
NextDNS 'leakage'

I've posted about this before but the "problem" (or so I perceive it) seems to be getting worse. Any helpful hints would be appreciated.

I am using the NextDNS CLI on my Unifi router. In my ideal world 100% of DNS queries on my network should flow into the default gateway (my router -- 192.168.0.1 on my LAN) and be resolved via the CLI via an encrypted call to NextDNS using DoH (which the CLI uses).

Last time I looked this was a little under 100% and I wondered where the leakage was.

Now it's almost down to 60%. Looking at the logs (see screenshot) I notice the following:

- There are a LOT of queries from "unidentified devices" which then are only identified by my WAN IP address. Almost all of them go to Microsoft, a few go to Google and a fewer still go to Unifi. I somehow need to track down which device(s) is/are left on my network that don't identify themselves since pretty much everything does.

- More importantly, for the NextDNS analytics to be able to calculate this % it must be able to know the total reaching it versus the number reaching it via DoH. This can only mean, I think, that about 38% of DNS queries reaching NextDNS are NOT encrypted i.e. did not come through the NextDNS CLI (because if they did, they would be encrypted!).

It was suggested to me before that I remove the explicitly stated IPv4 addresses for NextDNS from my router (presently they are there - see screenshot) BUT whilst I think this will probably increase the %, the risk is it increases it for the wrong reasons; if I set this back to "Auto" the router's standard DNS resolver will default back to whichever DNS servers my ISP gives out... so queries not passing through the NextDNS CLI will be resolved by Google DNS, or Cloudflare DNS, etc -- yes, true, the % of queries NextDNS sees via DoH as a proportion of ALL the queries it sees may well go up, but that may only be because the queries that the CLI is currently missing (but still reach NextDNS via the IPv4 addresses) will simply disappear from view.

BUT the leaking remains. 

So I am at a loss as to what I can change to ensure that the NextDNS CLI intercepts and picks up ALL DNS queries leaving my LAN via my default gateway.

Any thoughts?

Thank you.
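The "unidentified devices" symptom in the post is what a plaintext port-53 query looks like once it has left the LAN: after NAT the only source NextDNS can see is the WAN address. To find the clients behind it, capture on the LAN side of the router, where the client address is still visible, and summarise any port-53 traffic that is not addressed to the gateway. The script below is an added example, not part of the original post and not NextDNS's own tooling; it assumes a Linux-based router with tcpdump, the gateway address 192.168.0.1 from the post, a LAN bridge interface called br0 (an assumption), and IPv4-only tcpdump output. The sample capture lines and the address 203.0.113.53 are constructed for the example.

```shell
#!/bin/sh
# Added example: find LAN clients that send plaintext DNS past the router.
# Assumptions (not from the post): Linux router with tcpdump, LAN interface
# "br0", gateway 192.168.0.1, IPv4 tcpdump output in "src.port > dst.port:" form.
GATEWAY="${GATEWAY:-192.168.0.1}"
LAN_IF="${LAN_IF:-br0}"

# Reduce tcpdump IPv4 lines to "client -> resolver count" rows for port-53
# traffic that is NOT addressed to the gateway. Each row is a client that is
# bypassing the resolver (and therefore the NextDNS CLI) on the router.
find_dns_leakers() {
  awk -v gw="$GATEWAY" '
    $2 == "IP" && $4 == ">" {
      src = $3; dst = $5
      sub(/:$/, "", dst)                         # "8.8.8.8.53:" -> "8.8.8.8.53"
      n = split(src, s, "[.]"); src = s[1] "." s[2] "." s[3] "." s[4]
      n = split(dst, d, "[.]"); dport = d[n]; dst = d[1] "." d[2] "." d[3] "." d[4]
      if (dport == "53" && dst != gw)
        count[src " -> " dst]++
    }
    END { for (k in count) printf "%s %d\n", k, count[k] }
  ' | sort
}

# Live use on the router. Capturing on the LAN interface matters: on the WAN
# interface every leaked query carries the WAN address as source, which is the
# "unidentified device" entry the NextDNS log shows.
capture_dns_leakers() {
  tcpdump -nn -l -i "$LAN_IF" "port 53 and not host $GATEWAY" 2>/dev/null | find_dns_leakers
}

# Constructed sample capture: one client using the gateway as DHCP told it to,
# one with a hard-coded Google resolver, one going straight to an upstream
# resolver (203.0.113.53 is a stand-in address from the documentation range).
SAMPLE='12:00:01.000001 IP 192.168.0.20.54321 > 192.168.0.1.53: 1+ A? example.com. (29)
12:00:01.000002 IP 192.168.0.42.51234 > 8.8.8.8.53: 2+ A? example.com. (29)
12:00:01.000003 IP 192.168.0.42.51235 > 8.8.8.8.53: 3+ AAAA? example.com. (29)
12:00:01.000004 IP 192.168.0.77.40000 > 203.0.113.53.53: 4+ A? example.org. (29)'

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | find_dns_leakers
```

Run on the router as `capture_dns_leakers` for a few minutes while the network is in normal use; the client addresses it prints are the ones to chase, and the resolver column tells you whether a device hard-codes a public resolver or is simply ignoring the DHCP-supplied gateway. Anything a client sends over DoT (port 853) or DoH (port 443) will not appear here at all, since that traffic is not plaintext port 53.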


4 replies

    • bauer3139
    • 2 days ago

    This is most likely the dashboard causing this. It checks against Microsoft, Google, & Cloudflare. This function uses the ISP DNS settings and doesn't use NextDNS. The fix is to go to your internet settings and use 127.0.0.1 for the primary DNS and leave the secondary blank. I don't use the NextDNS CLI and use the newer encrypted DNS setting within UniFi, but making these changes got me to 100% encrypted DNS traffic to NextDNS.

      • Alastair_MacLeod
      • yesterday

      thank you for replying -- just to clarify, when you say "the dashboard" is causing this... which dashboard do you mean is making these DNS lookups that are originating from an unknown device? You're right though, in the longer version of that list I only saw Microsoft, Google, and UI (for UniFi) so yes, whatever it is, it seems to be doing as you suggest.

      My hypothesis was / is that it's these unknown devices in the log which are also somehow "missing" the NextDNS CLI daemon. But could be they're just two random unrelated clues.

      At the moment my router has "my" IPv4 DNS addresses for NextDNS manually configured, I could (as you suggest) change one of these to the loopback address, or I could set it to 'auto' at which point it would pick up whichever resolvers my ISP gives it. 
      The bit that still eludes me though is why are DNS queries getting to NextDNS but not getting there via DoH (i.e. via the daemon)? Obviously to get to 100% everything it sees needs to arrive via DoH, but in the process of fixing this I don't want to inadvertently fix the wrong thing and lose visibility of the non-DoH queries -- if they suddenly all find their way to Cloudflare, my % will go up but the underlying problem won't be solved.

      • bauer3139
      • yesterday

      On the dashboard it shows the response times for those three services. The firewall is using the ISP's DNS to resolve them. By setting it to the loopback, you're making the firewall itself use its own internal DNS service to resolve them. This way everything on your network uses NextDNS.

      On a side note, I'd also recommend the use of NAT destination rules to redirect DNS traffic to your firewall as well. Lots of IoT devices, especially Google devices, like to hard-code their DNS and ignore the local network. This way no devices leak DNS and you force everything to NextDNS.
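What the destination-NAT suggestion above looks like as firewall rules, as an added example that is not from the thread, from UniFi, or from NextDNS: a generic Linux nftables ruleset that rewrites every LAN client's plaintext DNS (UDP and TCP port 53) to the router's own resolver, so a device that hard-codes 8.8.8.8 still ends up at the resolver on the router. The LAN interface name br0 and the gateway 192.168.0.1 are assumptions; on a UniFi gateway the same thing is expressed as a destination-NAT rule in the controller rather than typed into nft, but the matching logic is the same.

```shell
#!/bin/sh
# Added example (not from the thread): force LAN DNS through the router's
# resolver with nftables. Assumptions: LAN interface "br0", gateway 192.168.0.1,
# nft available on the router. IPv4 only; an IPv6 table would need the same
# rules if clients are also handed an IPv6 resolver.
LAN_IF="${LAN_IF:-br0}"
GATEWAY="${GATEWAY:-192.168.0.1}"

gen_dns_redirect_rules() {
  cat <<EOF
table ip dns_force {
  # The prerouting nat hook only sees packets arriving on an interface, so the
  # router's own lookups (the dashboard's Microsoft/Google/Cloudflare checks
  # bauer3139 describes) are untouched here; those still need the loopback
  # resolver setting. Queries already addressed to the gateway are left alone.
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    iifname "$LAN_IF" ip daddr != $GATEWAY udp dport 53 dnat to $GATEWAY
    iifname "$LAN_IF" ip daddr != $GATEWAY tcp dport 53 dnat to $GATEWAY
  }
  # Port-53 redirection cannot catch DNS-over-TLS (853) or DNS-over-HTTPS (443).
  # DoT is identifiable by port, so it is rejected and the client falls back to
  # plain DNS, which the rules above then capture. DoH shares 443 with ordinary
  # HTTPS and can only be curbed by blocking known DoH resolver hosts.
  chain forward {
    type filter hook forward priority filter; policy accept;
    iifname "$LAN_IF" tcp dport 853 reject with tcp reset
  }
}
EOF
}

# Syntax-check the generated ruleset without loading it.
check_dns_redirect_rules() {
  gen_dns_redirect_rules | nft -c -f -
}

# Load the ruleset (run as root on the router).
apply_dns_redirect_rules() {
  gen_dns_redirect_rules | nft -f -
}

gen_dns_redirect_rules
```

After loading, verify from a LAN client with `dig @8.8.8.8 example.com`: the answer still appears to come from 8.8.8.8 (conntrack reverses the rewrite on the reply), but the query now shows up in the NextDNS log under that client rather than as an unidentified device, which is the check that distinguishes a real fix from the percentage merely moving. The loopback change and the NAT rule address two different leaks: the first fixes the router's own lookups, the second fixes clients that ignore the DHCP-supplied resolver.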

      • Alastair_MacLeod
      • 23 hrs ago

       OK thanks I'll try those things. NAT'ing and custom firewall configurations are all brand new to me (I'm just a humble home user on a learning curve) but I'll get into it!
