to
              allow the connection to establish.
      
              Beware that enabling this feature can allow an attacker to force nextdns
              to disable DoH and leak unencrypted DNS traffic.
        -discovery-dns string
              The address of a DNS server to be used to discover client names.
              If not defined, the address learned via DHCP will be used. This setting
              is only active if report-client-info is set to true.
        -forwarder value
              A DNS server to use for a specified domain.
      
              Forwarders can be defined to send proxy DNS traffic to an alternative
              DNS upstream resolver for specific domains. The format of this parameter
              is [DOMAIN=]SERVER_ADDR[,SERVER_ADDR...].
      
              A SERVER_ADDR can ben either an IP[:PORT] for DNS53 (unencrypted UDP,
              TCP), or a HTTPS URL for a DNS over HTTPS server. For DoH, a bootstrap
              IP can be specified as follow: https://dns.nextdns.io#45.90.28.0.
              Several servers can be specified, separated by commas to implement
              failover.
              This parameter can be repeated. The first match wins.
        -hardened-privacy
              Deprecated.
        -listen value
              Listen address for UDP DNS proxy server.
        -log-queries
              Log DNS queries.
        -max-inflight-requests uint
              Maximum number of inflight requests handled by the proxy. No additional
              requests will not be answered after this threshold is met. Increasing
              this value can reduce latency in case of burst of requests but it can
              also increase significantly memory usage. (default 256)
        -max-ttl duration
              If set to greater than 0, defines the maximum TTL value that will be
              handed out to clients. The specified maximum TTL will be given to
              clients instead of the true TTL value if it is lower. The true TTL
              value is however kept in the cache to evaluate cache entries
              freshness. This is best used in conjunction with the cache to force
              clients not to rely on their own cache in order to pick up
              profile changes faster.
        -mdns string
              Enable mDNS to discover client information and serve mDNS learned names over DNS.
              Use "all" to listen on all interface or an interface name to limit mDNS on a
              specific network interface. Use "disabled" to disable mDNS altogether. (default "all")
        -profile value
              NextDNS custom profile id.
      
              The profile id can be prefixed with a condition that is match for
              each query:
              * 10.0.3.0/24=abcdef: A CIDR can be used to restrict a profile to
                a subnet.
              * 2001:0DB8::/64=abcdef: An IPv6 CIDR.
              * 00:1c:42:2e:60:4a=abcdef: A MAC address can be used to restrict
                profile to a specific host on the LAN.
              * eth0=abcdef: An interface name can be used to restrict a profile
                to all hosts behind this interface.
      
              This parameter can be repeated. The first match wins.
        -report-client-info
              Embed clients information with queries.
        -setup-router
              Automatically configure NextDNS for a router setup.
              Common types of router are detected to integrate gracefully. Changes
              applies are undone on daemon exit. The listen option is ignored when
              this option is used.
        -timeout duration
              Maximum duration allowed for a request before failing. (default 5s)
        -use-hosts
              Lookup /etc/hosts before sending queries to upstream resolver. (default true)
      
      • Necks_Dee
      • 3 wk ago
      • Reported - view

       

      I tried

      sudo nextdns config set -detect-captive-portals

      but the captive portal with my public library wifi still doesn't work :(

      • R_P_M
      • 3 wk ago
      • Reported - view

       How did you before login to the public WiFi? Maybe the portal site is still in your browser history?

      • Necks_Dee
      • 3 wk ago
      • Reported - view

      I'm not at the public library right now. but i don't think it's because the webpage is cached in browser history .Is there something I could paste here to let us investigate what's going on? Some terminal command I could run?

      • R_P_M
      • 3 wk ago
      • Reported - view

       Well I wasn’t thinking of browser cache as such, more about the login page location to revisit. If it’s not in history maybe you could try visiting the IP address of the router or dns IP (if it’s different from router IP).

      • Necks_Dee
      • 3 wk ago
      • Reported - view

        I don't know the IP address or DNS ip. When I'm at the public library. We can go to any website and it should redirect to a URL of the captive portal.

      • R_P_M
      • 3 wk ago
      • Reported - view

       The IP addresses should appear in your network manger once you’ve connected to the public library WiFi.

      I’m familiar with how it’s supposed to work after seeing a few different setups in the past.

      Maybe try out “sudo nextdns deactivate” when connected to the WiFi, try to login. Then once internet access is allowed “sudo nextdns activate” and see if it’s working still. 

      • Necks_Dee
      • 3 wk ago
      • Reported - view

       

       

      I tried out sudo nextdns deactivate when connected to this public library's wifi. i then tried to log in. but it still gives the same error message.

      On firefox:

          Hmm. We're having trouble finding that site.

          We can't connect to the server at captiveportal-login.[publiclibrarywebsite].com

      On Chromium

          Your connection is not private.

          Attackers might be trying to steal your information from yahoo<dot>com)

          NET:ERR_CERT_COMMON_NAME_INVALID

          This server could not prove that it is yahoo<dot>com; its security certificate is from *.[publiclibrarywebsite].com. This may be caused by a misconfiguration or an attacker intercepting your connection.

