0

NextDNS Blocked Domain Resolving to 149.248.211.216 Instead of 0.0.0.0

I'm having a strange issue with NextDNS blocking. I blocked `apifox[.]it[.]com` (a known malicious domain from the ApiFox attack) on the dashboard, but it's not behaving as expected.

The Problem

- When I query the domain, it returns `149.248.211.216` instead of being blocked. But I query other domain I blocked manually like `x.it.com`, it returns `0.0.0.0`, maybe because this domain does not really exist.

- I'm unsure if this IP is the attacker's actual IP or NextDNS's block page IP

- When I toggled "Display Block Page" OFF, the IP stayed as `149.248.211.216` for a while, then changed to `0.0.0.0`

- After turning "Display Block Page" back ON, it still returns `0.0.0.0` instead of the block page IP

- The behavior is inconsistent — sometimes it resolves to the attacker's IP, sometimes to `0.0.0.0`

What I've tried

- Toggling the block page display setting on/off

- Multiple DNS queries using dig

My dig queries show

- Most queries return `149.248.211.216` (with TTL countdown)

- Some queries return `0.0.0.0` (marked as `aa` — authoritative answer)

- The responses are inconsistent even after changing settings

Questions

  1. Is `149.248.211.216` NextDNS's block page server, or is the domain not actually blocked?

  2. Why does it alternate between `149.248.211.216` and `0.0.0.0`?

  3. Should I see a consistent response once a domain is blocked?

  4. Is there a cache issue or something I'm missing in my configuration?

2 replies

null
    • explosic4
    • 7 hrs ago
    • Reported - view

    This is my dig output.

     

    admin@admins-MacBook-Pro ~ % dig @45.90.28.95 apifox.it.com

; <<>> DiG 9.10.6 <<>> @45.90.28.95 apifox.it.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7781
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;apifox.it.com.INA

;; ANSWER SECTION:
apifox.it.com.240INA149.248.211.216

;; Query time: 10 msec
;; SERVER: 45.90.28.95#53(45.90.28.95)
;; WHEN: Thu Mar 26 21:43:30 EDT 2026
;; MSG SIZE  rcvd: 58

admin@admins-MacBook-Pro ~ % dig @45.90.28.95 x.it.com

; <<>> DiG 9.10.6 <<>> @45.90.28.95 x.it.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13438
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;x.it.com.INA

;; ANSWER SECTION:
x.it.com.300INA0.0.0.0

;; Query time: 702 msec
;; SERVER: 45.90.28.95#53(45.90.28.95)
;; WHEN: Thu Mar 26 21:43:48 EDT 2026
;; MSG SIZE  rcvd: 42

admin@admins-MacBook-Pro ~ % dig @45.90.28.95 apifox.it.com

; <<>> DiG 9.10.6 <<>> @45.90.28.95 apifox.it.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30995
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;apifox.it.com.INA

;; ANSWER SECTION:
apifox.it.com.212INA149.248.211.216

;; Query time: 11 msec
;; SERVER: 45.90.28.95#53(45.90.28.95)
;; WHEN: Thu Mar 26 21:43:58 EDT 2026
;; MSG SIZE  rcvd: 58

admin@admins-MacBook-Pro ~ % dig @45.90.28.95 apifox.hk.com

; <<>> DiG 9.10.6 <<>> @45.90.28.95 apifox.hk.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9890
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;apifox.hk.com.INA

;; ANSWER SECTION:
apifox.hk.com.300INA0.0.0.0

;; Query time: 800 msec
;; SERVER: 45.90.28.95#53(45.90.28.95)
;; WHEN: Thu Mar 26 21:44:09 EDT 2026
;; MSG SIZE  rcvd: 47

admin@admins-MacBook-Pro ~ % dig @45.90.28.95 apifox.it.com

; <<>> DiG 9.10.6 <<>> @45.90.28.95 apifox.it.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48105
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;apifox.it.com.INA

;; ANSWER SECTION:
apifox.it.com.169INA149.248.211.216

;; Query time: 16 msec
;; SERVER: 45.90.28.95#53(45.90.28.95)
;; WHEN: Thu Mar 26 21:44:42 EDT 2026
;; MSG SIZE  rcvd: 58

admin@admins-MacBook-Pro ~ % dig @45.90.28.95 apifox.it.com

; <<>> DiG 9.10.6 <<>> @45.90.28.95 apifox.it.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20396
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;apifox.it.com.INA

;; ANSWER SECTION:
apifox.it.com.154INA149.248.211.216

;; Query time: 10 msec
;; SERVER: 45.90.28.95#53(45.90.28.95)
;; WHEN: Thu Mar 26 21:44:57 EDT 2026
;; MSG SIZE  rcvd: 58

admin@admins-MacBook-Pro ~ % dig @45.90.28.95 apifox.it.com

; <<>> DiG 9.10.6 <<>> @45.90.28.95 apifox.it.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43934
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;apifox.it.com.INA

;; ANSWER SECTION:
apifox.it.com.1INA149.248.211.216

;; Query time: 13 msec
;; SERVER: 45.90.28.95#53(45.90.28.95)
;; WHEN: Thu Mar 26 22:16:41 EDT 2026
;; MSG SIZE  rcvd: 47

admin@admins-MacBook-Pro ~ % dig @45.90.28.95 apifox.it.com

; <<>> DiG 9.10.6 <<>> @45.90.28.95 apifox.it.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57946
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;apifox.it.com.INA

;; ANSWER SECTION:
apifox.it.com.298INA0.0.0.0

;; Query time: 11 msec
;; SERVER: 45.90.28.95#53(45.90.28.95)
;; WHEN: Thu Mar 26 22:16:43 EDT 2026
;; MSG SIZE  rcvd: 47

admin@admins-MacBook-Pro ~ % dig @45.90.28.95 apifox.it.com

; <<>> DiG 9.10.6 <<>> @45.90.28.95 apifox.it.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63168
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;apifox.it.com.INA

;; ANSWER SECTION:
apifox.it.com.296INA0.0.0.0

;; Query time: 8 msec
;; SERVER: 45.90.28.95#53(45.90.28.95)
;; WHEN: Thu Mar 26 22:16:44 EDT 2026
;; MSG SIZE  rcvd: 58
    • losnad
    • 5 hrs ago
    • Reported - view

    My advice is to don't use the block page at all, it can cause all kinds of problems without any benefit. 

    https://browserleaks.com/ip will show your IP

    https://browserleaks.com/ip/149.248.211.216 (for example) will shows details about what IP you want to check

    https://dns.nextdns.io/?name=facebook.com&type=A will show you the NextDNS answer of the facebook.com domain (for example)

    If you want to check the answer for your NextDNS profile add your ID from the Setup tab in my.nextdns.io before the question mark like this:

    https://dns.nextdns.io/XXXXXX?name=facebook.com&type=A

    Maybe you are digging to much for no good reason. 😊

Login to reply

Content aside

  • 5 hrs agoLast active
  • 2Replies
  • 12Views
  • 1 Following