
"Private DNS" on Android and pfSense DNS setup conflict?
Hello,
I use NextDNS's DNS, both on the "Private DNS" setting on my Android phone, and on the DNS Resolver custom option of my pfSense router.
It worked for months together (I use my NextDNS phone config, both on 4G and when I'm connected to my router).
But for a few hours today, without any configuration modifications, my phone tells me there is no internet connection when I'm connected to the router.
It works great on another wifi (without NextDNS settings), or on my wifi (with NextDNS settings) but only if I disable the "Private DNS" setting.
I don't know why...
Is there a conflict when we use NextDNS settings on both the router AND the phone together?
Thank you,
-
From your Android, what do you get for https://test.nextdns.io?
-
Can you dig your pfSense for dns.nextdns.io please?
-
Shell Output for drill -V5 -T dns.nextdns.io :
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; . IN NS
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; WHEN: Mon Dec 21 19:01:41 2020
;; MSG SIZE rcvd: 0
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; 42.83.7.199.in-addr.arpa. IN PTR
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; WHEN: Mon Dec 21 19:01:42 2020
;; MSG SIZE rcvd: 0
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.
;; Received 492 bytes from 199.7.83.42#53(l.root-servers.net.) in 45 ms
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; dns.nextdns.io. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; WHEN: Mon Dec 21 19:01:46 2020
;; MSG SIZE rcvd: 0
io. 172800 IN NS a2.nic.io.
io. 172800 IN NS b0.nic.io.
io. 172800 IN NS c0.nic.io.
io. 172800 IN NS a0.nic.io.
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; 17.148.36.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; WHEN: Mon Dec 21 19:01:46 2020
;; MSG SIZE rcvd: 0
;; Received 284 bytes from 192.36.148.17#53(i.root-servers.net.) in 38 ms
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; dns.nextdns.io. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; WHEN: Mon Dec 21 19:01:46 2020
;; MSG SIZE rcvd: 0
nextdns.io. 86400 IN NS dawn.ns.cloudflare.com.
nextdns.io. 86400 IN NS lee.ns.cloudflare.com.
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; 17.161.22.65.in-addr.arpa. IN PTR
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; WHEN: Mon Dec 21 19:01:46 2020
;; MSG SIZE rcvd: 0
;; Received 86 bytes from 65.22.161.17#53(b0.nic.payu.) in 200 ms
nextdns.io. 86400 IN NS dawn.ns.cloudflare.com.
nextdns.io. 86400 IN NS lee.ns.cloudflare.com.
dawn.ns.cloudflare.com.
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; dawn.ns.cloudflare.com. IN AAAA
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; WHEN: Mon Dec 21 19:01:48 2020
;; MSG SIZE rcvd: 0
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; dawn.ns.cloudflare.com. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; WHEN: Mon Dec 21 19:01:48 2020
;; MSG SIZE rcvd: 0
nextdns.io. 86400 IN NS dawn.ns.cloudflare.com.
nextdns.io. 86400 IN NS lee.ns.cloudflare.com.
lee.ns.cloudflare.com.
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; lee.ns.cloudflare.com. IN AAAA
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; WHEN: Mon Dec 21 19:01:48 2020
;; MSG SIZE rcvd: 0
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; lee.ns.cloudflare.com. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; WHEN: Mon Dec 21 19:01:48 2020
;; MSG SIZE rcvd: 0
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; dns.nextdns.io. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; WHEN: Mon Dec 21 19:01:48 2020
;; MSG SIZE rcvd: 0
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; dns.nextdns.io. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; WHEN: Mon Dec 21 19:01:48 2020
;; MSG SIZE rcvd: 0
dns.nextdns.io. 300 IN A 45.90.30.0
dns.nextdns.io. 300 IN A 45.90.28.0
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; 106.58.245.173.in-addr.arpa. IN PTR
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; WHEN: Mon Dec 21 19:01:48 2020
;; MSG SIZE rcvd: 0
;; Received 64 bytes from 173.245.58.106#53(dawn.ns.cloudflare.com.) in 26 ms
-
Oh sorry, of course:
dig @192.168.1.1 dns.nextdns.io
; <<>> DiG 9.10.6 <<>> @192.168.1.1 dns.nextdns.io
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54436
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dns.nextdns.io. IN A
;; Query time: 124 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Dec 21 21:12:07 CET 2020
;; MSG SIZE rcvd: 43
-
Et voila :
dig @192.168.1.1 dns.nextdns.io
; <<>> DiG 9.10.6 <<>> @192.168.1.1 dns.nextdns.io
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51419
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dns.nextdns.io. IN A
;; ANSWER SECTION:
dns.nextdns.io. 60 IN A 37.252.225.79
dns.nextdns.io. 60 IN A 193.168.204.73
;; Query time: 111 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Dec 21 23:17:58 CET 2020
;; MSG SIZE rcvd: 75
-
I've noticed Android devices have not had connectivity for approximately 36 hours. I use a similar setup to Fwehrle. Turning off DNSSEC in pfSense does not eliminate the "Private server cannot be accessed" message on Android users' devices. Any other thoughts for how to solve this?
Thanks
With DNSSEC enabled:
; <<>> DiG 9.14.12 <<>> 192.168.1.1 dns.nextdns.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13674
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;192.168.1.1. IN A
;; AUTHORITY SECTION:
. 1274 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020122101 1800 900 604800 86400
;; Query time: 52 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 21 19:31:34 PST 2020
;; MSG SIZE rcvd: 115
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46083
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dns.nextdns.io. IN A
;; Query time: 656 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 21 19:31:35 PST 2020
;; MSG SIZE rcvd: 43
With DNSSEC disabled:
; <<>> DiG 9.14.12 <<>> 192.168.1.1 dns.nextdns.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 510
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;192.168.1.1. IN A
;; AUTHORITY SECTION:
. 1242 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020122101 1800 900 604800 86400
;; Query time: 43 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 21 19:39:46 PST 2020
;; MSG SIZE rcvd: 115
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57872
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dns.nextdns.io. IN A
;; ANSWER SECTION:
dns.nextdns.io. 60 IN A 162.220.221.25
dns.nextdns.io. 60 IN A 45.32.79.76
;; Query time: 43 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 21 19:39:46 PST 2020
;; MSG SIZE rcvd: 75
-
Olivier Poitrey, following up on this. I last posted on Dec 23rd. A few days later the issue went away with no configuration changes on my end. I assumed something was adjusted in NextDNS. As of approximately 12 hours ago the "Private DNS cannot be accessed" message is back for Android devices.
Thanks
-
I have been experiencing the same "Private server cannot be accessed" error, with no changes having been made on my network. I am on Verizon FiOS and using the G1100 router.
I am not aware of any way to enable DNSSEC on the router. Also, I have CNAME flattening disabled.
Any other suggestions on resolving this?
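-
Added example, not part of the original thread: a shell helper that pulls the status for one query name out of `dig` output (including runs where the `@` was left out and `dig` answered two questions) and compares a lookup made with DNSSEC validation on against one made with it off. The function names are made up for this example, and the sample outputs are trimmed from the ones posted above.

```sh
#!/bin/sh
# Print the rcode of the response that asks for name $1. dig output is read
# from stdin and may hold several responses (e.g. when "@" was left out).
rcode_for() {
    awk -v q=";$1." '
        /->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { s = $(i + 1); sub(/,$/, "", s) }
        }
        $1 == q { print s; found = 1; exit }
        END { if (!found) print "NOANSWER" }
    '
}

# $1 = rcode with DNSSEC validation on, $2 = rcode with validation off
# (DNSSEC disabled in the resolver, or the query sent with dig +cd).
classify() {
    case "$1/$2" in
        NOERROR/*)         echo "resolver-ok" ;;
        SERVFAIL/NOERROR)  echo "validation-related" ;;
        SERVFAIL/SERVFAIL) echo "not-validation-related" ;;
        *)                 echo "inconclusive" ;;
    esac
}

# Sample outputs, trimmed from the ones posted in the thread.
sample_dnssec_on() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13674
;192.168.1.1. IN A
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46083
;dns.nextdns.io. IN A
EOF
}
sample_dnssec_off() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 510
;192.168.1.1. IN A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57872
;dns.nextdns.io. IN A
dns.nextdns.io. 60 IN A 162.220.221.25
EOF
}

on=$(sample_dnssec_on | rcode_for dns.nextdns.io)
off=$(sample_dnssec_off | rcode_for dns.nextdns.io)
echo "validation on: $on, off: $off -> $(classify "$on" "$off")"
```

Against a live resolver, pipe `dig @192.168.1.1 dns.nextdns.io` and `dig +cd @192.168.1.1 dns.nextdns.io` into `rcode_for dns.nextdns.io` in place of the two samples.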