DNS Forwarding using DNS over TLS


Are there any plans to allow a DNS over TLS endpoint using a URL?

For example, I’d like to use NextDNS profiles with DoT but the ‘name-server’ option in VyOS only allows an IP address and port 853

In order for it to work with NextDNS the name-server would need to accept my_profile_name.dns.nextdns.io without a port number

I agree that having DNS over TLS support baked into VyOS would be very nice.

On a side note, as you know, next to resolving, NextDNS offers a few perks (like per-device stats), for which you need the NextDNS daemon. That works beautifully.

Works like this:

root@gw:~# /bin/sh -c '/bin/sh -c "$(curl -sL https://nextdns.io/install)"'
INFO: OS: vyos
INFO: GOOS: linux
INFO: NEXTDNS_BIN: /usr/bin/nextdns
i) Install NextDNS
e) Exit
Choice (default=i): i
INFO: Installing NextDNS...
Get:1 https://repo.nextdns.io/deb stable InRelease [9,398 B]
Get:2 https://repo.nextdns.io/deb stable/main amd64 Packages [424 B]
Fetched 9,822 B in 1s (9,760 B/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 3,331 kB of archives.
After this operation, 8,589 kB of additional disk space will be used.
Get:1 https://repo.nextdns.io/deb stable/main amd64 nextdns amd64 1.37.3 [3,331 kB]
Fetched 3,331 kB in 1s (2,649 kB/s)
Selecting previously unselected package nextdns.
(Reading database ... 63698 files and directories currently installed.)
Preparing to unpack .../nextdns_1.37.3_amd64.deb ...
Unpacking nextdns (1.37.3) ...
Setting up nextdns (1.37.3) ...
NextDNS installed and started using systemd init
localepurge: Disk space freed in /usr/share/locale: 0 KiB
localepurge: Disk space freed in /usr/share/man: 0 KiB

Total disk space freed by localepurge: 0 KiB

NextDNS Configuration ID: xxxxxx (get it from portal)

Sending your devices name lets you filter analytics and logs by device.
Report device name? [Y|n]: Y
Accept DNS request from other network hosts.
Setup as a router? (y/n): y
Make nextdns CLI cache responses. This improves latency and reduces the amount
of queries sent to NextDNS.
Enable caching? (y/n): y
Instant refresh will force low TTL on responses sent to clients so they rely
on CLI DNS cache. This will allow changes on your NextDNS config to be applied
on you LAN hosts without having to wait for their cache to expire.
Enable instant refresh? (y/n): y
Changes DNS settings of the host automatically when nextdns is started.
If you say no here, you will have to manually configure DNS to
Automatically setup local host DNS? [Y|n]: y
NextDNS installed and started using systemd init

Congratulations! NextDNS is now installed.

Looks like I’ll need to remove the DoT entry I currently have in place if I go this route. Per device reporting is very intriguing

I’ll try it over the weekend

try mosdns, it is opensource and has better performance.


The install command doesn’t work in operational or configuration mode. No errors are reported; it just returns to the command line. I also tried adding DEBUG=1 with the same result.

/bin/sh -c '/bin/sh -c "$(curl -sL https://nextdns.io/install)"'

Version: VyOS 1.5-rolling-202311160736
Release train: current

Built by: autobuild@vyos.net
Built on: Thu 16 Nov 2023 08:52 UTC

Hmm, strange. No troubles here with that exact command on a stock install of 1.5-rolling-202311300023. The script does the sudo work itself, so you can run it as a non-privileged user.

Doublecheck: can you access other https URLs without troubles? (Rule out firewall, DNS, NAT issues.)

I removed the ‘s’ from the curl command and the error is
curl (6) could not resolve host nextdns.io

I’m a little confused because this works from the router
nslookup google.com

This does not
dig google.com
communications error to ::1:53 connection refused
communications error to connection refused
no servers could be reached

It might be better to install the docker variant of nextdns since installing stuff directly on the router is bad practice. VyOS supports running containers out of the box. See: Container — VyOS 1.5.x (circinus) documentation

Pihole might be a nicer ‘free’ alternative… but, pick your poison.


@Surcharge1623 Did you set a nameserver for the system itself, using for example set system name-server? Then commit and repeat the NextDNS install command. You can check which resolvers are set by issuing cat /etc/resolv.conf.

On the container topic: I generally agree that installing 3rd party software directly onto the router is bad practice. However, the NextDNS daemon is nicely systemd enabled, runs only the DNS daemon and CLI tools, and a config file is created in /etc. No firewall rules are changed and no other changes are made. A big downside to the direct install approach is you don’t keep the NextDNS config and daemon/tools on upgrade. So maybe that’s a good reason to run it in a container anyway.

Good luck.

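The two failure modes in this thread (an empty /etc/resolv.conf that makes dig fall back to ::1:53, and an installer fetched with curl and piped straight into sh so it cannot be inspected before it runs) can both be caught with a small preflight script. The following is an added example, not code from the thread, from VyOS or from NextDNS; it assumes only POSIX sh, awk and curl, and the installer URL and file paths are parameters you supply. The sample resolv.conf it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: preflight checks before running a remote install script
# on a router. Not part of VyOS or the NextDNS installer.

# Print the nameserver addresses listed in a resolv.conf-style file.
# Lines whose first field is not "nameserver" (comments, search, options)
# are ignored.
resolvers_from_conf() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Return 0 if at least one nameserver is configured, 1 otherwise.
# "connection refused" from ::1:53 in dig, as seen in the thread, is the
# usual symptom of an empty resolver list: dig falls back to localhost.
has_resolver() {
    [ -n "$(resolvers_from_conf "$1")" ]
}

# Return 0 if the file is non-empty and starts with a shebang line, i.e.
# plausibly a shell script rather than an HTML error page or an empty body.
looks_like_shell_script() {
    [ -s "$1" ] || return 1
    read -r first_line < "$1" || return 1
    case "$first_line" in
        '#!'*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Download an installer to a file and validate it, instead of piping curl
# into sh. The file is left on disk for review; running it is a separate,
# deliberate step. $1 = URL, $2 = destination path.
fetch_installer() {
    curl -fsSL -o "$2" "$1" || { echo "download of $1 failed" >&2; return 1; }
    looks_like_shell_script "$2" || { echo "$2 does not look like a shell script" >&2; return 1; }
    echo "saved $2; review it, then run: sh $2"
}

# Full preflight: refuse to fetch anything while the host has no resolver.
# $1 = resolv.conf path, $2 = installer URL, $3 = destination path.
preflight() {
    if ! has_resolver "$1"; then
        echo "no nameserver in $1; set one (e.g. set system name-server ...) and commit first" >&2
        return 1
    fi
    fetch_installer "$2" "$3"
}

# Offline demonstration with a constructed resolv.conf (not a real router file).
sample_conf=$(mktemp)
printf 'search lan\n# comment line\nnameserver 9.9.9.9\nnameserver 2620:fe::fe\n' > "$sample_conf"
resolvers_from_conf "$sample_conf"
rm -f "$sample_conf"
```

Typical use on the router would be `preflight /etc/resolv.conf https://nextdns.io/install /tmp/nextdns-install.sh`, after which the saved script can be read before being executed. Keeping the download and the execution as separate steps is what makes the inspection possible; the resolver check in front of it avoids the silent failure reported above.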

@roedie I looked at the container list and most of the containers are years old except for one that was updated yesterday. It is configured to get around the China Great Firewall. I think I’ll pass that one :wink:

@marc_s I was missing the system DNS name-servers; once I added them, the dig command worked perfectly.

I can see the individual devices making the DNS requests now. Up until now, I’ve been interrogating my wife and kids like a TV show detective whenever I saw anything questionable in the NextDNS logs. You’ve helped protect the innocent in my household. Thanks @marc_s!


You could also run the latest version of AdGuard in a container and use NextDNS over TLS. Check out the instructions, since you get a host of other features like adblock, individual device bypass, etc.



And an AdGuard container in combination with the free, uncensored https://www.quad9.net/
offers you DNSCrypt, DNS-over-HTTPS or TLS.
