
DNS leak test showing USA cloudflare addresses instead of local NextDNS?

Hi there, I have been using the service for about a week now and have been enjoying the local fast queries and speeds. When I first got my service up and running I had 2 local DNS servers powered by NextDNS. Now when I am testing for DNS leaks I am seeing entries for Cloudflare addresses back to the USA - 172.70.37.108

Being in Aus this creates a noticeable difference, going from <10ms to ~330ms ping response times. Is this caused by a setting ticked under the performance section in the settings? Again, just seeking some clarity about what is causing this. Thanks.

Edit: I have just performed another leak test; now neither NextDNS server is showing and I am getting multiple Cloudflare addresses. I run a Pi-hole setup and force all traffic through it using the 2x servers provided under my https://my.nextdns.io/ page.

73 replies
  • Is it also worth my while, once I have done enough testing, to point directly to the local servers it picks up? Or do those IPs constantly change with regards to NextDNS servers? (They differ from the 2x IPs shown in my account dashboard.) If that makes sense. Thanks!
  • What do you get for https://test.nextdns.io?

      • Myth0ne, 4 wk ago

      NextDNS

      {
      "status": "ok",
      "protocol": "UDP",
      "configuration": "fp0254db39e3be6df7",
      "client": "my static ipv4 address here",
      "destIP": "45.90.30.58",
      "anycast": true,
      "server": "vultr-syd-1",
      "clientName": "unknown"
      }
      
      Which is weird, because when I run 'leak' tests I seem to get a bunch of USA IPs as well for Cloudflare, which I've found in the past gives me crap CDN routing and takes ages to resolve pages sometimes. Please see below; my question is, should I hard code those 2x highlighted addresses instead of using the provided 2x addresses that are linked to my IP in my NextDNS account page? Or do those IPs often change around?
  • If you configured only the v4 DNS and you didn't configure or disable v6, you will have leaks.

    If possible use DoH or DoT as explained in the links I gave you but probably didn't bother reading.

    If you can, install the CLI; if not, another app/client or some script that can be configured with DoH or DoT. Or disable v6.

    https://github.com/nextdns/nextdns/wiki

    *You can try the servers' direct IPs, see if they work... I say they won't and I think you should stick with the ones from your profile.
  • losnad said:
    If you configured only the v4 DNS and you didn't configured or disabled v6 you will have leaks.
    If possible use DoH or DoT as explained in the links I gave you but probably didn't bother reading.

    I did read the article. I can only use v4 or v6 links. I've disabled v6 on my router and Pi-hole config.

    When I sign into my dashboard I even get the following:

    'IPv6

    Your network does not support IPv6'
  • Bumping for visibility. Is this normal behaviour? When I run these tests I sometimes get only overseas DNS server results. It seems to be really inconsistent and confusing. For instance, if I use Cloudflare 1.1.1.1 & 1.0.0.1 I only get the two results when I run leak tests.
  • It's normal not to know; no one was born a master.

    Not listening, not reading in order to learn, this is not normal.

    If you have leaks in DNS where NextDNS and other DNS providers appear at the same time, it's probably a problem with v6 which is not configured or can't be configured.

    If NextDNS does not appear at all, it is most likely because you did not configure DDNS and your IP is dynamic. I mean, it is not rocket science. Your IP changes, you no longer use NextDNS.

    Set the default NextDNS 45.90.28.0 and 45.90.30.0 and it will act just like any other public DNS like Cloudflare or Google. But you will lose all your settings from the account. If you use the IP from your account you need to either have a fixed IP or update it when it is changing, manually or by setting up a DDNS.

    It is all explained in your account, here on the Knowledge Base. But it is easier to just complain when there is clearly nothing wrong with the service but just human error.

    Now, just ignore, again, what I explained and keep having the same problem.
  • losnad said:
    If you have leaks in DNS where NextDNS and other DNS providers appear on the same time it's probably a problem with v6 which is not configured or can't be configured.
    If NextDNS does not appear at all, it is most likely because you did not configured DDNS and your IP is dynamic. I mean is not rocket science. Your IP change, you no longer use NextDNS.

    I am trying to help us out here; saying I am not reading or listening helps nobody and comes off as stubborn.

    It isn't just me, as I can see it appearing on other threads here as well.

    To reiterate some of the suggestions you have made: I have IPv6 straight up disabled on my router. I don't have it set up at all and only utilise IPv4. In regards to a dynamic IP, that is also incorrect as I have a static IP given to me by my ISP.

    So rather than telling me I am not listening and ignoring what is said, as fellow people in the tech field, where does it now take us with the next troubleshooting steps, now that you know this information, which, might I add, I already mentioned in the thread previously?
  • A quick thing and I'm done. One thing is for sure: NextDNS does not redirect you or the others who have problems to Cloudflare or any other DNS providers.

    In this situation, there is nothing wrong with the NextDNS service. If you don't know or want to learn how to use it, ask someone to check your setup.

      • Myth0ne, 3 wk ago

      losnad 

      I'd love to learn how to use it. I was considering paying for its very fast local CDN service that I enjoy; perhaps I can give the bog standard 45.90.28.0 & 45.90.30.0 services a go, as I utilise all the DNS blocking locally from my Pi-holes.

      I've just been seeing a few posts pop up surrounding this and getting conflicting information, like here - https://www.reddit.com/r/nextdns/comments/odnpia/dns_leak_question/?context=3 where they mention that after 300k queries DNS results are rerouted to Google. Then I also saw this one yesterday as well - https://help.nextdns.io/t/83hkphc/connecting-to-a-bunch-of-google-dns-servers?r=h7hk5mt#h7hk5mt
    • Myth0ne DNS queries are never "redirected" to any other service. After 300k queries, filtering and logging are disabled, that's all.

      • Myth0ne, 3 wk ago

      NextDNS 

      Thank you for clarifying!
      So for your paid service, is it just the logging and blocking functionalities for infinite queries that are enabled? As I have Pi-hole blocking, I was using Cloudflare, but my ISP gets crap routing using them as they are not an ECS DNS provider. So I have been enjoying using the fast local NextDNS servers!
  • Did you link your static public IP from your ISP? If not, you'll need to do that if IPv4 is your only option.

    If so, do you have more than one static DNS entry set up on your router's side? If so, Pi-hole recommends only having one entry (set up to your Pi-hole's IP).

    https://discourse.pi-hole.net/t/how-do-i-configure-my-devices-to-use-pi-hole-as-their-dns-server/245

    Your NextDNS IPv4 DNS servers (from your dashboard) will need to be entered as the ONLY custom IPv4 upstream DNS entries via Pi-hole.

    Or you can use Pi-hole as the DHCP server instead of the router.

    https://discourse.pi-hole.net/t/how-do-i-use-pi-holes-built-in-dhcp-server-and-why-would-i-want-to/3026

      • Myth0ne, 3 wk ago

      Greg B. 

      Hi there Greg, yes I have linked my public static IP from my ISP. I only have my Pi-hole IP as DNS in my router settings and force all requests through it. Running AsusWRT in DNSFilter mode, so if it detects any devices trying to reach Google DNS etc. outside my specified Pi-hole DNS in my router config, it redirects it as a request through my router (if that makes sense).

      I have both IPv4 addresses provided by NextDNS in my custom IPv4 upstream DNS entries in Pi-hole. That is all, no other servers are used. One thing I did read in that earlier reddit thread is possibly having enabled 'Anonymized EDNS Client Subnet'.
    • Myth0ne ECS is unrelated to this. If the DNS leak test sees non-NextDNS servers, it has nothing to do with NextDNS settings but with whatever you have as DNS between your testing client and NextDNS.

      • Myth0ne, 3 wk ago

      NextDNS 

      So you can see the screenshot. I've got it locked down as hard as can be, imo. Most times when I run an extended test I get those leaks; sometimes I get nothing, which is weird. I am not sure what else could be causing it. I.e. if I change to both OpenDNS (208.67.222.222 · 208.67.220.220) I don't get those leaks per se and just see those 2x servers and nothing else. Sometimes I see a huge string of Google LLC / Cloudflare servers, as pictured.

      • DynamicNotSlow (Pro subscriber), 3 wk ago

      Myth0ne sounds like your device uses Google or Cloudflare as fallback and you have problems with NextDNS, so the fallback is used.

      You need to post your complete setup or nobody can help with more than magic.

      • Myth0ne, 3 wk ago

      DynamicNotSlow 

      Ok so I'll try and be as concise as possible.

      Pi-holes x2: I have one on ethernet, one on WiFi at the other end of the house, running in a master/slave config in high availability with keepalived. I run a virtual IP DNS (192.168.1.20). Both Pi-holes are configured to use the custom IPv4 DNS which is listed above my linked IP in my NextDNS dashboard page. Setup for the HA Pi-hole is found here - https://www.reddit.com/r/pihole/comments/czlynq/tutorial_how_to_run_2_pihole_servers_in_ha_high/

      Running Asus Merlin software on an RT-AC68U router. My router is my DHCP server. Both WAN & LAN DNS are set to my virtual IP (192.168.1.20), meaning when the master Pi-hole dies or loses connection the slave Pi-hole kicks in and handles queries. This is due to having DNSFilter enabled with the mode set to the router, with both Pi-holes given a no-filter exception. Essentially meaning that if a device were to try and reach outside DNS, it will hit the router and be forced back through the Pi-hole. More on that here, but it is very common on the snbforums - https://www.snbforums.com/threads/way-to-block-devices-from-reaching-out-to-google-dns-on-ac68u.73426/#post-698075

       

      I don't seem to have the issue as previously mentioned when I use OpenDNS or Quad9 etc., other DNS systems. In fact I went to great measures and even added a URL and IP filter to block out common DNS and DoH filters on my Pi-holes as well.

       

      https://raw.githubusercontent.com/Sekhan/TheGreatWall/master/TheGreatWall.txt
      https://raw.githubusercontent.com/oneoffdallas/dohservers/master/iplist.txt

      Hope that makes sense without being too confusing or technical. If you need clarification on anything let me know!

      • DynamicNotSlow (Pro subscriber), 3 wk ago

      Myth0ne and what's your settings for your devices?

      • Myth0ne, 3 wk ago

      DynamicNotSlow Sorry, I thought that was self-explanatory. Everything is set to DHCP so the router serves out the IP and DNS, which points back to the Pi-hole using the 2 IPv4 addresses provided in the NextDNS dashboard.

      • DynamicNotSlow (Pro subscriber), 3 wk ago

      Myth0ne what happens if you shut down your Pi's?

      Do you still get Cloudflare?
    • Myth0ne Pi-hole uses dnsmasq, which by default will read /etc/resolv.conf in addition to the defined servers as upstream. I would recommend trying our CLI instead of Pi-hole just to confirm it is not a Pi-hole issue.

      Like 2
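Worked example (added here; not NextDNS's or Pi-hole's own code): a small Python check that reads a dnsmasq config and a resolv.conf and reports which upstreams dnsmasq will actually forward to. Both config texts are constructed for the example. The dnsmasq rules it relies on are that `server=IP` adds an upstream, `server=/domain/IP` is domain-specific, and `no-resolv` stops dnsmasq from reading resolv.conf. Run against a config that lacks `no-resolv`, it shows how a router or ISP resolver listed in /etc/resolv.conf becomes an extra upstream, which is exactly what a leak test would then report.

```python
"""Work out which upstream resolvers a dnsmasq instance (the resolver
behind Pi-hole) will forward to, from its config and /etc/resolv.conf.

Added example for this thread, not NextDNS's or Pi-hole's own code.
The config text below is constructed; on a real box you would read
/etc/dnsmasq.conf, /etc/dnsmasq.d/*.conf and /etc/resolv.conf.
"""
import re

# Constructed sample: two explicit upstreams but NO `no-resolv` line,
# so dnsmasq also consults /etc/resolv.conf.
SAMPLE_DNSMASQ_CONF = """\
# constructed dnsmasq fragment
server=45.90.28.0
server=45.90.30.0
interface=eth0
"""

# Constructed sample resolv.conf: the router plus a public resolver.
SAMPLE_RESOLV_CONF = """\
nameserver 192.168.1.1
nameserver 1.1.1.1
"""

SERVER_RE = re.compile(r"^server=(?P<target>[^#\s]+)")
RESOLV_RE = re.compile(r"^\s*nameserver\s+(?P<ip>\S+)")


def parse_dnsmasq(conf_text):
    """Return (explicit_upstreams, reads_resolv_conf).

    `server=IP` adds a default upstream; `server=/domain/IP` is
    domain-specific and excluded from the default set; `no-resolv`
    stops dnsmasq reading resolv.conf. Comments after '#' are ignored.
    """
    upstreams = []
    reads_resolv = True
    for line in conf_text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if stripped == "no-resolv":
            reads_resolv = False
            continue
        m = SERVER_RE.match(stripped)
        if m and not m.group("target").startswith("/"):
            upstreams.append(m.group("target"))
    return upstreams, reads_resolv


def parse_resolv_conf(text):
    """Nameserver addresses listed in a resolv.conf, in order."""
    return [m.group("ip") for m in map(RESOLV_RE.match, text.splitlines()) if m]


def effective_upstreams(conf_text, resolv_text):
    """Every address dnsmasq may forward to, given both files (de-duplicated)."""
    upstreams, reads_resolv = parse_dnsmasq(conf_text)
    if reads_resolv:
        upstreams = upstreams + parse_resolv_conf(resolv_text)
    return list(dict.fromkeys(upstreams))


def unexpected_upstreams(conf_text, resolv_text, allowed):
    """Upstreams outside the operator's allowed set: these are the
    addresses that can surface in a leak test."""
    allowed = set(allowed)
    return [ip for ip in effective_upstreams(conf_text, resolv_text) if ip not in allowed]


if __name__ == "__main__":
    allowed = ["45.90.28.0", "45.90.30.0"]
    print("effective:", effective_upstreams(SAMPLE_DNSMASQ_CONF, SAMPLE_RESOLV_CONF))
    print("unexpected:", unexpected_upstreams(SAMPLE_DNSMASQ_CONF, SAMPLE_RESOLV_CONF, allowed))
    fixed = SAMPLE_DNSMASQ_CONF + "no-resolv\n"
    print("with no-resolv:", unexpected_upstreams(fixed, SAMPLE_RESOLV_CONF, allowed))
```

The design choice worth noting: the check reports the union of both sources rather than trusting the explicit `server=` lines, because the leak is in what dnsmasq may use, not in what the operator intended.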
      • Myth0ne, 3 wk ago

      DynamicNotSlow I wouldn't get any result, as they act as my LAN DNS servers. I may have resolved the issue by just flat out blocking those IPs in my router firewall as a preventative measure.

      • DynamicNotSlow (Pro subscriber), 3 wk ago

      Myth0ne this is the theory, but testing would give answers as to at which point the problem starts.

      • Myth0ne, 3 wk ago

      DynamicNotSlow So with those IPs unblocked on my firewall and the Pi's turned off, I get no DNS resolution (to be expected) until I turn them back on.

      • DynamicNotSlow (Pro subscriber), 3 wk ago

      Myth0ne Okay. Now it would make sense to test without the Pi's and add NextDNS directly in your router. Start with the non-encrypted version first.

      • Myth0ne, 3 wk ago

      DynamicNotSlow Confirmed to still have Cloudflare leaks even with the Pi's turned off and NextDNS added directly onto the WAN/LAN DNS pages.

      • DynamicNotSlow (Pro subscriber), 3 wk ago

      Myth0ne then your router directly adds this as fallback, or your end device does.

      Test with a mobile phone, but use the mobile network instead of WiFi.

      • Myth0ne, 3 wk ago

      DynamicNotSlow I wish you were right; when I change the DNS on my Pi's to others, e.g. OpenDNS, I don't get these leaks. Do you just get the 2x results for an extended test on dnsleaktest.com? I just tried using the preferred method on my Android phone below and am still getting multiple servers in the leak test, back to the USA. Seems like it may just be how NextDNS is routing things.

      1. Go to Settings → Network & internet → Advanced → Private DNS.

      2. Select the Private DNS provider hostname option.

      3. Enter xxxx.dns.nextdns.io and hit Save.

      • DynamicNotSlow (Pro subscriber), 3 wk ago

      Myth0ne yes, I only get one server:

      • Myth0ne, 3 wk ago

      DynamicNotSlow Hmm, sometimes I get 2 results from dns.nextdns.io.
      Other times I get the screenshot in the original post I submitted. More often than not, however, it is those pesky Cloudflare addresses. It's a shame because I can't manually set that IP address either (e.g. in your case setting 95.179.134.211).

      • Myth0ne, 3 wk ago

      NextDNS so we've confirmed this seems to happen even using the given IP directly on the router. Is this just where I'm located, that I seem to get these other Cloudflare servers popping up when I test?
    • Myth0ne it has to be something with your setup; the location does not matter. What router do you have? If you install the NextDNS app on your device, does it still happen?

      • Myth0ne, 3 wk ago

      NextDNS yes, I've confirmed I get it using private DNS on an Android device using LTE. I've got an Asus RT-AC68U running Merlin 386.2_6; more info on the setup was in an earlier comment here - https://help.nextdns.io/t/q6hkgrc?r=35hk552
    • Myth0ne please run a https://nextdns.io/diag without nextdns configured on your network.

      • Myth0ne, 3 wk ago

      NextDNS Sure will report back in a moment. I'll use OpenDNS as my resolver instead for purposes of testing.

      • Myth0ne, 3 wk ago

      NextDNS Do I need to test with nextdns configured on the network with the diag tool?

      • Myth0ne, 2 wk ago

      NextDNS Any update on this? It seems I don't get these leak issues when using DNS over HTTPS, for example with Quad9.
  • Seems to be happening regardless of browser used; confirmed to have the same results across MS Edge, Chrome & Firefox. As some other threads show they have a Google backbone, mine seems to be Cloudflare. Something funky going on.
  • So sometimes the leak test works 'as expected' and shows my primary and fallback as nextdns. Other times I'll get both nextdns and cloudflare addresses and sometimes just cloudflare as mentioned in the original post. Seems to be completely random every time I run a test.

      • Myth0ne, 2 wk ago

      Myles Pearlstein Cool, glad to know I am not the only one. I thought something funky had been going on.

      • Myth0ne, 2 wk ago

      Myles Pearlstein So, interesting findings. I actually switched over earlier to using a similar service from Cloudflare for Teams. Using their 2x given IPv4 addresses I only get the 1 listed DNS server.

      Is it possible to get any more investigation into this? @NextDNS ?

      • Myth0ne, 2 wk ago

      Myles Pearlstein Very unfortunate indeed. I ran the test they asked for and haven't heard a word for a while now. I've since moved to a DoH implementation and seem to have reduced it to only 1 server outside my location on very rare occasions.

      Perhaps you or someone else could chime in: do I lose all of my settings (under the performance heading) in the settings menu of the NextDNS config that speed up browsing if you surpass the 300k queries? Or is it just the white/blacklisting?

      Because, agreed, if I were to pay for the product I'd much prefer to look at an alternative that doesn't return these weird results without any good, reasonable explanation.
  • I think that this service is used by hundreds of thousands of people and the few that have problems with it are thinking that the service is broken, it doesn't work. Isn't it funny?
    Maybe some are expecting NextDNS to come to their house and fix it for them.

    They are offering instructions, apps, tools, recommendations... If you want to go your way, you should own it, you should know what you are doing.

      • Myth0ne, 2 wk ago

      losnad What does this comment achieve? You've already made your point several times on this post and have offered zero benefit lol. I've been working with NextDNS and running their diagnostic tool to look into it further. I don't expect them to come and fix it; just seeing a few people with similar queries, I was hoping to find the root cause, or whether perhaps this is all intended by design.

      • losnad, 2 wk ago

      By design it is like this on all my browsers and devices. Just different servers, but only from NextDNS. I just tested on Firefox, Brave, Opera and even on my TV browser.

      • Myth0ne, 2 wk ago

      losnad Too easy. Do you know what happens to EDNS and CNAME flattening etc. if queries surpass 300k on a free plan? Are all those disabled as well as the blocklists and whitelists?
    • Myth0ne none of those settings, and nothing on the NextDNS server side, could explain those leaks. A DNS leak is a client-side issue.

      • Myth0ne, 2 wk ago

      NextDNS Thanks, running DoH seems to be looking pretty good about now. So do I lose the EDNS functionality and other browsing speed performance tweaks if my queries are over 300k for the month?
    • Myth0ne when over 300k, your configuration is no longer used. It is like using NextDNS with no configuration: 0 filtering, 0 logging, no EDNS, no CNAME folding and so on. It is like running unbound with default settings, sort of.

      • Myth0ne, 2 wk ago

      NextDNS Great to know!
      One last thing: even going into my config and going back to the past 30 days, even 3 months, it says I only used ~120k queries, although I have a message saying I have surpassed 250k queries and am nearing the limit?

      Also, I have set up DoH as explained. It says only about 93% of queries are DoH. Is there a way to also see which requests perhaps are not using DoH? Cheers!
    • Myth0ne the number of queries is in your account (upper right) and it includes all the configurations of your account. There are no ways for now to filter logs per protocol.

      • DynamicNotSlow (Pro subscriber), 12 days ago

      Myth0ne scroll 2 posts up.

      "when over 300k your configuration is no longer used. It is like using NextDNS with no configuration: 0 filtering, 0 logging, no EDNS, no CNAME folding and so on. It is like running unbound with default settings, sort of."

      • Myth0ne, 12 days ago

      DynamicNotSlow Didn't know if EDNS and ECS were the same or not. Thanks for verifying.

    • Myth0ne EDNS0 defines a DNS record (OPT) used to help design extensions for the DNS protocol. ECS is one of those extensions; it stands for EDNS0 Client Subnet. DNSSEC is another example of an extension partially relying on EDNS0.

      Like 1
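To make the EDNS0/ECS relationship concrete, here is an added example (mine, not NextDNS code) that builds a DNS query in pure Python with an OPT pseudo-record (RFC 6891) carrying an ECS option (RFC 7871), then decodes it again. Nothing is sent on the wire; the query name and the 203.0.113.77/24 client subnet are constructed values. The thing to notice is that ECS is just one option inside the OPT record's RDATA, and that only the prefix bytes of the client address are transmitted, which is why the "Anonymized EDNS Client Subnet" setting discussed earlier has nothing to do with which resolver answers.

```python
"""Build and decode a DNS query carrying an EDNS0 OPT record (RFC 6891)
with an EDNS Client Subnet option (RFC 7871).

Added example for this thread, not NextDNS's code. Standard library only;
nothing is sent on the network.
"""
import ipaddress
import struct

OPT_TYPE = 41          # RFC 6891 pseudo-RR type for EDNS0
ECS_OPTION_CODE = 8    # RFC 7871 option code
UDP_PAYLOAD = 1232     # advertised buffer size, carried in the OPT CLASS field


def encode_name(name):
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def ecs_option(subnet):
    """Encode an ECS option for an IPv4/IPv6 network such as '203.0.113.0/24'.

    Only ceil(prefix/8) address bytes are sent, with bits beyond the prefix
    zeroed, so the full client address never reaches the resolver.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    family = 1 if net.version == 4 else 2
    nbytes = (net.prefixlen + 7) // 8
    addr = net.network_address.packed[:nbytes]
    body = struct.pack("!HBB", family, net.prefixlen, 0) + addr  # scope is 0 in queries
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def build_query(qname, client_subnet=None, txid=0x1234):
    """One A/IN question; if a subnet is given, an OPT record with ECS is
    appended in the additional section (ARCOUNT=1)."""
    arcount = 0 if client_subnet is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD flag set
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    if client_subnet is None:
        return header + question
    rdata = ecs_option(client_subnet)
    # OPT: root name, TYPE, CLASS=payload size, TTL=ext RCODE/version/flags, RDLEN
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, UDP_PAYLOAD, 0, len(rdata)) + rdata
    return header + question + opt


def parse_ecs(packet):
    """Locate the OPT record in a query and decode its ECS option.

    Returns {"family", "source_prefix", "scope_prefix", "subnet"} or None
    when the query carries no OPT record or no ECS option.
    """
    qdcount, arcount = struct.unpack("!HH", packet[4:6] + packet[10:12])
    pos = 12
    for _ in range(qdcount):              # skip the question section
        while packet[pos] != 0:
            pos += 1 + packet[pos]
        pos += 1 + 4                       # terminator + QTYPE/QCLASS
    for _ in range(arcount):
        assert packet[pos] == 0, "OPT must carry the root name"
        rtype, _udp, _ttl, rdlen = struct.unpack("!HHIH", packet[pos + 1:pos + 11])
        pos += 11
        rdata = packet[pos:pos + rdlen]
        pos += rdlen
        if rtype != OPT_TYPE:
            continue
        off = 0
        while off + 4 <= len(rdata):       # walk the option list
            code, olen = struct.unpack("!HH", rdata[off:off + 4])
            body = rdata[off + 4:off + 4 + olen]
            off += 4 + olen
            if code != ECS_OPTION_CODE:
                continue
            family, src, scope = struct.unpack("!HBB", body[:4])
            full = 4 if family == 1 else 16
            raw = body[4:] + b"\x00" * (full - len(body[4:]))  # re-pad truncated address
            net = ipaddress.ip_network((raw, src), strict=False)
            return {"family": family, "source_prefix": src,
                    "scope_prefix": scope, "subnet": str(net)}
    return None


if __name__ == "__main__":
    q = build_query("example.com", "203.0.113.77/24")  # constructed client subnet
    print(parse_ecs(q))
```

The decoder deliberately walks the option list rather than assuming ECS is the only option, because real OPT records often carry several (cookies, padding), and a resolver that mishandles unknown options is a common source of EDNS breakage.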
  • I'm facing the same issue.

    I have run tests on 3 different computers; all the results showed Ashburn Cloudflare as the DNS provider.

    Just to let you know, I always block outgoing port 53.

    This is really weird, isn't it? Why do I get the same Ashburn results as @myth0ne?
  • The same thing happens to me when using NextDNS DoT on my router. Every once in a while it just hits Cloudflare. But most of the time it doesn't. I am also using this on an ASUS router with Merlin firmware.
  • "status": "ok",
    "protocol": "DOT",
    "destIP": "45.90.28.247",
    "anycast": true,
    "server": "vultr-lax-1",
    "clientName": "unknown-dot"
    
  • I also got the Ashburn result. Perhaps this issue is on @dnsleaktest's side.

    client: apple-profile
      • losnad, 2 days ago

      You also got Ashburn but yours is from

      - 208.69.32.0 - 208.69.39.255
      City Ashburn ISP Cisco OpenDNS, LLC

      The others are from

      - 172.64.0.0 - 172.71.255.255
      City Ashburn ISP Cloudflare, Inc.

      Dnsleaktest.com is
      23.239.16.110
      Hostname li685-110.members.linode.com

      23.239.0.0 - 23.239.31.255
      City Atlanta ISP Linode, LLC

      It's interesting how people from different places get Ashburn, like it's some kind of center of the internet.

      Maybe it might be a better option to try https://browserleaks.com/dns
      It has many more useful tools.

      Like 1
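An added example (mine, not dnsleaktest.com's or NextDNS's code) that classifies the resolver addresses a leak test reports against the ranges quoted in the post above, so "my provider" and "someone else's resolver" can be separated without eyeballing WHOIS. The Cloudflare, OpenDNS and Linode ranges are the ones quoted above; the two NextDNS /24s are an assumption derived from the destIP values posted in this thread (45.90.30.58, 45.90.28.247), not a published range; and the sample result list is constructed from addresses mentioned in the thread plus one made-up address inside the OpenDNS range.

```python
"""Classify resolver addresses from a DNS leak test against known ranges.

Added example for this thread; not dnsleaktest.com's or NextDNS's code.
The Cloudflare, OpenDNS and Linode ranges are the ones quoted in the
thread. The NextDNS /24s are an ASSUMPTION based on destIP values seen in
the thread (45.90.30.58, 45.90.28.247), not a published range.
"""
import ipaddress

# (label, first address, last address), in the first/last form the thread uses.
KNOWN_RANGES = [
    ("Cloudflare, Inc. (Ashburn)", "172.64.0.0", "172.71.255.255"),
    ("Cisco OpenDNS, LLC (Ashburn)", "208.69.32.0", "208.69.39.255"),
    ("Linode, LLC (Atlanta)", "23.239.0.0", "23.239.31.255"),
    ("NextDNS (assumed /24)", "45.90.28.0", "45.90.28.255"),  # assumption
    ("NextDNS (assumed /24)", "45.90.30.0", "45.90.30.255"),  # assumption
]


def _to_networks(first, last):
    """Minimal list of CIDR networks covering a first/last address pair."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


# Flattened to (label, network) so each membership test is a single `in`.
PROVIDERS = [(label, net)
             for label, first, last in KNOWN_RANGES
             for net in _to_networks(first, last)]


def classify(ip):
    """Provider label for one resolver address, or 'unknown' if nothing matches."""
    addr = ipaddress.ip_address(ip)
    for label, net in PROVIDERS:
        if addr in net:
            return label
    return "unknown"


def audit(results, expected_label):
    """Split leak-test results into (expected, leaks).

    `results` is the list of resolver IPs the leak test reported and
    `expected_label` is the provider you configured. Anything else,
    including 'unknown', is returned as a leak candidate to investigate.
    """
    expected, leaks = [], []
    for ip in results:
        label = classify(ip)
        (expected if label == expected_label else leaks).append((ip, label))
    return expected, leaks


# Constructed sample: a NextDNS destIP and the OP's Cloudflare address from
# the thread, plus a made-up address inside the quoted OpenDNS range.
SAMPLE_LEAK_TEST = ["45.90.30.58", "172.70.37.108", "208.69.35.12"]

if __name__ == "__main__":
    ok, leaks = audit(SAMPLE_LEAK_TEST, "NextDNS (assumed /24)")
    print("expected:", ok)
    print("leak candidates:", leaks)
```

Treating "unknown" as a leak candidate rather than ignoring it is the safe default: an address that matches none of your known ranges is precisely the one you want to look up, not discard.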
  • Same problem. Android on 4G with private DNS is giving me leaks. Tried different apps, all showing the same.

    I have a paid account.

    test.nextdns.io returned

    {
    "status": "ok",
    "protocol": "DOT",
    "configuration": "fpef9e64ccdabf8a56",
    "client": "82.132.230.210",
    "destIP": "209.250.226.191",
    "anycast": false,
    "server": "vultr-lon-1",
    "clientName": "unknown-dot"
    }
      • juliank, yesterday

      nbxas turn on, in parental control, "block other DNS services".

      • nbxas, yesterday

      juliank if you mean Block Bypass Methods, then it is turned on

      • nbxas, yesterday

      nbxas I've tried using Cloudflare as private DNS for the phone; then only one Cloudflare server comes up on the DNS leak test. As soon as I switch to NextDNS as private DNS, multiple DNS servers appear on the DNS leak test. Mainly Cisco OpenDNS, and sometimes even Google DNS appears. It looks like this is something to do with NextDNS.

  • Hello. I'm joining the discussion; I periodically check for DNS leakage. Recently, the same problem is observed only with NextDNS. The problem is both on the PC and on the iPhone.

      • zerowon, yesterday

      UPD: At the moment, the problem has disappeared.
  • Most of these leaks posted are showing different countries. Are most in this thread using a VPN?
  • For everybody in this thread reproducing the issue, could you please try with a DNS leak test service other than dnsleaktest.com and report on whether you can reproduce the issue or not?

    The fact that all leaks to different DNS providers are located in Ashburn is highly suspicious and suggests a bug on dnsleaktest.com itself. The reason why it would only happen with us is a mystery though.
  • I don't currently have NextDNS set up on my router anymore, as it was causing issues for someone else's device in the house. But I will say browserleaks also showed odd behaviour. It showed about a dozen Google DNS addresses as well as Cloudflare. I've never seen this happen with any other DNS. I don't actually know what to make of these results, as this shouldn't be possible. Just wanted to report the odd results.