NextDNS Installer


SomeWhereOverTheRainBow

Very Senior Member
Interesting benchmark, but it does only measure the difference between two block modes. As you mentioned, it does not measure the impact of DNS filtering, would it be local or remote.

The latency to our servers would be the major factor impacting the performance. As most DNS queries are performed in parallel, the performance to your DNS resolver, with local or remote filtering, will have the biggest impact on performance. What you don’t want, is filtering slowing down your DNS query latency. That is why with carefully select the blocklists we propose and avoid impossible to optimize matching methods like regex.
Regex is a powerful and effective way of blocking, but can also be too powerful as it can block false positives easily as well, but it cuts down on the need for massive block lists as well. So there are pros and cons.
 

Olivier Poitrey

Regular Contributor
Regex is a powerful and effective way of blocking, but can also be too powerful as it can block false positives easily as well, but it cuts down on the need for massive block lists as well. So there are pros and cons.
You can optimize a multi million entries static blocklist much much better than one with a few hundreds regex. I see mostly cons if you ask me :)
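A worked illustration of the static-list-versus-regex point made above, added here as example code (it is not NextDNS's own implementation): the same blocklist is held once as a hash set matched by domain suffix, and once as a single alternation regex, so the lookup cost difference can be measured directly. Entry and query names are constructed for the example.

```python
import re
import time

# Constructed sample entries (not taken from the thread).
SAMPLE_BLOCKLIST = ["ads.example", "Tracker.Example.net", "telemetry.example.org."]

def normalize(name):
    """Lowercase and strip the trailing dot so 'ADS.EXAMPLE.' == 'ads.example'."""
    return name.rstrip(".").lower()

class SuffixBlocklist:
    """Static list held in a hash set. A query is blocked when it equals an
    entry or is a subdomain of one, so lookup cost depends on the number of
    labels in the query, not on the size of the list."""
    def __init__(self, entries):
        self.entries = {normalize(e) for e in entries}

    def is_blocked(self, qname):
        labels = normalize(qname).split(".")
        # Walk every parent suffix: a.b.c -> a.b.c, b.c, c
        return any(".".join(labels[i:]) in self.entries for i in range(len(labels)))

class RegexBlocklist:
    """The same list as one alternation regex. The engine tries the branches
    for every query, so cost grows with the size of the list."""
    def __init__(self, entries):
        alternation = "|".join(re.escape(normalize(e)) for e in entries)
        self.pattern = re.compile(r"(?:^|\.)(?:" + alternation + r")$")

    def is_blocked(self, qname):
        return self.pattern.search(normalize(qname)) is not None

def synthetic_entries(n):
    """Generate n distinct blocklist domains for timing, e.g. 'd123.example'."""
    return [f"d{i}.example" for i in range(n)]

def time_lookups(matcher, queries, rounds=3):
    """Seconds spent running every query through the matcher `rounds` times."""
    start = time.perf_counter()
    for _ in range(rounds):
        for q in queries:
            matcher.is_blocked(q)
    return time.perf_counter() - start

if __name__ == "__main__":
    entries = synthetic_entries(5000)
    queries = ["cdn.d4999.example", "www.notblocked.example", "d5.example."] * 50
    for cls in (SuffixBlocklist, RegexBlocklist):
        secs = time_lookups(cls(entries), queries)
        print(f"{cls.__name__:16s} {secs:.3f}s for {len(queries) * 3} lookups")
```

Both matchers give identical answers; only the regex version slows down as the list grows, which is the latency cost the post is warning about.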
 

gattaca

Senior Member
.. Keep in mind that some of those Asus routers have limited compute capacity. One could argue that doing all the matching on router can slow down the overall performance of the router and impact even non DNS traffic to a certain extent.

In general I don't recommend layering blocking services. While it can give the impression that it can catch more stuff, it quickly becomes very hard to debug false positives. Logging becomes inconsistent and you have to manage whitelisting in two places.

... DNS with browser extension (like uBlock Origin) is an interesting combo. DNS based blocking will protect every app & device on your network while the browser extension can catch and hide more varieties of ads but will only work in the browser.
a) Yes, absolutely. There's only so much CPU in these routers to process frames, I/O etc.. That's why I turn most of the "fluff" off and only use AMTM tooling now.
b) Yes, I agree that is a negative. I still consider it part of the overall security onion.
c) Yes, that's a 3rd layer but everyone in my household won't use uBlock.

FWIW, Gut says Diversion is doing a pretty good job b/c if I have everything setup right, this is all that's getting through to NextDNS.

NOTE: These are the DEFAULT NEXTDNS settings without adding any other Privacy lists.

However, the attractiveness of your services is I could use it as a good alternative for non-ASUS routers. When my MIL calls complaining that she cannot get somewhere... then hopping into NextDNS can fix that easily.

BTW, what happened to the "Advanced Settings" where the filtering was broken out a lot more than I see now. I think it was on the "Security" tab.

upload_2020-2-21_13-26-58.png
 

Olivier Poitrey

Regular Contributor
a) Yes, absolutely. There's only so much CPU in these routers to process frames, I/O etc.. That's why I turn most of the "fluff" off and only use AMTM tooling now.
b) Yes, I agree that is a negative. I still consider it part of the overall security onion.
c) Yes, that's a 3rd layer but everyone in my household won't use uBlock.

FWIW, Gut says Diversion is doing a pretty good job b/c if I have everything setup right, this is all that's getting through to NextDNS.

However, the attractiveness of your services is I could use it as a good alternative for non-ASUS routers. When my MIL calls complaining that she cannot get somewhere... then hopping into NextDNS can fix that easily.

View attachment 21535
Looks like your blocklist settings are very well aligned between the two systems.

The other advantage is that you can keep the same setup while outside of your network.
 

gattaca

Senior Member
^^ Yeap.. without having to use VPN. No way the family would use a VPN... So YES Absolutely!!

BTW, what happened to the "Advanced Settings" where the filtering was broken out a lot more than I see today. I think it was on the "Security" tab. Thanks.

Ah.. Found'm. You guys relocated to "Privacy > Block Lists" Each entry has to be "Added" vs turning them On/Off like earlier.
 

XIII

Very Senior Member
Can anyone else check whether hosts from /etc/ hosts.dnsmasq are resolved?

(space should not be in filename, but I get blocked on this forum if I remove it?)

@Olivier Poitrey added this some time ago, but it does not seem to work anymore (for me) in 1.4.33... :(
 

XIII

Very Senior Member
Can anyone else check whether hosts from /etc/ hosts.dnsmasq are resolved?
Oh wait, that's maybe because I have been told to use WAN DNS for the router itself? (i.e. not the NextDNS CLI client)

But shouldn't the router then still be able to resolve entries from hosts.dnsmasq?

EDIT: Oh, I would need to enable "Wan: Use local caching DNS server as system resolver (default: No)" for that?
 

dave14305

Part of the Furniture
Oh wait, that's maybe because I have been told to use WAN DNS for the router itself? (i.e. not the NextDNS CLI client)

But shouldn't the router then still be able to resolve entries from hosts.dnsmasq?
hosts.dnsmasq is a function of dnsmasq, so if you have the local caching resolver option set to No (as usually recommended), the router won't be able to resolve local names since it would not use dnsmasq.
 

ShelaMonster

Occasional Visitor
hosts.dnsmasq is a function of dnsmasq, so if you have the local caching resolver option set to No (as usually recommended), the router won't be able to resolve local names since it would not use dnsmasq.
upload_2020-2-24_17-28-56.png

So would this be correct?
Currently set to using these settings:
upload_2020-2-24_17-29-36.png


But for some reason NextDNS is only wanting to report the device name from the device itself, rather than the "custom" names set in the Router client table.

Should I remove NextDNS and re-add it?
I changed the "use local caching" option to -YES- after installing the NextDNS router client.
 

dave14305

Part of the Furniture
View attachment 21598
So would this be correct?
Currently set to using these settings:
View attachment 21599

But for some reason NextDNS is only wanting to report the device name from the device itself, rather than the "custom" names set in the Router client table.

Should I remove NextDNS and re-add it?
I changed the "use local caching" option to -YES- after installing the NextDNS router client.
Are you adding these custom names in the DHCP tab? It won’t detect custom names set in the client list from Network Map.
 

ShelaMonster

Occasional Visitor
Are you adding these custom names in the DHCP tab? It won’t detect custom names set in the client list from Network Map.
Yes, otherwise my SmartTVs get bogus names like this:
upload_2020-2-24_21-40-3.png


If custom naming doesn't work, I'll disable device reporting and swap back to not use the local caching.
I'm a stickler for naming of devices, especially if they don't support naming on the device itself.
 

iJorgen

Occasional Visitor
View attachment 21598
But for some reason NextDNS is only wanting to report the device name from the device itself, rather than the "custom" names set in the Router client table.
Same issue here on my AC86U. It ignores the friendly names I have given to each device. Not a major issue but would be nice to have it perfect :)

One error still shows at startup, but the others are gone now

Code:
May  5 05:05:22 nextdns[1127]: Activate: activate: 127.0.0.1:53: no address found
 

Olivier Poitrey

Regular Contributor
Same issue here on my AC86U. It ignores the friendly names I have given to each device. Not a major issue but would be nice to have it perfect :)

One error still shows at startup, but the others are gone now

Code:
May  5 05:05:22 nextdns[1127]: Activate: activate: 127.0.0.1:53: no address found
Can you please open an issue on github regarding this issue, so I don’t forget to take a look?
 

kannanni

Occasional Visitor
Hi,

I managed to install nextdns on my ac68u and to get it running on default settings, tested a few websites from one of my devices and it is filtering ads etc.
Want to make sure I've got the rest of the settings ok: My dns settings on the router are:
1.jpg


nextdns website is detecting traffic using their dns with my profile id, also did a dns leak test and it came up with the correct nextdns numbers.
syslog is now clear of the previous unlimited rebinding attacks when in DoT mode.

Please let me know if I have forgotten to set anything important
 

dave14305

Part of the Furniture
Hi,

I managed to install nextdns on my ac68u and to get it running on default settings, tested a few websites from one of my devices and it is filtering ads etc.
Want to make sure I've got the rest of the settings ok: My dns settings on the router are:
View attachment 21650

nextdns website is detecting traffic using their dns with my profile id, also did a dns leak test and it came up with the correct nextdns numbers.
syslog is now clear of the previous unlimited rebinding attacks when in DoT mode.

Please let me know if I have forgotten to set anything important
You will be fine with those settings. The nextdns application will temporarily disable the DNS rebind and DNSSEC settings when it starts. Leave them enabled in the GUI so that if you stop nextdns or it fails for any reason, you will fall back to your WAN DNS settings and still have those protections enabled through dnsmasq.
 

Reny

New Around Here
Hello guys,

I just installed NextDNS on my AC68U router without problems. :)

I have a question: considering NextDNS is up and running on my router, will all DNS queries be over HTTPS or TLS?

Thanks
 
