
HTTP/3 DoH Periodically Shuts Off & no DNSSEC validation of certain nextdns.io

1. While I don’t use the NextDNS app, I do use a third-party DNS configuration app on iOS 16.x to plug into the doh3.dns.nextdns.io server by configuring that particular DNS server along with my NextDNS profile configuration. Apple supports DNS override in this way, and it usually works fine.

 

- However, and this happens quite randomly:

    — sometimes when I reboot my phone I’m only getting “DOH”, not “DOH3”, as is evident when I hit test.nextdns.io or if I expand the NextDNS log entries to see which protocol is being used. I need to either reboot my phone once or twice or just wait until it automatically kicks over to DOH3.

    — other times, I’ll be connected with DOH3, and then without warning the protocol drops to DOH. I don’t particularly notice anything changing other than the internet seems to slow down a bit, but the main reason I know for sure this is happening is that I view the logs every now and then, and for random periods of time the protocol switches to DOH, then back to DOH3. Sometimes the flipping happens over the course of three minutes, sometimes I’m on DOH-only for hours before it finally switches back to DOH3, and sometimes it never switches back to DOH3.

In my opinion this should not be happening. The HTTP/3 connection should never be failing, and if it does, the NextDNS server should be smart enough to “reset things” as soon as it notices DOH3 is not being served up.

Any ideas?  I use cellular only, no WiFi, and I wondered if my cellular company is blocking HTTP/3 sometimes??  I doubt they have the capability to do this because they have no way to override the DNS configuration…

 

2. When I view the RAW DNS query logs, I see that DNSSEC is used when resolving favicons.nextdns.io and api.nextdns.io; however, when resolving my.nextdns.io, router.nextdns.io, and test.nextdns.io (and I believe “ping” too), DNSSEC is NOT used (at least according to the logs). I would think all queries for *.nextdns.io hosts would be protected by DNSSEC? Any ideas?

 

— It would be nice if you could show more info in the logs so that the user doesn’t have to expand log entries to see the protocol that was used for a given query as well as whether or not DNSSEC was available/used.

 

3. Finally, HOW do I get DNS over QUIC working?? There’s no equivalent doq.dns.nextdns.io server like there is for doh3.dns.nextdns.io. Also, when I connect using TLS/DOT, the test.nextdns.io report tells me “DOT” is the protocol being used, not “DOQ”. I’ve read some posts on here where people are seeing “DOQ” as the status, and I’m wondering how they’re configuring things to get DOQ to kick in.

 

— Is it true that in general DOQ is preferable over DOH3, in terms of speed & security?

 

4. Finally, my configuration always connects to vultr-atl (anycast) despite the fact that A) I’m physically located closest to the “dtw” servers, and B) the ping times for the “dtw” servers are (usually) faster. In fact, a lot of the ping times for other servers are faster than the “atl” server, but every single time it connects to “atl” regardless.

 

— Is there a way to force the configuration to connect to a particular server every time?

 

— I’m thinking that by configuring the host name as “doh3.dns.nextdns.io”, that is forcing “anycast” and maybe “atl” is the only “anycast” server?

— Is “anycast” preferable over “ultralow”, in terms of speed & security?

— btw, when I do a ping, there’s almost always an error when pinging “teraswitch-pit”, every time, every day.  Is that server down?
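As an added example (not from this post and not NextDNS’s own tooling), here is a small Python script that pulls out of a query-log export the two things the post has to dig for by expanding individual entries: how long each DOH3-to-DOH fallback episode lasted, and which domains never came back DNSSEC-validated. The CSV column names and the sample rows are assumed/constructed, so adapt them to whatever the real export uses.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample shaped like a CSV query-log export. The column names are
# an assumption; adapt them to whatever the real export uses.
SAMPLE_LOG = """timestamp,domain,protocol,dnssec
2023-03-01T10:00:00Z,api.nextdns.io,DOH3,true
2023-03-01T10:00:05Z,favicons.nextdns.io,DOH3,true
2023-03-01T10:01:00Z,my.nextdns.io,DOH,false
2023-03-01T10:02:00Z,test.nextdns.io,DOH,false
2023-03-01T10:04:00Z,api.nextdns.io,DOH3,true
2023-03-01T10:10:00Z,router.nextdns.io,DOH,false
2023-03-01T12:30:00Z,api.nextdns.io,DOH3,true
"""

def parse_log(text):
    """Rows sorted by time; protocol upper-cased, dnssec as a bool."""
    rows = [{
        "ts": datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
        "domain": r["domain"].strip().lower(),
        "protocol": r["protocol"].strip().upper(),
        "dnssec": r["dnssec"].strip().lower() == "true",
    } for r in csv.DictReader(io.StringIO(text))]
    return sorted(rows, key=lambda r: r["ts"])

def fallback_episodes(rows, preferred="DOH3"):
    """Seconds spent off `preferred` per episode (None: log ends while still
    on the fallback). Timed from the first query seen off `preferred`, so the
    real drop happened between that query and the last `preferred` one."""
    episodes, start = [], None
    for r in rows:
        if r["protocol"] != preferred and start is None:
            start = r["ts"]
        elif r["protocol"] == preferred and start is not None:
            episodes.append((r["ts"] - start).total_seconds())
            start = None
    if start is not None:
        episodes.append(None)
    return episodes

def dnssec_by_domain(rows):
    """domain -> (queries, queries whose answer was DNSSEC-validated)."""
    stats = defaultdict(lambda: [0, 0])
    for r in rows:
        stats[r["domain"]][0] += 1
        stats[r["domain"]][1] += int(r["dnssec"])
    return {d: tuple(v) for d, v in stats.items()}
```

On the sample, `fallback_episodes` reports one three-minute and one multi-hour DOH episode, and `dnssec_by_domain` shows my/router/test.nextdns.io with zero validated answers while api and favicons are always validated.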

3 replies

      • NextDNS_User_555
      • 4 mths ago

        I’m not on that device at the moment, I can’t remember the name of it. It’s an app that plugs into the General —> VPN, DNS… —> Restrictions & Proxies —> DNS menu item, such that when you install it, it shows up as a DNS provider option (the list is like “Automatic”, followed by all the apps that support plugging in a custom DNS provider).

        There aren’t a lot of apps on the App Store like this; if you search for “custom DNS provider” or similar it should pop up. Sorry, I can’t remember the name at the moment.

    • NextDNS_User_555
    • 3 mths ago

    Is there a fix for this NextDNS? For the past week at least, I’m only connected via DOH. DOH3 isn’t working at all now.

    I haven’t changed any settings. Is your entire DOH3 protocol down or something?
