Running NextDNS Cli on FWB+

Comments

38 comments

  • Avatar
    Firewalla

    Shouldn't be an issue, make sure you read up on resetting the unit incase things blow up. 

    Also in 1.46, we have a new feature to define in your DoH server, see if it works for you or not.  https://help.firewalla.com/hc/en-us/articles/1500012331082

    0
    Comment actions Permalink
  • Avatar
    thobu

    well, what I wasn't able to get working was to tell FWB+ that the DNS server is on the same IP as the FWB+. What should go to the Custom DNS entry? 127.0.0.1 or the actual IP adress?

    0
    Comment actions Permalink
  • Avatar
    thobu

    Ok, I got this running. To summarize:

    1. I installed NextDNS Cli on FWB+
    2. deactivated DoH on Firewalla, also
    3. unchecked the DNS Booster for all devices on the FWB+
    4. Changed the DNS IP to the one of the FWB+ device

    Now, all DNS goes through NextDNS Cli… I think it's working. There's one thing though that I don't understand FWB+ seems to block certain DNS queries. I don't understand the consequences of this currently. See below





    0
    Comment actions Permalink
  • Avatar
    Firewalla

    The domains that "blocked" are actually "not found or invalid domains".  Example "fknmlpacc" is not a domain ...  more information here https://help.firewalla.com/hc/en-us/articles/1500007220942-Firewalla-Blocked-Flows

    Why is your device query these strange things ... you may want take a look

    0
    Comment actions Permalink
  • Avatar
    thobu

    looks like obfuscated dns queries, no?

    0
    Comment actions Permalink
  • Avatar
    thobu

    you can also run NextDNS Cli on a FWR

    0
    Comment actions Permalink
  • Avatar
    Joshbowen83

    I did this on Gold. 

    Launch a terminal and type "sudo su" 

    1. Create the folder post_main.d by using mkdir (mkdir /home/pi/.firewalla/config/post_main.d)

    2.Create a file called using nano... /home/pi/.firewalla/config/post_main.d/nextdns_init.sh

    3. paste the code below

    4. Save file with nano using Ctrl-X and y to save.

    5. chmod 755 /home/pi/.firewalla/config/post_main.d/nextdns_init.sh

    6. Run the script directly by typing the filename with filepath or reboot. Firewalla.

    The code to paste...

    #!/bin/bash

    sudo wget -qO /usr/share/keyrings/nextdns.gpg https://repo.nextdns.io/nextdns.gpg
    echo "deb [signed-by=/usr/share/keyrings/nextdns.gpg] https://repo.nextdns.io/deb stable main" | sudo tee /etc/apt/sources.list.d/nextdns.list
    sudo apt install apt-transport-https
    sudo apt update
    sudo apt install nextdns

    sudo systemctl stop firerouter_dns.service

    sudo nextdns install -config <config I'd> -report-client-info -setup-router

    sudo systemctl start nextdns.service

    sudo systemctl start firerouter_dns.service

    1
    Comment actions Permalink
  • Avatar
    Stuart Munro

    @josh i am having issues with this do i need to created the post_main.d folder as my directory stops at /home/pi/.firewalla/config/.

     

    do you have a sample config? i did use winscp also to confirm it was not there also besides cli, i used this when i ran opnsense... How-to: NextDNS + OPNsense Firewall - Derek Seaman's IT Blog this runs thru a shell command. can you share your sanitized nextdns_init.sh file please.

     

    0
    Comment actions Permalink
  • Avatar
    Joshbowen83

    @stuartmunro. You are absolutely right as I forgot to mention the directory needs to be created first. I update the instructions with that info.

    0
    Comment actions Permalink
  • Avatar
    Stuart Munro

    @josh was this the cli you used? Home · nextdns/nextdns Wiki · GitHub,  

    I do get an error "failed to start nextdns.service : interactive authenication required

    0
    Comment actions Permalink
  • Avatar
    Joshbowen83

    Just clarified it a bit more.

    I usually enable SSH on Firewalla using Mac OSX Terminal or JuiceSSH client for Android. Any ssh client would work. Putty is a popular cross platform solution.

    0
    Comment actions Permalink
  • Avatar
    Joshbowen83

    Run the commands using "sudo su" first. I'll add that in. Sorry

    0
    Comment actions Permalink
  • Avatar
    Joshbowen83

    This script is using the NextDNS official debian repo to acquire the debian packages for NextDNS. I believe their curl command downloads and installs it as well, but it starts an interactive installer. For me, NextDNS disappeared after reboot. So for these reasons, I made this script to recreate NextDNS at every reboot with a non-interactive setup. It seemed to work great for me, but there may be better solutions than mine out there.

