
NextDNS and DNS over TLS Server List ?


cowboy

Regular Contributor
I recently installed NextDNS on my RT-AC88U Router. Till now I really like NextDNS as I changed from OpenDNS. In the Asuswrt-Merlin settings I have turned on DNSSEC. Now I want to try DNS over TLS.
But what should I insert into the DNS-over-TLS Server List ? In the Dropdown there is no NextDNS entry.
Any help ?

 
Are you using the NextDNS CLI client (as you mention you 'installed NextDNS')? If so, the only thing that matters (in the screenshot you posted) are your WAN DNS servers, the rest of your settings will be ignored as soon as the NextDNS CLI client is active.
 
I recently installed NextDNS on my RT-AC88U Router. Till now I really like NextDNS as I changed from OpenDNS. In the Asuswrt-Merlin settings I have turned on DNSSEC. Now I want to try DNS over TLS.
But what should I insert into the DNS-over-TLS Server List ? In the Dropdown there is no NextDNS entry.
Any help ?

To use your personal NextDNS servers with DoT
(Manually enter on Address and TLS Hostname and add it with +)
Server1:
Address: 45.90.28.0 TLS Hostname: exxxxx.dns1.nextdns.io
Server2:
Address: 45.90.30.0 TLS Hostname: exxxxx.dns2.nextdns.io
(Your TLS Hostname can be found under router guides/stubby on https://my.nextdns.io/)
This should do it ;)
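
What the Address / TLS Hostname pair above means on the wire, as an added example that is not part of the original post: the client connects to the IP on port 853 but validates the certificate against the TLS hostname, then sends a length-prefixed DNS message. The function names are hypothetical, the hostname is the placeholder exactly as elided in the post, and the check runs from whatever machine executes it, so it tests the NextDNS endpoint rather than the router's own resolver path.

```python
import secrets
import socket
import ssl
import struct

DOT_PORT = 853  # RFC 7858: DNS over TLS

def build_query(name, qid, qtype=1):
    """Minimal DNS query (RD=1, one question, class IN; qtype 1 = A)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def dot_frame(message):
    """DoT carries each DNS message behind a 2-byte big-endian length."""
    return struct.pack("!H", len(message)) + message

def parse_header(response):
    """Return (id, rcode, answer_count) from a DNS response header."""
    qid, flags, _qdcount, ancount = struct.unpack("!HHHH", response[:8])
    return qid, flags & 0x000F, ancount

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf

def query_dot(address, tls_hostname, name="example.com"):
    """Connect to `address`, but validate the certificate for `tls_hostname`."""
    ctx = ssl.create_default_context()  # chain and hostname verification on
    qid = secrets.randbelow(1 << 16)
    with socket.create_connection((address, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_hostname) as tls:
            tls.sendall(dot_frame(build_query(name, qid)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            rid, rcode, ancount = parse_header(recv_exact(tls, length))
            if rid != qid:
                raise ValueError("response ID does not match query")
            return tls.version(), rcode, ancount

if __name__ == "__main__":
    # Placeholder hostname exactly as elided in the post; use your own.
    print(query_dot("45.90.28.0", "exxxxx.dns1.nextdns.io"))
```

A certificate that does not match the TLS hostname makes `wrap_socket` raise `ssl.SSLCertVerificationError` before any query is sent, which is the protection the hostname field provides over entering the IP address alone.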
 
Are you using the NextDNS CLI client (as you mention you 'installed NextDNS')? If so, the only thing that matters (in the screenshot you posted) are your WAN DNS servers, the rest of your settings will be ignored as soon as the NextDNS CLI client is active.

Yes I installed NextDNS through SSH with the description from here: nextDns AsuswrtMerlin

How can I verify if I am using DNS over TLS ? Cloudflare has a website for that if I would be using their DNS. Is there something similar with NextDNS ?

How can I know if I am using DNS Over TLS or DNS over HTTPS ?
 
To use your personal NextDNS servers with DoT
(Manually enter on Address and TLS Hostname and add it with +)
Server1:
Address: 45.90.28.0 TLS Hostname: exxxxx.dns1.nextdns.io
Server2:
Address: 45.90.30.0 TLS Hostname: exxxxx.dns2.nextdns.io
(Your TLS Hostname can be found under router guides/stubby on https://my.nextdns.io/)
This should do it ;)
thanks, perfect
 
How can I verify if I am using DNS over TLS ? Cloudflare has a website for that if I would be using their DNS. Is there something similar with NextDNS ?

How can I know if I am using DNS Over TLS or DNS over HTTPS ?

Just browse to https://test.nextdns.io and you will see info about your connection. Should be "DOH" if you are using the CLI today.

Another good address is https://ping.nextdns.io to see what servers are selected and their latency.
 
Yes I installed NextDNS through SSH with the description from here: nextDns AsuswrtMerlin

How can I verify if I am using DNS over TLS ? Cloudflare has a website for that if I would be using their DNS. Is there something similar with NextDNS ?

How can I know if I am using DNS Over TLS or DNS over HTTPS ?
You cannot use the NextDNS cli and DNS over TLS in router gui at the same time.
If you want to test NextDNS with DoT, first uninstall the NextDNS cli.
 
You can also see how things are being connected, once you log into your NextDNS account, under the logs tab. Have been running DoT almost a month now (through unbound).
 
You can also see how things are being connected, once you log into your NextDNS account, under the logs tab. Have been running DoT almost a month now (through unbound).
Yes you are right I missed that. It is on hovering over the keylock icon in the logs tab.

 
Just browse to https://test.nextdns.io and you will see info about your connection. Should be "DOH" if you are using the CLI today.

Another good address is https://ping.nextdns.io to see what servers are selected and their latency.
Ok this is nice to know. Yes, I am using the DOH protocol now. Hope that soon we can choose from the CLI which protocol to run.
 
You cannot use the NextDNS cli and DNS over TLS in router gui at the same time.
If you want to test NextDNS with DoT, first uninstall the NextDNS cli.
I was looking at the CLI Options (Nextdns Config). Unfortunately there is no option for switching to DOT instead of DOH. Hope this will be added soon.

What does the option hardened-privacy mean ?

 
Also forgot to ask, what is in your opinion better, the NextDNS CLI or the Native Merlin settings ? I mean I could uninstall NextDNS CLI and use the Merlin Settings.
 
What does the option hardened-privacy mean ?

That has been deprecated in the meantime. Instead you can now select on the website in which country and for how long you want your logfiles to be stored. It's on the Settings page, last tab.
 
Also forgot to ask, what is in your opinion better, the NextDNS CLI or the Native Merlin settings ? I mean I could uninstall NextDNS CLI and use the Merlin Settings.

I'm using the CLI Client from when I started using NextDNS. It's regularly updated and it works stable and flawless. I don't have any experience with setting it up manually in the WebUI, and DoH fits my needs, so I see no reason to switch to DoT. Also I'm not sure whether the other solutions (Asuswrt-Merlin WAN DNS config, dnscrypt and maybe others) also communicate local client names back to NextDNS and I prefer to see activity per client.
 
Also forgot to ask, what is in your opinion better, the NextDNS CLI or the Native Merlin settings ? I mean I could uninstall NextDNS CLI and use the Merlin Settings.
I have always used the CLI on the router to get local DNS-caching (performance/redundancy), reporting of device-names on my LAN and some other options to tweak settings like TTL and multiple profiles. Soon the CLI will also support DoQ and HTTP/3, so for full functionality I would recommend using the CLI on your router. On my mobile devices I have the NextDNS app pointing to my config, so I have the same logging/filtering/privacy/protection when on the go.

Can't say what's best for your needs, but this setup works great for me... :)
 
iJorgen (or others) - I am running NextDNS as a daemon/CLI. However, I am unable to enter the commands to use multiple profiles. I tried to pipe the config lines at CLI, but I keep getting errors. What's the proper syntax at the shell prompt for when I want to pin a MAC address to a specific NextDNS configuration profile?
 
iJorgen (or others) - I am running NextDNS as a daemon/CLI. However, I am unable to enter the commands to use multiple profiles. I tried to pipe the config lines at CLI, but I keep getting errors. What's the proper syntax at the shell prompt for when I want to pin a MAC address to a specific NextDNS configuration profile?

It's explained in the wiki. Just skip sudo shown in the example in the page I linked below, the rest seems clear (I don't use it myself):

Code:
nextdns config set \
    -config 10.0.4.0/24=12345 \
    -config 00:1c:42:2e:60:4a=67890 \
    -config abcdef
nextdns restart

Source: https://github.com/nextdns/nextdns/wiki/Conditional-Configuration
 