AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home.html
GNU General Public License v3.0

DNS over TLS - ERR_SSL_PROTOCOL_ERROR #1413

Status: Closed (iganeshk closed this issue 4 years ago)

iganeshk commented 4 years ago

Issue Details

When accessing some websites with DoT, I get:

[screenshot attached: Screenshot_20200216-104116]

TLS settings (running without DNS-over-HTTPS)

tls:
  enabled: true
  server_name: mydomain.com
  force_https: false
  port_https: 0
  port_dns_over_tls: 853
  allow_unencrypted_doh: false
  strict_sni_check: true
  certificate_chain: ""
  private_key: ""
  certificate_path: /path/to/fullchain.pem
  private_key_path: /path/to/key.pem

Additional Information

When trying to access without the DoT, I'm able to access the website.

ameshkov commented 4 years ago

To troubleshoot this issue we need to see AdGuard Home logs.

  1. Configure AdGuard Home to collect logs:
    • Specify log_file
    • Set verbose to True
  2. Restart AdGuard Home and reproduce the issue
  3. Post the log file here.
iganeshk commented 4 years ago

;; QUESTION SECTION:
;my.nextdns.io. IN   A

;; ADDITIONAL SECTION:

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: ; udp: 65535
; SUBNET: 0.0.0.0/0/0
; PADDING: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

2020/02/17 07:48:24 26926#281 [debug] github.com/AdguardTeam/dnsproxy/upstream.(*TLSPool).Get(): Returning existing connection to 9.9.9.9:853 with updated deadLine
2020/02/17 07:48:24 26926#280 [debug] github.com/AdguardTeam/dnsproxy/upstream.(*TLSPool).Get(): Returning existing connection to 1.1.1.1:853 with updated deadLine
2020/02/17 07:48:24 26926#258 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).Resolve(): RTT: 6 ms
2020/02/17 07:48:24 26926#258 [debug] DNSFwd: Checking record A (104.31.89.168) for my.nextdns.io.
2020/02/17 07:48:24 26926#258 [debug] DNSFwd: Checking record A (104.31.88.168) for my.nextdns.io.
2020/02/17 07:48:24 26926#258 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: NOERROR, id: 49062
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;my.nextdns.io. IN   A

;; ANSWER SECTION:
my.nextdns.io.  300 IN  A   104.31.89.168
my.nextdns.io.  300 IN  A   104.31.88.168

;; ADDITIONAL SECTION:

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: ; udp: 1452

2020/02/17 07:48:24 26926#282 [debug] 1 elements serialized via json in 76.655µs: 0 kB, 271/entry, 76.655µs/entry
2020/02/17 07:48:24 26926#282 [debug] ok "/home/apps/AdGuardHome/data/querylog.json": 271 bytes written
2020/02/17 07:48:24 26926#258 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 43214
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

ameshkov commented 4 years ago

Hm, tbh I don't understand what the problem is; everything seems okay.

Could it be that either 9.9.9.9 or 1.1.1.1 return wrong/dead IP address for nextdns?
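
The maintainer's reading of the log above is that resolution itself is fine: the pooled DoT connections to 9.9.9.9:853 and 1.1.1.1:853 are reused, and the answer for my.nextdns.io. is NOERROR with two public A records. The script below is an added example, not part of this issue and not AdGuard Home's own code. It parses dnsproxy-style verbose log lines (a constructed sample modelled on the excerpt above) into the upstream endpoints used and the responses sent to clients, then flags the cases that would point at the DNS path: a non-NOERROR status, no A/AAAA answer, or answers that are unspecified, loopback or private addresses, which is what a sinkhole or a hijacking resolver returns. When this check passes but the browser still shows ERR_SSL_PROTOCOL_ERROR, the fault lies past DNS, on the TCP/TLS path to the answered address. The regexes for the log format are inferred from the excerpt, not taken from any documented interface, and may need adjusting for other versions.

```python
"""Triage an AdGuard Home (dnsproxy) verbose log: did the DNS path return a
usable answer, or does a failure lie beyond DNS?  Added example for this
thread, not AdGuard Home code; the line patterns are inferred from the
excerpt posted above, not from a documented format."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample, modelled on the excerpt in the issue (not a real capture).
SAMPLE_LOG = """\
2020/02/17 07:48:24 26926#281 [debug] github.com/AdguardTeam/dnsproxy/upstream.(*TLSPool).Get(): Returning existing connection to 9.9.9.9:853 with updated deadLine
2020/02/17 07:48:24 26926#280 [debug] github.com/AdguardTeam/dnsproxy/upstream.(*TLSPool).Get(): Returning existing connection to 1.1.1.1:853 with updated deadLine
2020/02/17 07:48:24 26926#258 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: NOERROR, id: 49062
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;my.nextdns.io. IN   A

;; ANSWER SECTION:
my.nextdns.io.  300 IN  A   104.31.89.168
my.nextdns.io.  300 IN  A   104.31.88.168

;; ADDITIONAL SECTION:

2020/02/17 07:48:24 26926#282 [debug] ok "/home/apps/AdGuardHome/data/querylog.json": 271 bytes written
"""

TS_LINE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} ")
UPSTREAM_RE = re.compile(r"\(\*TLSPool\)\.Get\(\): Returning existing connection to (\S+)")
OUT_RE = re.compile(r"logDNSMessage\(\): OUT: ;; opcode: (\w+), status: (\w+), id: (\d+)")
SECTION_RE = re.compile(r"^;; (\w+) (?:PSEUDO)?SECTION:$")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


@dataclass
class Response:
    id: int
    status: str
    question: Optional[str] = None
    answers: List[Tuple[str, int, str, str]] = field(default_factory=list)  # name, ttl, type, rdata


def parse_upstreams(log: str) -> List[str]:
    """Upstream DoT endpoints the TLS connection pool handed out."""
    return [m.group(1) for m in (UPSTREAM_RE.search(l) for l in log.splitlines()) if m]


def parse_responses(log: str) -> List[Response]:
    """Collect the dig-style 'OUT:' dumps, i.e. the answers sent back to clients."""
    responses: List[Response] = []
    current: Optional[Response] = None
    section = None
    for line in log.splitlines():
        m = OUT_RE.search(line)
        if m:
            current = Response(id=int(m.group(3)), status=m.group(2))
            responses.append(current)
            section = None
            continue
        if current is None:
            continue
        if TS_LINE.match(line):          # next timestamped entry ends the dump
            current = None
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
        elif section == "QUESTION" and line.startswith(";"):
            current.question = line[1:].split()[0]
        elif section == "ANSWER" and (rr := RR_RE.match(line)):
            current.answers.append((rr.group(1), int(rr.group(2)), rr.group(3), rr.group(4).strip()))
    return responses


def dns_path_healthy(resp: Response) -> bool:
    """NOERROR plus at least one A/AAAA answer, all globally routable. Unspecified,
    loopback or private answers are what a sinkhole or hijacking resolver returns."""
    if resp.status != "NOERROR":
        return False
    addrs = []
    for _name, _ttl, rtype, rdata in resp.answers:
        if rtype in ("A", "AAAA"):
            try:
                addrs.append(ipaddress.ip_address(rdata))
            except ValueError:
                return False                 # malformed rdata is not a usable answer
    return bool(addrs) and all(a.is_global for a in addrs)


def diagnose(log: str) -> str:
    """One-line verdict, automating the maintainer's reading of the log."""
    responses = parse_responses(log)
    if not responses:
        return "no responses logged: check that verbose is on and log_file is set"
    bad = [r for r in responses if not dns_path_healthy(r)]
    if bad:
        return "DNS path suspect: " + ", ".join(f"id {r.id} {r.status} ({len(r.answers)} answers)" for r in bad)
    return ("DNS path healthy via " + ", ".join(parse_upstreams(log))
            + "; a browser TLS error then points past DNS, at the TCP/TLS path to the answered address")
```

Run it against a real verbose log with `diagnose(open("AdGuardHome.log").read())`; the verdict only separates "DNS returned something unusable" from "DNS looks fine", which is exactly the split that mattered in this thread.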

iganeshk commented 4 years ago

After quite some time debugging, I found out that Comcast is behind this issue regardless of the DNS being used. They're going after custom DNS services now.

Edit: If anyone else stumbles upon this, it's "xFi Advanced Security".

ameshkov commented 4 years ago

They're going after custom DNS services now.

Wow what? Do they block all traffic to port 853?

iganeshk commented 4 years ago

Actually, Comcast/Xfinity's so-called "xFi Advanced Security" cuts my access to nextdns.io and my.nextdns.io regardless of the DNS server I was using. The errors stated in the first post are what I receive when I try to access the website. I reached out to the Nextdns team about this:

Hi Ganesh,

Several users reported that issue. We tried contacting them, but the only answer we managed to get was that we should just tell our users to disable their security feature. You may want to contact them; if enough customers complain, perhaps they will move… Sorry about that.

  • Olivier Poitrey