Unifi UDMP-SE Custom DNS Shield - Multiple Profiles/Servers?

I have multiple profiles on my NextDNS service. I use the NextDNS CLI on my UDM Pro SE and my config file for that assigns the profile based on the network or MAC address of the device. I am able to add multiple custom DNS Shield servers to my UDM Pro SE, one for each of my profiles.


Okay .... now what? Is this even doing anything? I think it may be, as I was getting some undesirable logs in the NextDNS app when I didn't have the Stamps configured correctly. It looks like things are correct now in those logs. Is the custom DNS Shield compatible with the NextDNS CLI? Can you use both at the same time? Is it possible to assign the custom DNS Shield server to be used by network or MAC address, like you can in the NextDNS CLI? I was thinking that the NextDNS CLI may not be needed if that was possible. Seems like it may be a useful feature, but I am not sure of the proper implementation for my situation. Any guidance would be appreciated. Thank you.

16 replies

    • NextDNs
    • 5 mths ago

    Most advanced features of the CLI like multi-profiles or LAN client identification in the log won’t be supported by DNS shield.

      • Matthew.12
      • 5 mths ago

      I deactivated the CLI (NextDNS Deactivate then NextDNS stop) and the logs at my.nextdns.io are showing that the LAN client device names are still coming through on my main profile. It did look like the logs for my other two profiles stopped. I couldn't leave it in that state for long as others are still active on the network. I created the DNS Stamp at https://dnscrypt.info/stamps/ and I am using the path of:

      /XXXXXX/deviceName/ where XXXXXX is my profile ID. When I use a path of just:

      /XXXXXX/ I was getting LAN device names of 'undefined' for everything. 

      If I only used one profile this seems like it would work. However, I use three profiles, so this will not work for me unless Unifi somehow incorporates a 'config' file similar to how the CLI works, so I can have a custom DNS Shield server for each profile and be able to assign LAN devices to a specific server.

      • NextDNs
      • 5 mths ago

      If you embed a device name in your stamp, this device name will be used for all your LAN's clients, which is not what you want in a router setup. It is unlikely DNS shield will ever support forwarding LAN device info as it is not a standard DNS feature.

      • Matthew.12
      • 5 mths ago

      Thanks for the reply. I was hoping that Unifi was replacing '/deviceName/' with the actual LAN deviceName, as shown in my test.nextdns.io results:

      I was not seeing 'deviceName' listed in my logs on NextDNS, but was seeing the actual LAN device names ('Matthews-2N1'), so I hoped this may have been working. As I indicated, I did not restart the router after making the changes, so I probably had some caching going on that was showing me the results I was hoping to see.

      • NextDNs
      • 5 mths ago

      How would the UDM firmware know which part of the URL to rewrite?

      • Matthew.12
      • 5 mths ago

      I was thinking the UDM firmware would look for 'deviceName' in the URL and replace that with the actual LAN deviceName.

      • NextDNs
      • 5 mths ago

      It would be documented.

      • Matthew.12
      • 5 mths ago

      As this is an 'Early Access' feature for Unifi that was just released, there are many gaps in the documentation. Thank you for your time. I appreciate the responses. 🙂

    • Eric.9
    • 5 mths ago

    Unfortunately, you won't be able to identify clients without the CLI. However, after much consideration, I'm not going to install the CLI on my EFG. Just too high of a risk to cause something to break.

    I really wish NextDNS would work with Ubiquiti to have an officially supported integration so firmware updates won't break it. It would generate more business for NextDNS, and it would allow users to have client identification, multiple profiles, etc.

    I believe eventually Ubiquiti will partner with a DNS service. The question will be who gets their interest first: NextDNS, ControlD, DNSFilter, etc.

      • wprivera.1
      • 5 mths ago

      I've installed the CLI on the Unifi UGP3, UDM, UDR, UGP4Pro, UXG Pro, and now the UDM Pro Max. At one point, Olivier Poitrey let me install an unreleased version of the CLI, which resolved my issue. In my experience, the CLI has been rock steady. The only issue I have is that when Unifi releases a console update, I lose the ability to track my clients by device name. In which case I just reinstall.


      But I manage 6 home networks, and am not in a production environment. The worst that will happen to me is, if I break something, G-Maw can't watch Netflix.

    • Matthew.12
    • 5 mths ago

    The DNS Stamp I am using in the custom DNS Shield is here:


    I replaced my real profile ID with 'abc123' in this stamp so you will need to update that. Go to https://dnscrypt.info/stamps/ and paste the stamp above in, then change the path to your profile ID and the resulting stamp will be for your profile ID.

    In my very limited testing this seemed to work for my main profile ID, although it may have been that I did not restart the router after making some changes and some caching was still in play. It may be some time before I can more fully test this on my home network. I am curious if anyone is able to use the custom DNS Shield server on their Unifi router with their NextDNS profile ID and have the LAN device names come through in the NextDNS logs without using the NextDNS CLI.

      • Eric.9
      • 5 mths ago

      Why are you doing that when this information is provided to you in the setup page?!? Look under the Linux or routers section. It's already customized for your profile. If you switch to a different profile's setup page, it will change.

      • Matthew.12
      • 5 mths ago

      Disregard. I am aware that the router setup has the DNS Stamp that NextDNS provides and changing your profile on that page does change the DNS Stamp. After further testing, this was not doing what I hoped it would by altering the DNS Stamp (bringing the LAN device names into the NextDNS logs).


      • Defender
      • 2 wk ago

      Not a good idea to post your stamp publicly unless you want to allow others to use your DNS profile.
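The stamps discussed above (the one Matthew.12 built at dnscrypt.info/stamps with a /profileID/deviceName/ path, and Defender's point that a published stamp lets anyone use the profile) are a base64url-encoded binary structure, so the profile ID is readable by anyone holding the stamp, and an embedded deviceName is a fixed string that is sent for every LAN client rather than substituted per device. The following is an added example, not code from the thread, from NextDNS or from dnscrypt-proxy: a minimal Python encoder/decoder for the DNS-over-HTTPS stamp type, using the thread's 'abc123' placeholder as the profile ID and dns.nextdns.io as the assumed DoH hostname.

```python
import base64
import struct
DOH_PROTOCOL = 0x02                                           # stamp type for DNS-over-HTTPS
PROP_DNSSEC, PROP_NO_LOGS, PROP_NO_FILTER = 0x01, 0x02, 0x04  # informal property bits

def _lp(data: bytes) -> bytes:
    # Length-prefixed field: one length byte, then the bytes.
    if len(data) > 0x7F:
        raise ValueError("field too long for a stamp")
    return bytes([len(data)]) + data

def _vlp(items) -> bytes:
    # Vector of length-prefixed fields; the high bit of a length byte means 'more follow'.
    if not items:
        return b"\x00"
    last = len(items) - 1
    return b"".join(bytes([len(it) | (0x80 if i < last else 0)]) + it for i, it in enumerate(items))

def encode_doh_stamp(hostname: str, path: str, props: int = PROP_DNSSEC, addr: str = "", hashes=()) -> str:
    body = bytes([DOH_PROTOCOL]) + struct.pack("<Q", props)   # protocol byte + 64-bit little-endian props
    body += _lp(addr.encode()) + _vlp([bytes.fromhex(h) for h in hashes])
    body += _lp(hostname.encode()) + _lp(path.encode())       # the path carries the NextDNS profile ID
    return "sdns://" + base64.urlsafe_b64encode(body).decode().rstrip("=")

def decode_doh_stamp(stamp: str) -> dict:
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    body = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))  # restore the stripped '=' padding
    if body[0] != DOH_PROTOCOL:
        raise ValueError("not a DoH stamp (type 0x%02x)" % body[0])
    (props,) = struct.unpack_from("<Q", body, 1)
    pos = 9
    def read_lp() -> bytes:
        nonlocal pos
        n, pos = body[pos] & 0x7F, pos + 1
        val, pos = body[pos:pos + n], pos + n
        return val
    addr = read_lp().decode()
    hashes = []
    while True:                          # hash vector: keep reading while the 'more' bit is set
        more = body[pos] & 0x80
        h = read_lp()
        if h:
            hashes.append(h.hex())
        if not more:
            break
    hostname, path = read_lp().decode(), read_lp().decode()
    return {"props": props, "addr": addr, "hashes": hashes, "hostname": hostname, "path": path}
```

Decoding `encode_doh_stamp("dns.nextdns.io", "/abc123/")` returns the path `/abc123/` in clear, which is why a stamp for a real profile should be treated like a credential.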

    • Flynn_Einhorn
    • 2 wk ago

    I have been testing this on UXG Max, and when I get the NextDNS CLI, the UXG is unable to hit the internet and kind of breaks everything. Right now I am using the IP address for each of my nextdns configs, not ideal and not showing 100% Encrypted. Anyone see this?

      • Defender
      • 2 wk ago

      All of the DNS settings on each network should be set to auto everywhere except the Internet DNS settings. Set those to your two NextDNS IPs, which will catch the Google and Microsoft pings test queries. Those queries will be unencrypted, but everything should go out through the CLI.

      Make sure UniFi Ad Blocking and DNS Shield/Encrypted DNS are disabled. You can't have those enabled with the NextDNS or Control D CLIs, as they conflict with each other.

