NextDNS Now Works With The Ubiquiti Secure Gateway • Chris Colotti's Blog

NextDNS Now Works With The Ubiquiti Secure Gateway

For some time now people have known I've become a fan of the new service provided by NextDNS, and it just got better. In my first post about the service, the only real issues I had were the lack of a block page and the lack of direct integration with the Ubiquiti Secure Gateway (USG) product. Well, as of this past weekend that is no more! Why is this great? It means all those devices on my network that can't run the native client now get Secure DNS lookups in addition to the ad and tracker blocking already in use. This is a huge leap forward for privacy on your personal network, and I commend the team at NextDNS and those helping on the bug thread. So what do you need to do to make it work?

How to Install and Configure NextDNS on the Ubiquiti Secure Gateway

First, check out the thread about this installation, as there is some good info there. I will point out that this does not yet work on the Dream Machine. This assumes you already have a NextDNS profile set up.

Make sure you have the latest USG firmware loaded, then SSH into your USG and run the following command:

sh -c 'sh -c "$(curl -sL https://nextdns.io/install)"'

Follow the prompts to set this up as a new device on your existing NextDNS profile.

At this point you might see duplicate entries like this in your logs, which seems odd: the exact same device ID and IP address with two entries, one marked as secure DNS and the other not.

The cause is that you probably still have the NextDNS servers configured on the WAN interface in your UBNT controller, so the USG is still forwarding plain DNS to them alongside the new client. To finish the setup and get 100% secure DNS lookups, where the USG is the DNS server for the DHCP scopes, simply set the WAN network DNS servers to 127.0.0.1 and publish the change.

Once you make this last simple change, take a look: all your clients that are not running the native NextDNS agent, such as Apple TVs, Fire Sticks, and NAS devices, are now 100% Secure DNS!
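The two things the procedure above hinges on are that the NextDNS client is the only resolver bound to port 53 on the gateway, and that the WAN DNS list contains nothing but 127.0.0.1 so no lookup bypasses it. The following POSIX shell helper is an added example, not code from this post, the support thread, or NextDNS; it audits both conditions against constructed inputs (a netstat-style listing that reproduces the "port 53 already in use" failure a commenter reports, and a WAN DNS list where 198.51.100.53 is a documentation-range placeholder for a leftover public resolver), so it runs anywhere. On a real USG you would feed it the output of `netstat -lnp` and the DNS servers shown on the WAN network in the controller.

```shell
#!/bin/sh
# Added verification helper (not from the post, the thread, or NextDNS).
# Checks the two conditions the NextDNS-on-USG setup depends on:
#   1. nothing other than the nextdns client owns port 53 on the gateway
#   2. the WAN DNS servers are exactly 127.0.0.1, so the USG forwards
#      everything to the local client and nothing goes out in plain DNS

# Constructed netstat-style sample reproducing the situation where another
# resolver already holds port 53 and the NextDNS client cannot bind.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      412/systemd-resolve
udp        0      0 127.0.0.53:53           0.0.0.0:*                           412/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      731/sshd'

# port53_owners NETSTAT_TEXT
# Prints one "local-address process" line per socket bound to port 53.
# After a healthy install you expect only the nextdns process here.
port53_owners() {
  printf '%s\n' "$1" |
    awk '$4 ~ /:53$/ { split($NF, pid, "/"); print $4, pid[2] }' |
    sort -u
}

# port53_conflict NETSTAT_TEXT
# Returns 0 (true) when anything other than nextdns is bound to port 53,
# which is the "port 53 already in use" failure mode.
port53_conflict() {
  port53_owners "$1" | awk '$2 != "nextdns" { found = 1 } END { exit !found }'
}

# wan_dns_ok SERVER...
# Returns 0 only when every configured WAN DNS server is 127.0.0.1; any other
# address means the gateway still has a plain-DNS path that bypasses the client.
wan_dns_ok() {
  [ $# -gt 0 ] || return 1
  for server in "$@"; do
    [ "$server" = "127.0.0.1" ] || return 1
  done
  return 0
}

# Stand-alone run against the constructed samples.
if port53_conflict "$SAMPLE_NETSTAT"; then
  echo "port 53 is held by another resolver:"
  port53_owners "$SAMPLE_NETSTAT"
fi
# 198.51.100.53 is a documentation-range placeholder, not a real resolver.
wan_dns_ok 127.0.0.1 198.51.100.53 || echo "WAN DNS still points off-box; set it to 127.0.0.1 only"
```

Run it on the gateway with `port53_owners "$(netstat -lnp 2>/dev/null)"` after the install; if the only entries are the nextdns process, the commenter's bind failure does not apply, and `wan_dns_ok` with the controller's WAN DNS list confirms the final step of the post has taken effect.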

Summary

For me this solidified my decision to move to NextDNS for both secure DNS and Pi-hole-as-a-service style filtering, all in one place. They even added the option to store your logs outside of the US, and I've been working with them on some odd route failover issues specific to Comcast. They are always willing to help and to work on new integrations and issues. Once again, if you haven't yet tried this service, please do, and provide feedback to the team there!

About Chris Colotti

Chris is currently a Principal Architect at Cohesity. In his role he spends the majority of his time supporting Cohesity events and creating outward-facing content. He also acts as an active interface between the field and engineering/product management as customer zero in the TAG production lab. Chris is active on the VMUG and event speaking circuit and is available for many events if you want to reach out and ask. Prior to this he spent close to a decade working for VMware as a Principal Architect. Before his nine-plus years at VMware, Chris was a System Administrator who evolved his career into a data center architect. Chris spends a lot of time mentoring co-workers and friends on the benefits of personal growth and professional development. Chris is also amongst the first VMware Certified Design Experts (VCDX#37), and author of multiple white papers. In his spare time he helps his wife Julie run her promotional products business as the accountant, bookkeeper, and IT support. Chris also believes in both a healthy body and healthy mind, and has become heavily involved with fitness as a Diamond Team Beachbody Coach using P90X and other Beachbody programs. Although technology is his day job, Chris is passionate about fitness after losing 60 pounds himself in the last few years.

3 comments

  1. Thanks for the article! I was able to get NextDNS installed but it won’t start. It is complaining that systemd-resolv is already running on port 53

    Any suggestions?

    Thanks!
