I ended up rolling my own solution after running into issues with another post here regarding setting up NextDNS CLI on a Firewalla -- I was having problems where setup-router=true wasn't working for me, causing dnsmasq and NextDNS CLI to fight over port 53.
Below is what is working for me on my Firewalla Purple (box v1.974), including device identification in NextDNS logs:
Nice [un]install scripts provided by Michael Bierman here: https://github.com/mbierman/Firewalla-NextDNS-CLI-install
# install & configure NextDNS CLI on startup of Firewalla
# file goes in: /home/pi/.firewalla/config/post_main.d/
# DNS over HTTPS must be disabled in Firewalla app
# install NextDNS CLI
sudo wget -qO /usr/share/keyrings/nextdns.gpg https://repo.nextdns.io/nextdns.gpg
echo "deb [signed-by=/usr/share/keyrings/nextdns.gpg] https://repo.nextdns.io/deb stable main" | sudo tee /etc/apt/sources.list.d/nextdns.list
sudo apt update
# -y is needed here: this script runs non-interactively at boot, so an apt prompt would abort the install
sudo apt install -y nextdns
# replace -config 123456 with your own NextDNS config ID
# replace 10.10.12.1 with your Firewalla local lan IP
# enable NextDNS caching: https://github.com/nextdns/nextdns/wiki/Cache-Configuration
# set discovery-dns to IP of Firewalla local DNS
# set NextDNS CLI to listen on local network IP (instead of 127.0.0.1 -- allows DHCP host resolution in NextDNS logs)
# define listen port instead of relying on -setup-router
sudo nextdns install -config 123456 -report-client-info -cache-size=10MB -max-ttl=5s -discovery-dns 10.10.12.1 -listen 10.10.12.1:5555
# alternate command to implement conditional configuration: https://github.com/nextdns/nextdns/wiki/Conditional-Configuration
# replace 192.168.122.0/24=abcdef with your own additional network and NextDNS config ID
# sudo nextdns install -config 192.168.122.0/24=abcdef -config 123456 -report-client-info -cache-size=10MB -max-ttl=5s -discovery-dns 10.10.12.1 -listen 10.10.12.1:5555
# Add dnsmasq integration to enable client reporting in NextDNS logs: https://github.com/nextdns/nextdns/wiki/DNSMasq-Integration
cat > /home/pi/.firewalla/config/dnsmasq/mynextdns.conf << EOF
# dnsmasq directives go here (the lines were not preserved in the original post)
EOF
# restart Firewalla DNS service
sudo systemctl restart firerouter_dns.service
NextDNS CLI seems to hijack all DNS requests, hence the alternate config option (I created a new NextDNS config to use with devices on one of my VLANs). The DNS servers I specified in the VLAN network config were being ignored (devices show the DNS servers specified by the VLAN config, but NextDNS was still logging/blocking DNS requests to these devices).
Note that NextDNS seems to truncate device names after the first period. You can replace spaces with hyphens or remove them altogether in the Firewalla app for a more informational device name in the NextDNS logs (Firewalla converts spaces in device names to periods).
There's more I'm probably forgetting to note, but I'm running out of time and have to go prep some food for tomorrow's 4th family celebration. I will update at a later time if something comes to mind, or if there are questions.
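A post-install check, added here as an example (not from the post above or the NextDNS project): it parses `ss -Hlnup` output to confirm dnsmasq still owns UDP port 53 and nextdns sits only on its -listen port, which is exactly the fight over 53 the post describes, and checks that a dnsmasq conf forwards to that listener. LAN_IP, NEXTDNS_PORT, the sample ss lines and the assumption of a standard dnsmasq server=IP#PORT directive are mine, not the post's.

```shell
#!/bin/sh
# Added verification, not from the original post: confirm dnsmasq owns UDP 53
# and nextdns owns only its dedicated listen port. LAN_IP and NEXTDNS_PORT are
# assumptions and must match the -listen value given to "nextdns install".
LAN_IP="${LAN_IP:-10.10.12.1}"
NEXTDNS_PORT="${NEXTDNS_PORT:-5555}"

# $1 = port; stdin = "ss -Hlnup" lines. Prints the names of processes bound to
# that port (column 4 is Local Address:Port, the process sits in users:((...)).
owner_of_port() {
    awk -v p="$1" '{
        n = split($4, a, ":")
        if (a[n] == p && match($0, /users:\(\("[^"]+"/))
            print substr($0, RSTART + 9, RLENGTH - 10)
    }' | sort -u
}

# stdin = "ss -Hlnup" output. Returns 0 when the layout is as intended,
# 1 (with a reason) when nextdns grabbed 53 or either listener is missing.
check_dns_listeners() {
    input=$(cat)
    p53=" $(printf '%s\n' "$input" | owner_of_port 53 | tr '\n' ' ')"
    pnx=" $(printf '%s\n' "$input" | owner_of_port "$NEXTDNS_PORT" | tr '\n' ' ')"
    status=0
    case "$p53" in
        *" nextdns "*) echo "CONFLICT: nextdns is bound to port 53; dnsmasq cannot bind it"; status=1 ;;
    esac
    case "$p53" in
        *" dnsmasq "*) ;; *) echo "MISSING: dnsmasq is not listening on port 53"; status=1 ;;
    esac
    case "$pnx" in
        *" nextdns "*) ;; *) echo "MISSING: nextdns is not listening on port $NEXTDNS_PORT"; status=1 ;;
    esac
    [ "$status" -eq 0 ] && echo "OK: dnsmasq on :53, nextdns on :$NEXTDNS_PORT"
    return "$status"
}

# Checks that a dnsmasq conf forwards to the nextdns listener; assumes the
# standard dnsmasq "server=IP#PORT" directive. $1 = path to the conf file.
check_dnsmasq_forward() {
    grep -qx "server=${LAN_IP}#${NEXTDNS_PORT}" "$1"
}

# Constructed sample of "ss -Hlnup" output for the intended layout.
SAMPLE_OK='UNCONN 0 0 10.10.12.1:53 0.0.0.0:* users:(("dnsmasq",pid=1200,fd=4))
UNCONN 0 0 10.10.12.1:5555 0.0.0.0:* users:(("nextdns",pid=2300,fd=7))'
# Constructed sample of the conflict from the post: nextdns took port 53.
SAMPLE_BAD='UNCONN 0 0 0.0.0.0:53 0.0.0.0:* users:(("nextdns",pid=2300,fd=7))'
```

On the Firewalla itself run `sudo ss -Hlnup | check_dns_listeners` (root is needed for ss to show process names) and `check_dnsmasq_forward /home/pi/.firewalla/config/dnsmasq/mynextdns.conf`.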