
DNS over TLS using a FritzBox in Germany

Hi!

I am seeing some issues over time when I use NextDNS with a FritzBox in Germany. The FritzBox is a DSL router and it allows you to set a DNS over TLS server. I am using the DNS server name allocated according to the setup instructions:

fritzbox-XXXXXX.dns.nextdns.io

This seems to work initially but after a couple of days when I check my DNS Server settings in the FritzBox I get the following:

#Telekom DNS Servers (Fallback option)
2003:180:2:7000::53 
2003:180:2:9000::53 
217.237.151.115 
217.237.148.102 

# NextDNS DNS Servers
2a07:a8c1:: (DoT verschlüsselt)
45.90.30.0 (DoT verschlüsselt)
45.90.28.0 (DoT verschlüsselt)
217.146.22.163 
116.203.147.209 
2a00:11c0:e:ffff:1::d 
2a01:4f8:c0c:fa3f::1 (aktuell genutzt für Standardanfragen)

From this I can see that this server, 2a01:4f8:c0c:fa3f::1 (aktuell genutzt für Standardanfragen), is at the moment used for all queries. This seems to be a NextDNS non-DoT server, which I have never entered anywhere.

Initially when I enter the NextDNS DoT Server I get this as the DNS Server used:

2003:180:2:7000::53 
2003:180:2:9000::53 
217.237.151.115 
217.237.148.102 
2a00:11c0:e:ffff:1::d (DoT verschlüsselt)
2a01:4f8:c0c:fa3f::1 (DoT verschlüsselt)
217.146.22.163 (DoT verschlüsselt)
116.203.147.209 (aktuell genutzt für Standardanfragen - DoT verschlüsselt)

After a few days it reverts to the above, and DNS queries get very slow.
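As an added example, not code from the original post, NextDNS or AVM: a small Python check that parses a FRITZ!Box DNS status list like the ones pasted above, using the poster's own "#" headings to tell ISP fallback entries from NextDNS entries, and flags when the server the router currently uses is unencrypted or an ISP fallback. The sample dump is constructed from the post's wording and addresses.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: a FRITZ!Box DNS status list in the form pasted in the
# post, with the poster's "#" headings marking the fallback and NextDNS blocks.
STATUS_DUMP = """\
#Telekom DNS Servers (Fallback option)
2003:180:2:7000::53
217.237.151.115
# NextDNS DNS Servers
2a07:a8c1:: (DoT verschlüsselt)
45.90.28.0 (DoT verschlüsselt)
217.146.22.163
2a01:4f8:c0c:fa3f::1 (aktuell genutzt für Standardanfragen)
"""

@dataclass
class Resolver:
    address: str
    group: str        # heading the entry appeared under
    encrypted: bool   # router flagged it "DoT verschlüsselt"
    active: bool      # router flagged it "aktuell genutzt"

def parse_status(dump: str) -> list[Resolver]:
    """Turn the pasted status list into Resolver records."""
    group, entries = "", []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            group = line.lstrip("#").strip()
            continue
        m = re.match(r"(\S+)\s*(?:\((.*)\))?$", line)
        if not m:
            continue
        addr, note = m.group(1), (m.group(2) or "")
        ipaddress.ip_address(addr)  # raises ValueError on a non-address line
        entries.append(Resolver(addr, group, "DoT" in note, "aktuell genutzt" in note))
    return entries

def check_active(entries: list[Resolver]):
    """Return (address, problem) for the resolver the router is currently using."""
    active = [e for e in entries if e.active]
    if len(active) != 1:
        return None, "no single active resolver reported"
    a = active[0]
    if not a.encrypted:
        return a.address, "active resolver is NOT using DoT"
    if "Fallback" in a.group:
        return a.address, "active resolver is an ISP fallback server"
    return a.address, None
```

Run against the sample dump this reports that 2a01:4f8:c0c:fa3f::1 is active without DoT, which is exactly the state the post describes after a few days.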

10 replies

    • Pro subscriber ✓
    • DynamicNotSlow
    • 2 yrs ago

    Make a screenshot from your settings

    • Andreas_Schmid
    • 2 yrs ago

    I assume a screenshot of the DNS configuration page ...

      • Pro subscriber ✓
      • DynamicNotSlow
      • 2 yrs ago

      Andreas Schmid with those settings, you’re using ISP DNS.

       

      Fallback doesn’t mean it’s only used if the main DNS isn’t reachable. It’s used if it’s faster than the others.

      • Andreas_Schmid
      • 2 yrs ago

      DynamicNotSlow this is not exactly what the product description says:

      Allow fallback to unencrypted name resolution on the Internet

      In the FRITZ!Box default settings this setting is enabled.

      When this setting is enabled, DNS queries are carried out unencrypted if all servers entered under "Auflösungsnamen der DNS-Server" fail. A server fails when it is not reachable or the certificate check was not successful.

      When this setting is disabled, no fallback takes place. If all servers entered under "Auflösungsnamen der DNS-Server" fail, no DNS queries are carried out any more and Internet communication is no longer possible.

      Translating the main part: if this option is activated, DNS queries are carried out unencrypted only if all of the DoT servers are not available.

      Also my NextDNS Dashboard shows:

       

      So if I am using my ISP DNS, I wonder how those 2m queries end up on my NextDNS dashboard. Strangely, the logs are also consistent with what I am doing, e.g. a dig on a specific domain.

      I just wonder how this is all possible if I am using my ISP DNS because of my settings?

      • Pro subscriber ✓
      • DynamicNotSlow
      • 2 yrs ago

      Andreas Schmid I missed the word “too” after ISP. Sorry.
       

      If you only want to use NextDNS, no matter if encrypted or not, you need to enter the NextDNS servers in both the IPv4 and IPv6 settings at the top of your screenshot. Remember that this can break your DNS too, as written in other topics.

      • Pro subscriber ✓
      • DynamicNotSlow
      • 2 yrs ago

      Andreas Schmid you can also verify this with https://bash.ws/dnsleak

    • Andreas_Schmid
    • 2 yrs ago

    @DynamicNotSlow all good, I just wanted to point out that that's not the case.

    I use dnsleaktest.com to verify this as well and it looks good to me:

     

    • Andreas_Schmid
    • 2 yrs ago

    Anyway, back to the topic. I have just now configured NextDNS as DoT in my FritzBox again, and the DNS servers used now are like this:

     

    If in a few days my Internet starts to slow down again because of these DNS servers changing, I will post another screenshot.

    • Andreas_Schmid
    • 2 yrs ago

    So I am back after 6 days, as the problems occur again. Strange behavior: websites don't load on the first try; when you hit reload they work or load very slowly, online meetings stutter, etc.

    Then my router shows this as DNS entries:

     

    Compared to the settings in the previous post, new DNS servers are now being used, and they are causing these problems.

    The two new servers, 116.203.147.209 (Hetzner) and 217.146.22.163 (ANEXIA), are servers in local data centers and no longer from Misaka Network.

    Also confirmed by dnsleaktest.com:

     

    So the NextDNS steering server seems to switch from the Misaka CDN to local data center DNS servers, and this is where the problems start.

      • Michael_Schroettle
      • 2 yrs ago

      Andreas Schmid, have you found a solution to this problem? I have noticed that the same is happening in my installation, too (Fritz 7590AX).

      Thanks for the update

      Michael
