NextDNS behind CGNAT does weird things


ithryn
I have a niche problem and I'm not sure where to ask. I am happily using T-Mobile home internet. (Great speeds, cheap, only other option in my area is satellite.) However, I'm behind CGNAT and have no stable/discoverable IP4 address. I am also unable to customize DNS servers on the T-Mo 5G gateway. I have a paid NextDNS account with custom adblockers and content filters that I'd love to use.

When I connect devices to NextDNS (through their app or via DoH) I get "This device is using NextDNS, but with another configuration." In other words it can find the stock NextDNS resolvers, but does not use my personal account and filters.

I have an ASUS RT-88CU lying around, which is running Merlin. It connects to the T-Mo internet and creates its own subnetwork just fine, and I can set my custom NextDNS addresses in Merlin. However, this results in the weird effect of NextDNS flipping back and forth between the green "All good! This device is using your custom config" and the red "This device is using NextDNS in another configuration" - I can watch it flip every 2-3 seconds. All I figure is that NextDNS is "finding" me behind the CGNAT and then "losing" me and then "finding" me again.

What would you do in this case?

Currently I have a WireGuard VPN (Tailscale) which can connect all my devices, punching through the CGNAT with no problem. What if I set up a DigitalOcean VPS as an exit node on WireGuard? Then point the ASUS router at the exit node VPS. Then point the exit node VPS to NextDNS as its DNS resolver. Is that an efficient solution, or is there something better?

Only thing I don't like is the idea of home internet traffic going through Tailscale going through the VPS going through NextDNS...lots of parts to break. Any advice is appreciated!
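An added illustration from the editor, not part of any post in this thread: the green/red banner the original poster describes comes down to how NextDNS decides which profile a query belongs to. Queries sent to the shared IPv4 resolver addresses over plain port 53 can only be tied to a profile by the source address NextDNS sees (its "linked IP" feature), and behind 464XLAT or CGNAT that address is shared with other customers and changes, which is exactly the situation in which source-IP identity is unreliable. The per-profile DoH endpoint NextDNS publishes, https://dns.nextdns.io/<profile-id>, carries the profile ID in the URL path instead, so attribution no longer depends on the source address. The Python below builds such an RFC 8484 GET request and decodes it back to show what the resolver actually receives. The profile ID abc123 is a hypothetical placeholder for the ID shown in the NextDNS dashboard; the www.example.com query reproduces the worked example in RFC 8484 section 4.1.1, so the encoded value can be checked against the RFC.

```python
"""Build and decode an RFC 8484 DNS-over-HTTPS GET request for a per-profile
NextDNS endpoint.  Stand-alone example: no network access, no padding in the
dns= parameter, query ID fixed to 0 as RFC 8484 section 4.1 recommends."""
import base64
import struct

# Hypothetical profile ID standing in for the one in the NextDNS dashboard.
PROFILE_ID = "abc123"

# NextDNS per-profile DoH base URL; the profile ID is appended as the path.
DOH_BASE = "https://dns.nextdns.io/"

QTYPES = {"A": 1, "TXT": 16, "AAAA": 28}
FLAG_RD = 0x0100  # Recursion Desired, the only flag set in a stub query


def encode_qname(name: str) -> bytes:
    """Encode a domain name as DNS wire-format labels (RFC 1035 section 3.1)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}: labels are 1..63 bytes")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminates the name
    return bytes(out)


def build_query(name: str, qtype: str = "A") -> bytes:
    """Return a wire-format DNS query: 12-byte header plus one question."""
    # ID=0, flags=RD, QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", 0, FLAG_RD, 1, 0, 0, 0)
    question = encode_qname(name) + struct.pack("!HH", QTYPES[qtype], 1)  # IN class
    return header + question


def doh_get_url(name: str, qtype: str = "A", profile_id: str = PROFILE_ID) -> str:
    """Wrap the query as an RFC 8484 GET URL on the profile's endpoint.

    The profile ID travels in the URL path, so the resolver never has to
    infer it from the (shared, changing) source address of the client."""
    wire = build_query(name, qtype)
    # RFC 8484 section 6: base64url, padding stripped
    dns = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{DOH_BASE}{profile_id}?dns={dns}"


def decode_qname(msg: bytes, offset: int) -> tuple:
    """Read uncompressed labels starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_doh_url(url: str) -> dict:
    """Decode a DoH GET URL back into profile, qname, qtype and RD flag.

    This is the resolver's view: everything it needs to pick the profile is
    in the request itself."""
    path, _, query = url.partition("?")
    if not path.startswith(DOH_BASE):
        raise ValueError("not a NextDNS DoH URL")
    profile = path[len(DOH_BASE):]
    params = dict(p.split("=", 1) for p in query.split("&"))
    dns = params["dns"]
    dns += "=" * (-len(dns) % 4)  # restore padding for the decoder
    wire = base64.urlsafe_b64decode(dns)
    _id, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    qname, offset = decode_qname(wire, 12)
    qtype, _qclass = struct.unpack("!HH", wire[offset:offset + 4])
    return {"profile": profile, "qname": qname, "qtype": qtype,
            "rd": bool(flags & FLAG_RD)}


if __name__ == "__main__":
    url = doh_get_url("www.example.com", "A")
    print(url)
    print(parse_doh_url(url))
```

Compare this with the plain-DNS case: a UDP query to the shared resolver address carries no profile ID at all, so the only thing NextDNS can key on is the IPv4 address it receives the packet from, which is why the dashboard alternates between "your custom config" and "another configuration" as the shared egress address comes and goes.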
 
T-Mobile home internet. (Great speeds, cheap, only other option in my area is satellite.) However, I'm behind CGNAT and have no stable/discoverable IP4 address.

TMHI is not CGNAT - it looks like it, but it is a different mechanism altogether (464XLAT) - so IPv4 definitely takes a back seat to IPv6 traffic...

As @ColinTaylor mentions - talk to NextDNS, and be clear with them that your broadband pipe is TMHI...
 
Contact NextDNS support, that's what you're paying them for.
Turns out NextDNS only has community support. Email support is for business accounts.

I posted to NextDNS community support forums, we'll see I guess. Maybe I should try a pihole instead?

Edit: just for the sake of anyone finding this thread, I realized my ASUS router (AC-88U) offers DNS filtering built-in from OpenDNS, Cleanbrowsing, Komodo etc. It's actually working over my T-Mobile internet. So that's a good measure for now until I figure this out.
 
What did you end up doing? I just got TMHI, ASUS router is stable again, and I'm debating ad blocking solutions. I paid for NextDNS and used it on the router for a while, though I'm not thrilled with the product as a whole. I've also used Adguard Home and now trying that on the router. Problem is, it doesn't work well with identifying IPv6 clients. I'd prefer not to install mobile configs on devices, but seems like that's the only route to be able to ID my kid's devices.
 