Running NextDNS CLI on FWB+
I was wondering if I can move ahead with installing NextDNS CLI on my FWB+. Currently I run NextDNS CLI on another Raspberry, using its IP for DoH, but would rather run it directly on the FWB+. Is there anything I need to be aware of?
Thanks
-
I did this on Gold.
Launch a terminal and type "sudo su"
1. Create the folder post_main.d using mkdir: mkdir /home/pi/.firewalla/config/post_main.d
2. Create a file called /home/pi/.firewalla/config/post_main.d/nextdns_init.sh using nano.
3. Paste the code below.
4. Save the file in nano with Ctrl-X and y.
5. chmod 755 /home/pi/.firewalla/config/post_main.d/nextdns_init.sh
6. Run the script directly by typing the filename with its path, or reboot Firewalla.
The code to paste...
#!/bin/bash
# Fetch the NextDNS repository signing key and register the repo with apt
sudo wget -qO /usr/share/keyrings/nextdns.gpg https://repo.nextdns.io/nextdns.gpg
echo "deb [signed-by=/usr/share/keyrings/nextdns.gpg] https://repo.nextdns.io/deb stable main" | sudo tee /etc/apt/sources.list.d/nextdns.list
# -y keeps apt from prompting, since this runs unattended at boot
sudo apt install -y apt-transport-https
sudo apt update
sudo apt install -y nextdns
# Stop Firewalla's own DNS service before nextdns takes over
sudo systemctl stop firerouter_dns.service
# Replace <config-id> with your NextDNS configuration ID
sudo nextdns install -config <config-id> -report-client-info -setup-router
sudo systemctl start nextdns.service
sudo systemctl start firerouter_dns.service
-
Shouldn't be an issue, make sure you read up on resetting the unit in case things blow up.
Also in 1.46, we have a new feature to define your DoH server, see if it works for you or not. https://help.firewalla.com/hc/en-us/articles/1500012331082
-
Ok, I got this running. To summarize:
- I installed NextDNS CLI on FWB+
- deactivated DoH on Firewalla, also
- unchecked the DNS Booster for all devices on the FWB+
- changed the DNS IP to the one of the FWB+ device
Now all DNS goes through NextDNS CLI... I think it's working. There's one thing though that I don't understand: FWB+ seems to block certain DNS queries. I don't understand the consequences of this currently. See below.
-
The domains that are "blocked" are actually "not found or invalid domains". Example: "fknmlpacc" is not a domain ... more information here https://help.firewalla.com/hc/en-us/articles/1500007220942-Firewalla-Blocked-Flows
Why is your device querying these strange things ... you may want to take a look.
-
@josh I am having issues with this. Do I need to create the post_main.d folder, as my directory stops at /home/pi/.firewalla/config/?
Do you have a sample config? I also used WinSCP to confirm it was not there, besides the CLI. I used this when I ran OPNsense... How-to: NextDNS + OPNsense Firewall - Derek Seaman's IT Blog; this runs through a shell command. Can you share your sanitized nextdns_init.sh file please?
-
@josh was this the CLI you used? Home · nextdns/nextdns Wiki · GitHub
I do get an error "failed to start nextdns.service: interactive authentication required".
-
This script uses the official NextDNS Debian repo to acquire the Debian packages for NextDNS. I believe their curl command downloads and installs it as well, but it starts an interactive installer. For me, NextDNS disappeared after reboot. So for these reasons, I made this script to recreate NextDNS at every reboot with a non-interactive setup. It seemed to work great for me, but there may be better solutions than mine out there.
-
You could also use their CLI non-interactive...
sh -c 'sh -c "$(curl -sL https://nextdns.io/install)" install -config <config-id> -report-client-info -setup-router'
But you'll still need to restart firerouter_dns and include it in your post_main.d folder.
-
@josh all good, you type garbage, you get garbage... typo: nxtdns, not nextdns. Here is what I would suggest.
I used WinSCP, copied the config and uploaded it... MAKE SURE YOU CHANGE THE ID for your service....
Once up there I manually did this directory by directory:
root@firewalla:~# cd /home
root@firewalla:/home# cd pi
root@firewalla:/home/pi# cd firewalla
root@firewalla:/home/pi/firewalla# cd config
root@firewalla:/home/pi/firewalla/config# cd post_main.d/
root@firewalla:/home/pi/firewalla/config/post_main.d# ls
nextdns_init.sh
root@firewalla:/home/pi/firewalla/config/post_main.d# ./nextdns_init.sh
deb [signed-by=/usr/share/keyring/nextdns.gpg] https://repo.nextdns.io/deb stable main
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
apt-transport-https
1 upgraded, 0 newly installed, 0 to remove and 266 not upgraded.
Need to get 4,348 B of archives.
After this operation, 1,024 B of additional disk space will be used.
Err:1 http://us.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 apt-transport-https all 1.6.14
Temporary failure resolving 'us.archive.ubuntu.com'
E: Failed to fetch http://us.archive.ubuntu.com/ubuntu/pool/universe/a/apt/apt-transport-https_1.6.14_all.deb Temporary failure resolving 'us.archive.ubuntu.com'
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
Err:1 http://us.archive.ubuntu.com/ubuntu bionic InRelease
Temporary failure resolving 'us.archive.ubuntu.com'
Err:2 http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease
Temporary failure resolving 'us.archive.ubuntu.com'
Err:3 https://repo.nextdns.io/deb stable InRelease
Temporary failure resolving 'repo.nextdns.io'
Err:4 http://us.archive.ubuntu.com/ubuntu bionic-backports InRelease
Temporary failure resolving 'us.archive.ubuntu.com'
Err:5 http://us.archive.ubuntu.com/ubuntu bionic-security InRelease
Temporary failure resolving 'us.archive.ubuntu.com'
Err:6 https://download.docker.com/linux/ubuntu bionic InRelease
Temporary failure resolving 'download.docker.com'
Reading package lists... Done
Building dependency tree
Reading state information... Done
267 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/bionic/InRelease Temporary failure resolving 'us.archive.ubuntu.com'
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/bionic-updates/InRelease Temporary failure resolving 'us.archive.ubuntu.com'
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/bionic-backports/InRelease Temporary failure resolving 'us.archive.ubuntu.com'
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/bionic-security/InRelease Temporary failure resolving 'us.archive.ubuntu.com'
W: Failed to fetch https://download.docker.com/linux/ubuntu/dists/bionic/InRelease Temporary failure resolving 'download.docker.com'
W: Failed to fetch https://repo.nextdns.io/deb/dists/stable/InRelease Temporary failure resolving 'repo.nextdns.io'
W: Some index files failed to download. They have been ignored, or old ones used instead.
Reading package lists... Done
Building dependency tree
Reading state information... Done
nextdns is already the newest version (1.37.7).
0 upgraded, 0 newly installed, 0 to remove and 267 not upgraded.
NextDNS installed and started using systemd init
root@firewalla:/home/pi/firewalla/config/post_main.d#
-
You have the wrong directory. There should be a period in front of firewalla.
The significance is in where the script is located which causes Firewalla to launch the script upon reboot. Since you successfully installed NextDNS but have the script in the wrong location, it won't run once it gets rebooted. If it works for you though, that's what matters.
-
Hey Joshbowen83, thanks for your guide.
Can you maybe tell me what is going wrong here with me?
root@firewalla:/home/pi# mkdir /home/pi/.firewalla/config/post_main.d
root@firewalla:/home/pi# nano /home/pi/.firewalla/config/post_main.d/nextdns_init.sh
root@firewalla:/home/pi# chmod 755 /home/pi/.firewalla/config/post_main.d/nextdns_init.sh
root@firewalla:/home/pi# /home/pi/.firewalla/config/post_main.d/nextdns_init.sh
deb [signed-by=/usr/share/keyring/nextdns.gpg] https://repo.nextdns.io/deb stable main
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
apt-transport-https
1 upgraded, 0 newly installed, 0 to remove and 266 not upgraded.
Need to get 4,348 B of archives.
After this operation, 1,024 B of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 apt-transport-https all 1.6.14 [4,348 B]
Fetched 4,348 B in 0s (13.2 kB/s)
(Reading database ... 76862 files and directories currently installed.)
Preparing to unpack .../apt-transport-https_1.6.14_all.deb ...
Unpacking apt-transport-https (1.6.14) over (1.6.12) ...
Setting up apt-transport-https (1.6.14) ...
Hit:1 http://us.archive.ubuntu.com/ubuntu bionic InRelease
Hit:2 https://download.docker.com/linux/ubuntu bionic InRelease
Get:3 http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Get:4 https://repo.nextdns.io/deb stable InRelease [8,490 B]
Hit:5 http://us.archive.ubuntu.com/ubuntu bionic-backports InRelease
Get:6 http://us.archive.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Get:7 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages [2,354 kB]
Err:4 https://repo.nextdns.io/deb stable InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 467A7CCC8ACFA0B7
Get:8 http://us.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages [1,778 kB]
Reading package lists... Done
W: GPG error: https://repo.nextdns.io/deb stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 467A7CCC8ACFA0B7
E: The repository 'https://repo.nextdns.io/deb stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package nextdns
/home/pi/.firewalla/config/post_main.d/nextdns_init.sh: line 11: unexpected EOF while looking for matching `''
/home/pi/.firewalla/config/post_main.d/nextdns_init.sh: line 16: syntax error: unexpected end of file
-
Thanks for your quick reply.
After the input I unfortunately get an error message: keyserver receive failed: No data. Here in full:
root@firewalla:/home/pi# sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 467A7CCC8ACFA0B7
Executing: /tmp/apt-key-gpghome.DpBJOsnetu/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 467A7CCC8ACFA0B7
gpg: keyserver receive failed: No data
root@firewalla:/home/pi# /home/pi/.firewalla/config/post_main.d/nextdns_init.sh
deb [signed-by=/usr/share/keyring/nextdns.gpg] https://repo.nextdns.io/deb stable main
Reading package lists... Done
Building dependency tree
Reading state information... Done
apt-transport-https is already the newest version (1.6.14).
0 upgraded, 0 newly installed, 0 to remove and 266 not upgraded.
Hit:1 https://download.docker.com/linux/ubuntu bionic InRelease
Hit:2 http://us.archive.ubuntu.com/ubuntu bionic InRelease
Get:3 http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Hit:5 http://us.archive.ubuntu.com/ubuntu bionic-backports InRelease
Get:6 http://us.archive.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Get:4 https://repo.nextdns.io/deb stable InRelease [8,490 B]
Err:4 https://repo.nextdns.io/deb stable InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 467A7CCC8ACFA0B7
Reading package lists... Done
W: GPG error: https://repo.nextdns.io/deb stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 467A7CCC8ACFA0B7
E: The repository 'https://repo.nextdns.io/deb stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package nextdns
/home/pi/.firewalla/config/post_main.d/nextdns_init.sh: line 11: unexpected EOF while looking for matching `''
/home/pi/.firewalla/config/post_main.d/nextdns_init.sh: line 16: syntax error: unexpected end of file
-
Did you run this? sudo wget -qO /usr/share/keyrings/nextdns.gpg https://repo.nextdns.io/nextdns.gpg
-
Here is the nextdns_init.sh script typed out. You'll still need to replace the config ID.
https://drive.google.com/file/d/1K-TT3b6NiLT1BAsvryHpl1rPn9iCFFgu/view?usp=sharing
-
-
I had actually forgotten the config ID in the script. Now I have changed it and saved the script. The error message is gone. But it still doesn't work?
What am I still doing wrong? Here is the output:
pi@firewalla:~ (Firewalla) $ /home/pi/.firewalla/config/post_main.d/nextdns_init.sh
deb [signed-by=/usr/share/keyring/nextdns.gpg] https://repo.nextdns.io/deb stable main
Reading package lists... Done
Building dependency tree
Reading state information... Done
apt-transport-https is already the newest version (1.6.14).
0 upgraded, 0 newly installed, 0 to remove and 266 not upgraded.
Hit:1 https://download.docker.com/linux/ubuntu bionic InRelease
Hit:2 http://us.archive.ubuntu.com/ubuntu bionic InRelease
Get:3 http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Hit:5 http://us.archive.ubuntu.com/ubuntu bionic-backports InRelease
Get:6 http://us.archive.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Get:4 https://repo.nextdns.io/deb stable InRelease [8,490 B]
Err:4 https://repo.nextdns.io/deb stable InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 467A7CCC8ACFA0B7
Reading package lists... Done
W: GPG error: https://repo.nextdns.io/deb stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 467A7CCC8ACFA0B7
E: The repository 'https://repo.nextdns.io/deb stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package nextdns
sudo: nextdns: command not found
Failed to start nextdns.service: Unit nextdns.service not found.
-
The problem seems to be that the start of the script is not saving the public key. Basically wget downloads the key, then a sources file for NextDNS is created with echo and tee. Use 'ls' at the file locations mentioned in the script to see if the key is in the keyrings folder and the nextdns.list is in the sources.list.d folder. It could be that if you are copying and pasting, the wget command is using the number zero instead of a capital O (which stands for output [to a file]).
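A check for the two apt pieces the script in the first answer sets up and the reply above tells you to verify with ls (an added example, not from the thread): it reads a sources list, pulls out each signed-by= keyring path and confirms that file exists and is non-empty. The outputs pasted earlier show signed-by=/usr/share/keyring/nextdns.gpg while the script downloads the key to /usr/share/keyrings/, which is exactly the mismatch this reports; the demo runs against a constructed temporary directory, not the real /etc.

```shell
#!/bin/bash
# Verify that every "signed-by=" keyring referenced in an apt sources file
# actually exists and is non-empty, before "apt update" fails with NO_PUBKEY.
# Usage: check_repo_signing <sources list file>; returns 0 if all keyrings are
# present, 1 if the file is unreadable or any keyring is missing/empty.
check_repo_signing() {
    list_file="$1"
    [ -r "$list_file" ] || { echo "missing sources file: $list_file" >&2; return 1; }
    status=0
    while IFS= read -r line; do
        # only "deb ... [signed-by=...]" lines carry a keyring path
        case "$line" in
            deb*signed-by=*) ;;
            *) continue ;;
        esac
        # text after signed-by= up to the closing ] or next option
        keyring=${line#*signed-by=}
        keyring=${keyring%%]*}
        keyring=${keyring%% *}
        if [ -s "$keyring" ]; then
            echo "ok: keyring $keyring present"
        else
            echo "ERROR: keyring $keyring missing or empty for: $line" >&2
            status=1
        fi
    done < "$list_file"
    return $status
}

# Constructed demo (hypothetical temp layout mirroring /usr/share/keyrings):
# one list with the path the script writes, one with the keyring/keyrings typo.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/share/keyrings"
    printf 'fake key bytes\n' > "$tmp/usr/share/keyrings/nextdns.gpg"
    echo "deb [signed-by=$tmp/usr/share/keyrings/nextdns.gpg] https://repo.nextdns.io/deb stable main" > "$tmp/good.list"
    echo "deb [signed-by=$tmp/usr/share/keyring/nextdns.gpg] https://repo.nextdns.io/deb stable main" > "$tmp/bad.list"
    check_repo_signing "$tmp/good.list" || echo "good.list unexpectedly failed"
    check_repo_signing "$tmp/bad.list" || echo "bad.list rejected as expected (path typo)"
    rm -rf "$tmp"
}
demo
```

On the Firewalla itself, run check_repo_signing /etc/apt/sources.list.d/nextdns.list right after the wget and tee lines to confirm the key landed where the list points.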