
NextDNS DoH is Unreliable - "Private DNS server cannot be accessed"

Requesting troubleshooting assistance for an infuriating NextDNS connectivity issue.

For as long as I've been using NextDNS (since it was in beta), I run into random, brief periods where DNS resolution dies on devices with NextDNS DoH configured and then comes back without me making any changes on my end. This happens across multiple network types and multiple device types used by different family members.

The workaround is always to temporarily switch to ANY other DoH provider (Cloudflare, Quad9, etc.) until the NextDNS connectivity issues resolve themselves. But it's getting to the point where I really have to find a solution so the family isn't so infuriated with the connectivity of their devices.

The issue is most noticeable in two scenarios:

  1. Mobile (Android) - the Wi-Fi settings show "Connected to device. Can't provide internet", and the Network --> Private DNS setting shows "cannot connect". Turning off Private DNS or switching to Cloudflare/Quad9 immediately resolves the issue.
  2. On my PC browser (Edge, Chrome) - I have NextDNS DoH configured with a custom client ID (https://dns.nextdns.io/<config-id>/<device-id>). Switching to https://chromium.dns.nextdns.io does not resolve the issue, but switching to any of the default DoH options in the browser settings allows me to browse again.

Network:

I have a FIOS router where I've assigned the NextDNS IPs and have a linked IP. Devices for my wife and me have a separate profile with less restrictive filters than the home/kids profile.

There is no "other complexity" in the network -- no pfSense, no DNSSEC, no custom router firmware, no alternate Gateways/DNS Servers, etc.


Diag run from Windows 11 (which has DoH configured as well)

(If there's a way to run a similar Diag from an Android device, please let me know)

https://nextdns.io/diag/e2a02930-3483-11ec-8d35-b5c0642015e2

Testing IPv6 connectivity
  available: false
Fetching https://test.nextdns.io
  status: ok
  client: 72.83.51.16
  protocol: DOH
  dest IP: 45.90.30.239
  server: zepto-iad-1
Fetching PoP name for ultra low latency primary IPv4 (ipv4.dns1.nextdns.io)
Fetch error: Get "https://dns.nextdns.io/info": EOF
Fetching PoP name for ultra low latency secondary IPv4 (ipv4.dns2.nextdns.io)
Fetch error: Get "https://dns.nextdns.io/info": EOF
Fetching PoP name for anycast primary IPv4 (45.90.28.0)
  vultr-ewr: 17.621ms
Fetching PoP name for anycast secondary IPv4 (45.90.30.0)
  zepto-iad: 7.822ms
Pinging PoPs
  anexia-mnz: 10.008ms
  zepto-xrs: 10ms
  zepto-iad: 9.982ms
  anexia-ewr: 17.49ms
  vultr-ewr: 17.643ms
  hydron-clt: 20.055ms
  tier-clt: 22.453ms
  teraswitch-pit: 29.793ms
  router-pit: 29.689ms
  incx-dtw: 30ms
Traceroute for ultra low latency primary IPv4 (170.39.224.134)
    1       10.0.0.1    5ms   3ms   5ms
    2 170.39.224.134    6ms   9ms   7ms
Traceroute for ultra low latency secondary IPv4 (213.227.173.235)
    1       10.0.0.1    5ms   5ms   5ms
    2 213.227.173.235    6ms   7ms   7ms
Traceroute for anycast primary IPv4 (45.90.28.0)
    1       10.0.0.1    6ms   5ms   *
    2     45.90.28.0    7ms   7ms   7ms
Traceroute for anycast secondary IPv4 (45.90.30.0)
    1       10.0.0.1    6ms   6ms   6ms
    2     45.90.30.0   11ms   7ms   7ms


The above info suggests to me that the issue is squarely on the NextDNS side, in its DoH service. Please let me know what additional information is needed to effectively root-cause the issue.

11 replies

    • NextDNs
    • 3 yrs ago

    Looks like something is blocking your HTTPS connection to our service. Do you have the ability to run the following curl commands and show the output?
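The curl checks requested above separate three failure points: whether the resolver's own hostname resolves to a reachable IP, whether a TLS handshake to a given IP succeeds with the expected SNI and a certificate valid for that name, and whether the DoH exchange itself returns an answer. Connecting to 8.8.8.8 while asking for dns.nextdns.io is a negative control: it must fail certificate verification, and a certificate that did validate for dns.nextdns.io from a foreign IP would mean something on the path is terminating TLS. The script below is an added example, not part of this thread and not NextDNS's own tooling. It does the same probe from Python: it builds an RFC 8484 GET query in DNS wire format, connects to each IP the way `curl --connect-to ::IP:443` does, and reports per IP whether TCP, TLS, certificate validation and the DNS answer succeeded. The target list (the anycast IPs 45.90.28.0 and 45.90.30.0 and the ultra-low-latency IP 170.39.224.134 from the diag in the original post, plus 8.8.8.8 as the control), the query name test.com and the generic /dns-query path are assumptions for illustration; a configured NextDNS profile would use its own path as shown in the post. The encoding and parsing functions run offline.

```python
"""DoH reachability triage, a Python equivalent of the curl checks in this thread.

Added example, not NextDNS tooling. The target IPs are taken from the diag output in the
original post; test.com and the /dns-query path are arbitrary choices for illustration.
"""
import base64
import socket
import ssl
import struct

DOH_HOST = "dns.nextdns.io"   # expected SNI and certificate name
DOH_PATH = "/dns-query"       # generic RFC 8484 path (assumption); a profile uses /<config-id>


def build_query(name, qtype=1):
    """Minimal RFC 1035 wire-format query; ID 0 as RFC 8484 suggests for cacheable GETs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)      # class IN


def doh_get_path(name, qtype=1):
    """GET form of the query: unpadded base64url in the `dns` parameter."""
    q = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=")
    return f"{DOH_PATH}?dns={q.decode('ascii')}"


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name starting at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:    # compression pointer, two bytes in total
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (rcode, [A record addresses]) from a wire-format DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4            # skip QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, answers


def probe(ip, name="test.com", sni=DOH_HOST, timeout=5):
    """Emulate `curl --connect-to ::IP:443 https://SNI/...`: TCP to the IP, TLS with the
    hostname as SNI and certificate check against it, then one DoH GET over HTTP/1.1."""
    r = {"ip": ip, "tcp": False, "tls": False, "cert_ok": False,
         "status": None, "rcode": None, "answers": [], "error": None}
    ctx = ssl.create_default_context()   # system trust store, hostname check enabled
    try:
        raw = socket.create_connection((ip, 443), timeout=timeout)
    except OSError as e:
        r["error"] = f"tcp: {e}"
        return r
    r["tcp"] = True
    try:
        tls = ctx.wrap_socket(raw, server_hostname=sni)   # closes raw on failure
    except ssl.SSLCertVerificationError as e:             # handshake ran, name/chain rejected (curl 60)
        r["tls"], r["error"] = True, f"cert: {e.verify_message}"
        return r
    except (ssl.SSLError, OSError) as e:                  # handshake itself failed (curl 35)
        r["error"] = f"tls: {e}"
        return r
    r["tls"] = r["cert_ok"] = True
    with tls:
        req = (f"GET {doh_get_path(name)} HTTP/1.1\r\nHost: {sni}\r\n"
               "Accept: application/dns-message\r\nConnection: close\r\n\r\n")
        tls.sendall(req.encode("ascii"))
        buf = b""
        while chunk := tls.recv(4096):
            buf += chunk
    head, _, body = buf.partition(b"\r\n\r\n")
    r["status"] = int(head.split(b" ", 2)[1])
    if r["status"] == 200 and body:
        r["rcode"], r["answers"] = parse_response(body)
    return r


if __name__ == "__main__":
    # Anycast and ultra-low-latency IPs from the diag in the original post, plus Google's
    # resolver as a control: with SNI dns.nextdns.io it must fail the certificate check.
    for target in ("45.90.28.0", "45.90.30.0", "170.39.224.134", "8.8.8.8"):
        print(probe(target))
```

Reading the result dictionaries: `tcp` true with `tls` false matches the `curl: (35)` handshake failures in this thread, `tls` true with `cert_ok` false is the expected outcome for the 8.8.8.8 control, and a 200 with `rcode` 0 and addresses means the DoH path works end to end against that IP. Comparing the hostname-resolved IP against the anycast IPs isolates whether only the per-user ultra-low-latency endpoint is failing.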

      • wTm5PK
      • 3 yrs ago

       NextDNS Thanks for the assistance. I've attached the curl outputs below; let me know what else you need me to try.

      In this case, I was using DoH through the Windows 11 Edge browser. In the middle of a browsing session, sites stopped connecting (the browser showed a "<website>'s server IP address could not be found" message). For reference, all day yesterday I ran on Cloudflare DoH with zero issues. And as I ran into these issues, I switched Edge DoH from NextDNS back to Cloudflare and sites began connecting immediately, while the curl outputs continued to show NextDNS unable to connect.

      C:\Users\admin>curl -v https://dns.nextdns.io/info
      *   Trying 170.39.224.134:443...
      * Connected to dns.nextdns.io (170.39.224.134) port 443 (#0)
      * schannel: disabled automatic use of client certificate
      * schannel: ALPN, offering http/1.1
      * schannel: failed to receive handshake, SSL/TLS connection failed
      * Closing connection 0
      curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed
      
      C:\Users\admin>curl -v https://dns.nextdns.io/info --connect-to ::8.8.8.8:443
      * Connecting to hostname: 8.8.8.8
      * Connecting to port: 443
      *   Trying 8.8.8.8:443...
      * Connected to 8.8.8.8 (8.8.8.8) port 443 (#0)
      * schannel: disabled automatic use of client certificate
      * schannel: ALPN, offering http/1.1
      * schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.
      * Closing connection 0
      curl: (60) schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.
      More details here: https://curl.se/docs/sslcerts.html
      
      curl failed to verify the legitimacy of the server and therefore could not
      establish a secure connection to it. To learn more about this situation and
      how to fix it, please visit the web page mentioned above.
      
      C:\Users\admin>curl -vk https://test.com --connect-to ::45.90.28.0:443
      * Connecting to hostname: 45.90.28.0
      * Connecting to port: 443
      *   Trying 45.90.28.0:443...
      * Connected to 45.90.28.0 (45.90.28.0) port 443 (#0)
      * schannel: disabled automatic use of client certificate
      * schannel: ALPN, offering http/1.1
      * ALPN, server did not agree to a protocol
      > GET / HTTP/1.1
      > Host: test.com
      > User-Agent: curl/7.78.0
      > Accept: */*
      >
      * Mark bundle as not supporting multiuse
      < HTTP/1.1 200 OK
      < Blocked-By: NextDNS
      < Date: Mon, 25 Oct 2021 22:24:21 GMT
      < Content-Length: 0
      <
      * Connection #0 to host 45.90.28.0 left intact
      
      
      // I let 15min pass and tried the curl commands again (nextdns was still failing, but switching to Cloudflare DoH string in the browser allowed sites to connect immediately)
      
      C:\Users\admin>curl -v https://dns.nextdns.io/info
      *   Trying 170.39.224.134:443...
      * Connected to dns.nextdns.io (170.39.224.134) port 443 (#0)
      * schannel: disabled automatic use of client certificate
      * schannel: ALPN, offering http/1.1
      * schannel: failed to receive handshake, SSL/TLS connection failed
      * Closing connection 0
      curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed
      
      C:\Users\admin>curl -v https://dns.nextdns.io/info --connect-to ::8.8.8.8:443
      * Connecting to hostname: 8.8.8.8
      * Connecting to port: 443
      *   Trying 8.8.8.8:443...
      * Connected to 8.8.8.8 (8.8.8.8) port 443 (#0)
      * schannel: disabled automatic use of client certificate
      * schannel: ALPN, offering http/1.1
      * schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.
      * Closing connection 0
      curl: (60) schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.
      More details here: https://curl.se/docs/sslcerts.html
      
      curl failed to verify the legitimacy of the server and therefore could not
      establish a secure connection to it. To learn more about this situation and
      how to fix it, please visit the web page mentioned above.
      
      C:\Users\admin>curl -vk https://test.com --connect-to ::45.90.28.0:443
      * Connecting to hostname: 45.90.28.0
      * Connecting to port: 443
      *   Trying 45.90.28.0:443...
      * Connected to 45.90.28.0 (45.90.28.0) port 443 (#0)
      * schannel: disabled automatic use of client certificate
      * schannel: ALPN, offering http/1.1
      * ALPN, server did not agree to a protocol
      > GET / HTTP/1.1
      > Host: test.com
      > User-Agent: curl/7.78.0
      > Accept: */*
      >
      * Mark bundle as not supporting multiuse
      < HTTP/1.1 200 OK
      < Blocked-By: NextDNS
      < Date: Mon, 25 Oct 2021 22:38:33 GMT
      < Content-Length: 0
      <
      * Connection #0 to host 45.90.28.0 left intact
      
      // I let 5min pass and tried Cloudflare (as nextdns was still failing)
      
      C:\Users\admin>
      C:\Users\admin>curl -vk https://test.com --connect-to ::1.1.1.1:443
      * Connecting to hostname: 1.1.1.1
      * Connecting to port: 443
      *   Trying 1.1.1.1:443...
      * Connected to 1.1.1.1 (1.1.1.1) port 443 (#0)
      * schannel: disabled automatic use of client certificate
      * schannel: ALPN, offering http/1.1
      * schannel: ALPN, server accepted to use http/1.1
      > GET / HTTP/1.1
      > Host: test.com
      > User-Agent: curl/7.78.0
      > Accept: */*
      >
      * Mark bundle as not supporting multiuse
      < HTTP/1.1 403 Forbidden
      < Server: cloudflare
      < Date: Mon, 25 Oct 2021 22:43:25 GMT
      < Content-Type: text/html
      < Content-Length: 151
      < Connection: keep-alive
      < CF-RAY: 6a3ef6b6de3f5c70-IAD
      <
      <html>
      <head><title>403 Forbidden</title></head>
      <body>
      <center><h1>403 Forbidden</h1></center>
      <hr><center>cloudflare</center>
      </body>
      </html>
      
      
      C:\Users\admin>curl -v https://1.1.1.1/help
      *   Trying 1.1.1.1:443...
      * Connected to 1.1.1.1 (1.1.1.1) port 443 (#0)
      * schannel: disabled automatic use of client certificate
      * schannel: using IP address, SNI is not supported by OS.
      * schannel: ALPN, offering http/1.1
      * schannel: ALPN, server accepted to use http/1.1
      > GET /help HTTP/1.1
      > Host: 1.1.1.1
      > User-Agent: curl/7.78.0
      > Accept: */*
      >
      * schannel: failed to decrypt data, need more data
      * Mark bundle as not supporting multiuse
      < HTTP/1.1 200 OK
      < Date: Mon, 25 Oct 2021 22:43:50 GMT
      < Content-Type: text/html
      < Transfer-Encoding: chunked
      < Connection: keep-alive
      < Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=NYVMvKkRvf8%2FDF3AnViesasMIaSJTUM03MyxksT8rUYavh7GLedhNBPjgJPFQWfdZ8DEmTbVGIIs1ZUqkcycKeyQdZByn1zcVQhLEIe8IbkhSc5%2FnrhA96k%3D"}],"group":"cf-nel","max_age":604800}
      < NEL: {"report_to":"cf-nel","max_age":604800}
      < Last-Modified: Wed, 06 Oct 2021 19:17:18 GMT
      < x-rgw-object-type: Normal
      < x-amz-request-id: tx000000000000008fc07c0-00617085fb-6a7e1b7-default
      < Strict-Transport-Security: max-age=31536000
      < Served-In-Seconds: 0.002
      < Cache-Control: public, max-age=14400
      < CF-Cache-Status: REVALIDATED
      < Expires: Tue, 26 Oct 2021 02:58:50 GMT
      < Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
      < Set-Cookie: __cf_bm=e3HLwOocAT1GElORmKWsV6lH_FqQXAKZMT4slXRrwnc-1635202730-0-AQUqxZVmq4jaiIkupj2qICczaj5aBZJaXjPOso0uB/+eE4iZIlKA/ZNDSUbBAeon5XUf7tBKir0JQKF1PzFxoU0=; path=/; expires=Mon, 25-Oct-21 23:28:50 GMT; domain=.every1dns.com; HttpOnly; Secure; SameSite=None
      < Server: cloudflare
      < CF-RAY: 6a3f0d494d465e54-IAD
      <
      <!DOCTYPE html><html lang="en-US" prefix="og: http://ogp.me/ns#"><head><title>1.1.1.1 — the Internet’s Fastest, Privacy-First DNS Resolver</title><meta charset="utf-8"><!--|
      ............................................................
      .........1............1............1............1...........
      ........11...........11...........11...........11...........
      .......111..........111..........111..........111...........
      ......1111.........1111.........1111.........1111...........
      ........11...........11...........11...........11...........
      ........11...........11...........11...........11...........
      ........11...........11...........11...........11...........
      ........11...........11...........11...........11...........
      ........11...........11...........11...........11...........
      ........11...........11...........11...........11...........
      ........11...........11...........11...........11...........
      ........11...........11...........11...........11...........
      ........11...........11...........11...........11...........
      ........11....ooo....11....ooo....11....ooo....11...........
      ......111111..ooo..111111..ooo..111111..ooo..111111.........
      ............................................................
      
      
      
      • NextDNs
      • 3 yrs ago

      wTm5PK what do you get for curl -v https://dns.nextdns.io/info --connect-to ::45.90.28.0:443

      • wTm5PK
      • 3 yrs ago

      NextDNS 

      C:\Users\admin>curl -v https://dns.nextdns.io/info --connect-to ::45.90.28.0:443
      * Connecting to hostname: 45.90.28.0
      * Connecting to port: 443
      *   Trying 45.90.28.0:443...
      * Connected to 45.90.28.0 (45.90.28.0) port 443 (#0)
      * schannel: disabled automatic use of client certificate
      * schannel: ALPN, offering http/1.1
      * ALPN, server did not agree to a protocol
      > GET /info HTTP/1.1
      > Host: dns.nextdns.io
      > User-Agent: curl/7.78.0
      > Accept: */*
      >
      * Mark bundle as not supporting multiuse
      < HTTP/1.1 200 OK
      < Access-Control-Allow-Origin: *
      < Content-Type: application/json
      < Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
      < Timing-Allow-Origin: *
      < Date: Tue, 26 Oct 2021 02:21:04 GMT
      < Content-Length: 86
      <
      {"locationName": "🇺🇸 New York, United States", "pop": "vultr-ewr", "rtt": 15104}* Connection #0 to host 45.90.28.0 left intact
      
      • wTm5PK
      • 3 yrs ago

      NextDNS 

      I upgraded curl for Windows to the latest version. Here's a re-run of the tests, in case it makes a difference in your troubleshooting, since the original run of curl commands resulted in "SSL/TLS connection failed" errors. Though, please also remember that the issue in question is not with the Windows command line, where I can always ping, resolve DNS, etc.; rather, it's with the DoH/DoT implementations of NextDNS within my PC browser AND on multiple Android phones.

      C:\Users\admin>curl --version
      curl 7.79.1 (x86_64-pc-win32) libcurl/7.79.1 OpenSSL/3.0.0 (Schannel) zlib/1.2.11 brotli/1.0.9 zstd/1.5.0 libidn2/2.3.2 libssh2/1.10.0 nghttp2/1.46.0 libgsasl/1.10.0
      Release-Date: 2021-09-22
      Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
      Features: alt-svc AsynchDNS brotli gsasl HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz MultiSSL NTLM SPNEGO SSL SSPI TLS-SRP UnixSockets zstd
      
      C:\Users\admin>curl -v https://dns.nextdns.io/info
      *   Trying 170.39.224.134:443...
      * Connected to dns.nextdns.io (170.39.224.134) port 443 (#0)
      * ALPN, offering h2
      * ALPN, offering http/1.1
      *  CAfile: C:\Program Files\curl\bin\curl-ca-bundle.crt
      * TLSv1.0 (OUT), TLS header, Certificate Status (22):
      * TLSv1.3 (OUT), TLS handshake, Client hello (1):
      * TLSv1.2 (IN), TLS header, Certificate Status (22):
      * TLSv1.3 (IN), TLS handshake, Server hello (2):
      * TLSv1.2 (IN), TLS header, Finished (20):
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * TLSv1.3 (IN), TLS handshake, Certificate (11):
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * TLSv1.3 (IN), TLS handshake, CERT verify (15):
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * TLSv1.3 (IN), TLS handshake, Finished (20):
      * TLSv1.2 (OUT), TLS header, Finished (20):
      * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
      * TLSv1.2 (OUT), TLS header, Supplemental data (23):
      * TLSv1.3 (OUT), TLS handshake, Finished (20):
      * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
      * ALPN, server accepted to use h2
      * Server certificate:
      *  subject: CN=dns.nextdns.io
      *  start date: Aug 28 00:00:00 2021 GMT
      *  expire date: Nov 26 23:59:59 2021 GMT
      *  subjectAltName: host "dns.nextdns.io" matched cert's "dns.nextdns.io"
      *  issuer: C=AT; O=ZeroSSL; CN=ZeroSSL ECC Domain Secure Site CA
      *  SSL certificate verify ok.
      * Using HTTP2, server supports multiplexing
      * Connection state changed (HTTP/2 confirmed)
      * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
      * TLSv1.2 (OUT), TLS header, Supplemental data (23):
      * TLSv1.2 (OUT), TLS header, Supplemental data (23):
      * TLSv1.2 (OUT), TLS header, Supplemental data (23):
      * Using Stream ID: 1 (easy handle 0x21c30c70aa0)
      * TLSv1.2 (OUT), TLS header, Supplemental data (23):
      > GET /info HTTP/2
      > Host: dns.nextdns.io
      > user-agent: curl/7.79.1
      > accept: */*
      >
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
      * TLSv1.2 (OUT), TLS header, Supplemental data (23):
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      < HTTP/2 200
      < access-control-allow-origin: *
      < content-type: application/json
      < strict-transport-security: max-age=63072000; includeSubDomains; preload
      < timing-allow-origin: *
      < content-length: 83
      < date: Tue, 26 Oct 2021 02:39:20 GMT
      <
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      {"locationName": "🇺🇸 Reston, United States", "pop": "zepto-xrs", "rtt": 9422}* Connection #0 to host dns.nextdns.io left intact
      
      C:\Users\admin>
      C:\Users\admin>curl -v https://dns.nextdns.io/info --connect-to ::8.8.8.8:443
      * Connecting to hostname: 8.8.8.8
      * Connecting to port: 443
      *   Trying 8.8.8.8:443...
      * Connected to 8.8.8.8 (8.8.8.8) port 443 (#0)
      * ALPN, offering h2
      * ALPN, offering http/1.1
      *  CAfile: C:\Program Files\curl\bin\curl-ca-bundle.crt
      * TLSv1.0 (OUT), TLS header, Certificate Status (22):
      * TLSv1.3 (OUT), TLS handshake, Client hello (1):
      * TLSv1.2 (IN), TLS header, Certificate Status (22):
      * TLSv1.3 (IN), TLS handshake, Server hello (2):
      * TLSv1.2 (IN), TLS header, Finished (20):
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
      * TLSv1.3 (IN), TLS handshake, Certificate (11):
      * TLSv1.3 (IN), TLS handshake, CERT verify (15):
      * TLSv1.3 (IN), TLS handshake, Finished (20):
      * TLSv1.2 (OUT), TLS header, Finished (20):
      * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
      * TLSv1.2 (OUT), TLS header, Supplemental data (23):
      * TLSv1.3 (OUT), TLS handshake, Finished (20):
      * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
      * ALPN, server accepted to use h2
      * Server certificate:
      *  subject: CN=dns.google
      *  start date: Oct  4 02:43:35 2021 GMT
      *  expire date: Dec 27 02:43:34 2021 GMT
      *  subjectAltName does not match dns.nextdns.io
      * SSL: no alternative certificate subject name matches target host name 'dns.nextdns.io'
      * Closing connection 0
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
      * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
      * old SSL session ID is stale, removing
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * TLSv1.2 (OUT), TLS header, Supplemental data (23):
      * TLSv1.3 (OUT), TLS alert, close notify (256):
      curl: (60) SSL: no alternative certificate subject name matches target host name 'dns.nextdns.io'
      More details here: https://curl.se/docs/sslcerts.html
      
      curl failed to verify the legitimacy of the server and therefore could not
      establish a secure connection to it. To learn more about this situation and
      how to fix it, please visit the web page mentioned above.
      
      C:\Users\admin>
      C:\Users\admin>curl -vk https://test.com --connect-to ::45.90.28.0:443
      * Connecting to hostname: 45.90.28.0
      * Connecting to port: 443
      *   Trying 45.90.28.0:443...
      * Connected to 45.90.28.0 (45.90.28.0) port 443 (#0)
      * ALPN, offering h2
      * ALPN, offering http/1.1
      * TLSv1.0 (OUT), TLS header, Certificate Status (22):
      * TLSv1.3 (OUT), TLS handshake, Client hello (1):
      * TLSv1.2 (IN), TLS header, Certificate Status (22):
      * TLSv1.3 (IN), TLS handshake, Server hello (2):
      * TLSv1.2 (IN), TLS header, Finished (20):
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * TLSv1.3 (IN), TLS handshake, Certificate (11):
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * TLSv1.3 (IN), TLS handshake, CERT verify (15):
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * TLSv1.3 (IN), TLS handshake, Finished (20):
      * TLSv1.2 (OUT), TLS header, Finished (20):
      * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
      * TLSv1.2 (OUT), TLS header, Supplemental data (23):
      * TLSv1.3 (OUT), TLS handshake, Finished (20):
      * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
      * ALPN, server accepted to use h2
      * Server certificate:
      *  subject: CN=dns.nextdns.io
      *  start date: Aug 28 00:00:00 2021 GMT
      *  expire date: Nov 26 23:59:59 2021 GMT
      *  issuer: C=AT; O=ZeroSSL; CN=ZeroSSL ECC Domain Secure Site CA
      *  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
      * Using HTTP2, server supports multiplexing
      * Connection state changed (HTTP/2 confirmed)
      * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
      * TLSv1.2 (OUT), TLS header, Supplemental data (23):
      * TLSv1.2 (OUT), TLS header, Supplemental data (23):
      * TLSv1.2 (OUT), TLS header, Supplemental data (23):
      * Using Stream ID: 1 (easy handle 0x1a3991b0cf0)
      * TLSv1.2 (OUT), TLS header, Supplemental data (23):
      > GET / HTTP/2
      > Host: test.com
      > user-agent: curl/7.79.1
      > accept: */*
      >
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
      * TLSv1.2 (OUT), TLS header, Supplemental data (23):
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      < HTTP/2 200
      < blocked-by: NextDNS
      < content-length: 0
      < date: Tue, 26 Oct 2021 02:40:21 GMT
      <
      * Connection #0 to host 45.90.28.0 left intact
      
      C:\Users\admin>
      C:\Users\admin>curl -v https://dns.nextdns.io/info --connect-to ::45.90.28.0:443
      * Connecting to hostname: 45.90.28.0
      * Connecting to port: 443
      *   Trying 45.90.28.0:443...
      * Connected to 45.90.28.0 (45.90.28.0) port 443 (#0)
      * ALPN, offering h2
      * ALPN, offering http/1.1
      *  CAfile: C:\Program Files\curl\bin\curl-ca-bundle.crt
      * TLSv1.0 (OUT), TLS header, Certificate Status (22):
      * TLSv1.3 (OUT), TLS handshake, Client hello (1):
      * TLSv1.2 (IN), TLS header, Certificate Status (22):
      * TLSv1.3 (IN), TLS handshake, Server hello (2):
      * TLSv1.2 (IN), TLS header, Finished (20):
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * TLSv1.3 (IN), TLS handshake, Certificate (11):
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * TLSv1.3 (IN), TLS handshake, CERT verify (15):
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * TLSv1.3 (IN), TLS handshake, Finished (20):
      * TLSv1.2 (OUT), TLS header, Finished (20):
      * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
      * TLSv1.2 (OUT), TLS header, Supplemental data (23):
      * TLSv1.3 (OUT), TLS handshake, Finished (20):
      * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
      * ALPN, server accepted to use h2
      * Server certificate:
      *  subject: CN=dns.nextdns.io
      *  start date: Aug 28 00:00:00 2021 GMT
      *  expire date: Nov 26 23:59:59 2021 GMT
      *  subjectAltName: host "dns.nextdns.io" matched cert's "dns.nextdns.io"
      *  issuer: C=AT; O=ZeroSSL; CN=ZeroSSL ECC Domain Secure Site CA
      *  SSL certificate verify ok.
      * Using HTTP2, server supports multiplexing
      * Connection state changed (HTTP/2 confirmed)
      * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
      * TLSv1.2 (OUT), TLS header, Supplemental data (23):
      * TLSv1.2 (OUT), TLS header, Supplemental data (23):
      * TLSv1.2 (OUT), TLS header, Supplemental data (23):
      * Using Stream ID: 1 (easy handle 0x246a3b40cf0)
      * TLSv1.2 (OUT), TLS header, Supplemental data (23):
      > GET /info HTTP/2
      > Host: dns.nextdns.io
      > user-agent: curl/7.79.1
      > accept: */*
      >
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
      * TLSv1.2 (OUT), TLS header, Supplemental data (23):
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      < HTTP/2 200
      < access-control-allow-origin: *
      < content-type: application/json
      < strict-transport-security: max-age=63072000; includeSubDomains; preload
      < timing-allow-origin: *
      < content-length: 86
      < date: Tue, 26 Oct 2021 02:40:35 GMT
      <
      * TLSv1.2 (IN), TLS header, Supplemental data (23):
      {"locationName": "🇺🇸 New York, United States", "pop": "vultr-ewr", "rtt": 14519}* Connection #0 to host 45.90.28.0 left intact
      • wTm5PK
      • 3 yrs ago

      NextDNS Here are the curl outputs from my Android 12 device when NextDNS DoH flaked out yet again today. Please let me know how to proceed with troubleshooting.

      ~ $ curl -v https://dns.nextdns.io/info
      *   Trying 2a0e:6902:2002:12b:5054:ff:fed7:6b78:443...
      * Connected to dns.nextdns.io (2a0e:6902:2002:12b:5054:ff:fed7:6b78) port 443 (#0)
      * ALPN, offering h2
      * ALPN, offering http/1.1
      * successfully set certificate verify locations:
      *  CAfile: /data/data/com.termux/files/usr/etc/tls/cert.pem
      *  CApath: /data/data/com.termux/files/usr/etc/tls/certs
      * TLSv1.3 (OUT), TLS handshake, Client hello (1):
      * TLSv1.3 (IN), TLS handshake, Server hello (2):
      * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
      * TLSv1.3 (IN), TLS handshake, Certificate (11):
      * TLSv1.3 (IN), TLS handshake, CERT verify (15):
      * TLSv1.3 (IN), TLS handshake, Finished (20):
      * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
      * TLSv1.3 (OUT), TLS handshake, Finished (20):
      * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
      * ALPN, server accepted to use h2
      * Server certificate:
      *  subject: CN=dns.nextdns.io
      *  start date: Aug 28 00:00:00 2021 GMT
      *  expire date: Nov 26 23:59:59 2021 GMT
      *  subjectAltName: host "dns.nextdns.io" matched cert's "dns.nextdns.io"
      *  issuer: C=AT; O=ZeroSSL; CN=ZeroSSL ECC Domain Secure Site CA
      *  SSL certificate verify ok.
      * Using HTTP2, server supports multi-use
      * Connection state changed (HTTP/2 confirmed)
      * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
      * Using Stream ID: 1 (easy handle 0xb400006fe7b06010)
      > GET /info HTTP/2
      > Host: dns.nextdns.io
      > user-agent: curl/7.77.0
      > accept: */*
      >
      * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
      * Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
      < HTTP/2 200
      < access-control-allow-origin: *
      < content-type: application/json
      < strict-transport-security: max-age=63072000; includeSubDomains; preload
      < timing-allow-origin: *
      < content-length: 84
      < date: Wed, 27 Oct 2021 02:30:59 GMT
      <
      * Connection #0 to host dns.nextdns.io left intact
      {"locationName": "🇺🇸 Reston, United States", "pop": "zepto-xrs", "rtt": 28068}
      ~ $
      ~ $
      ~ $
      ~ $ curl -v https://dns.nextdns.io/info --connect-to ::8.8.8.8:443
      * Connecting to hostname: 8.8.8.8
      * Connecting to port: 443
      *   Trying 8.8.8.8:443...
      * Connected to 8.8.8.8 (8.8.8.8) port 443 (#0)
      * ALPN, offering h2
      * ALPN, offering http/1.1
      * successfully set certificate verify locations:
      *  CAfile: /data/data/com.termux/files/usr/etc/tls/cert.pem
      *  CApath: /data/data/com.termux/files/usr/etc/tls/certs
      * TLSv1.3 (OUT), TLS handshake, Client hello (1):
      * TLSv1.3 (IN), TLS handshake, Server hello (2):
      * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
      * TLSv1.3 (IN), TLS handshake, Certificate (11):
      * TLSv1.3 (IN), TLS handshake, CERT verify (15):
      * TLSv1.3 (IN), TLS handshake, Finished (20):
      * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
      * TLSv1.3 (OUT), TLS handshake, Finished (20):
      * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
      * ALPN, server accepted to use h2
      * Server certificate:
      *  subject: CN=dns.google
      *  start date: Oct  4 02:43:35 2021 GMT
      *  expire date: Dec 27 02:43:34 2021 GMT
      *  subjectAltName does not match dns.nextdns.io
      * SSL: no alternative certificate subject name matches target host name 'dns.nextdns.io'
      * Closing connection 0
      * TLSv1.3 (OUT), TLS alert, close notify (256):
      curl: (60) SSL: no alternative certificate subject name matches target host name 'dns.nextdns.io'
      More details here: https://curl.se/docs/sslcerts.html
      
      curl failed to verify the legitimacy of the server and therefore could not
      establish a secure connection to it. To learn more about this situation and
      how to fix it, please visit the web page mentioned above.
      ~ $
      ~ $
      ~ $ 
      ~ $ curl -vk https://test.com --connect-to ::45.90.28.0:443
      * Connecting to hostname: 45.90.28.0
      * Connecting to port: 443
      *   Trying 45.90.28.0:443...
      * Connected to 45.90.28.0 (45.90.28.0) port 443 (#0)
      * ALPN, offering h2
      * ALPN, offering http/1.1
      * successfully set certificate verify locations:
      *  CAfile: /data/data/com.termux/files/usr/etc/tls/cert.pem
      *  CApath: /data/data/com.termux/files/usr/etc/tls/certs
      * TLSv1.3 (OUT), TLS handshake, Client hello (1):
      * TLSv1.3 (IN), TLS handshake, Server hello (2):
      * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
      * TLSv1.3 (IN), TLS handshake, Certificate (11):
      * TLSv1.3 (IN), TLS handshake, CERT verify (15):
      * TLSv1.3 (IN), TLS handshake, Finished (20):
      * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
      * TLSv1.3 (OUT), TLS handshake, Finished (20):
      * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
      * ALPN, server accepted to use h2
      * Server certificate:
      *  subject: CN=dns.nextdns.io
      *  start date: Aug 28 00:00:00 2021 GMT
      *  expire date: Nov 26 23:59:59 2021 GMT
      *  issuer: C=AT; O=ZeroSSL; CN=ZeroSSL ECC Domain Secure Site CA
      *  SSL certificate verify ok.
      * Using HTTP2, server supports multi-use
      * Connection state changed (HTTP/2 confirmed)
      * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
      * Using Stream ID: 1 (easy handle 0xb40000703c5f1380)
      > GET / HTTP/2
      > Host: test.com
      > user-agent: curl/7.77.0
      > accept: */*
      >
      * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
      * Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
      < HTTP/2 200
      < blocked-by: NextDNS
      < content-length: 0
      < date: Wed, 27 Oct 2021 02:31:27 GMT
      <
      * Connection #0 to host 45.90.28.0 left intact
      ~ $
      ~ $
      ~ $
      ~ $ curl -v https://dns.nextdns.io/info --connect-to ::45.90.28.0:443
      * Connecting to hostname: 45.90.28.0
      * Connecting to port: 443
      *   Trying 45.90.28.0:443...
      * Connected to 45.90.28.0 (45.90.28.0) port 443 (#0)
      * ALPN, offering h2
      * ALPN, offering http/1.1
      * successfully set certificate verify locations:
      *  CAfile: /data/data/com.termux/files/usr/etc/tls/cert.pem
      *  CApath: /data/data/com.termux/files/usr/etc/tls/certs
      * TLSv1.3 (OUT), TLS handshake, Client hello (1):
      * TLSv1.3 (IN), TLS handshake, Server hello (2):
      * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
      * TLSv1.3 (IN), TLS handshake, Certificate (11):
      * TLSv1.3 (IN), TLS handshake, CERT verify (15):
      * TLSv1.3 (IN), TLS handshake, Finished (20):
      * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
      * TLSv1.3 (OUT), TLS handshake, Finished (20):
      * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
      * ALPN, server accepted to use h2
      * Server certificate:
      *  subject: CN=dns.nextdns.io
      *  start date: Aug 28 00:00:00 2021 GMT
      *  expire date: Nov 26 23:59:59 2021 GMT
      *  subjectAltName: host "dns.nextdns.io" matched cert's "dns.nextdns.io"
      *  issuer: C=AT; O=ZeroSSL; CN=ZeroSSL ECC Domain Secure Site CA
      *  SSL certificate verify ok.
      * Using HTTP2, server supports multi-use
      * Connection state changed (HTTP/2 confirmed)
      * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
      * Using Stream ID: 1 (easy handle 0xb400007e6d54f010)
      > GET /info HTTP/2
      > Host: dns.nextdns.io
      > user-agent: curl/7.77.0
      > accept: */*
      >
      * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
      * Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
      < HTTP/2 200
      < access-control-allow-origin: *
      < content-type: application/json
      < strict-transport-security: max-age=63072000; includeSubDomains; preload
      < timing-allow-origin: *
      < content-length: 86
      < date: Wed, 27 Oct 2021 02:32:26 GMT
      <
      * Connection #0 to host 45.90.28.0 left intact
      {"locationName": "🇺🇸 New York, United States", "pop": "vultr-ewr", "rtt": 32202}
      ~ $
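
As an added example (not from this thread and not NextDNS code), the probe below does in Python what the `curl --connect-to ::IP:443` runs above do: it opens TCP to a chosen IP but keeps SNI and the certificate name check on `dns.nextdns.io`, fetches `/info`, and buckets failures as certificate mismatch, timeout or other, so it can be run in a loop during one of the outages to record which PoP answered or failed. The IPs are the ones used in the thread, with 8.8.8.8 kept as the negative control that curl showed failing the name check; everything except the live `probe()` call works offline.

```python
import json
import socket
import ssl
import time

DOH_HOST = "dns.nextdns.io"
PROBE_IPS = ["45.90.28.0", "8.8.8.8"]  # NextDNS anycast IP + 8.8.8.8 negative control

def parse_http_response(raw):
    """Split a non-chunked HTTP/1.1 response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (ln.partition(":") for ln in lines[1:])}
    return int(lines[0].split()[1]), headers, body

def parse_info(body):
    """Return (pop, locationName) from the resolver's /info JSON."""
    data = json.loads(body.decode("utf-8"))
    return data["pop"], data["locationName"]

def classify_failure(exc):
    """Bucket a failed probe the way the thread's curl runs surfaced them."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert_mismatch"  # wrong server behind that IP (as with 8.8.8.8), or interception
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"        # the intermittent "cannot connect" symptom
    return "error"

def probe(ip, host=DOH_HOST, timeout=5.0):
    """TCP to `ip`, TLS with SNI and hostname check for `host`, then GET /info."""
    ctx = ssl.create_default_context()  # system CA store, hostname verification on
    t0 = time.monotonic()
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            req = f"GET /info HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(req.encode())
            resp = b"".join(iter(lambda: tls.recv(4096), b""))
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        return {"ip": ip, "status": classify_failure(exc), "detail": str(exc)}
    status, _, body = parse_http_response(resp)
    pop, where = parse_info(body) if status == 200 else ("", "")
    return {"ip": ip, "status": "ok" if status == 200 else f"http_{status}",
            "pop": pop, "location": where, "ms": round((time.monotonic() - t0) * 1000)}

if __name__ == "__main__":
    for ip in PROBE_IPS:  # run in a loop or from cron during an outage to log which PoP fails
        print(time.strftime("%Y-%m-%d %H:%M:%S"), probe(ip))
```

A run against 8.8.8.8 should report `cert_mismatch` every time, so a `timeout` or `error` on the NextDNS IP while the control still reaches the handshake points at the resolver path rather than at local connectivity.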
      
      
      • wTm5PK
      • 3 yrs ago

      NextDNS, an update today on the logs I provided would be much appreciated.

      There are clearly "issues" going on on the NextDNS service side, rather than on my (client) side.

      DNSPerf shows NextDNS at 96.95% uptime for the "last 30 days" (effectively Oct 2021) and 97.04% uptime for Sept 2021. All other "top 10" DNS providers are into the 99.5%+ range during that period.

      A proper "service status page" would certainly go a long way, but there has to be some form of communication with customers when the service is drastically degraded. Does that exist anywhere on the help pages?

      • NextDNS
      • 3 yrs ago

      wTm5PK what you see on DNSPerf is unrelated to a service issue. DNSPerf changed their configuration in regard to our service on September 29th for two days, breaking their ability to monitor us. They fixed it later but couldn't fix the missing data. In two days, the uptime for our service on DNSPerf will be back to normal.

      • wTm5PK
      • 3 yrs ago

      NextDNS, thanks for the clarification. So, how do we move forward with troubleshooting this issue, which is still occurring, though not as persistently as it was a few days ago?

    • Javier_Sanchez
    • 3 yrs ago

    I've also been experiencing the same issue and it's driving me nuts. I have a device running Cloudflare Teams from work, and that device works, while all the other devices on the network lose connectivity 3/4 times a day at random times, taking 1/2 mins to come back online.

    Here's my curl output:

    curl -v https://dns.nextdns.io/info
    *   Trying 2a00:11c0:8:4::9...
    * TCP_NODELAY set
    * Connected to dns.nextdns.io (2a00:11c0:8:4::9) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/cert.pem
      CApath: none
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
    * ALPN, server accepted to use h2
    * Server certificate:
    *  subject: CN=dns.nextdns.io
    *  start date: Aug 28 00:00:00 2021 GMT
    *  expire date: Nov 26 23:59:59 2021 GMT
    *  subjectAltName: host "dns.nextdns.io" matched cert's "dns.nextdns.io"
    *  issuer: C=AT; O=ZeroSSL; CN=ZeroSSL ECC Domain Secure Site CA
    *  SSL certificate verify ok.
    * Using HTTP2, server supports multi-use
    * Connection state changed (HTTP/2 confirmed)
    * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
    * Using Stream ID: 1 (easy handle 0x7fd2b500c000)
    > GET /info HTTP/2
    > Host: dns.nextdns.io
    > User-Agent: curl/7.64.1
    > Accept: */*
    >
    * Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
    < HTTP/2 200
    < access-control-allow-origin: *
    < content-type: application/json
    < strict-transport-security: max-age=63072000; includeSubDomains; preload
    < timing-allow-origin: *
    < content-length: 86
    < date: Mon, 25 Oct 2021 18:12:39 GMT
    <
    * Connection #0 to host dns.nextdns.io left intact
    {"locationName": " London, United Kingdom", "pop": "anexia-lon", "rtt": 10897}* Closing connection 0

     

    Running DoH on a Fritzbox 7590. I've just disabled DoH to see if that will make a difference and will report back.

      • orchid_rock
      • 2 yrs ago

      Javier Sanchez, I have lately been having issues myself with NextDNS over DoH set up through my iPhone; however, I'm using the same router as you with the DNS server provided by my ISP, but over DoH, which I never have issues with. I use that as a fallback when NextDNS is extremely slow.


  • 3 Likes
  • Last active 2 yrs ago
  • 11 Replies
  • 4061 Views
  • 5 Following