Posted: Wed Feb 08, 2023 4:16 Post subject: Force IPV6 DNS server, disable (or block) IPV4 DNS
As the subject goes... is it possible, reasonable, or wise to force DNS requests via IPV6 to NextDNS?
I'm behind CGNAT so it's virtually impossible to use their "link IP" method like I used to use (before CGNAT), but they do have other options (DoT, DoH, or IPV6) as a work-around solution which don't require linking your IPV4 IP. I see in other posts that dd-wrt will not support DoT and DoH so that seems to leave me with one hope/option of using IPV6.
It seems like turning on IPV4 AND IPV6 is easy, but it seems like both will be running together instead of forcing DNS via IPV6, right? If they work together, then I assume most DNS will bypass NextDNS... so can I force IPV6 DNS?
and then you can put as many IPv4 and IPv6 DNS servers as you want. Usually DNS6 servers have low latency...
Back in the day I said that every router has DNS6 fields along with DNS4 fields... but he was not willing to put DNS6 on the setup page...
I tried the setup per the snap shot... but my nextdns profile hostname (static) seems to change IPs rather quickly... so the IP you define in the additional options isn't static in the same way 1.1.1.1 is very static....
Joined: 24 Feb 2013 Posts: 1634 Location: Belgrade
Posted: Thu Feb 09, 2023 9:50 Post subject:
hatcreek68 wrote:
I tried the setup per the snap shot... but my nextdns profile hostname (static) seems to change IPs rather quickly... so the IP you define in the additional options isn't static in the same way 1.1.1.1 is very static....
So... I'm confused and at a loss here.
but you must add the ID to dnsmasq so that NextDNS knows what it should block... it works as a proxy...
Thanks for being patient with me here... so as one solution to my issue... can I ask (beg) for support for DoT / nextDNS setup... it's still not working so it must not be clear to me, or not set up correctly yet.
- I see this format for DoT... URL pg 17 ... server-tls 9.9.9.9:853 -host-name: dns.quad9.net (and using Use Additional Servers Only, ENABLE)
So for DoT I should just put:
server-tls 45.90.xx.xx:853 -host-name: 25xxx.dns.nextdns.io
(I'm just putting my nextdns IPv4 server as a guess here...?) and then my hostname?
↑ Except I tried this... and it either broke DNS totally and could only ping by IP, or still gave the error "using nextDNS with no profile"; away from home, just recall it didn't work.
IPv6... I tried NO ipv4 DNS settings, and only my nextDNS IPv6 DNS under basic setup / ipv6... but this failed, and in testing, I can't ping ipv6 addresses in ANY configuration (even when WAN is working) so I gave up on IPv6 for now.
I'm also wondering if maybe I'm just running too new of a version for my R6700 router... am I just hitting bugs and not config issues?
Oh man - I've never noticed there is a router tab to click on in nextDNS and it gives you this format, plus your ID as the last line as you said later. I'll try this when I get home as (I hope) the easiest way to close out this problem... and get nextDNS working like it used to already be working...
Still a thorn in my side that I can't figure out DoH/DoT setup, but having it work with any solution is better than broken.
I found settings that work... see snapshots
---
But since the network demons never let you rest... new issues.
ISP 1: CGNAT, dynamic IP: settings per snapshot are working. But of course, this gateway is now deactivated since I was in the middle of upgrading to business service (same Co., new gateway/modem), but I got to play with both for a while and saw that when I just switch the upstream gateway... one worked, one did not.
ISP 2: CGNAT, static IP "business internet"; exact same settings per snapshot DO NOT WORK and apparently the gateway is able to override my DNS, and override "ignore WAN DNS"... and force me to ISP/openDNS server which breaks nextDNS
---
So... new post or new question.... how to actually ignore ISP DNS? when the setting isn't enough? Or did ISP 1 just work by accident and I have something mis-configured still?
Posted: Fri Feb 10, 2023 7:00 Post subject:
it should work no matter if you are behind CGNAT... it is not important if your IP changes (static or dynamic) because you are identified with your ID, which is the same all the time for the profile (you can have multiple profiles on the same account). SmartDNS DOH/DOT with nextdns servers worked for me just fine on ddwrt...
but I suggest you try the NextDNS CLI; just during setup, when the setup wizard asks you "do you want to use nextdns for cache", choose NO...
it will choose the best low-latency DNS6 and works just like a charm...
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Fri Feb 10, 2023 7:16 Post subject:
On the Setup page MTU is set to manual, which is very uncommon; maybe you need that, but usually Automatic will work.
Shortcut Forwarding Engine is SFE; a better choice usually is CTF and FA for Flow acceleration.
Local DNS is set to 127.0.0.1, also very uncommon; usually the default 0.0.0.0 is the right choice for routers in Gateway mode. This actually means that DNSMasq will query itself as upstream resolver and thus creates a loop.
Static DNS 1, 2 and 3 are empty and Ignore DNS WAN is enabled so there are actually no upstream resolvers.
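The two misconfigurations EGC lists above (Local DNS pointing at the router itself, and Ignore WAN DNS with no static upstream) plus the DoT line format quoted earlier in the thread, checked by a small lint. This is an added example, not code from the forum, dd-wrt or NextDNS; the field names are a constructed stand-in for the Setup page labels, not real nvram variable names.

```python
"""Lint of Setup-page resolver fields for the mistakes raised in this thread.

Added example; the keys below are a constructed representation of the
dd-wrt Setup page labels, NOT the router's real nvram variable names.
"""
import re

# Constructed sample mirroring what EGC found in the snapshot: loop + no upstream.
BROKEN = {
    "local_dns": "127.0.0.1",
    "static_dns1": "", "static_dns2": "", "static_dns3": "",
    "ignore_wan_dns": True,
    "additional_options": "",   # DNSMasq / SmartDNS "Additional Options" box
}
# Constructed corrected sample: default Local DNS and one plain-DNS upstream.
FIXED = dict(BROKEN, local_dns="0.0.0.0", static_dns1="9.9.9.9")

# "server-tls IP:PORT -host-name NAME"; the colon after -host-name is accepted
# because that is how the thread quotes the format from the docs PDF.
TLS_LINE = re.compile(r"^server-tls\s+(\S+?):(\d+)(\s+-host-name:?\s+(\S+))?\s*$")


def lint(settings):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    opts = [l.strip() for l in settings["additional_options"].splitlines() if l.strip()]

    # 1. Local DNS = 127.0.0.1: DNSMasq forwards to itself, which is a loop.
    if settings["local_dns"] == "127.0.0.1":
        findings.append("local_dns=127.0.0.1 makes DNSMasq its own upstream (loop); use 0.0.0.0")

    # 2. Is there any upstream at all? Static DNS fields, server lines in the
    #    options box, or the WAN-supplied resolvers when they are not ignored.
    static = [settings[k] for k in ("static_dns1", "static_dns2", "static_dns3") if settings[k]]
    extra = [o for o in opts if o.startswith(("server=", "server-tls", "server-https"))]
    if not static and not extra and settings["ignore_wan_dns"]:
        findings.append("Ignore WAN DNS is on and no static/additional upstream is set: no resolver")

    # 3. DoT lines must carry the TLS host name and use port 853.
    for o in opts:
        if o.startswith("server-tls"):
            m = TLS_LINE.match(o)
            if not m or not m.group(4):
                findings.append(f"DoT line lacks -host-name: {o}")
            elif m.group(2) != "853":
                findings.append(f"DoT line uses port {m.group(2)}, expected 853: {o}")
    return findings
```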
I returned to normal settings per EGC, turned off smartdns and dnsmasq add'l settings and just tried to get linked IP settings working, and they don't (even though they used to), which is mostly what started this whole thread.
Per the snap shot settings and trying various DNS servers as static dns 1 (1.1.1.1, 8.8.8.8, 9.9.9.9 and my nextDNS ipv4....) everything is getting redirected or trapped by T-mobile to use openDNS... (as reported by https://whoismydns.com/ and the nextdns setup page). The only successful change I can make is to force it to adguard public dns servers... I assume this works b/c adguard uses opendns.
So - if my ISP is locking to openDNS / blocking other DNS... something like DoH should be the answer? Setting this up can finally break through T-mobile network and get nextDNS to post as my DNS provider (same verification as above), but I can't get the settings right to actually link to my profile.