    0
    Comment actions Permalink
  • Avatar
    Joshbowen83

    You could also use their CLI non-interactive...

    sh -c 'sh -c "$(curl -sL https://nextdns.io/install)" install -config <config-id> -report-client-info -setup-router'

    But you'll still need to restart firerouter_dns and include it in your post_main.d folder

    0
    Comment actions Permalink
  • Avatar
    Stuart Munro

    @josh all good you type garbage you get garbage... typo nxtdns not nextdns.here is what i would suggest

    I used win scp copied the config and uploaded... MAKE SURE YOU CHANGE THE ID for your service....

    once up there i manually did this directory by directory

     

     

     

    root@firewalla:~# cd /home
    root@firewalla:/home# cd pi
    root@firewalla:/home/pi# cd firewalla
    root@firewalla:/home/pi/firewalla# cd config
    root@firewalla:/home/pi/firewalla/config# cd post_main.d/
    root@firewalla:/home/pi/firewalla/config/post_main.d# ls
    nextdns_init.sh
    root@firewalla:/home/pi/firewalla/config/post_main.d# ./nextdns_init.sh
    deb [signed-by=/usr/share/keyring/nextdns.gpg] https://repo.nextdns.io/deb stable main
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following packages will be upgraded:
    apt-transport-https
    1 upgraded, 0 newly installed, 0 to remove and 266 not upgraded.
    Need to get 4,348 B of archives.
    After this operation, 1,024 B of additional disk space will be used.
    Err:1 http://us.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 apt-transport-https all 1.6.14
    Temporary failure resolving 'us.archive.ubuntu.com'
    E: Failed to fetch http://us.archive.ubuntu.com/ubuntu/pool/universe/a/apt/apt-transport-https_1.6.14_all.deb Temporary failure resolving 'us.archive.ubuntu.com'
    E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
    Err:1 http://us.archive.ubuntu.com/ubuntu bionic InRelease
    Temporary failure resolving 'us.archive.ubuntu.com'
    Err:2 http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease
    Temporary failure resolving 'us.archive.ubuntu.com'
    Err:3 https://repo.nextdns.io/deb stable InRelease
    Temporary failure resolving 'repo.nextdns.io'
    Err:4 http://us.archive.ubuntu.com/ubuntu bionic-backports InRelease
    Temporary failure resolving 'us.archive.ubuntu.com'
    Err:5 http://us.archive.ubuntu.com/ubuntu bionic-security InRelease
    Temporary failure resolving 'us.archive.ubuntu.com'
    Err:6 https://download.docker.com/linux/ubuntu bionic InRelease
    Temporary failure resolving 'download.docker.com'
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    267 packages can be upgraded. Run 'apt list --upgradable' to see them.
    W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/bionic/InRelease Temporary failure resolving 'us.archive.ubuntu.com'
    W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/bionic-updates/InRelease Temporary failure resolving 'us.archive.ubuntu.com'
    W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/bionic-backports/InRelease Temporary failure resolving 'us.archive.ubuntu.com'
    W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/bionic-security/InRelease Temporary failure resolving 'us.archive.ubuntu.com'
    W: Failed to fetch https://download.docker.com/linux/ubuntu/dists/bionic/InRelease Temporary failure resolving 'download.docker.com'
    W: Failed to fetch https://repo.nextdns.io/deb/dists/stable/InRelease Temporary failure resolving 'repo.nextdns.io'
    W: Some index files failed to download. They have been ignored, or old ones used instead.
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    nextdns is already the newest version (1.37.7).
    0 upgraded, 0 newly installed, 0 to remove and 267 not upgraded.
    NextDNS installed and started using systemd init
    root@firewalla:/home/pi/firewalla/config/post_main.d#

    0
    Comment actions Permalink
  • Avatar
    Joshbowen83

    You have the wrong directory. There should be a period in front of firewalla.

    The significance is in where the script is located which causes Firewalla to launch the script upon reboot.  Since you successfully installed NextDNS but have the script in the wrong location, it won't run once it gets rebooted.  If it works for you though, that's what matters. 

