
Stubby with client private subnet EDNS does not work

I think this is a recent problem, as I've not experienced it before, and I'm not sure if it's due to a stubby update or a NextDNS backend change or both.

Essentially, the issue is that if I set the following option on stubby:

# /etc/stubby/stubby.yml
edns_client_subnet_private: 1

it can no longer receive responses from NextDNS but instead returns SERVFAIL for everything.

My setup is the following:

  • stubby version 0.4.3
  • openssl version 3.0.7
  • Diagnostic at: https://nextdns.io/diag/d02b9a20-8890-11ed-9265-c57d23fcea7f
  • relevant config:

    # /etc/stubby/stubby.yml
    resolution_type: GETDNS_RESOLUTION_STUB
    dns_transport_list:
      - GETDNS_TRANSPORT_TLS
    tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
    tls_query_padding_blocksize: 128
    edns_client_subnet_private: 1
    round_robin_upstreams: 1
    idle_timeout: 10000
    dnssec: GETDNS_EXTENSION_TRUE
    upstream_recursive_servers:
    ## Next DNS
      - address_data: 45.90.28.0
        tls_auth_name: "name-xxxxxx.dns1.nextdns.io"
      - address_data: 45.90.30.0
        tls_auth_name: "name-xxxxxx.dns2.nextdns.io"


If I change the edns_client_subnet_private setting to 0, then everything works correctly. I would, however, prefer to keep the private subnet enabled.
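To make the symptom concrete: with `edns_client_subnet_private: 1`, stubby (via getdns) attaches an EDNS0 Client Subnet option carrying a zero-length subnet (SOURCE PREFIX-LENGTH 0), which RFC 7871 defines as the client's request that the resolver not forward its subnet to authoritative servers. The following script is an added example, not code from the original post or from stubby/getdns; it builds such a query on the wire, parses the OPT record back out, and decodes the RCODE of a response so that a SERVFAIL (RCODE 2) can be told apart from NOERROR. All names, the query ID, and the sample response are constructed for the example and never touch the network.

```python
import struct

ECS_OPTION_CODE = 8   # EDNS0 Client Subnet option code (RFC 7871)
OPT_RRTYPE = 41       # OPT pseudo-RR type (RFC 6891)
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_ecs_option(family: int = 1, source_prefix: int = 0, address: bytes = b"") -> bytes:
    """OPTION-CODE, OPTION-LENGTH, FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH, ADDRESS.
    The defaults (IPv4 family, prefix 0, no address) are the privacy opt-out form."""
    body = struct.pack("!HBB", family, source_prefix, 0) + address
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def build_query(qname: str, qid: int = 0x1234, private_ecs: bool = True, udp_size: int = 1232) -> bytes:
    """A query for <qname>/A with an OPT RR; private_ecs adds the zero-length ECS option."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    rdata = build_ecs_option() if private_ecs else b""
    # OPT RR: root name, type 41, CLASS = UDP payload size, TTL = ext-RCODE/version/flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_RRTYPE, udp_size, 0, len(rdata)) + rdata
    return header + question + opt


def skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at offset."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_message(msg: bytes) -> dict:
    """Extract the message ID, the full (extended) RCODE, and any ECS option present."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):
        offset = skip_name(msg, offset) + 4          # QTYPE + QCLASS
    ecs = None
    for _ in range(an + ns + ar):
        offset = skip_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype != OPT_RRTYPE:
            continue
        rcode |= ((ttl >> 24) & 0xFF) << 4           # upper 8 bits of the extended RCODE
        pos = 0
        while pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code == ECS_OPTION_CODE and len(body) >= 4:
                family, src, scope = struct.unpack("!HBB", body[:4])
                ecs = {"family": family, "source_prefix": src,
                       "scope_prefix": scope, "address": body[4:]}
    return {"id": qid, "rcode": rcode, "rcode_name": RCODE_NAMES.get(rcode, str(rcode)), "ecs": ecs}


def build_response(query: bytes, rcode: int) -> bytes:
    """Constructed sample response: echoes the query ID and question, sets QR/RD/RA and RCODE, no answers."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, 0, 0, 0)
    qend = skip_name(query, 12) + 4
    return header + query[12:qend]


if __name__ == "__main__":
    q = build_query("example.com")          # constructed query, as stubby would send with the private option
    print("query carries ECS:", parse_message(q)["ecs"])
    bad = build_response(q, 2)               # constructed SERVFAIL, the symptom described in the post
    print("response RCODE:", parse_message(bad)["rcode_name"])
```

Capturing stubby's upstream traffic is not possible with DNS-over-TLS without a key log, so the practical use of this parser is on the plain-DNS side: feed it the bytes a local client sends to stubby and the bytes stubby returns, and confirm whether the failures are SERVFAIL from the resolver rather than a local timeout or TLS authentication problem.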

1 reply

pink_cactus (1 yr ago):

    I'd try two things:

    Updating your config to remove the numbers 1 and 2 (they made a change recently):

        tls_auth_name: "devicename-xxxxxx.dns.nextdns.io"

    OR removing the dnssec line (per some other post on here, it's redundant).
