3

"Private DNS" on Android and pfSense DNS setup conflict?

Hello,

I use NextDNS's DNS, both on the "Private DNS" setting on my Android phone, and on the DNS Resolver custom option of my pfSense router.

It worked for months together (I use my NextDNS phone config , both on 4G and when I'm connected to my router.).

But since a few hours today, without any configuration modifications,  my phone tell me no internet connection when I'm connected to the router.

It work great on another wifi (without NextDNS setting), or on my wifi (with nextDNS Settings) but only if I disabled the "Private DNS" setting.

I don't know why...

Is there a conflict when we use both NextDNS setting on router AND on phone together?

Thank you,

45 replies

null
    • olivier
    • 4 yrs ago
    • Reported - view

    From your android, what do you get for https://test.nextdns.io

      • fwehrle
      • 4 yrs ago
      • Reported - view

      Olivier Poitrey thank you for replying :)

      On 4g with private DNS :

      {
      "status": "ok",
      "protocol": "DOT",
      "configuration": "fpb9d8a0772d538e04",
      "client": "redacted",
      "destIP": "45.90.28.0",
      "server": "netbarista-par-1",
      "clientName": "unknown-dot"
      }
      On Wifi (so with router DNS resolver with NextDNS) AND with no "private DNS" android setting :
      {
      "status": "ok",
      "protocol": "DOT",
      "configuration": "fp63ff6da8091c759a",
      "client": "redacted",
      "destIP": "45.90.28.0",
      "server": "netbarista-par-1",
      "clientName": "unknown-dot"
      }

      And I cannot test on wifi AND private DNS, because these is no DNS resolving (that's the problem I describe here), so no internet :D

    • fwehrle
    • 4 yrs ago
    • Reported - view

    I don't know if it's important but I use mutiwan on router (ADSL, 4G and VPN).  And pfSense ask for DNS on all interfaces. (But it was working like this for months..)

    • olivier
    • 4 yrs ago
    • Reported - view

    Can you dig you pfSense for dns.nextdns.io please?

    • fwehrle
    • 4 yrs ago
    • Reported - view

    A DNs Lookup on pfSense?

    Result :

    Results

    ResultRecord type

    37.252.225.79 A
    193.168.204.73 A
    2a00:11c0:2:998::3 AAAA
    2a0e:9900::1:0:0:1:2 AAAA

    Timings

    Name serverQuery time

    127.0.0.1 159 msec
    45.90.28.181 151 msec
    45.90.28.42 183 msec
    45.90.30.42 292 msec

    Or do you need a dig command?

    • fwehrle
    • 4 yrs ago
    • Reported - view

    Shell Output for drill -V5 -T dns.nextdns.io :

    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; . IN NS
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Mon Dec 21 19:01:41 2020
    ;; MSG SIZE  rcvd: 0
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; 42.83.7.199.in-addr.arpa. IN PTR
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Mon Dec 21 19:01:42 2020
    ;; MSG SIZE  rcvd: 0
    . 518400 IN NS a.root-servers.net.
    . 518400 IN NS b.root-servers.net.
    . 518400 IN NS c.root-servers.net.
    . 518400 IN NS d.root-servers.net.
    . 518400 IN NS e.root-servers.net.
    . 518400 IN NS f.root-servers.net.
    . 518400 IN NS g.root-servers.net.
    . 518400 IN NS h.root-servers.net.
    . 518400 IN NS i.root-servers.net.
    . 518400 IN NS j.root-servers.net.
    . 518400 IN NS k.root-servers.net.
    . 518400 IN NS l.root-servers.net.
    . 518400 IN NS m.root-servers.net.
    ;; Received 492 bytes from 199.7.83.42#53(l.root-servers.net.) in 45 ms
    
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; dns.nextdns.io. IN A
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Mon Dec 21 19:01:46 2020
    ;; MSG SIZE  rcvd: 0
    io. 172800 IN NS a2.nic.io.
    io. 172800 IN NS b0.nic.io.
    io. 172800 IN NS c0.nic.io.
    io. 172800 IN NS a0.nic.io.
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; 17.148.36.192.in-addr.arpa. IN PTR
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Mon Dec 21 19:01:46 2020
    ;; MSG SIZE  rcvd: 0
    ;; Received 284 bytes from 192.36.148.17#53(i.root-servers.net.) in 38 ms
    
