
NextDNS Blocked on Xfinity?

I've posted about this elsewhere but haven't gotten a good response.  This is a really weird issue.

I recently started getting a DNS error out of nowhere when browsing the web. All of a sudden, I couldn't connect to any websites. I'm on Comcast/Xfinity internet when this happens. I changed DNS providers to OpenDNS to check, and DNS lookups are normal, I'm able to browse.  I change it back to NextDNS, and I'm blocked again.

Here's the really weird thing - when I connect to my VPN service, NextDNS works perfectly fine.

It seems that NextDNS is being blocked on my Comcast internet connection and I have no idea why.  For the record, Quad9 is also being blocked with the same issue.  All of the other secure DNS providers seem to work exactly as intended.

Here's where it gets really weird - it looks like something is tampering with SSL which is why the connection fails.  

If I browse to https://dns.nextdns.io/ on my VPN, I get a blank website which is fine, not expecting anything to be there - and the SSL cert appears normal. But when I drop my VPN, here's what I get in Chrome (Brave):

---

This site can’t provide a secure connection

dns.nextdns.io sent an invalid response.

ERR_SSL_PROTOCOL_ERROR

---

And I don't see any SSL cert to verify.


If I try in Firefox, I get this:

---

Secure Connection Failed

An error occurred during a connection to dns.nextdns.io. SSL received a record that exceeded the maximum permissible length.

Error code: SSL_ERROR_RX_RECORD_TOO_LONG

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

---

This seems like some sort of failed man-in-the-middle attack to me, or just some weird tampering.  But I've only seen this on the two DNS sites I mentioned - nowhere else.


I have no idea how to contact someone from NextDNS support, so I'm posting here.  Hopefully someone will see this.  I also have no idea how to contact someone at Xfinity who will have the slightest clue what I'm talking about.


And in case it's useful, here's the traceroutes:

Xfinity:

{Note that I did a traceroute for dns.nextdns.io - it was apparently redirected to steering.}

>tracert dns.nextdns.io

Tracing route to steering.nextdns.io [191.96.51.196]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.0.0.1
  2     8 ms     8 ms    16 ms  96.120.28.137
  3     9 ms     7 ms     7 ms  96.110.167.145
  4     7 ms     7 ms     7 ms  24.153.88.109
  5     8 ms     8 ms     8 ms  96.108.34.137
  6    13 ms     9 ms    14 ms  be-32211-cs01.350ecermak.il.ibone.comcast.net [96.110.40.49]
  7    10 ms     9 ms    15 ms  be-2112-pe12.350ecermak.il.ibone.comcast.net [96.110.33.210]
  8    10 ms     9 ms     8 ms  50.208.232.90
  9     9 ms    15 ms    10 ms  0.ae11.cr1.ord6.scnet.net [204.93.204.73]
 10     9 ms     8 ms     9 ms  0.ae1.ar4.ord6.scnet.net [204.93.204.113]
 11    10 ms     9 ms     9 ms  unknown.servercentral.net [50.31.158.46]
 12     9 ms     8 ms     8 ms  dns.nextdns.io [191.96.51.196]

Nothing specific comes up for that IP address - only the entire 191.0.0.0 subnet is managed by "Latin American and Caribbean IP address Regional Registry (LACNIC)"


---

VPN:

  1     *        *        *     Request timed out.
  2     9 ms     9 ms    10 ms  ip-69.39.231.129.servernap.net [69.39.231.129]
  3    10 ms    10 ms    10 ms  BE105.csr2.Chi3.Servernap.net [66.252.0.178]
  4    11 ms    11 ms    10 ms  ae12.pr1.Chi2.Servernap.net [66.252.0.70]
  5    19 ms    13 ms    13 ms  20473.chi.equinix.com [208.115.137.46]
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9    12 ms    11 ms    11 ms  dns.nextdns.io [45.76.16.236]

That seems like a legit address for NextDNS, and it responds properly to DNS requests and I get a proper SSL cert from it.

Could this be some sort of DNS poisoning on Comcast?  I can't believe more people aren't having this problem.

Can anyone get me in contact with a human at NextDNS?
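The two browser errors quoted in the post have one common cause: after the browser sends its TLS ClientHello, whatever answers on port 443 does not reply with a TLS record. A TLS record starts with a one-byte content type, a two-byte version and a two-byte length. If the peer instead answers with plaintext (for example a block page that begins with "HTTP/1.1"), Firefox reads the letters "P/" as the record length field, 0x502F = 20527 bytes, which is larger than any TLS record may be, and reports SSL_ERROR_RX_RECORD_TOO_LONG; Chrome reports the same condition as ERR_SSL_PROTOCOL_ERROR. The following script is an added diagnostic written for this thread, not something posted by the original poster or shipped by NextDNS or Xfinity. It classifies the first bytes a server returns after a ClientHello, and its `probe()` function performs that check live on a host of your choice (the live part needs network access; the host name and port are parameters you supply) and records which IP your current resolver handed back, so you can compare the result with and without a VPN the way the post does with traceroute.

```python
"""Added diagnostic (not from the thread): classify what answers a TLS ClientHello,
to explain ERR_SSL_PROTOCOL_ERROR / SSL_ERROR_RX_RECORD_TOO_LONG on a DoH endpoint.

TLS record header (RFC 5246, 6.2.1): type (1 byte), version (2 bytes), length (2 bytes).
Largest record a TLS 1.2 client will accept: 2^14 + 2048 bytes (RFC 5246, 6.2.3).
"""
import socket
import ssl
import struct

TLS_MAX_RECORD = 2**14 + 2048   # 18432: anything above this is "record too long"
TLS_HANDSHAKE = 0x16            # content type of a ServerHello
TLS_ALERT = 0x15                # content type of a TLS alert


def parse_tls_record_header(data: bytes) -> dict:
    """Read the first five bytes exactly as a TLS client does."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"type": content_type, "version": (major, minor), "length": length}


def classify_first_bytes(data: bytes) -> str:
    """Classify the reply to a ClientHello.

    'tls-handshake'   a ServerHello: the TLS server itself answered
    'tls-alert'       a TLS alert (e.g. handshake_failure)
    'plaintext-http'  an HTTP response on port 443 (block page, captive portal, proxy)
    'record-too-long' not TLS at all; the bogus length field exceeds TLS_MAX_RECORD
    'empty'           the peer closed the connection without sending anything
    'unknown'         anything else
    """
    if not data:
        return "empty"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    if len(data) < 5:
        return "unknown"
    hdr = parse_tls_record_header(data)
    if hdr["version"][0] == 3 and hdr["type"] == TLS_HANDSHAKE:
        return "tls-handshake"
    if hdr["version"][0] == 3 and hdr["type"] == TLS_ALERT:
        return "tls-alert"
    if hdr["length"] > TLS_MAX_RECORD:
        return "record-too-long"
    return "unknown"


def build_client_hello(host: str) -> bytes:
    """Let the ssl module generate a real ClientHello for `host` without touching the network."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        tls.do_handshake()          # writes the ClientHello into `outgoing`, then wants to read
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check (needs network): resolve `host` with the system resolver, send a
    ClientHello over a raw socket, and classify whatever comes back."""
    addr = socket.gethostbyname(host)   # whatever your current DNS path answers
    client_hello = build_client_hello(host)
    with socket.create_connection((addr, port), timeout=timeout) as sock:
        sock.sendall(client_hello)
        reply = sock.recv(4096)
    return {
        "resolved_ip": addr,
        "first_bytes": reply[:16],
        "verdict": classify_first_bytes(reply),
    }


if __name__ == "__main__":
    # Constructed sample replies, to show the classification without any network access.
    for sample in (b"HTTP/1.1 200 OK\r\n", b"<html>blocked</html>",
                   b"\x16\x03\x03\x00\x7a\x02\x00\x00\x76", b""):
        print(repr(sample[:12]), "->", classify_first_bytes(sample))
    # Live run against a host you choose, e.g.: print(probe("dns.nextdns.io"))
```

Run it once on the normal connection and once over the VPN; if `resolved_ip` differs between the two runs and the verdict is anything other than `tls-handshake`, the problem is upstream of the DoH server itself, which matches what the post observes.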

2 replies
Xfinity blocks dns*.nextdns.io when their Safe Browsing feature is enabled. You need to disable this feature from Xfinity or use the bootstrap IP.

Jon, 6 months ago:

NextDNS Weird - they must have enabled it for us out of nowhere. Never had a problem up until a week or two ago. I'll try that. Thanks!