14

Support Discovery of Designated Resolvers (RFC9462)

Hi,

I have previously posted a Q&A about DDR support https://help.nextdns.io/t/h7hcqly/nextdns-will-support-ddr-encrypted-upgrade-to-use-ultralow-server

I suggest NextDNS support DDR, so that devices/browsers will automatically upgrade to use encrypted DNS with ultralow servers, when devices/browsers use the network with DNS as NextDNS (45.90.28.x/25.90.30.x).

And now DDR is standard with RFC 9462 https://datatracker.ietf.org/doc/rfc9462/

Currently, NextDNS does not support DDR

; <<>> DiG 9.16.28 <<>> _dns.resolver.arpa type64 @45.90.28.0
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53899
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_dns.resolver.arpa.            IN      SVCB
;; AUTHORITY SECTION:
arpa.                   2997    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2024070800 1800 900 604800 86400
;; Query time: 57 msec
;; SERVER: 45.90.28.0#53(45.90.28.0)
;; WHEN: Mon Jul 08 14:02:01 SE Asia Standard Time 2024
;; MSG SIZE  rcvd: 123

But, DNS0.eu already has DDR support

; <<>> DiG 9.16.28 <<>> _dns.resolver.arpa type64 @193.110.81.0
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2932
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
;; QUESTION SECTION:
;_dns.resolver.arpa.            IN      SVCB
;; ANSWER SECTION:
_dns.resolver.arpa.     60      IN      SVCB    1 dns0.eu. alpn="h3,h2" port=443 ipv4hint=194.68.44.243,5.181.25.70 ipv6hint=2a03:f80:40:639d::1,2a03:90c0:4c0:2903::49 key7="/"
_dns.resolver.arpa.     60      IN      SVCB    1 dns0.eu. alpn="dot,doq" port=853 ipv4hint=194.68.44.243,5.181.25.70 ipv6hint=2a03:f80:40:639d::1,2a03:90c0:4c0:2903::49
;; ADDITIONAL SECTION:
dns0.eu.                60      IN      A       194.68.44.243
dns0.eu.                60      IN      A       5.181.25.70
dns0.eu.                60      IN      AAAA    2a03:f80:40:639d::1
dns0.eu.                60      IN      AAAA    2a03:90c0:4c0:2903::49
;; Query time: 201 msec
;; SERVER: 193.110.81.0#53(193.110.81.0)
;; WHEN: Mon Jul 08 14:01:10 SE Asia Standard Time 2024
;; MSG SIZE  rcvd: 316

Also, I checked Google DNS, OpenDNS, Quad9, Cloudflare DNS all support DDR

; <<>> DiG 9.16.28 <<>> _dns.resolver.arpa type64 @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40765
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 4
;; QUESTION SECTION:
;_dns.resolver.arpa.            IN      SVCB
;; ANSWER SECTION:
_dns.resolver.arpa.     86400   IN      SVCB    1 dns.google. alpn="dot"
_dns.resolver.arpa.     86400   IN      SVCB    2 dns.google. alpn="h2,h3" key7="/dns-query{?dns}"
;; ADDITIONAL SECTION:
dns.google.             86400   IN      A       8.8.8.8
dns.google.             86400   IN      A       8.8.4.4
dns.google.             86400   IN      AAAA    2001:4860:4860::8888
dns.google.             86400   IN      AAAA    2001:4860:4860::8844
;; Query time: 66 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jul 08 13:59:16 SE Asia Standard Time 2024
;; MSG SIZE  rcvd: 224


; <<>> DiG 9.16.28 <<>> _dns.resolver.arpa type64 @208.67.220.220
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4387
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1410
;; QUESTION SECTION:
;_dns.resolver.arpa.            IN      SVCB
;; ANSWER SECTION:
_dns.resolver.arpa.     300     IN      SVCB    5 dns.opendns.com. alpn="dot" port=853 ipv4hint=208.67.220.220,208.67.222.222 ipv6hint=2620:119:35::35,2620:119:53::53
_dns.resolver.arpa.     300     IN      SVCB    5 dns.umbrella.com. alpn="dot" port=853 ipv4hint=208.67.220.220,208.67.222.222 ipv6hint=2620:119:35::35,2620:119:53::53
_dns.resolver.arpa.     300     IN      SVCB    10 dns.opendns.com. alpn="h2" ipv4hint=208.67.220.220,208.67.222.222 ipv6hint=2620:119:35::35,2620:119:53::53 key7="/dns-query{?dns}"
_dns.resolver.arpa.     300     IN      SVCB    10 dns.umbrella.com. alpn="h2" ipv4hint=208.67.220.220,208.67.222.222 ipv6hint=2620:119:35::35,2620:119:53::53 key7="/dns-query{?dns}"
_dns.resolver.arpa.     300     IN      SVCB    20 doh.opendns.com. alpn="h2" ipv4hint=146.112.41.2 ipv6hint=2620:119:fc::2 key7="/dns-query{?dns}"
_dns.resolver.arpa.     300     IN      SVCB    20 doh.umbrella.com. alpn="h2" ipv4hint=146.112.41.2 ipv6hint=2620:119:fc::2 key7="/dns-query{?dns}"
;; Query time: 54 msec
;; SERVER: 208.67.220.220#53(208.67.220.220)
;; WHEN: Mon Jul 08 13:59:44 SE Asia Standard Time 2024
;; MSG SIZE  rcvd: 620


