
Android DOT shows Unconfigured

Hello,

Context :
- DNS setting from DHCP (IPv4 & IPv6) all set to a NextDNS profile
- WAN IP is a fixed one

Everything is working fine on all the devices of the network when using DNS port 53.
Same with per-device settings for DoT or DoH set manually.

However, I found a problem using a Meta Quest 2 (running Android), test.nextdns.io shows :
status: OK
protocol: DOT
but no profile shown
(different test with IPv4 or IPv6 with same result...)

But on my.nextdns.io :
it says the device is using NextDNS with no configuration.
So no filtering is working; it resolves everything.

Unexpected situation...

I have been able to reproduce that on my phone by just setting, in the connection settings, "Private DNS" to automatic (instead of indicating a custom DoT address).

There is no setting on the Meta Quest 2 to set how to connect to the DNS, it uses "Private DNS" automatically by default (so DoT).

Can you please do something to either :

- handle the request coming in DoT on the custom IP addresses set by DHCP for DNS ?
  like for port 53

- refuse the request on those IPs, so the device uses port 53 instead ?

Or maybe you might see another solution.

Thanks !

Best,

Olivier

6 replies

    • Olivier_P
    • 3 wk ago

    Hi,

    This problem relates to the automatic Private DNS configuration on Android devices.
    On some devices it is set automatically (in the case I described there was no option to turn this off).

    I worked around by filtering outgoing ports on my FW.
    But not everyone is able to do so...

    Hopefully NextDNS will come up with a solution 

    • Olivier_P
    • 3 wk ago

    Just to add a little more context :

    DoT is handled on specific servers (<ID>.dns.nextdns.io), same for DoH (dns.nextdns.io).

    However, the servers defined for classic DNS (port 53) still respond to DoT on port 853...
    No filtering / profile configuration is applied in such a case.

    Ideal solutions (from NextDNS):

    1- (Best) NextDNS servers could apply the profile configuration on DoT (port 853) requests sent to the server IPs (IPv4 & IPv6) defined via DHCP from the router, like for regular DNS (port 53)

    2- For the same server IPs, NextDNS servers should not respond to queries on port 853

    Alternative solutions from your side:

    1- Set up a firewall rule to drop requests on port 853 except to the IPs you defined (allow on those you find for dns.nextdns.io). Ideally you also have rules to filter outgoing requests to port 53 too.

    2- Define the NextDNS servers' IPs on the router itself for its own use, and have DHCP broadcast the router's IP instead of the NextDNS ones

    3- Manually define DoH or DoT on each device
    (not always possible... AndroidTVs... MetaQuest... )

    Those alternatives are not ideal, and if your router/FW does not support them or you don't know how to do it, you will be left with solution 3...

    I really hope NextDNS will find a way to correctly handle those cases.

    Best,

    Olivier
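To see the condition described above for yourself, the following added script (not from the thread, not NextDNS code) does what an Android device in automatic Private DNS mode does: it opens TLS to port 853 on the resolver IP handed out by DHCP and sends a DNS query. The resolver IP is a placeholder you must replace; if a response comes back, the device will use DoT against that IP and, per the thread, no profile is applied; if the connection is refused or dropped by a firewall rule, the device falls back to port 53.

```python
import socket
import ssl
import struct
from typing import Optional

# Placeholder (documentation range), NOT a real NextDNS address: put the IPv4/IPv6
# resolver your DHCP server hands out here.
RESOLVER_IP = "192.0.2.53"
DOT_PORT = 853


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query in wire format: one question, RD bit set, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame_for_dot(msg: bytes) -> bytes:
    """DNS over TLS (RFC 7858) prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields a probe cares about."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": an}


def probe_dot(ip: str, port: int = DOT_PORT, name: str = "example.com.",
              timeout: float = 3.0) -> Optional[dict]:
    """Return the parsed header if the IP answers DoT on 853, None if it refuses/times out.
    Only an IP is known (no hostname), so there is nothing to validate the certificate
    against; this mirrors an opportunistic client, not a pinned custom-DoT setup."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                tls.sendall(frame_for_dot(build_query(name)))
                length = struct.unpack("!H", tls.recv(2))[0]
                data = b""
                while len(data) < length:
                    chunk = tls.recv(length - len(data))
                    if not chunk:
                        break
                    data += chunk
                return parse_header(data) if len(data) >= 12 else None
    except (OSError, ssl.SSLError):
        return None


if __name__ == "__main__":
    print(probe_dot(RESOLVER_IP))  # None means the firewall/server blocked DoT here
```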

      • NextDNs
      • 3 wk ago

       Thanks for your detailed analysis. We are evaluating 1.

      • NextDNs
      • 3 wk ago

       To help us understand: any reason you are not setting the DNS on your router as the forwarder and keeping the local DNS provided by your router on your network? This is the recommended setup and it would fix this issue.

      • Olivier_P
      • 3 wk ago

       Thanks for your reply.

      To understand better, here is some context.

      Home site: I have a UDM Pro and deployed several VLANs, some with their own NextDNS profile.
      Naively, I cannot use different ND profiles on different VLANs if I use the UDMP as the DNS provider.
      So, the DNS servers to use are provided by DHCP (IPv6 too).

      Other sites (parents): they have different routers provided by the ISP.
      If we use the router as the DNS provider, it's with the DNS of the ISP.
      To define others, it's done through DHCP.

      It's frequent to see external DNS servers defined on DHCP as it is easy to do.
      But maybe not the most efficient regarding cache on the network...

      On my UDMP, I end up defining several FW rules to manage the DNS requests from my VLANs by filtering ports and IPs.

      • NextDNs
      • 3 wk ago

      With a UDM Pro, we recommend using our CLI (https://nextdns.io/cli). There is a thread on this forum about how to use it with multiple VLANs.
