For some time people know I’ve become a fan of the new service provided by NextDNS and it just got better. In my first post about the service, the only issue I really had was the lack of a block page and lack of direct integration with the Ubiquiti Secure Gateway (USG) product. Well as of this past weekend that is no more! Why is this great? Well it means all those devices on my network that can’t run the native client all now have Secure DNS lookups added along with the already in use ad and tracker blocking. This is a huge leap forward for privacy on your personal network and I commend the team at NextDNS and those helping on the bug thread. So what do you need to do to make it work?
How to Install and Configure NextDNS on the Ubiquiti Secure Gateway
First check out the thread about this installation as there is some good info there. I will point out this does not yet work on the Dream Machine. This assumes you already have a NextDNS profile setup
Make sure you have the latest USG firmware loaded and SSH into your USG and run the following command
sh -c 'sh -c "$(curl -sL https://nextdns.io/install)"'
Follow the prompts to setup this as a new device on your existing NextDNS profile
Now at this point in your logs you might see duplicate entries like this which seem odd. The exact same device ID and IP Address with two entries, one secure DNS the other not.
The solution to this is that you probably still have the NextDNS servers in your UBNT controller WAN interface. To finish the setup and get 100% secure DNS lookups where the USG is the DNS server for DHCP scopes simple set the WAN network DNS servers to 127.0.0.1 and publish the change.
Once you make this last simple change observe! All your clients that are not running the native NextDNS agent like AppleTV’s, FireSticks, and NAS devices are 100% Secure DNS!
For me this solidified my decision to move to NextDNS for both secure DNS as well as Pi-Hole-As-A-Service like filtering all in one place. They even added the option to save your logs outside of the US, and I’ve been working with them on some odd route failover issues specific to Comcast. They are always willing to help and work on new integrations and issues. Once again if you haven’t even tried this service please do and provide feedback to the team there!