NextDNS with various user levels
I would like to be able to use NextDNS with my OPNsense router. I need to use TLS because my ISP will hijack my DNS otherwise. I found a guide here (https://www.derekseaman.com/2021/04/how-to-nextdns-opnsense-firewall.html) on how to use the NextDNS CLI with OPNsense, but that doesn't seem to be using TLS.
The second issue is that I would like to set up NextDNS on my router for all traffic, BUT only apply blocking rules to specific devices. I don't see where I can assign a specific profile/rules to specific devices.
11 replies
-
This guide shows how to use our CLI, which uses DoH. DoH uses TLS, so your ISP won't be able to hijack your DNS traffic.
-
For the first issue, what you should search for is "OPNsense DoT". I don't know why you want the CLI while the GUI is there. Here's one of the links; if it's not enough you can google it more. https://www.dnsknowledge.com/unbound/opnsense-set-up-and-configure-dns-over-tls-dot/
For your second issue, it's not clear whether you just want to apply a blocklist for certain devices while the rest have no block at all, or you want to create a different blocklist for each device. If it's the first case then you just need to configure your router firewall to redirect all DNS traffic from non-blocked devices to another free DNS server while the blocked devices go to NextDNS. And if it's the second case then your choice is to install DoH/DoT for all those devices, then add many new configurations to your account (the link is on the upper left of the homepage), then set each configuration based on your preference. All of them have unique DoH/DoT addresses.
-
I was looking at the CLI because it seems that NextDNS did not work well with Unbound (in the setup area there is this notice: "As a recursive resolver, Unbound chases CNAMEs. This may result in unexpected behavior when used in conjunction with a blocking DNS resolver like NextDNS. See github.com/NLnetLabs/unbound/issues/132.")
To clarify, I have three block lists: Unblocked, Kids and IoT. Each of these segments is on its own /24. Unblocked just has malware protection and Kids has the most blocking. Right now I have the NextDNS app installed on all the kids' devices, but that is cumbersome to manage. I was hoping to manage this in a UI.
To this point I have used the (Services > Unbound > General >) Custom Options in OPNsense to set up my TLS (currently it's going to Cloudflare Teams), using this format:
forward-addr: 172.64.36.1@853#xxxxx.cloudflare-gateway.com
But in the guide it follows a different format (this would be my full text):
# TLS Config
tls-cert-bundle: "/etc/ssl/cert.pem"
# Forwarding Config
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 45.90.28.0#XXXXXX.dns1.nextdns.io
    forward-addr: 45.90.30.0#XXXXXX.dns2.nextdns.io
    forward-addr: 2a07:a8c0::#XXXXXX.dns1.nextdns.io
    forward-addr: 2a07:a8c1::#XXXXXX.dns2.nextdns.io
-
So I installed the CLI version in OPNsense and it's working up to a point. As a test I added one of my laptops by MAC address to the "blocked" profile, and while it is using NextDNS, sites are not being blocked. Looks like everything is using the unblocked profile unless they are using the client app. I could be wrong, but do I lose the ability to know which PC is going to which sites if I use the CLI?
Here is my nextdns.conf file:
listen 10.0.0.5:53
listen localhost:53
log-queries false
cache-max-age 0s
discovery-dns
bogus-priv true
control /var/run/nextdns.sock
report-client-info true
config 111111
config 10.0.2.0/24=222222
config CC:48:3A:36:C6:CB=222222
cache-size 10MB
max-ttl 5s
hardened-privacy false
detect-captive-portals false
use-hosts true
timeout 5s
setup-router false
auto-activate false
-
I'm going to have to give up on NextDNS. While I can get it to work properly IF I install the desktop clients on all my devices, they can just disable the app by simply clicking on it. Configuring this at the router level limits me to one profile, as the CLI version is not sending subnets to the specific profiles.
-
Just an update, but putting "config 111111" last did the trick. Got almost everything working now (except for Plex).
Thank you
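The fix in the final reply (moving the unconditional `config 111111` line last) comes down to the CLI evaluating `config` lines in file order with the first match winning, so a catch-all placed first shadows every subnet and MAC rule after it. As an added example that is not code from the thread or from the NextDNS project, here is a small Python model of that selection: it parses the posted `config` lines, reports which rules are shadowed, and shows which profile a client in the kids subnet gets under each ordering. The first-match-wins rule, the sample client addresses 10.0.2.17 and 10.0.3.9, and the trimmed config text are assumptions made for illustration.

```python
"""Model of how NextDNS CLI `config` lines select a profile per client.

Added example, not from the thread or the NextDNS project. It assumes the
CLI evaluates `config` lines top to bottom and the first match wins, which
is what the final reply's fix (moving the catch-all last) implies.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample mirroring the order posted in the thread (catch-all first).
CONF_AS_POSTED = """\
listen 10.0.0.5:53
report-client-info true
config 111111
config 10.0.2.0/24=222222
config CC:48:3A:36:C6:CB=222222
"""

# Same rules with the unconditional profile moved to the end.
CONF_FIXED = """\
listen 10.0.0.5:53
report-client-info true
config 10.0.2.0/24=222222
config CC:48:3A:36:C6:CB=222222
config 111111
"""


def parse_config_rules(conf_text):
    """Return [(kind, condition, profile)] for every `config` line, in file order.

    kind is "any" (no condition), "net" (condition is an ip_network built from
    the CIDR) or "mac" (condition is a lowercase MAC string).
    """
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key != "config":
            continue
        cond, sep, profile = value.strip().rpartition("=")
        if not sep:
            rules.append(("any", None, value.strip()))
        elif MAC_RE.match(cond.lower()):
            rules.append(("mac", cond.lower(), profile))
        else:
            rules.append(("net", ipaddress.ip_network(cond, strict=False), profile))
    return rules


def select_profile(rules, client_ip, client_mac=None):
    """Pick the profile for one client: first matching rule wins (assumed)."""
    ip = ipaddress.ip_address(client_ip)
    mac = client_mac.lower() if client_mac else None
    for kind, cond, profile in rules:
        if kind == "any":
            return profile
        if kind == "net" and ip in cond:
            return profile
        if kind == "mac" and mac is not None and mac == cond:
            return profile
    return None  # no catch-all and nothing matched


def shadowed_rules(rules):
    """Return every conditional rule that appears after a catch-all.

    Under first-match-wins such rules can never fire, which is why the kids
    subnet kept landing on the unblocked profile in the original ordering.
    """
    seen_catch_all = False
    shadowed = []
    for rule in rules:
        if rule[0] == "any":
            seen_catch_all = True
        elif seen_catch_all:
            shadowed.append(rule)
    return shadowed


if __name__ == "__main__":
    for label, text in (("as posted", CONF_AS_POSTED), ("fixed", CONF_FIXED)):
        rules = parse_config_rules(text)
        print(f"[{label}] 10.0.2.17 (kids subnet) ->", select_profile(rules, "10.0.2.17"))
        print(f"[{label}] shadowed:", [(k, str(c), p) for k, c, p in shadowed_rules(rules)])
```

Running `shadowed_rules` over a nextdns.conf before deploying it is a cheap check that no subnet or MAC assignment sits behind the catch-all; the matching itself only sees the source IP (and MAC, where the CLI can learn it on the LAN), so a device that moves to another subnet changes profile with it.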
- Last active 3 yrs ago
- 11 replies
- 1248 views