Android DOT shows Unconfigured
Hello,
Context:
- DNS settings from DHCP (IPv4 & IPv6) are all set to a NextDNS profile
- WAN IP is a fixed one
Everything is working fine on all the devices of the network when using DNS port 53.
Same with per-device settings for DoT or DoH set manually.
However, I found a problem using a Meta Quest 2 (running Android); test.nextdns.io shows:
status: OK
protocol: DOT
but no profile shown
(different tests with IPv4 or IPv6 give the same result...)
But on my.nextdns.io:
it says the device is using NextDNS with no configuration.
So no filtering is working; it resolves everything.
Unexpected situation...
I have been able to reproduce that on my phone by just setting, in the connection settings, "Private DNS" to automatic (instead of indicating a custom DoT address).
There is no setting on the Meta Quest 2 to set how to connect to the DNS; it uses "Private DNS" automatically by default (so DoT).
Can you please do something to either:
- handle the requests coming in over DoT on the custom IP addresses set by DHCP for DNS, like for port 53?
- refuse the requests on those IPs, so the device uses port 53 instead?
Or maybe you might see another solution.
Thanks !
Best,
Olivier
6 replies
-
Hi,
This problem relates to the automatic Private DNS configuration on Android devices.
On some devices it is set automatically (in the case I described there was no option to turn this off). I worked around it by filtering outgoing ports on my FW.
But not everyone is able to do so... Hopefully NextDNS will come up with a solution.
-
Just to add a little more context:
DoT is handled on specific servers (<ID>.dns.nextdns.io), same for DoH (dns.nextdns.io).
However, the servers defined for classic DNS (port 53) still respond to DoT on port 853...
No filtering / profile configuration is applied in such a case.
Ideal solutions (from NextDNS):
1- (Best) NextDNS servers could apply the profile configuration to DoT (port 853) requests sent to the server IPs (IPv4 & IPv6) defined via DHCP from the router, like for regular DNS (port 53)
2- For the same server IPs, NextDNS servers should not respond to queries on port 853
Alternative solutions from your side:
1- Set up a firewall rule to drop requests on port 853 except to the IPs you defined (allow those you find for dns.nextdns.io). Ideally you also have rules to filter outgoing requests to port 53 too.
2- Define the NextDNS servers' IPs on the router itself for its own use, and have DHCP broadcast the router's IP instead of the NextDNS ones
3- Manually define DoH or DoT on each device
(not always possible... Android TVs... Meta Quest...)
Those alternatives are not ideal, and if your router/FW does not support it or you don't know how to do it, you will be left with solution 3...
I really hope NextDNS will find a way to correctly handle those cases.
Best,
Olivier
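To spot which clients are in the situation described above (Android "automatic" Private DNS reaching the DHCP-advertised resolver on port 853, so queries resolve but no profile is applied), here is an added example that is not part of this thread or of NextDNS: it classifies DoT flows from a constructed flow log. The resolver and DoT endpoint addresses are placeholders from the documentation ranges, not real NextDNS IPs.

```python
import ipaddress
from collections import defaultdict

# Placeholder addresses (RFC 5737 / RFC 3849 documentation ranges), NOT real NextDNS IPs:
# the resolver IPs your DHCP hands out, and the IPs behind your <ID>.dns.nextdns.io.
DHCP_RESOLVERS = {"198.51.100.10", "198.51.100.11", "2001:db8:1::10"}
PROFILE_DOT_ENDPOINTS = {"203.0.113.20", "2001:db8:2::20"}
DOT_PORT = 853

# Constructed flow log (one flow per line): <src> <dst> <proto> <dport>
SAMPLE_FLOWS = """\
192.0.2.50 198.51.100.10 udp 53
192.0.2.60 198.51.100.10 tcp 853
192.0.2.60 2001:db8:1::10 tcp 853
192.0.2.70 203.0.113.20 tcp 853
192.0.2.80 203.0.113.99 tcp 853
"""

def classify_flow(dst, dport):
    """Return None for non-DoT flows, otherwise a finding label."""
    if dport != DOT_PORT:
        return None
    addr = str(ipaddress.ip_address(dst))  # canonical spelling, handles IPv6 forms
    if addr in DHCP_RESOLVERS:
        # Opportunistic DoT to the plain resolver IP: answers, but no profile applied
        return "opportunistic-dot-unconfigured"
    if addr in PROFILE_DOT_ENDPOINTS:
        return "dot-profile-ok"          # DoT to the per-profile hostname's IPs
    return "dot-unknown-endpoint"        # DoT to something else entirely

def find_dot_clients(log_text):
    """Map client address -> set of findings for every DoT flow in the log."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        src, dst, _proto, dport = line.split()
        result = classify_flow(dst, int(dport))
        if result:
            findings[src].add(result)
    return dict(findings)

def clients_bypassing_profile(log_text):
    """Clients that resolve through the DHCP resolver on 853 and thus get no filtering."""
    return sorted(c for c, f in find_dot_clients(log_text).items()
                  if "opportunistic-dot-unconfigured" in f)

if __name__ == "__main__":
    for client in clients_bypassing_profile(SAMPLE_FLOWS):
        print(f"{client}: Private DNS (automatic) to DHCP resolver, profile not applied")
```

Clients listed by `clients_bypassing_profile` are the ones to fix with a manual DoT/DoH setting or to cover with the port 853 firewall rule from alternative solution 1.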