qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Feature request: Support NextDNS for DOT #2045

Open patrickhousley opened 7 months ago

patrickhousley commented 7 months ago

What's the feature 🧐

Can you add support for using NextDNS as a DOT provider?

https://my.nextdns.io/

Extra information and references

No response

patrickhousley commented 7 months ago

This is their Unbound setting for my DNS account.

Unbound
Use the following in unbound.conf:
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#[redacted].dns.nextdns.io
  forward-addr: 2a07:a8c0::#[redacted].dns.nextdns.io
  forward-addr: 45.90.30.0#[redacted].dns.nextdns.io
  forward-addr: 2a07:a8c1::#[redacted].dns.nextdns.io

The forward addresses are going to be unique to each person's account. The [redacted] part is the profile ID from the NextDNS account.

qdm12 commented 7 months ago

What's their DNS over HTTPS address as well?

All DNS work is paused until #1742 gets finished. This will move away from Unbound to do more fun things using my own Go code (and will resolve a lot of Gluetun issues). I can however look into incorporating nextdns into the list of providers at https://github.com/qdm12/dns/tree/v2.0.0-beta/pkg/provider but the minimum requirement is to have DNS over TLS + DNS over HTTPS for now.

patrickhousley commented 7 months ago

@qdm12 If you want to drop me an email at patrick<dot>f<dot>housley<at>protonmail<dot>com I will set you up with access to a pro service.

patrickhousley commented 7 months ago

[image attachment; content not recoverable]

aetha commented 2 months ago

I use NextDNS too and I figured I'd provide some more info.

They provide methods to label your devices by name in your personal account logs, rather than just by IP address. (I find this helpful to diagnose issues, and have Switzerland set as my storage location for privacy.)

Identify your devices

Follow the instructions below to identify your devices in Analytics and Logs.

DNS-over-TLS/QUIC

Prepend the name to the provided domain (the name should only contain a-z, A-Z, 0-9 and -). Use -- for spaces. For "John Router", you would use John--Router-XXXXXX.dns.nextdns.io as your DNS-over-TLS endpoint.

DNS-over-HTTPS

Append the name to the provided URL (the name should be URL encoded). For "John's Firefox", you would use https://dns.nextdns.io/XXXXXX/John's%20Firefox as your DNS-over-HTTPS endpoint.

Where 'XXXXXX' is the user's 6-digit hexadecimal profile identifier. These personal DoT domains seem to resolve to the same IP address as plain 'dns.nextdns.io', so I think the device/profile subdomain only needs to be used inside the TLS connection.

dns.nextdns.io is geolocation routed to a nearby endpoint. Their main servers are in the US and reside in their allocated block 45.90.28.0/22 (45.90.28.0 - 45.90.31.255). NextDNS's own DoH proxy daemon seems to connect first to a US server, then uses it to resolve to a closer endpoint. Log for example:

nextdns[13318]: Connected 45.90.30.0:443 (con=9ms tls=68ms, TCP, TLS13)
nextdns[13318]: Connected 103.137.14.21:443 (con=7ms tls=52ms, TCP, TLS13)
nextdns[13318]: Switching endpoint: https://dns.nextdns.io#103.137.14.21,67.219.103.157
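The endpoint rules aetha quotes above (device label prepended to the DoT name, device name URL-encoded into the DoH path) together with the Unbound stanza patrickhousley posted earlier, as an added Go example that is not part of gluetun or qdm12/dns. The profile ID "abc123" is a constructed sample; the hostname and URL shapes follow the quoted NextDNS instructions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

var profileIDRe = regexp.MustCompile(`^[0-9a-fA-F]{6}$`) // the 6-hex-char "XXXXXX" profile ID
var dotLabelRe = regexp.MustCompile(`^[A-Za-z0-9-]+$`)   // DoT label: a-z, A-Z, 0-9 and "-" only
// DoTHostname returns the DNS-over-TLS server name, e.g. "John--Router-abc123.dns.nextdns.io";
// an empty device name yields the profile-only form "abc123.dns.nextdns.io".
func DoTHostname(profileID, device string) (string, error) {
	if !profileIDRe.MatchString(profileID) {
		return "", errors.New("profile id must be 6 hex characters")
	}
	if device == "" {
		return profileID + ".dns.nextdns.io", nil
	}
	label := strings.ReplaceAll(device, " ", "--") // "--" stands for a space
	if !dotLabelRe.MatchString(label) {
		return "", fmt.Errorf("device %q: only a-z, A-Z, 0-9 and - are allowed", device)
	}
	return label + "-" + profileID + ".dns.nextdns.io", nil
}

// DoHURL returns the DNS-over-HTTPS URL with the device name as an escaped path segment.
// Go's PathEscape also encodes "'" as %27; it decodes to the same name as NextDNS's example.
func DoHURL(profileID, device string) (string, error) {
	if !profileIDRe.MatchString(profileID) {
		return "", errors.New("profile id must be 6 hex characters")
	}
	return "https://dns.nextdns.io/" + profileID + "/" + url.PathEscape(device), nil
}

// UnboundForwardZone renders the stanza from the thread: the anycast forward-addr IPs are
// fixed; only the TLS server name after "#", which Unbound authenticates, carries the profile.
func UnboundForwardZone(hostname string) string {
	var b strings.Builder
	b.WriteString("forward-zone:\n  name: \".\"\n  forward-tls-upstream: yes\n")
	for _, a := range []string{"45.90.28.0", "2a07:a8c0::", "45.90.30.0", "2a07:a8c1::"} {
		fmt.Fprintf(&b, "  forward-addr: %s#%s\n", a, hostname)
	}
	return b.String()
}

func main() {
	host, _ := DoTHostname("abc123", "John Router") // constructed sample profile ID
	fmt.Print(UnboundForwardZone(host))
}
```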