"dns.nextdns.io" a large number of connection errors

Olivier Poitrey I know this, can I set the domain name prefix of "*.dns.nextdns.io" on the command line?
For example, "music.dns.nextdns.io/XXXXX".

Olivier Poitrey 

Currently ipv4 cannot connect to "dns.nextdns.io", ipv6 seems to work, but it is unstable. According to the method provided in the link above, adding a prefix can indeed be accessed through ipv4.

Whether it was blocked by SNI is not clear to me.

I am using Hong Kong's VPS to install adguarehome, and the DNS upstream points to nextdns. Then adguardhome provides DOH, DOT, DOQ.
It would be better if you could connect to nextdns directly.

Olivier Poitrey yes,in the cli

Olivier Poitrey See attachment for test results

Olivier Poitrey See attachment for test results

Olivier Poitrey 

[root@NextDNS ~]# curl -v https://blah.dns.nextdns.io/info --resolve blah.dns.nextdns.io:443:37.252.249.233
* Added blah.dns.nextdns.io:443:37.252.249.233 to DNS cache
* Hostname blah.dns.nextdns.io was found in DNS cache
*   Trying 37.252.249.233...
* TCP_NODELAY set
* Connected to blah.dns.nextdns.io (37.252.249.233) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=nextdns.io
*  start date: Mar 13 23:55:09 2021 GMT
*  expire date: Jun 11 23:55:09 2021 GMT
*  subjectAltName: host "blah.dns.nextdns.io" matched cert's "*.dns.nextdns.io"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* Using Stream ID: 1 (easy handle 0x558a35b4f4a0)
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET /info HTTP/2
> Host: blah.dns.nextdns.io
> User-Agent: curl/7.61.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/2 200
< access-control-allow-origin: *
< content-type: application/json
< strict-transport-security: max-age=63072000; includeSubDomains; preload
< timing-allow-origin: *
< content-length: 74
< date: Mon, 15 Mar 2021 11:09:29 GMT
<
* TLSv1.3 (IN), TLS app data, [no content] (0):
* Connection #0 to host blah.dns.nextdns.io left intact
{"locationName": " Hong Kong", "pop": "anexia-hkg", "rtt": 177425}[root@NextDNS ~]#

Olivier Poitrey There are two results, see the attachment.

Olivier Poitrey 

I am not very clear about other commands. I only deployed nextdns on this VM.

If it fails randomly, think about the discarding strategy of the firewall, it should be blocked by SNI.

Olivier Poitrey After being unable to connect to nextdns.io for a long time, the last entry will appear in the log
Mar 15 20:04:13 NextDNS systemd[1]: nextdns.service: Main process exited, code=killed, status=9/KILL
Mar 15 20:04:13 NextDNS systemd[1]: nextdns.service: Failed with result'signal'.

Olivier Poitrey 

I looked at some blocked domain names and found some sensitive words, such as "xi-jin-ping" in the picture below. This is the pinyin of our country’s leader’s name. From the Great  Firewall, this is a sensitive word and it is easy to be Block out, think this website contains sensitive information. I don't know why this person uses the pinyin of the national leader, but he is a saboteur.

Therefore, it is recommended to turn off the pan-domain name resolution and only keep the ones you are using. Otherwise, the Great Firewall will block the entire nextdns in China.

I am a paying user. Nextdns can protect my online privacy from being censored and block ads. I deployed it on all my devices. But now I can only use nextdns through the self-built adguardhome in Hong Kong. For this I still need to spend more money on VPS, I am sad. I hope that nextdns can solve the problem of not being used in China.

Olivier Poitrey