0

steering.nextdns.io can't resolve through NextDNS

Hello,

 

I have this weird issue, that I can not resolve dns.nextdns.io (which has a CNAME to steering.nextdns.io) on my device right now, even though other domains work fine.

 

For example:

; <<>> DiG 9.10.6 <<>> nextdns.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57363
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1  ;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;nextdns.io.            IN    A  ;; ANSWER SECTION:
nextdns.io.        300    IN    A    104.26.1.148
nextdns.io.        300    IN    A    172.67.72.46
nextdns.io.        300    IN    A    104.26.0.148  ;; Query time: 39 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 07 16:25:35 CET 2022
;; MSG SIZE  rcvd: 87

But if I run the same query for steering.nextdns.io, I get a servfail:

; <<>> DiG 9.10.6 <<>> steering.nextdns.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4316
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;steering.nextdns.io.        IN    A

;; Query time: 53 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 07 16:26:57 CET 2022
;; MSG SIZE  rcvd: 48

Right now I am using knot-resolver on MacOS 12.2. I used to have similar problems while using stubby as a resolver, which is why I switched to knot. But these issues are still appearing.

I can usually fix this issue by restarting the resolver daemon, but I find it rather annoying to do.

I was able to turn on debug-logging in knot and got this:

[gnutls] (5) REC[0x7febb68c1800]: Preparing Packet Application Data(23) with length: 50 and min pad: 0
[gnutls] (5) REC[0x7febb68c1800]: Sent Packet[1] Application Data(23) in epoch 2 and length: 72
[gnutls] (5) REC[0x7febb68c1800]: SSL 3.3 Application Data packet received. Epoch 2, length: 147
[gnutls] (5) REC[0x7febb68c1800]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x7febb68c1800]: Received Packet Application Data(23) with length: 147
[gnutls] (5) REC[0x7febb68c1800]: Decrypted Packet[0] Handshake(22) with length: 130
[gnutls] (3) ASSERT: buffers.c[get_last_packet]:1186
[gnutls] (4) HSK[0x7febb68c1800]: NEW SESSION TICKET (4) was received. Length 126[126], frag offset 0, frag length: 126, sequence: 0
[gnutls] (3) ASSERT: buffers.c[_gnutls_handshake_io_recv_int]:1446
[gnutls] (4) HSK[0x7febb68c1800]: parsing session ticket message
[gnutls] (3) ASSERT: record.c[_gnutls_recv_in_buffers]:1587
[gnutls] (3) ASSERT: record.c[_gnutls_recv_int]:1785
[gnutls] (5) REC[0x7febb68c1800]: SSL 3.3 Application Data packet received. Epoch 2, length: 147
[gnutls] (5) REC[0x7febb68c1800]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x7febb68c1800]: Received Packet Application Data(23) with length: 147
[gnutls] (5) REC[0x7febb68c1800]: Decrypted Packet[1] Application Data(23) with length: 130
[gnutls] (3) ASSERT: buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: record.c[_gnutls_recv_int]:1785
[select][62742.18] => id: '00279' updating: '.'@'2a07:a8c0::#00853' zone cut: 'nextdns.io.' with rtt 18 to srtt: 72 and variance: 58
[iterat][62742.18] <= rcode: NOERROR
[plan ][62742.18] plan 'steering.nextdns.io.' type 'DS' uid [62742.19]
[iterat][62742.19] 'steering.nextdns.io.' type 'DS' new uid was assigned .20, parent uid .18
[cache ][62742.20] => skipping exact packet: rank 025 (min. 030), new TTL -154
[cache ][62742.20] => trying zone: ., NSEC, hash 0
[cache ][62742.20] => NSEC sname: range search found stale or insecure entry
[cache ][62742.20] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[resolv][62742.20] => id: '08760' querying: '.'@'2a07:a8c0::#00853' zone cut: 'nextdns.io.' qname: 'sTEERInG.nexTDNs.Io.' qtype: 'DS' proto: 'tcp'
[gnutls] (5) REC[0x7febb68c1800]: Preparing Packet Application Data(23) with length: 50 and min pad: 0
