Need help to diagnose/troubleshoot issues with NextDNS

Hello,

I am using the Pro variant of NextDNS. Since recently I get delays on my network, and sites like docs.ansible.com not opening; it opens after a long time.

My network uses two piholes that forward the traffic to the upstream NextDNS server(s) that are defined for my profile. When I remove them and forward them to Google DNS, they instantly open and those issues are gone.

This also happens on my phone with its own profile and on my laptop.

There are no drops in the logs that could explain this.

Could you please give some suggestions on where I can look / dig into?

Thank you

Remko

21 replies

    • losnad
    • 1 yr ago

    For this particular website, check in the logs whether any of these is blocked: assets.adobedtm.com code.jquery.com use.fontawesome.com www.redhat.com static.redhat.com id.ansible.com www.ansible.com

    If yes, maybe stop using the guilty Blocklist.

    Instead of Google you can check with NextDNS without a profile and see that it is also working, so the problem is not with NextDNS.

    https://help.nextdns.io/t/h7hv05v?r=m1hv07r#m1hv07r

      • Remko_Lodder
      • 1 yr ago

      Hello,

      Thank you for the response. There are no blocks from any of the domains you mention. For now I disabled everything for my Mobile and laptop and will see what it does. I will get back on this topic in a day to get some good measurements.

      • Remko_Lodder
      • 1 yr ago

      So even with a very slimmed version of the filters, docs.ansible.com doesn't open smoothly (at all, it appears to timeout). Disabling NextDNS on my laptop, and reloading the page instantly opens docs.ansible.com.

      There are no blocks in the logs at all for this session.

      Something appears to be off here: even with the three lists that I am using and the other protections disabled, it just doesn't load and hangs on loading the page(s). With a clean browser and restarting the lookup without NextDNS, the page instantly opens.

    • Remko_Lodder
    • 1 yr ago

    Looking into a bit more detail about what happens: it appears that docs.ansible.com, for example, opens partially, and then 'static.redhat.com' does not get loaded (these appear to be some fonts). However, no filters at all are active for this particular profile, so it should just behave as a transparent DNS proxy instead.

    Again, when disabling the NextDNS icon in my taskbar, it opens instantly. The dtm.js file below from www.redhat.com itself cannot be loaded. Disabling this (with likewise filters on my Pi-hole) opens it in milliseconds. Is NextDNS proxying the file or something of the sort? It feels like NextDNS is loading the file as well and analyzing it, perhaps to find bogus stuff in it. But without filters active this should not happen at all. My Pi-hole filters are much more extensive and just do what they should do: DNS-filter things. For me this is a sign that NextDNS does more than just filtering things, even with filters and all settings -disabled-.

    NextDNS docs.ansible.com

    Pi-hole with lots of ad blockers active:

    It blocks some script contents, which is fine (or not, whatever); it loads in 194 ms whereas the NextDNS-enabled variant doesn't load at all and stops after 2.5 minutes.

    • Remko_Lodder
    • 1 yr ago

    I might have found the cause referenced in a very different topic (https://help.nextdns.io/t/m1h9y9a/problems-with-paramount-plus-with-nextdns-enabled) that remarked 'disabling Anonymized EDNS Client Subnet'.

    I disabled that and it appears to be much smoother (albeit still 50% slower than without NextDNS).

    I'll monitor this usage and re-enable some filters to see whether this persists.

      • Remko_Lodder
      • 1 yr ago

      That was just a one-time-off difference; it is now stuck again with 2+ min loading time (and aborting in Chrome).

      All security options + filters are disabled in my profile.

      • Remko_Lodder
      • 1 yr ago

      My next attempt will be by not using the macOS App, but using the upstream DNS servers. That initially gives a different view and a different way of how this is handled. The various pages get loaded a bit slower than when not using NextDNS, but way faster than when using the "app".

    • Remko_Lodder
    • 1 yr ago

    I cannot seem to solve this, the delays keep occurring and disabling all settings does not give the results expected.

    Unless someone has an explanation on how to debug and solve this, this is not going to fly. Tonight I will be reverting my setup(s) to use my internal resolvers.

      • NextDNs
      • 1 yr ago

      Did you try with no profile set on NextDNS to ensure nothing is blocked?

      • Remko_Lodder
      • 1 yr ago

      Yes, even with just using the DNS resolvers without a profile it's the same. docs.ansible.com is a link that demonstrates this easily for me.

      • NextDNs
      • 1 yr ago

      I can't reproduce the issue by just using NextDNS, with or without blocklists enabled.

      • Remko_Lodder
      • 1 yr ago

      So how do we then proceed? The issue is there, and is frustrating my users at home. I can repeatedly trigger this for 'dtm.js' from 'docs.ansible.com', as one example. This file contains references to other sites, but -without NextDNS- it loads within milliseconds. I don't see any drops/blocks; I didn't see that with my blocklists either, but still the Apple App Store, docs.ansible.com, nu.nl, our streaming media services all had issues -with- NextDNS, and -not- without NextDNS (using almost the same blocklists on the central Pi-holes at home).

      • NextDNs
      • 1 yr ago

      It would be interesting to see the output of a dig for an impacted domain with and without NextDNS to see the difference.

      • Remko_Lodder
      • 1 yr ago

      Not sure what kind of dig operation you would like to see. I don't think doing a dig will solve this. It looks like NextDNS is interfering with the traffic itself. Parts of the page from docs.ansible.com get loaded fine, but some parts like dtm.js are not. But nevertheless, here goes:

      ~ % dig docs.ansible.com <<< With NextDNS

      ; <<>> DiG 9.10.6 <<>> docs.ansible.com
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16287
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1232
      ;; QUESTION SECTION:
      ;docs.ansible.com.        IN    A

      ;; ANSWER SECTION:
      docs.ansible.com. 263 IN A 104.26.0.234
      docs.ansible.com. 263 IN A 104.26.1.234
      docs.ansible.com. 263 IN A 172.67.68.251

      ;; Query time: 75 msec
      ;; SERVER: 192.0.2.42#53(192.0.2.42)
      ;; WHEN: Fri Sep 08 20:02:31 CEST 2023
      ;; MSG SIZE  rcvd: 93

      ~ % dig docs.ansible.com <<< without NextDNS

      ; <<>> DiG 9.10.6 <<>> docs.ansible.com
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31685
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1232
      ;; QUESTION SECTION:
      ;docs.ansible.com.        IN    A

      ;; ANSWER SECTION:
      docs.ansible.com. 265 IN A 172.67.68.251
      docs.ansible.com. 265 IN A 104.26.1.234
      docs.ansible.com. 265 IN A 104.26.0.234

      ;; Query time: 43 msec
      ;; SERVER: mydns#53(mydnsip)
      ;; WHEN: Fri Sep 08 20:02:37 CEST 2023
      ;; MSG SIZE  rcvd: 93

      • Remko_Lodder
      • 1 yr ago

      Reading a bit around more than just this thread, but also much wider on the internet, I notice that more people have issues with the App. I am using that same App. Disabling it and using the CLI gives a quicker response.

      What is the App doing that gives these results? It seems like it is doing some sort of TCP proxy to intercept and do "things" with a request, like the one for dtm.js on docs.ansible.com. Can you confirm that please?

      • Remko_Lodder
      • 1 yr ago

      That only works until you 'sleep' the machine. If you then unlock the machine, I need to disconnect and connect to the WiFi network again.

      This is not feeling OK; it annoys me. I never had this with Pi-hole. I would expect from a paid service that it at least gives the same results as my local resolvers, and has features on top of that. In this case the features are there, but the results are not.

      • NextDNs
      • 1 yr ago

      I'm interested in the dig on the resource that stalls in the page, not the main domain.

      • Remko_Lodder
      • 1 yr ago

      OK, please make that more clear next time :)

      Added below; for now the direct opening of the page suddenly appears to work better, although that could still be caching on my end. It seems at least far quicker than before, while nu.nl still has some similar issues.

      You however did not respond to the question whether the App does some TCP inspection. It appears that it does; why else would www.redhat.com suddenly be so sluggish (like a lot of other sites), and now this suddenly seems to be fixed?

      % dig www.redhat.com <<-- My internal PiHole.

      ; <<>> DiG 9.10.6 <<>> www.redhat.com
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40349
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 512
      ;; QUESTION SECTION:
      ;www.redhat.com. IN A

      ;; ANSWER SECTION:
      www.redhat.com. 1583 IN CNAME ds-www.redhat.com.edgekey.net.
      ds-www.redhat.com.edgekey.net. 21451 IN CNAME ds-www.redhat.com.edgekey.net.globalredir.akadns.net.
      ds-www.redhat.com.edgekey.net.globalredir.akadns.net. 3571 IN CNAME e3396.dscx.akamaiedge.net.
      e3396.dscx.akamaiedge.net. 20 IN A 23.209.235.30

      ;; Query time: 37 msec
      ;; SERVER: myresolver#53(myresolverip)
      ;; WHEN: Sat Sep 09 21:08:35 CEST 2023
      ;; MSG SIZE  rcvd: 201

      % dig www.redhat.com <<-- NextDNS without using any profile

      ; <<>> DiG 9.10.6 <<>> www.redhat.com
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22525
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1232
      ;; QUESTION SECTION:
      ;www.redhat.com. IN A

      ;; ANSWER SECTION:
      www.redhat.com. 996 IN CNAME ds-www.redhat.com.edgekey.net.
      ds-www.redhat.com.edgekey.net. 15088 IN CNAME ds-www.redhat.com.edgekey.net.globalredir.akadns.net.
      ds-www.redhat.com.edgekey.net.globalredir.akadns.net. 996 IN CNAME e3396.dscx.akamaiedge.net.
      e3396.dscx.akamaiedge.net. 20 IN A 23.209.235.30

      ;; Query time: 61 msec
      ;; SERVER: 192.0.2.42#53(192.0.2.42)
      ;; WHEN: Sat Sep 09 21:08:44 CEST 2023
      ;; MSG SIZE  rcvd: 201

      % dig www.redhat.com <<-- NextDNS with profile applied

      ; <<>> DiG 9.10.6 <<>> www.redhat.com
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26091
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1232
      ;; QUESTION SECTION:
      ;www.redhat.com. IN A

      ;; ANSWER SECTION:
      www.redhat.com. 864 IN CNAME ds-www.redhat.com.edgekey.net.
      ds-www.redhat.com.edgekey.net. 14956 IN CNAME ds-www.redhat.com.edgekey.net.globalredir.akadns.net.
      ds-www.redhat.com.edgekey.net.globalredir.akadns.net. 864 IN CNAME e3396.dscx.akamaiedge.net.
      e3396.dscx.akamaiedge.net. 6 IN A 184.24.165.36

      ;; Query time: 83 msec
      ;; SERVER: 192.0.2.42#53(192.0.2.42)
      ;; WHEN: Sat Sep 09 21:10:56 CEST 2023
      ;; MSG SIZE  rcvd: 201
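To make the resolver comparison that NextDNS support asked for (here and for the docs.ansible.com dig earlier in the thread) less eyeball-driven, this added script parses two dig outputs and reports only the fields that differ: RCODE, advertised EDNS UDP size, the CNAME chain, the final addresses and the query time. It is not code from the thread or from NextDNS; the two samples are constructed, abridged from the Pi-hole and "NextDNS with profile" outputs above.

```python
import re

# Constructed samples in dig's output format, abridged from the outputs posted in this thread.
DIG_PIHOLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40349
; EDNS: version: 0, flags:; udp: 512
;; ANSWER SECTION:
www.redhat.com. 1583 IN CNAME ds-www.redhat.com.edgekey.net.
e3396.dscx.akamaiedge.net. 20 IN A 23.209.235.30
;; Query time: 37 msec
"""
DIG_NEXTDNS = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26091
; EDNS: version: 0, flags:; udp: 1232
;; ANSWER SECTION:
www.redhat.com. 864 IN CNAME ds-www.redhat.com.edgekey.net.
e3396.dscx.akamaiedge.net. 6 IN A 184.24.165.36
;; Query time: 83 msec
"""

# Scalar fields live on dig's ';'-prefixed comment lines; RRs are "name ttl IN type rdata".
FIELDS = {"status": re.compile(r"status: (\w+)"), "udp": re.compile(r"udp: (\d+)"),
          "ms": re.compile(r"Query time: (\d+) msec")}
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")

def parse_dig(text):
    """Return status, EDNS UDP size, query time and the resource records of one dig run."""
    out = {"records": []}
    for line in text.splitlines():
        if line.startswith(";"):
            for key, rx in FIELDS.items():
                if (m := rx.search(line)):
                    out[key] = m.group(1) if key == "status" else int(m.group(1))
        elif (m := RR.match(line)):  # non-comment lines are RRs (answer/authority/additional)
            out["records"].append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return out

def compare(text_a, text_b):
    """Differences between two dig runs that could change how a page loads."""
    a, b = parse_dig(text_a), parse_dig(text_b)
    views = {
        "status": lambda p: p.get("status"),
        "edns_udp": lambda p: p.get("udp"),
        "addresses": lambda p: sorted(r[3] for r in p["records"] if r[2] in ("A", "AAAA")),
        "cname_chain": lambda p: [r[3] for r in p["records"] if r[2] == "CNAME"],
    }
    diff = {k: (f(a), f(b)) for k, f in views.items() if f(a) != f(b)}
    diff["query_ms"] = (a.get("ms"), b.get("ms"))  # always reported, even when equal
    return diff
```

Feed it the saved output of `dig <resource-host>` against each resolver; a differing final address or EDNS size is the kind of thing worth reporting back, while an identical answer set points the investigation away from name resolution.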

      • Remko_Lodder
      • 1 yr ago

      Can you, next to confirming (or denying) the use of the TCP inspection, also explain why this dig is needed? A page not opening, or opening very slowly, when some resources just open fine; it seems interesting to request the dig output?

      • NextDNs
      • 1 yr ago

      The app is capturing DNS packets to proxy them over HTTPS. No other traffic is touched.

      • Remko_Lodder
      • 1 yr ago

      Okay, clear answer. What could be a reason then for this 'hanging' behaviour when using the NextDNS facilities vs. using my local resolvers? The browser and website are both the same; the only difference is the resolver. The adlists that I have used on NextDNS are fewer than I use at my Pi-hole installations, and even disabled there is still a very notable difference. (Well, until so far that is; something did change in the meantime, and that is that the docs.ansible.com site loads normally, which it didn't do before I started this thread.)

      So far thanks for the support! It is appreciated that it appears to be working better now. I'll slowly re-introduce the most important critics of my usage, my family members ;-)
