
NextDNS CLI leaking occasionally

NextDNS CLI current version running on ASUS Merlin. The router log shows NextDNS continuously connecting/reconnecting/switching like this:

Oct 16 10:33:50 router nextdns[463]: Connected 103.212.225.153:443 (con=23ms tls=37ms, TCP, TLS13)
Oct 16 10:34:23 router nextdns[463]: Connected 103.212.225.153:443 (con=23ms tls=38ms, TCP, TLS13)
Oct 16 10:35:59 router nextdns[463]: Connected 103.212.225.153:443 (con=23ms tls=38ms, TCP, TLS13)
Oct 16 10:37:39 router nextdns[463]: Connected 103.212.225.153:443 (con=23ms tls=40ms, TCP, TLS13)
Oct 16 10:38:52 router nextdns[463]: Connected 103.212.225.153:443 (con=23ms tls=39ms, TCP, TLS13)
Oct 16 10:39:49 router nextdns[463]: Connected 103.212.225.153:443 (con=23ms tls=38ms, TCP, TLS13)
Oct 16 10:40:58 router nextdns[463]: Connected 207.148.84.39:443 (con=23ms tls=37ms, TCP, TLS13)
Oct 16 10:41:43 router nextdns[463]: Connected 103.212.225.153:443 (con=24ms tls=38ms, TCP, TLS13)
Oct 16 10:43:32 router nextdns[463]: Connected 207.148.84.39:443 (con=26ms tls=45ms, TCP, TLS13)
Oct 16 10:45:13 router nextdns[463]: Connected 103.212.225.153:443 (con=23ms tls=37ms, TCP, TLS13)
Oct 16 10:46:42 router nextdns[463]: Connected 103.212.225.153:443 (con=26ms tls=38ms, TCP, TLS13)
Oct 16 10:48:29 router nextdns[463]: Connected 103.212.225.153:443 (con=23ms tls=37ms, TCP, TLS13)
 

The router itself connects to NextDNS via TLS with Stubby. It uses a separate ID from the devices on the network, which are connecting through the NextDNS CLI on the router via HTTPS.

Sometimes in the NextDNS log for the router's TLS connection, for a few seconds at the same time as one of the "Connected" entries in the router log, devices on the network are bypassing the NextDNS CLI and connecting to NextDNS through Stubby instead.

It seems like the NextDNS CLI is deactivating briefly and switching back to Stubby in the meantime before reactivating.

11 replies
  • Which OS? The CLI does not do that, but some OSes may fall back to the DHCP-learned DNS server in case of failure.

  • Asus Merlin current version. Not sure why there’d be a failure unless NextDNS is failing but not logging anything?

  • Can you explain your setup?

    I also use AsuswrtMerlin and thought the CLI handled everything (via DOH).

    Why do you still need Stubby?

    • Rob, I don’t think there’s any choice. In the Asus WAN config tab, if you want to use secure DNS you turn on DNS over TLS. I’ve done that and pointed it at the two DNS servers for my NextDNS config. That allows the router to find a DNS server at boot time, and it uses dnsmasq and Stubby to do so.

      After boot the NextDNS CLI is able to launch, and when it’s activated it modifies /etc/resolv.conf to point to itself.

      If you deactivate NextDNS, it modifies the resolv.conf file again to use Stubby again.

      So Stubby and dnsmasq are still running while NextDNS is active. What I’ve observed is that for brief periods NextDNS seems to stop serving DNS to my LAN and Stubby takes over again. Sometimes I’ve seen that /etc/resolv.conf has been modified to point back to Stubby and stays that way until I run 'nextdns activate'.

      Hope this helps explain it.

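The resolv.conf flip described in the reply above is something a router owner can watch for rather than discover after the fact. The script below is an added example, not code from the NextDNS project, ASUS Merlin, or anyone in this thread: it reads the first nameserver line of a resolv.conf-style file, reports drift away from the listener that `nextdns activate` is expected to have written, and an optional loop logs any drift to syslog (so it lands next to the "Connected" lines) and re-runs `nextdns activate`. The expected listener address (127.0.0.1 in the sample) and the second loopback address standing in for Stubby are assumptions passed as parameters or constructed for the demo; the thread does not state Merlin's exact addresses.

```shell
#!/bin/sh
# Added example for this thread; not part of the NextDNS CLI or ASUS Merlin.
# Assumption (from the reply above): `nextdns activate` rewrites
# /etc/resolv.conf to point at the CLI's own listener, and a fallback to
# Stubby shows up as a different first "nameserver" line. The listener
# address and the file path are parameters, so nothing here depends on
# Merlin's actual layout.

# Print the first nameserver in a resolv.conf-style file (empty if none).
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Compare the active resolver with the expected one.
# Prints "ok" when they match, otherwise "drift <actual>" so a caller can
# log it and decide whether to re-run `nextdns activate`.
resolv_state() {
    expected="$1"; file="$2"
    actual=$(first_nameserver "$file")
    if [ "$actual" = "$expected" ]; then
        echo "ok"
    else
        echo "drift ${actual:-none}"
    fi
}

# Poll loop for the router: logs each drift via logger(1) and re-activates
# the CLI. It only runs when invoked explicitly (see the usage comment).
watch_resolv() {
    expected="$1"; file="${2:-/etc/resolv.conf}"; interval="${3:-30}"
    while :; do
        state=$(resolv_state "$expected" "$file")
        case "$state" in
            ok) ;;
            *)  logger -t resolv-watch "$state (expected $expected); running nextdns activate"
                nextdns activate ;;
        esac
        sleep "$interval"
    done
}

# Constructed sample files standing in for the two states described above:
# "active" = CLI in charge, "stubby" = drifted back (127.0.1.1 is a made-up
# stand-in for Stubby's listener), "empty" = no nameserver line at all.
demo_resolv_states() {
    dir=$(mktemp -d)
    printf 'nameserver 127.0.0.1\n' > "$dir/active"
    printf 'nameserver 127.0.1.1\nnameserver 45.90.28.0\n' > "$dir/stubby"
    printf '# no nameserver here\n' > "$dir/empty"
    resolv_state 127.0.0.1 "$dir/active"   # ok
    resolv_state 127.0.0.1 "$dir/stubby"   # drift 127.0.1.1
    resolv_state 127.0.0.1 "$dir/empty"    # drift none
    rm -rf "$dir"
}

demo_resolv_states

# Usage on the router (assumption: the CLI listens on 127.0.0.1), polling
# every 30 seconds in the background:
#   watch_resolv 127.0.0.1 /etc/resolv.conf 30 &
```

The check deliberately looks only at the first nameserver line, because that is the entry the resolver tries first; if the CLI's listener is still listed but no longer first, traffic is already going elsewhere, which is exactly the "leak" the thread is about.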
  • Are you in Australia? I am and this is what my router reports constantly.

    nextdns[5421]: Connected 103.212.225.153:443 (con=7ms tls=15ms, TCP, TLS13)
    Nov  1 15:53:49 nextdns[5421]: Connected 207.148.84.39:443 (con=7ms tls=13ms, TCP, TLS13)
    Nov  1 15:54:50 nextdns[5421]: Connected 103.212.225.153:443 (con=7ms tls=15ms, TCP, TLS13)
    Nov  1 15:55:45 nextdns[5421]: Connected 103.212.225.153:443 (con=7ms tls=14ms, TCP, TLS13)
    Nov  1 15:58:27 nextdns[5421]: Connected 207.148.84.39:443 (con=7ms tls=14ms, TCP, TLS13)
    Nov  1 16:00:49 nextdns[5421]: Connected 207.148.84.39:443 (con=7ms tls=14ms, TCP, TLS13)
    Nov  1 16:01:43 nextdns[5421]: Connected 207.148.84.39:443 (con=7ms tls=13ms, TCP, TLS13)
    Nov  1 16:02:26 nextdns[5421]: Connected 103.212.225.153:443 (con=7ms tls=13ms, TCP, TLS13)
    Nov  1 16:05:48 nextdns[5421]: Connected 207.148.84.39:443 (con=7ms tls=14ms, TCP, TLS13)
    Nov  1 16:07:33 nextdns[5421]: Connected 207.148.84.39:443 (con=7ms tls=15ms, TCP, TLS13)
    Nov  1 16:10:45 nextdns[5421]: Connected 207.148.84.39:443 (con=7ms tls=14ms, TCP, TLS13)
    Nov  1 16:13:57 nextdns[5421]: Connected 207.148.84.39:443 (con=7ms tls=15ms, TCP, TLS13)
    Nov  1 16:16:46 nextdns[5421]: Connected 207.148.84.39:443 (con=7ms tls=14ms, TCP, TLS13)
    Nov  1 16:19:45 nextdns[5421]: Connected 207.148.84.39:443 (con=7ms tls=14ms, TCP, TLS13)
    Nov  1 16:21:02 nextdns[5421]: Connected 207.148.84.39:443 (con=7ms tls=14ms, TCP, TLS13

    This occurs on all Merlin builds I've tested. Currently using the latest build. AX86U, clean flash, nothing else changed or added, just installed the nextdns client.

    I'm with Aussie broadband in Sydney.

    • Zac I’m with a different ISP in Australia and my log looks very similar. Constant and very frequent reconnections. 

      • Zac (Zac_bitschkat), 3 wk ago

      A User, ok so what I think is going on here is that our ISPs route to NextDNS servers through an IX. This somehow must be causing the issues. I will try testing with Telstra as I know they definitely don't. Which ISP are you with, by the way?

  • traceroute to 207.148.84.39 (207.148.84.39), 30 hops max, 60 byte packets
    1 loop180150640.bng1.vdc01.syd.aussiebb.net (180.150.64.1) 7.582 ms 7.537 ms 7.515 ms
    2 HundredGigE0-0-0-8.core2.vdc01.syd.aussiebb.net (180.150.1.186) 7.469 ms 7.475 ms 7.458 ms
    3 be2.core2.nextdc-s1.syd.aussiebb.net (202.142.143.203) 7.441 ms 7.424 ms 8.093 ms
    4 as20473.syd.edgeix.net.au (202.77.88.33) 8.081 ms 8.750 ms 8.735 ms
    5 10.74.5.5 (10.74.5.5) 8.020 ms 8.005 ms 7.975 ms
    6 10.74.1.98 (10.74.1.98) 7.936 ms 7.462 ms 10.74.1.102 (10.74.1.102) 7.410 ms

    Traceroute results if anybody is looking at this and can confirm my theory.

      • Zac (Zac_bitschkat), 3 wk ago

      traceroute to anycast.dns1.nextdns.io (45.90.28.0), 30 hops max, 60 byte packets
      1 loop180150640.bng1.vdc01.syd.aussiebb.net (180.150.64.1) 7.524 ms 7.505 ms 7.492 ms
      2 HundredGigE0-0-0-8.core2.vdc01.syd.aussiebb.net (180.150.1.186) 7.439 ms 7.462 ms 7.453 ms
      3 be2.core2.nextdc-s1.syd.aussiebb.net (202.142.143.203) 7.420 ms 8.022 ms 8.004 ms
      4 218.100.53.28 (218.100.53.28) 7.306 ms 7.296 ms 7.278 ms
      5 31.217.251.97 (31.217.251.97) 7.283 ms 7.266 ms 7.247 ms
      6 31.217.251.91 (31.217.251.91) 7.809 ms 7.569 ms 7.533 ms
      7 31.217.251.102 (31.217.251.102) 7.495 ms 7.485 ms 7.467 ms
      8 sy5-colo-a.gslnetworks.com.au (103.137.13.225) 7.449 ms 7.431 ms 7.414 ms

      For now I've set it up manually, using only the 1st DNS, which ABB have a direct link with. Not sure this will work properly, but anyway. DoT will do for now till I work out what's going on.

  • I'm seeing something similar. At first I was getting "cache fallback HTTP/2.0: doh resolve: context deadline exceeded" errors, then it changed to only reporting the following connections:

    Nov 14 03:41:54 rpi-nextdns-01 nextdns[2769]: Query 192.168.4.1 UDP A time-osx.g.aaplimg.com. (qry=63/res=12) cache fallback HTTP/2.0: doh resolve: context deadline exceeded
    Nov 14 03:41:55 rpi-nextdns-01 nextdns[2769]: Query 192.168.4.1 UDP 65 30-courier.push.apple.com. (qry=66/res=12) 5005ms : doh resolve: context deadline exceeded
    Nov 14 03:41:55 rpi-nextdns-01 nextdns[2769]: Query 192.168.4.1 UDP A 1-courier.push.apple.com. (qry=65/res=12) cache fallback HTTP/2.0: doh resolve: dial tcp 131.100.2.149:443: i/o timeout
    Nov 14 03:41:55 rpi-nextdns-01 nextdns[2769]: Query 192.168.4.1 UDP A 30-courier.push.apple.com. (qry=66/res=12) 5001ms : doh resolve: context deadline exceeded
    Nov 14 03:41:55 rpi-nextdns-01 nextdns[2769]: Query 192.168.4.1 UDP A 1-courier.sandbox.push.apple.com. (qry=73/res=12) cache fallback HTTP/2.0: doh resolve: context deadline exceeded
    Nov 14 03:41:55 rpi-nextdns-01 nextdns[2769]: Query 192.168.4.1 UDP A api.apple-cloudkit.com. (qry=63/res=12) cache fallback HTTP/2.0: doh resolve: context deadline exceeded
    Nov 14 03:42:02 rpi-nextdns-01 nextdns[2769]: Connected 131.100.2.149:443 (con=5ms tls=7ms, TCP, TLS13)
    Nov 14 03:49:46 rpi-nextdns-01 nextdns[2769]: Connected 131.100.2.149:443 (con=7ms tls=16ms, TCP, TLS13)
    Nov 14 03:50:46 rpi-nextdns-01 nextdns[2769]: Connected 131.100.2.149:443 (con=5ms tls=14ms, TCP, TLS13)
    Nov 14 03:52:39 rpi-nextdns-01 nextdns[2769]: Connected 131.100.2.149:443 (con=4ms tls=16ms, TCP, TLS13)
    Nov 14 04:04:07 rpi-nextdns-01 nextdns[2769]: Connected 131.100.2.149:443 (con=4ms tls=13ms, TCP, TLS13)
    Nov 14 04:04:53 rpi-nextdns-01 nextdns[2769]: Connected 131.100.2.149:443 (con=4ms tls=15ms, TCP, TLS13)
    Nov 14 04:07:24 rpi-nextdns-01 nextdns[2769]: Connected 131.100.2.149:443 (con=5ms tls=14ms, TCP, TLS13)
    Nov 14 04:08:26 rpi-nextdns-01 nextdns[2769]: Connected 131.100.2.149:443 (con=4ms tls=13ms, TCP, TLS13)
    Nov 14 04:09:25 rpi-nextdns-01 nextdns[2769]: Connected 131.100.2.149:443 (con=4ms tls=14ms, TCP, TLS13)
    Nov 14 04:10:22 rpi-nextdns-01 nextdns[2769]: Connected 131.100.2.149:443 (con=4ms tls=15ms, TCP, TLS13)

    No detailed logs for all the device queries like I'm used to.

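The logs quoted in this thread (the router syslog in the opening post and the Raspberry Pi lines in the reply above) are easier to compare before and after a config change when they are reduced to a few numbers: how many "Connected" lines there were, how often the endpoint switched, the shortest and average gap between reconnections, and which "doh resolve:" failures preceded them. The script below is an added example, not part of the NextDNS CLI or written by anyone in the thread; it uses awk so it runs on a Merlin router or a Pi as-is. The sample input is copied verbatim from the two posts named above. One assumption: gaps are computed from HH:MM:SS only, so a log fed to it should not span more than a day, and lines without a timestamp (like the truncated first line in one of the replies) are counted but contribute no gap.

```shell
#!/bin/sh
# Added example for this thread; not part of the NextDNS CLI.
# Three awk summaries over the CLI's syslog output:
#   connected_summary   - count of "Connected" lines, endpoint switches, gaps
#   connected_endpoints - how often each ip:port was (re)connected
#   doh_failures        - "doh resolve:" errors grouped by reason
# Assumption: gap arithmetic uses HH:MM:SS only (syslog carries no year), so
# feed it at most one day of log; lines with no timestamp add no gap.

connected_summary() {
    awk '
    /nextdns\[[0-9]+\]: Connected / {
        ts = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/) ts = $i
            if ($i == "Connected") ep = $(i + 1)      # ip:port follows the keyword
        }
        n++
        if (n > 1 && ep != prevep) switches++
        prevep = ep
        if (ts != "") {
            split(ts, t, ":")
            secs = t[1] * 3600 + t[2] * 60 + t[3]
            if (have_prev) {
                gap = secs - prev
                if (gap < 0) gap += 86400            # crossed midnight
                total += gap; gaps++
                if (min == "" || gap < min) min = gap
            }
            prev = secs; have_prev = 1
        }
    }
    END {
        printf "connections=%d switches=%d min_gap=%ds avg_gap=%.1fs\n",
               n, switches, min, (gaps ? total / gaps : 0)
    }'
}

connected_endpoints() {
    awk '/nextdns\[[0-9]+\]: Connected / {
            for (i = 1; i <= NF; i++) if ($i == "Connected") count[$(i + 1)]++
         }
         END { for (e in count) print e, count[e] }' | sort -k2,2nr -k1,1
}

doh_failures() {
    awk '{
            i = index($0, "doh resolve: ")
            if (i) reason[substr($0, i + 13)]++     # text after "doh resolve: "
         }
         END { for (r in reason) print reason[r], r }' | sort -rn
}

# Sample input copied from the opening post of this thread (router syslog).
sample_connected() {
    cat <<'EOF'
Oct 16 10:33:50 router nextdns[463]: Connected 103.212.225.153:443 (con=23ms tls=37ms, TCP, TLS13)
Oct 16 10:34:23 router nextdns[463]: Connected 103.212.225.153:443 (con=23ms tls=38ms, TCP, TLS13)
Oct 16 10:35:59 router nextdns[463]: Connected 103.212.225.153:443 (con=23ms tls=38ms, TCP, TLS13)
Oct 16 10:37:39 router nextdns[463]: Connected 103.212.225.153:443 (con=23ms tls=40ms, TCP, TLS13)
Oct 16 10:38:52 router nextdns[463]: Connected 103.212.225.153:443 (con=23ms tls=39ms, TCP, TLS13)
Oct 16 10:39:49 router nextdns[463]: Connected 103.212.225.153:443 (con=23ms tls=38ms, TCP, TLS13)
Oct 16 10:40:58 router nextdns[463]: Connected 207.148.84.39:443 (con=23ms tls=37ms, TCP, TLS13)
Oct 16 10:41:43 router nextdns[463]: Connected 103.212.225.153:443 (con=24ms tls=38ms, TCP, TLS13)
Oct 16 10:43:32 router nextdns[463]: Connected 207.148.84.39:443 (con=26ms tls=45ms, TCP, TLS13)
Oct 16 10:45:13 router nextdns[463]: Connected 103.212.225.153:443 (con=23ms tls=37ms, TCP, TLS13)
Oct 16 10:46:42 router nextdns[463]: Connected 103.212.225.153:443 (con=26ms tls=38ms, TCP, TLS13)
Oct 16 10:48:29 router nextdns[463]: Connected 103.212.225.153:443 (con=23ms tls=37ms, TCP, TLS13)
EOF
}

# Sample input copied from the reply above (Raspberry Pi, DoH failures).
sample_failures() {
    cat <<'EOF'
Nov 14 03:41:54 rpi-nextdns-01 nextdns[2769]: Query 192.168.4.1 UDP A time-osx.g.aaplimg.com. (qry=63/res=12) cache fallback HTTP/2.0: doh resolve: context deadline exceeded
Nov 14 03:41:55 rpi-nextdns-01 nextdns[2769]: Query 192.168.4.1 UDP 65 30-courier.push.apple.com. (qry=66/res=12) 5005ms : doh resolve: context deadline exceeded
Nov 14 03:41:55 rpi-nextdns-01 nextdns[2769]: Query 192.168.4.1 UDP A 1-courier.push.apple.com. (qry=65/res=12) cache fallback HTTP/2.0: doh resolve: dial tcp 131.100.2.149:443: i/o timeout
Nov 14 03:41:55 rpi-nextdns-01 nextdns[2769]: Query 192.168.4.1 UDP A 30-courier.push.apple.com. (qry=66/res=12) 5001ms : doh resolve: context deadline exceeded
Nov 14 03:41:55 rpi-nextdns-01 nextdns[2769]: Query 192.168.4.1 UDP A 1-courier.sandbox.push.apple.com. (qry=73/res=12) cache fallback HTTP/2.0: doh resolve: context deadline exceeded
Nov 14 03:41:55 rpi-nextdns-01 nextdns[2769]: Query 192.168.4.1 UDP A api.apple-cloudkit.com. (qry=63/res=12) cache fallback HTTP/2.0: doh resolve: context deadline exceeded
Nov 14 03:42:02 rpi-nextdns-01 nextdns[2769]: Connected 131.100.2.149:443 (con=5ms tls=7ms, TCP, TLS13)
EOF
}

sample_connected | connected_summary     # connections=12 switches=4 min_gap=33s avg_gap=79.9s
sample_connected | connected_endpoints
sample_failures  | doh_failures
```

On a router the same functions can be fed live data, e.g. `grep 'nextdns\[' /tmp/syslog.log | connected_summary`; a min_gap of half a minute and a steady switch count, as in the opening post, is the pattern to look for, and a sudden rise in `doh_failures` around the same timestamps tells you whether the reconnects are the cause of the fallback or a symptom of upstream timeouts.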
  • OK, turns out I had log queries set to false. Ran this command to set it to true and now I'm seeing what I expected. BTW, I had no idea I could modify the config this way; must have missed it in the docs somewhere.

    nextdns config set -log-queries=true

    I'm not seeing those reconnections as often either so that must be good as well.

  • Last active 13 days ago
  • 11 replies
  • 187 views
  • 6 following