0

Keep getting NXDOMAIN for well known sites

During the last week, I keep getting NXDOMAIN responses from NextDNS for very well know sites, such as bbc.co.uk, www.ebay.co.uk etc. These responses typically stop after a few minutes and it starts returning the correct IP. The later it all happens again

For me this is happening about 20 times a day. If I change my router to use Quad 9 instead (still using DoT) this does not happen.

8 replies

null
    • Ian_Morris
    • 2 yrs ago
    • Reported - view

    And again:

     

    This site can’t be reached

    Check if there is a typo in www.amazon.co.uk.

     

    • If spelling is correct, try running windows network Diagnostics.

    DNS_PROBE_FINISHED_NXDOMAIN

    • NextDNs
    • 2 yrs ago
    • Reported - view

    What browser are you using?

    • Ian_Morris
    • 2 yrs ago
    • Reported - view

    Usually Chrome based, Vivaldi or Edge,

      • NextDNs
      • 2 yrs ago
      • Reported - view

      Ian Morris have you set up NextDNS directly in the browser settings?

    • Jared_Epp
    • 2 yrs ago
    • Reported - view

    This is a shot in the dark, but does your router use dnsmasq and is it doing DNSSEC validation? I ran into a similar issue starting about a week ago, and disabling DNSSEC validation in dnsmasq fixed it for me (even though the domains I had trouble with were not DNSSEC signed!). dnsmasq v 2.85.

    I think the advice from NextDNS staff is to stop doing DNSSEC validation on your router, since they are doing it already, and if you're worried about message tampering between your router and their servers, use DoH.

    • Ian_Morris
    • 2 yrs ago
    • Reported - view

    @NextDNS I run NextDNS in my pfsense router configured as per router support page:

    server:
      server:
      forward-zone:
        name: "."
        forward-tls-upstream: yes 
    forward-addr: 45.90.28.0#Router-b25a13.dns1.nextdns.io
    forward-addr: 2a07:a8c0::#Router-b25a13.dns1.nextdns.io
    forward-addr: 45.90.30.0#Router-b25a13.dns2.nextdns.io
    forward-addr: 2a07:a8c1::#Router-b25a13.dns2.nextdns.io
    server:include: /var/unbound/pfb_dnsbl.*conf 

    with the other settings as shown.

    @jared_epp I an running DoT and DNSSEC (whenever it applies) via the DNS Resolver (I am not using pfsense as a forwarder) and so DNSMASQ should not be being used.

    This has been working fine for the last year, but in the last week has been awful. However, switching to QUAD 9 using DoT and DNSSEC works fine; so at least I have options if I can't resolve this.

    • NextDNs
    • 2 yrs ago
    • Reported - view

    Please try without DNSSEC on the client. A DNS firewall like NextDNS breaks DNSSEC validation on the client when blocking or rewriting DNS responses, there is no way around that. Our resolver validates DNSSEC for you and DoT guarantees responses aren’t altered. 

    • Ian_Morris
    • 2 yrs ago
    • Reported - view

    Done, will continue to monitor

Content aside

  • 2 yrs agoLast active
  • 8Replies
  • 222Views
  • 4 Following