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; dns.nextdns.io. IN A
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Mon Dec 21 19:01:46 2020
    ;; MSG SIZE  rcvd: 0
    nextdns.io. 86400 IN NS dawn.ns.cloudflare.com.
    nextdns.io. 86400 IN NS lee.ns.cloudflare.com.
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; 17.161.22.65.in-addr.arpa. IN PTR
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Mon Dec 21 19:01:46 2020
    ;; MSG SIZE  rcvd: 0
    ;; Received 86 bytes from 65.22.161.17#53(b0.nic.payu.) in 200 ms
    
    nextdns.io. 86400 IN NS dawn.ns.cloudflare.com.
    nextdns.io. 86400 IN NS lee.ns.cloudflare.com.
    dawn.ns.cloudflare.com.;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; dawn.ns.cloudflare.com. IN AAAA
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Mon Dec 21 19:01:48 2020
    ;; MSG SIZE  rcvd: 0
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; dawn.ns.cloudflare.com. IN A
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Mon Dec 21 19:01:48 2020
    ;; MSG SIZE  rcvd: 0
    nextdns.io. 86400 IN NS dawn.ns.cloudflare.com.
    nextdns.io. 86400 IN NS lee.ns.cloudflare.com.
    lee.ns.cloudflare.com.;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; lee.ns.cloudflare.com. IN AAAA
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Mon Dec 21 19:01:48 2020
    ;; MSG SIZE  rcvd: 0
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; lee.ns.cloudflare.com. IN A
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Mon Dec 21 19:01:48 2020
    ;; MSG SIZE  rcvd: 0
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; dns.nextdns.io. IN A
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Mon Dec 21 19:01:48 2020
    ;; MSG SIZE  rcvd: 0
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; dns.nextdns.io. IN A
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Mon Dec 21 19:01:48 2020
    ;; MSG SIZE  rcvd: 0
    dns.nextdns.io. 300 IN A 45.90.30.0
    dns.nextdns.io. 300 IN A 45.90.28.0
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; 106.58.245.173.in-addr.arpa. IN PTR
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Mon Dec 21 19:01:48 2020
    ;; MSG SIZE  rcvd: 0
    ;; Received 64 bytes from 173.245.58.106#53(dawn.ns.cloudflare.com.) in 26 ms
      • olivier
      • 4 yrs ago
      • Reported - view

      fwehrle from a host on your network, do:

      dig @pfsense-ip dns.nextdns.io
    • fwehrle
    • 4 yrs ago
    • Reported - view

    Oh sorry, of course :

     

    dig @192.168.1.1 dns.nextdns.io

    ; <<>> DiG 9.10.6 <<>> @192.168.1.1 dns.nextdns.io
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54436
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;dns.nextdns.io.            IN    A
    ;; Query time: 124 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Mon Dec 21 21:12:07 CET 2020
    ;; MSG SIZE  rcvd: 43
    
      • olivier
      • 4 yrs ago
      • Reported - view

      fwehrle do you have cname folding enabled in settings?

      • fwehrle
      • 4 yrs ago
      • Reported - view

      Olivier Poitrey No. Nor on the phone settings, nor on the router's setting.

      (I have 2 differents NextDNS settings for phone and router)

      • olivier
      • 4 yrs ago
      • Reported - view

      fwehrle do you have DNSSEC validation enabled on pfSense?

      • fwehrle
      • 4 yrs ago
      • Reported - view

      Olivier Poitrey Yes

      • olivier
      • 4 yrs ago
      • Reported - view

      fwehrle can you please disable it. It shouldn't create an issue with this domain, but it won't work with DNS filtering anyway. Once done, please repeat the same dig and provide the output.

    • fwehrle
    • 4 yrs ago
    • Reported - view

    Ok.. I think I understand.

    I never had more than 3-4% of DNSSEC request in NextDNS logs. that's why..

    But the DNSSEC setting was on since months. Why is it broken only today?

    Do you change something on your side?

      • olivier
      • 4 yrs ago
      • Reported - view

      fwehrle yes, we working on a change that might create this issue, so debugging output would help us understand.

      • fwehrle
      • 4 yrs ago
      • Reported - view

      Olivier Poitrey 

      Ok, good new. Ask me if you need to debug some things.

      Is there a solution to enable DNSSEC both on router, on phone, AND on phone when connected to the router wifi?

      It's look like there is no DNSSEC on router anymore (but it is normal as I disabled it on DNS resolver :)

      • olivier
      • 4 yrs ago
      • Reported - view

      fwehrle you can help by providing the output of the dig command that was failing before.

      Regarding DNSSEC, we are validating DNSSEC for you. As we need to modify responses for filtering, it is discouraged to validate DNSSEC on the client as validation will break when a domain is blocked or rewritten (rewrite feature, safe search feature etc.).

