
NextDNS will support `DDR Encrypted Upgrade` to use ultralow server?

Ultralow servers are a great feature of NextDNS. I'm a user in Vietnam, with this feature my DNS queries don't have to go anycast (when using encrypted DNS).

Recently, I found out that dns0.eu works with help from a NextDNS partner. And dns0.eu supports many more new features than NextDNS, including `DDR Encrypted Upgrade`. This feature is in development, but Microsoft (possibly Apple) is also integrating it into Windows 11.

Hopefully, NextDNS will support this feature and it will help devices running Windows 11 to find an ultralow server to connect to.

I made a query to the dns0.eu service, with the following result:

```
; <<>> DiG 9.16.28 <<>> _dns.resolver.arpa type64 @193.110.81.0
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40340
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
;; QUESTION SECTION:
;_dns.resolver.arpa.            IN      SVCB
;; ANSWER SECTION:
_dns.resolver.arpa.     60      IN      SVCB    1 dns0.eu. alpn="h3,h2" port=443 ipv4hint=194.30.136.105,85.190.230.43 key7="/"
_dns.resolver.arpa.     60      IN      SVCB    1 dns0.eu. alpn="dot,doq" port=853 ipv4hint=194.30.136.105,85.190.230.43
;; ADDITIONAL SECTION:
dns0.eu.                60      IN      A       194.30.136.105
dns0.eu.                60      IN      A       85.190.230.43
;; Query time: 215 msec
;; SERVER: 193.110.81.0#53(193.110.81.0)
;; WHEN: Fri Mar 24 10:29:42 SE Asia Standard Time 2023
;; MSG SIZE  rcvd: 188
```

But currently, NextDNS still does not support it:

```
; <<>> DiG 9.16.28 <<>> _dns.resolver.arpa type64 @45.90.28.0
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18830
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_dns.resolver.arpa.            IN      SVCB
;; AUTHORITY SECTION:
arpa.                   3493    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2023032301 1800 900 604800 86400
;; Query time: 53 msec
;; SERVER: 45.90.28.0#53(45.90.28.0)
;; WHEN: Fri Mar 24 10:31:31 SE Asia Standard Time 2023
;; MSG SIZE  rcvd: 123
```

Meanwhile, services like Google DNS or Cloudflare DNS already support this feature:

```
; <<>> DiG 9.16.28 <<>> _dns.resolver.arpa type64 @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61763
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 4
;; QUESTION SECTION:
;_dns.resolver.arpa.            IN      SVCB
;; ANSWER SECTION:
_dns.resolver.arpa.     86400   IN      SVCB    1 dns.google. alpn="dot"
_dns.resolver.arpa.     86400   IN      SVCB    2 dns.google. alpn="h2,h3" key7="/dns-query{?dns}"
;; ADDITIONAL SECTION:
dns.google.             86400   IN      A       8.8.8.8
dns.google.             86400   IN      A       8.8.4.4
dns.google.             86400   IN      AAAA    2001:4860:4860::8888
dns.google.             86400   IN      AAAA    2001:4860:4860::8844
;; Query time: 46 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Mar 24 10:32:37 SE Asia Standard Time 2023
;; MSG SIZE  rcvd: 224
```

```
; <<>> DiG 9.16.28 <<>> _dns.resolver.arpa type64 @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63516
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_dns.resolver.arpa.            IN      SVCB
;; ANSWER SECTION:
_dns.resolver.arpa.     300     IN      SVCB    1 one.one.one.one. alpn="h2" port=443 ipv4hint=1.1.1.1,1.0.0.1 ipv6hint=2606:4700:4700::1111,2606:4700:4700::1001 key7="/dns-query{?dns}"
_dns.resolver.arpa.     300     IN      SVCB    2 one.one.one.one. alpn="dot" port=853 ipv4hint=1.1.1.1,1.0.0.1 ipv6hint=2606:4700:4700::1111,2606:4700:4700::1001
;; ADDITIONAL SECTION:
one.one.one.one.        300     IN      AAAA    2606:4700:4700::1111
one.one.one.one.        300     IN      AAAA    2606:4700:4700::1001
one.one.one.one.        300     IN      A       1.1.1.1
one.one.one.one.        300     IN      A       1.0.0.1
;; Query time: 69 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Mar 24 10:32:59 SE Asia Standard Time 2023
;; MSG SIZE  rcvd: 355
```


References:

https://datatracker.ietf.org/doc/draft-ietf-add-ddr/

https://techcommunity.microsoft.com/t5/networking-blog/making-doh-discoverable-introducing-ddr/ba-p/2887289

https://blog.cloudflare.com/announcing-ddr-support/
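The dig runs above are exactly what a DDR-capable client does: it asks the unencrypted resolver for `_dns.resolver.arpa`/SVCB, then reads the ALPN, port, address hints and DoH path out of each answer. The following Python is an added example (not code from the thread, NextDNS or dns0.eu) that parses those dig answers into the encrypted endpoints a client would try, reports NXDOMAIN as "no designation" (the NextDNS case), and applies the verification rule from the DDR draft: a resolver learned by IP address may only be upgraded if the designated server's TLS certificate lists that IP in its subjectAltName. The sample inputs are excerpts of the dig output shown in this thread; the certificate SAN lists are constructed, and the key7-to-dohpath mapping follows the SvcParamKey registry (RFC 9461), which dig 9.16 predates.

```python
"""Parse DDR (Discovery of Designated Resolvers) answers as printed by dig
and decide what a client would do with them."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# SvcParamKey 7 is "dohpath" (RFC 9461); dig 9.16 prints it as key7=...
PARAM_NAMES = {"key7": "dohpath"}
DEFAULT_PORT = {"h2": 443, "h3": 443, "dot": 853, "doq": 853}


@dataclass
class Designation:
    priority: int          # SvcPriority: lower is preferred
    target: str            # TargetName the client authenticates against
    alpn: List[str]
    port: Optional[int]
    ipv4hint: List[str]
    ipv6hint: List[str]
    dohpath: Optional[str]

    def endpoints(self) -> List[Tuple[str, str]]:
        """(alpn, locator) pairs a client could try for this designation.
        h2/h3 without a dohpath are unusable for DoH and are skipped."""
        host = self.target.rstrip(".")
        out = []
        for proto in self.alpn:
            port = self.port or DEFAULT_PORT.get(proto)
            if proto in ("h2", "h3") and self.dohpath is not None:
                out.append((proto, f"https://{host}:{port}{self.dohpath}"))
            elif proto == "dot":
                out.append((proto, f"tls://{host}:{port}"))
            elif proto == "doq":
                out.append((proto, f"quic://{host}:{port}"))
        return out


def parse_dig_output(text: str) -> Tuple[str, List[Designation]]:
    """Return (rcode, designations sorted by priority) from a dig run for
    _dns.resolver.arpa/SVCB. NXDOMAIN means the resolver offers no DDR."""
    m = re.search(r"status: ([A-Z]+)", text)
    rcode = m.group(1) if m else "UNKNOWN"
    found = []
    for line in text.splitlines():
        f = line.split()
        # Answer records only: name TTL IN SVCB priority target [params...]
        if len(f) < 6 or f[0] != "_dns.resolver.arpa." or f[3] != "SVCB":
            continue
        params = {}
        for tok in f[6:]:
            key, _, val = tok.partition("=")
            params[PARAM_NAMES.get(key, key)] = val.strip('"')
        hints4 = [h for h in params.get("ipv4hint", "").split(",") if h]
        hints6 = [h for h in params.get("ipv6hint", "").split(",") if h]
        for h in hints4 + hints6:
            ipaddress.ip_address(h)  # raises ValueError on a malformed hint
        found.append(Designation(
            priority=int(f[4]), target=f[5],
            alpn=params["alpn"].split(",") if params.get("alpn") else [],
            port=int(params["port"]) if "port" in params else None,
            ipv4hint=hints4, ipv6hint=hints6, dohpath=params.get("dohpath")))
    return rcode, sorted(found, key=lambda d: d.priority)


def designation_verified(unencrypted_resolver_ip: str, cert_ip_sans: List[str]) -> bool:
    """DDR verified-discovery rule: when the resolver was learned by IP
    (DHCP, router config), the designated server's certificate must carry
    that IP in its subjectAltName, otherwise the client must not upgrade."""
    resolver = ipaddress.ip_address(unencrypted_resolver_ip)
    return any(ipaddress.ip_address(san) == resolver for san in cert_ip_sans)


# Excerpts of the dig answers shown in the thread above.
DNS0_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40340
_dns.resolver.arpa.     60      IN      SVCB    1 dns0.eu. alpn="h3,h2" port=443 ipv4hint=194.30.136.105,85.190.230.43 key7="/"
_dns.resolver.arpa.     60      IN      SVCB    1 dns0.eu. alpn="dot,doq" port=853 ipv4hint=194.30.136.105,85.190.230.43
"""
NEXTDNS_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18830
arpa.                   3493    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2023032301 1800 900 604800 86400
"""
GOOGLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61763
_dns.resolver.arpa.     86400   IN      SVCB    1 dns.google. alpn="dot"
_dns.resolver.arpa.     86400   IN      SVCB    2 dns.google. alpn="h2,h3" key7="/dns-query{?dns}"
"""

if __name__ == "__main__":
    for name, raw in [("dns0.eu", DNS0_DIG), ("NextDNS", NEXTDNS_DIG), ("Google", GOOGLE_DIG)]:
        rcode, ds = parse_dig_output(raw)
        print(name, rcode, [d.endpoints() for d in ds])
    # Constructed SAN list (192.0.2.1 is documentation space), not a real cert.
    print(designation_verified("193.110.81.0", ["192.0.2.1", "193.110.81.0"]))
```

Run it as a script to see each resolver's candidate endpoints; the NextDNS excerpt yields an empty list, which is why a DDR client keeps talking to it over plain UDP/53 instead of upgrading. The `designation_verified` check is the part that matters for safety: without it, anyone who can answer the `_dns.resolver.arpa` query on the local network could steer clients to an encrypted resolver of their choosing.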

6 replies

    • duytoanvns
    • 2 wk ago

    • NextDNs
    • 2 wk ago

    DDR is not compatible with profile based DNS systems like NextDNS

      • BigDargon
      • 2 wk ago

       Thanks for your reply!

      Currently, some users are having the following problem: The modem's DNS server is 8.8.8.8/208.67.222.222, Windows has installed NextDNS, but the browser sets the default encrypted DNS (based on the system DNS).

      At this time, based on the TYPE65 record, the browser switches to using Google DNS or OpenDNS, bypassing Windows' NextDNS.

      If DDR is supported, when the DNS server is set to the anycast IP address of NextDNS, clients/browsers in the network will automatically upgrade to encrypted DNS with an ultralow server, like dns0.eu.

      • NextDNs
      • 2 wk ago

       We are aware of this issue. Windows' DNS upgrade system is designed a bit backwards and won't work with profile-based DNS out of the gate. You need to set encrypted DNS manually or use an app.

      • BigDargon
      • 2 wk ago

       Thanks for the reply!

      P.S.: By the way, please take a look at the idea of partnering with Akamai to enable ECS-optimized CDN servers. Thank you!

      • BigDargon
      • 11 days ago

      I found Apple's information about Discovery of Designated Resolvers (DDR) being built into iOS 16 and macOS Ventura: https://developer.apple.com/videos/play/wwdc2022/10079/?time=831
