Ultralow servers instead of Anycast?

Is there any way to use the ultralow resolvers instead of anycast resolvers?

As you can see in the results, there are a lot of routing issues with anycast with my ISP (Jio, India). Currently using YogaDNS to run nextdns. It's been this way for like a month now and I am starting to think the money I spent on the pro plan is being wasted. I have posted reports like this and provided diag tool logs as well in those posts, but no response.
Please shed some light.

  • Please try using our app. YogaDNS does not support ultralow yet.

    • Olivier Poitrey Can't get it to install. Always running into the same error on the "Installing TAP Device" part.

    • Olivier Poitrey Also, does this mean no ultralow on native android PrivateDNS?

      I ran some ping tests while on PrivateDNS.

      Ping tests - https://drive.google.com/file/d/1210U3h6yBv4IYTYhE71xc7rViY-DlaE4/view?usp=sharing
      and https://drive.google.com/file/d/121uJhpR36RtmuVtvR5qklsBh4UHHKvAT/view?usp=sharing

      I installed the app and tried taking the test again.

      Result - https://drive.google.com/file/d/1228dmHdbxOSotBkRlB56kJBjce2DpLVu/view?usp=sharing
      test.nextdns.io showed the server as serverwala-del in this case.

      Gaurav (iamtheanon), 9 mths ago:

      Jermaine Potts I can confirm that you connect to ultralow on native Android Private DNS (I do!). I almost always connect to gc-bom (ultralow) or ls-bom (ultralow2) using DoT.

      Also with regards to Jio, everything seems to be quite good now, with resolutions happening properly, and I usually get a ping of 5 ms, which is good for me. I use the following configs:

      1. NextDNS CLI - Windows and Mac (I shifted to CLI in Windows since it is not detected as a trojan for me; I know it's a false positive, but still!)

      Link for Windows you could try: https://github.com/nextdns/nextdns/wiki/Windows

      2. Android - Private DNS

      Olivier Poitrey I just wanted to point one thing out here:

      dns2.nextdns.io (only IPv6) fails in resolution

      anycast.dns1.nextdns.io (with both IPv4 and IPv6) fails in resolution

      While this is not causing any latency problems for me, this is something you could look into.

    • Gaurav please try a dig +trace anycast.dns1.nextdns.io and show the result.

    • Jermaine Potts try uninstalling OpenVPN before reinstalling NextDNS.

    • Olivier Poitrey I do not have OpenVPN installed on my system. I have the TAP-windows present, which I tried uninstalling and reinstalling nextdns. Still getting errors.

      Gaurav (iamtheanon), 9 mths ago:

      Olivier Poitrey 

      Results from ping.nextdns.io

      ■ ls-bom                     8 ms  (ultralow2)
        gc-bom                     8 ms  (ultralow1)
        do-blr                    26 ms
        serverwala-del            30 ms
        microhost-del             90 ms
        anexia-dxb               201 ms
        premiumrdp-dxb           270 ms
        zepto-mil                294 ms  (anycast2)
        navico-ruh               343 ms
        premiumrdp-ruh           372 ms
        edis-dxb                 375 ms
        anycast.dns1.nextdns.io   error  (anycast1)
      

      Results from dig +trace anycast.dns1.nextdns.io while running NextDNS CLI

      Gauravs-MacBook-Air ~ % dig +trace anycast.dns1.nextdns.io
      
      ; <<>> DiG 9.10.6 <<>> +trace anycast.dns1.nextdns.io
      ;; global options: +cmd
      . 3169 IN NS i.root-servers.net.
      . 3169 IN NS j.root-servers.net.
      . 3169 IN NS k.root-servers.net.
      . 3169 IN NS l.root-servers.net.
      . 3169 IN NS m.root-servers.net.
      . 3169 IN NS a.root-servers.net.
      . 3169 IN NS b.root-servers.net.
      . 3169 IN NS c.root-servers.net.
      . 3169 IN NS d.root-servers.net.
      . 3169 IN NS e.root-servers.net.
      . 3169 IN NS f.root-servers.net.
      . 3169 IN NS g.root-servers.net.
      . 3169 IN NS h.root-servers.net.
      . 3169 IN RRSIG NS 8 0 518400 20210128050000 20210115040000 42351 . KU0ngHrmY8Vg+6WJk4NUIut0NDGOwIO0ezcPdgxfhfOXv0sEmtP2bP78 xlRg0y3UQd7QlJqca74RWFbWDmOPyRwXCVtZPfTYNpELv23kLRpjgCkX 0ahgcRe8OHfD/XJuXrl6CfU2tSJmYCvoEs4DbGHE9IZZDwD/XlzxIRKT ax0jli8PGUOlU1yu1fA4q54p/QqMGEZYeEh6ZQgAOENDg8gzQVQcgH1p aLihmbyv/tBwLKmVrQSJG1oPiXjpaR63IqOIgIFqPe6xOgY+cpp3NfFj khuGrBolpCRpopvbI0mLX1O8xqRsBnkAYEWSmSD+7WKtDgUHG/caBZLb V+zgYw==
      ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 16 ms
      
      ;; Received 52 bytes from 198.41.0.4#53(a.root-servers.net) in 17 ms
    • Gaurav what about "dig whoami.akamai.net @45.90.28.0"

      Gaurav (iamtheanon), 9 mths ago:

      Olivier Poitrey 

      % dig whoami.akamai.net @45.90.28.0
      
      ; <<>> DiG 9.10.6 <<>> whoami.akamai.net @45.90.28.0
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51836
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 512
      ;; QUESTION SECTION:
      ;whoami.akamai.net. IN A
      
      ;; ANSWER SECTION:
      whoami.akamai.net. 7 IN A 172.217.34.69
      
      ;; Query time: 46 msec
      ;; SERVER: 45.90.28.0#53(45.90.28.0)
      ;; WHEN: Tue Jan 19 06:41:01 IST 2021
      ;; MSG SIZE  rcvd: 62
    • Gaurav something is hijacking your DNS queries and blocks our hostname. This thing is running on Google Cloud. It can be a security solution you run on your network or your ISP capturing DNS traffic. Because of this, you won't be able to use ultra low latency steering.

      Gaurav (iamtheanon), 9 mths ago:

      Olivier Poitrey 

      How do you figure that something is hijacking my queries?

      When I visit test.nextdns.io, I am shown as being connected to gc-bom.

      Doesn't gc stand for Google Cloud? I figured that NextDNS servers are being shown in the hostname, so it's ok.

      In addition, on ping.nextdns.io gc-bom, which I connect to, is shown as Ultra low frequency.

      Further, I connect to gc-bom with the same results displayed not just on my Mac using CLI on my Wifi but also on my mobile data connection (another ISP).

      The same results are displayed on both devices and connections using a DNS leak test as well.

      If someone is truly hijacking, are there any ways to get around that?

    • Gaurav this is a bit confusing. The google cloud IP shown does not belong to gc-bom PoP (it’s not us). You can apparently use ultralow because your default resolver seems to only block hostnames resolving to our anycast IPs. So I guess it’s fine for now, until they figure it out and block ultra low hostnames too. The only way to configure nextdns will then be to use DoH or DoT with bootstrap IPs (not relying on default resolver to resolve dns.nextdns.io).

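An added example, not from this thread or from NextDNS, that puts the whoami.akamai.net check in code: it encodes the query in DNS wire format with no system resolver involved (so the same bytes can be handed to a DoH or DoT endpoint reached by bootstrap IP, the setup suggested above), parses the A answer, and flags an answer that is not one of the resolver's expected egress addresses. The EXPECTED_EGRESS set and SAMPLE_RESPONSE bytes are constructed for the example and are not real NextDNS addresses.

```python
import struct

# Constructed for the example (NOT real NextDNS addresses): expected resolver egress.
EXPECTED_EGRESS = {"198.51.100.7"}

def build_a_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode an A query in DNS wire format (RFC 1035); no stub resolver is used."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name and return the next offset."""
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        if ln == 0:
            return off + 1
        off += 1 + ln

def parse_a_answers(msg: bytes) -> list:
    """Return the IPv4 strings found in the ANSWER section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE/QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips

def classify_whoami(ips, expected=EXPECTED_EGRESS) -> str:
    """whoami.akamai.net returns the address that asked Akamai; an answer outside the
    resolver's expected egress set means something on the path answered instead."""
    if not ips:
        return "no-answer"
    return "ok" if set(ips) <= set(expected) else "intercepted"

# Constructed response carrying the page's answer 172.217.34.69 (TTL 7); the answer
# name is a compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x06whoami\x06akamai\x03net\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 7, 4) + bytes([172, 217, 34, 69])
)
```

Run the same classification against the live answer from the resolver you actually intend to use; an "intercepted" result with the resolver's own address in the SERVER line is exactly the pattern discussed in this thread.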
      Gaurav (iamtheanon), 9 mths ago:

      Olivier Poitrey So, in the DNS leak tests I am always shown the IP "34.93.164.22" with hostname "dns.nextdns.io" and ISP as "Google Cloud". This is also consistent. I always get just 1 DNS server at dnsleaktest.com.

      So, is this IP not for NextDNS? Are you referring to the following IP (172.217.34.69) shown in my answer above?

      I have tried the query again and I get the following output from a different ISP. Is this also being hijacked?

      dig whoami.akamai.net @45.90.28.0
      
      ; <<>> DiG 9.10.6 <<>> whoami.akamai.net @45.90.28.0
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8513
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1220
      ;; QUESTION SECTION:
      ;whoami.akamai.net. IN A
      
      ;; ANSWER SECTION:
      whoami.akamai.net. 68 IN A 156.146.56.172
      
      ;; Query time: 110 msec
      ;; SERVER: 45.90.28.0#53(45.90.28.0)
      ;; WHEN: Tue Jan 19 12:40:42 IST 2021
      ;; MSG SIZE  rcvd: 62

      Is using a VPN the only way to prevent such hijacking?

    • Gaurav the dnsleaktest is testing your DoT setup, which can't be hijacked. A workaround would be to use our CLI client at the router level.

      https://nextdns.io/cli

      Gaurav (iamtheanon), 9 mths ago:

      Olivier Poitrey I think you have misunderstood. I am currently using DoH using CLI only (on Mac) which is what I used for both these outputs. My router sadly doesn't support the CLI Configurations. I suppose I will need to look for a new router which supports the CLI. 

      Also both of these outputs were from fixed LAN and not any mobile hotspots (I think you thought I am using a hotspot from my android phone which uses DoT) or anything of that sort. 

    • Gaurav your Mac is fine with CLI. Your Android might have an issue if using Private DNS and your ISP blocks dns.nextdns.io. If you install the CLI at the router level, your Android with Private DNS will be protected against this type of blocking. I hope it's clearer; it's confusing as there are multiple layers of DNS in play.

    • Olivier Poitrey I think something similar is at play with Jio Fiber too. I started using the official app on Windows to get ultralow servers on your instruction. I was successful, but there was no secondary resolver. Only one server used to be connected; the rest of them gave errors on the ping page. I did some DNS tests, and due to having no secondary server, my DNS requests are split between NextDNS and the official ISP DNS, which is cumbersome to say the least. The queries keep rotating between serverwala-del and Jio DNS back and forth. Guess Jio has us defeated. :/

  • Olivier Poitrey It seems disabling IPv6 altogether enabled the use of ultralow servers when using the windows app. Now it doesn't rotate between ISP DNS and NextDNS. Sticks to the Delhi servers. Unfortunately, no way to disable IPv6 on android (DoT) since the router is heavily locked down and doesn't allow disabling IPv6 at router level.
