
NextDNS breaks smart lock Nuki Bridge communication

I am using NextDNS on my iPhone.

At home I am using Nuki Smart Lock with its Bridge (for remote management).

If NextDNS is enabled, my iPhone cannot reach the Nuki Service, see attachment.

The odd thing is that there are no blocked entries in the NextDNS log.

If I disable NextDNS, it works again (see second screenshot).

According to Nuki, the communication is a REST API via port 443.

The 3rd attachment shows the NextDNS entries which appear when the app communicates.

21 replies

    • Calvin_Hobbes
    • 3 yrs ago

    Most likely it’s rebinding protection doing its job. Try disabling rebinding protection.

    • Mike_Brust
    • 3 yrs ago

    Hi, rebinding protection was/is disabled already.

    • Calvin_Hobbes
    • 3 yrs ago

    In that case, you could manually add a rewrite rule as a workaround, although that doesn’t explain or fix the underlying problem.

      • Mike_Brust
      • 3 yrs ago

      Calvin Hobbes the odd thing is that if I am on the mobile network (LTE), I see a successful request.

      I am assuming that Nuki app does not handle well the concept of DNS requests via VPN in iOS.

      Being locally in my wifi (same network as Nuki), no DNS request is being made and the app works just fine.

      • Calvin_Hobbes
      • 3 yrs ago

      Mike Brust when you’re on LTE, it likely resolves to a public address. For local DNS use rewrites. It’s under the settings tab.

      • Mike_Brust
      • 3 yrs ago

      Calvin Hobbes thanks again. But within LAN/local Wifi everything works, no rewrites needed.

      Only when I am on LTE (outside of my network) is the communication broken because of NextDNS.

      at home: with or without NextDNS -> it works


      not at home:

      - with NextDNS -> it does not work, although the request is answered, see above

      - without NextDNS -> it does work as expected


      I am not sure how NextDNS intercepts the requests; I guess it is done by the VPN/network setting, where NextDNS is selected.

      • Calvin_Hobbes
      • 3 yrs ago

      Mike Brust Got it. I misunderstood the original problem. In the image you posted the IP address is not visible.

      Can you do the following:

      At home: show the IP you receive with NextDNS and without NextDNS.

      Away: show the IP you receive with NextDNS and without NextDNS.

      I believe when you are at home, the Internet is not involved. It's Bluetooth. You could probably disable your iPhone WiFi and it will still work. That would be a worthwhile test to see if my theory is correct.

      The smart lock talks to the bridge over Bluetooth. The bridge connects to the server through the Internet. When you use the app outside your home, it connects to the server which talks to the bridge.

      With NextDNS it could be getting the wrong answer for the server. Without NextDNS it gets the correct answer. I have a theory why that is, but let's wait until we know for sure. If I'm right, I will try to explain why. If I'm wrong, it would just make additional confusion :)

      Lastly, do you have an English link to the product information?   If I can view product information, I could do less guessing :)

      • Calvin_Hobbes
      • 3 yrs ago

      Mike Brust In addition to my previous, do you have a Mac? There are some terminal commands that would make diagnostics easier than using the iPhone. Windows could be used too, but I'm more familiar with the Mac terminal.

      One other thing. You said communication is a REST API via port 443. DNS does not care about that. DNS translates a name to an IP address. Once the app knows the IP address, the protocol and port number are handled independently of DNS.

      • Calvin_Hobbes
      • 3 yrs ago

      Mike Brust 

      I did a little bit more checking, because I am curious. Right now at 11:48am in my location or 18:48 GMT, there's no response from nuki.io or sse5.nuki.io.

      I can resolve their IP addresses

      nuki.io 82.165.72.222

      sse5.nuki.io 82.165.250.36

      But a port scan shows nothing there. I cannot load their website. It's possible they block traffic from the US or their servers are down for another reason.

      • Mike_Brust
      • 3 yrs ago

      Calvin Hobbes Good morning, thanks for your updates.

      Details about Nuki Bridge: https://nuki.io/en/bridge/

      Yes, I have a Mac. But the Nuki app only works on the iPhone, and only on the iPhone am I using the NextDNS app.

      Other iPhones without NextDNS are not having any connection issues when on LTE/5G.

      The phone connects via Bluetooth and Wifi (via Bridge).
      So when I am at home and close by the lock, Bluetooth is used and working fine. (see pic, green ring)
      Wifi enabled: the servers&bridge connection is green, too.
      With disabled Wifi (at home) there is no connection between iPhone and Nuki (servers & bridge), see dotted line on the right side of the pic.

      I see a request being made to sse8.nuki.io which is answered with 82.165.250.36 (and also an IPv6 address).

      Once I disable NextDNS on the iPhone, the network connection to Nuki servers & bridge is established immediately.

      On LTE: I always get the same IP address, regardless of whether NextDNS is switched on or off.

      • Mike_Brust
      • 3 yrs ago

      Calvin Hobbes 

      On LTE:

      Changing from NextDNS to automatic: Nuki communication works.
      Changing back to NextDNS: breaks it.

      • Calvin_Hobbes
      • 3 yrs ago

      Mike Brust 

      My original theory was NextDNS was supplying a wrong or different answer than your default DNS.

      The reason I asked about the Mac is not for the app itself, but to use nslookup to query DNS servers.

      As near as I can tell, NextDNS is providing the correct answers, so the problem is a mystery to me.

      Here's how I checked.

      First, use this web-based service to check DNS records from public DNS servers around the world:

      https://dnschecker.org

      You can manually enter sse8.nuki.io and see that every server returns the same answer. (82.165.250.36 is what I see and is the same as what you reported.)

      However, they do not check NextDNS by default. Initially, I used my Mac to query the NextDNS servers directly, but it turns out that's not necessary. The web service allows you to manually add other servers to check. First, go to your own NextDNS setup page and verify which DNS servers YOUR configuration is using. Mine is using 45.90.28.251 and 45.90.30.251.

      You can manually enter those into the site above. For me, the same result is returned. If you want to use a command line on your Mac, you can use the nslookup command like this:

      nslookup sse8.nuki.io 45.90.28.251

      That command says to query the NextDNS server (45.90.28.251) for sse8.nuki.io.

      If you don't include the server, it will query your default server.

      From my location in the US, using my assigned NextDNS server, the answers are consistently the same, 82.165.250.36.

      There's one more piece of the puzzle that just occurred to me, and I will check and make another post here. If you are located in Europe (that's my guess) you are probably sleeping while I'm checking this, and vice versa.

    • Calvin_Hobbes
    • 3 yrs ago

    In my previous message, I mentioned another piece of the puzzle that occurred to me. I will tell you what my thought was, but I don't think it's the answer.

    My thought was it could be due to IPv6. You said you received an IPv6 answer. I am not able to see an IPv6 answer.

    Using the same tool as before, https://dnschecker.org, it appears there's no AAAA reply for sse8.nuki.io (or any hosts at nuki.io).

    My thought was maybe your LTE connection was IPv6. However, if that was the case, it wouldn't matter if you are using NextDNS or your default.

    Unless....you are using a VPN for all traffic, not just DNS. I don't think you are, but maybe?

    Also, I don't understand IPv6 nearly as well as I understand IPv4.

    It would be interesting to see your IPv4 and IPv6 address with NextDNS on and NextDNS off, when you are on LTE. If you are using a VPN the answer will change. If you are not using a VPN, the answer should be the same. The tool is here: https://whatismyipaddress.com

      • Mike_Brust
      • 3 yrs ago

      Calvin Hobbes I think you are hitting something very interesting which may fit my most recent observations.

      I went to a different location with a different wifi, and the connection was established promptly.
      So I can now narrow down the connection issue to the LTE connection only; once I am in a wifi it works.

      And yes, by default my mobile ISP (Deutsche Telekom) provides me with IPv6 addresses; it seems that this is impacting the Nuki app.

      I will perform the test you suggested later today and provide an update. Thanks already in advance.

      • Mike_Brust
      • 3 yrs ago

      Calvin Hobbes 

      Test results:
      Being on LTE, I get the same IP addresses with or without NextDNS.
      It's both IPv4 and IPv6, but IPv6 seems to be preferred (I think).

      On my wifi today I just get an IPv4 address.

      So I really think it has something to do with the IPv6 stack (not necessarily related to NextDNS, but definitely in combination with Nuki and NextDNS).

      • Mike_Brust
      • 3 yrs ago

      Calvin Hobbes sorry for the spam, but I looked further into the IPv6 topic.

      My ISP APN is using an IPv6-only configuration (APN = "internet.v6.telekom"); on the system level I can see that I only get an IPv6 address and somehow they "emulate" an IPv4 address.

      If I change the APN to an earlier version ("internet.telekom") I am getting a real IPv4 and IPv6 address. With this setup, the communication with Nuki works, with and without NextDNS.

      Changing it back to the default IPv6 APN brings back the situation as before.
      With NextDNS, it does not work; without NextDNS it works.

      Current conclusion: the IPv6-only network on LTE in combination with NextDNS causes a (DNS lookup?) failure.
      When I have real IPv4 addresses (e.g. on wifi networks), I have no issue.

      • Calvin_Hobbes
      • 3 yrs ago

      Mike Brust I don't consider your messages to be spam :) I sent you many messages yesterday, right? I hope you don't think they are spam.

      I am retired IT. When I was working, I understood IPv4 pretty well for my job. I understood DNS pretty well too. I never made much effort to understand IPv6 because I didn't have to. IPv6 was slow to become popular. People working in IT today probably cannot avoid it the way I was able to avoid it.

      From what I can tell, some of the problem is with Nuki.io because they do not have IPv6 addresses. There's nothing you can do except maybe complain to them. That rarely works, but maybe if enough people complain they will fix it.

      However, I don't understand why normal DNS works when you are on IPv6 while NextDNS causes a problem. Seems like if normal DNS works, so should NextDNS.

      Anyway, I think you have a good workaround by changing to the earlier version of the APN when you need to access your smart lock. It would be great to know a fix, but sometimes it's too much trouble if you have a reliable workaround.

      What do you think?

      P.S. Maybe I should learn more about IPv6 for fun. I am happy to not need to know it, but learning is fun. In the US, where I live, we have most of the IPv4 addresses, so it's not used as much as in Europe and other places.

      • NextDNs
      • 3 yrs ago

      Calvin Hobbes this is most probably a NAT64 issue. The default DNS is configured with the right DNS64 prefix by the ISP, but this does not happen when a custom DNS is used. DNS64 prefix discovery could work, which is something we are planning to support at some point, but this is not even guaranteed. I would recommend to stay on dual stack if you can (which seems to be the case).
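      To make the NAT64/DNS64 explanation above concrete (and the earlier nslookup comparison of resolver answers), here is an added Python example that is not code from the thread, from NextDNS or from Nuki. It models what an ISP resolver that knows the network's DNS64 prefix answers for an IPv6-only client, versus what a resolver that does not know the prefix answers. The zone data, the name dualstack.example and the prefix 2001:db8:64::/96 are constructed for the example; 64:ff9b::/96 is the RFC 6052 well-known prefix, and the nuki.io addresses are the ones quoted in the thread.

```python
import ipaddress
from typing import Dict, List, Optional

# RFC 6052 well-known prefix; an ISP running NAT64 may use a network-specific /96 instead.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
# Hypothetical network-specific prefix, constructed for this example (documentation range).
ISP_SPECIFIC_PREFIX = ipaddress.IPv6Network("2001:db8:64::/96")

# Constructed sample zone data. The nuki.io answers are the ones quoted in the thread
# (A records only); dualstack.example is a hypothetical name with a real AAAA record.
SAMPLE_ZONE: Dict[str, Dict[str, List[str]]] = {
    "sse8.nuki.io": {"A": ["82.165.250.36"], "AAAA": []},
    "nuki.io": {"A": ["82.165.72.222"], "AAAA": []},
    "dualstack.example": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
}


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 prefix (RFC 6052 layout)."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 DNS64 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    # The low 32 bits of a /96 network address are zero, so OR-ing in the IPv4 value embeds it.
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network) -> Optional[str]:
    """Inverse of synthesize_aaaa, as a NAT64 gateway does it; None if not a synthesized address."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF))


def resolve_aaaa(name: str, zone: Dict[str, Dict[str, List[str]]],
                 dns64_prefix: Optional[ipaddress.IPv6Network]) -> List[str]:
    """Answer an AAAA query the way a recursive resolver would.

    A real AAAA record is returned as-is. If the name only has A records, a
    DNS64-aware resolver (dns64_prefix set) synthesizes AAAA answers; a resolver
    that does not know the prefix (dns64_prefix None) returns an empty answer,
    which leaves an IPv6-only client with nothing to connect to.
    """
    records = zone.get(name)
    if records is None:
        return []
    if records["AAAA"]:
        return list(records["AAAA"])
    if dns64_prefix is None:
        return []
    return [synthesize_aaaa(a, dns64_prefix) for a in records["A"]]


def reachable_from_ipv6_only(name: str, zone: Dict[str, Dict[str, List[str]]],
                             dns64_prefix: Optional[ipaddress.IPv6Network]) -> bool:
    """An IPv6-only client can only open a connection if the AAAA answer is non-empty."""
    return bool(resolve_aaaa(name, zone, dns64_prefix))


if __name__ == "__main__":
    for host in SAMPLE_ZONE:
        isp = resolve_aaaa(host, SAMPLE_ZONE, WELL_KNOWN_PREFIX)
        custom = resolve_aaaa(host, SAMPLE_ZONE, None)
        print(f"{host:20} ISP resolver (DNS64): {isp or 'no AAAA'}")
        print(f"{host:20} custom resolver:      {custom or 'no AAAA'}")
    # The gateway recovers the IPv4 destination from the synthesized address.
    synthesized = synthesize_aaaa("82.165.250.36", WELL_KNOWN_PREFIX)
    print(synthesized, "->", extract_ipv4(synthesized, WELL_KNOWN_PREFIX))
```

      Two details matter for a resolver that wants to fix this itself: the synthesized address only works if it uses the same prefix as the network's NAT64 gateway, so a custom resolver cannot simply assume 64:ff9b::/96, and the prefix discovery NextDNS mentions (RFC 7050) is done by the client querying ipv4only.arpa and inspecting any AAAA it gets back, which is why the post calls it "not even guaranteed".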

      • Calvin_Hobbes
      • 3 yrs ago

      NextDNS excellent. I hope @mike_brust sees this too.

      • Mike_Brust
      • 3 yrs ago

      NextDNS thank you for chipping in, really much appreciated. Indeed, my ISP (Deutsche Telekom) is using DNS64+NAT64. So that fits your statement.

      It's good that you have something in mind, and too bad that there is no clear roadmap.
      But I understand the nature of it now and I have a workaround with the dual-stack APN.

      • Mike_Brust
      • 3 yrs ago

      Calvin Hobbes I did, many many thanks for all your support (as this is not the first time :-)

      Really much appreciated! I owe you a 🍺
