No internet connection network when nextdns private dns enabled (Android)

I'm using nextdns for quite a while now(happy), but when i'm at the office i get no internet connection when i have private dns enabled on Android. Now when i connect to the wifi when private DNS is off, then enable my proton VPN and then turn nextdns on again it works. Seems like the DNS is then going trough the VPN tunnel right? Did our system admin block TLS, or is there an other reason for this behavior?

10replies Oldest first
  • Oldest first
  • Newest first
  • Active threads
  • Popular
  • I have this same issue. Started today after phone reboot. Otherwise, all things the same on the device. Other devices on the same wifi work fine. From looking at wireshark, seems port 853 is being blocked from certain devices on IPv6/v4 addresses. If I disconnect from wifi and on to AT&T Mobile, it works. If I connect back to wifi (comcast), it's blocked.  tcptraceroute below:

    from Comcast:

    Tracing the path to dns.nextdns.io ( on TCP port 853 (domain-s), 30 hops max
     1  * * *
     2  * * *
     3  * * *

    ultimately times out.

  • And an update, it almost works:

    Tracing the path to (client_id).dns.nextdns.io ( on TCP port 853 (domain-s), 30 hops max
     1  15.272 ms  11.136 ms  31.627 ms
     2  30.965 ms  33.506 ms  27.931 ms
     3  18.143 ms  22.302 ms  22.363 ms
     4  be-212-rar01.santaclara.ca.sfba.comcast.net (  30.296 ms  27.789 ms  24.554 ms
     5  be-39921-cs02.sunnyvale.ca.ibone.comcast.net (  22.952 ms  35.870 ms  25.392 ms
     6  be-3202-pe02.529bryant.ca.ibone.comcast.net (  25.406 ms  32.048 ms  35.693 ms
     7  ix-xe-8-1-0-2-0.tcore1.pdi-paloalto.as6453.net (  29.147 ms  34.606 ms  40.353 ms
     8  if-ae-2-2.tcore2.pdi-paloalto.as6453.net (  31.982 ms  35.294 ms  25.757 ms
     9  if-ae-5-2.tcore2.sqn-sanjose.as6453.net (  26.277 ms  47.605 ms  38.044 ms
    10  if-ae-22-2.tcore1.sf9-sanfrancisco.as6453.net (  30.406 ms  31.254 ms  30.787 ms
    11  * * *
    12  * * *

    it seems queries to dns.nextdns.io are blocked, but not to clientid.dns.nextdns.io, so now it's a problem at the datacenter (AS 6453/TATA Comms)

  • and for the record, i have android setup correctly under Private DNS: client_id.dns.nextdns.io

  • A further update. Borrowed a friend's iphone 11, fully up to date. Have the official App Store NextDNS client installed on the phone and enabled. DNS does not work over comcast. Works fine over their mobile provider. it would seem in my case, comcast is censoring DNS over TLS on both IPv4 and IPv6.

    • deimos Try to use a VPN that is not blocked by Comcast, then try to use encrypted DNS via a supported browser like Firefox over the VPN you are connected to.

      If it works then probably Comcast is blocking NextDNS, if not it may be a client misconfiguration.

      It's weird to block a DNS provider even if it's encrypted DNS.

  • And more updates:

    TLS to dns.nextdns.io works fine on my wifi and internet connection:

    openssl s_client -connect dns.nextdns.io:853
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = R3
    verify return:1
    depth=0 CN = nextdns.io
    verify return:1

    Set (client_id).dns.nextdns.io, android reports "couldn't connect".

    I setup dns.quad9.net, works fine. set it back to (client_id).dns.nextdns.io, android reports "couldn't connect".

    Set (client_id).dns.nextdns.io, android reports "couldn't connect".

    borrowed a friend's stock oneplus on android 10, installed nextdns app, works fine. firewall sees connection to edge.nextdns.io on 443 as expected.

    borrowed stock iphone 11 with ios up to date, installed nextdns app, configured for same client_id.dns.nextdns.io, fails. firewall sees no attempts to edge.nextdns.io:443.

    I don't understand.

    • deimos I had the same problem. I have a OnePlus8T. Try dns1.nextdns.io or dns2nextdns.io If you use the NextDNS app you most disable the battery optimization option and clear the app cache out.

  • Here's an update:

    1. Iphone 11 Pro, running iOS 14.4, NextDNS app from the app store version 2.01(29). Setup custom config, send device name.

        Mobile: working

        wifi: not working

    Unselect "Use Ultra-Low Latency Network".

        mobile: working

        wifi: working

    I'm still working on the android 10 devices. The 2 non-working android devices are AOSP/LineageOS devices without any google play nonsense. I wiped/reinstalled one of them and the problem persists. Configuring Private DNS, using dns.quad9.net works fine.

    When running the wiretap, here's what I see:

    2021-03-01 12:42:23.961016552    phone-v6    firewall-v6    DNS    108    ✓    Standard query 0x196c AAAA phone.config_id.dns1.nextdns.io

    Interestingly, I set it as phone.config_id.dns.nextdns.io, and it seems something is querying a different subdomain (dns1). App cache? maybe but this is a freshly wiped and installed phone.

    investigation continues...

  • Final update, i have no idea what's wrong. Some devices work, some don't. I swapped out the WAP with my old one running openwrt and everything works.

    In summary, swapping the wireless access point worked better than any debugging.

  • I'm having this same problem right now.  Do I just have to hard reset my router or something??

Like2 Follow
  • 10 mths agoLast active
  • 10Replies
  • 1233Views
  • 8 Following