
Will NextDNS support `DDR Encrypted Upgrade` to use ultralow servers?

Ultralow servers are a great feature of NextDNS. I'm a user in Vietnam, and with this feature my DNS queries don't have to go through anycast (when using encrypted DNS).

Recently, I found out that dns0.eu works with help from a NextDNS partner. And dns0.eu supports more new features than NextDNS, including `DDR Encrypted Upgrade`. This feature is in development, but Microsoft (and possibly Apple) is also integrating it into Windows 11.

Hopefully, NextDNS will support this feature and it will help devices running Windows 11 to find an ultralow server to connect to.

I made a query to the dns0.eu service with the following result:

```
; <<>> DiG 9.16.28 <<>> _dns.resolver.arpa type64 @193.110.81.0
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40340
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
;; QUESTION SECTION:
;_dns.resolver.arpa.            IN      SVCB
;; ANSWER SECTION:
_dns.resolver.arpa.     60      IN      SVCB    1 dns0.eu. alpn="h3,h2" port=443 ipv4hint=194.30.136.105,85.190.230.43 key7="/"
_dns.resolver.arpa.     60      IN      SVCB    1 dns0.eu. alpn="dot,doq" port=853 ipv4hint=194.30.136.105,85.190.230.43
;; ADDITIONAL SECTION:
dns0.eu.                60      IN      A       194.30.136.105
dns0.eu.                60      IN      A       85.190.230.43
;; Query time: 215 msec
;; SERVER: 193.110.81.0#53(193.110.81.0)
;; WHEN: Fri Mar 24 10:29:42 SE Asia Standard Time 2023
;; MSG SIZE  rcvd: 188
```

But currently, NextDNS still does not support it:

```
; <<>> DiG 9.16.28 <<>> _dns.resolver.arpa type64 @45.90.28.0
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18830
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_dns.resolver.arpa.            IN      SVCB
;; AUTHORITY SECTION:
arpa.                   3493    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2023032301 1800 900 604800 86400
;; Query time: 53 msec
;; SERVER: 45.90.28.0#53(45.90.28.0)
;; WHEN: Fri Mar 24 10:31:31 SE Asia Standard Time 2023
;; MSG SIZE  rcvd: 123
```

Meanwhile, services like Google DNS or Cloudflare DNS already support this feature:

```
; <<>> DiG 9.16.28 <<>> _dns.resolver.arpa type64 @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61763
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 4
;; QUESTION SECTION:
;_dns.resolver.arpa.            IN      SVCB
;; ANSWER SECTION:
_dns.resolver.arpa.     86400   IN      SVCB    1 dns.google. alpn="dot"
_dns.resolver.arpa.     86400   IN      SVCB    2 dns.google. alpn="h2,h3" key7="/dns-query{?dns}"
;; ADDITIONAL SECTION:
dns.google.             86400   IN      A       8.8.8.8
dns.google.             86400   IN      A       8.8.4.4
dns.google.             86400   IN      AAAA    2001:4860:4860::8888
dns.google.             86400   IN      AAAA    2001:4860:4860::8844
;; Query time: 46 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Mar 24 10:32:37 SE Asia Standard Time 2023
;; MSG SIZE  rcvd: 224
```

```
; <<>> DiG 9.16.28 <<>> _dns.resolver.arpa type64 @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63516
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_dns.resolver.arpa.            IN      SVCB
;; ANSWER SECTION:
_dns.resolver.arpa.     300     IN      SVCB    1 one.one.one.one. alpn="h2" port=443 ipv4hint=1.1.1.1,1.0.0.1 ipv6hint=2606:4700:4700::1111,2606:4700:4700::1001 key7="/dns-query{?dns}"
_dns.resolver.arpa.     300     IN      SVCB    2 one.one.one.one. alpn="dot" port=853 ipv4hint=1.1.1.1,1.0.0.1 ipv6hint=2606:4700:4700::1111,2606:4700:4700::1001
;; ADDITIONAL SECTION:
one.one.one.one.        300     IN      AAAA    2606:4700:4700::1111
one.one.one.one.        300     IN      AAAA    2606:4700:4700::1001
one.one.one.one.        300     IN      A       1.1.1.1
one.one.one.one.        300     IN      A       1.0.0.1
;; Query time: 69 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Mar 24 10:32:59 SE Asia Standard Time 2023
;; MSG SIZE  rcvd: 355
```


Reference:

https://datatracker.ietf.org/doc/draft-ietf-add-ddr/

https://techcommunity.microsoft.com/t5/networking-blog/making-doh-discoverable-introducing-ddr/ba-p/2887289

https://blog.cloudflare.com/announcing-ddr-support/
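The DDR answers above are SVCB records. As an added example (not code from this post, NextDNS or dns0.eu), here is how a client turns such records into encrypted endpoints and what it must verify before trusting them; it assumes SVCB lines in the dig presentation format shown above, and that `key7` is the `dohpath` parameter, which this dig version prints only by number.

```python
"""Parse DDR answers (_dns.resolver.arpa SVCB, RFC 9462) and derive the encrypted
endpoints a client would try.  Added example, not code from the post, NextDNS or
dns0.eu.  SAMPLE is copied from the dig output above; key7 is the SVCB 'dohpath'
parameter (RFC 9461), which this dig version prints only by number."""
import re

SAMPLE = [  # constructed from the page's dig output
    '_dns.resolver.arpa.     60      IN      SVCB    1 dns0.eu. alpn="h3,h2" port=443 ipv4hint=194.30.136.105,85.190.230.43 key7="/"',
    '_dns.resolver.arpa.     86400   IN      SVCB    2 dns.google. alpn="h2,h3" key7="/dns-query{?dns}"',
    '_dns.resolver.arpa.     86400   IN      SVCB    1 dns.google. alpn="dot"',
]
SVCB_RE = re.compile(r'^\S+\s+\d+\s+IN\s+SVCB\s+(\d+)\s+(\S+)\s*(.*)$')
PARAM_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_svcb(line):
    """One SVCB record in dig presentation format -> dict, or None if not SVCB."""
    m = SVCB_RE.match(line.strip())
    if not m:
        return None
    rec = {'priority': int(m.group(1)), 'target': m.group(2).rstrip('.'),
           'alpn': [], 'port': None, 'dohpath': None}
    for key, val in PARAM_RE.findall(m.group(3)):
        val = val.strip('"')
        if key == 'alpn':
            rec['alpn'] = val.split(',')
        elif key == 'port':
            rec['port'] = int(val)
        elif key in ('dohpath', 'key7'):  # key7 is the numeric name of dohpath
            rec['dohpath'] = val
    return rec

def endpoints(rec):
    """Connection candidates for one record.  The DoH URI template loses its GET
    variable '{?dns}' because a POST client carries the query in the body."""
    out = []
    for proto in rec['alpn']:
        if proto in ('h2', 'h3'):
            path = (rec['dohpath'] or '/dns-query').replace('{?dns}', '')
            uri = f"https://{rec['target']}:{rec['port'] or 443}{path}"
        elif proto in ('dot', 'doq'):
            uri = f"{'tls' if proto == 'dot' else 'quic'}://{rec['target']}:{rec['port'] or 853}"
        else:
            continue
        if uri not in out:
            out.append(uri)
    return out

def discover(lines, unencrypted_ip):
    """Candidates in priority order, plus the check RFC 9462 'verified discovery'
    requires before the client trusts them: the designated resolver's TLS
    certificate must list the unencrypted resolver's IP as a SAN."""
    recs = sorted(filter(None, map(parse_svcb, lines)), key=lambda r: r['priority'])
    return {'candidates': [u for r in recs for u in endpoints(r)],
            'cert_san_must_include_ip': unencrypted_ip}
```

Note that dns0.eu's `key7="/"` yields a DoH URL with no `{?dns}` template, so a strict client that only does templated GET would have nothing to expand there.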