[gnutls] (5) REC[0x7febb68c1800]: Sent Packet[2] Application Data(23) in epoch 2 and length: 72
[gnutls] (5) REC[0x7febb68c1800]: SSL 3.3 Application Data packet received. Epoch 2, length: 147
[gnutls] (5) REC[0x7febb68c1800]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x7febb68c1800]: Received Packet Application Data(23) with length: 147
[gnutls] (5) REC[0x7febb68c1800]: Decrypted Packet[2] Application Data(23) with length: 130
[gnutls] (3) ASSERT: buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: record.c[_gnutls_recv_int]:1785
[select][62742.20] => id: '08760' updating: '.'@'2a07:a8c0::#00853' zone cut: 'nextdns.io.' with rtt 11 to srtt: 64 and variance: 59
[iterat][62742.20] <= rcode: NOERROR
[resolv][62742.20] => resuming yielded answer
[valdtr][62742.20] <= bad NODATA proof
[cache ][62742.20] => stashed packet: rank 025, TTL 5, DS steering.nextdns.io. (140 B)
[resolv][62742.00] request failed, answering with empty SERVFAIL
[resolv][62742.20] finished in state: 8, queries: 6, mempool: 49200 B
[plan ][00000.00] plan 'dns.nextdns.io.' type 'A' uid [19017.00]
[iterat][19017.00] 'dns.nextdns.io.' type 'A' new uid was assigned .01, parent uid .00
[cache ][19017.01] => satisfied by exact CNAME: rank 060, new TTL 114
[iterat][19017.01] <= rcode: NOERROR
[iterat][19017.01] <= cname chain, following
[plan ][00000.00] plan 'steering.nextdns.io.' type 'A' uid [19017.02]
[valdtr][19017.01] <= answer valid, OK
[iterat][19017.02] 'steering.nextdns.io.' type 'A' new uid was assigned .03, parent uid .00
[cache ][19017.03] => skipping exact RR: rank 030 (min. 030), new TTL -4219
[cache ][19017.03] => trying zone: ., NSEC, hash 0
[cache ][19017.03] => NSEC sname: range search found stale or insecure entry
[cache ][19017.03] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[plan ][19017.03] plan '.' type 'DNSKEY' uid [19017.04]
[iterat][19017.04] '.' type 'DNSKEY' new uid was assigned .05, parent uid .03
[cache ][19017.05] => satisfied by exact RRset: rank 060, new TTL 82422
[iterat][19017.05] <= rcode: NOERROR
[valdtr][19017.05] <= parent: updating DNSKEY
[valdtr][19017.05] <= answer valid, OK
[iterat][19017.03] 'steering.nextdns.io.' type 'A' new uid was assigned .06, parent uid .00
[plan ][19017.06] plan 'io.' type 'DS' uid [19017.07]
[iterat][19017.07] 'io.' type 'DS' new uid was assigned .08, parent uid .06
[cache ][19017.08] => satisfied by exact RRset: rank 060, new TTL 78189
[iterat][19017.08] <= rcode: NOERROR
[valdtr][19017.08] <= DS: OK
[valdtr][19017.08] <= parent: updating DS
[valdtr][19017.08] <= answer valid, OK
[iterat][19017.06] 'steering.nextdns.io.' type 'A' new uid was assigned .09, parent uid .00
[plan ][19017.09] plan 'io.' type 'DNSKEY' uid [19017.10]
[iterat][19017.10] 'io.' type 'DNSKEY' new uid was assigned .11, parent uid .09
[cache ][19017.11] => satisfied by exact RRset: rank 060, new TTL 1948
[iterat][19017.11] <= rcode: NOERROR
[valdtr][19017.11] <= parent: updating DNSKEY
[valdtr][19017.11] <= answer valid, OK
[iterat][19017.09] 'steering.nextdns.io.' type 'A' new uid was assigned .12, parent uid .00
[plan ][19017.12] plan 'nextdns.io.' type 'DS' uid [19017.13]
[iterat][19017.13] 'nextdns.io.' type 'DS' new uid was assigned .14, parent uid .12
[cache ][19017.14] => satisfied by exact RRset: rank 060, new TTL 1094
[iterat][19017.14] <= rcode: NOERROR
[valdtr][19017.14] <= DS: OK
[valdtr][19017.14] <= parent: updating DS
[valdtr][19017.14] <= answer valid, OK
[iterat][19017.12] 'steering.nextdns.io.' type 'A' new uid was assigned .15, parent uid .00
[plan ][19017.15] plan 'nextdns.io.' type 'DNSKEY' uid [19017.16]
[iterat][19017.16] 'nextdns.io.' type 'DNSKEY' new uid was assigned .17, parent uid .15
[cache ][19017.17] => satisfied by exact RRset: rank 060, new TTL 2370