    • fwehrle
    • 4 yrs ago
    • Reported - view

    I juste uncheck this setting in pfSense and now it works on the phone again. Thank you

    • fwehrle
    • 4 yrs ago
    • Reported - view

    Et voila :

    dig @192.168.1.1 dns.nextdns.io

    ; <<>> DiG 9.10.6 <<>> @192.168.1.1 dns.nextdns.io
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51419
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;dns.nextdns.io.            IN    A

    ;; ANSWER SECTION:
    dns.nextdns.io. 60 IN A 37.252.225.79
    dns.nextdns.io. 60 IN A 193.168.204.73

    ;; Query time: 111 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Mon Dec 21 23:17:58 CET 2020
    ;; MSG SIZE  rcvd: 75

    • eBKv6q
    • 4 yrs ago
    • Reported - view

    I've noticed android devices have not had connectivity for approximately 36 hours. I use a similar setup as Fwehrle. Turning off DNSSEC in PfSense does not eliminate the "Private server cannot be accessed" message on android users devices. Any other thoughts for how to solve this?

    Thanks

    With DNSSEC enabled:

    ; <<>> DiG 9.14.12 <<>> 192.168.1.1 dns.nextdns.io
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13674
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;192.168.1.1. IN A
    
    ;; AUTHORITY SECTION:
    . 1274 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020122101 1800 900 604800 86400
    
    ;; Query time: 52 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Mon Dec 21 19:31:34 PST 2020
    ;; MSG SIZE rcvd: 115
    
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46083
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;dns.nextdns.io. IN A
    
    ;; Query time: 656 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Mon Dec 21 19:31:35 PST 2020
    ;; MSG SIZE rcvd: 43
    

     

    With DNSSEC disabled:

    ; <<>> DiG 9.14.12 <<>> 192.168.1.1 dns.nextdns.io
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 510
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;192.168.1.1.INA
    
    ;; AUTHORITY SECTION:
    .1242INSOAa.root-servers.net. nstld.verisign-grs.com. 2020122101 1800 900 604800 86400
    
    ;; Query time: 43 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Mon Dec 21 19:39:46 PST 2020
    ;; MSG SIZE  rcvd: 115
    
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57872
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;dns.nextdns.io.INA
    
    ;; ANSWER SECTION:
    dns.nextdns.io.60INA162.220.221.25
    dns.nextdns.io.60INA45.32.79.76
    
    ;; Query time: 43 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Mon Dec 21 19:39:46 PST 2020
    ;; MSG SIZE  rcvd: 75
    
      • olivier
      • 4 yrs ago
      • Reported - view

      eBKv6q you forgot the @ before the IP of you router in the dig command. Can you try with it please?

      • eBKv6q
      • 4 yrs ago
      • Reported - view

      Olivier Poitrey oops sorry

      With DNSSEC enabled:

      ; <<>> DiG 9.14.12 <<>> @192.168.1.1 dns.nextdns.io
      ; (1 server found)
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26573
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 4096
      ;; QUESTION SECTION:
      ;dns.nextdns.io.INA
      
      ;; Query time: 522 msec
      ;; SERVER: 192.168.1.1#53(192.168.1.1)
      ;; WHEN: Tue Dec 22 18:51:50 PST 2020
      ;; MSG SIZE  rcvd: 43
      

       

      With DNSSEC disabled:

      ; <<>> DiG 9.14.12 <<>> @192.168.1.1 dns.nextdns.io
      ; (1 server found)
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63676
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 4096
      ;; QUESTION SECTION:
      ;dns.nextdns.io.INA
      
      ;; ANSWER SECTION:
      dns.nextdns.io.60INA162.220.221.25
      dns.nextdns.io.60INA45.32.79.76
      
      ;; Query time: 43 msec
      ;; SERVER: 192.168.1.1#53(192.168.1.1)
      ;; WHEN: Tue Dec 22 18:50:45 PST 2020
      ;; MSG SIZE  rcvd: 75
      

      Thanks

      • olivier
      • 4 yrs ago
      • Reported - view

      eBKv6q so same problem, please disable DNSSEC validation and it should work.

      • eBKv6q
      • 4 yrs ago
      • Reported - view

      Hi Olivier Poitrey , I've disabled DNSSEC but android devices are still showing the same error. I'm testing with a Pixel 3, I've tried restarting the device and turning Private DNS off and back on. As soon as I hit Save it says it couldn't connect to the private DNS server.

      Thanks

    • Hani_Ahmad_Farooqui
    • 3 yrs ago
    • Reported - view

    Please unable to connect private dns since a week on nokia android 10. It always says no internet but was working flawlessly since 8 months. Is their any fix or when issue resolved

Content aside

  • 3 Likes
  • 3 yrs agoLast active
  • 45Replies
  • 2465Views
  • 9 Following