      (I put the dot in yahoo . com in brackets because this nextdns helpforum thinks it's spam otherwise)

      When I click "Proceed anyway", I'm taken to this error message:

          This site can't be reached.

          Check if there's a typo in captiveportal-login.[publiclibrarywebsite].com

          DNS_PROBE_FINISHED_NXDOMAIN

      • R_P_M
      • 3 wk ago
      • Reported - view

       Well that’s interesting, it’s correctly capturing and redirecting to the login but it’s receiving a NXDOMAIN from the DNS server. So, therefor it’s connecting to a dns server ok because there is a response. Unfortunately however the response is broken/wrong.

      Ok next time try a dig command for the login page/site. Hopefully it will show what dns server it’s using.

      dig a captiveportal-login.[publiclibrarywebsite].com
      • Necks_Dee
      • 2 wk ago
      • Reported - view

       

      dig a captiveportal-login.librarywebsite.com
      ;; communications error to 127.0.0.53#53: timed out

      ; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> a captiveportal-login.librarywebsite.com
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56941
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 65494
      ;; QUESTION SECTION:
      ;captiveportal-login.librarywebsite.com.    IN    A

      ;; AUTHORITY SECTION:
      librarywebsite.com. 86400 IN SOA lucy.librarywebsite.com. root.lucy.librarywebsite.com. 2024102101 10800 3600 3600000 86400

      ;; Query time: 22 msec
      ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
      ;; WHEN: Mon Nov 04 15:08:37 PST 2024
      ;; MSG SIZE  rcvd: 101

      • R_P_M
      • 2 wk ago
      • Reported - view

       OK, I think 127.0.0.53 is systemd-resolved. I’ll need to refresh my memory on systemd-resolved as it’s been a long time since I’ve had to deal with it (or battle with it sometimes). Will be back with more info in about a day or two. 

      • R_P_M
      • 2 wk ago
      • Reported - view

      Right, for systemd-resolved to find out what dns server is in use, run this command:

      resolvectr status
      

      It will spit out lots of info but all we need is the DNS server lines.

      • Necks_Dee
      • 2 wk ago
      • Reported - view

      to bypass review, I changed ".io" to "DOT io".

       

      ~$ resolvectr status
      Command 'resolvectr' not found, did you mean:
        command 'resolvectl' from deb systemd-resolved (255.4-1ubuntu8.4)
      Try: sudo apt install <deb name>

      ~$ resolvectl status
      Global
               Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
        resolv.conf mode: stub
      Current DNS Server: 45.90.28.0#compy-1c34c4.dns.nextdns DOT io
      DNS Servers: 45.90.28.0#compy-1c34c4.dns.nextdns DOT io
                          2a07:a8c0::#compy-1c34c4.dns.nextdns DOT io
      45.90.30.0#compy-1c34c4.dns.nextdns DOT io
                          2a07:a8c1::#compy-1c34c4.dns.nextdns DOT io

      Link 2 (wlp3s0)
          Current Scopes: DNS
               Protocols: +DefaultRoute -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
      Current DNS Server: 75.153.171.114
             DNS Servers: 75.153.176.1 75.153.171.114

      • Necks_Dee
      • 2 wk ago
      • Reported - view

       

      My previous post was when I was connected to a working wifi (not the problematic public-library wifi). In this post, I share the terminal printout when connected to the problematic public-library wifi:

       

       resolvectl status
      Global
               Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
        resolv.conf mode: stub
      Current DNS Server: 45.90.28.0#compy-1c34c4.dns.nextdns DOT io
      DNS Servers: 45.90.28.0#compy-1c34c4.dns.nextdns DOT io
                          2a07:a8c0::#compy-1c34c4.dns.nextdns DOT io
      45.90.30.0#compy-1c34c4.dns.nextdns DOT io
                          2a07:a8c1::#compy-1c34c4.dns.nextdns DOT io

      Link 2 (wlp3s0)
          Current Scopes: DNS
               Protocols: +DefaultRoute -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
      Current DNS Server: 207.194.177.177
             DNS Servers: 207.194.177.177

      • R_P_M
      • 2 wk ago
      • Reported - view

       Ah, there’s the problem. It shows on the first print out the issue at hand (the second one just confirms it). ((p.s. sorry about the typo with the command))

      It’s showing that you’ve setup NextDNS within systemd-resolved settings and is overriding the DNS from the WiFi connection. 

      Since you’ve installed the CLI already you probably should remove NextDNS from the systemd-resolved setup (it complicates things - as you have found out). 

      Edit the file /etc/systemd/resolved.conf with super user privileges. Comment the NextDNS lines out using #, to save it for later (just for a backup). A system reboot should get it back to working as default. Check using the command from last time, should not list anything for “global” dns. 

      • Necks_Dee
      • 2 wk ago
      • Reported - view

       

      thanks for your reply. Two points in response.

