NextDNS CLI on Firewalla revisited (working DHCP host resolution in NextDNS logs)
I ended up rolling my own solution after running into issues with another post here regarding setting up NextDNS CLI on a Firewalla -- I was having problems where setup-router=true wasn't working for me, causing dnsmasq and NextDNS CLI to fight over port 53.
Below is what is working for me on my Firewalla Purple (box v1.974), including device identification in NextDNS logs:
Update:
Nice [un]install scripts provided by Michael Bierman here: https://github.com/mbierman/Firewalla-NextDNS-CLI-install
#!/bin/bash
# install & configure NextDNS CLI on startup of Firewalla
# file goes in: /home/pi/.firewalla/config/post_main.d/
# DNS over HTTPS must be disabled in Firewalla app
# install NextDNS CLI
sudo wget -qO /usr/share/keyrings/nextdns.gpg https://repo.nextdns.io/nextdns.gpg
echo "deb [signed-by=/usr/share/keyrings/nextdns.gpg] https://repo.nextdns.io/deb stable main" | sudo tee /etc/apt/sources.list.d/nextdns.list
unalias apt
sudo apt update
# -y: this runs unattended from post_main.d, so apt must not wait for a confirmation prompt
sudo apt install -y nextdns
# replace -config 123456 with your own NextDNS config ID
# replace 10.10.12.1 with your Firewalla local lan IP
# enable NextDNS caching: https://github.com/nextdns/nextdns/wiki/Cache-Configuration
# set discovery-dns to IP of Firewalla local DNS
# set NextDNS CLI to listen on local network IP (instead of 127.0.0.1 -- allows DHCP host resolution in NextDNS logs)
# define listen port instead of relying on -setup-router
sudo nextdns install -config 123456 -report-client-info -cache-size=10MB -max-ttl=5s -discovery-dns 10.10.12.1 -listen 10.10.12.1:5555
# alternate command to implement conditional configuration: https://github.com/nextdns/nextdns/wiki/Conditional-Configuration
# replace 192.168.122.0/24=abcdef with your own additional network and NextDNS config ID
# sudo nextdns install -config 192.168.122.0/24=abcdef -config 123456 -report-client-info -cache-size=10MB -max-ttl=5s -discovery-dns 10.10.12.1 -listen 10.10.12.1:5555
# Add dnsmasq integration to enable client reporting in NextDNS logs: https://github.com/nextdns/nextdns/wiki/DNSMasq-Integration
cat > /home/pi/.firewalla/config/dnsmasq/mynextdns.conf << EOF
server=10.10.12.1#5555
add-mac
add-subnet=32,128
EOF
# restart Firewalla DNS service
sudo systemctl restart firerouter_dns.service
NextDNS CLI seems to hijack all DNS requests, hence the alternate config option (I created a new NextDNS config to use with devices on one of my VLANs). The DNS servers I specified in the VLAN network config were being ignored (devices show the DNS servers specified by the VLAN config, but NextDNS was still logging/blocking DNS requests to these devices).
Note that NextDNS seems to truncate device names after the first period. You can replace spaces with hyphens or remove them altogether in the Firewalla app for a more informational device name in the NextDNS logs (Firewalla converts spaces in device names to periods).

There's more I'm probably forgetting to note, but I'm running out of time and have to go prep some food for tomorrow's 4th family celebration. I will update at a later time if something comes to mind, or if there's questions.
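The setup above has two moving parts that must agree: the dnsmasq drop-in forwards to ip#port, and NextDNS CLI must be listening on exactly that ip#port, with add-mac/add-subnet present so NextDNS can attribute queries to the client rather than the router. The following script is an added example (not from the original post or from the NextDNS project); it checks a dnsmasq config text for those properties and, with --live, inspects the listeners and resolution chain on the box itself. The LAN IP 10.10.12.1, port 5555 and the mynextdns.conf path are the post's own values and can be overridden through the environment; the sample config inside the script is constructed.

```bash
#!/bin/bash
# Added example, not part of the original post: consistency checks for the
# dnsmasq -> NextDNS CLI chain configured by the install script above.
# Assumed values (override via environment): LAN IP 10.10.12.1, NextDNS CLI
# listen port 5555, dnsmasq drop-in /home/pi/.firewalla/config/dnsmasq/mynextdns.conf.
LAN_IP="${LAN_IP:-10.10.12.1}"
NEXTDNS_PORT="${NEXTDNS_PORT:-5555}"
DNSMASQ_CONF="${DNSMASQ_CONF:-/home/pi/.firewalla/config/dnsmasq/mynextdns.conf}"

# Constructed sample of the drop-in the install script writes.
SAMPLE_CONF='server=10.10.12.1#5555
add-mac
add-subnet=32,128'

# Print the "ip#port" target of the first plain server= line in a dnsmasq config text.
dnsmasq_server_target() {
  printf '%s\n' "$1" | sed -n 's/^server=//p' | head -n 1
}

# Succeed only when the target's host and port equal the NextDNS -listen address.
# A mismatch here is the usual reason queries never reach the NextDNS port.
forward_target_matches() {
  local target="$1" want_ip="$2" want_port="$3"
  [ "${target%%#*}" = "$want_ip" ] && [ "${target##*#}" = "$want_port" ]
}

# Succeed only when both add-mac and add-subnet are present; without them
# NextDNS logs show the router, not the client device.
dnsmasq_has_client_tags() {
  printf '%s\n' "$1" | grep -q '^add-mac' && printf '%s\n' "$1" | grep -q '^add-subnet='
}

# Static checks over a config text; prints one verdict per check, returns 1 on any failure.
check_config_text() {
  local conf="$1" target ok=0
  target=$(dnsmasq_server_target "$conf")
  if forward_target_matches "$target" "$LAN_IP" "$NEXTDNS_PORT"; then
    echo "ok   dnsmasq forwards to $target"
  else
    echo "FAIL dnsmasq forwards to '${target:-<none>}', expected $LAN_IP#$NEXTDNS_PORT"; ok=1
  fi
  if dnsmasq_has_client_tags "$conf"; then
    echo "ok   add-mac and add-subnet present"
  else
    echo "FAIL add-mac/add-subnet missing; client names will not appear in NextDNS logs"; ok=1
  fi
  return $ok
}

# Live checks, only meaningful on the Firewalla itself: which process owns
# port 53 and the NextDNS port, and whether each hop answers a query.
live_checks() {
  echo "--- listeners on :53 and :$NEXTDNS_PORT"
  sudo ss -ltnup | grep -E ":(53|$NEXTDNS_PORT)\b" || echo "none found"
  echo "--- NextDNS CLI status"
  sudo nextdns status
  echo "--- query via dnsmasq (port 53), then directly via NextDNS CLI"
  dig +short @"$LAN_IP" example.com
  dig +short -p "$NEXTDNS_PORT" @"$LAN_IP" example.com
}

case "${1:-}" in
  --live)   check_config_text "$(cat "$DNSMASQ_CONF")" && live_checks ;;
  --sample) check_config_text "$SAMPLE_CONF" ;;
esac
```

Run it with --sample to see the checks pass against the constructed config, or with --live on the Firewalla to compare the real drop-in with what is actually listening; a second process on port 53 or nothing on the NextDNS port in the ss output points at the dnsmasq/NextDNS port fight described in the thread.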
-
Yeah, I think you're onto something there. I was relating my Firewalla box upgrade with the timing that it all stopped. But NextDNS would have run an update on startup also, so the timing also lines up with 1.44.4 NextDNS CLI.
Manual entry in /etc/hosts didn't seem to resolve either.
Interesting thing is, if I run a dig or nslookup against my Firewalla, it returns the hostname perfectly. So Firewalla knows which hostname to respond for DNS requests, so the -discovery-dns setting should be enough. But something is broken with NextDNS.
-
@Raymond some good news. NextDNS has done a partial fix. The device name is not perfect. If your device is called "Michael's iPad", only "Michaels" is provided, but the IP address is passed properly. I'm trying to get them to fix it properly (e.g. michaels.ipad.lan should be used); we'll see. If you want to weigh in, github.com/nextdns/nextdns/issues/1005
Meanwhile, I've updated my install script. github.com/mbierman/Firewalla-NextDNS-CLI-install/tree/main -
Michael Bierman - I removed all traces of nextdns cli that I could find, ran your download script, updated the id, IP, and removed some comments in the script causing failures (bug already created for this), and then ran the actual install script. Everything seemed to work and nextdns says it's running, but no requests appear to be routing to port 5555. Also the nextdns cli install shows a port conflict in the logs.