[iterat][19017.17] <= rcode: NOERROR
[valdtr][19017.17] <= parent: updating DNSKEY
[valdtr][19017.17] <= answer valid, OK
[iterat][19017.15] 'steering.nextdns.io.' type 'A' new uid was assigned .18, parent uid .00
[resolv][19017.18] => id: '21955' querying: '.'@'2a07:a8c0::#00853' zone cut: 'nextdns.io.' qname: 'StEerINg.Nextdns.iO.' qtype: 'A' proto: 'tcp'
[gnutls] (5) REC[0x7febb68c1800]: Preparing Packet Application Data(23) with length: 50 and min pad: 0
[gnutls] (5) REC[0x7febb68c1800]: Sent Packet[3] Application Data(23) in epoch 2 and length: 72
[gnutls] (5) REC[0x7febb68c1800]: SSL 3.3 Application Data packet received. Epoch 2, length: 147
[gnutls] (5) REC[0x7febb68c1800]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x7febb68c1800]: Received Packet Application Data(23) with length: 147
[gnutls] (5) REC[0x7febb68c1800]: Decrypted Packet[3] Application Data(23) with length: 130
[gnutls] (3) ASSERT: buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: record.c[_gnutls_recv_int]:1785
[select][19017.18] => id: '21955' updating: '.'@'2a07:a8c0::#00853' zone cut: 'nextdns.io.' with rtt 12 to srtt: 58 and variance: 57
[iterat][19017.18] <= rcode: NOERROR
[plan ][19017.18] plan 'steering.nextdns.io.' type 'DS' uid [19017.19]
[iterat][19017.19] 'steering.nextdns.io.' type 'DS' new uid was assigned .20, parent uid .18
[cache ][19017.20] => skipping exact packet: rank 025 (min. 030), new TTL 0
[cache ][19017.20] => trying zone: ., NSEC, hash 0
[cache ][19017.20] => NSEC sname: range search found stale or insecure entry
[cache ][19017.20] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[resolv][19017.20] => id: '20831' querying: '.'@'2a07:a8c0::#00853' zone cut: 'nextdns.io.' qname: 'steerINg.NeXTdNS.iO.' qtype: 'DS' proto: 'tcp'
[gnutls] (5) REC[0x7febb68c1800]: Preparing Packet Application Data(23) with length: 50 and min pad: 0
[gnutls] (5) REC[0x7febb68c1800]: Sent Packet[4] Application Data(23) in epoch 2 and length: 72
[gnutls] (5) REC[0x7febb68c1800]: SSL 3.3 Application Data packet received. Epoch 2, length: 147
[gnutls] (5) REC[0x7febb68c1800]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x7febb68c1800]: Received Packet Application Data(23) with length: 147
[gnutls] (5) REC[0x7febb68c1800]: Decrypted Packet[4] Application Data(23) with length: 130
[gnutls] (3) ASSERT: buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: record.c[_gnutls_recv_int]:1785
[select][19017.20] => id: '20831' updating: '.'@'2a07:a8c0::#00853' zone cut: 'nextdns.io.' with rtt 11 to srtt: 52 and variance: 55
[iterat][19017.20] <= rcode: NOERROR
[resolv][19017.20] => resuming yielded answer
[valdtr][19017.20] <= bad NODATA proof
[cache ][19017.20] => stashed packet: rank 025, TTL 5, DS steering.nextdns.io. (140 B)
[resolv][19017.00] request failed, answering with empty SERVFAIL
[resolv][19017.20] finished in state: 8, queries: 6, mempool: 49200 B
[plan ][00000.00] plan 'steering.nextdns.io.' type 'A' uid [50256.00]
[iterat][50256.00] 'steering.nextdns.io.' type 'A' new uid was assigned .01, parent uid .00
[cache ][50256.01] => skipping exact RR: rank 030 (min. 030), new TTL -4229
[cache ][50256.01] => trying zone: ., NSEC, hash 0
[cache ][50256.01] => NSEC sname: range search found stale or insecure entry
[cache ][50256.01] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[plan ][50256.01] plan '.' type 'DNSKEY' uid [50256.02]
[iterat][50256.02] '.' type 'DNSKEY' new uid was assigned .03, parent uid .01
[cache ][50256.03] => satisfied by exact RRset: rank 060, new TTL 82412
[iterat][50256.03] <= rcode: NOERROR
[valdtr][50256.03] <= parent: updating DNSKEY
[valdtr][50256.03] <= answer valid, OK
[iterat][50256.01] 'steering.nextdns.io.' type 'A' new uid was assigned .04, parent uid .00
