Problem with NextDNS resolver today

I'm using the Pro plan but today a lot of domains are either slow or not resolving (they're not blocked according to the logs).

Things like duckduckgo.com

Disabling NextDNS solves the issue (using ISP dns).

7 replies

    • NextDNs
    • 1 yr ago

    Please provide a https://nextdns.io/diag

    • Bryan_Wiegand
    • 1 yr ago

    @NextDNS

    (also subscriber)

    I am likewise running into problems where queries on certain domains return failures and take multiple attempts to successfully resolve. Interestingly, in the my.nextdns.io log I can see that the query was permitted, the server just failed to return an answer.

    On my home LAN, I use opnsense with unbound configured for DNS over TLS forwarding to NextDNS. Most domains work instantly. It only happens for certain domains, such as zoom and discord, including the domain in the post above for duckduckgo. And on all devices using NextDNS, such as windows, mac, and iphones.

    Even without opnsense, for example on the iphone with the NextDNS app on a mobile network, safari will return "server not found", and it will take multiple attempts for the page to finally load.

    Lan: https://nextdns.io/diag/35cce490-d718-11ec-b229-05f9519eeb77

    Example output from a nslookup on my home lan:

    PS C:\Users\user\Downloads> nslookup zoom.us
    Server:  opnsense
    Address:  10.250.0.1

    *** opnsense can't find zoom.us: Server failed

    And I try again only a few seconds later:

    PS C:\Users\user\> nslookup zoom.us
    Server:  opnsense
    Address:  10.250.0.1

    Non-authoritative answer:
    Name: zoom.us
    Address:  170.114.10.76

      • NextDNs
      • 1 yr ago

      Bryan Wiegand, Zoom has some of their auth DNS misconfigured regarding DNSSEC: https://community.zoom.com/t5/Meetings/Zoom-s-DNS-records-are-misconfigured/td-p/46468

      • Bryan_Wiegand
      • 1 yr ago

      NextDNS, will any domain with DNSSEC configuration issues have problems resolving on NextDNS? Is it an enforcement issue?

      • NextDNs
      • 1 yr ago

      Bryan Wiegand, yes, otherwise DNSSEC would have no point.

      • Bryan_Wiegand
      • 1 yr ago

      NextDNS, thanks, it makes sense. It may be worth noting, just for the scope of it, that all of the domains that have had trouble resolving at times, such as zoom.us, discord.gg, duckduckgo.com, and frontier.co.uk, show similar problems when reviewed on https://dnssec-analyzer.verisignlabs.com/

      I'm not sure what can be done about it if, like you said, it is an issue with the service and their DNSSEC records. If it was a large enough issue, would it be possible to consider allowing, for certain domains, to disable hardening or split them off into traditional DNS on the NextDNS side?

      Or maybe there is another solution. As of now, if I need to reliably connect to zoom or discord for example, I have to bypass or disable nextdns.

      • Bryan_Wiegand
      • 1 yr ago

      NextDNS, I guess that above request might not reflect how DNSSEC works. In any case, I got around this by not using unbound via its TLS forwarding feature.

      I have set up a nextdnscli docker container to run on a lan server, and set dnsmasq on the opnsense router to forward requests to this container. The problem instantly went away.

      These random DNSSEC name resolution issues would appear to be an unbound problem:

      Unbound not resolving many domains · Issue #507 · NLnetLabs/unbound · GitHub

      As a minor thing, I wish I could quickly figure out if nextdnscli can resolve LAN hostnames for the online logs. mDNS appears to not be working. There might be better ways to set this up, but for now I'm happy I seem to have fixed the DNSSEC name resolution issue.
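A diagnostic for the intermittent "Server failed" answers discussed in this thread, added here as an example and not code from NextDNS, unbound or any poster: a validating resolver returns SERVFAIL when a zone's DNSSEC chain is broken, so re-sending the same query with the CD (Checking Disabled) bit set and comparing the two response headers tells a DNSSEC validation failure apart from a plain outage. The resolver address in `query()` is an assumption for live use; the sample responses at the bottom are constructed so the module runs offline.

```python
"""Triage a SERVFAIL from a validating resolver (e.g. NextDNS).

A broken DNSSEC chain makes a validating resolver answer SERVFAIL; the same
query with CD=1 skips validation, so SERVFAIL that becomes an answer under
CD=1 is a DNSSEC failure in the zone rather than a resolver outage.
"""
import socket
import struct

RD_FLAG, RA_FLAG = 0x0100, 0x0080
AD_FLAG = 0x0020  # Authentic Data: resolver validated this answer
CD_FLAG = 0x0010  # Checking Disabled: resolver asked not to validate
RCODE_SERVFAIL = 2

def build_query(name, txid=0x1234, checking_disabled=False):
    """Minimal A/IN query; CD=1 asks the resolver to skip DNSSEC checks."""
    flags = RD_FLAG | (CD_FLAG if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(msg):
    """Fields of the 12-byte DNS header that matter for triage."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0x000F, "ad": bool(flags & AD_FLAG),
            "cd": bool(flags & CD_FLAG), "answers": an}

def classify(normal, with_cd):
    """Compare the validated and the CD=1 response for the same name."""
    if normal["rcode"] == RCODE_SERVFAIL:
        if with_cd["rcode"] == 0 and with_cd["answers"] > 0:
            return "dnssec-validation-failure"  # zone's DNSSEC is broken
        return "servfail-not-dnssec"  # fails even unvalidated: other cause
    return "validated" if normal["ad"] else "resolved-unvalidated"

def query(resolver, name, checking_disabled=False, timeout=2.0):
    """One UDP query to a resolver on port 53 (live use; assumed address)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, checking_disabled=checking_disabled), (resolver, 53))
        return parse_header(s.recv(4096))

# Constructed header-only responses standing in for a live resolver:
# QR|RD|RA, RCODE=2, no answers; then QR|RD|RA|CD, RCODE=0, one answer.
SERVFAIL_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8000 | RD_FLAG | RA_FLAG | 2, 1, 0, 0, 0)
CD_OK_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8000 | RD_FLAG | RA_FLAG | CD_FLAG, 1, 1, 0, 0)

def triage_sample():
    """Offline run over the constructed responses above."""
    return classify(parse_header(SERVFAIL_RESPONSE), parse_header(CD_OK_RESPONSE))
```

Against a live resolver the same comparison is `classify(query(r, n), query(r, n, checking_disabled=True))`; a result of `dnssec-validation-failure` means the fix belongs with the zone owner, as with the Zoom case above.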
