0

NextDns Config id too easily bruteforced

The config id is only 6 alphanumerical long. It is too easily bruteforced. Config id should be at least 12 characters long. What do you think?

16 replies

null
    • Hey
    • 2 yrs ago
    • Reported - view

    I don't think anyone logical would use another person's config. They don't control what they're using and the owner of the profile can see their IP.

    The person would either annoy or be spied upon by the owner so in any logic a person trying to be private is going to lose all privacy if they go that route.

    Tere are also other deterrences in place, you can use the service for free without any limits if you don't want filtering or you can use it for free upto 300k queries. The pricing structure is also meant to be affordable for most people.

    Overall yeah since it's 6 digits, it could be done but in all senses of logic it's not worth it.

    • charcoal_car
    • 2 yrs ago
    • Reported - view

    With 36 choices for each character and 6 characters, that winds up being  36^6 or 2,176,782,336 possibilities - all to use someone else's configuration - with no guarantee that it's even an active profile. 

    Though, it would be a great milestone for NextDNS if they reached that number and had to increase the character set for users.

      • Calvin_Hobbes
      • 2 yrs ago
      • Reported - view

      CC that’s the probability of finding a specific configuration.   The probability of finding an active configuration is much lower and depends on how many active configurations exist.  (Birthday Problem).  Still, nothing to worry about AFAIK

      • charcoal_car
      • 2 yrs ago
      • Reported - view

      Calvin Hobbes Exactly my point.  This is not an issue to be concerned about at all.

    • Asser
    • 2 yrs ago
    • Reported - view

    Once you find 1 config from a emailacc, you would generally find the rest. Right? am I wrong?

    • Asser
    • 2 yrs ago
    • Reported - view

    If one had a supercomputer is it possible to get someones config in a few days?

    • Asser
    • 2 yrs ago
    • Reported - view

    Once you get sommeones config, is it possible for the attacker to launch commands and find out about critical things? Tell me if that is possible?

      • Hey
      • 2 yrs ago
      • Reported - view

      Asser once you get someones config you'd be spied on by then if they have their logs enabled using whatever settings they have without any control.

      At that point using one of the free Adblocking DNS services without any customization is a lot better since you won't be showing up on a different users logs. It's literally the worst decision to make by a "hacker" aka someone using basic tools.

      • Asser
      • 2 yrs ago
      • Reported - view

      Hey so is it basically in a read only state for the attacker? Correct me if I am wrong. So commands cannot be launched from the attacker end and even if it is launched nothing critical or valuable can be used to exploit end to end communications. If so wow isn't that basically impressive? Is that right?

      • Hey
      • 2 yrs ago
      • Reported - view

      Asser It would be hard for someone to find a person's ID, it would simply be an active Configuration profile and all that'll lead to is them getting access to NextDNS servers through your behalf, using your account aka leeching off someone. The only access is that, that ability to use your profile and settings not access or change them but simply use the profile.

      If someone tries to brute an account through, that would be a different story, most people use 2FA and also are people who care about privacy, so I would expect most people to have good security. There are more than likely security measures already to prevent things like bruting either way.

      So the worse case is, some person has their personal info on someones account when they could have used a free account or pay for the service.

      • Asser
      • 2 yrs ago
      • Reported - view

      Hey I understand now. But what if the attacker is hell bent on doing some nasty ddos attack on the server? I do not know how Ddos works but if I may ask is that possible?

      • Hey
      • 2 yrs ago
      • Reported - view

      Asser Their servers would absorb the DDOS just fine.

      Back when Facebook/Instagram had a huge issue where their records were removed and global DNS usage increased by a lot where Adguard and some ISP DNS servers went down globally. NextDNS staff stated that yeah they had an increase but that they can handle far more than that.

      So a simple DDOS wouldn't just take the servers down as there is a huge network, it's from my knowledge by server size the second largest from what I've seen.

      • Asser
      • 2 yrs ago
      • Reported - view

      Hey I understand now. Thanksyou. I have one more question, is it more vulnerable on mobile phones than on pc?

      • Hey
      • 2 yrs ago
      • Reported - view

      Asser I don't understand that question, there shouldn't be any vulnerabilities by using NextDNS. You always use DNS it's either the Carrier/ISPs DNS or NextDNS that can block ads and respects privacy and is far better than their DNS.

      Basically every time you visit a website by going to a URL, you use a DNS service that connects you to the right server. Without it, you'd have to manually type in all the website IPs.

      So you don't become vulnerable by using NextDNS as it does the same job as the ISP, it just monitors and configures your DNS to make it better.

      • Asser
      • 2 yrs ago
      • Reported - view

      Hey Alright I understand now. Thankyou. I am only asking about it because I am getting more downtime on my mobile compared to my pc. The downtime usually last from 20mins to 30mins. Which makes me question alot of stuff. Thankyou for your help.🙂

      • Asser
      • 2 yrs ago
      • Reported - view

      Hey Besides I  don't get any downtime when I am using my pc.

Content aside

  • 2 yrs agoLast active
  • 16Replies
  • 654Views
  • 3 Following