dns.nextdns.io website certificate revoked

As of 13.03.2021 I'm getting hundreds of certificate revocation errors from my Antivirus provider ESET Internet Security for domain dns.nextdns.io.

Seems to pop up for every DNS query my computer makes.

Using NextDNS on Windows 11 with that new Encrypted DNS feature. Worked for months until today almost without any issues.

{
"status": "ok",
"protocol": "DOH",
"profile": "***",
"client": "***",
"srcIP": "***",
"destIP": "45.90.30.90",
"anycast": true,
"server": "anexia-mow-1",
"clientName": "unknown-doh",
"deviceName": "***",
"deviceID": "***"
}

6 replies

    • Pro subscriber ✓
    • DynamicNotSlow
    • 2 yrs ago

    ESET hijacks your HTTPS connections with its own certificate for all sites. Stop using it.

    • Hey
    • 2 yrs ago

    Checked myself and dns.nextdns.io is using ZeroSSL, and I haven't seen anything that might point to it actually being "untrustworthy". There are bad reviews on Trustpilot, but nearly all of them are about them being free before and turning into a paid SSL solution (ZeroSSL was a LetsEncrypt frontend and now they make their own SSL certificates and are a paid solution, from what I've gathered). The complaints had nothing to do with their security, so it's safe.

    Here is a statement from ESET's website.

    "ESET SSL (Secure socket layer) scanning is a feature that allows or denies network communications based on a system of certificates that legitimate web services use to identify themselves. In some cases, a legitimate web service or network device might be denied by ESET SSL scanning because its certificate changes frequently, or it does not use an SSL certificate. You can create exceptions to SSL scanning in ESET Windows home products that will allow communications with these services or devices."

    (https://support.eset.com/en/kb3487-allow-ssl-communication-with-specific-online-services-and-wireless-devices-in-eset-windows-home-products)

    So it seems to be a false positive; allowing it should do the trick. The URL above has the quote and a tutorial on how to exclude it in the ESET settings.

      • Pro subscriber ✓
      • DynamicNotSlow
      • 2 yrs ago

      Hey it doesn't make sense trying to fix broken "security" solutions.

      • Hey
      • 2 yrs ago

      DynamicNotSlow it's a tool that they already own; if they prefer to have it, fixing it is better than getting rid of it.

    • Arturs
    • 2 yrs ago

    First of all, both ESET and NextDNS are paid services to me, so "stop using it" is not a good option. Have been using them for years without issues.

    ESET is not a broken product; its HTTPS scanning is a feature that most paid and endpoint antivirus providers offer.

    Seems like the website uses ZeroSSL indeed, but DNS queries are made to different servers at different times, and one of them is Russia-related, so that's why ESET thinks it's revoked (maybe it really is/was). Because it was working for a year or so without issues and started recently.

      • Hey
      • 2 yrs ago

      Arturs As with any AV there is a risk of FPs; I would personally whitelist it until it stops getting triggered. Interesting though, I also use an AV on a laptop (Trend Micro, since I prefer more of the AI/ML approach that they have been taking for a while) and it hasn't been triggered, and neither have major browsers, so I'd say I'm pretty confident that it's a FP.
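
One way to settle the question the thread keeps circling, as an added example that is not part of any reply above: the PowerShell below connects to dns.nextdns.io, shows the issuer and chain this machine actually receives, and asks Windows to check revocation online. Port 443 and the parameter names are assumptions; whether a TLS-filtering product substitutes its own certificate for a PowerShell process depends on how that product is configured.

```powershell
# Added example: inspect the certificate this machine receives for a host.
# The host name is taken from the thread; port and parameter names are assumed.
param([string]$HostName = 'dns.nextdns.io', [int]$Port = 443)

$tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
try {
    # Accept any certificate at handshake time so that a rejected one can
    # still be examined; trust is evaluated explicitly by the chain build.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($HostName)
    $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}

# Build the chain against the Windows trust store with online revocation
# checking (CRL/OCSP) for every certificate in the chain.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$trusted = $chain.Build($leaf)

"Subject    : $($leaf.Subject)"
"Issuer     : $($leaf.Issuer)"
"Thumbprint : $($leaf.Thumbprint)"
"Validity   : $($leaf.NotBefore) .. $($leaf.NotAfter)"
"Chain as built by Windows (leaf first):"
$chain.ChainElements | ForEach-Object { "  $($_.Certificate.Subject)" }

"Chain build succeeded: $trusted"
# Empty when the chain is clean; a 'Revoked' entry means Windows itself
# found a revoked certificate, independent of any antivirus verdict.
$chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
```

If the issuer or chain root names the antivirus product rather than a public CA, the connection is being filtered for this process and the chain Windows evaluates is the product's substitute. If the chain ends at a public CA and no `Revoked` status appears, the revocation error is coming from the antivirus product's own check rather than from Windows.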
