DNS leak test showing USA cloudflare addresses instead of local NextDNS?

Myth0ne
updated 3 yrs ago
119replies

Hi there, I have been using the service for about a week now and have been enjoying the local fast queries and speeds. When I first got my service up and running I had 2 local dns servers powered by nextdns. Now when I am testing for dns leaks I am seeing entries for Cloudflare addresses back to USA - 172.70.37.108

Being in Aus this creates a noticable difference going from <10ms to ~330ms ping response times. Is this a cause of a setting ticked under the performance section in the settings? Again just seeking some clarity about what is causing this. Thanks.

Edit: I have just performed another leak test, no neither NextDNS servers are showing and am getting multiple Cloudflare addresses. I run a PiHole setup and force all traffic through it using the 2x servers provided under my https://my.nextdns.io/ page.

- Kummas
- 3 yrs ago
- Reported - view
Here are my DNS leaks -

[United States of America, AS701 MCI Communications Services Inc. d/b/a Verizon Business]

You use 20 DNS servers:
2a00:1450:400c:c08::110
[Belgium, AS15169 Google LLC]
2a00:1450:400c:c0d::101
[Belgium, AS15169 Google LLC]
2a0b:4342:1a32:f:5054:ff:fe48:d17f
[United States of America, AS35487 Misaka Network Inc.]
2a00:1450:400c:c00::104
[Belgium, AS15169 Google LLC]
2a00:1450:400c:c0d::107
[Belgium, AS15169 Google LLC]
2a00:1450:400c:c08::105
[Belgium, AS15169 Google LLC]
2a00:1450:400c:c00::107
[Belgium, AS15169 Google LLC]
2a00:1450:400c:c01::108
[Belgium, AS15169 Google LLC]
2a00:1450:400c:c1b::105
[Belgium, AS15169 Google LLC]
2a00:1450:400c:c00::105
[Belgium, AS15169 Google LLC]
2a00:1450:400c:c0a::107
[Belgium, AS15169 Google LLC]
2a00:1450:400c:c1b::10c
[Belgium, AS15169 Google LLC]
2a00:1450:400c:c0a::109
[Belgium, AS15169 Google LLC]
74.125.47.11
[Belgium, AS15169 Google LLC]
74.125.47.130
[Belgium, AS15169 Google LLC]
74.125.47.155
[Belgium, AS15169 Google LLC]
74.125.73.70
[Belgium, AS15169 Google LLC]
74.125.73.77
[Belgium, AS15169 Google LLC]
74.125.73.82
[Belgium, AS15169 Google LLC]
199.119.65.94
[United States of America, AS57695 Misaka Network Inc.]
- Kummas
  
  3 yrs ago
  
  Reported - view
  NextDNS some more targeted leaks -
  
  You use 21 DNS servers:
  2a00:1450:400c:c08::119
  [Belgium, AS15169 Google LLC]
  2a0b:4342:1a32:f:5054:ff:fe48:d17f
  [United States of America, AS35487 Misaka Network Inc.]
  2a00:1450:400c:c08::103
  [Belgium, AS15169 Google LLC]
  2a00:1450:400c:c08::117
  [Belgium, AS15169 Google LLC]
  2a00:1450:400c:c0a::10b
  [Belgium, AS15169 Google LLC]
  2a00:1450:400c:c1b::103
  [Belgium, AS15169 Google LLC]
  74.125.47.3
  [Belgium, AS15169 Google LLC]
  74.125.47.13
  [Belgium, AS15169 Google LLC]
  74.125.47.136
  [Belgium, AS15169 Google LLC]
  74.125.47.144
  [Belgium, AS15169 Google LLC]
  74.125.47.147
  [Belgium, AS15169 Google LLC]
  74.125.47.151
  [Belgium, AS15169 Google LLC]
  74.125.73.82
  [Belgium, AS15169 Google LLC]
  74.125.181.4
  [Belgium, AS15169 Google LLC]
  74.125.181.5
  [Belgium, AS15169 Google LLC]
  74.125.181.8
  [Belgium, AS15169 Google LLC]
  172.253.215.13
  [Belgium, AS15169 Google LLC]
  172.253.248.35
  [United States of America, AS15169 Google LLC]
  172.253.248.36
  [United States of America, AS15169 Google LLC]
  172.253.248.41
  [United States of America, AS15169 Google LLC]
  199.119.65.94
  [United States of America, AS57695 Misaka Network Inc.]
  
