
"dns.nextdns.io" a large number of connection errors

Hey, I am using nextdns cli 1.11.0 under centos8.
Recently I discovered a large number of "i/o timeout" errors in the log, and there was a problem with DNS resolution on the local area network.
First of all, I suspected there might be a problem with the network, so I checked that the normal IP of "dns.nextdns.io" can be resolved through another DNS provider, "8.8.8.8", with nslookup, as follows:
[root@NextDNS ~]# nslookup dns.nextdns.io
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
dns.nextdns.io canonical name = steering.nextdns.io.
Name: steering.nextdns.io
Address: 37.252.249.233
Name: steering.nextdns.io
Address: 84.17.37.186
Name: steering.nextdns.io
Address: 2a00:11c0:17:429::3
Name: steering.nextdns.io
Address: 2a0b:4341:509:186:5054:ff:fe0e:98d3
I pinged the resolved IPs, and the results are as follows:
[root@NextDNS ~]# ping 37.252.249.233
PING 37.252.249.233 (37.252.249.233) 56(84) bytes of data.
64 bytes from 37.252.249.233: icmp_seq=1 ttl=47 time=193 ms
64 bytes from 37.252.249.233: icmp_seq=2 ttl=47 time=194 ms
64 bytes from 37.252.249.233: icmp_seq=3 ttl=47 time=194 ms
64 bytes from 37.252.249.233: icmp_seq=4 ttl=47 time=193 ms
64 bytes from 37.252.249.233: icmp_seq=5 ttl=47 time=195 ms
64 bytes from 37.252.249.233: icmp_seq=6 ttl=47 time=185 ms
64 bytes from 37.252.249.233: icmp_seq=7 ttl=47 time=191 ms
64 bytes from 37.252.249.233: icmp_seq=8 ttl=47 time=196 ms
64 bytes from 37.252.249.233: icmp_seq=9 ttl=47 time=193 ms
64 bytes from 37.252.249.233: icmp_seq=10 ttl=47 time=188 ms
64 bytes from 37.252.249.233: icmp_seq=11 ttl=47 time=183 ms
64 bytes from 37.252.249.233: icmp_seq=12 ttl=47 time=194 ms

--- 37.252.249.233 ping statistics ---
12 packets transmitted, 12 received, 0% packet loss, time 23ms
rtt min/avg/max/mdev = 183.424/191.597/195.684/3.737 ms
[root@NextDNS ~]# ping 84.17.37.186
PING 84.17.37.186 (84.17.37.186) 56(84) bytes of data.
64 bytes from 84.17.37.186: icmp_seq=1 ttl=48 time=15.7 ms
64 bytes from 84.17.37.186: icmp_seq=2 ttl=46 time=17.1 ms
64 bytes from 84.17.37.186: icmp_seq=5 ttl=48 time=62.4 ms
64 bytes from 84.17.37.186: icmp_seq=12 ttl=48 time=62.3 ms
64 bytes from 84.17.37.186: icmp_seq=25 ttl=46 time=63.8 ms

--- 84.17.37.186 ping statistics ---
28 packets transmitted, 5 received, 82.1429% packet loss, time 512ms
rtt min/avg/max/mdev = 15.672/44.238/63.776/22.770 ms
[root@NextDNS ~]#

The IP 37.252.249.233 can be pinged successfully.

I am very confused now. Please help solve this problem. Attached is the relevant log.

https://nextdns.io/diag/c980e7e0-8548-11eb-b436-f1a41f11c9f5

17 replies
    • Olivier Poitrey I know this, can I set the domain name prefix of "*.dns.nextdns.io" on the command line?
      For example, "music.dns.nextdns.io/XXXXX".
    • Carrot eggs in the cli? Is it blocked by SNI?
    • Olivier Poitrey 

      Currently IPv4 cannot connect to "dns.nextdns.io"; IPv6 seems to work, but it is unstable. Using the method provided in the link above, adding a prefix does indeed allow access through IPv4.

      Whether it was blocked by SNI is not clear to me.

      I am using a Hong Kong VPS to install adguardhome, with its DNS upstream pointing to nextdns. adguardhome then provides DoH, DoT and DoQ.
      It would be better if I could connect to nextdns directly.
    • Olivier Poitrey yes, in the cli
    • Carrot eggs what do you get for the following commands:

      curl -v https://dns.nextdns.io/info

      curl -v https://dns.nextdns.io/info --resolve dns.nextdns.io:443:37.252.249.233

      curl -v https://dns.nextdns.io/info --resolve dns.nextdns.io:443:2a00:11c0:17:429::3

      curl -v https://blah.dns.nextdns.io/info --resolve blah.dns.nextdns.io:443:37.252.249.233

      curl -kv https://something.cn/info --resolve something.cn:443:37.252.249.233

      Please make sure you manually enter the spaces and dashes as this forum mangles them.
    • Olivier Poitrey See attachment for test results
    • Carrot eggs please use two dashes before the resolve argument (--)
    • Olivier Poitrey See attachment for test results
    • Olivier Poitrey 

      [root@NextDNS ~]# curl -v https://blah.dns.nextdns.io/info --resolve blah.dns.nextdns.io:443:37.252.249.233
      * Added blah.dns.nextdns.io:443:37.252.249.233 to DNS cache
      * Hostname blah.dns.nextdns.io was found in DNS cache
      *   Trying 37.252.249.233...
      * TCP_NODELAY set
      * Connected to blah.dns.nextdns.io (37.252.249.233) port 443 (#0)
      * ALPN, offering h2
      * ALPN, offering http/1.1
      * successfully set certificate verify locations:
      *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
        CApath: none
      * TLSv1.3 (OUT), TLS handshake, Client hello (1):
      * TLSv1.3 (IN), TLS handshake, Server hello (2):
      * TLSv1.3 (IN), TLS handshake, [no content] (0):
      * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
      * TLSv1.3 (IN), TLS handshake, [no content] (0):
      * TLSv1.3 (IN), TLS handshake, Certificate (11):
      * TLSv1.3 (IN), TLS handshake, [no content] (0):
      * TLSv1.3 (IN), TLS handshake, CERT verify (15):
      * TLSv1.3 (IN), TLS handshake, [no content] (0):
      * TLSv1.3 (IN), TLS handshake, Finished (20):
      * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
      * TLSv1.3 (OUT), TLS handshake, [no content] (0):
      * TLSv1.3 (OUT), TLS handshake, Finished (20):
      * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
      * ALPN, server accepted to use h2
      * Server certificate:
      *  subject: CN=nextdns.io
      *  start date: Mar 13 23:55:09 2021 GMT
      *  expire date: Jun 11 23:55:09 2021 GMT
      *  subjectAltName: host "blah.dns.nextdns.io" matched cert's "*.dns.nextdns.io"
      *  issuer: C=US; O=Let's Encrypt; CN=R3
      *  SSL certificate verify ok.
      * Using HTTP2, server supports multi-use
      * Connection state changed (HTTP/2 confirmed)
      * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
      * TLSv1.3 (OUT), TLS app data, [no content] (0):
      * TLSv1.3 (OUT), TLS app data, [no content] (0):
      * TLSv1.3 (OUT), TLS app data, [no content] (0):
      * Using Stream ID: 1 (easy handle 0x558a35b4f4a0)
      * TLSv1.3 (OUT), TLS app data, [no content] (0):
      > GET /info HTTP/2
      > Host: blah.dns.nextdns.io
      > User-Agent: curl/7.61.1
      > Accept: */*
      >
      * TLSv1.3 (IN), TLS handshake, [no content] (0):
      * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
      * TLSv1.3 (IN), TLS app data, [no content] (0):
      * Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
      * TLSv1.3 (OUT), TLS app data, [no content] (0):
      * TLSv1.3 (IN), TLS app data, [no content] (0):
      * TLSv1.3 (IN), TLS app data, [no content] (0):
      * TLSv1.3 (IN), TLS app data, [no content] (0):
      < HTTP/2 200
      < access-control-allow-origin: *
      < content-type: application/json
      < strict-transport-security: max-age=63072000; includeSubDomains; preload
      < timing-allow-origin: *
      < content-length: 74
      < date: Mon, 15 Mar 2021 11:09:29 GMT
      <
      * TLSv1.3 (IN), TLS app data, [no content] (0):
      * Connection #0 to host blah.dns.nextdns.io left intact
      {"locationName": "🇭🇰 Hong Kong", "pop": "anexia-hkg", "rtt": 177425}[root@NextDNS ~]#
    • Carrot eggs thx, what about:

      curl -vk https://37.252.249.233/info
    • Olivier Poitrey There are two results, see the attachment.
    • Carrot eggs it fails randomly. Does this happen with other commands?
    • Olivier Poitrey 

      I am not very clear about other commands. I only deployed nextdns on this VM.

      If it fails randomly, think about the firewall's discarding strategy; it should be blocked by SNI.
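The thread's diagnostic method (ping each resolved IP, then connect to a fixed IP while presenting different names with `curl --resolve`) boils down to varying the TLS SNI independently of the IP and looking at which combinations fail. The following is an added example, not NextDNS code: `probe_tls()` does at the socket level what `--resolve` does in curl, `parse_ping_loss()` reads ping summary lines like those above, and `classify()` turns repeated probe results into a per-IP verdict. The function names and the `SAMPLE` records are constructed for this example; `SAMPLE` mirrors the outcomes reported in the thread.

```python
# Added example (not NextDNS code): turn probes like the curl/ping tests in this
# thread into a verdict per server IP. probe_tls() reproduces what
# `curl --resolve SNI:443:IP` does at the TLS layer: connect to IP, present SNI.
import re
import socket
import ssl

PING_STATS = re.compile(r"(\d+) packets transmitted, (\d+) received")

def parse_ping_loss(stats_line: str) -> float:
    """Percent packet loss from a `ping` summary line."""
    sent, recv = map(int, PING_STATS.search(stats_line).groups())
    return 100.0 * (sent - recv) / sent

def probe_tls(ip: str, sni: str, timeout: float = 5.0) -> dict:
    """Handshake with `ip` while presenting `sni`; report success and the
    certificate's subjectAltName entries. Network call, not used by SAMPLE."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                names = [v for _, v in tls.getpeercert().get("subjectAltName", ())]
                return {"ip": ip, "sni": sni, "ok": True, "san": names}
    except OSError as exc:  # timeouts, resets and ssl.SSLError all derive from OSError
        return {"ip": ip, "sni": sni, "ok": False, "error": str(exc)}

def classify(results: list[dict]) -> dict[str, str]:
    """Per IP: 'ok', 'intermittent', 'sni-filtering' or 'unreachable', from
    repeated {"ip", "sni", "ok"} records (each probe_tls() result is one)."""
    trials: dict[tuple[str, str], list[bool]] = {}
    for r in results:
        trials.setdefault((r["ip"], r["sni"]), []).append(bool(r["ok"]))
    verdict = {}
    for ip in {ip for ip, _ in trials}:
        rates = [sum(v) / len(v) for (i, _), v in trials.items() if i == ip]
        if max(rates) == 0:
            verdict[ip] = "unreachable"     # every SNI fails: IP-level block or network fault
        elif min(rates) == 0:
            verdict[ip] = "sni-filtering"   # same IP, only some names fail consistently
        elif min(rates) < 1:
            verdict[ip] = "intermittent"    # lossy path or stateful dropping
        else:
            verdict[ip] = "ok"
    return verdict

# Constructed sample mirroring the thread: the base name fails over IPv4 while a
# wildcard prefix at the same IP succeeds; the second IP drops most packets.
SAMPLE = (
    [{"ip": "37.252.249.233", "sni": "dns.nextdns.io", "ok": False}] * 3
    + [{"ip": "37.252.249.233", "sni": "blah.dns.nextdns.io", "ok": True}] * 3
    + [{"ip": "84.17.37.186", "sni": "dns.nextdns.io", "ok": o} for o in (True, False, False)]
)
```

Run `probe_tls()` several times per (ip, sni) pair and feed the records to `classify()`; a single failed handshake proves nothing, which is why the verdict is computed over repeated trials.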
    • Olivier Poitrey After being unable to connect to nextdns.io for a long time, these are the last entries that appear in the log:
      Mar 15 20:04:13 NextDNS systemd[1]: nextdns.service: Main process exited, code=killed, status=9/KILL
      Mar 15 20:04:13 NextDNS systemd[1]: nextdns.service: Failed with result 'signal'.
    • Olivier Poitrey 

      I looked at some blocked domain names and found some sensitive words, such as "xi-jin-ping" in the picture below. This is the pinyin of our country's leader's name. For the Great Firewall this is a sensitive word, and it is easily blocked because the firewall thinks this website contains sensitive information. I don't know why this person uses the pinyin of the national leader, but he is a saboteur.

      Therefore, it is recommended to turn off wildcard domain resolution and only keep the names you are using. Otherwise, the Great Firewall will block all of nextdns in China.

      I am a paying user. Nextdns can protect my online privacy from censorship and block ads. I have deployed it on all my devices. But now I can only use nextdns through the self-built adguardhome in Hong Kong. For this I still need to spend more money on a VPS; I am sad. I hope that nextdns can solve the problem of not being usable in China.
    • Olivier Poitrey 