"Private DNS" on Android and pfSense DNS setup conflict?
Hello,
I use NextDNS's DNS, both on the "Private DNS" setting on my Android phone, and on the DNS Resolver custom option of my pfSense router.
It worked for months together (I use my NextDNS phone config , both on 4G and when I'm connected to my router.).
But since a few hours today, without any configuration modifications, my phone tell me no internet connection when I'm connected to the router.
It work great on another wifi (without NextDNS setting), or on my wifi (with nextDNS Settings) but only if I disabled the "Private DNS" setting.
I don't know why...
Is there a conflict when we use both NextDNS setting on router AND on phone together?
Thank you,
-
From your android, what do you get for https://test.nextdns.io
-
Olivier Poitrey thank you for replying :)
On 4g with private DNS :
{ "status": "ok", "protocol": "DOT", "configuration": "fpb9d8a0772d538e04", "client": "redacted", "destIP": "45.90.28.0", "server": "netbarista-par-1", "clientName": "unknown-dot" }On Wifi (so with router DNS resolver with NextDNS) AND with no "private DNS" android setting :{ "status": "ok", "protocol": "DOT", "configuration": "fp63ff6da8091c759a", "client": "redacted", "destIP": "45.90.28.0", "server": "netbarista-par-1", "clientName": "unknown-dot" }And I cannot test on wifi AND private DNS, because these is no DNS resolving (that's the problem I describe here), so no internet :D
-
-
I don't know if it's important but I use mutiwan on router (ADSL, 4G and VPN). And pfSense ask for DNS on all interfaces. (But it was working like this for months..)
-
Can you dig you pfSense for dns.nextdns.io please?
-
A DNs Lookup on pfSense?
Result :
Results
ResultRecord type
37.252.225.79 A 193.168.204.73 A 2a00:11c0:2:998::3 AAAA 2a0e:9900::1:0:0:1:2 AAAA Timings
Name serverQuery time
127.0.0.1 159 msec 45.90.28.181 151 msec 45.90.28.42 183 msec 45.90.30.42 292 msec Or do you need a dig command?
-
Shell Output for drill -V5 -T dns.nextdns.io :
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0 ;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; . IN NS ;; ANSWER SECTION: ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 0 msec ;; WHEN: Mon Dec 21 19:01:41 2020 ;; MSG SIZE rcvd: 0 ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0 ;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; 42.83.7.199.in-addr.arpa. IN PTR ;; ANSWER SECTION: ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 0 msec ;; WHEN: Mon Dec 21 19:01:42 2020 ;; MSG SIZE rcvd: 0 . 518400 IN NS a.root-servers.net. . 518400 IN NS b.root-servers.net. . 518400 IN NS c.root-servers.net. . 518400 IN NS d.root-servers.net. . 518400 IN NS e.root-servers.net. . 518400 IN NS f.root-servers.net. . 518400 IN NS g.root-servers.net. . 518400 IN NS h.root-servers.net. . 518400 IN NS i.root-servers.net. . 518400 IN NS j.root-servers.net. . 518400 IN NS k.root-servers.net. . 518400 IN NS l.root-servers.net. . 518400 IN NS m.root-servers.net. ;; Received 492 bytes from 199.7.83.42#53(l.root-servers.net.) in 45 ms ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0 ;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; dns.nextdns.io. IN A ;; ANSWER SECTION: ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 0 msec ;; WHEN: Mon Dec 21 19:01:46 2020 ;; MSG SIZE rcvd: 0 io. 172800 IN NS a2.nic.io. io. 172800 IN NS b0.nic.io. io. 172800 IN NS c0.nic.io. io. 172800 IN NS a0.nic.io. ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0 ;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; 17.148.36.192.in-addr.arpa. IN PTR ;; ANSWER SECTION: ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 0 msec ;; WHEN: Mon Dec 21 19:01:46 2020 ;; MSG SIZE rcvd: 0 ;; Received 284 bytes from 192.36.148.17#53(i.root-servers.net.) in 38 ms ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0 ;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; dns.nextdns.io. IN A ;; ANSWER SECTION: ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 0 msec ;; WHEN: Mon Dec 21 19:01:46 2020 ;; MSG SIZE rcvd: 0 nextdns.io. 86400 IN NS dawn.ns.cloudflare.com. nextdns.io. 86400 IN NS lee.ns.cloudflare.com. ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0 ;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; 17.161.22.65.in-addr.arpa. IN PTR ;; ANSWER SECTION: ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 0 msec ;; WHEN: Mon Dec 21 19:01:46 2020 ;; MSG SIZE rcvd: 0 ;; Received 86 bytes from 65.22.161.17#53(b0.nic.payu.) in 200 ms nextdns.io. 86400 IN NS dawn.ns.cloudflare.com. nextdns.io. 86400 IN NS lee.ns.cloudflare.com. dawn.ns.cloudflare.com.;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0 ;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; dawn.ns.cloudflare.com. IN AAAA ;; ANSWER SECTION: ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 0 msec ;; WHEN: Mon Dec 21 19:01:48 2020 ;; MSG SIZE rcvd: 0 ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0 ;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; dawn.ns.cloudflare.com. IN A ;; ANSWER SECTION: ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 0 msec ;; WHEN: Mon Dec 21 19:01:48 2020 ;; MSG SIZE rcvd: 0 nextdns.io. 86400 IN NS dawn.ns.cloudflare.com. nextdns.io. 86400 IN NS lee.ns.cloudflare.com. lee.ns.cloudflare.com.;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0 ;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; lee.ns.cloudflare.com. IN AAAA ;; ANSWER SECTION: ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 0 msec ;; WHEN: Mon Dec 21 19:01:48 2020 ;; MSG SIZE rcvd: 0 ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0 ;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; lee.ns.cloudflare.com. IN A ;; ANSWER SECTION: ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 0 msec ;; WHEN: Mon Dec 21 19:01:48 2020 ;; MSG SIZE rcvd: 0 ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0 ;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; dns.nextdns.io. IN A ;; ANSWER SECTION: ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 0 msec ;; WHEN: Mon Dec 21 19:01:48 2020 ;; MSG SIZE rcvd: 0 ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0 ;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; dns.nextdns.io. IN A ;; ANSWER SECTION: ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 0 msec ;; WHEN: Mon Dec 21 19:01:48 2020 ;; MSG SIZE rcvd: 0 dns.nextdns.io. 300 IN A 45.90.30.0 dns.nextdns.io. 300 IN A 45.90.28.0 ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0 ;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; 106.58.245.173.in-addr.arpa. IN PTR ;; ANSWER SECTION: ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 0 msec ;; WHEN: Mon Dec 21 19:01:48 2020 ;; MSG SIZE rcvd: 0 ;; Received 64 bytes from 173.245.58.106#53(dawn.ns.cloudflare.com.) in 26 ms-
fwehrle from a host on your network, do:
dig @pfsense-ip dns.nextdns.io
-
-
Oh sorry, of course :
dig @192.168.1.1 dns.nextdns.io
; <<>> DiG 9.10.6 <<>> @192.168.1.1 dns.nextdns.io ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54436 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;dns.nextdns.io. IN A ;; Query time: 124 msec ;; SERVER: 192.168.1.1#53(192.168.1.1) ;; WHEN: Mon Dec 21 21:12:07 CET 2020 ;; MSG SIZE rcvd: 43-
fwehrle do you have cname folding enabled in settings?
-
Olivier Poitrey No. Nor on the phone settings, nor on the router's setting.
(I have 2 differents NextDNS settings for phone and router)
-
fwehrle do you have DNSSEC validation enabled on pfSense?
-
Olivier Poitrey Yes
-
fwehrle can you please disable it. It shouldn't create an issue with this domain, but it won't work with DNS filtering anyway. Once done, please repeat the same dig and provide the output.
