
Problem with NextDNS resolver today

I'm using the Pro plan, but today a lot of domains are either slow or not resolving (they're not blocked, according to the logs).

Things like duckduckgo.com

Disabling NextDNS solves the issue (using ISP dns).

  • Please provide a https://nextdns.io/diag

  • @NextDNS

    (also subscriber)

    I am likewise running into problems where queries on certain domains return failures and take multiple attempts to successfully resolve. Interestingly, in the my.nextdns.io log I can see that the query was permitted, the server just failed to return an answer.

    On my home LAN, I use OPNsense with Unbound configured for DNS-over-TLS forwarding to NextDNS. Most domains work instantly. It only happens for certain domains, such as Zoom and Discord, including the domain in the post above, DuckDuckGo. And it happens on all devices using NextDNS, such as Windows, Mac, and iPhones.

    Even without OPNsense, for example on the iPhone with the NextDNS app on a mobile network, Safari will return "server not found", and it will take multiple attempts for the page to finally load.

    LAN: https://nextdns.io/diag/35cce490-d718-11ec-b229-05f9519eeb77

    Example output from a nslookup on my home lan:

    PS C:\Users\user\Downloads> nslookup zoom.us
    Server:  opnsense
    Address:  10.250.0.1

    *** opnsense can't find zoom.us: Server failed

    And I try again only a few seconds later:

    PS C:\Users\user\> nslookup zoom.us
    Server:  opnsense
    Address:  10.250.0.1

    Non-authoritative answer:
    Name: zoom.us
    Address:  170.114.10.76

    • @Bryan Wiegand Zoom has some of their authoritative DNS misconfigured regarding DNSSEC: https://community.zoom.com/t5/Meetings/Zoom-s-DNS-records-are-misconfigured/td-p/46468

    • @NextDNS Will any domain with DNSSEC configuration issues have problems resolving on NextDNS? Is it an enforcement issue?

    • @Bryan Wiegand Yes, otherwise DNSSEC would have no point.

    • @NextDNS Thanks, it makes sense. It may be worth noting, just for the scope of it, that all of the domains that have had trouble resolving at times, such as zoom.us, discord.gg, duckduckgo.com, and frontier.co.uk, show similar problems when reviewed on https://dnssec-analyzer.verisignlabs.com/

      I'm not sure what can be done about it if, like you said, it is an issue with the service and their DNSSEC records. If it were a large enough issue, would it be possible to consider allowing, for certain domains, disabling hardening or splitting them off into traditional DNS on the NextDNS side?

      Or maybe there is another solution. As of now, if I need to reliably connect to Zoom or Discord, for example, I have to bypass or disable NextDNS.

    • @NextDNS I guess the above request might not reflect how DNSSEC works. In any case, I got around this by not using Unbound via its TLS forwarding feature.

      I have set up a nextdnscli Docker container to run on a LAN server, and set dnsmasq on the OPNsense router to forward requests to this container. The problem instantly went away.

      This issue of random DNSSEC name resolution failures would appear to be an Unbound problem:

      Unbound not resolving many domains · Issue #507 · NLnetLabs/unbound · GitHub

      As a minor thing, I wish I could quickly figure out whether nextdnscli can resolve LAN hostnames for the online logs. mDNS appears to not be working. There might be better ways to set this up, but for now I'm happy I seem to have fixed the DNSSEC name resolution issue.

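The exchange above hinges on one question: is the intermittent SERVFAIL a validating resolver rejecting a zone with broken DNSSEC, or is the resolver itself failing? The standard way to tell them apart is to send the same query twice, once normally and once with the CD (Checking Disabled) bit set: if the strict query returns SERVFAIL while the CD=1 query returns an answer, the data exists and it is validation that fails. Modern resolvers often also attach an Extended DNS Error option (RFC 8914) naming the reason. The script below is an added example, not code from the thread, from NextDNS or from Unbound; it builds and parses DNS messages with the standard library only. The `diagnose()` function performs the live two-query check against any UDP resolver, while `demo()` runs the same logic offline against replies constructed here to mimic the pattern in the thread (the EDE text and the retry outcome are constructed, not captured NextDNS traffic). Whether a given resolver returns EDE at all is an assumption; the classification does not depend on it.

```python
import socket
import struct

# RFC 8914 info-codes most relevant to validation failures
EDE_TEXT = {6: "DNSSEC Bogus", 7: "Signature Expired", 8: "Signature Not Yet Valid",
            9: "DNSKEY Missing", 10: "RRSIGs Missing", 11: "No Zone Key Bit Set",
            12: "NSEC Missing"}


def _encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")) + b"\x00"


def build_query(name, checking_disabled=False, txid=0x1234, qtype=1):
    """A/IN query with RD set and an EDNS0 OPT record (DO=1); CD bit optional."""
    flags = 0x0100 | (0x0010 if checking_disabled else 0)        # RD, CD
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)  # root, OPT, bufsize, DO, rdlen
    return header + question + opt


def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer terminates the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return rcode, AD flag, A-record answers and any EDE (code, text) options."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    result = {"rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "answers": [], "ede": []}
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            off = _skip_name(msg, off)
            rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            if section == "an" and rtype == 1 and rdlen == 4:
                result["answers"].append(".".join(str(b) for b in rdata))
            elif rtype == 41:                                   # OPT: walk the EDNS options
                o = 0
                while o + 4 <= len(rdata):
                    code, olen = struct.unpack_from("!HH", rdata, o)
                    o += 4
                    if code == 15 and olen >= 2:                # Extended DNS Error
                        info = struct.unpack_from("!H", rdata, o)[0]
                        result["ede"].append((info, rdata[o + 2:o + olen].decode("utf-8", "replace")))
                    o += olen
    return result


def classify(strict, relaxed):
    """strict = reply to the CD=0 query, relaxed = reply to the same query with CD=1."""
    if strict["rcode"] == 0:
        return "ok, validated (AD set)" if strict["ad"] else "ok, not validated (unsigned zone or non-validating resolver)"
    if strict["rcode"] == 2 and relaxed["rcode"] == 0 and relaxed["answers"]:
        hint = "; ".join(f"EDE {c} {EDE_TEXT.get(c, '')}: {t}".strip() for c, t in strict["ede"]) or "no EDE option"
        return f"dnssec-bogus: resolver validates and rejects the zone ({hint}); data exists with CD=1"
    return f"resolver failure: rcode {strict['rcode']} regardless of CD bit"


def diagnose(name, server, port=53, timeout=3.0):
    """Live check against a UDP resolver (network; not exercised by the offline demo)."""
    replies = []
    for cd in (False, True):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, checking_disabled=cd), (server, port))
            replies.append(parse_response(s.recv(4096)))
    return classify(*replies)


def _constructed_reply(name, rcode, ad=False, cd=False, addr=None, ede=None):
    """Build a reply for the offline demo (constructed sample, not captured traffic)."""
    flags = 0x8180 | rcode | (0x0020 if ad else 0) | (0x0010 if cd else 0)  # QR RD RA
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 1 if addr else 0, 0, 1)
    msg += _encode_name(name) + struct.pack("!HH", 1, 1)
    if addr:   # one A record, owner name compressed to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(x) for x in addr.split("."))
    opt_rdata = b""
    if ede is not None:
        payload = struct.pack("!H", ede[0]) + ede[1].encode()
        opt_rdata = struct.pack("!HH", 15, len(payload)) + payload
    msg += b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, len(opt_rdata)) + opt_rdata
    return msg


def demo():
    """Offline reproduction of the thread's pattern: SERVFAIL when validating, data with CD=1."""
    strict = parse_response(_constructed_reply("zoom.us", rcode=2, ede=(10, "constructed sample text")))
    relaxed = parse_response(_constructed_reply("zoom.us", rcode=0, cd=True, addr="170.114.10.76"))
    return classify(strict, relaxed)


if __name__ == "__main__":
    print(demo())
```

From a shell the same two-query check is `dig @<resolver> zoom.us` followed by `dig @<resolver> +cd zoom.us`; a SERVFAIL from the first and an answer from the second points at the zone's DNSSEC, not at the resolver, which is why bypassing NextDNS for those names "fixed" it in the thread and why a resolver that forwards but does not validate hides the problem rather than solving it.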