
NextDNS CLI 1.40+ breaks DNS CatchAll IP tables rules #877

Open
jinkang23 opened this issue Oct 7, 2023 · 2 comments
Labels
🐞 bug Something isn't working

Comments

jinkang23 commented Oct 7, 2023

  • CLI Version: 1.41.0
  • Platform: UDM Pro 3.1.16

I have iptables rules that act as a catch-all to redirect all DNS queries on ports 53 and 853 to localhost so NextDNS can resolve them.

This worked prior to the 1.40 release. I suspect it is due to the 1.40+ releases using dnsmasq now. However, I can't figure out what I need to modify to make this work. When these rules are added, DNS lookups just hang. For example, when I try to go to test.nextdns.io from a client PC, it hangs and never loads.
When I run curl -L https://test.nextdns.io from the UDM Pro, it works fine with the rules added.

I would appreciate any help in this. Thank you!

Here's what worked when running 1.39.4:

iptables -t nat -N NEXTDNS_CATCHALL
iptables -t nat -A PREROUTING ! -d 127.0.0.0/8 ! -s 192.168.20.66 -j NEXTDNS_CATCHALL
iptables -t nat -A NEXTDNS_CATCHALL -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:5353
iptables -t nat -A NEXTDNS_CATCHALL -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1:5353
iptables -t nat -A NEXTDNS_CATCHALL -p udp -m udp --dport 853 -j DNAT --to-destination 127.0.0.1:5353
iptables -t nat -A NEXTDNS_CATCHALL -p tcp -m tcp --dport 853 -j DNAT --to-destination 127.0.0.1:5353
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.0.0-192.168.255.255 -j MASQUERADE

Here are two variants I've tried with 1.41.0:

iptables -t nat -N NEXTDNS_CATCHALL
iptables -t nat -A PREROUTING ! -d 127.0.0.0/8 ! -s 192.168.20.66 -j NEXTDNS_CATCHALL
iptables -t nat -A NEXTDNS_CATCHALL -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1
iptables -t nat -A NEXTDNS_CATCHALL -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1
iptables -t nat -A NEXTDNS_CATCHALL -p udp -m udp --dport 853 -j DNAT --to-destination 127.0.0.1
iptables -t nat -A NEXTDNS_CATCHALL -p tcp -m tcp --dport 853 -j DNAT --to-destination 127.0.0.1
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.0.0-192.168.255.255 -j MASQUERADE

iptables -t nat -N NEXTDNS_CATCHALL
iptables -t nat -A PREROUTING ! -d 127.0.0.0/8 ! -s 192.168.20.66 -j NEXTDNS_CATCHALL
iptables -t nat -A NEXTDNS_CATCHALL -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:5342
iptables -t nat -A NEXTDNS_CATCHALL -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1:5342
iptables -t nat -A NEXTDNS_CATCHALL -p udp -m udp --dport 853 -j DNAT --to-destination 127.0.0.1:5342
iptables -t nat -A NEXTDNS_CATCHALL -p tcp -m tcp --dport 853 -j DNAT --to-destination 127.0.0.1:5342
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.0.0-192.168.255.255 -j MASQUERADE
@jinkang23 jinkang23 added the 🐞 bug Something isn't working label Oct 7, 2023
@paulg1981

I also had the same issue. I forgot I had set up the catch-all rules and it took me a minute to figure out why DNS wasn't resolving.

Any help in updating the catch-all rules for the latest versions would be most appreciated.

vt0r commented Nov 9, 2023

Probably out of scope for the nextdns repo, but I also had the same issue and just finally got mine working fully again. After the nextdns activate step, it seems like nextdns is now using dnsmasq and forwarding to the nextdns client from there as an upstream - probably a good move, but it breaks our earlier assumptions. Here is the gist of how I'm currently handling it, which is based on the original nextdns-catchall that we all probably started from: https://gist.github.com/vt0r/2b5702844530aeddb64a3d1232dfea76. Find the new version at the following repository: https://github.com/vt0r/nextdns-catchall. Hope that helps someone!
