
DOH - what IPv4 to use?

I did not find an answer to this via searching; apologies if I missed some other post.

--> I have a Peplink router on a non-fixed IP address, and am setting up DOH (DNS-over-HTTPS) with NextDNS so that I will not have problems with staying synced to my blocking profile.

However: To set this up, I must provide both the URL (https://dns.nextdns.io/XXXXXX) with the X's being one's profile identifier I believe, _AND_ IPv4 addresses. Which IPv4 addresses should I use?

The ones listed on the NextDNS site, 45.90.28.63 and 45.90.30.63 did not seem to work.

The 'Anycast' versions of these, 45.90.28.0 and 45.90.30.0, _do_ work, but are not listed on the site anywhere.

If I use 'nslookup dns.nextdns.io' or ping for the same address, I get utterly different IPs, 104.238.X.X and 209.209.X.X which may or may not be linked to my profile ID, and which do not show up on the NextDNS website. I have not tried these yet, but suspect they might be the ones I should use (?)

PS: Neither nslookup nor ping works for the URL given for my DOH (i.e., https://dns.nextdns.io/XXXXXX or a permutation of that which still includes the XXXXXX's).

--> So which IPv4's should I be using to set up DOH on NextDNS? The Anycast versions? The ones from nslookup? Other?

Many thanks!

8 replies

    • Calvin_Hobbes
    • 3 mths ago

    DOH only requires the URL of the server. It makes no sense to ask for an IP address.

    • NAS
    • 3 mths ago

    Many thanks for the reply!

    Doesn't the router need a DNS itself, at least on boot, in order to resolve that DOH URL? I assumed that was why it was asking.

    I am not clear how the router could make that initial connection without being told its IP address or being given an IP address for a DNS that can resolve the IP of the URL for it.

    I suspect I do not understand this. Regardless my router (Peplink) definitely asks for an IP address (two, actually; presume one is a fallback) when entering the URL for DOH. And once I do that, DOH does seem to be working.

    Does anyone else run into this, and if so what IPv4's do you enter there?

      • Calvin_Hobbes
      • 3 mths ago

      Never mind what I said before. The instructions do indeed call for using IPv4 or IPv6 addresses.

      If you're using IPv4 you have to "link" your IP using their instructions. The method depends on the type of router and they give several examples on the Router instructions (customized for your configuration).

      If you're lucky enough to have IPv6 available, no linking is required because there's enough address space for every profile to have its own.

      Sorry for the confusion.

      That's a good question and I wondered that myself after replying. I'm not using it on a router, I'm using it on MacOS and iPad. However, it occurred to me the same issue would apply... how does it resolve the URL if it doesn't have an existing DNS server? I don't know the answer. What IP did you enter? I'm guessing one of the well known ones such as 1.1.1.1, 8.8.8.8 or 9.9.9.9

      I'll post a new question asking  how the domain portion of the URL gets resolved before using DOH.

    • Calvin_Hobbes
    • 3 mths ago

    If I use 'nslookup dns.nextdns.io' or ping for the same address, I get utterly different IPs, 104.238.X.X and 209.209.X.X which may or may not be linked to my profile ID, and which do not show up on the NextDNS website.

    I believe that's how anycast works. The IPv4 address you are given acts as a "virtual IP" which is supposed to connect you to the best anycast server, which is what you're seeing with nslookup.

    I did notice your IPv4 address is different than mine, but on the same subnet. I think they must have a few IPv4 servers depending on your configuration ID.

    I hope I'm not adding to your confusion.   I'm just another user, that's happy with the service and mostly understand how it works, but not entirely.

    • NAS
    • 3 mths ago

    For anyone coming across this thread in the future:

    1. Yes, an IPv4 is required for the initial DOH lookup.

    "A network observer can see the initial old style DNS lookup for the encrypted DNS server name."

    https://defensivecomputingchecklist.com/indexold.php#dohdot

    2. You should be able to use the IPv4's NextDNS gives you (not the ".0" anycast versions). I eventually got versions of those (with a .number number) to work.

    3. I WOULD use those, or Quad9 or whatever, since if you use nslookup to get the actual addresses of the servers in (current) use they are quite different -- NOT the main NextDNS IPv4's. Using WHOIS, they look like cloud service providers that NextDNS presumably uses _and thus may shift_ if there are uptime issues. Using the main NextDNS IPv4's will insulate you from that; otherwise if they shift cloud service providers and you were linked to those cloud providers' IPs instead of their NextDNS IPs, I suspect you lose your DNS resolving (read: internet) until you dig into your router and fix the DNS address(es). For more details on how NextDNS is choosing their cloud service folks to maintain high reliability, cf.:

    NextDNS Anycast discussion: https://help.nextdns.io/t/h7hmvak/what-is-anycast-and-ultralow

    • R_P_M
    • 3 mths ago

    Some devices and applications require an IP address together with the DoH string, this is called bootstrapping.

    The correct IPs to be used with bootstrapping are the 45.90.28.0 & 45.90.30.0 which you mentioned earlier.

    All of the 45.90.28.*** and 45.90.30.*** subnets are Anycast addresses, just for your info. 
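The two replies above (NAS's point that an old-style lookup of the DoH server's name is visible to a network observer, and R_P_M's note that devices call this extra IP "bootstrapping") describe a two-step flow that is easier to see in code. The following is an added example written for this thread, not NextDNS's or Peplink's software: it builds the classic UDP/53 query for the DoH hostname, sends it to the bootstrap IP, then carries the real query to the returned address over TLS with SNI and certificate validation pinned to the hostname. The profile ID `abc123` and every `192.0.2.x` address are made-up placeholders (the documentation range); the transports are parameters so the flow can be exercised offline with canned replies.

```python
"""Added example, not NextDNS's or Peplink's code: the "bootstrap" step a DoH
client performs before its first encrypted query.  Wire format is RFC 1035,
the GET form is RFC 8484 (?dns=<base64url DNS message>).  The profile ID
abc123 and every 192.0.2.x address below are made-up placeholders."""
import base64
import http.client
import socket
import ssl
import struct
from urllib.parse import urlparse

def build_query(name: str, qtype: int = 1) -> bytes:
    """RFC 1035 query: header + one IN question.  ID 0 per RFC 8484 so equal
    queries give equal, cacheable URLs."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)           # RD=1
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def build_answer(query: bytes, addrs: list[str], ttl: int = 300) -> bytes:
    """Constructed reply for offline runs: echo the question, add A records
    whose owner name is a compression pointer (0xC00C) back to the question."""
    hdr = struct.pack(">HHHHHH", 0, 0x8180, 1, len(addrs), 0, 0)     # QR, RD, RA
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4)
                   + bytes(int(o) for o in ip.split(".")) for ip in addrs)
    return hdr + query[12:] + rrs

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a possibly compressed name; only the new offset matters."""
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:        # 2-byte pointer terminates the name
            return off + 2
        off += 1
        if ln == 0:
            return off
        off += ln

def parse_a_records(msg: bytes) -> list[str]:
    """A-record addresses from the answer section; raise on a non-zero RCODE."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                    # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def doh_get_url(doh_url: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url with the '=' padding removed."""
    return f"{doh_url}?dns={base64.urlsafe_b64encode(query).rstrip(b'=').decode()}"

def udp_send(ip: str, query: bytes, timeout: float = 3.0) -> bytes:
    """Plain UDP/53 to the bootstrap IP.  This is the one exchange an on-path
    observer still sees in the clear: the DoH server's hostname."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (ip, 53))
        return s.recv(4096)

def https_get(ip: str, host: str, url: str, timeout: float = 5.0) -> bytes:
    """TLS to the bootstrapped IP, but SNI and certificate checks use the
    hostname, so a lying bootstrap resolver cannot hand us an impostor."""
    path = url.split(host, 1)[1]
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, 443), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall((f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
                     "Accept: application/dns-message\r\nConnection: close\r\n\r\n").encode())
        resp = http.client.HTTPResponse(tls)
        resp.begin()
        return resp.read()

def bootstrap_and_resolve(doh_url, bootstrap_ip, name, udp=udp_send, https=https_get):
    """1) classic DNS to bootstrap_ip for the DoH hostname; 2) the real query
    over HTTPS to one of the returned IPs.  Returns (doh_server_ips, answers).
    Transports are parameters so the flow can run offline with canned data."""
    host = urlparse(doh_url).hostname
    server_ips = parse_a_records(udp(bootstrap_ip, build_query(host)))
    url = doh_get_url(doh_url, build_query(name))
    for ip in server_ips:                      # try the next server on failure
        try:
            return server_ips, parse_a_records(https(ip, host, url))
        except (OSError, ValueError):
            continue
    raise RuntimeError(f"no DoH server for {host} reachable via bootstrap {bootstrap_ip}")
```

A live run with the default transports is `bootstrap_and_resolve("https://dns.nextdns.io/<your-id>", "45.90.28.0", "example.com")`, using the anycast bootstrap address the thread reports as working. Two things the code makes concrete: the bootstrap query is the only plaintext a network observer gets (the DoH hostname, not what you look up afterwards), and because the TLS step validates the certificate against the hostname rather than the bootstrapped IP, a spoofed bootstrap answer can only deny service, not silently redirect your DNS. The flip side, as NAS notes, is that if the bootstrap IP you configured stops answering, the whole chain stops with it.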

      • Calvin_Hobbes
      • 3 mths ago

       Thank you!  I was an IT guy, but retired right around the same time as DOH was becoming a thing.   It hadn’t occurred to me that there’s a bootstrapping process needed for DOH, but it totally makes sense now.   I always enjoyed analyzing pcap files for UDP port 53 to see what was happening on the network.   As a user, I’m happy most traffic is getting encrypted now, but I’m sure there’s more pain for the folks who need to figure out why some network application isn’t working 

    • jonathanjone
    • 3 mths ago

    When considering which IPv4 address to use for DNS over HTTPS (DoH) setup, it’s important to ensure that your network configuration aligns with your device's capabilities. If you’re using an Intel Evo laptop, you’ll benefit from its enhanced connectivity features, like Wi-Fi 6 and Thunderbolt 4, which are designed to handle advanced network tasks more efficiently.

    For setting up DoH on your Intel Evo laptop, you can use public IPv4 addresses provided by trusted DNS services such as:

    - Google Public DNS: `8.8.8.8` and `8.8.4.4`
    - Cloudflare: `1.1.1.1` and `1.0.0.1`
    - Quad9: `9.9.9.9` and `149.112.112.112`

    These addresses are known for reliability and security, which should complement the robust networking capabilities of your Intel Evo laptop. Just make sure to update your DNS settings in your network configuration to point to the chosen IPv4 addresses, and your DoH setup should work smoothly on your Intel Evo device.

    Thank You!

    Jonathan Jone
