
Ultralow servers instead of Anycast?

Is there any way to use the ultralow resolvers instead of anycast resolvers?

As you can see in the results, there are a lot of routing issues with anycast with my ISP (Jio, India). Currently using YogaDNS to run nextdns. It's been this way for like a month now and I am starting to think the money I spent on the pro plan is being wasted. I have posted reports like this and provided diag tool logs as well in those posts, but no response.
Please shed some light.

21 replies

    • olivier
    • 3 yrs ago

    Please try using our app. YogaDNS does not support ultralow yet.

      • Jermaine_Potts
      • 3 yrs ago

      Olivier Poitrey Can't get it to install. Always running into the same error on the "Installing TAP Device" part.

      • Jermaine_Potts
      • 3 yrs ago

      Olivier Poitrey Also, does this mean no ultralow on native android PrivateDNS?

      I ran some ping tests while on PrivateDNS.

      Ping tests - https://drive.google.com/file/d/1210U3h6yBv4IYTYhE71xc7rViY-DlaE4/view?usp=sharing
      and https://drive.google.com/file/d/121uJhpR36RtmuVtvR5qklsBh4UHHKvAT/view?usp=sharing

      I installed the app and tried taking the test again.

      Result - https://drive.google.com/file/d/1228dmHdbxOSotBkRlB56kJBjce2DpLVu/view?usp=sharing
      test.nextdns.io showed the server as serverwala-del in this case.

      • iamtheanon
      • 3 yrs ago

      Jermaine Potts I can confirm that you connect to ultralow on native Android Private DNS (I do!). I almost always connect to gc-bom (ultralow) or ls-bom (ultralow2) using DoT.


      Also with regards to Jio, everything seems to be quite good now with resolutions happening properly and I usually get a ping of 5ms which is good for me. I use the following configs:

      1. NextDNS CLI - Windows and Mac (I shifted to the CLI on Windows since it is not detected as a trojan for me; I know it's a false positive, but still!)

      Link for windows you could try: https://github.com/nextdns/nextdns/wiki/Windows

      2. Android - Private DNS


      Olivier Poitrey I just wanted to point one thing out here:

      dns2.nextdns.io (only ipv6) fails in resolution

      anycast.dns1.nextdns.io ( with both ipv4 and ipv6) fails in resolution


      While this is not causing any latency problems for me, it is something you could look into.

      • olivier
      • 3 yrs ago

      Gaurav please try a dig +trace anycast.dns1.nextdns.io and show the result.

      • olivier
      • 3 yrs ago

      Jermaine Potts try uninstalling OpenVPN before reinstalling NextDNS.

      • Jermaine_Potts
      • 3 yrs ago

      Olivier Poitrey I do not have OpenVPN installed on my system. I have TAP-Windows present, which I tried uninstalling before reinstalling NextDNS. Still getting errors.

      • iamtheanon
      • 3 yrs ago

      Olivier Poitrey 

      Results from ping.nextdns.io

      ■ ls-bom                     8 ms  (ultralow2)
        gc-bom                     8 ms  (ultralow1)
        do-blr                    26 ms
        serverwala-del            30 ms
        microhost-del             90 ms
        anexia-dxb               201 ms
        premiumrdp-dxb           270 ms
        zepto-mil                294 ms  (anycast2)
        navico-ruh               343 ms
        premiumrdp-ruh           372 ms
        edis-dxb                 375 ms
        anycast.dns1.nextdns.io   error  (anycast1)
      

      Results from dig +trace anycast.dns1.nextdns.io while running NextDNS CLI

      Gauravs-MacBook-Air ~ % dig +trace anycast.dns1.nextdns.io
      
      ; <<>> DiG 9.10.6 <<>> +trace anycast.dns1.nextdns.io
      ;; global options: +cmd
      . 3169 IN NS i.root-servers.net.
      . 3169 IN NS j.root-servers.net.
      . 3169 IN NS k.root-servers.net.
      . 3169 IN NS l.root-servers.net.
      . 3169 IN NS m.root-servers.net.
      . 3169 IN NS a.root-servers.net.
      . 3169 IN NS b.root-servers.net.
      . 3169 IN NS c.root-servers.net.
      . 3169 IN NS d.root-servers.net.
      . 3169 IN NS e.root-servers.net.
      . 3169 IN NS f.root-servers.net.
      . 3169 IN NS g.root-servers.net.
      . 3169 IN NS h.root-servers.net.
      . 3169 IN RRSIG NS 8 0 518400 20210128050000 20210115040000 42351 . KU0ngHrmY8Vg+6WJk4NUIut0NDGOwIO0ezcPdgxfhfOXv0sEmtP2bP78 xlRg0y3UQd7QlJqca74RWFbWDmOPyRwXCVtZPfTYNpELv23kLRpjgCkX 0ahgcRe8OHfD/XJuXrl6CfU2tSJmYCvoEs4DbGHE9IZZDwD/XlzxIRKT ax0jli8PGUOlU1yu1fA4q54p/QqMGEZYeEh6ZQgAOENDg8gzQVQcgH1p aLihmbyv/tBwLKmVrQSJG1oPiXjpaR63IqOIgIFqPe6xOgY+cpp3NfFj khuGrBolpCRpopvbI0mLX1O8xqRsBnkAYEWSmSD+7WKtDgUHG/caBZLb V+zgYw==
      ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 16 ms
      
      ;; Received 52 bytes from 198.41.0.4#53(a.root-servers.net) in 17 ms
      
      
      • olivier
      • 3 yrs ago

      Gaurav what about "dig whoami.akamai.net @45.90.28.0"

      • iamtheanon
      • 3 yrs ago

      Olivier Poitrey 

      % dig whoami.akamai.net @45.90.28.0
      
      ; <<>> DiG 9.10.6 <<>> whoami.akamai.net @45.90.28.0
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51836
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 512
      ;; QUESTION SECTION:
      ;whoami.akamai.net. IN A
      
      ;; ANSWER SECTION:
      whoami.akamai.net. 7 IN A 172.217.34.69
      
      ;; Query time: 46 msec
      ;; SERVER: 45.90.28.0#53(45.90.28.0)
      ;; WHEN: Tue Jan 19 06:41:01 IST 2021
      ;; MSG SIZE  rcvd: 62
      
      • olivier
      • 3 yrs ago

      Gaurav something is hijacking your DNS queries and blocks our hostname. This thing is running on Google Cloud. It can be a security solution you run on your network or your ISP capturing DNS traffic. Because of this, you won't be able to use ultra low latency steering.
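      The whoami.akamai.net check suggested above, as an added example that is not part of this thread: it parses the dig output format shown in the replies and flags a query as intercepted when the address Akamai saw is outside the resolver's expected egress ranges. EXPECTED_EGRESS is a placeholder assumption here, not NextDNS's published ranges; the sample outputs are constructed from the two dig runs posted in the thread.

```python
import ipaddress
import re

# Constructed samples: the two dig outputs posted in the thread, trimmed to the
# lines this check needs (the full outputs also carry header and EDNS lines).
DIG_OUTPUT_1 = """\
;; ANSWER SECTION:
whoami.akamai.net. 7 IN A 172.217.34.69

;; Query time: 46 msec
;; SERVER: 45.90.28.0#53(45.90.28.0)
"""

DIG_OUTPUT_2 = """\
;; ANSWER SECTION:
whoami.akamai.net. 68 IN A 156.146.56.172

;; Query time: 110 msec
;; SERVER: 45.90.28.0#53(45.90.28.0)
"""

# PLACEHOLDER assumption: the ranges the resolver operator says its recursive
# servers egress from. Replace with the operator's published ranges.
EXPECTED_EGRESS = [ipaddress.ip_network("45.90.28.0/24")]

ANSWER_RE = re.compile(r"^whoami\.akamai\.net\.\s+\d+\s+IN\s+A\s+(\S+)", re.M)
SERVER_RE = re.compile(r"^;; SERVER:\s+([^#\s]+)#\d+", re.M)


def parse_dig(output):
    """Return (resolver IP the query was sent to, IP Akamai saw) from dig text."""
    server = SERVER_RE.search(output)
    answer = ANSWER_RE.search(output)
    if not server or not answer:
        raise ValueError("dig output lacks a SERVER line or a whoami A record")
    return ipaddress.ip_address(server.group(1)), ipaddress.ip_address(answer.group(1))


def classify(output, expected=EXPECTED_EGRESS):
    """'direct' if Akamai saw an expected egress address, else 'intercepted'."""
    queried, seen = parse_dig(output)
    if any(seen in net for net in expected):
        return "direct"
    # The query addressed to `queried` was answered by a recursive resolver whose
    # egress is `seen`: an on-path device handled port 53 instead of the intended server.
    return "intercepted"


if __name__ == "__main__":
    for label, out in (("ISP 1", DIG_OUTPUT_1), ("ISP 2", DIG_OUTPUT_2)):
        print(label, parse_dig(out), classify(out))
```

Both posted outputs classify as intercepted under the placeholder range; only an answer inside EXPECTED_EGRESS would classify as direct.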

      • iamtheanon
      • 3 yrs ago

      Olivier Poitrey 

      How do you figure that something is hijacking my queries?

      When I visit test.nextdns.io, I am shown as being connected to gc-bom.

      Doesn't gc stand for Google Cloud? I figured that NextDNS servers are being shown in the hostname, so it's OK.


      In addition on ping.nextdns.io gc-bom which I connect to is shown as Ultra low frequency.

      Further I connect to gc-bom with the same results displayed not just on my Mac using CLI on my Wifi but also on my mobile data connection (another ISP).

      The same results are displayed on both devices and connections using a dns leak test as well. 

      If someone is truly hijacking, are there any ways to get around that?

      • olivier
      • 3 yrs ago

      Gaurav this is a bit confusing. The google cloud IP shown does not belong to gc-bom PoP (it’s not us). You can apparently use ultralow because your default resolver seems to only block hostnames resolving to our anycast IPs. So I guess it’s fine for now, until they figure it out and block ultra low hostnames too. The only way to configure nextdns will then be to use DoH or DoT with bootstrap IPs (not relying on default resolver to resolve dns.nextdns.io).

      • iamtheanon
      • 3 yrs ago

      Olivier Poitrey So, in the DNS leak tests I am always shown the IP "34.93.164.22" with hostname "dns.nextdns.io" and ISP as "Google Cloud". This is also consistent. I always get just 1 DNS server at dnsleaktest.com.

      So, is this IP not for NextDNS? Are you referring to the following IP (172.217.34.69) shown in my answer above?

      I have tried the query again and I get the following output from a different ISP. Is this also being hijacked?


      dig whoami.akamai.net @45.90.28.0
      
      ; <<>> DiG 9.10.6 <<>> whoami.akamai.net @45.90.28.0
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8513
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1220
      ;; QUESTION SECTION:
      ;whoami.akamai.net. IN A
      
      ;; ANSWER SECTION:
      whoami.akamai.net. 68 IN A 156.146.56.172
      
      ;; Query time: 110 msec
      ;; SERVER: 45.90.28.0#53(45.90.28.0)
      ;; WHEN: Tue Jan 19 12:40:42 IST 2021
      ;; MSG SIZE  rcvd: 62

      Is using a VPN the only way to prevent such hijacking?

      • olivier
      • 3 yrs ago

      Gaurav the dnsleaktest is testing your DoT setup, which can't be hijacked. A workaround would be to use our CLI client at the router level.

      https://nextdns.io/cli

      • iamtheanon
      • 3 yrs ago

      Olivier Poitrey I think you have misunderstood. I am currently using DoH using CLI only (on Mac) which is what I used for both these outputs. My router sadly doesn't support the CLI Configurations. I suppose I will need to look for a new router which supports the CLI. 

      Also both of these outputs were from fixed LAN and not any mobile hotspots (I think you thought I am using a hotspot from my android phone which uses DoT) or anything of that sort. 

      • olivier
      • 3 yrs ago

      Gaurav your Mac is fine with the CLI. Your Android might have an issue if using Private DNS and your ISP blocks dns.nextdns.io. If you install the CLI at the router level, your Android with Private DNS will be protected against this type of blocking. I hope it's clearer; it's confusing as there are multiple layers of DNS in play.

      • Jermaine_Potts
      • 3 yrs ago

      Olivier Poitrey I think something similar is at play with Jio Fiber too. I started using the official app on Windows to get ultralow servers on your instruction. I was successful, but there was no secondary resolver. Only one server used to be connected; the rest of them gave errors on the ping page. I did some DNS tests, and due to having no secondary server, my DNS requests are split between NextDNS and the official ISP DNS, which is cumbersome to say the least. The queries keep rotating between serverwala-del and Jio DNS back and forth. Guess Jio has us defeated. :/

      • Tobias.1
      • 11 mths ago

      Exactly, it's like using DoH on MikroTik: it needs to be a static entry to guarantee the settings won't be bypassed. And just a tip: ultralow is not better than anycast; that technical concept is completely wrong and generates several security flaws. I'll summarize it for you. If you define anycast, which is global, it has its Master servers, and only they control everything, regardless of which country they are in, and it is the master that calls the slave (steering) servers spread around the world, based on the IP. Right there lies a problem that I have already detected and nobody listens to. I'll give you an example: there is Facebook Brazil; near me there is a CDN in the nearest capital, but the DNS always tries to query here, at the same IP, always the same domain (ultralow). But this is completely mistaken: they are limiting by carrier, only querying at the carrier's IP and not at the application IPs spread across the country. There is no rotation of queries; it stays static, which even makes it easy for me to use it to get free internet, and I won't even mention DDoS, hence the flood of attacks every day. What you use is not correct anycast; the correct way to eliminate vulnerabilities is the way I described, rotating queries across all the application servers, not limited to the carrier as is done now, especially because ECS, ESNI, ECH etc. all go down the drain if you are querying the carrier's server and only one ultralow peer; then it's all gone, it's just an illusion. An anycast network doesn't stay stuck; it rotates queries within seconds, with a TTL of 60 seconds, always rotating across all the application servers as I already mentioned. So they are confusing ultralow; low latency in DNS queries is irrelevant as long as anycast is configured well to avoid the flaws I have already detected.

    • Jermaine_Potts
    • 3 yrs ago

    Olivier Poitrey It seems disabling IPv6 altogether enabled the use of ultralow servers when using the Windows app. Now it doesn't rotate between ISP DNS and NextDNS; it sticks to the Delhi servers. Unfortunately, there is no way to disable IPv6 on Android (DoT), since the router is heavily locked down and doesn't allow disabling IPv6 at the router level.