[plan ][50256.04] plan 'io.' type 'DS' uid [50256.05]
[iterat][50256.05] 'io.' type 'DS' new uid was assigned .06, parent uid .04
[cache ][50256.06] => satisfied by exact RRset: rank 060, new TTL 78179
[iterat][50256.06] <= rcode: NOERROR
[valdtr][50256.06] <= DS: OK
[valdtr][50256.06] <= parent: updating DS
[valdtr][50256.06] <= answer valid, OK
[iterat][50256.04] 'steering.nextdns.io.' type 'A' new uid was assigned .07, parent uid .00
[plan ][50256.07] plan 'io.' type 'DNSKEY' uid [50256.08]
[iterat][50256.08] 'io.' type 'DNSKEY' new uid was assigned .09, parent uid .07
[cache ][50256.09] => satisfied by exact RRset: rank 060, new TTL 1938
[iterat][50256.09] <= rcode: NOERROR
[valdtr][50256.09] <= parent: updating DNSKEY
[valdtr][50256.09] <= answer valid, OK
[iterat][50256.07] 'steering.nextdns.io.' type 'A' new uid was assigned .10, parent uid .00
[plan ][50256.10] plan 'nextdns.io.' type 'DS' uid [50256.11]
[iterat][50256.11] 'nextdns.io.' type 'DS' new uid was assigned .12, parent uid .10
[cache ][50256.12] => satisfied by exact RRset: rank 060, new TTL 1084
[iterat][50256.12] <= rcode: NOERROR
[valdtr][50256.12] <= DS: OK
[valdtr][50256.12] <= parent: updating DS
[valdtr][50256.12] <= answer valid, OK
[iterat][50256.10] 'steering.nextdns.io.' type 'A' new uid was assigned .13, parent uid .00
[plan ][50256.13] plan 'nextdns.io.' type 'DNSKEY' uid [50256.14]
[iterat][50256.14] 'nextdns.io.' type 'DNSKEY' new uid was assigned .15, parent uid .13
[cache ][50256.15] => satisfied by exact RRset: rank 060, new TTL 2360
[iterat][50256.15] <= rcode: NOERROR
[valdtr][50256.15] <= parent: updating DNSKEY
[valdtr][50256.15] <= answer valid, OK
[iterat][50256.13] 'steering.nextdns.io.' type 'A' new uid was assigned .16, parent uid .00
[resolv][50256.16] => id: '32354' querying: '.'@'2a07:a8c0::#00853' zone cut: 'nextdns.io.' qname: 'sTeEriNg.NExtDNs.iO.' qtype: 'A' proto: 'tcp'
[gnutls] (5) REC[0x7febb68c1800]: Preparing Packet Application Data(23) with length: 50 and min pad: 0
[gnutls] (5) REC[0x7febb68c1800]: Sent Packet[5] Application Data(23) in epoch 2 and length: 72
[gnutls] (5) REC[0x7febb68c1800]: SSL 3.3 Application Data packet received. Epoch 2, length: 147
[gnutls] (5) REC[0x7febb68c1800]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x7febb68c1800]: Received Packet Application Data(23) with length: 147
[gnutls] (5) REC[0x7febb68c1800]: Decrypted Packet[5] Application Data(23) with length: 130
[gnutls] (3) ASSERT: buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: record.c[_gnutls_recv_int]:1785
[select][50256.16] => id: '32354' updating: '.'@'2a07:a8c0::#00853' zone cut: 'nextdns.io.' with rtt 11 to srtt: 47 and variance: 52
[iterat][50256.16] <= rcode: NOERROR
[plan ][50256.16] plan 'steering.nextdns.io.' type 'DS' uid [50256.17]
[iterat][50256.17] 'steering.nextdns.io.' type 'DS' new uid was assigned .18, parent uid .16
[cache ][50256.18] => skipping exact packet: rank 025 (min. 030), new TTL -5
[cache ][50256.18] => trying zone: ., NSEC, hash 0
[cache ][50256.18] => NSEC sname: range search found stale or insecure entry
[cache ][50256.18] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[resolv][50256.18] => id: '11969' querying: '.'@'2a07:a8c0::#00853' zone cut: 'nextdns.io.' qname: 'sTeerINg.NEXtDns.io.' qtype: 'DS' proto: 'tcp'

 

What I find extremely weird is that it is the same issue I had with stubby. Knot was installed through homebrew and the config file has only been changed to make use of the nextDNS servers. Any ideas?

1 reply

null
    • NextDNs
    • 2 yrs ago
    • Reported - view

    Does it still happen? Did you setup knot to enforce dnssec?

Content aside

  • 2 yrs agoLast active
  • 1Replies
  • 278Views
  • 2 Following