@rehannali
Last active March 31, 2024 20:00
NextDNS config with pfSense DNS Resolver

NextDNS with pfSense DNS Resolver

This is the basic configuration for combining NextDNS with the pfSense DNS Resolver so that both are used.

1. Login into pfSense GUI

SSH access is turned off by default on pfSense. To enable it, go to System -> Advanced and tick Enable Secure Shell.

[screenshot: System -> Advanced, Enable Secure Shell]

2. SSH into pfSense

Use any terminal to SSH into pfSense with a username and password. This can be the default account or a custom user you created for your firewall.

Windows: you can use PuTTY.

Mac or Linux: you can use the default terminal app or a third-party one such as iTerm on Mac.

If you SSH into the firewall with the main admin account, press 8) Shell in the console menu to enter shell mode. Otherwise, from a regular shell, run su - admin and enter the password to get an admin shell.

3. Install NextDNS CLI

This wiki describes the steps to install the NextDNS CLI. For routers, pfSense in our case, this is the recommended way and requires only a single command.

sh -c 'sh -c "$(curl -sL https://nextdns.io/install)"'

Follow the wizard and enter your configuration ID from the NextDNS setup page.

4. Modify NextDNS Config

The installation script creates a vanilla configuration. We need to modify it so that it plays nicely with

  1. pfSense
  2. all our subnets.

For more advanced use cases, such as multiple profiles, cache configuration, or split horizon, i.e. conditional configuration (e.g. different settings for kids, IoT, or guest subnets), follow their guide here.

To edit the configuration file in the pfSense GUI, navigate to Diagnostics -> Edit File and open the configuration file located at /usr/local/etc/nextdns.conf. You have to enter the full path and press Load; after editing, press Save to write the settings back.

You can also edit this file by SSHing into pfSense and using vi, nano, or your favorite editor. I'm using vi and edit it by executing vi /usr/local/etc/nextdns.conf.

I have provided a basic template; you can use it as it is, or modify it as per your needs if you have some other configuration that doesn't match this template.

The following entries need to be modified:

  1. discovery-dns: Unbound listens on port 53 by default. In the next step we will change it to something else, 5555 in the template. You can use a different port as well; replace 5555 with your port and make sure that port isn't in use by any other process. You can check by executing netstat -an | grep LISTEN.
  2. listen ip:53: We need a listen entry for every subnet we want to route through NextDNS. In the template those are 192.168.1.1 and 192.168.10.1. We also need an entry for localhost so pfSense itself can resolve domains. You can also use pfSense as your main DNS server and assign its interface IP as the DNS server on every interface.
  3. profile: The configuration ID from the NextDNS setup page (the template uses the profile key; older CLI versions called it config).
  4. forwarder domain=ip:port: To hand internal domain resolution to Unbound, we tell NextDNS to route all queries for domain.com, internal.domain.com, lab.domain.com, etc. to Unbound.
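A quick consistency check for the edited file before restarting anything, as an added example that is not part of this gist or of the NextDNS CLI: it parses a nextdns.conf in the one-key-per-line layout of the template at the end of this page and reports when discovery-dns still points at port 53, when a forwarder targets a different address than discovery-dns, when the localhost listener is missing, or when the profile ID is empty. The two configs inside the script are constructed samples with a placeholder profile ID.

```shell
#!/bin/sh
# Consistency check for an edited nextdns.conf before restarting the services.
# Added example for this gist, not part of the NextDNS CLI. It assumes the
# one-"key value"-per-line layout used by the template at the end of this page.

# conf_values CONFIG_TEXT KEY: print every value given for KEY, one per line
conf_values() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2 }'
}

# port_of HOST:PORT: print the port part
port_of() {
    printf '%s\n' "${1##*:}"
}

# check_conf CONFIG_TEXT: print one finding per line; exit 0 only when clean
check_conf() {
    conf="$1"
    findings=0

    disc="$(conf_values "$conf" discovery-dns)"
    if [ -z "$disc" ]; then
        echo "discovery-dns is missing"
        findings=$((findings + 1))
    elif [ "$(port_of "$disc")" = "53" ]; then
        echo "discovery-dns still uses port 53, which nextdns itself needs"
        findings=$((findings + 1))
    fi

    # every forwarder must hand internal zones to the same unbound address
    for fwd in $(conf_values "$conf" forwarder); do
        target="${fwd#*=}"
        if [ "$target" != "$disc" ]; then
            echo "forwarder ${fwd%%=*} targets $target, not $disc"
            findings=$((findings + 1))
        fi
    done

    # pfSense itself resolves through loopback, so a localhost listener is required
    if ! conf_values "$conf" listen | grep -Eq '^(localhost|127\.0\.0\.1):53$'; then
        echo "no listen entry for localhost:53"
        findings=$((findings + 1))
    fi

    if [ -z "$(conf_values "$conf" profile)" ]; then
        echo "profile id is not set"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample mirroring the template (profile id is a placeholder).
GOOD_CONF='discovery-dns 127.0.0.1:5555
profile PLACEHOLDER_PROFILE_ID
forwarder internal.domain.com=127.0.0.1:5555
forwarder lab.domain.com=127.0.0.1:5555
listen localhost:53
listen 192.168.1.1:53
listen 192.168.10.1:53'

# Constructed broken sample: unbound left on 53, a forwarder on a stale port,
# and no loopback listener.
BAD_CONF='discovery-dns 127.0.0.1:53
profile PLACEHOLDER_PROFILE_ID
forwarder internal.domain.com=127.0.0.1:5555
listen 192.168.1.1:53'

# Usage on the firewall:  check_conf "$(cat /usr/local/etc/nextdns.conf)"
check_conf "$GOOD_CONF" && echo "template OK"
check_conf "$BAD_CONF" || echo "template needs fixes"
```

Run it against the real file with check_conf "$(cat /usr/local/etc/nextdns.conf)" from the pfSense shell; a non-zero exit status means at least one of the four entries above is still inconsistent.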

5. Modify DNS Resolver Settings in pfSense

Go to Services -> DNS Resolver and change the following settings.

  1. Change the listen port to something other than 53 (5555 in this template, matching discovery-dns).

6. Finalize

That's all you need to configure to make NextDNS work with pfSense.

  1. Restart the Unbound service from the GUI and make sure port 53 is released. You can check by executing netstat -an | grep LISTEN.
  2. Restart the nextdns service from the pfSense shell with nextdns restart. If that doesn't work for you, use sh -c "nextdns restart".
  3. Verify the logs by executing nextdns log, or sh -c "nextdns log" if the previous one didn't work for you.

You'll see all external and local domains resolved in the nextdns logs if everything works as expected.
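The netstat checks in the steps above, as an added example that is not part of the gist: a small POSIX sh script that reads netstat -an output and reports whether anything is bound on port 53 (nextdns) and on the Unbound port (5555 here) for both TCP and UDP. The point it adds is that UDP sockets never carry the LISTEN state, so grep LISTEN only shows the TCP half of a DNS listener; the script matches the Local Address column instead. The two snapshots inside it are constructed samples in FreeBSD netstat layout (local address written as host.port; the Linux host:port form is also accepted).

```shell
#!/bin/sh
# Check which DNS ports are bound after the restarts, from "netstat -an" output.
# Added example for this gist, not part of pfSense or NextDNS. It assumes FreeBSD
# netstat layout (local address as host.port) and also accepts Linux host:port.
# UDP sockets never show a LISTEN state, so grep LISTEN sees only the TCP side;
# this script matches the Local Address column for both protocols instead.

# Constructed "netstat -an" snapshot after the change: unbound on 5555, nextdns on 53.
AFTER_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 127.0.0.1.5555         *.*                    LISTEN
tcp4       0      0 192.168.1.1.53         *.*                    LISTEN
tcp4       0      0 127.0.0.1.53           *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
udp4       0      0 127.0.0.1.5555         *.*
udp4       0      0 192.168.1.1.53         *.*
udp4       0      0 127.0.0.1.53           *.*'

# Constructed snapshot before the change: unbound still holds 53, nothing on 5555.
BEFORE_NETSTAT='Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 127.0.0.1.53           *.*                    LISTEN
udp4       0      0 127.0.0.1.53           *.*'

# port_bound PORT [PROTO]: read netstat output on stdin; exit 0 when some local
# socket of PROTO (tcp, udp, or both when omitted) is bound to PORT.
port_bound() {
    port="$1"
    proto="${2:-tcp|udp}"
    grep -E "^(${proto})[46]?[[:space:]]" | awk '{ print $4 }' | grep -Eq "[.:]${port}\$"
}

# check_dns_ports UNBOUND_PORT: read netstat output on stdin; print one finding
# per missing listener and return non-zero if any is missing.
check_dns_ports() {
    unbound_port="$1"
    snapshot="$(cat)"
    missing=0
    for proto in tcp udp; do
        printf '%s\n' "$snapshot" | port_bound 53 "$proto" \
            || { echo "nothing bound on $proto/53: nextdns is not serving"; missing=1; }
        printf '%s\n' "$snapshot" | port_bound "$unbound_port" "$proto" \
            || { echo "nothing bound on $proto/$unbound_port: unbound did not move"; missing=1; }
    done
    return $missing
}

# Usage on a live box:  netstat -an | check_dns_ports 5555
printf '%s\n' "$AFTER_NETSTAT" | check_dns_ports 5555 && echo "ports look right"
printf '%s\n' "$BEFORE_NETSTAT" | check_dns_ports 5555 || echo "not finished yet"
```

On pfSense, sockstat -4 -l additionally prints the owning process for each socket, which makes it immediately obvious whether nextdns or unbound currently holds port 53.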

Template /usr/local/etc/nextdns.conf (replace the profile ID, subnets and domains with your own):

report-client-info true
detect-captive-portals false
bogus-priv true
use-hosts true
log-queries true
cache-size 10MB
max-ttl 5s
debug false
discovery-dns 127.0.0.1:5555
max-inflight-requests 256
setup-router false
cache-max-age 0s
hardened-privacy false
timeout 5s
profile 972ab5
forwarder internal.domain.com=127.0.0.1:5555
forwarder lab.domain.com=127.0.0.1:5555
mdns all
auto-activate true
listen localhost:53
listen 192.168.1.1:53
listen 192.168.10.1:53
control /var/run/nextdns.sock