
dns.nextdns.io IP addresses

Is there a list of IP addresses that dns.nextdns.io can resolve to?

I have seen many different IPs in different parts of the world.

The reason I am asking is as below.

On my home firewall, I have two different ISP connections, and I need the DNS traffic to exit from ISP1 only, with a fallback to ISP2. I need this info to update the firewall rules. So far I have discovered the following:

103.127.28.0/22

45.90.28.0/22

217.146.10.0/24

191.96.50.0/23

45.76.16.0/20

15 replies

    • Pankaj_Gupta
    • 2 yrs ago

    This looks like geo load balancing to me and not anycast because it is not choosing best for me but best for them.

    I am getting random resolution for the domain and getting IPs across the world. So far I have seen the following countries.

    India

    Singapore

    Hong Kong

    USA

    Japan

    In fact the NextDNS own range (which I believe is anycast) 45.90.28.0/22 (AS34939) is not available in India. They serve in India either via AS134926 or AS42473, but I don't get their addresses resolved every time.

    I am based in India and it should resolve to an India-based server, otherwise the DNS latency goes for a toss.

    Now coming back to my original ask. If anyone has the list, please share if possible.

    My ISP1 has a better worldwide network and hence I need to exit all the DNS requests via that. It will be really helpful.

      • Hey
      • 2 yrs ago

      Pankaj Gupta For you to force pick a server you don't need any of that, I don't even understand what you're going to do with the IP range in the first place. You can use DNS over HTTPS, do a ping and forcefully pick the server closest to you. It's not recommended, but if you really just want it you can have it. You're looking for something and asking for something completely different.

      ultralow.dns1.nextdns.io/yourid

      ultralow.dns2.nextdns.io/yourid

      anycast.dns1.nextdns.io/yourid

      anycast.dns2.nextdns.io/yourid

      Choose from one of those by doing a test on ping.nextdns.io and pick the one closest.

      • Pankaj_Gupta
      • 2 yrs ago

      Hey Many thanks. I didn't know something like this exists to find the ultralow for you, hence I was trying to solve it in a different way.

      • NextDNs
      • 2 yrs ago

      Pankaj Gupta if the selected IP via DNS steering (ultralow) is not the best latency for you, please provide a https://nextdns.io/diag with NextDNS NOT configured so we can investigate.

      Note that we always try to pick the best PoP for you. There is no better PoP for us than the one with the lowest latency for you. Ultralow can sometimes have issues picking the best path for various reasons (that applies to anycast too, for different reasons). The diag can help us understand the issue and most of the time fix it.

      • Pankaj_Gupta
      • 2 yrs ago
      • Hey
      • 2 yrs ago

      Pankaj Gupta Yeah I was like, I don't understand what's going on lol. Blocking the IPs would hurt you in a possible server failure, where NextDNS would try to change the server from the one that's down to something that works. So I was a bit shocked. Anyways, let's hope the NextDNS team can help you. Also my first message could come out as a bit iffy and it wasn't my intent; I was shocked at that moment so I could have phrased it a lot better.

      • Pankaj_Gupta
      • 2 yrs ago

      Hey 

      I was not planning to block any IP. I was only trying to force the DNS resolution always via ISP1 with fallback to ISP2. Apologies if I wasn't clear.

      BTW I noticed that the most problematic devices are iOS with the profile installed. Androids with DoT private DNS resolve to the nearest one most of the time.

      • Hey
      • 2 yrs ago

      Pankaj Gupta It varies, but yeah, I'm using a device with Android 11 and DoT and haven't had a single issue, and I connect to the fastest server closest to me with the best ping in my country, even compared to Cloudflare's 1.1.1.1. And about ISP1 and ISP2: if you're using multiple ISPs, linking the IPs on two configurations should help you with using NextDNS consistently.

      • Pankaj_Gupta
      • 2 yrs ago

      Hey 

      This would be great. How can I install multiple profiles on the devices?

      • Hey
      • 2 yrs ago

      Pankaj Gupta Link your first ISP's IP to your main configuration, create a new configuration, make it identical to your main and link your second IP to the other configuration. As long as your router points to NextDNS it should at worst change configs when you go from ISP1 to ISP2, so logging could be a bit iffy, but it would work consistently. This will work only if you have a static IP; if your router is new you might have DoH or DoT options that should be easier than doing all of that.

      • Pankaj_Gupta
      • 2 yrs ago

      Hey 

      I am using OPNsense as the home firewall and I tried to install the nextdns CLI, but it always fails to start. On the other hand, if I use Unbound, it has a totally different UI compared to pfSense and I am not sure how to map my config-id with the IP address.

      Is the following possible in OPNsense? Can I replace the anycast IP with the ultralow IP?

      server:
        forward-zone:
          name: "."
          forward-tls-upstream: yes
          forward-addr: 45.90.28.0#xxxxxx.dns1.nextdns.io
          forward-addr: 45.90.30.0#xxxxxx.dns2.nextdns.io
      
      • Hey
      • 2 yrs ago

      Pankaj Gupta I just Googled about OPNsense and Dynamic DNS and it seems to support it, so you should be able to constantly link your IP, no matter what ISP, to your account, and you shouldn't need two configurations if that all works properly.

      • Pankaj_Gupta
      • 2 yrs ago

      Hey 

      Linking the IP always works, but that is plaintext going over port 53. I wanted to encrypt it.

      I tried Unbound on a Raspberry Pi with the following configuration:

      server:
          logfile: "/var/log/unbound/unbound.log"
          verbosity: 1
          tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
          interface: 0.0.0.0
          access-control: 192.168.0.0/16 allow
          access-control: 127.0.0.1 allow
          access-control: ::1 allow
          access-control: 0.0.0.0/0 deny
          access-control: ::/0 deny
      forward-zone:
          name: "."
          forward-tls-upstream: yes
          forward-addr: 103.127.29.198#xxxxxx.ultralow.dns2.nextdns.io
          forward-addr: 217.146.10.59#xxxxxx.ultralow.dns1.nextdns.io
          forward-addr: 45.90.28.0#xxxxxx.dns1.nextdns.io
          forward-addr: 45.90.30.0#xxxxxx.dns2.nextdns.io
      

      It always ignores the first two lines and picks up only the last two.

      • Pankaj_Gupta
      • 2 yrs ago

      Hey

      Never mind. The following works:

      forward-zone:
          name: "."
          forward-tls-upstream: yes
          forward-addr: 103.127.29.198#xxxxxx.dns2.nextdns.io
          forward-addr: 217.146.10.59#xxxxxx.dns1.nextdns.io
          forward-addr: 45.90.28.0#xxxxxx.dns1.nextdns.io
          forward-addr: 45.90.30.0#xxxxxx.dns2.nextdns.io
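      As an added check (not code from the thread, from NextDNS or from Unbound): parse the forward-addr lines of the working forward-zone above and confirm each upstream falls inside the prefixes listed in the original post, so that a firewall policy-routing rule keyed on those prefixes covers every upstream the forwarder will actually use. The prefix list and the config are taken from the thread; the port defaulting and the TLS-name check are my own assumptions about Unbound's `ip[@port][#auth-name]` syntax.

```python
import ipaddress
import re

# Prefixes the original post lists as destinations dns.nextdns.io has resolved to.
NEXTDNS_PREFIXES = [ipaddress.ip_network(p) for p in (
    "103.127.28.0/22", "45.90.28.0/22", "217.146.10.0/24",
    "191.96.50.0/23", "45.76.16.0/20")]

# Constructed sample: the working forward-zone from the thread, config id masked as xxxxxx.
SAMPLE_CONF = """\
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 103.127.29.198#xxxxxx.dns2.nextdns.io
    forward-addr: 217.146.10.59#xxxxxx.dns1.nextdns.io
    forward-addr: 45.90.28.0#xxxxxx.dns1.nextdns.io
    forward-addr: 45.90.30.0#xxxxxx.dns2.nextdns.io
"""

# Unbound syntax (assumed): forward-addr: <ip>[@port][#tls-auth-name]
FORWARD_ADDR = re.compile(r"^\s*forward-addr:\s*([^@#\s]+)(?:@(\d+))?(?:#(\S+))?\s*$")


def parse_forward_addrs(conf):
    """Return (ip, port, auth_name) for every forward-addr line in a forward-zone.
    Port defaults to 853 when forward-tls-upstream is yes, otherwise 53."""
    tls = bool(re.search(r"^\s*forward-tls-upstream:\s*yes\s*$", conf, re.M))
    entries = []
    for line in conf.splitlines():
        m = FORWARD_ADDR.match(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))  # raises ValueError on a mistyped address
        port = int(m.group(2)) if m.group(2) else (853 if tls else 53)
        entries.append((ip, port, m.group(3)))
    return entries


def uncovered_upstreams(entries, prefixes=NEXTDNS_PREFIXES):
    """Upstream IPs that no prefix covers: a policy-routing or allow rule built from
    the prefix list would miss them, so DNS to those could leave via the wrong ISP."""
    return [ip for ip, _, _ in entries if not any(ip in net for net in prefixes)]


def tls_names_consistent(entries):
    """True when every upstream carries an auth name under nextdns.io; a forward-addr
    without a #name gets no certificate verification from Unbound."""
    return all(name is not None and name.endswith(".nextdns.io") for _, _, name in entries)
```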
      
      • Hey
      • 2 yrs ago

      Pankaj Gupta Nice, tbh I don't know much about OPNsense, so I was just trying to understand from Google and get it working, so yeah, thankfully you got it working; my understanding was quite limited for me to do much lol.

Last active 2 yrs ago · 15 replies · 8473 views · 3 following