
DNS leak test showing USA cloudflare addresses instead of local NextDNS?

Hi there, I have been using the service for about a week now and have been enjoying the local fast queries and speeds. When I first got my service up and running I had 2 local dns servers powered by nextdns. Now when I am testing for dns leaks I am seeing entries for Cloudflare addresses back to USA - 172.70.37.108

Being in Aus this creates a noticeable difference going from <10ms to ~330ms ping response times. Is this a cause of a setting ticked under the performance section in the settings? Again just seeking some clarity about what is causing this. Thanks.

Edit: I have just performed another leak test; now neither of the NextDNS servers is showing and I am getting multiple Cloudflare addresses. I run a PiHole setup and force all traffic through it using the 2x servers provided under my https://my.nextdns.io/ page.

125 replies
  • very odd, I do random ping & dnsleak tests but never had a problem using http://dnsleaktest.com/

    Like 1
  • I'm seeing similar “leaks”.

    I use Safari on Big Sur (latest) with the NextDNS app.

    I haven't seen this behavior on https://dnsleaktest.com, but sometimes on https://browserleaks.com/ip, and always on https://www.dns-oarc.net/oarc/services/dnsentropy.

    Those other IPs from the DNS Oarc page are from Cloudflare somehow. 

    Test:

    "status": "ok",
    "protocol": "DOH",

    … … … "anycast": false, … … … … …

    Like
  • And for https://cmdns.dev.dns-oarc.net, I get a C result (while getting an A without NextDNS enabled).

    Like 1
    • Chris Also I got a C rating with NextDNS, if I use Quad9 directly I get an A.

      I am almost certain in earlier days the NextDNS rating was better

      Safari & Chrome on latest MacOS

      Like 1
    • Mike Brust it’s because of the way our ultra low latency solution works. Try with anycast.dns.nextdns.io and you’ll get an A. This rating is meaningless anyway.

      Like 2
    • NextDNS thank you

      Like
      • DynamicNotSlow (Pro subscriber ✓), 3 wk ago

      NextDNS doesn't help for me in Edge.

      (I clear OS & Browser DNS cache)

      Like
  • On https://browserleaks.com/dns I sometimes also get Google DNS results in addition to the NextDNS one. The example below was with the NextDNS profile running, so it's not just the app I'm seeing this with. Reloading that page 20-30 times will usually trigger it.

    Like
  • And I can now also see it on https://www.dnsleaktest.com.

    Like
  • https://ipx.ac/run now also shows those DNS leaks.

    Like
  • example nextdns leaking to another resolver did not happen with quad9

    nextdns leaking to cloudflare https://1drv.ms/v/s!Ao_cI16Qge_xa3J2wGVU4q-EEj4

    quad9 no leaking https://1drv.ms/v/s!Ao_cI16Qge_xbLJM4djQP7oyM20

    Like 2
  • @Nextdns is there anyone from nextdns looking into this DNS leak issue? I have similar issues posted in another thread -

    https://help.nextdns.io/t/m1h16c3/block-public-dns-like-google-and-other-malware-dns

    Like 1
  • I have a theory and I would like to ask everyone what are the main browsers you guys use, I for example use Brave and I noticed that several who are having DNS Leak are doing it for Brave and by the looks of it, Brave, well, it contacts Cloudflare and Google servers from time to time, which may be the cause of the mega leak we're noticing:

    If you’re on Linux curl the static1 link. curl --head static1.brave.com, if you want proof of even further telemetry: it lists Cloudflare and Google, two unnecessary domains, but most importantly telemetry domains.

    Source: https://www.reddit.com/r/privacytoolsIO/comments/nvz9tl/brave_is_not_private/

    I'm asking this, because I decided to change to another DNS provider (ControlD) and the leak hasn't stopped, like, it's gone down, there are no more dozens of servers, at most, only three (All from Cloudflare), but it still goes on, so I decided it would be good to ask which browser you are using and if the leak problem seems to be worse on some specifics than others, as those who seem to use Firefox aren't getting the same level of leaks as those who auditioned for Brave. So, I think it would be good to do this comparison, as it might not be a NextDNS problem, but a browser issue (Since at least for me, I'm testing another Provider and the problem hasn't stopped, but the leak has decreased a lot).

    Like
      • Chris (Chris.6), 1 mth ago

      Shadow Colossus I only ever use Safari and Firefox (on macOS Big Sur) and the tests I posted above were all done with those two browsers, so I don't think it's specific to Brave/Chromium.

      Like 2
    • Chris I didn't say specific, I said that on some browsers the leak seems to be worse than on others. For example, from what I've seen, the leak looks worse in Brave than in Firefox, but there's still a leak, you know? so my theory is that something is happening inside browsers that is causing DNS leaks. Or it could be a problem that is affecting these two providers in particular for some reason, I just know that before using ControlD, I was using NextDNS through YogaDNS in the recommended documentation settings and there was a huge leak to Google and Cloudflare, so, I thought Brave can be worse because they contact the servers of these two constantly differently from other browsers. But well, as I said, it's a theory, nothing concrete.

      Like
      • Chris (Chris.6), 1 mth ago

      Shadow Colossus I can say that I have not seen any differences between Firefox and Safari and get between 3 and 87 additional DNS servers listed, usually from Cloudflare and Google, tested on 3-4 different sites listed above.  

      Like 1
      • Kummas, 1 mth ago

      Shadow Colossus I have a python code that runs from time to time, the leaks do appear and I have it configured as per the nextdns documentation in my router.

      Like 1
    • Kummas 

      So I throw my theory in the trash. I honestly have no idea what else it might be. Has anyone here thought of trying to post about these leak issues on privacytoolsIO? Because of what kind, in the situation we're finding ourselves in, the only reason we know these leaks are happening is because people here do periodic DNS leak tests from what I understand, imagine how many people who might be going through that and don't know because they don't do the dns leak tests periodically?

      Honestly, I don't use NextDNS for privacy, but for security, but there are people who use NextDNS together with VPN and I think NextDNS is very wrong to know of a problem involving massive leak for more than a month without giving any official statement at least warning people who use their service along with VPN about the huge leak that is happening for them to take appropriate action until the problem is fixed. So, I'm actually going to wait a few more days before deciding whether or not I should post about it on Reddit myself, because honestly, it certainly shouldn't be an issue on our side considering that every day a new person appears with the same problem.

      Like
      • DynamicNotSlow (Pro subscriber ✓), 1 mth ago

      Shadow Colossus Edge on Windows, Safari on iOS: no leaks

      Like 1
      • Rownan (Rounak_Kabir), 3 wk ago

      Shadow Colossus And interestingly it doesn't happen with some other ones like Quad9, BlahDNS, Cloudflare, CZ.NIC or AdGuard DNS. This easily outweighs the similarities you found between NextDNS and ControlD.

      I'd really like to see if someone with a paid plan faces this. I don't suspect anything fishy but I want to be absolutely sure that this problem has hit many indefinitely.

      And it's really sad to see NextDNS sit quietly on this issue for so long. Just like you said they could've issued a public warning or at least communicated that they're looking into this issue. 

      Like 2
      • Chris (Chris.6), 3 wk ago

      Rownan I've been using the paid plan since day 1 and have this issue. 

      Like 2
    • Rownan You know, the worst thing about what's going on is that they've been accused of a leak issue before involving Email and it took a guy to post on Privacy's Reddit for NextDNS to publicly speak about the possible issue : https://www.reddit.com/r/privacy/comments/jswghu/nextdns_is_leaking_your_email_address_to/ - They already have a history involving this type of issue, which makes the situation even worse, as you would expect they would have learned the first time something like this rebounded and got really bad for them that they didn't talk or respond on the subject until it reached a level they could no longer ignore. Honestly, the way it's going, I believe it's a matter of time before someone decides to do the same thing this guy did to try to get NextDNS to inform their users about it if they continue to be silent. Thank you for your contribution.

      Like
  • are you guys using a vpn? or different dns providers

    Like 1
    • juliank No, I'm not using VPN and I just started using another DNS provider when I noticed that NextDNS was leaking even following the step-by-step tutorial to see if the problem also happened in another provider.

      Like 1
      • juliank, 1 mth ago

      Shadow Colossus well if you have dns leak issues, the others have too, try using the legacy dns and put them at the manual DNS in your windows pc ethernet/wifi adapter

      Like 1
    • juliank But I did all that and it didn't stop, that's what I mean.

      Like
      • juliank, 1 mth ago

      Shadow Colossus disable all other ethernet adapters, only not nextdns and ur own internet, if that doesn't fix anything ur isp is forcing dns servers

      Like 1
    • juliank 

      First, I've already disabled everything and to answer the second part... It can't be DNS hijacking by my ISP because the leaks were for Cloudflare, Google, OpenDNS, Woodynet. My ISP doesn't use any of these DNS servers. I think it's easier to say that it's NextDNS that may be suffering from DNS hijacking in this situation, since there were more than 10 different servers from various DNS providers when using it.

      So I'm pretty sure it's not my ISP forcing DNS servers in my case.

      Like 1
      • Chris (Chris.6), 1 mth ago

      Shadow Colossus That's the same case for me. My ISP has its own DNS servers and I only ever see Cloudflare, Google, etc. when connected to NextDNS. Also, as mentioned before, this doesn't always happen. So the DNS works without leaks most of the time, just not always.

      I also notice that NextDNS often loses configuration without changing anything (orange status, This device is using NextDNS with no configuration). A few minutes later, the status is green again. The app is enabled all the time.

      Like 1
      • juliank, 1 mth ago

      Shadow Colossus how do you know your isp doesn't use them?

      Like
      • Chris (Chris.6), 1 mth ago

      juliank in my case, technical documentation and strict privacy laws, as well as the correlation of this starting just when I started using NextDNS a few weeks ago and never seeing it before.

      Like 1
    • juliank Because my ISP has its own DNS servers. Not to mention that I did the tests with NextDNS and with a system without any DNS server from any known internet provider. In the first case there is a lot of leakage and in the second, only my ISP's DNS servers appear without any other IP from another provider. So yeah, I'm pretty sure it's not my ISP.

      Like 1
  • Myth0ne said:
    So for your paid service is it just the logging and blocking functionalities for infinite queries that are enabled?

    Yeah. The paid plan gives you unlimited full-service queries. For $2/mo, it's one of the better deals on the internet.

    Like 1
  • Same here, I tried using all DNS providers known to me from BlahDNS to Google and in all usual configurations. Tested on multiple websites.

    None of them leaked except for NextDNS. Another interesting point to note is that after testing with other DNS providers, when I switch to NextDNS, some of the servers from the previous tests show up on https://browserleaks.com/dns, such as WoodyNet of Quad9 or Cloudflare, Ashburn (which is very frequent in the results). However, this is not true for other providers; when switched to, say, BlahDNS I only see the servers that I saw the previous month.

    I'll be adding pictures once I redo the tests later since I forgot to take some screenshots.

    However, something is wrong on NextDNS's side for sure. It may be a bug given how frequent it is with other users as well.

    Like 1
  • Here are my DNS leaks -

     [United States of America, AS701 MCI Communications Services Inc. d/b/a Verizon Business]

    You use 20 DNS servers:

    Like 1
    • Kummas what is your platform? How is nextdns setup? Are you using a VPN? 

      Like 1
      • Kummas, 3 wk ago

      NextDNS OpenWRT router with Dnsmasq. The leaks are determined through the crontab python script that hits an API from bash.ws. Like I said in the other posts, the leak happens from time to time. There are instances that my home network was compromised with the ring alarm by hijacking nextdns by blocking “ring.solutions”. The workaround was just adding ring.solutions to the allow list.

      Like 1
      • Kummas, 3 wk ago

      NextDNS Forgot to mention, no VPN used.

      Like 1
      • Kummas, 2 wk ago

      NextDNS  some more targeted  leaks -

      You use 21 DNS servers:

      Conclusion:DNS may be leaking.

      Like 1
    • Kummas are you using a VPN? Which platform is it? How did you setup nextdns?

      Like 1
      • Kummas, 2 wk ago

      NextDNS same as mentioned before, openwrt with dnsmasq configuration. This probably happened one time today for every 5 mins crontab check for dnsleak. No VPN and the configuration is as per the NextDNS standard or steps! 

      Like 1
    • Kummas can you please show your dnsmasq config?

      Like 1
      • Kummas, 2 wk ago

      NextDNS Is there any way to chat through emails personally on the configuration info? Also, who is Constant Company, which appears in the leaks?

      207.246.91.188
       [United States of America, AS20473 The Constant Company LLC]
      2001:19f0:5:663d:5400:2ff:fece:2f14
       [United States of America, AS20473 The Constant Company LLC]

      Like 1
    • Kummas you can DM us (only for private info). The AS20473 is one of our hosting providers, this is not a leak.

      Like 1
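Added example (not code from any poster in this thread or from NextDNS): a Python sketch that parses leak-test output in the two-line form quoted above (an address, then a `[Country, ASn Org]` line) and separates resolvers in operator-expected ASNs from the rest. The sample report is constructed with documentation addresses, and the `EXPECTED_ASNS` set is an assumption, seeded with AS20473 only because the NextDNS reply above names it as one of their hosting providers.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: ASNs the operator treats as expected resolver egress.
# AS20473 is taken from the NextDNS reply in this thread; extend per setup.
EXPECTED_ASNS = {20473}

# Constructed sample in the thread's two-line format. Addresses come from
# documentation ranges (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32).
SAMPLE = """\
You use 4 DNS servers:
192.0.2.10
 [United States of America, AS20473 The Constant Company LLC]
2001:db8::53
 [United States of America, AS20473 The Constant Company LLC]
198.51.100.7
 [Belgium, AS15169 Google LLC]
not-an-address
 [Nowhere, AS64500 Example Org]
Conclusion:DNS may be leaking.
"""

META = re.compile(r"^\[(?P<country>.+), AS(?P<asn>\d+) (?P<org>.+)\]$")


def parse_leak_report(text):
    """Return one dict per resolver (ip, country, asn, org).

    A metadata line only counts when the line before it was a valid IP
    address; headers, conclusions and malformed pairs are skipped.
    """
    servers, pending_ip = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = META.match(line)
        if m and pending_ip is not None:
            servers.append({"ip": str(pending_ip), "country": m["country"],
                            "asn": int(m["asn"]), "org": m["org"]})
            pending_ip = None
            continue
        try:
            pending_ip = ipaddress.ip_address(line)
        except ValueError:
            pending_ip = None  # not an address: header, footer or garbage
    return servers


def classify(servers, expected=EXPECTED_ASNS):
    """Group resolver IPs by (asn, org), split into expected and unexpected."""
    expected_hits, unexpected = defaultdict(list), defaultdict(list)
    for s in servers:
        bucket = expected_hits if s["asn"] in expected else unexpected
        bucket[(s["asn"], s["org"])].append(s["ip"])
    return dict(expected_hits), dict(unexpected)


if __name__ == "__main__":
    ok, odd = classify(parse_leak_report(SAMPLE))
    for (asn, org), ips in sorted(odd.items()):
        print(f"unexpected AS{asn} {org}: {len(ips)} resolver(s): {', '.join(ips)}")
```

An ASN match only shows that a resolver sits in that provider's network, so the expected bucket means "plausibly the configured service", not proof of it.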
  • I noticed that I commented that ControlD was also experiencing a leak similar to NextDNS I forgot to print a screenshot showing about it, so I decided to come here to show that this is a problem that is not only affecting NextDNS, but that it is also affecting another service similar to NextDNS (I hope this information can be useful for the quest to find a solution to this problem.): 

    Like 1
  • https://www.reddit.com/r/Windscribe/comments/p452iw/dns_leak/ - I found this when I was back about DNS leakage and I think this might be useful for some people. Me for example, I don't understand how they fixed it, but it has something to do with the Windows settings that changed after an update. I hope this can be useful.

    Like
  • It is quite possible that NextDNS is using Cloudflare and Google as their hosting provider. They might be running microservices at the edge from these companies. Hence, it doesn't mean that NextDNS is leaking our DNS requests to Cloudflare or Google, instead the resolutions are happening at the hosting provided by both these companies. 

    To bolster my theory, I can see Digitalocean as the ISP in my DNS leak test. This means NextDNS has a server at DO close to my location to support my DNS queries.

    Like 1
  • Here to chime in and repeat a lot of what has already been mentioned here. I have the same problem with DNS leaks and I have noticed this has been happening (and like this) for months. Does not matter if it is router, OS, browser, etc. configured. Does not matter if IPV4 or IPV6 is used or not used. When running the DNS leak test sometimes it is fine, sometimes it is not. If you keep repeating the test it happens eventually. It is not unknown for the test to report back with hundreds of servers. Doing a test now and it says, "Found 163 Servers, 8 ISP, 9 Locations".

    I have noticed if only DOH is configured and when running the Browser Leaks test some of the DNS queries are not being resolved over DOH. You can watch the queries being resolved in the logs tab by enabling live logging. The lock icon is missing from some of these queries.

    To confirm, if I use another DNS resolver such as Cloudflare, Quad9, etc. this never happens. Only NextDNS. I suspect it is a misconfiguration or issue with NextDNS servers and it's been like this for a long time.

    Like 2
    • Teddy Rogers there is no “bad server configuration” that would lead to that in the way our infra is built. The leak has to happen on the client side or somewhere in the middle.

      For every report of a DNS leak, please provide more info on the platform used and how nextdns is setup (with as much details as possible). Leaks can happen for different reasons and we can’t help without more details on your setup.

      Like 1
      • benot, 2 wk ago
      benot said:
      1dr

       NextDNS I think this video was very clear to explain dns leaking to another server

      Like 1