    0
    Comment actions Permalink
  • Avatar
    JimPanse

    Hey Joshbowen83, thanks for your guide.

    Can you maybe tell me what is going wrong here with me?

    root@firewalla:/home/pi# mkdir /home/pi/.firewalla/config/post_main.d
    root@firewalla:/home/pi# nano /home/pi/.firewalla/config/post_main.d/nextdns_init.sh
    root@firewalla:/home/pi# chmod 755 /home/pi/.firewalla/config/post_main.d/nextdns_init.sh
    root@firewalla:/home/pi# /home/pi/.firewalla/config/post_main.d/nextdns_init.sh
    deb [signed-by=/usr/share/keyring/nextdns.gpg] https://repo.nextdns.io/deb stable main
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following packages will be upgraded:
    apt-transport-https
    1 upgraded, 0 newly installed, 0 to remove and 266 not upgraded.
    Need to get 4,348 B of archives.
    After this operation, 1,024 B of additional disk space will be used.
    Get:1 http://us.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 apt-transport-https all 1.6.14 [4,348 B]
    Fetched 4,348 B in 0s (13.2 kB/s)
    (Reading database ... 76862 files and directories currently installed.)
    Preparing to unpack .../apt-transport-https_1.6.14_all.deb ...
    Unpacking apt-transport-https (1.6.14) over (1.6.12) ...
    Setting up apt-transport-https (1.6.14) ...
    Hit:1 http://us.archive.ubuntu.com/ubuntu bionic InRelease
    Hit:2 https://download.docker.com/linux/ubuntu bionic InRelease
    Get:3 http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
    Get:4 https://repo.nextdns.io/deb stable InRelease [8,490 B]
    Hit:5 http://us.archive.ubuntu.com/ubuntu bionic-backports InRelease
    Get:6 http://us.archive.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
    Get:7 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages [2,354 kB]
    Err:4 https://repo.nextdns.io/deb stable InRelease
    The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 467A7CCC8ACFA0B7
    Get:8 http://us.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages [1,778 kB]
    Reading package lists... Done
    W: GPG error: https://repo.nextdns.io/deb stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 467A7CCC8ACFA0B7
    E: The repository 'https://repo.nextdns.io/deb stable InRelease' is not signed.
    N: Updating from such a repository can't be done securely, and is therefore disabled by default.
    N: See apt-secure(8) manpage for repository creation and user configuration details.
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    E: Unable to locate package nextdns
    /home/pi/.firewalla/config/post_main.d/nextdns_init.sh: line 11: unexpected EOF while looking for matching `''
    /home/pi/.firewalla/config/post_main.d/nextdns_init.sh: line 16: syntax error: unexpected end of file

    0
    Comment actions Permalink
  • Avatar
    Joshbowen83

    Try...
    sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 467A7CCC8ACFA0B7

    Then repeat what you did.  Let me know.

    0
    Comment actions Permalink
  • Avatar
    JimPanse

    Thanks for your quick reply.
    After the input I get unfortunately an error message: keyserver receive failed: No data

    Here in full:

    root@firewalla:/home/pi# sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 467A7CCC8ACFA0B7
    Executing: /tmp/apt-key-gpghome.DpBJOsnetu/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 467A7CCC8ACFA0B7
    gpg: keyserver receive failed: No data
    root@firewalla:/home/pi# /home/pi/.firewalla/config/post_main.d/nextdns_init.sh
    deb [signed-by=/usr/share/keyring/nextdns.gpg] https://repo.nextdns.io/deb stable main
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    apt-transport-https is already the newest version (1.6.14).
    0 upgraded, 0 newly installed, 0 to remove and 266 not upgraded.
    Hit:1 https://download.docker.com/linux/ubuntu bionic InRelease
    Hit:2 http://us.archive.ubuntu.com/ubuntu bionic InRelease
    Get:3 http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
    Hit:5 http://us.archive.ubuntu.com/ubuntu bionic-backports InRelease
    Get:6 http://us.archive.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
    Get:4 https://repo.nextdns.io/deb stable InRelease [8,490 B]
    Err:4 https://repo.nextdns.io/deb stable InRelease
    The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 467A7CCC8ACFA0B7
    Reading package lists... Done
    W: GPG error: https://repo.nextdns.io/deb stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 467A7CCC8ACFA0B7
    E: The repository 'https://repo.nextdns.io/deb stable InRelease' is not signed.
    N: Updating from such a repository can't be done securely, and is therefore disabled by default.
    N: See apt-secure(8) manpage for repository creation and user configuration details.
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    E: Unable to locate package nextdns
    /home/pi/.firewalla/config/post_main.d/nextdns_init.sh: line 11: unexpected EOF while looking for matching `''
    /home/pi/.firewalla/config/post_main.d/nextdns_init.sh: line 16: syntax error: unexpected end of file

