Unifi UXG-MAX, not all DNS requests using profile

My problem is that in my profile dashboard, the status keeps alternating every few seconds from "All Good" to "This device is using NextDNS with no profile."  Subsequently I'm getting hits and misses on my content management settings.

My setup is using a DoH connection from a UXG-MAX gateway.  This is configured with a custom DNS stamp based on the Linux - DNSCrypt stamp provided in the setup guide.  The only difference is I specify my customer ID in the path /<Cust ID>/<Dev Name>.   This does seem to work, as at times the status is all good, but every second or so the status flips.  Looking at the log, all DNS requests are encrypted, so at least that is working 100%.

On the Gateway, I have blocked all outbound DNS from the LAN, so the gateway is the only path to NextDNS.   I also don't have any secondary DNS services configured. 

Requests to test.nextdns.io mirror this behaviour, with some returning (sensitive data removed):

"status": "ok",
"protocol": "DOH",
"client": "xxx.xxx.xxx.xxx",
"srcIP": "xxx.xxx.xxx.xxx",
"destIP": "45.90.30.0",
"anycast": true,
"server": "vultr-ams-1",
"clientName": "dnscrypt"
and some returning:

"status": "ok",
"protocol": "DOH",
"profile": "------------",
"client": "xxx.xxx.xxx.xxx",
"srcIP": "xxx.xxx.xxx.xxx",
"destIP": "45.142.244.191",
"anycast": false,
"server": "zepto-lon-1",
"clientName": "dnscrypt",
"deviceName": "UXGMax",
"deviceID": "----"
This looks to me like an error with load balancing, which I assume NextDNS has set up.  One resolver path gets the correct response, while another path does not.  I'd appreciate it if anyone has further ideas on what I can do to test / troubleshoot and resolve this.

Many thanks... Rob
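One way to quantify the hit-and-miss behaviour described above, as an added example that is not part of the original post: it takes test.nextdns.io-style responses (constructed samples modelled on the two shapes quoted above, with placeholder IPs and IDs) and counts, per upstream server, how many answers carry a profile and how many do not. The fetch_live helper assumes https://test.nextdns.io returns a JSON object like those in the post.

```python
import json
import urllib.request
from collections import Counter

# Constructed samples mirroring the two response shapes seen in the post.
# IPs, profile and device IDs are placeholders, not real values.
SAMPLE_RESPONSES = [
    {"status": "ok", "protocol": "DOH", "client": "203.0.113.5", "srcIP": "203.0.113.5",
     "destIP": "45.90.30.0", "anycast": True, "server": "vultr-ams-1", "clientName": "dnscrypt"},
    {"status": "ok", "protocol": "DOH", "profile": "abc123", "client": "203.0.113.5",
     "srcIP": "203.0.113.5", "destIP": "45.142.244.191", "anycast": False,
     "server": "zepto-lon-1", "clientName": "dnscrypt", "deviceName": "UXGMax", "deviceID": "dev01"},
    {"status": "ok", "protocol": "DOH", "client": "203.0.113.5", "srcIP": "203.0.113.5",
     "destIP": "45.90.30.0", "anycast": True, "server": "vultr-ams-1", "clientName": "dnscrypt"},
    {"status": "ok", "protocol": "DOH", "profile": "abc123", "client": "203.0.113.5",
     "srcIP": "203.0.113.5", "destIP": "45.142.244.191", "anycast": False,
     "server": "zepto-lon-1", "clientName": "dnscrypt", "deviceName": "UXGMax", "deviceID": "dev01"},
]


def classify(resp):
    """Reduce one response to the fields that matter for this symptom."""
    return {
        "server": resp.get("server"),
        "anycast": resp.get("anycast"),
        "protocol": resp.get("protocol"),
        # Missing "profile" is exactly the "NextDNS with no profile" state.
        "has_profile": "profile" in resp,
    }


def summarize(responses):
    """Per upstream server, count answers with and without a profile."""
    per_server = {}
    for resp in responses:
        c = classify(resp)
        bucket = per_server.setdefault(c["server"], Counter())
        bucket["with_profile" if c["has_profile"] else "no_profile"] += 1
    return per_server


def fetch_live(n=10):
    """Query test.nextdns.io n times (assumed to return JSON as in the post)."""
    out = []
    for _ in range(n):
        with urllib.request.urlopen("https://test.nextdns.io", timeout=5) as r:
            out.append(json.loads(r.read().decode()))
    return out


if __name__ == "__main__":
    for server, counts in summarize(SAMPLE_RESPONSES).items():
        print(server, dict(counts))
```

Replace SAMPLE_RESPONSES with fetch_live(20) to see whether the no-profile answers cluster on particular servers, as the poster suspected, or are spread across all of them.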

4 replies

    • losnad
    • 11 days ago
    • Reported - view

    Try with this: 

    https://help.nextdns.io/t/60halgj?r=x2hal2j#x2hal2j

    (The website is blocked by Bypass Methods, so either temporarily disable it if you have it on, or add it to the Allowlist.)

    • Rob_Dowding
    • 11 days ago
    • Reported - view

    I got my hopes up.  There was a difference between my stamp and the recommended setting from the post you shared: mine had DNSSEC selected.  I was then thinking, of course, only sites with DNSSEC enabled are the ones that pick up my profile, and the rest don't.  That perfectly explained what I was seeing.  Only when I tried the revised stamp, I'm still seeing the same results.   I also tried the DoH3 stamp, with no success.

    I'm really not sure if this is a Unifi problem or a NextDNS one.  I just think the symptoms do point to load balancing paths acting differently.

    • Mike_V
    • 8 days ago
    • Reported - view

    Did you name your custom encrypted DNS profile "NextDNS"? If so, rename it - add your profile ID or something else to make it unique - as it's conflicting with Unifi's pre-configured NextDNS profile.

      • Rob_Dowding
      • 8 days ago
      • Reported - view

       Thank you so much.  This indeed fixed the issue.  I've had a ticket open with Unifi for over a week, and they were not able to tell me this.  You're a star!