       

      Point 1. Actually, I've been having this issue before I changed /etc/systemd/resolved.conf. I've had this issue for 2 weeks (since I created this thread).  I changed resolved.conf only a few days ago.  So I'm not sure how undoing resolved.conf will fix things.

       

      Point 2: I'm not at the public library right now. I haven't commented the nextdns lines out yet from resolved.conf. I'm at home, and when I go to http s :// my . nextdns DOt io/, it does say

      All good!

      This device is using NextDNS with this profile.

      • R_P_M
      • 13 days ago
      • Reported - view

       Setting NextDNS in systemd-resolved while also using the CLI is not recommended (you don’t really want to accidentally override some of the advanced features of the CLI & can sometimes cause confusion as to whether the CLI is working correctly).

      When at library try “ping -c5 207.194.177.177” and also put “207.194.177.177” into a browser location, see if anything shows up. 

      • Necks_Dee
      • 13 days ago
      • Reported - view

       

      Without undoing CLI or resolved.conf (yet) I did this:

      ~$  resolvectl status
      Global
               Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
        resolv.conf mode: stub
      Current DNS Server: 45.90.30.0#compy-1c34c4.dns . nextdns . io
             DNS Servers: 45.90.28.0#compy-1c34c4.dns . nextdns . io
                          2a07:a8c0::#compy-1c34c4.dns . nextdns . io
                          45.90.30.0#compy-1c34c4.dns . nextdns . io
                          2a07:a8c1::#compy-1c34c4.dns . nextdns . io

      Link 2 (wlp3s0)
          Current Scopes: DNS
               Protocols: +DefaultRoute -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
      Current DNS Server: 207.194.177.177
             DNS Servers: 207.194.177.177

       

      ~$ ping -c5 207.194.177.177
      PING 207.194.177.177 (207.194.177.177) 56(84) bytes of data.

      --- 207.194.177.177 ping statistics ---
      5 packets transmitted, 0 received, 100% packet loss, time 4126ms

       

      In a private/incognito browser tab, I put 207.194.177.177 and hit Enter. After 10 seconds, it redirected to https:// captiveportal-login DOT publiclibrarysite DOT com/swarm.cgi?opcode=cp_generate&orig_url=687474703a2f2f3230372e3139342e3137372e3137372f.

      The window has the text:

      Hmm. We’re having trouble finding that site.

      We can’t connect to the server at captiveportal-login . publiclibrarysite dot com

      If you entered the right address, you can:

          Try again later
          Check your network connection
          Check that Firefox has permission to access the web (you might be connected but behind a firewall)

      • Necks_Dee
      • 13 days ago
      • Reported - view

       

      After my reply of 5 minutes ago (https://help.nextdns.io/t/m1yzty4?r=35yzjsj), I have just commented-out the nextdns-related lines from my resolved.conf file

      Ready to do whatever steps we need.

      • R_P_M
      • 13 days ago
      • Reported - view

       I have no idea why the library’s captive portal is pointing you to a domain that is being replied as NXDOMAIN from their own DNS server. It makes no sense.

      Anyway, enough of the commentary. Let’s get back to trying to get around this problem. 

      One thought I had while mulling over your issue, testing the login with a different/clean device. Obviously if you don’t have any other devices, you couldn’t test that way. So then I thought, what about using a live image to boot into, like the one you probably used to install Mint Cinnamon in the first place, that’s a clean system. Do you still have the install media or has it been repurposed as something else?

      • Necks_Dee
      • 13 days ago
      • Reported - view

      I have live usb, i believe.

      So just to check... can't I just create a new administrator account on my Linux Mint? Is that not a good enough solution?

      • R_P_M
      • 12 days ago
      • Reported - view

       Nice thought but sadly no. A change of account is not enough to reset the settings, installing the CLI and the change to systemd-resolved will affect any other account on the device (it’s a systemwide change).

      The objective is to test whether a clean system can even login to the library’s captive portal successfully or not (my thinking is that it will also fail with the same problem - which will conclude that the fault is with their system). If it does turn out to be theirs, who do you explain the problem to (who would understand the issue?). Would a simple reboot of their system be enough?

      Well anyway, let’s not jump to conclusions just yet. Testing with the live usb & login to the captive portal to check it works. 

      • Necks_Dee
      • 12 days ago
      • Reported - view

      I haven't tried the Live Mint USB in library.

      Just thought I'd share a data point. I'm on transit which offers free wifi. It has a captive portal and my Linux Mint laptop was able to see the captive portal. I put a check mark in the "Agree to these Terms and conditions" button and clicked Submit and now I'm connected to the transit's wifi.

    • Necks_Dee
    • 12 days ago
    • Reported - view
     said:
    The objective is to test whether a clean system can even login to the library’s captive portal successfully or not (my thinking is that it will also fail with the same problem - which will conclude that the fault is with their system).

    But I can log into the public library's wifi on my phone. Plus,  there's so many people at that library with their laptops . I have been assuming they can connect to the wifi, too.

Content aside

  • 1 Likes
  • 13 hrs agoLast active
  • 33Replies
  • 150Views
  • 2 Following