It's now located in an actual repo:
Last active
May 11, 2024 20:07
-
-
Save vt0r/2b5702844530aeddb64a3d1232dfea76 to your computer and use it in GitHub Desktop.
NextDNS catch-all for UDM (+IPv6)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # --- | |
| # This file goes in /data/on_boot.d/10-nextdns-catchall.sh (mode a+x) | |
| SERVICE_FILE="nextdns-catchall.service" | |
| SOURCE_FILE_PATH="/data/${SERVICE_FILE}" | |
| SYSTEMD_FILE_PATH="/etc/systemd/system/${SERVICE_FILE}" | |
| # Exit right away if the source file is not present | |
| if [ ! -f $SOURCE_FILE_PATH ]; then | |
| echo "Can't find service file ${SOURCE_FILE_PATH}" | |
| exit 1 | |
| fi | |
| sha256() { | |
| sha256sum $1 | cut -d' ' -f1 | |
| } | |
| INSTALLED_SUM="$(sha256 $SYSTEMD_FILE_PATH)" | |
| SOURCE_SUM="$(sha256 $SOURCE_FILE_PATH)" | |
| if [ "$INSTALLED_SUM" = "$SOURCE_SUM" ]; then | |
| echo "Already installed and up to date. Doing nothing." | |
| exit 0 | |
| fi | |
| cp $SOURCE_FILE_PATH $SYSTEMD_FILE_PATH | |
| systemctl daemon-reload | |
| systemctl enable $SERVICE_FILE | |
| systemctl start $SERVICE_FILE |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This file goes in /data/nextdns-catchall.service (mode a+r) | |
| [Unit] | |
| Description=NextDNS Catch all traffic | |
| After=nextdns.service | |
| Requires=nextdns.service | |
| [Install] | |
| WantedBy=multi-user.target nextdns.service | |
| [Service] | |
| Type=oneshot | |
| RemainAfterExit=yes | |
| # Add one of these for each bridge interface that has a LAN IP | |
| # and hosts a LAN subnet (one for each VLAN). Examples: | |
| ExecStart=sysctl -w net.ipv4.conf.br0.route_localnet=1 | |
| # ExecStart=sysctl -w net.ipv4.conf.br100.route_localnet=1 | |
| # ExecStart=sysctl -w net.ipv4.conf.br200.route_localnet=1 | |
| # ... | |
| # Add one of these for each VPN interface (WireGuard, OpenVPN, Teleport) | |
| # ExecStart=sysctl -w net.ipv4.conf.wgsrv1.route_localnet=1 | |
| # ExecStart=sysctl -w net.ipv4.conf.tun0.route_localnet=1 | |
| # ... | |
| ExecStart=/usr/bin/env bash -c "iptables -w 30 -t nat -N NEXTDNS_CATCHALL || iptables -w 30 -t nat -F NEXTDNS_CATCHALL" | |
| ExecStart=/usr/bin/env bash -c "iptables -w 30 -t nat -C PREROUTING -m udp -p udp --dport 53 -j NEXTDNS_CATCHALL >/dev/null 2>&1 || iptables -w 30 -t nat -A PREROUTING -m udp -p udp --dport 53 -j NEXTDNS_CATCHALL" | |
| ExecStart=/usr/bin/env bash -c "iptables -w 30 -t nat -C PREROUTING -m tcp -p tcp --dport 53 -j NEXTDNS_CATCHALL >/dev/null 2>&1 || iptables -w 30 -t nat -A PREROUTING -m tcp -p tcp --dport 53 -j NEXTDNS_CATCHALL" | |
| # Have some internal (or external) DNS servers you want to allow unencrypted queries to? | |
| # The following two examples show how you can add exceptions to the catch all for UDP and TCP | |
| # NOTE: this will allow UNENCRYPTED queries to hit any IP(s) you add here as exceptions, so be careful! | |
| # Allowing any external IPs here defeats the purpose of this script if you need to leave your internal network to reach them! | |
| # You should specify each IP as a CIDR (just append /32), and you can add multiple, comma-separated, right after "-d" (destination) | |
| # -- | |
| # ExecStart=iptables -w 30 -t nat -A NEXTDNS_CATCHALL -p udp -m udp -d 172.27.72.1/32,192.168.0.1/32 --dport 53 -j RETURN | |
| # ExecStart=iptables -w 30 -t nat -A NEXTDNS_CATCHALL -p tcp -m tcp -d 172.27.72.1/32,192.168.0.1/32 --dport 53 -j RETURN | |
| ExecStart=iptables -w 30 -t nat -A NEXTDNS_CATCHALL -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:5342 | |
| ExecStart=iptables -w 30 -t nat -A NEXTDNS_CATCHALL -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1:5342 | |
| ExecStart=/usr/bin/env bash -c "ip6tables -w 30 -t nat -N NEXTDNS_CATCHALL || ip6tables -w 30 -t nat -F NEXTDNS_CATCHALL" | |
