Support Discovery of Designated Resolvers (RFC9462)

Hi,

I have previously posted a Q&A about DDR support: https://help.nextdns.io/t/h7hcqly/nextdns-will-support-ddr-encrypted-upgrade-to-use-ultralow-server

I suggest that NextDNS support DDR, so that devices/browsers automatically upgrade to encrypted DNS with ultralow servers when they use a network whose DNS is NextDNS (45.90.28.x/25.90.30.x).

And now DDR is a standard, RFC 9462: https://datatracker.ietf.org/doc/rfc9462/

Currently, NextDNS does not support DDR:

; <<>> DiG 9.16.28 <<>> _dns.resolver.arpa type64 @45.90.28.0
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53899
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_dns.resolver.arpa.            IN      SVCB
;; AUTHORITY SECTION:
arpa.                   2997    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2024070800 1800 900 604800 86400
;; Query time: 57 msec
;; SERVER: 45.90.28.0#53(45.90.28.0)
;; WHEN: Mon Jul 08 14:02:01 SE Asia Standard Time 2024
;; MSG SIZE  rcvd: 123

But DNS0.eu already has DDR support:

; <<>> DiG 9.16.28 <<>> _dns.resolver.arpa type64 @193.110.81.0
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2932
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
;; QUESTION SECTION:
;_dns.resolver.arpa.            IN      SVCB
;; ANSWER SECTION:
_dns.resolver.arpa.     60      IN      SVCB    1 dns0.eu. alpn="h3,h2" port=443 ipv4hint=194.68.44.243,5.181.25.70 ipv6hint=2a03:f80:40:639d::1,2a03:90c0:4c0:2903::49 key7="/"
_dns.resolver.arpa.     60      IN      SVCB    1 dns0.eu. alpn="dot,doq" port=853 ipv4hint=194.68.44.243,5.181.25.70 ipv6hint=2a03:f80:40:639d::1,2a03:90c0:4c0:2903::49
;; ADDITIONAL SECTION:
dns0.eu.                60      IN      A       194.68.44.243
dns0.eu.                60      IN      A       5.181.25.70
dns0.eu.                60      IN      AAAA    2a03:f80:40:639d::1
dns0.eu.                60      IN      AAAA    2a03:90c0:4c0:2903::49
;; Query time: 201 msec
;; SERVER: 193.110.81.0#53(193.110.81.0)
;; WHEN: Mon Jul 08 14:01:10 SE Asia Standard Time 2024
;; MSG SIZE  rcvd: 316

Also, I checked that Google DNS, OpenDNS, Quad9 and Cloudflare DNS all support DDR:

; <<>> DiG 9.16.28 <<>> _dns.resolver.arpa type64 @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40765
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 4
;; QUESTION SECTION:
;_dns.resolver.arpa.            IN      SVCB
;; ANSWER SECTION:
_dns.resolver.arpa.     86400   IN      SVCB    1 dns.google. alpn="dot"
_dns.resolver.arpa.     86400   IN      SVCB    2 dns.google. alpn="h2,h3" key7="/dns-query{?dns}"
;; ADDITIONAL SECTION:
dns.google.             86400   IN      A       8.8.8.8
dns.google.             86400   IN      A       8.8.4.4
dns.google.             86400   IN      AAAA    2001:4860:4860::8888
dns.google.             86400   IN      AAAA    2001:4860:4860::8844
;; Query time: 66 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jul 08 13:59:16 SE Asia Standard Time 2024
;; MSG SIZE  rcvd: 224


; <<>> DiG 9.16.28 <<>> _dns.resolver.arpa type64 @208.67.220.220
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4387
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1410
;; QUESTION SECTION:
;_dns.resolver.arpa.            IN      SVCB
;; ANSWER SECTION:
_dns.resolver.arpa.     300     IN      SVCB    5 dns.opendns.com. alpn="dot" port=853 ipv4hint=208.67.220.220,208.67.222.222 ipv6hint=2620:119:35::35,2620:119:53::53
_dns.resolver.arpa.     300     IN      SVCB    5 dns.umbrella.com. alpn="dot" port=853 ipv4hint=208.67.220.220,208.67.222.222 ipv6hint=2620:119:35::35,2620:119:53::53
_dns.resolver.arpa.     300     IN      SVCB    10 dns.opendns.com. alpn="h2" ipv4hint=208.67.220.220,208.67.222.222 ipv6hint=2620:119:35::35,2620:119:53::53 key7="/dns-query{?dns}"
_dns.resolver.arpa.     300     IN      SVCB    10 dns.umbrella.com. alpn="h2" ipv4hint=208.67.220.220,208.67.222.222 ipv6hint=2620:119:35::35,2620:119:53::53 key7="/dns-query{?dns}"
_dns.resolver.arpa.     300     IN      SVCB    20 doh.opendns.com. alpn="h2" ipv4hint=146.112.41.2 ipv6hint=2620:119:fc::2 key7="/dns-query{?dns}"
_dns.resolver.arpa.     300     IN      SVCB    20 doh.umbrella.com. alpn="h2" ipv4hint=146.112.41.2 ipv6hint=2620:119:fc::2 key7="/dns-query{?dns}"
;; Query time: 54 msec
;; SERVER: 208.67.220.220#53(208.67.220.220)
;; WHEN: Mon Jul 08 13:59:44 SE Asia Standard Time 2024
;; MSG SIZE  rcvd: 620


; <<>> DiG 9.16.28 <<>> _dns.resolver.arpa type64 @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31720
;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 4
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_dns.resolver.arpa.            IN      SVCB
;; ANSWER SECTION:
_dns.resolver.arpa.     60      IN      SVCB    1 dns.quad9.net. alpn="dot" port=853 ipv4hint=9.9.9.9,149.112.112.112 ipv6hint=2620:fe::fe
_dns.resolver.arpa.     60      IN      SVCB    2 dns.quad9.net. alpn="h2" port=443 ipv4hint=9.9.9.9,149.112.112.112 ipv6hint=2620:fe::fe key7="/dns-query{?dns}"
;; ADDITIONAL SECTION:
dns.quad9.net.          60      IN      A       9.9.9.9
dns.quad9.net.          60      IN      A       149.112.112.112
dns.quad9.net.          60      IN      AAAA    2620:fe::fe
;; Query time: 49 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Mon Jul 08 14:00:08 SE Asia Standard Time 2024
;; MSG SIZE  rcvd: 289


; <<>> DiG 9.16.28 <<>> _dns.resolver.arpa type64 @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45634
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_dns.resolver.arpa.            IN      SVCB
;; ANSWER SECTION:
_dns.resolver.arpa.     300     IN      SVCB    1 one.one.one.one. alpn="h2,h3" port=443 ipv4hint=1.1.1.1,1.0.0.1 ipv6hint=2606:4700:4700::1111,2606:4700:4700::1001 key7="/dns-query{?dns}"
_dns.resolver.arpa.     300     IN      SVCB    2 one.one.one.one. alpn="dot" port=853 ipv4hint=1.1.1.1,1.0.0.1 ipv6hint=2606:4700:4700::1111,2606:4700:4700::1001
;; ADDITIONAL SECTION:
one.one.one.one.        300     IN      A       1.1.1.1
one.one.one.one.        300     IN      A       1.0.0.1
one.one.one.one.        300     IN      AAAA    2606:4700:4700::1111
one.one.one.one.        300     IN      AAAA    2606:4700:4700::1001
;; Query time: 34 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Jul 08 14:00:48 SE Asia Standard Time 2024
;; MSG SIZE  rcvd: 358

Hopefully the NextDNS team will consider this idea. Thanks!
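The check done by eye in the dig answers above can be automated. This is an added example, not part of the original post or NextDNS code: it parses one dig answer for `_dns.resolver.arpa` and lists the encrypted endpoints it designates. The function name `parse_ddr`, the trimmed samples, and reading `key7` as the `dohpath` parameter are assumptions of the example.

```python
import re
import shlex

# Default ports when the SVCB record carries no port= parameter (RFC 9461).
DEFAULT_PORT = {"dot": 853, "doq": 853, "h2": 443, "h3": 443}

# Constructed sample input: trimmed copies of two dig answers shown in the post.
NEXTDNS_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53899
arpa. 2997 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2024070800 1800 900 604800 86400
;; SERVER: 45.90.28.0#53(45.90.28.0)
"""
QUAD9_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31720
_dns.resolver.arpa. 60 IN SVCB 1 dns.quad9.net. alpn="dot" port=853 ipv4hint=9.9.9.9,149.112.112.112 ipv6hint=2620:fe::fe
_dns.resolver.arpa. 60 IN SVCB 2 dns.quad9.net. alpn="h2" port=443 ipv4hint=9.9.9.9,149.112.112.112 ipv6hint=2620:fe::fe key7="/dns-query{?dns}"
;; SERVER: 9.9.9.9#53(9.9.9.9)
"""

def parse_ddr(dig_text):
    """Return status, queried server and designated endpoints from one dig answer."""
    status = re.search(r"status: (\w+)", dig_text).group(1)
    server = re.search(r"^;; SERVER: ([^#\s]+)#", dig_text, re.M).group(1)
    endpoints = []
    for line in dig_text.splitlines():
        if line.startswith(";") or not line.strip():
            continue  # dig comment lines and blanks carry no records
        f = shlex.split(line)  # shlex strips the quotes around alpn/key7 values
        if len(f) < 6 or f[3] != "SVCB":
            continue
        params = dict(p.split("=", 1) for p in f[6:] if "=" in p)
        hints = (params.get("ipv4hint", "") + "," + params.get("ipv6hint", "")).split(",")
        for proto in params.get("alpn", "").split(","):
            if proto not in DEFAULT_PORT:
                continue
            is_doh = proto in ("h2", "h3")
            endpoints.append({
                "priority": int(f[4]),
                "target": f[5].rstrip("."),
                "protocol": proto,
                "port": int(params.get("port", DEFAULT_PORT[proto])),
                # dig 9.16 prints the dohpath parameter as key7 (assumption above)
                "dohpath": (params.get("dohpath") or params.get("key7")) if is_doh else None,
                "hint_matches_server": server in hints,  # informational only
            })
    endpoints.sort(key=lambda e: e["priority"])
    return {"status": status, "server": server, "endpoints": endpoints,
            "supports_ddr": status == "NOERROR" and bool(endpoints)}
```

The parser only reports what the resolver advertises; RFC 9462 verified discovery additionally requires the designated resolver's TLS certificate to cover the unencrypted resolver's IP address, which this offline check does not cover.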

10 replies

    • Kiyanokoji
    • 1 mth ago

    Up vote

    • minhtri
    • 1 mth ago

    up vote

    • Hanh_Nguyen
    • 1 mth ago

    Good Idea 

    • Chien_Bui
    • 1 mth ago

    up vote

    • mie6996
    • 1 mth ago

    great idea 

    • Hung_Tran
    • 1 mth ago

    Vote idea

    • vhpcdpgl
    • 1 mth ago

    5 stars!

    • kingsmanvn
    • 1 mth ago

    up vote!

    • Agi_Ga
    • 1 mth ago

    @BigDargon can you tell which dig commands you used in that case?

      • BigDargon
      • 1 mth ago

       

      dig _dns.resolver.arpa TYPE64 @45.90.28.0