  Conclusion:DNS may be leaking.
- NextDNs
  
  3 yrs ago
  
  Reported - view
  Kummas are you using a VPN? Which platform is it? How did you setup nextdns?
- Kummas
  
  3 yrs ago
  
  Reported - view
  NextDNS same as mentioned before, openwrt with dnsmasq configuration. This probably happened one time today for every 5 mins crontab check for dnsleak. No VPN and the configuration is as per the NextDNS standard or steps!
- NextDNs
  
  3 yrs ago
  
  Reported - view
  Kummas can you please show your dnsmasq config?
- Kummas
  
  3 yrs ago
  
  Reported - view
  NextDNS Is there anyway to chat through emails personally on the configuration info? Also, who is constant company which appears on the leaks?
  
  207.246.91.188
  [United States of America, AS20473 The Constant Company LLC]
  2001:19f0:5:663d:5400:2ff:fece:2f14
  [United States of America, AS20473 The Constant Company LLC]
- NextDNs
  
  3 yrs ago
  
  Reported - view
  Kummas you can DM us (only for private info). The AS20473 is one of our hosting providers, this is not a leak.
- Shadow_Colossus
- 3 yrs ago
- Reported - view
I noticed that I commented that ControlD was also experiencing a leak similar to NextDNS I forgot to print a screenshot showing about it, so I decided to come here to show that this is a problem that is not only affecting NextDNS, but that it is also affecting another service similar to NextDNS (I hope this information can be useful for the quest to find a solution to this problem.):
- Shadow_Colossus
- 3 yrs ago
- Reported - view
https://www.reddit.com/r/Windscribe/comments/p452iw/dns_leak/ - I found this when I was back about DNS leakage and I think this might be useful for some people. Me for example, I don't understand how they fixed it, but it has something to do with the Windows settings that changed after an update. I hope this can be useful.
- San.1
- 3 yrs ago
- Reported - view
It is quite possible that NextDNS is using Cloudflare and Google as their hosting provider. They might be running microservices at the edge from these companies. Hence, it doesn't mean that NextDNS is leaking our DNS requests to Cloudflare or Google, instead the resolutions are happening at the hosting provided by both these companies.

To bolster my theory, I can see Digitalocean as the ISP in my DNS leak test. This means, NexDNS has a server at DO close to my location to support my DNS Queries.
- Teddy_Rogers
- 3 yrs ago
- Reported - view
Here to chime in and repeat a lot of what has already been mentioned here. I have the same problem with DNS leaks and I have noticed this has been happening (and like this) for months. Does not matter if it is router, OS, browser, etc. configured. Does not matter if IPV4 or IPV6 is used or not used. When running the DNS leak test some times it is fine some times it is not. If you keep repeating the test it happens eventually. It is not unknown for the test to report back with hundreds of servers. Doing a test now and it says, "Found 163 Servers, 8 ISP, 9 Locations".

I have noticed if only DOH is configured and when running the Browser Leaks test some of the DNS queries are not being resolved over DOH. You can watch the queries been resolved in the logs tab and enabling live logging. The lock icon is missing from some of these queries.

To confirm, if I use another DNS resolver such as Cloudflare, Quad9, etc. this never happens. Only NextDNS. I suspect it is a misconfiguration or issue with NextDNS servers and its been like this for a long time.
- NextDNs
  
  3 yrs ago
  
  Reported - view
  Teddy Rogers there is no “bad server configuration” that would lead to that in the way our infra is built. The leak has too happen on the client side or somewhere in the middle.
  