    0
    Comment actions Permalink
  • Avatar
    Joshbowen83

    did you run this..sudo wget -qO /usr/share/keyrings/nextdns.gpg https://repo.nextdns.io/nextdns.gpg

    0
    Comment actions Permalink
  • Avatar
    JimPanse

    Now I did, with the same outcome...

    0
    Comment actions Permalink
  • Avatar
    JimPanse

    Do you have any other ideas to get NextDNS CLI working on the FW Gold?

    0
    Comment actions Permalink
  • Avatar
    Joshbowen83

    As for the unexpected EOF... Are you replacing the configuration with your specific profile ? (Leave out the symbols).

    0
    Comment actions Permalink
  • Avatar
    Joshbowen83

    here is the nextdns-init.sh script typed out.  you'll still need to replace the config id.  

    https://drive.google.com/file/d/1K-TT3b6NiLT1BAsvryHpl1rPn9iCFFgu/view?usp=sharing

    0
    Comment actions Permalink
  • Avatar
    Joshbowen83

    Source: https://github.com/nextdns/nextdns/wiki/Debian-Based-Distribution

    0
    Comment actions Permalink
  • Avatar
    JimPanse

    I had actually forgotten the config ID in the script. Now I have changed it and saved the script. The error message is gone. But it still doesn't work?
    What am I still doing wrong?

    Here is the output:

     

    pi@firewalla:~ (Firewalla) $ /home/pi/.firewalla/config/post_main.d/nextdns_init.sh
    deb [signed-by=/usr/share/keyring/nextdns.gpg] https://repo.nextdns.io/deb stable main
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    apt-transport-https is already the newest version (1.6.14).
    0 upgraded, 0 newly installed, 0 to remove and 266 not upgraded.
    Hit:1 https://download.docker.com/linux/ubuntu bionic InRelease
    Hit:2 http://us.archive.ubuntu.com/ubuntu bionic InRelease
    Get:3 http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
    Hit:5 http://us.archive.ubuntu.com/ubuntu bionic-backports InRelease
    Get:6 http://us.archive.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
    Get:4 https://repo.nextdns.io/deb stable InRelease [8,490 B]
    Err:4 https://repo.nextdns.io/deb stable InRelease
    The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 467A7CCC8ACFA0B7
    Reading package lists... Done
    W: GPG error: https://repo.nextdns.io/deb stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 467A7CCC8ACFA0B7
    E: The repository 'https://repo.nextdns.io/deb stable InRelease' is not signed.
    N: Updating from such a repository can't be done securely, and is therefore disabled by default.
    N: See apt-secure(8) manpage for repository creation and user configuration details.
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    E: Unable to locate package nextdns
    sudo: nextdns: command not found
    Failed to start nextdns.service: Unit nextdns.service not found.

    0
    Comment actions Permalink
  • Avatar
    Joshbowen83

    The problem seems to be the start of the script is not saving the public key. Basically wget is downloading the key, then creating a sources files for NextDNS with echo and tee. Use 'ls' at the file locations mentioned in the script to see if they key is in the keyrings folder and the NextDNS.list is in the sources.d folder. It could be that if you are copying and pasting, the wget command is using the number zero instead of a capital O (which stands for output [to a file]).

    0
    Comment actions Permalink
  • Avatar
    Joshbowen83

    If you are still unable to get it to work, I put the source of NextDNS's GitHub earlier on. I would contact NextDNS if you have further problems since that part of the code comes directly from them.

    0
    Comment actions Permalink
  • Avatar
    Joshbowen83

    Oh and you have the echo'd statement, but did you pipe it into sudo tee? If not, you may have a blank sources file since it wasn't piped.

    0
    Comment actions Permalink
  • Avatar
    JimPanse

    Ha! Found the mistake! wget uses /usr/share/keyringS/nextdns.gpg

    and echo uses /usr/share/keyring/nextdns.gpg without the "s" on keyring.

    Changed this and now it's working! Thanks a lot!

    0
    Comment actions Permalink

Please sign in to leave a comment.