So, I’ve managed to get IPv6 working with NextDNS but am having issues with their MT updating config:
/tool fetch url=https://curl.se/ca/cacert.pem
/certificate import file-name=cacert.pem
/certificate set [find where name~"cacert"] trusted=yes
/ip dns static add name=dns.nextdns.io address=45.90.28.0
/ip dns static add name=dns.nextdns.io address=45.90.30.0
/ip dns static add name=dns.nextdns.io address=2a07:a8c0::
/ip dns static add name=dns.nextdns.io address=2a07:a8c1::
/ip dns set servers=45.90.28.0,45.90.30.0
/ip dns set use-doh-server=https://dns.nextdns.io/fda4c2 verify-doh-cert=yes
which, when entered returns:
> /tool fetch url=https://curl.se/ca/cacert.pem
status: finished
downloaded: 219KiB
total: 219KiB
duration: 0s
[nuiadmin@Home Router AX] > ress=45.90.28.0
syntax error (line 1 column 5)
[nuiadmin@Home Router AX] > /ip dns static add name=dns.nextdns.io address=45.90.30.0
[nuiadmin@Home Router AX] > /ip dns static add name=dns.nextdns.io address=2a07:a8c0::
[nuiadmin@Home Router AX] > /ip dns static add name=dns.nextdns.io address=2a07:a8c1::
[nuiadmin@Home Router AX] >
[nuiadmin@Home Router AX] > /ip dns set servers=45.90.28.0,45.90.30.0
It adds the DNS settings, but I think it has something to do with certificates. But that’s just a stab in the dark.
Hopefully someone will be able to help.
Cheers.
As of the past few RouterOS releases, you no longer need to add a third-party cert bundle. The default cert set should be fine for this:
/certificate settings
set builtin-trust-store=container,dns
Also, your IPv6 static addresses should be the special per-client ones that identify you to NextDNS. (2a07:a8c0::XX:YYYY)
I would also drop the IPv4 ones for this same reason: any time you fall back to that address, you fall into the generic client bucket, which prevents NextDNS from doing the things you have configured it to do anytime your public IP changes on them.
Thanks for this, but this was returned:
/certificate/settings> set builtin-trust-store=container,dns
expected end of command (line 1 column 5)
I have an IPv4 script that I’ve run successfully when I point NextDNS to DuckDNS. The script is as follows:
:local duckdnsToken "xxxxxxx"
:local duckdnsHostname "xxxxxx"
# Declare without a value so the last-seen IP persists between runs
:global previousIP
# Look up the current public IPv4 address
/tool fetch url="https://api.ipify.org" mode=https dst-path=mypublicip.txt
:local currentIP [/file get mypublicip.txt contents]
:log info "Fetched current IP as $currentIP"
:if ($currentIP != $previousIP) do={
    :log info "DuckDNS: Update needed"
    :set previousIP $currentIP
    :local url "https://www.duckdns.org/update?domains=$duckdnsHostname&token=$duckdnsToken&ip=$currentIP"
    /tool fetch url=($url) mode=https dst-path=("/net_duckdns.txt")
    :delay 2
    :local reply [/file get net_duckdns.txt contents]
    :log info "DuckDNS update complete. Reply: $reply"
} else={
    :log info "DuckDNS: No update needed"
}
Can this be modified for both IPv4 and 6? If so, how? I think I’d prefer this way as opposed to the other.
AI to the rescue! Script redone and working great.
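For readers who land on this thread, here is one way the DuckDNS script can cover both address families. It is an added example, not the script any poster ended up with. It assumes `/tool fetch` accepts `output=user as-value`, that api6.ipify.org returns the IPv6 address, that DuckDNS takes an `ipv6=` parameter, and that a CA for both services is already trusted on the router (the certificate step discussed at the top of the thread), since `check-certificate=yes` rejects the connection otherwise.

```routeros
# Added example. Token and hostname are placeholders, as in the script above.
:local duckdnsToken "xxxxxxx"
:local duckdnsHostname "xxxxxx"
# Declared without a value so the last-sent addresses persist between runs.
:global previousIP4
:global previousIP6
:local currentIP4 ""
:local currentIP6 ""

# Assumption: api.ipify.org answers over IPv4 and api6.ipify.org over IPv6.
# check-certificate=yes makes fetch fail unless the server certificate chains to a trusted CA.
:do {
    :set currentIP4 ([/tool fetch url="https://api.ipify.org" check-certificate=yes output=user as-value]->"data")
} on-error={ :log warning "DuckDNS: IPv4 lookup failed" }
:do {
    :set currentIP6 ([/tool fetch url="https://api6.ipify.org" check-certificate=yes output=user as-value]->"data")
} on-error={ :log warning "DuckDNS: IPv6 lookup failed" }

# A family whose lookup failed stays empty and is left out of the comparison and the update.
:local changed4 (($currentIP4 != "") and ($currentIP4 != $previousIP4))
:local changed6 (($currentIP6 != "") and ($currentIP6 != $previousIP6))

:if ($changed4 or $changed6) do={
    :local url "https://www.duckdns.org/update?domains=$duckdnsHostname&token=$duckdnsToken"
    :if ($currentIP4 != "") do={ :set url ($url . "&ip=" . $currentIP4) }
    :if ($currentIP6 != "") do={ :set url ($url . "&ipv6=" . $currentIP6) }
    :do {
        :local reply ([/tool fetch url=$url check-certificate=yes output=user as-value]->"data")
        # Log the reply only; the URL carries the token and should stay out of the log.
        :log info "DuckDNS update reply: $reply"
        # Remember the addresses only after DuckDNS confirms, so a failed update is retried.
        :if ([:pick $reply 0 2] = "OK") do={
            :if ($currentIP4 != "") do={ :set previousIP4 $currentIP4 }
            :if ($currentIP6 != "") do={ :set previousIP6 $currentIP6 }
        }
    } on-error={ :log warning "DuckDNS: update request failed" }
} else={
    :log info "DuckDNS: No update needed"
}
```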