Support Discovery of Designated Resolvers (RFC9462)
Hi,
I have previously posted a Q&A about DDR support https://help.nextdns.io/t/h7hcqly/nextdns-will-support-ddr-encrypted-upgrade-to-use-ultralow-server
I suggest NextDNS support DDR, so that devices/browsers will automatically upgrade to use encrypted DNS with ultralow servers when devices/browsers use a network whose DNS is NextDNS (45.90.28.x/45.90.30.x).
And now DDR is standard with RFC 9462 https://datatracker.ietf.org/doc/rfc9462/
Currently, NextDNS does not support DDR
; <<>> DiG 9.16.28 <<>> _dns.resolver.arpa type64 @45.90.28.0
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53899
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_dns.resolver.arpa. IN SVCB
;; AUTHORITY SECTION:
arpa. 2997 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2024070800 1800 900 604800 86400
;; Query time: 57 msec
;; SERVER: 45.90.28.0#53(45.90.28.0)
;; WHEN: Mon Jul 08 14:02:01 SE Asia Standard Time 2024
;; MSG SIZE rcvd: 123
But DNS0.eu already has DDR support:
; <<>> DiG 9.16.28 <<>> _dns.resolver.arpa type64 @193.110.81.0
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2932
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
;; QUESTION SECTION:
;_dns.resolver.arpa. IN SVCB
;; ANSWER SECTION:
_dns.resolver.arpa. 60 IN SVCB 1 dns0.eu. alpn="h3,h2" port=443 ipv4hint=194.68.44.243,5.181.25.70 ipv6hint=2a03:f80:40:639d::1,2a03:90c0:4c0:2903::49 key7="/"
_dns.resolver.arpa. 60 IN SVCB 1 dns0.eu. alpn="dot,doq" port=853 ipv4hint=194.68.44.243,5.181.25.70 ipv6hint=2a03:f80:40:639d::1,2a03:90c0:4c0:2903::49
;; ADDITIONAL SECTION:
dns0.eu. 60 IN A 194.68.44.243
dns0.eu. 60 IN A 5.181.25.70
dns0.eu. 60 IN AAAA 2a03:f80:40:639d::1
dns0.eu. 60 IN AAAA 2a03:90c0:4c0:2903::49
;; Query time: 201 msec
;; SERVER: 193.110.81.0#53(193.110.81.0)
;; WHEN: Mon Jul 08 14:01:10 SE Asia Standard Time 2024
;; MSG SIZE rcvd: 316
Also, I checked Google DNS, OpenDNS, Quad9 and Cloudflare DNS; all of them support DDR:
; <<>> DiG 9.16.28 <<>> _dns.resolver.arpa type64 @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40765
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 4
;; QUESTION SECTION:
;_dns.resolver.arpa. IN SVCB
;; ANSWER SECTION:
_dns.resolver.arpa. 86400 IN SVCB 1 dns.google. alpn="dot"
_dns.resolver.arpa. 86400 IN SVCB 2 dns.google. alpn="h2,h3" key7="/dns-query{?dns}"
;; ADDITIONAL SECTION:
dns.google. 86400 IN A 8.8.8.8
dns.google. 86400 IN A 8.8.4.4
dns.google. 86400 IN AAAA 2001:4860:4860::8888
dns.google. 86400 IN AAAA 2001:4860:4860::8844
;; Query time: 66 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jul 08 13:59:16 SE Asia Standard Time 2024
;; MSG SIZE rcvd: 224
; <<>> DiG 9.16.28 <<>> _dns.resolver.arpa type64 @208.67.220.220
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4387
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1410
;; QUESTION SECTION:
;_dns.resolver.arpa. IN SVCB
;; ANSWER SECTION:
_dns.resolver.arpa. 300 IN SVCB 5 dns.opendns.com. alpn="dot" port=853 ipv4hint=208.67.220.220,208.67.222.222 ipv6hint=2620:119:35::35,2620:119:53::53
_dns.resolver.arpa. 300 IN SVCB 5 dns.umbrella.com. alpn="dot" port=853 ipv4hint=208.67.220.220,208.67.222.222 ipv6hint=2620:119:35::35,2620:119:53::53
_dns.resolver.arpa. 300 IN SVCB 10 dns.opendns.com. alpn="h2" ipv4hint=208.67.220.220,208.67.222.222 ipv6hint=2620:119:35::35,2620:119:53::53 key7="/dns-query{?dns}"
_dns.resolver.arpa. 300 IN SVCB 10 dns.umbrella.com. alpn="h2" ipv4hint=208.67.220.220,208.67.222.222 ipv6hint=2620:119:35::35,2620:119:53::53 key7="/dns-query{?dns}"
_dns.resolver.arpa. 300 IN SVCB 20 doh.opendns.com. alpn="h2" ipv4hint=146.112.41.2 ipv6hint=2620:119:fc::2 key7="/dns-query{?dns}"
_dns.resolver.arpa. 300 IN SVCB 20 doh.umbrella.com. alpn="h2" ipv4hint=146.112.41.2 ipv6hint=2620:119:fc::2 key7="/dns-query{?dns}"
;; Query time: 54 msec
;; SERVER: 208.67.220.220#53(208.67.220.220)
;; WHEN: Mon Jul 08 13:59:44 SE Asia Standard Time 2024
;; MSG SIZE rcvd: 620
; <<>> DiG 9.16.28 <<>> _dns.resolver.arpa type64 @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31720
;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 4
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_dns.resolver.arpa. IN SVCB
;; ANSWER SECTION:
_dns.resolver.arpa. 60 IN SVCB 1 dns.quad9.net. alpn="dot" port=853 ipv4hint=9.9.9.9,149.112.112.112 ipv6hint=2620:fe::fe
_dns.resolver.arpa. 60 IN SVCB 2 dns.quad9.net. alpn="h2" port=443 ipv4hint=9.9.9.9,149.112.112.112 ipv6hint=2620:fe::fe key7="/dns-query{?dns}"
;; ADDITIONAL SECTION:
dns.quad9.net. 60 IN A 9.9.9.9
dns.quad9.net. 60 IN A 149.112.112.112
dns.quad9.net. 60 IN AAAA 2620:fe::fe
;; Query time: 49 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Mon Jul 08 14:00:08 SE Asia Standard Time 2024
;; MSG SIZE rcvd: 289
; <<>> DiG 9.16.28 <<>> _dns.resolver.arpa type64 @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45634
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_dns.resolver.arpa. IN SVCB
;; ANSWER SECTION:
_dns.resolver.arpa. 300 IN SVCB 1 one.one.one.one. alpn="h2,h3" port=443 ipv4hint=1.1.1.1,1.0.0.1 ipv6hint=2606:4700:4700::1111,2606:4700:4700::1001 key7="/dns-query{?dns}"
_dns.resolver.arpa. 300 IN SVCB 2 one.one.one.one. alpn="dot" port=853 ipv4hint=1.1.1.1,1.0.0.1 ipv6hint=2606:4700:4700::1111,2606:4700:4700::1001
;; ADDITIONAL SECTION:
one.one.one.one. 300 IN A 1.1.1.1
one.one.one.one. 300 IN A 1.0.0.1
one.one.one.one. 300 IN AAAA 2606:4700:4700::1111
one.one.one.one. 300 IN AAAA 2606:4700:4700::1001
;; Query time: 34 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Jul 08 14:00:48 SE Asia Standard Time 2024
;; MSG SIZE rcvd: 358
Hopefully the NextDNS team will consider this idea. Thanks!
11 replies
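The dig outputs above show only the server side of DDR: the resolver answering an SVCB query for `_dns.resolver.arpa`. The following is an added example, not code from the post or from NextDNS, of what a client does with such an answer under RFC 9462: decode the SVCB RDATA (RFC 9460 wire format, with `dohpath` as key 7 per RFC 9461, which dig 9.16 prints as `key7=`), order the designated endpoints by SvcPriority and ALPN, and then apply the RFC 9462 acceptance gate before trusting any of them. The two sample records are constructed from the Cloudflare answer in the post, re-encoded to wire format; the function names and the certificate SAN lists passed to `acceptable()` are assumptions for illustration, and no network traffic is sent.

```python
"""DDR (RFC 9462) client-side handling of SVCB (RFC 9460) records, stdlib only.
Added example, not NextDNS code; sample records are constructed from the post."""
import ipaddress
import struct

DDR_QNAME = "_dns.resolver.arpa."
TYPE_SVCB = 64
# SvcParamKeys (RFC 9460 section 14.3.2); dohpath is key 7 (RFC 9461)
KEY_ALPN, KEY_PORT, KEY_IPV4HINT, KEY_IPV6HINT, KEY_DOHPATH = 1, 3, 4, 6, 7


def encode_name(name):
    """Uncompressed wire-format name (an SVCB TargetName must not be compressed)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_svcb_rdata(priority, target, alpn, port=None, ipv4=(), ipv6=(), dohpath=None):
    """Encode one SVCB RDATA; keys are emitted in ascending order as RFC 9460 requires."""
    params = [(KEY_ALPN, b"".join(bytes([len(a)]) + a.encode("ascii") for a in alpn))]
    if port is not None:
        params.append((KEY_PORT, struct.pack("!H", port)))
    if ipv4:
        params.append((KEY_IPV4HINT, b"".join(ipaddress.IPv4Address(a).packed for a in ipv4)))
    if ipv6:
        params.append((KEY_IPV6HINT, b"".join(ipaddress.IPv6Address(a).packed for a in ipv6)))
    if dohpath is not None:
        params.append((KEY_DOHPATH, dohpath.encode("utf-8")))
    body = b"".join(struct.pack("!HH", k, len(v)) + v for k, v in params)
    return struct.pack("!H", priority) + encode_name(target) + body


def parse_svcb_rdata(rdata):
    """Decode SVCB RDATA into a dict; rejects out-of-order keys (RFC 9460 section 2.2)."""
    priority = struct.unpack("!H", rdata[:2])[0]
    labels, off = [], 2
    while rdata[off]:                       # TargetName, uncompressed labels
        n = rdata[off]
        labels.append(rdata[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    off += 1                                # skip the root label
    rec = {"priority": priority, "target": ".".join(labels) + "."}
    last = -1
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        val = rdata[off + 4:off + 4 + length]
        off += 4 + length
        if key <= last:
            raise ValueError("SvcParamKeys not strictly ascending")
        last = key
        if key == KEY_ALPN:                 # sequence of 1-byte-length-prefixed ids
            alpn, i = [], 0
            while i < len(val):
                alpn.append(val[i + 1:i + 1 + val[i]].decode("ascii"))
                i += 1 + val[i]
            rec["alpn"] = alpn
        elif key == KEY_PORT:
            rec["port"] = struct.unpack("!H", val)[0]
        elif key == KEY_IPV4HINT:
            rec["ipv4hint"] = [str(ipaddress.IPv4Address(val[i:i + 4])) for i in range(0, len(val), 4)]
        elif key == KEY_IPV6HINT:
            rec["ipv6hint"] = [str(ipaddress.IPv6Address(val[i:i + 16])) for i in range(0, len(val), 16)]
        elif key == KEY_DOHPATH:
            rec["dohpath"] = val.decode("utf-8")
    return rec


def designated_endpoints(records):
    """Order candidates as a DDR client does: lowest SvcPriority first, then the
    record's own ALPN order. Returns (priority, alpn, target, port, path, hints)."""
    out = []
    for r in sorted(records, key=lambda r: r["priority"]):
        hints = r.get("ipv4hint", []) + r.get("ipv6hint", [])
        for proto in r.get("alpn", []):
            if proto in ("h2", "h3"):
                if "dohpath" not in r:
                    continue            # no URI template, so no usable DoH URI (RFC 9461)
                path = r["dohpath"].replace("{?dns}", "")   # POST form of the template
                out.append((r["priority"], proto, r["target"], r.get("port", 443), path, hints))
            elif proto in ("dot", "doq"):
                out.append((r["priority"], proto, r["target"], r.get("port", 853), None, hints))
    return out


def acceptable(unencrypted_ip, candidate_ip, cert_san_ips, opportunistic=False):
    """RFC 9462 gate, applied on top of normal TLS validation of the target name.
    Verified discovery (4.2): the designated resolver's certificate must carry the
    unencrypted resolver's IP in its SAN. Opportunistic discovery (4.3): only usable
    when the designated address is the same as the unencrypted resolver's address."""
    u = ipaddress.ip_address(unencrypted_ip)
    if opportunistic:
        return ipaddress.ip_address(candidate_ip) == u
    return u in {ipaddress.ip_address(s) for s in cert_san_ips}


# Constructed sample: the two SVCB records Cloudflare returned in the post, re-encoded
# (listed out of priority order on purpose).
CF_HINTS4, CF_HINTS6 = ["1.1.1.1", "1.0.0.1"], ["2606:4700:4700::1111", "2606:4700:4700::1001"]
SAMPLE_RDATA = [
    build_svcb_rdata(2, "one.one.one.one.", ["dot"], 853, CF_HINTS4, CF_HINTS6),
    build_svcb_rdata(1, "one.one.one.one.", ["h2", "h3"], 443, CF_HINTS4, CF_HINTS6, "/dns-query{?dns}"),
]

if __name__ == "__main__":
    for ep in designated_endpoints([parse_svcb_rdata(r) for r in SAMPLE_RDATA]):
        print(ep)
```

Run it and the DoH endpoint (priority 1, h2 then h3, port 443, path `/dns-query`) comes out before the DoT endpoint (priority 2, port 853), which is the order a client would try them. The `acceptable()` gate is the part that matters for security: the SVCB answer arrives over plain UDP/53 and can be spoofed on path, so a client must not trust it until the designated resolver's TLS certificate proves it is authorised for the unencrypted resolver's IP (verified mode), or the designated address is literally the same host (opportunistic mode).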
-
Up vote
-
up vote
-
Good Idea
-
up vote
-
great idea
-
Vote idea
-
5 stars!
-
up vote!
-
@BigDargon can you tell which dig commands you used in that case?
-
May be worth noting that Little Snitch’s encrypted DNS mechanism (on macOS) seems to block DDR so all of the above addresses indicate no support until I disable it. Not sure if that’s a bug or not.
I think they could support this for dns.nextdns.io and apple/chrome/firefox/windows.dns.nextdns.io domains pretty easily.
For profile domains though, they would need to move to an IPv6-only model so a unique address could be assigned to every profile domain (like to abcdef.dns.nextdns.io). Then it still wouldn’t work until the DNS records propagated (up to 72 hours) or if the user was forced onto an IPv4-only ISP like Optimum.
Then they would need to allow pre-configuration of domains on the server side for custom DNS Over TLS domains (like to My--Device-abcdef.dns.nextdns.io).