| ExecStart=/usr/bin/env bash -c "ip6tables -w 30 -t nat -C PREROUTING -m udp -p udp --dport 53 -j NEXTDNS_CATCHALL >/dev/null 2>&1 || ip6tables -w 30 -t nat -A PREROUTING -m udp -p udp --dport 53 -j NEXTDNS_CATCHALL" | |
| ExecStart=/usr/bin/env bash -c "ip6tables -w 30 -t nat -C PREROUTING -m tcp -p tcp --dport 53 -j NEXTDNS_CATCHALL >/dev/null 2>&1 || ip6tables -w 30 -t nat -A PREROUTING -m tcp -p tcp --dport 53 -j NEXTDNS_CATCHALL" | |
| ExecStart=ip6tables -w 30 -t nat -A NEXTDNS_CATCHALL -p udp -m udp --dport 53 -j DNAT --to-destination ::1:5342 | |
| ExecStart=ip6tables -w 30 -t nat -A NEXTDNS_CATCHALL -p tcp -m tcp --dport 53 -j DNAT --to-destination ::1:5342 | |
| ExecStop=iptables -w 30 -t nat -D PREROUTING -m udp -p udp --dport 53 -j NEXTDNS_CATCHALL | |
| ExecStop=iptables -w 30 -t nat -D PREROUTING -m tcp -p tcp --dport 53 -j NEXTDNS_CATCHALL | |
| ExecStop=-iptables -w 30 -t nat -D PREROUTING ! -d 127.0.0.0/8 -m udp -p udp --dport 53 -j NEXTDNS_CATCHALL | |
| ExecStop=-iptables -w 30 -t nat -D PREROUTING ! -d 127.0.0.0/8 -m tcp -p tcp --dport 53 -j NEXTDNS_CATCHALL | |
| ExecStop=iptables -w 30 -t nat -F NEXTDNS_CATCHALL | |
| ExecStop=iptables -w 30 -t nat -X NEXTDNS_CATCHALL | |
| ExecStop=ip6tables -w 30 -t nat -D PREROUTING -m udp -p udp --dport 53 -j NEXTDNS_CATCHALL | |
| ExecStop=ip6tables -w 30 -t nat -D PREROUTING -m tcp -p tcp --dport 53 -j NEXTDNS_CATCHALL | |
| ExecStop=-ip6tables -w 30 -t nat -D PREROUTING ! -d ::1 -m udp -p udp --dport 53 -j NEXTDNS_CATCHALL | |
| ExecStop=-ip6tables -w 30 -t nat -D PREROUTING ! -d ::1 -m tcp -p tcp --dport 53 -j NEXTDNS_CATCHALL | |
| ExecStop=ip6tables -w 30 -t nat -F NEXTDNS_CATCHALL | |
| ExecStop=ip6tables -w 30 -t nat -X NEXTDNS_CATCHALL |
Also, I'm going to move this whole thing into a real git repo and will share the link here when done. This ensures we can have real issue tracking, pull requests, etc.
EDIT - done. Added a README file to the top of the list that points to the new repository. You can find it here:
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Made some changes to
nextdns-catchall.serviceagain, and they should be fully backwards compatible. Here's the list:WantedBy) fornextdns.service. This ensures systemd will try to start this after nextdns starts127.0.0.1/8(like dnsmasq) with less specific ones that just match UDP/TCP on port 53. This goes back to circumventing the built-in dnsmasq server, as the nextdns-injected config can potentially get ignored. This has the added benefit of also redirecting some queries sent by the UDM itself - though not all>/dev/null 2>&1to silence error output from the firstiptables -Ccommands that check for existence of a specific rule. It doesn't need to be printing a failure every time, as that's misleading. The command we run after the OR (||) does succeed and outputs nothing, so we stop that here.127.0.0.1/8in PREROUTING tables, since the rule format changed a bit in the latest edit. These ExecStop commands are prefixed with-, as they're expected to fail after the first time, and we don't want those expected failures to impact the stop of our service.I'd recommend anyone using this to update. Before applying the updates, you can run
systemctl stop nextdns-catchall.serviceif you want to manually clean up rules first. If you do not do this stop step first, then after updating/data/nextdns-catchall.serviceand running/data/on_boot.d/10-nextdns-catchall.sh, you may want to run asystemctl restart nextdns-catchall.service(once) just for good measure to make sure that extra cleanup happens, if necessary. This will only need to happen once on this change, due to the way the rules added to (and removed from on stop) thePREROUTINGtables changed slightly.