How to install NextDNS on Pi-Hole using Secure DNS over HTTPS (DoH)
NextDNS on Pi-Hole install, configure and activate instructions.
Make sure you have a NextDNS account using this link: https://nextdns.io/
1: Install Pi-hole on Debian or Ubuntu. https://docs.pi-hole.net/main/prerequisites/
Some additional tips:
If you have an existing install and used cloudflared DoH – you can uninstall or use a different port instead.
You can even run cloudflared together with NextDNS by following these instructions, but only if you know what you are doing: https://www.cyberciti.biz/faq/configure-ubuntu-pi-hole-for-cloudflare-dns-over-https/
To remove cloudflared use: apt-get remove cloudflared
2: Run all the updates:
sudo apt-get update
sudo apt-get upgrade
sudo pihole -up
3: In the console, install NextDNS with the following commands:
sudo apt-get install curl
sudo apt install apt-transport-https # only necessary on Debian, but sometimes on Ubuntu too
sudo apt update # a second run of this may be needed
sh -c "$(curl -sL https://nextdns.io/install)"
4: Installer questions and answers for the NextDNS setup:
NextDNS Profile ID: – Log in at https://my.nextdns.io/ and look under Endpoints in the Setup section. It's the first entry, called “ID”
Report device name? : Y
Setup as router? : n (this is not needed for Pi-hole)
Enable caching? n (Pi-hole will do this)
Automatically setup local host DNS? n (not needed for Pi-hole)
5: Edit the config (very important)
sudo nano /etc/nextdns.conf
Change the local listening port from 53 to 5335, so that NextDNS does not clash with Pi-hole on port 53:
listen localhost:5335
or if your Pi-hole runs in a Docker container use: listen 0.0.0.0:5335
and optionally
listen ip6-localhost:5335
Don’t forget to save when done.
The following full config is just for reference:
control /var/run/nextdns.sock
cache-max-age 0s
detect-captive-portals false
hardened-privacy false
auto-activate true
listen localhost:5335
listen ip6-localhost:5335
forwarder mycompany.com.=https://dns.nextdns.io/XXXXX ## optional
forwarder mycompany2.com.=https://dns.nextdns.io/XXXXX ## optional
cache-size 100MB
discovery-dns
timeout 5s
max-ttl 10s
mdns all
use-hosts true
setup-router false
config XXXXX ## your ID account in NEXT-DNS
log-queries false
report-client-info true
bogus-priv true
max-inflight-requests 256
6: Restart the NextDNS service
sudo nextdns stop
sudo nextdns start
or just use: sudo nextdns restart
7: Check the log to see that nothing failed
sudo nextdns log
8: Open the Pi-hole web interface and go to the DNS settings: /admin/settings.php?tab=dns
Deselect any options under Upstream DNS Servers like Google, OpenDNS etc.
Add a Custom 1 (IPv4) upstream using
127.0.0.1#5335
Note that Pi-hole uses a # rather than a : before the port number, unlike most other systems.
If Pi-hole instantly fails, go back and check your NextDNS setup: possibly restart the entire system and recheck the config, then restart NextDNS, and check that apt-transport-https is installed.
9: Check DNS with:
https://browserleaks.com/dns or https://www.dnsleaktest.com/
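As an added check (example script, not part of the nextdns or Pi-hole projects), the following Python validates the listen-port edit from the config step against a constructed nextdns.conf and derives the Pi-hole Custom upstream string; the sample configs and the profile ID abc123 are made up.

```python
"""Check a nextdns.conf before pointing Pi-hole at it (added example): flags
a 'listen' still on port 53, a placeholder profile ID or router mode left on,
and derives the Pi-hole upstream string ('#' rather than ':' before the port)."""
PLACEHOLDER_IDS = {"", "XXXXX"}  # placeholder ID from the reference config

# Constructed sample: roughly what the installer leaves behind.
BAD_CONF = """\
listen localhost:53
setup-router true
config XXXXX ## your ID account in NEXT-DNS
"""
# Constructed sample: the same file after the listen-port edit.
GOOD_CONF = """\
listen localhost:5335
listen ip6-localhost:5335
setup-router false
config abc123 ## made-up profile ID
"""

def parse_nextdns_conf(text):
    """Return (key, value) pairs in file order; keys such as 'listen' may repeat."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if line:
            key, _, value = line.partition(" ")
            pairs.append((key, value.strip()))
    return pairs

def check_conf(text):
    """Return a list of problems; an empty list means the file looks ready."""
    pairs = parse_nextdns_conf(text)
    problems = []
    for addr in (v for k, v in pairs if k == "listen"):
        if addr.rsplit(":", 1)[-1] == "53":
            problems.append(f"'listen {addr}' is on port 53, which Pi-hole owns")
    last = dict(pairs)  # for single-valued keys the last occurrence wins
    if last.get("config", "") in PLACEHOLDER_IDS:
        problems.append("'config' is still the placeholder, not your profile ID")
    if last.get("setup-router") == "true":
        problems.append("'setup-router true' is not needed behind Pi-hole")
    return problems

def pihole_upstream(listen_addr):
    """Turn 'localhost:5335' into the '127.0.0.1#5335' form Pi-hole wants."""
    host, _, port = listen_addr.rpartition(":")
    return f"{'127.0.0.1' if host == 'localhost' else host}#{port}"
```

Run it against the real file with check_conf(open("/etc/nextdns.conf").read()) before restarting the service.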
References:
Install: https://github.com/nextdns/nextdns/wiki/Debian-Based-Distribution
Commands: https://github.com/nextdns/nextdns/wiki
Debug CLI DNS Test: dig pi-hole.net @127.0.0.1 -p 5335
https://github.com/pi-hole/pi-hole
https://docs.pi-hole.net/core/pihole-command/
UniFi install: https://github.com/nextdns/nextdns/wiki/UnifiOS