11 April 2026

📌 Soen in the headphones. NextDNS finally off the shelf.

Had a NextDNS subscription sitting unused for months. Today felt like the right time to actually use it.

The starting point was worse than expected. pfSense had a reverse proxy IP in the DNS field - NPM, which has nothing to do with DNS - and a ticked override box that silently handed all resolution to Virgin Media. The kind of configuration that works until you look at it closely. Nobody had looked at it closely.

Untangling it meant understanding the full stack first. A dig on an internal hostname pointed to 127.0.0.53. resolvectl status showed 192.168.0.101 as the upstream. Pi-hole. Which feeds Unbound. A fully recursive resolver that was already running quietly, resolving directly from root servers, telling nobody anything. It had been there the whole time.

That changed the plan. Replacing Unbound with NextDNS would have been a step backwards in privacy terms. So the architecture stayed intact. Pi-hole and Unbound handle the internal network. pfSense now points to NextDNS for its own resolution instead of the broken config it had before. Clean separation.

The interesting part was the edges. Android got Private DNS configured to the NextDNS profile endpoint. That covered the phone outside the house. But internal domains - everything under jolek78.dev - needed a rewrite rule in NextDNS pointing *.jolek78.dev to 192.168.0.110; without it, a phone at home but resolving through NextDNS would never see the internal addresses and NPM would be unreachable. That solved it.

The laptop took longer to think through. WireGuard is always active, both at home and outside. The tunnel terminates here, DNS goes through Pi-hole regardless of physical location. The config had Google as a fallback, which was the only thing worth fixing. Replaced it with the NextDNS endpoints. The chain is now Pi-hole first, NextDNS second, Cloudflare as last resort. Intentional degradation instead of silent leaking.

root@jolek78-mizar:/etc/wireguard# resolvectl status wg02
Link 9 (wg02)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.0.101
       DNS Servers: 192.168.0.101 45.90.28.203 45.90.30.203 1.1.1.1
       DNS Domain: ~.
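A check for that chain, as an added example rather than anything from the post: it parses a saved `resolvectl status` listing and flags any resolver outside the intended order, which is how a stray Google or ISP fallback like the one fixed above would show up. It assumes the four addresses in the listing are the whole intended chain; 8.8.8.8 (Google's public resolver) is used as a constructed stand-in for the old fallback.

```shell
#!/bin/sh
# Audit a systemd-resolved link's resolver chain against the intended order.
# Added example, not from the post; it parses `resolvectl status <link>` output
# passed as a string, so it can be run offline on a saved listing.

# Intended chain from the post: Pi-hole first, NextDNS second, Cloudflare last.
EXPECTED_CHAIN="192.168.0.101 45.90.28.203 45.90.30.203 1.1.1.1"

# Print the space-separated "DNS Servers:" list from resolvectl output on stdin.
dns_servers() {
  sed -n 's/^[[:space:]]*DNS Servers:[[:space:]]*//p' | tr -s ' '
}

# Print the "Current DNS Server:" value from resolvectl output on stdin.
current_server() {
  sed -n 's/^[[:space:]]*Current DNS Server:[[:space:]]*//p'
}

# audit_chain "<resolvectl output>"
# Returns 0 only when the chain is exactly EXPECTED_CHAIN (same servers, same
# order) and the server currently in use is the first hop (Pi-hole). Any
# resolver outside the chain, such as a leftover Google or ISP fallback, is
# reported on stderr and the function returns 1.
audit_chain() {
  actual=$(printf '%s\n' "$1" | dns_servers)
  current=$(printf '%s\n' "$1" | current_server)
  rc=0
  for s in $actual; do
    case " $EXPECTED_CHAIN " in
      *" $s "*) ;;
      *) echo "unexpected resolver in chain: $s" >&2; rc=1 ;;
    esac
  done
  [ "$actual" = "$EXPECTED_CHAIN" ] || { echo "chain order differs: $actual" >&2; rc=1; }
  [ "$current" = "${EXPECTED_CHAIN%% *}" ] || { echo "not using first hop: $current" >&2; rc=1; }
  return $rc
}

# Constructed sample: the wg02 listing from the post (clean state).
GOOD_STATUS='Link 9 (wg02)
    Current Scopes: DNS
Current DNS Server: 192.168.0.101
       DNS Servers: 192.168.0.101 45.90.28.203 45.90.30.203 1.1.1.1'

# Constructed sample of the earlier state: Google (8.8.8.8) still listed as fallback.
BAD_STATUS='Link 9 (wg02)
Current DNS Server: 192.168.0.101
       DNS Servers: 192.168.0.101 8.8.8.8'

# Live use: audit_chain "$(resolvectl status wg02)"
```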

The network works the same as before. Virgin Media no longer sees anything. At least, for now.