-
-
Ok.. I think I understand.
I never had more than 3-4% of DNSSEC request in NextDNS logs. that's why..
But the DNSSEC setting was on since months. Why is it broken only today?
Do you change something on your side?
-
fwehrle yes, we working on a change that might create this issue, so debugging output would help us understand.
-
Olivier Poitrey
Ok, good new. Ask me if you need to debug some things.
Is there a solution to enable DNSSEC both on router, on phone, AND on phone when connected to the router wifi?
It's look like there is no DNSSEC on router anymore (but it is normal as I disabled it on DNS resolver :)
-
fwehrle you can help by providing the output of the dig command that was failing before.
Regarding DNSSEC, we are validating DNSSEC for you. As we need to modify responses for filtering, it is discouraged to validate DNSSEC on the client as validation will break when a domain is blocked or rewritten (rewrite feature, safe search feature etc.).
-
-
I juste uncheck this setting in pfSense and now it works on the phone again. Thank you
-
Et voila :
dig @192.168.1.1 dns.nextdns.io
; <<>> DiG 9.10.6 <<>> @192.168.1.1 dns.nextdns.io
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51419
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dns.nextdns.io. IN A;; ANSWER SECTION:
dns.nextdns.io. 60 IN A 37.252.225.79
dns.nextdns.io. 60 IN A 193.168.204.73;; Query time: 111 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Dec 21 23:17:58 CET 2020
;; MSG SIZE rcvd: 75 -
I've noticed android devices have not had connectivity for approximately 36 hours. I use a similar setup as Fwehrle. Turning off DNSSEC in PfSense does not eliminate the "Private server cannot be accessed" message on android users devices. Any other thoughts for how to solve this?
Thanks
With DNSSEC enabled:
; <<>> DiG 9.14.12 <<>> 192.168.1.1 dns.nextdns.io ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13674 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;192.168.1.1. IN A ;; AUTHORITY SECTION: . 1274 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020122101 1800 900 604800 86400 ;; Query time: 52 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Mon Dec 21 19:31:34 PST 2020 ;; MSG SIZE rcvd: 115 ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46083 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;dns.nextdns.io. IN A ;; Query time: 656 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Mon Dec 21 19:31:35 PST 2020 ;; MSG SIZE rcvd: 43With DNSSEC disabled:
; <<>> DiG 9.14.12 <<>> 192.168.1.1 dns.nextdns.io ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 510 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;192.168.1.1.INA ;; AUTHORITY SECTION: .1242INSOAa.root-servers.net. nstld.verisign-grs.com. 2020122101 1800 900 604800 86400 ;; Query time: 43 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Mon Dec 21 19:39:46 PST 2020 ;; MSG SIZE rcvd: 115 ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57872 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;dns.nextdns.io.INA ;; ANSWER SECTION: dns.nextdns.io.60INA162.220.221.25 dns.nextdns.io.60INA45.32.79.76 ;; Query time: 43 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Mon Dec 21 19:39:46 PST 2020 ;; MSG SIZE rcvd: 75-
eBKv6q you forgot the @ before the IP of you router in the dig command. Can you try with it please?
-
Olivier Poitrey oops sorry
With DNSSEC enabled:
; <<>> DiG 9.14.12 <<>> @192.168.1.1 dns.nextdns.io ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26573 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;dns.nextdns.io.INA ;; Query time: 522 msec ;; SERVER: 192.168.1.1#53(192.168.1.1) ;; WHEN: Tue Dec 22 18:51:50 PST 2020 ;; MSG SIZE rcvd: 43With DNSSEC disabled:
; <<>> DiG 9.14.12 <<>> @192.168.1.1 dns.nextdns.io ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63676 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;dns.nextdns.io.INA ;; ANSWER SECTION: dns.nextdns.io.60INA162.220.221.25 dns.nextdns.io.60INA45.32.79.76 ;; Query time: 43 msec ;; SERVER: 192.168.1.1#53(192.168.1.1) ;; WHEN: Tue Dec 22 18:50:45 PST 2020 ;; MSG SIZE rcvd: 75Thanks
-
eBKv6q so same problem, please disable DNSSEC validation and it should work.
