OPNsense NextDNS Configuration – Can't Enable DoH or DoT

Hello fellow forum members,

I hope you all are doing well. I've encountered an issue with my OPNsense setup that I'm hoping some of you can help me solve. I've successfully installed the CLI version of NextDNS on my OPNsense router, but I'm having difficulty enabling DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) as the protocols.

Setup Details

  • OPNsense version: 23.7.5
  • NextDNS CLI version: 1.41.0
  • Zenarmor is also in use and configured to allow DoH traffic.

Issue Description

Even after installation and configuration, when I visit test.nextdns.io, it shows that my protocol is still UDP. I've also tried disabling Unbound to see if it was causing conflicts, but no luck there.

What I've Tried

  1. Checked all NextDNS CLI configurations.
  2. Allowed DoH traffic in Zenarmor.
  3. Used the bypass function in Zenarmor for test purposes.
  4. Restarted OPNsense.
  5. Restarted NextDNS service via SSH.

Questions

  1. Is there anything specific in the OPNsense settings that I should look for?
  2. Are there any known conflicts with Zenarmor?
  3. What logs should I be looking at to troubleshoot this issue?
  4. Are there specific firewall rules I should be checking?

Any insights or guidance on solving this problem would be greatly appreciated. Thank you for taking the time to read my post and for any help you can provide. 


C:\Users\Fabio>curl -v https://dns.nextdns.io/info --connect-to ::45.90.28.0:443
* Connecting to hostname: 45.90.28.0
* Connecting to port: 443
*   Trying 45.90.28.0:443...
* Connected to (nil) (45.90.28.0) port 443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server did not agree on a protocol. Uses default.
* using HTTP/1.x
> GET /info HTTP/1.1
> Host: dns.nextdns.io
> User-Agent: curl/8.0.1
> Accept: */*
>
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: *
< Content-Type: application/json
< Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
< Timing-Allow-Origin: *
< Date: Wed, 11 Oct 2023 21:17:38 GMT
< Content-Length: 80
<
{"locationName": " Frankfurt, Germany", "pop": "zepto-fra", "rtt": 5740}* Connection #0 to host (nil) left intact


2 replies

    • Fabio_Elia
    • 6 mths ago

    No one can help?

    • Arty
    • 5 mths ago

    Hi!

    I just had the same issue. I've found the solution in this thread: https://forum.opnsense.org/index.php?topic=25736.0

    Basically you just need to use the GUI: go to "DNS over TLS" in the Unbound settings, and add:

    • The NextDNS IP in "Server IP"
    • 853 in "Server port"
    • Your custom hostname (<yourid>.dns.nextdns.io, the URL in your NextDNS profile) in the "Verify CN" field

    Everything works as expected for me and I do have DoT while browsing test.nextdns.io.

    Hope it helps!

    Regards,

    Arty
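A small client that exercises the same three settings Arty's reply lists (server IP, port 853 and the certificate name to verify) is added below as an illustration; it is not code from the thread, from Unbound or from NextDNS. It assumes only Python 3. The NextDNS IP 45.90.28.0 is taken from the curl output earlier in the thread, `<yourid>.dns.nextdns.io` is the placeholder from the reply, and the sample reply bytes are constructed, so the parsing part runs offline. What it shows is what the "Verify CN" field actually does: the name handed to TLS as `server_hostname` is the name the resolver's certificate must carry, so a forwarder reached at that IP that presents any other certificate fails the handshake instead of being trusted with queries.

```python
"""Minimal DNS-over-TLS (RFC 7858) client mirroring an Unbound-style forwarder
configuration: server IP, port 853, and the certificate name to verify.
Framing and parsing are pure functions so they can be checked on constructed bytes."""
import socket
import ssl
import struct

DOT_PORT = 853  # the value entered in "Server port"
QUERY_ID = 0x1234


def build_query(qname: str, qid: int = QUERY_ID) -> bytes:
    """Build a DNS A query (RD=1) for qname in wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def frame_dot(msg: bytes) -> bytes:
    """DoT carries DNS over TCP: every message gets a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        ln = msg[pos]
        if ln == 0:
            return pos + 1
        if ln & 0xC0 == 0xC0:  # compression pointer: two bytes, terminates the name
            return pos + 2
        pos += 1 + ln


def parse_response(frame: bytes, expected_id: int):
    """Strip the length prefix and extract A records from the answer section.
    Returns (rcode, [dotted-quad, ...]); raises ValueError on a malformed reply."""
    (length,) = struct.unpack("!H", frame[:2])
    msg = frame[2:2 + length]
    if len(msg) != length or length < 12:
        raise ValueError("truncated DNS message")
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("response ID does not match query")
    pos = 12
    for _ in range(qd):  # skip question section: name + QTYPE + QCLASS
        pos = _skip_name(msg, pos) + 4
    addrs = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return flags & 0x000F, addrs


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def dot_query(server_ip: str, verify_cn: str, qname: str, timeout: float = 5.0):
    """Send one A query to server_ip:853 over TLS, verifying the certificate
    against verify_cn (for NextDNS the '<yourid>.dns.nextdns.io' placeholder
    from the reply). A certificate lacking that name aborts the handshake."""
    ctx = ssl.create_default_context()  # chain and hostname verification on by default
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw:
        # server_hostname supplies SNI and is the name the certificate is matched against.
        with ctx.wrap_socket(raw, server_hostname=verify_cn) as tls:
            tls.sendall(frame_dot(build_query(qname)))
            prefix = _recv_exact(tls, 2)
            body = _recv_exact(tls, struct.unpack("!H", prefix)[0])
    return parse_response(prefix + body, QUERY_ID)


# Constructed sample reply (not captured from NextDNS): the query for
# "example.test" answered with a single A record 192.0.2.10, TTL 300.
SAMPLE_QUERY = build_query("example.test")
SAMPLE_REPLY = frame_dot(
    struct.pack("!HHHHHH", QUERY_ID, 0x8180, 1, 1, 0, 0)
    + SAMPLE_QUERY[12:]                   # echo the question section
    + b"\xc0\x0c"                         # owner name: pointer to offset 12
    + struct.pack("!HHIH", 1, 1, 300, 4)  # TYPE A, CLASS IN, TTL, RDLENGTH
    + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_REPLY, QUERY_ID))
    # Live check (needs network); 45.90.28.0 is the NextDNS address from the curl output.
    # print(dot_query("45.90.28.0", "<yourid>.dns.nextdns.io", "example.com"))
```

Running `dot_query` against the configured server with the profile hostname is a quick way to confirm the three GUI fields are consistent before relying on Unbound's own logs: a wrong "Verify CN" shows up as a certificate verification error at the TLS layer, while a blocked port 853 shows up as a connection timeout, which points at firewall or Zenarmor rules rather than the resolver settings.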
