0

Wrong IPs returned for domain, resulting in certificate errors

Hi,

I'm using NextDNS behind my Adguard installation as root DNS. I've tried to open this URL:

https://www.on1.com/creative-library/frost-and-snow-overlays/

Firefox showed me this error:

 Note for which Sites the certificate should have been issued.

I've tried to resolve the DNS entries manually on my Mac using dig:

dig www.on1.com                                                                                                                                                   at 23:30:31
; <<>> DiG 9.10.6 <<>> www.on1.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19656
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.on1.com.            IN    A
;; ANSWER SECTION:
www.on1.com.        226    IN    A    52.45.242.92
www.on1.com.        226    IN    A    52.6.17.168
;; Query time: 62 msec
;; SERVER: <the IPv6 of my Router with Adguard installed on it>
;; WHEN: Mon Jan 08 23:30:43 CET 2024
;; MSG SIZE  rcvd: 72

While adguard logged these IPs:

Opening that IP shows the certificate that belongs to iot.blackberry.com: https://52.6.50.55/

After a few retries and reloads, the website got finally the right IPs resolved and showed a certificate that was suitable.

I've had this before with a login request to the AWS web console which failed because nextDNS returned a wrong IP not suitable for the requested domain.

Unfortunately I'm unable to see the resolved IPs in the NextDNS log. It just shows me if its an A or AAAA response and that it was DNS over HTTPS.

Any ideas how to proceed or further debug this issue?

1 reply

null
    • Centurio
    • 10 mths ago
    • Reported - view

    Today I've got another faulty resolution for u.gg, resulting again in a firefox certificate warning.

    Nextdns resolved it like this:

    while using dig u.gg resolved:

    dig u.gg                                                        at 21:02:47
    ; <<>> DiG 9.10.6 <<>> u.gg
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9987
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;u.gg.                IN    A
    ;; ANSWER SECTION:
    u.gg.            168    IN    A    52.58.78.215
    u.gg.            168    IN    A    18.196.37.7
    u.gg.            168    IN    A    35.157.84.226
    ;; Query time: 52 msec
    ;; SERVER: <the IPv6 of my Router with Adguard installed on it>
    ;; WHEN: Wed Jan 10 21:02:52 CET 2024
    ;; MSG SIZE  rcvd: 81
    

    This seems to happen now more often.

Content aside

  • 10 mths agoLast active
  • 1Replies
  • 36Views
  • 1 Following