-
Hi Olivier Poitrey , I've disabled DNSSEC but android devices are still showing the same error. I'm testing with a Pixel 3, I've tried restarting the device and turning Private DNS off and back on. As soon as I hit Save it says it couldn't connect to the private DNS server.
Thanks
-
-
Please unable to connect private dns since a week on nokia android 10. It always says no internet but was working flawlessly since 8 months. Is their any fix or when issue resolved
-
Olivier Poitrey following up on this. I last posted on Dec 23rd. A few days later the issue went away with no configuration changes on my end. I assumed something was adjusted in NextDNS. As of approximately 12 hours ago the "Private DNS cannot be accessed" message is back for android devices.
Thanks
-
eBKv6q do you have cname flattening enabled in the settings tab?
-
Olivier Poitrey the CNAME Flattening setting is disabled. Thanks
-
eBKv6q was it disabled, or disabling it fixed the issue?
-
Olivier Poitrey Sorry, to clarify the CNAME Flattening setting is and always was disabled for my account. The problem is still occurring.
-
eBKv6q do you have dnssec validation setup on your router? Does it fix if you disable (I know you tried in the past, but this is a different issue).
-
Olivier Poitrey I still have dnssec disabled on the router. Its been off since my initial post on Dec 23rd.
-
eBKv6q If your using Pfsense then it's probably Pfsense and not NextDNS. Your android devices are not being allowed to reach the surface. It stays within the local network. Adjustments would need to be made to allow your devices to get through Pfsense or it will be automatically blocked.
-
-
Any updates on this issue? I've experienced the same "Private server cannot be accessed" on android devices for the last 2 weeks.
Thanks
-
I have been experiencing the same "Private server cannot be accessed" error, with no changes having been made on my network. I am on Verizon FiOS and using the G1100 router.
I am not aware of any way to enable dnssec on the router. Also, I have CNAME flattening disabled.
Any other suggestions on resolving this?
-
wTm5PK Can you try:
1. Using "dns.nextdns.io"
2. Using "anycast.dns.nextdns.io"
And for which one(s) you're getting the issue?
-
Romain Cointepas can you clarify what we should be trying? Should we visit the two URLs in our browser, or try swapping Android Private DNS to the format device-ID.anycast.dns.nextdns.io rather than the normal device-ID.dns.nextdns.io ?
Thanks
-
Romain Cointepas anycast.dns.nextdns.io fails to connect consistently, but I have never used that prior to the test you suggested.
I was originally using dns.nextdns.io when receiving the error. It appears to be working now, but I was sometimes able to get it to work by manually switching from dns.nextdns.io to hardcoding dns2.nextdns.io.
-
eBKv6q They are connections made to the URLs. Just testing to see if a valid connection can be established. If not, well then there's a problem.
-
-
El mismo problema, conectado a red wifi no conecta el dns privado y tampoco tengo acceso a la red.
-
Hello,
Is there any update on this or additional information we can provide to troubleshoot?
Thanks
-
Hi guys,
Since a few days, witout any settings changes, this troubles append again.
I double check my router's and nextdns settings : dnssec option is disabled, and cname flat too.
Any changes in your side?
What can i test/do to solve my problem?
Thank you very much, and have a nice day
-
This happened a few days ago, maybe it applies:
https://help.nextdns.io/t/h7h1tfs/problem-with-doh-on-mikrotik-router-since-yesterday
-
fwehrle Your devices are running profiles and Pfsense is also running NextDNS cli?
-
-
Thank you.
I don't know if it apply, since I don't know how to check the CA on pfSense.
I ask for it on the other post. Wait and see..
