Realised I haven’t updated this in a long while (life happened).
A couple of weeks ago I started to play with NextDNS, and I really recommend it to anyone who is somewhat privacy minded and cares about what happens on their network.
I’ve set up several configs (home, parents, FlatTurtle TurtleBox (the NUCs controlling the screens)) and servers. Once it’s out of beta and better supported on Unifi and Ubiquiti hardware I might deploy it to our public WiFi networks too (well, most access points don’t look like that, but you get the point).
Looking at the logs was an eye-opener: you see exactly what goes through your network. You can play around and block (or whitelist) certain domains.
I figured out that my Devialet, for example, makes an insane number of requests to cache.radioline.fr. That domain has a 30s TTL. It shows that the majority of my DNS requests are actually automated pings and not in any way human traffic.
I’ve turned off dnsmasq (DNSMASQ_OPTS="-p0") and have NextDNS listen on :53 directly.
Note that every EdgeOS update seems to wipe out the NextDNS installation and requires a fresh install… Pain in the ass, and it doesn’t seem like that’s fixable.
This is my ERL NextDNS config:

    hardened-privacy false
    bogus-priv true
    log-queries false
    cache-size 10MB
    cache-max-age 0s
    report-client-info true
    timeout 5s
    listen :53
    use-hosts true
    setup-router false
    auto-activate true
    config 34xyz8
    detect-captive-portals false
    max-ttl 0s
All right, the next thing I noticed is that my Google Home devices are not sending any DNS requests to the ERL, which means the devices use hard-coded DNS servers.
I have a separate vlan (eth1.90) for Google Home (it includes my Android TV, OSMC, Nest Home Hub and all other GHome and Chromecast devices). For this vlan I set up a deflector to be able to cast and ping/ssh from my “main” network/vlan to the GHome vlan.
Using this guide I redirected all external DNS traffic to the ERL so I can monitor what’s happening. The important part was the following:
yeri@sg-erl# show service nat rule 4053
This allows you to “catch” all UDP and TCP connections to :53 and redirect them to the ERL DNS server (10.3.34.1). The GHome devices were acting a bit weird after committing the change, but a reboot of the device fixed it.
Note that you need to set this up per vlan. If you want to catch DNS requests for your Guest or IoT vlan, you’ll need to do the same.
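Since the output of the rule itself isn’t reproduced above, here is an added example (not the author’s actual rule) of how such a destination-NAT rule is written in EdgeOS. The rule number, inbound vlan interface and inside address come from the post; the description, the per-vlan copy for a guest vlan (rule 4054 on eth1.20) and the check commands are my assumptions.

```edgeos
# EdgeOS (ERL) destination NAT: redirect every plain-DNS request leaving the
# GHome vlan to the router's own resolver (NextDNS listening on :53).
configure

set service nat rule 4053 description 'GHome vlan: force DNS via ERL'
set service nat rule 4053 type destination
set service nat rule 4053 inbound-interface eth1.90      # vlan from the post
set service nat rule 4053 protocol tcp_udp               # DNS uses both
set service nat rule 4053 destination port 53
set service nat rule 4053 inside-address address 10.3.34.1
set service nat rule 4053 inside-address port 53

# Destination NAT matches on the inbound interface only, so every vlan whose
# devices you want to catch needs its own rule (assumed guest vlan eth1.20).
set service nat rule 4054 description 'Guest vlan: force DNS via ERL'
set service nat rule 4054 type destination
set service nat rule 4054 inbound-interface eth1.20
set service nat rule 4054 protocol tcp_udp
set service nat rule 4054 destination port 53
set service nat rule 4054 inside-address address 10.3.34.1
set service nat rule 4054 inside-address port 53

commit
save
exit

# Check that the rules are active and that hit counters grow when a device
# on the vlan resolves a name; the NextDNS log should then show the client.
show nat destination rules
show nat destination statistics
```

Only traffic to port 53 is caught: a device that speaks DNS over TLS (853) or DNS over HTTPS (443) to a hard-coded resolver will still bypass the ERL, so compare the per-device query counts in the NextDNS log with what you expect from each vlan.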