
NextDNS ‘TXT CH id.server’ responses expose private information

Hi everyone,


While testing NextDNS, I ran a “dig +short TXT CH id.server” query and was shocked to find it returning a slew of info I assumed was private, but now visible to anyone on the networks I deployed NextDNS to. Here’s an example:


```
proto*nextdns*io. 0 CH TXT "DOH"
server*nextdns*io. 0 CH TXT "foo-bar-1"
profile*nextdns*io. 0 CH TXT "deadbeef1337"
client*nextdns*io. 0 CH TXT "123.213.132.111"
client-name*nextdns*io. 0 CH TXT "unknown-doh"
device-name*nextdns*io. 0 CH TXT "My device name in plain text"
device-id*nextdns*io. 0 CH TXT "A12B34"
smart-ecs*nextdns*io. 0 CH TXT "1.2.3.0/24"
```


The fact that my custom device name is broadcast in clear text is a major privacy issue. Even the device ID and profile hash could be used to fingerprint or track users and NextDNS setups by malicious users/apps/devices on the network.


I propose:

1) Remove the “device-name” field by default.  

2) Consider removing “device-id” and “profile” to prevent easy correlation and tracking.

3) If needed add an opt-in flag for advanced users who truly need these identifiers for debugging or whatever.


Even the "client" field could cause an unwitting information leak. For example, consider a scenario in which users can only access the internet through a proxy or VPN that routes them into another network, but their DNS queries are forwarded to NextDNS through a local forwarder (e.g. the NextDNS CLI client). In this scenario, users could bypass the proxy/VPN and reveal the public IP address of the local network.


NextDNS is fantastic at protecting DNS queries, but leaking identifiers undermines that trust. Please upvote if you agree.
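As an added example (not NextDNS's code, nor the poster's), the check below parses dig presentation-format CHAOS TXT answers like the ones above and lists every field beyond the protocol and server id, so an administrator can audit what a resolver discloses to the clients on their network. The allowlist of "generic" fields is this example's own assumption, following the post.

```python
"""Audit CHAOS-class TXT answers for fields that identify a client.

Added example, not NextDNS code. Parses lines in dig presentation format
(<owner> <ttl> CH TXT "<value>") and flags every field whose owner name
is not on the GENERIC allowlist (an assumption of this example).
"""
import re
from typing import Dict, List

# Constructed sample: the records shown in the post (values are placeholders).
SAMPLE_ANSWER = """\
proto*nextdns*io. 0 CH TXT "DOH"
server*nextdns*io. 0 CH TXT "foo-bar-1"
profile*nextdns*io. 0 CH TXT "deadbeef1337"
client*nextdns*io. 0 CH TXT "123.213.132.111"
client-name*nextdns*io. 0 CH TXT "unknown-doh"
device-name*nextdns*io. 0 CH TXT "My device name in plain text"
device-id*nextdns*io. 0 CH TXT "A12B34"
smart-ecs*nextdns*io. 0 CH TXT "1.2.3.0/24"
"""

# Fields that describe the server rather than the querying client (assumption).
GENERIC = {"proto", "server"}

# owner, ttl, class CH, type TXT, then one quoted string (escaped quotes allowed).
_LINE = re.compile(r'^(\S+)\s+(\d+)\s+CH\s+TXT\s+"((?:[^"\\]|\\.)*)"\s*$')


def parse_ch_txt(text: str) -> Dict[str, str]:
    """Map the first label of each owner name to its TXT value; skip other lines."""
    records: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        owner, _ttl, value = m.groups()
        # The post shows owners as "field*nextdns*io."; real output uses dots.
        field = re.split(r"[.*]", owner, maxsplit=1)[0]
        records[field] = value.replace('\\"', '"')
    return records


def audit(text: str) -> List[str]:
    """Return, sorted, every field a client can read that is not generic."""
    return sorted(f for f in parse_ch_txt(text) if f not in GENERIC)


if __name__ == "__main__":
    print("fields exposed beyond proto/server:", audit(SAMPLE_ANSWER))
```

To check a live resolver, feed it the output of the same dig query the post uses instead of SAMPLE_ANSWER.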

7 replies

    • NextDNs
    • 12 days ago
    • Official response

    Only you can see this. Another client would see their own info. Also, the id is a proxy id. You can’t use it directly.

      • Joe.54
      • 9 days ago

      I'm sorry if I hadn't made myself clear - I don't want my clients to see anything that's not generic info like protocol and server id. NextDNS/dns0 and AdGuard are literally the only DNS servers that respond with such a treasure trove of information (which is ironic), all others reply either with nothing or just a generic server ID.

      • NextDNs
      • 9 days ago

       This is used for debugging. There are countless ways to get the same info. If your security relies on such info being hidden from your network clients, you may want to reevaluate.

      • Joe.54
      • 9 days ago

      It indeed feels like NextDNS is running in permanent debug mode, since all other servers carefully hide such info. That's why I've proposed to make this debugging mode only temporary, with an opt-in toggle in settings. What "countless ways" are you talking about? What other queries will cause NextDNS to leak such info? Sounds scary.

      • NextDNs
      • 9 days ago

       I think you are confusing the CHAOS query, which will give this info on all queries, with the id.server special zone, which most servers, including us, disable. Try a “dig CH youtube.com”; you’ll get the same types of info, specific to the queried domain. This is particularly handy on blocked domains, as it will give you which blocklists are blocking the requested domain.

    • gnomedavey
    • 13 days ago

    Purely for speculative purposes, and assuming the use of DoT or DoH, I don't understand how a user outside your network on a third-party device could query the DNS server to get sensitive information about your client from a dig +short TXT CH id.server query. The NextDNS server would have to be compromised or misconfigured, someone would have to have falsified the TLS certificates to intercept encrypted traffic, or your own device would have to be compromised.

      • Hamid.5
      • 12 days ago
