NextDNS with various user levels

I would like to be able to use NextDNS with my OPNsense router. I need to use TLS b/c my ISP will hijack my DNS otherwise. I found a guide here (https://www.derekseaman.com/2021/04/how-to-nextdns-opnsense-firewall.html) on how to use the NextDNS CLI with OPNsense but that doesn't seem to be using TLS.

Second issue is that  I would like to setup NextDNS on my router for all traffic, BUT only apply blocking rules to specific devices.  I don't see where I can select a specific profile/rules to specific devices.

11replies Oldest first
  • Oldest first
  • Newest first
  • Active threads
  • Popular
  • This guide is showing how to use our CLI which is using DoH. DoH is using TLS, your ISP won't be able to hijack your DNS traffic.

    Like 2
  • For first issue, what you should search is "opensense DoT". I dunno why you want cli while the GUI is there. Here's one of the link if it's not enough you can google it more. https://www.dnsknowledge.com/unbound/opnsense-set-up-and-configure-dns-over-tls-dot/

    For your second issue, it's not clear wether you just want to apply blocklist for certain devices and while rest is no block at all. Or you want to create different blocklist for each devices. If it's the first case then you just need to config your router firewall to redirect all dns traffic from non blocked devices to other free dns server while the blocked devices to nextdns.  And if it's the second case then your choice is to install DoH/DoT for all those devices, then you add many new configuration to your account, the link is on the upper left of homepage, then you set each configuration base on you preference. All of them have unique DoH/DoT address. 馃槉

    Like 1
  • I was looking at the CLI b/c it seems that NextDNS did not work well with unbound (in the setup area there is this notice:  As a recursive resolver, Unbound chases CNAMEs. This may result in unexpected behavior when used in conjunction with a blocking DNS resolver like NextDNS. See github.com/NLnetLabs/unbound/issues/132.)   

    To clarify, I have three block lists.  Unblocked, Kids and IoT.  Each of these segments are on their own /24.  Unblocked just has malware protection and the Kids has the most blocking.  Right now I have the NextDNS app installed on all the kids devices but that is cumbersome to manage.  I was hoping to manage this on a UI.

    To this point I have used the (Services > Unbound > General >) Custom Options in OPNsense to setup my TLS (currently it's going to Cloudflare Teams), using this format:


    But in the guide it follows a different format (this would be my full text):

    # TLS Config
    tls-cert-bundle: "/etc/ssl/cert.pem"
    # Forwarding Config
        name: "."
        forward-tls-upstream: yes
        forward-addr: 2a07:a8c0::#XXXXXX.dns1.nextdns.io
        forward-addr: 2a07:a8c1::#XXXXXX.dns2.nextdns.io

      • SLCW
      • SLCW
      • 1 yr ago
      • Reported - view

      Rafael Diaz Have you considered using separate NextDNS accounts for each device rather than trying to do it all under one umbrella? By doing that, you would be able to apply a custom selection of blocklists and security options to each device. It would make managing logs and analytics a bit more difficult, but the gain in flexibility, and ability to apply blocklists granularly might make it worth the trouble. 

      • DynamicNotSlow
      • Pro subscriber 鉁
      • DynamicNotSlow
      • 1 yr ago
      • Reported - view

      SLCW different Account aren't needed. This can be archived with profiles.

    • DynamicNotSlow How do I send selected users to specific profiles using the CLI version?

  • so I installed the CLI version in OPNsense and it's working to a point.  As a test I added one of my laptops by MAC address to the "blocked" profile and while it is using NextDNS sites are not being blocked.   Looks like everything is using the unblocked profile unless they are using the client app.   I could be wrong but do I lose the ability of knowing which PC is going to which sites if I use the CLI?

    Here is my nextdns.conf file

    listen localhost:53
    log-queries false
    cache-max-age 0s
    bogus-priv true
    control /var/run/nextdns.sock
    report-client-info true
    config 111111
    config CC:48:3A:36:C6:CB=222222
    cache-size 10MB
    max-ttl 5s
    hardened-privacy false
    detect-captive-portals false
    use-hosts true
    timeout 5s
    setup-router false
    auto-activate false

  • I'm going to have to give up on NextDNS.  While I can get it to work properly IF I install the desktop clients on all my devices they can just disable the app by simply clicking on it.  Configuring this at the router level limits me to one profile as the CLI version is not sending subnets to the specific profiles.

    • Rafael Diaz make sure 鈥渃onfig 111111鈥 is last in the config file.

  • Just and update but putting in "config 111111" last did the trick.  Got almost everything working now (except for plex).

    Thank you

    Like 1
Like Follow
  • 1 yr agoLast active
  • 11Replies
  • 763Views
  • 4 Following