How to Use Locally Caching DNS forwarding on an OpenBSD Laptop Without Breaking Captive Portals

## Introduction

Hey there! I use OpenBSD on laptops primarily, and since I’ve got that neurospice, I don’t have a consistent workplace. I find myself working at nature reserves, coffee shops, and libraries. I’m a fan of ad-blocking and privacy, especially when it can be done easily without fiddling with browser extensions. Tools like PiHole are cool, but they’re tied to the network they reside on, which doesn’t work for me.

There is a service called NextDNS that can act as a DNS resolver with its own blocklist manager WebUI. However, as far as I can tell, their command-line utility is inconsistent and unreliable on OpenBSD. It’s also not a port, so I’d rather not use it unless it’s at least tested by the ports@ list.

I was reading about forwarding DNS to NextDNS and remembered that `unwind` comes with OpenBSD. Cool! So, just configure `unwind` to forward all DNS requests to NextDNS, right? Not so simple. Many places I work from use captive portals for wireless access, and I need to temporarily use the network’s DNS server to connect to the portal in Firefox. So, how do I handle this?

Fortunately, unwind makes client DNS fallback simple.

## Here's my `/etc/unwind.conf`:

    auth="devicename-xxxxxx.dns.nextdns.io"

    forwarder {
            45.90.28.80 authentication name $auth DoT
            45.90.30.80 authentication name $auth DoT
            2a07:a8c0:: authentication name $auth DoT
            2a07:a8c1:: authentication name $auth DoT
    }

    preference {
            DoT
            autoconf
    }

The `auth` macro holds the TLS authentication name, so every forwarder line gets the same value. unwind uses the `authentication name` on a forwarder line to validate the certificate the DoT server presents; a server that cannot prove it is `$auth` is not used. With NextDNS the name also carries your profile ID and device name, which is how the forwarder knows which profile (and blocklists) apply to your queries.

Swap `xxxxxx` out for your NextDNS profile ID (the one shown on your my.nextdns.io setup page), and `devicename` for whatever device identifier you want to see in the NextDNS logs.

Note: change out the first IPv4 address for what your my.nextdns.io page says. Mine used to be 45.90.28.0 many moons ago, but it looks like my account migrated to a different server IP at some point. The IPv6 addresses seem to be consistent regardless of account, though.

The preference block tells unwind to prefer DoT and to fall back to the resolvers learned via autoconf (DHCP or router advertisements) when the DoT forwarders do not work. unwind checks each resolver strategy and walks the list in the stated order, so on a captive-portal network, where nothing reaches the forwarders until you have authenticated, it uses the portal’s DNS server, Firefox can load the login page, and once a DoT forwarder answers again unwind goes back to it. `unwindctl status` shows which strategy is currently in use. Two caveats worth knowing: while the autoconf fallback is active, your queries go to the network’s resolver in the clear with no NextDNS filtering, and any network can trigger that fallback simply by blocking port 853; and answers cached from the portal’s resolver stay in unwind’s cache until their TTL expires. In the case of captive portals, having a fallback is still nice.
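To make the two paths concrete, here is an added example (my own code, not part of unwind or NextDNS) that does by hand what the config above asks unwind to do: a DoT exchange on port 853 with the server certificate validated against the authentication name, a length-prefixed DNS message per RFC 7858, and a plain UDP fallback to a resolver the network handed out, tried in the same `DoT` then `autoconf` order. The forwarder addresses are the ones from the post; the authentication name is the placeholder from the config, and `192.0.2.1` is an assumed stand-in for a DHCP-supplied resolver, so substitute your own values before running it.

```python
import random
import socket
import ssl
import struct

DOT_PORT = 853   # DNS over TLS, RFC 7858
UDP_PORT = 53    # plain Do53, what a captive portal's resolver speaks


def build_query(name, qid, qtype=1):
    """Serialize a minimal recursive DNS query (A record by default)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(msg, pos):
    """Advance past a (possibly compressed) domain name starting at pos."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + length


def parse_response(msg, expect_qid):
    """Return rcode, TC flag and A-record addresses; reject replies with a
    mismatched ID, which on a hostile network is a spoofing attempt."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qid != expect_qid:
        raise ValueError("DNS ID mismatch (stray or spoofed reply)")
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4          # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return {"rcode": flags & 0xF, "truncated": bool(flags & 0x0200), "addrs": addrs}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DoT server closed the connection early")
        buf += chunk
    return buf


def query_dot(server, auth_name, name, timeout=3.0):
    """DoT exchange: TLS to port 853 with the chain and hostname checked against
    auth_name (the job of unwind's 'authentication name'), then a 2-byte
    length-prefixed DNS message."""
    ctx = ssl.create_default_context()       # CA verification and check_hostname on
    qid = random.randrange(65536)
    query = build_query(name, qid)
    with socket.create_connection((server, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length), qid)


def query_udp(server, name, timeout=3.0):
    """Plain Do53 exchange against a network-supplied resolver (the autoconf path)."""
    qid = random.randrange(65536)
    query = build_query(name, qid)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, UDP_PORT))
        msg, _ = s.recvfrom(4096)
    return parse_response(msg, qid)


def resolve_with_fallback(name, dot_servers, auth_name, autoconf_servers):
    """Mirror 'preference { DoT autoconf }': every DoT forwarder first, and only
    then the plaintext resolvers the network handed out."""
    for server in dot_servers:
        try:
            return "DoT", server, query_dot(server, auth_name, name)
        except (OSError, ValueError) as exc:   # ssl.SSLError is an OSError
            print(f"DoT via {server} failed: {exc}")
    for server in autoconf_servers:
        try:
            return "autoconf", server, query_udp(server, name)
        except (OSError, ValueError) as exc:
            print(f"UDP via {server} failed: {exc}")
    raise RuntimeError("no resolver answered")


if __name__ == "__main__":
    # Assumed values: forwarders from the post, the placeholder authentication
    # name, and 192.0.2.1 standing in for the resolver DHCP handed out.
    print(resolve_with_fallback(
        "openbsd.org",
        ["45.90.28.80", "45.90.30.80"],
        "devicename-xxxxxx.dns.nextdns.io",
        ["192.0.2.1"],
    ))
```

Behind a captive portal the first loop fails (connection refused, timeout, or a TLS error if the portal intercepts port 853 with its own certificate, which is exactly what the authentication name is there to catch) and the answer comes back tagged `autoconf`, which is the same decision unwind makes for you.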

tags: openbsd, laptop, internet-privacy, online-privacy, guide, unbound-dns, nextdns, unwind, dns