
DNS queries go to the wrong profile ID. Bug in ECS/hostname/SNI?!

Background:

I have had one profile-ID since I started using DNS years ago. Let's call this profile-ID "aaaaaa".

A week ago I created a new profile since my old ID had leaked. Let's call this new profile-ID "bbbbbb".

I decided to keep my old profile "aaaaaa" to check that things were working OK and cleared the log to monitor for any "leaks".

Issue:

I see queries to my old profile "aaaaaa" even though I 100% changed it in all places on my router. I'm 100% sure "aaaaaa" is not used anywhere, so how can queries still reach "aaaaaa"??? It seems to jump between my old profile "aaaaaa" and "bbbbbb". I can see queries for hours in one profile and then it randomly switches to the other. It must be some technical DNS/NextDNS backend issue, since I erased all traces of "aaaaaa" on my side.

More info:

When I surf to "test.nextdns.io" my old profile is sometimes incorrectly shown on line 3. How is this even possible?!

{
    "status": "ok",
    "protocol": "DOQ",
    "profile": "<my_old_profile_id_is_shown_here>",
    "client": "xx.xx.xx.xx",
    "srcIP": "xx.xx.xx.xx",
    "destIP": "188.172.192.71",
    "anycast": false,
    "server": "anexia-cph-1",
    "clientName": "unknown-doq",
    "deviceName": "DK-ANX-DoQ",
    "deviceID": "XXXXX"
}

A "ping.nextdns.io" looks normal:

■ anexia-cph    2 ms  (anycast2, ultralow1)
  zepto-cph     3 ms  (anycast1, ultralow2)
  anexia-osl   10 ms
  zepto-sto    10 ms
  anexia-sto   11 ms
  zepto-osl    11 ms
  zepto-prg    21 ms
  anexia-prg   21 ms
  zepto-waw    22 ms
  zepto-ber    25 ms

The steering looks OK:

;; ANSWER SECTION:
dns1.nextdns.io.    600 IN  CNAME   dns1.steering.nextdns.io.
dns1.steering.nextdns.io. 600   IN  A   188.172.192.71
dns2.nextdns.io.    600 IN  CNAME   dns2.steering.nextdns.io.
dns2.steering.nextdns.io. 600   IN  A   38.175.117.129

It's the same issue for all protocols (DoT, DoQ and DoH3) showing up randomly in the old profile.

The hostname is configured like this: DK-ANX-DoQ-bbbbbb.dns.nextdns.io

One strange thing I noticed is that ECS is now almost revealing my whole original IP except the last digit, and it used to be something generic. Also the subnet shows as "/24/24", which looks incorrect.

dns1.steering.nextdns.io. 0s TXT "ecs: XX.XX.XX.0/24/24"

When I go to the admin portal from a desktop client behind the router, it shows this when it is using the old profile. What mechanism decides the steering/routing to which profile, since it seems to randomly ignore the "hostname/SNI"?! Must be something on "your side".

5 replies

    • NextDNs
    • 11 mths ago

    With DoQ or DoT, SNI is used to get the profile id. The only thing that could override SNI is if you embed the profile id in the DNS query using EDNS0 CPEID.

    The aaaaaa profile id has to be in the request you send somehow for our edge to associate it. There is 0 link between profiles from the point of view of our DNS edges, whether they come from the same account or not.

      • Pro Subscriber ✅
      • Jorgen_A
      • 11 mths ago

      Thanks for your quick answer! :-))

      It is really strange... I'm 100% sure the old "aaaaaa" profile-ID is deleted everywhere, so can't understand how queries can find the old profile. I thought my old profile maybe was some kind of "default location" acting as fallback if there was some issue. It can stick with each profile for a few hours, so it felt like some steering had changed on your side.

      I use DNSProxy from AdGuard with DNS-stamps specified for every upstream server, but have checked every DNS-stamp and they all contain the new "bbbbbb" profile. No EDNS0 feature is activated in my config. There are two options, but I don't use them.

            --edns                       Use EDNS Client Subnet extension
            --edns-addr=                 Send EDNS Client Address
      

      I also tried unlinking my WAN-IP from the old profile, so it is only used with the new profile.

      What happens if I someday delete my old profile and queries are made to it?! Guess I'll have to keep my old profile until I fully trust all queries are going to the new one.

      Will keep an eye in the logs and get back if I find something new!

      • Pro Subscriber ✅
      • Jorgen_A
      • 11 mths ago

      My bad... I found a faulty DNS stamp copied from the old config. 🤯

      Sorry guys... All working fine now again!! 👍
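
A configuration audit for the root cause found above (a stale DNS stamp left in the dnsproxy upstream list), added here as an example and not code from the thread, NextDNS or AdGuard: it decodes the DoT, DoQ and DoH stamp layouts from the DNS Stamps specification and reports every upstream whose embedded profile ID is not the expected one. The sample stamps are constructed with the thread's "aaaaaa"/"bbbbbb" placeholders; that the DoH path carries the profile ID, and that the DoT/DoQ hostname carries it in the first label after an optional device-name prefix (as in the hostname above), are assumptions about the NextDNS endpoint format.

```python
import base64

PROTO = {0x02: "DoH", 0x03: "DoT", 0x04: "DoQ"}  # protocol bytes from the DNS Stamps spec


def _lp(s: str) -> bytes:
    """One-byte length-prefixed string, as used for addr, hostname and path."""
    b = s.encode()
    return bytes([len(b)]) + b


def make_stamp(proto: str, hostname: str, path: str = "") -> str:
    """Constructed stamp: zero props, empty addr, no cert hashes, no bootstrap IPs."""
    code = {v: k for k, v in PROTO.items()}[proto]
    body = bytes([code]) + b"\x00" * 8 + _lp("") + b"\x00" + _lp(hostname)
    if proto == "DoH":
        body += _lp(path)
    return "sdns://" + base64.urlsafe_b64encode(body).decode().rstrip("=")


def _skip_vector(buf: bytes, pos: int) -> int:
    """Skip a vector of length-prefixed items; a set high bit means another item follows."""
    while True:
        n = buf[pos]
        pos += 1 + (n & 0x7F)
        if not n & 0x80:
            return pos


def parse_stamp(stamp: str) -> dict:
    """Decode protocol, hostname and (DoH only) path from a DoH/DoT/DoQ stamp."""
    raw = stamp.removeprefix("sdns://")
    buf = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
    proto = PROTO[buf[0]]
    pos = 9                          # protocol byte + 8-byte props
    pos += 1 + buf[pos]              # addr (IP:port or empty)
    pos = _skip_vector(buf, pos)     # certificate hashes
    host = buf[pos + 1:pos + 1 + buf[pos]].decode()
    pos += 1 + buf[pos]
    path = buf[pos + 1:pos + 1 + buf[pos]].decode() if proto == "DoH" else ""
    return {"protocol": proto, "hostname": host, "path": path}


def profile_id(fields: dict) -> str:
    """Assumed NextDNS layout: DoH has the ID in the path, DoT/DoQ in the first label."""
    if fields["protocol"] == "DoH":
        return fields["path"].strip("/").split("/")[0]
    return fields["hostname"].split(".")[0].rsplit("-", 1)[-1]


def audit(stamps: list[str], expected: str) -> list[tuple[str, str]]:
    """(protocol, profile_id) for every upstream not pointing at the expected profile."""
    found = [(f["protocol"], profile_id(f)) for f in map(parse_stamp, stamps)]
    return [(p, pid) for p, pid in found if pid != expected]
```

Run audit() over the stamps from the dnsproxy upstream list with the new profile ID; an empty result means no upstream still names the old profile.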

      • Bernard.2
      • yesterday

      Hey there, I have a similar issue, but the weird thing is that it does not grab all the queries, just a few and just from one IPv6 address. Where did you verify the configuration?

      • Bernard.2
      • yesterday

      Actually scratch that, I just had the old DNS set in Network settings.

      On the other hand, I noticed that calls to ipv4only.arpa and similar services seem to be logged only if using only the Network settings DNS settings, otherwise they will come in with the full IPv6 address and grouped under Unknown devices cc. @NextDNS