  For every report of a DNS leak, please provide more info on the platform used and how nextdns is setup (with as much details as possible). Leaks can happen for different reasons and we can’t help without more details on your setup.
- benot
  
  3 yrs ago
  
  Reported - view
  benot said:
  1dr
  
  NextDNS I think this video was very clear to explain dns leaking to another server
- Mr_Johnson
- 2 yrs ago
- Reported - view
I have had similar issues. Let's put on our tinfoil thinking caps and consider a far simpler explanation I think we have to consider that this is mostly the NSA and at times the UK and other intelligence agencies routing entire domains through their national networks for packet sniffing or whatever Snowden had mentioned this before. The Ashburn location is just the whois registered address, at least one of the geolocations in Ashburn is that registered address. The other precise Ashburn geolocation always returns a specific location to a specific parking place in Ashburn. It's likely DNS spoofing or cache poisoning or something. I've really been digging into whois and doing multiple trace routes and checking multiple geolocation protocols. If NextDNS has servers in the USA then they are required by CALEA to provide access to the USA government just like any other ISP or phone company in the USA is required to do so, Cloudflare Google, etc.
- Mr_Johnson
  
  2 yrs ago
  
  Reported - view
  Mr. Johnson when one reads about the various taps that individual IT workers and phone company workers have discussed over the last 10 years or so simply a tap and then a spoof is enough. All that nextdns or any DNS provider would know at the highest level is that a court order was sent requiring calea compliance. Yes. I agree after my exhaustive research with this issue that the NextDNS rep was right in his speculation. It's something "in the middle.".
- NOway
- 2 yrs ago
- Reported - view
I think maybe I was able to spot this "DNS Leak" or at least I was able to reproduce it several times and noticed this pattern.

I'm using DOH, so not much to explain about the configuration, so I went to www.dnsleaktest.com with no other browser tabs open and the result of the first image below.

So I went to nextdns settings and logs and check the option to update the logs automatically and did a new test and the result is the second image.

Using the site ncheck.tools I had the same result but using this site and just a refresh in the log using the browser's F5, these "leaks" also appear.

I can't explain why this is happening, but this is probably the "problem" that many users are reporting here on the community and elsewhere on the internet like reddit.

Hope this helps.
- NOway
- 2 yrs ago
- Reported - view
Complementing the tests, the problem occurs with Chrome, Edge and Firefox. I decided to do a test with Adguard using the same method and the problem also occurred, only in this case the dns leak occurs for cloudflare while in nextdns it occurs with google. In both services and in any of the 3 browsers immediately changing the DOH to Quad9 or Google Dns the problem disappears. The only similarity between nextdns and adguard I see the ".io" domain in the control panel.
- Hey
  
  2 yrs ago
  
  Reported - view
  Cassius M I think it could be something to do with the browsers and setting a custom DNS possibly some sort of a backup system or them checking if other DNS services are working etc.
- NOway
  
  2 yrs ago
  
  Reported - view
  Hey
  
  I don't think so, because this "leak" only occurs with nextdns and adguard, both on the log page or with the log page open.
  
  Anyway, I only posted this information so that people who are complaining could reproduce it and who knows, the nextdns staff could give some idea of why this happens, but I believe that this will hardly happen...
  
  I stopped using nextdns exactly because of this, lack of support, problem with routes where here in Brazil I am always redirected to servers in the USA no matter which configuration I use, and believe me I tested all possible ones.
  
  As I said, I just posted what I found to try to help users who still use the service and in a way were concerned and try to help the nextdns team to give a plausible position to users.
  
  I appreciate your help too.
- Pierre_Cartier
- 2 yrs ago
- Reported - view
Personnally I don't trust 100% all those DNS leak tools.

For instance the one I always use, because I found ressourcefull, is https://browserleaks.com/ip

Despite a correct configuration on my side I always end up with 2 DNS when I do a test. The one from my VPN and the one from NextDNS. However when I refresh the page I only get NextDNS. Never understood why. Oh well!

Content aside

4 Likes
3 yrs agoLast active
119Replies
6271Views
17 Following

DNS leak test showing USA cloudflare addresses instead of local NextDNS?

119 replies

Content aside

Home

Tags