; <<>> DiG 9.16.28 <<>> _dns.resolver.arpa type64 @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31720
;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 4
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_dns.resolver.arpa.            IN      SVCB
;; ANSWER SECTION:
_dns.resolver.arpa.     60      IN      SVCB    1 dns.quad9.net. alpn="dot" port=853 ipv4hint=9.9.9.9,149.112.112.112 ipv6hint=2620:fe::fe
_dns.resolver.arpa.     60      IN      SVCB    2 dns.quad9.net. alpn="h2" port=443 ipv4hint=9.9.9.9,149.112.112.112 ipv6hint=2620:fe::fe key7="/dns-query{?dns}"
;; ADDITIONAL SECTION:
dns.quad9.net.          60      IN      A       9.9.9.9
dns.quad9.net.          60      IN      A       149.112.112.112
dns.quad9.net.          60      IN      AAAA    2620:fe::fe
;; Query time: 49 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Mon Jul 08 14:00:08 SE Asia Standard Time 2024
;; MSG SIZE  rcvd: 289


; <<>> DiG 9.16.28 <<>> _dns.resolver.arpa type64 @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45634
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_dns.resolver.arpa.            IN      SVCB
;; ANSWER SECTION:
_dns.resolver.arpa.     300     IN      SVCB    1 one.one.one.one. alpn="h2,h3" port=443 ipv4hint=1.1.1.1,1.0.0.1 ipv6hint=2606:4700:4700::1111,2606:4700:4700::1001 key7="/dns-query{?dns}"
_dns.resolver.arpa.     300     IN      SVCB    2 one.one.one.one. alpn="dot" port=853 ipv4hint=1.1.1.1,1.0.0.1 ipv6hint=2606:4700:4700::1111,2606:4700:4700::1001
;; ADDITIONAL SECTION:
one.one.one.one.        300     IN      A       1.1.1.1
one.one.one.one.        300     IN      A       1.0.0.1
one.one.one.one.        300     IN      AAAA    2606:4700:4700::1111
one.one.one.one.        300     IN      AAAA    2606:4700:4700::1001
;; Query time: 34 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Jul 08 14:00:48 SE Asia Standard Time 2024
;; MSG SIZE  rcvd: 358

Hopefully the NextDNS team will consider this idea. Thanks!

11 replies

null
    • Kiyanokoji
    • 5 mths ago
    • Reported - view

    Up vote

    • minhtri
    • 5 mths ago
    • Reported - view

    up vote

    • Hanh_Nguyen
    • 5 mths ago
    • Reported - view

    Good Idea 

    • Chien_Bui
    • 5 mths ago
    • Reported - view

    up vote

    • mie6996
    • 5 mths ago
    • Reported - view

    great idea 

    • Hung_Tran
    • 5 mths ago
    • Reported - view

    Vote idea

    • vhpcdpgl
    • 5 mths ago
    • Reported - view

    5 stars!

    • kingsmanvn
    • 5 mths ago
    • Reported - view

    up vote!

    • Agi_Ga
    • 5 mths ago
    • Reported - view

    @BigDargon can you tell, which dig commands you did use in that case?

      • BigDargon
      • 5 mths ago
      • Reported - view

       

      dig _dns.resolver.arpa TYPE64 @45.90.28.0
    • Patrick_Dark
    • 1 mth ago
    • Reported - view

    May be worth noting that Little Snitch’s encrypted DNS mechanism (on macOS) seems to block DDR so all of the above addresses indicate no support until I disable it. Not sure if that’s a bug or not.

    I think they could support this for dns.nextdns.io and apple/chrome/firefox/windows.dns.nextdns.io domains pretty easily.

    For profile domains though, they would need to move to an IPv6-only model so a unique address could be assigned to every profile domain (like to abcdef.dns.nextdns.io). Then it still wouldn’t work until the DNS records propagated (up to 72 hours) or if the user was forced onto an IPv4-only ISP like Optimum.

     Then they would need to allow pre-configuration of domains on the server side for custom DNS Over TLS domains (like to My--Device-abcdef.dns.nextdns.io).

Content aside

  • 14 Likes
  • 1 mth agoLast active
  • 11Replies
  • 196Views
  • 11 Following