NextDNS 'leakage'
I've posted about this before but the "problem" (or so I perceive it) seems to be getting worse. Any helpful hints would be appreciated.
I am using the NextDNS CLI on my Unifi router. In my ideal world 100% of DNS queries on my network should flow into the default gateway (my router -- 192.168.0.1 on my LAN) and be resolved via the CLI via an encrypted call to NextDNS using DoH (which the CLI uses).
Last time I looked this was a little under 100% and I wondered where the leakage was.
Now it's almost down to 60%. Looking at the logs (see screenshot) I notice the following:
- There are a LOT of queries from "unidentified devices" which then are only identified by my WAN IP address. Almost all of them go to Microsoft, a few go to Google and a fewer still go to Unifi. I somehow need to track down which device(s) is/are left on my network that don't identify themselves since pretty much everything does.
- More importantly, for the NextDNS analytics to be able to calculate this % it must be able to know the total reaching it versus the number reaching it via DoH. This can only mean, I think, that about 38% of DNS queries reaching NextDNS are NOT encrypted i.e. did not come through the NextDNS CLI (because if they did, they would be encrypted!).
It was suggested to me before that I remove the explicitly stated IPv4 addresses for NextDNS from my router (presently they are there - see screenshot) BUT whilst I think this will probably increase the %, the risk is it increases it for the wrong reasons; if I set this back to "Auto" the router's standard DNS resolver will default back to whichever DNS servers my ISP gives out... so queries not passing through the NextDNS CLI will be resolved by Google DNS, or Cloudflare DNS, etc -- yes, true, the % of queries NextDNS sees via DoH as a proportion of ALL the queries it sees may well go up, but that may only be because the queries that the CLI is currently missing (but still reach NextDNS via the IPv4 addresses) will simply disappear from view.
BUT the leaking remains.
So I am at a loss as to what I can change to ensure that the NextDNS CLI intercepts and picks up ALL DNS queries leaving my LAN via my default gateway.
Any thoughts?
Thank you.
4 replies
This is most likely the dashboard causing this. It checks against Microsoft, Google, & Cloudflare. This function uses the ISP DNS Settings and doesn’t use NextDNS. The fix is to go to your internet settings and use 127.0.0.1 for the primary DNS and leave the secondary blank. I don’t use nextDNS CLI and use the newer encrypted DNS setting within UniFi but making these changes got me to 100% encrypted DNS traffic to NextDNS.
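An added example, not code from the thread or from NextDNS: a Python audit over constructed router flow records that separates queries reaching the gateway's DoH forwarder from plaintext port-53 egress that bypasses it, attributes each leak to its source host, and computes the encrypted share the dashboard would report. The LAN range, gateway address and resolver IPs are assumed placeholders.

```python
"""Audit constructed router flow records for DNS that bypasses a local
DoH forwarder (such as the NextDNS CLI) on the default gateway."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")       # assumed LAN range
GATEWAY = ip_address("192.168.0.1")      # router running the forwarder
DOH_RESOLVERS = {"203.0.113.10"}         # placeholder DoH upstream address

# Constructed flow records: "src_ip src_port dst_ip dst_port proto".
# Documentation ranges stand in for external resolver addresses.
FLOWS = """\
192.168.0.1 51000 203.0.113.10 443 tcp
192.168.0.1 51001 203.0.113.10 443 tcp
192.168.0.1 51002 203.0.113.10 443 tcp
192.168.0.23 50233 198.51.100.5 53 udp
192.168.0.23 50234 198.51.100.5 53 udp
192.168.0.1 40100 198.51.100.5 53 udp
192.168.0.42 33001 192.168.0.1 53 udp
192.168.0.42 33002 192.168.0.1 53 udp
192.168.0.57 44000 203.0.113.10 443 tcp
""".strip().splitlines()

def classify(src, dst, dport):
    """Category for one flow, or None if it is not DNS-related."""
    if dport == 53 and dst == GATEWAY:
        return "local-to-forwarder"   # what every LAN client should do
    if dst in LAN:
        return None
    if dport == 53:
        return "plaintext-leak"       # bypasses the forwarder entirely
    if dport == 853:
        return "dot-bypass"           # encrypted, but not via the forwarder
    if dport == 443 and str(dst) in DOH_RESOLVERS:
        return "doh-forwarder" if src == GATEWAY else "doh-bypass"
    return None

def audit(lines):
    """Return (category totals, leaking host -> resolver counts, % encrypted)."""
    totals, leakers = Counter(), defaultdict(Counter)
    for line in lines:
        src, _, dst, dport, _ = line.split()
        cat = classify(ip_address(src), ip_address(dst), int(dport))
        if cat is None:
            continue
        totals[cat] += 1
        if cat.endswith(("leak", "bypass")):
            leakers[src][dst] += 1
    external = sum(v for k, v in totals.items() if k != "local-to-forwarder")
    encrypted = external - totals["plaintext-leak"]
    share = round(100 * encrypted / external, 1) if external else 0.0
    return totals, {h: dict(c) for h, c in leakers.items()}, share

if __name__ == "__main__":
    totals, leakers, share = audit(FLOWS)
    print(dict(totals), leakers, f"{share}% encrypted", sep="\n")
```

The gateway's own port-53 flow shows the case from the question: the router's stub resolver sending plaintext queries to the explicitly configured upstream, which the forwarder never sees.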