NextDNS Now Works With The Ubiquiti Secure Gateway

For some time people know I’ve become a fan of the new service provided by NextDNS and it just got better.  In my first post about the service, the only issue I really had was the lack of a block page and lack of direct integration with the Ubiquiti Secure Gateway (USG) product.  Well as of this past weekend that is no more!  Why is this great?  Well it means all those devices on my network that can’t run the native client all now have Secure DNS lookups added along with the already in use ad and tracker blocking.  This is a huge leap forward for privacy on your personal network and I commend the team at NextDNS and those helping on the bug  thread.  So what do you need to do to make it work?

How to Install and Configure NextDNS on the Ubiquiti Secure Gateway

First check out the thread about this installation as there is some good info there.  I will point out this does not yet work on the Dream Machine.  This assumes you already have a NextDNS profile setup

Make sure you have the latest USG firmware loaded and SSH into your USG and run the following command

sh -c 'sh -c "$(curl -sL"'

Follow the prompts to setup this as a new device on your existing NextDNS profile

Now at this point in your logs you might see duplicate entries like this which seem odd.  The exact same device ID and IP Address with two entries, one secure DNS the other not.

The solution to this is that you probably still have the NextDNS servers in your UBNT controller WAN interface.  To finish the setup and get 100% secure DNS lookups where the USG is the DNS server for DHCP  scopes simple set the WAN network DNS servers to and publish the change.

Once you make this last simple change observe!  All your clients that are not running the native NextDNS agent like AppleTV’s, FireSticks, and NAS devices are 100% Secure DNS!


For me this solidified my decision to move to NextDNS for both secure DNS as well as Pi-Hole-As-A-Service like filtering all in one place.  They even added the option to save your logs outside of the US, and I’ve been working with them on some odd route failover issues specific to Comcast.  They are always willing to help and work on new integrations and issues.  Once again if you haven’t even tried this service please do and provide feedback to the team there!

About Chris Colotti

Chris is active on the VMUG and event speaking circuit and is available for many events if you want to reach out and ask. Previously to this he spent close to a decade working for VMware as a Principal Architect. Previous to his nine plus years at VMware, Chris was a System Administrator that evolved his career into a data center architect. Chris spends a lot of time mentoring co-workers and friends on the benefits of personal growth and professional development. Chris is also amongst the first VMware Certified Design Experts (VCDX#37), and author of multiple white papers. In his spare time he helps his wife Julie run her promotional products as the accountant, book keeper, and IT Support. Chris also believes in both a healthy body and healthy mind, and has become heavily involved with fitness as a Diamond Team Beachbody Coach using P90X and other Beachbody Programs. Although Technology is his day job, Chris is passionate about fitness after losing 60 pounds himself in the last few years.


  1. Thanks for the article! I was able to get NextDNS installed but it won’t start. It is complaining that systemd-resolv is already running on port 53

    Any suggestions?


  2. Is this persistent or do i lose this after an upgrade of the usg?

  3. Is there a way to update to the latest release of NextDNS CLI without uninstalling and reinstalling?

  4. Hi Chris and thank you for the article. Out of curiosity, have you had any issues with NextDNS and the Unifi Controller? I’m asking because after I installed NextDNS on my USG I noticed that all the devices switched to “disconnected”.

    • I did not have issues with devices at all disconnecting. The USG needs the WAN DNS to point to but I have found the UDM/UDM pro does not like that. The devices should be using the USG .1 address as their DNS and they COULD disconnect depending on your settings for adoption. I always use IP for the adoption in the devices not DNS…

  5. Thanks so much for this! I ran the CLI interface, and as far as I can tell everything’s working OK.

    With that said, originally when I set up my USG, I found that I had to manually change the DNS settings under both of my networks (using the app, under Settings > Networks > select network > Edit > DHCP Server). They’re still set (manually) to my old DNS settings. Should I just blank them out? If not, what should they be set to?

    • If you are talking about the LAN networks I always left does blank if you force them to your old DNS you’re clients are not getting the benefit, just leave the default settings for DNS on the LAN side.

Leave a Reply

Your email address will not be published. Required fields are marked *