Installed nextdns via the "sh ... curl" line. Captive portals stopped working. I uninstalled nextdns but captive portals still don't work. Help
- Necks_Dee
- 2 mths ago
- 37 replies
On my Linux Mint Cinnamon 21.3, I installed nextdns in the terminal this way:
sh -c 'sh -c "$(curl -sL https://nextdns.io/install)"'
I couldn't log into a public wifi that uses a captive portal, so I've decided to uninstall nextdns using that same command.
But even though https://my.nextdns.io/[my_special_id]/setup says "This device is not using NextDNS.", I still can't log into the same public wifi (the one that uses a captive portal).
What must I do to completely undo whatever that linux terminal command did to my linux laptop? I wish to be able to log into
37 replies
- R_P_M
- 2 mths ago
You didn’t need to uninstall the CLI, there is an option to detect captive portals, you should have tried that first.
nextdns config set -detect-captive-portals true
- Necks_Dee
- 2 mths ago
Thanks for your reply!
I tried the command you suggested and got this:
~$ nextdns config set -detect-captive-portals true
Unrecognized parameter: true
  -auto-activate
        Run activate at startup and deactivate on exit.
  -bogus-priv
        Bogus private reverse lookups. All reverse lookups for private IP ranges (ie 192.168.x.x, etc.) are answered with "no such domain" rather than being forwarded upstream. The set of prefixes affected is the list given in RFC6303, for IPv4 and IPv6. (default true)
  -cache-max-age duration
        If set to greater than 0, a cached entry will be considered stale after this duration, even if the record's TTL is higher.
  -cache-size string
        Set the size of the cache in byte. Use 0 to disable caching. The value can be expressed with unit like kB, MB, GB. The cache is automatically flushed when the pointed profile is updated. (default "0")
  -config value
        deprecated, use -profile instead
  -config-file string
        Custom path to configuration file.
  -control string
        Address to the control socket. (default "/var/run/nextdns.sock")
  -debug
        Enable debug logs.
  -detect-captive-portals
        Automatic detection of captive portals and fallback on system DNS to allow the connection to establish. Beware that enabling this feature can allow an attacker to force nextdns to disable DoH and leak unencrypted DNS traffic.
  -discovery-dns string
        The address of a DNS server to be used to discover client names. If not defined, the address learned via DHCP will be used. This setting is only active if report-client-info is set to true.
  -forwarder value
        A DNS server to use for a specified domain. Forwarders can be defined to send proxy DNS traffic to an alternative DNS upstream resolver for specific domains. The format of this parameter is [DOMAIN=]SERVER_ADDR[,SERVER_ADDR...]. A SERVER_ADDR can ben either an IP[:PORT] for DNS53 (unencrypted UDP, TCP), or a HTTPS URL for a DNS over HTTPS server. For DoH, a bootstrap IP can be specified as follow: https://dns.nextdns.io#45.90.28.0. Several servers can be specified, separated by commas to implement failover. This parameter can be repeated. The first match wins.
  -hardened-privacy
        Deprecated.
  -listen value
        Listen address for UDP DNS proxy server.
  -log-queries
        Log DNS queries.
  -max-inflight-requests uint
        Maximum number of inflight requests handled by the proxy. No additional requests will not be answered after this threshold is met. Increasing this value can reduce latency in case of burst of requests but it can also increase significantly memory usage. (default 256)
  -max-ttl duration
        If set to greater than 0, defines the maximum TTL value that will be handed out to clients. The specified maximum TTL will be given to clients instead of the true TTL value if it is lower. The true TTL value is however kept in the cache to evaluate cache entries freshness. This is best used in conjunction with the cache to force clients not to rely on their own cache in order to pick up profile changes faster.
  -mdns string
        Enable mDNS to discover client information and serve mDNS learned names over DNS. Use "all" to listen on all interface or an interface name to limit mDNS on a specific network interface. Use "disabled" to disable mDNS altogether. (default "all")
  -profile value
        NextDNS custom profile id. The profile id can be prefixed with a condition that is match for each query:
        * 10.0.3.0/24=abcdef: A CIDR can be used to restrict a profile to a subnet.
        * 2001:0DB8::/64=abcdef: An IPv6 CIDR.
        * 00:1c:42:2e:60:4a=abcdef: A MAC address can be used to restrict profile to a specific host on the LAN.
        * eth0=abcdef: An interface name can be used to restrict a profile to all hosts behind this interface.
        This parameter can be repeated. The first match wins.
  -report-client-info
        Embed clients information with queries.
  -setup-router
        Automatically configure NextDNS for a router setup. Common types of router are detected to integrate gracefully. Changes applies are undone on daemon exit. The listen option is ignored when this option is used.
  -timeout duration
        Maximum duration allowed for a request before failing. (default 5s)
  -use-hosts
        Lookup /etc/hosts before sending queries to upstream resolver. (default true)
- Necks_Dee
- 2 mths ago
I tried
sudo nextdns config set -detect-captive-portals
but the captive portal with my public library wifi still doesn't work :(
- R_P_M
- 2 mths ago
How did you log in to the public WiFi before? Maybe the portal site is still in your browser history?
- Necks_Dee
- 1 mth ago
I'm not at the public library right now, but I don't think it's because the webpage is cached in browser history. Is there something I could paste here to let us investigate what's going on? Some terminal command I could run?
- R_P_M
- 1 mth ago
Well I wasn’t thinking of browser cache as such, more about the login page location to revisit. If it’s not in history maybe you could try visiting the IP address of the router or dns IP (if it’s different from router IP).
- Necks_Dee
- 1 mth ago
I don't know the IP address or DNS IP. When I'm at the public library, we can go to any website and it should redirect to a URL of the captive portal.
- R_P_M
- 1 mth ago
The IP addresses should appear in your network manager once you’ve connected to the public library WiFi.
I’m familiar with how it’s supposed to work after seeing a few different setups in the past.
Maybe try out “sudo nextdns deactivate” when connected to the WiFi, try to login. Then once internet access is allowed “sudo nextdns activate” and see if it’s working still.
- Necks_Dee
- 1 mth ago
I tried out sudo nextdns deactivate when connected to this public library's wifi. I then tried to log in, but it still gives the same error message.
On firefox:
Hmm. We're having trouble finding that site.
We can't connect to the server at captiveportal-login.[publiclibrarywebsite].com
On Chromium
Your connection is not private.
Attackers might be trying to steal your information from yahoo<dot>com
NET:ERR_CERT_COMMON_NAME_INVALID
This server could not prove that it is yahoo<dot>com; its security certificate is from *.[publiclibrarywebsite].com. This may be caused by a misconfiguration or an attacker intercepting your connection.
(I put the dot in yahoo . com in brackets because this nextdns helpforum thinks it's spam otherwise)
When I click "Proceed anyway", I'm taken to this error message:
This site can't be reached.
Check if there's a typo in captiveportal-login.[publiclibrarywebsite].com
DNS_PROBE_FINISHED_NXDOMAIN
- R_P_M
- 1 mth ago
Well that’s interesting, it’s correctly capturing and redirecting to the login but it’s receiving an NXDOMAIN from the DNS server. So, therefore, it’s connecting to a DNS server OK because there is a response. Unfortunately, however, the response is broken/wrong.
Ok next time try a dig command for the login page/site. Hopefully it will show what dns server it’s using.
dig a captiveportal-login.[publiclibrarywebsite].com
- Necks_Dee
- 1 mth ago
dig a captiveportal-login.librarywebsite.com
;; communications error to 127.0.0.53#53: timed out

; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> a captiveportal-login.librarywebsite.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56941
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;captiveportal-login.librarywebsite.com. IN A

;; AUTHORITY SECTION:
librarywebsite.com. 86400 IN SOA lucy.librarywebsite.com. root.lucy.librarywebsite.com. 2024102101 10800 3600 3600000 86400

;; Query time: 22 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Nov 04 15:08:37 PST 2024
;; MSG SIZE rcvd: 101
- R_P_M
- 1 mth ago
OK, I think 127.0.0.53 is systemd-resolved. I’ll need to refresh my memory on systemd-resolved as it’s been a long time since I’ve had to deal with it (or battle with it sometimes). Will be back with more info in about a day or two.
- R_P_M
- 1 mth ago
Right, for systemd-resolved to find out what dns server is in use, run this command:
resolvectr status
It will spit out lots of info but all we need is the DNS server lines.
- Necks_Dee
- 1 mth ago
To bypass review, I changed ".io" to "DOT io".
~$ resolvectr status
Command 'resolvectr' not found, did you mean:
  command 'resolvectl' from deb systemd-resolved (255.4-1ubuntu8.4)
Try: sudo apt install <deb name>
~$ resolvectl status
Global
Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Current DNS Server: 45.90.28.0#compy-1c34c4.dns.nextdns DOT io
DNS Servers: 45.90.28.0#compy-1c34c4.dns.nextdns DOT io
2a07:a8c0::#compy-1c34c4.dns.nextdns DOT io
45.90.30.0#compy-1c34c4.dns.nextdns DOT io
2a07:a8c1::#compy-1c34c4.dns.nextdns DOT io

Link 2 (wlp3s0)
Current Scopes: DNS
Protocols: +DefaultRoute -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 75.153.171.114
DNS Servers: 75.153.176.1 75.153.171.114
- Necks_Dee
- 1 mth ago
My previous post was when I was connected to a working wifi (not the problematic public-library wifi). In this post, I share the terminal printout when connected to the problematic public-library wifi:
resolvectl status
Global
Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Current DNS Server: 45.90.28.0#compy-1c34c4.dns.nextdns DOT io
DNS Servers: 45.90.28.0#compy-1c34c4.dns.nextdns DOT io
2a07:a8c0::#compy-1c34c4.dns.nextdns DOT io
45.90.30.0#compy-1c34c4.dns.nextdns DOT io
2a07:a8c1::#compy-1c34c4.dns.nextdns DOT io

Link 2 (wlp3s0)
Current Scopes: DNS
Protocols: +DefaultRoute -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 207.194.177.177
DNS Servers: 207.194.177.177
- R_P_M
- 1 mth ago
Ah, there’s the problem. It shows on the first printout the issue at hand (the second one just confirms it). ((p.s. sorry about the typo with the command))
It’s showing that you’ve set up NextDNS within the systemd-resolved settings and it is overriding the DNS from the WiFi connection.
Since you’ve installed the CLI already you probably should remove NextDNS from the systemd-resolved setup (it complicates things - as you have found out).
Edit the file /etc/systemd/resolved.conf with super user privileges. Comment the NextDNS lines out using #, to save it for later (just for a backup). A system reboot should get it back to working as default. Check using the command from last time, should not list anything for “global” dns.
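An added example (not code from the thread, from NextDNS or from systemd) that automates the check R_P_M describes: it parses a constructed resolvectl status printout modelled on the ones posted above, flags the case where Global DNS servers are configured alongside the Wi-Fi link's own resolver, and lists the uncommented DNS=/DNSOverTLS= lines in resolved.conf text so the edit can be verified. Function names, the sample text and the PROFILE-ID placeholder are assumptions.

```python
import re
# Constructed sample modelled on the thread's `resolvectl status` printout (profile id is a placeholder).
SAMPLE_STATUS = """\
Global
Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Current DNS Server: 45.90.28.0#PROFILE-ID.dns.nextdns.io
DNS Servers: 45.90.28.0#PROFILE-ID.dns.nextdns.io
2a07:a8c0::#PROFILE-ID.dns.nextdns.io

Link 2 (wlp3s0)
Current Scopes: DNS
Protocols: +DefaultRoute -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 207.194.177.177
DNS Servers: 207.194.177.177
"""
SCOPE_RE = re.compile(r"^(Global|Link \d+ \(\S+\))$")
SERVER_RE = re.compile(r"^[0-9A-Fa-f.:]+(#\S+)?$")  # "ip" or "ip#tls-name"

def parse_resolvectl(text):
    """Map each scope ('Global', 'Link 2 (wlp3s0)') to its protocols and DNS servers."""
    scopes, cur, in_list = {}, None, False
    for line in (l.strip() for l in text.splitlines()):
        if SCOPE_RE.match(line):
            cur, in_list = line, False
            scopes[cur] = {"protocols": "", "dns": []}
        elif cur and line.startswith("Protocols:"):
            scopes[cur]["protocols"] = line.split(":", 1)[1].strip()
            in_list = False
        elif cur and line.startswith("DNS Servers:"):
            scopes[cur]["dns"] += line.split(":", 1)[1].split()
            in_list = True  # a wrapped server list continues on following lines
        elif cur and in_list and SERVER_RE.match(line):
            scopes[cur]["dns"].append(line)
        else:
            in_list = False
    return scopes

def global_dns_shadows_link(scopes):
    """The case diagnosed in the thread: Global DNS servers (NextDNS over DoT) are set
    while the Wi-Fi link advertises its own resolver, the only one answering for the portal."""
    has_global = bool(scopes.get("Global", {}).get("dns"))
    has_link = any(n.startswith("Link") and s["dns"] for n, s in scopes.items())
    return has_global and has_link

def active_dns_settings(resolved_conf):
    """Uncommented DNS=/DNSOverTLS= lines of resolved.conf text; empty once the NextDNS lines are commented out."""
    return [l.strip() for l in resolved_conf.splitlines()
            if re.match(r"\s*(DNS|DNSOverTLS)=", l)]
```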
- Necks_Dee
- 1 mth ago
Thanks for your reply. Two points in response.
Point 1. Actually, I've been having this issue before I changed /etc/systemd/resolved.conf. I've had this issue for 2 weeks (since I created this thread). I changed resolved.conf only a few days ago. So I'm not sure how undoing resolved.conf will fix things.
Point 2: I'm not at the public library right now. I haven't commented the nextdns lines out yet from resolved.conf. I'm at home, and when I go to http s :// my . nextdns DOt io/, it does say
All good!
This device is using NextDNS with this profile.
- R_P_M
- 1 mth ago
Setting NextDNS in systemd-resolved while also using the CLI is not recommended (you don’t really want to accidentally override some of the advanced features of the CLI & can sometimes cause confusion as to whether the CLI is working correctly).
When at library try “ping -c5 207.194.177.177” and also put “207.194.177.177” into a browser location, see if anything shows up.
- Necks_Dee
- 1 mth ago
Without undoing CLI or resolved.conf (yet) I did this:
~$ resolvectl status
Global
Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Current DNS Server: 45.90.30.0#compy-1c34c4.dns . nextdns . io
DNS Servers: 45.90.28.0#compy-1c34c4.dns . nextdns . io
2a07:a8c0::#compy-1c34c4.dns . nextdns . io
45.90.30.0#compy-1c34c4.dns . nextdns . io
2a07:a8c1::#compy-1c34c4.dns . nextdns . io

Link 2 (wlp3s0)
Current Scopes: DNS
Protocols: +DefaultRoute -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 207.194.177.177
DNS Servers: 207.194.177.177
~$ ping -c5 207.194.177.177
PING 207.194.177.177 (207.194.177.177) 56(84) bytes of data.

--- 207.194.177.177 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4126ms
In a private/incognito browser tab, I put 207.194.177.177 and hit Enter. After 10 seconds, it redirected to https:// captiveportal-login DOT publiclibrarysite DOT com/swarm.cgi?opcode=cp_generate&orig_url=687474703a2f2f3230372e3139342e3137372e3137372f.
The window has the text:
Hmm. We’re having trouble finding that site.
We can’t connect to the server at captiveportal-login . publiclibrarysite dot com
If you entered the right address, you can:
Try again later
Check your network connection
Check that Firefox has permission to access the web (you might be connected but behind a firewall)
- Necks_Dee
- 1 mth ago
After my reply of 5 minutes ago (https://help.nextdns.io/t/m1yzty4?r=35yzjsj), I have just commented-out the nextdns-related lines from my resolved.conf file
Ready to do whatever steps we need.
- R_P_M
- 1 mth ago
I have no idea why the library’s captive portal is pointing you to a domain that is being replied as NXDOMAIN from their own DNS server. It makes no sense.
Anyway, enough of the commentary. Let’s get back to trying to get around this problem.
One thought I had while mulling over your issue, testing the login with a different/clean device. Obviously if you don’t have any other devices, you couldn’t test that way. So then I thought, what about using a live image to boot into, like the one you probably used to install Mint Cinnamon in the first place, that’s a clean system. Do you still have the install media or has it been repurposed as something else?
- Necks_Dee
- 1 mth ago
I have a live USB, I believe.
So just to check... can't I just create a new administrator account on my Linux Mint? Is that not a good enough solution?
- R_P_M
- 1 mth ago
Nice thought but sadly no. A change of account is not enough to reset the settings, installing the CLI and the change to systemd-resolved will affect any other account on the device (it’s a systemwide change).
The objective is to test whether a clean system can even login to the library’s captive portal successfully or not (my thinking is that it will also fail with the same problem - which will conclude that the fault is with their system). If it does turn out to be theirs, who do you explain the problem to (who would understand the issue?). Would a simple reboot of their system be enough?
Well anyway, let’s not jump to conclusions just yet. Testing with the live usb & login to the captive portal to check it works.
- Necks_Dee
- 1 mth ago
I haven't tried the Live Mint USB in library.
Just thought I'd share a data point. I'm on transit which offers free wifi. It has a captive portal and my Linux Mint laptop was able to see the captive portal. I put a check mark in the "Agree to these Terms and conditions" button and clicked Submit and now I'm connected to the transit's wifi.
- Necks_Dee
- 1 mth ago
R_P_M said:
The objective is to test whether a clean system can even login to the library’s captive portal successfully or not (my thinking is that it will also fail with the same problem - which will conclude that the fault is with their system).
But I can log into the public library's wifi on my phone. Plus, there are so many people at that library with their laptops. I have been assuming they can connect to the wifi, too.