
NextDNS is breaking zoom!

I think this is a bug. NextDNS can’t resolve zoom.us nor its sub-domains (like my-organization.zoom.us). Here are the steps to reproduce:

  1. Use next dns (I use it with pfsense).
  2. Run this command (on MacOS or Linux)
    dig zoom.us

     

When it’s bugged out, NextDNS responds with a blank “A” record.  I’ve noticed that it doesn’t always happen. But it always seems to happen at the worst time. And when I dig at another DNS server it works.

As a work around, I can go into my OS’s network settings and change my DNS to quad 9 or something. (But I use NextDNS for privacy so this solution kinda sucks because I have to remember to change it back).    

16 replies

    • Michael.2
    • 2 yrs ago

    I forgot to mention, that I’m not blocking anything. I went through every tab and disabled every setting that blocks domains. 

      • Hey
      • 2 yrs ago

      Michael  Any updates?

    • Hey
    • 2 yrs ago

    It works for me, try to see the logs and watch for anything that's blocking it.

    NRD could block it as it was blocking a Plex server for me at one point.

    Check and disable Block Page as it can create problems if you use it.

    Disable DNS Rebinding and see if it works; if not, turn DNS Rebinding back on as it's a major security feature in my opinion.

    It's unlikely, but also try to disable Bypass Methods if you use the feature and see if that works.

      • Michael.2
      • 2 yrs ago

      Hey Thanks for the reply. Yes, it's working right now (Sat March 5th 2022 @ 8:30AM).

      I didn’t see any blocked queries, but I only log for 1 hour (and I’d rather keep the logs off).

      I checked all the settings you mentioned:

      • NRD is off 
      • I can’t find any settings that block domains and the Block Page is disabled (Denylist is empty, Block lists has nothing, and I re-checked every setting)
      • I have DNS rebinding turned off (though that feature looks pretty cool and I might start using)
      • Bypass methods are turned off too (under Parental Controls)

      All of the above settings were turned off when I last experienced the problem. I do have Anonymized EDNS Client subnet turned on though.

      Next time I see the problem I will jump into the Logs and Analytics to see what’s going on (if I can). 

      • Hey
      • 2 yrs ago

      Michael Alright great to hear that it's fixed, knowing how important Zoom was for me with online education. Wanted to see if everything was fine.

      • Michael.2
      • 2 yrs ago

      Hey It’s hit or miss still. A few mins after I posted my reply, it didn’t work.

      Before, I said NextDNS responded with a blank “A” message but that’s not right. I should have said there was a SERVFAIL. Here is the output (changed for privacy):

      > dig <MY-ORG>.zoom.us
      ; <<>> DiG 9.9.7-P3 <<>> <MY-ORG>.zoom.us
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: *****
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 4096
      ;; QUESTION SECTION:
      ;<MY-ORG>.zoom.us.             IN      A

      ;; Query time: 297 msec
      ;; SERVER: 192.168.*.*#53(192.168.*.*)
      ;; WHEN: Sat Mar 05 08:55:36 PST 2022
      ;; MSG SIZE  rcvd: 46

      • Hey
      • 2 yrs ago

      Michael Could you try to disable the ECD option as I've seen users having problems with that before. If it's still continuing hopefully the NextDNS team can help.

      • Michael.2
      • 2 yrs ago

      Hey I still get the issue when EDNS is disabled. Here’s the output from NS lookup (changed for privacy):

      > nslookup <MY-ORG>.zoom.us
      Server:         192.168.*.*
      Address:        192.168.*.*#53
      
      ** server can't find <MY-ORG>.zoom.us: SERVFAIL
      

      One minute it will work and the next it won’t.   

      • NextDNs
      • 2 yrs ago

      Michael what is running on 192.168…:53 to serve DNS?

      • Michael.2
      • 2 yrs ago

      NextDNS Thanks for replying in this thread. pfsense (my router) is running at that IP address (I replaced two of the octets with * for privacy). My pfsense router uses DNS resolver and all the computers in my home use it as their DNS server.

      pfsense (DNS resolver) was configured using the documentation provided under the “Setup” tab. I set the custom options field with a value that starts with:

      server:
        forward-zone:
          name: "."
          forward-tls-upstream: yes

      Overall, DNS has been working well (except zoom). All my queries use TLS and the logs show that next dns has been providing DNS records. Even when zoom.us doesn’t work, all other dns lookups seem to work.

    • NextDNs
    • 2 yrs ago

    Please share the actual hostname with an issue in DM so we can try to reproduce.

    • Michael.2
    • 2 yrs ago

    In case it’s helpful, I ran into the problem just now when I ran the nslookup and date commands:

    > nslookup zoom.us
    Server:         192.168.63.1
    Address:        192.168.63.1#53
    ** server can't find zoom.us: SERVFAIL
    
    > date
    Sun Mar  6 16:21:39 PST 2022
    

    Then a few minutes later it worked:

    > nslookup zoom.us
    Server:         192.168.63.1
    Address:        192.168.63.1#53

    Non-authoritative answer:
    Name:   zoom.us
    Address: 170.114.10.76
    
    > date
    Sun Mar  6 16:24:19 PST 2022

    Is this what you need? 

    • Steve.1
    • 2 yrs ago

    This happened to me too. If I remember correctly it was caused by the Settings > Block Page option. Try turning it off. They should remove this option anyway. Causes a lot of problems.

    This was on my kids profile and I still have all options on security page turned on.

    Try this. If not, then try adding zoom.us in allow list until it's resolved.

    • Michael.2
    • 2 yrs ago

    Looks like the problem is zoom has misconfigured their DNS servers. Thank you @NextDNS for helping with this problem. If anyone else is running into this problem and you're running pfsense, here is a workaround:

    Configure DNS Resolver so that "DNSSEC Support" is turned off.

    It's honestly a pretty bad solution, but it might be better than nothing. Hopefully zoom will fix their servers. And hopefully nobody gets in trouble for being late to a meeting... 

      • Kyle_B
      • 2 yrs ago

      Michael Thanks Michael, this solved the issue I was having with pfsense\nextdns\zoom as well.

    • Tom_T
    • 1 yr ago
    Michael said:
    Configure DNS Resolver so that "DNSSEC Support" is turned off.

     That's a bit of a deal-breaker though. Is there any particular way to make it so Zoom is exempt from DNSSEC?
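
Added example, not part of any post in this thread: a shell check for whether a SERVFAIL like the ones shown above comes from DNSSEC validation on the local resolver, by comparing a normal `dig` query with one sent with the CD (checking disabled) bit. The function names and the two sample response headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: tell a DNSSEC validation failure apart from other SERVFAILs
# by comparing a normal query with one sent with the CD (checking disabled) bit.

# Print the RCODE (NOERROR, SERVFAIL, ...) from the header of a dig response.
dig_status() {
  printf '%s\n' "$1" |
    sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify_servfail NORMAL_OUTPUT CD_OUTPUT
# NORMAL_OUTPUT: text of `dig NAME`; CD_OUTPUT: text of `dig +cdflag NAME`.
classify_servfail() {
  cs_normal=$(dig_status "$1")
  cs_nocheck=$(dig_status "$2")
  if [ "$cs_normal" != "SERVFAIL" ]; then
    echo "not-servfail"
  elif [ "$cs_nocheck" = "NOERROR" ] || [ "$cs_nocheck" = "NXDOMAIN" ]; then
    # Data exists, but the validating resolver refuses to hand it out.
    echo "dnssec-validation-failure"
  else
    # Fails even without validation: upstream, network or the zone itself.
    echo "other-failure"
  fi
}

# Live check: check_name NAME RESOLVER_IP. Both queries run back to back
# because the failure in this thread comes and goes within minutes.
check_name() {
  classify_servfail "$(dig "@$2" "$1" A)" "$(dig "@$2" "$1" A +cdflag)"
}

# Constructed sample headers (not captured from the thread's resolver).
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CD_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Offline demonstration on the constructed samples.
classify_servfail "$SAMPLE_SERVFAIL" "$SAMPLE_CD_ANSWER"
```

Against the resolver from the thread the call would be `check_name zoom.us 192.168.63.1`. If it reports `dnssec-validation-failure`, Unbound's `domain-insecure: "zoom.us"` server option skips validation for that one zone only, which is narrower than turning "DNSSEC Support" off for every domain; it has not been tested against this setup.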
