I’ve been trying to set up NextDNS on my Omnia and ran into an issue where NextDNS is unable to apply my custom DNS rules. NextDNS uses unique DoT hostnames to identify users’ configurations, but knot resolver does not seem to pass on the hostname at the start of the connection, and thus NextDNS does not identify my configuration. I believe this is because knot resolver does not support TLS Server Name Indication (SNI).
For those unfamiliar with NextDNS, it is essentially a cloud-hosted Pi-hole; it allows fine-grained control over DNS requests and can (optionally) log requests and provide analytics. To enable customization of DNS and ad-blocking rules, NextDNS gives each configuration a unique ID that is incorporated into the IPv6 address (“2a07:a8c0::unique-id”), DNS-over-HTTPS URL (“https://dns.nextdns.io/unique-id”) or DNS-over-TLS hostname (“unique-id.dns.nextdns.io”). When using DoT, NextDNS relies on SNI to identify which configuration to apply.
I would appreciate any suggestions on how I might get NextDNS to work either via DoT or DoH, preferably in a way that is somewhat compatible with TOS and unlikely to break with future TOS updates.
- I’m on TOS 4 stable
- The SNI issue is unique to DoT. I chose DoT because it is somewhat documented in the wiki.
- NextDNS should work fine with DoH, but I have not found a way to set up DoH on Omnia.
Steps to reproduce:
1. Per the resolver.conf README, create a 99_nextdns.conf in /etc/resolver/dns-servers with the following content:
   ipv6="2a07:a8c0::id redacted ea:af24 2a07:a8c1::id redacted"
2. Enable the new NextDNS entry as DNS Forwarder under the DNS tab in Foris.
3. Visit my NextDNS page and see the following message:
   "This device is using NextDNS with no configuration.
   Make sure you use the DNS-over-TLS endpoint shown below."