NextDNS ‘TXT CH id.server’ responses expose private information
Hi everyone,
While testing NextDNS, I ran a “dig +short TXT CH id.server” query and was shocked to find it returning a slew of info I assumed was private, but now visible to anyone on the networks I deployed NextDNS to. Here’s an example:
```
proto.nextdns.io. 0 CH TXT "DOH"
server.nextdns.io. 0 CH TXT "foo-bar-1"
profile.nextdns.io. 0 CH TXT "deadbeef1337"
client.nextdns.io. 0 CH TXT "123.213.132.111"
client-name.nextdns.io. 0 CH TXT "unknown-doh"
device-name.nextdns.io. 0 CH TXT "My device name in plain text"
device-id.nextdns.io. 0 CH TXT "A12B34"
smart-ecs.nextdns.io. 0 CH TXT "1.2.3.0/24"
```
The fact that my custom device name is broadcast in clear text is a major privacy issue. Even the device ID and profile hash could be used to fingerprint or track users and NextDNS setups by malicious users/apps/devices on the network.
I propose:
1) Remove the “device-name” field by default.
2) Consider removing “device-id” and “profile” to prevent easy correlation and tracking.
3) If needed add an opt-in flag for advanced users who truly need these identifiers for debugging or whatever.
Even the "client" field could cause an unwitting information leak. For example, consider a scenario in which users can only access the internet through a proxy or VPN that routes them into another network, but their DNS queries are forwarded to NextDNS through a local forwarder (e.g. the NextDNS CLI client). In this scenario, users could bypass the proxy/VPN and reveal the public IP address of the local network.
NextDNS is fantastic at protecting DNS queries, but leaking identifiers undermines that trust. Please upvote if you agree.
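To make concrete what the `dig +short TXT CH id.server` query above actually sends and what comes back, here is an added, stdlib-only Python example (not NextDNS code and not from the original post). It crafts the wire-format query with QTYPE TXT (16) and QCLASS CH (3), parses CH TXT answers out of a response, and flags the fields the post calls identifying. The `SENSITIVE` set is my own grouping based on the post's argument, and `build_sample_response()` is a constructed message that mirrors the dig output quoted above, not captured traffic; `query_live()` is the only part that touches the network.

```python
"""Craft a `TXT CH id.server` query and parse the answers, stdlib only."""
import socket
import struct

QTYPE_TXT = 16
QCLASS_CH = 3
# Assumed grouping of the fields the post treats as identifying; not a NextDNS spec.
SENSITIVE = {"device-name", "device-id", "profile", "client"}


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid=0x1234, qname="id.server"):
    """Standard query, RD set, one question: <qname> TXT CH (class 3 = CHAOS)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # RFC 1035 compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                      # name ends after the first pointer
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", end if end is not None else off


def parse_txt_answers(msg):
    """Return {first-label: joined TXT strings} for every CH TXT answer."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the question section
        _, off = read_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    records = {}
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            parts, p = [], 0
            while p < len(rdata):                  # TXT rdata is <len><chars>...
                n = rdata[p]
                parts.append(rdata[p + 1:p + 1 + n].decode("utf-8", "replace"))
                p += 1 + n
            records[name.split(".")[0]] = "".join(parts)
    return records


def sensitive_fields(records):
    """Subset of the parsed records a third party on the LAN could use to track you."""
    return {k: v for k, v in records.items() if k in SENSITIVE}


def build_sample_response(txid=0x1234):
    """Constructed response mirroring the post's dig output (not captured traffic)."""
    answers = [
        ("proto", "DOH"), ("server", "foo-bar-1"), ("profile", "deadbeef1337"),
        ("client", "123.213.132.111"), ("client-name", "unknown-doh"),
        ("device-name", "My device name in plain text"),
        ("device-id", "A12B34"), ("smart-ecs", "1.2.3.0/24"),
    ]
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR|RD|RA
    msg += encode_name("id.server") + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
    for label, text in answers:
        txt = bytes([len(text)]) + text.encode()
        msg += encode_name(f"{label}.nextdns.io")
        msg += struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(txt)) + txt
    return msg


def query_live(server, port=53, timeout=2.0):
    """Send the query over plain UDP to a resolver of your choice (network needed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(), (server, port))
        data, _ = s.recvfrom(4096)
    return parse_txt_answers(data)


if __name__ == "__main__":
    recs = parse_txt_answers(build_sample_response())
    for k, v in sensitive_fields(recs).items():
        print(f"exposed: {k} = {v!r}")
```

Pointing `query_live()` at a local forwarder (for example `query_live("127.0.0.1")`) shows what any process on that host, or any host that can reach the forwarder's port, receives; whether that port is reachable across the LAN is exactly the question the replies below turn on.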
7 replies
-
Only you can see this. Another client would see their own info. Also, the id is a proxy id. You can’t use it directly.
-
Purely for speculative purposes, and assuming the use of DoT or DoH, I don't understand how a user outside your network on a third-party device could query the DNS server to get sensitive information about your client from a dig +short TXT CH id.server query. The NextDNS server would have to be compromised or misconfigured, someone would have to have falsified the TLS certificates to intercept encrypted traffic, or your own device would have to be compromised.