AdguardTeam / dnsproxy

Simple DNS proxy with DoH, DoT, DoQ and DNSCrypt support
Apache License 2.0

Does DNSProxy pick the wrong servers?! #291

Closed iJorgen closed 1 year ago

iJorgen commented 1 year ago

I'm not sure if this is a DNSProxy issue or NextDNS. My issue is that I have to use unencrypted bootstrap servers against NextDNS servers, or else I get slower servers with AnyCast (45.90.28.1 and 45.90.30.1). I'll try to explain...

When I dig dns.nextdns.io unencrypted against NextDNS I get this answer with the two best Ultralow-servers closest to me:

;; ANSWER SECTION:
steering.nextdns.io.    60  IN  A   188.172.192.71
steering.nextdns.io.    60  IN  A   192.36.27.86

...but when I dig dns.nextdns.io with any other DNS resolver (like 1.1.1.1 or using secure protocols), the results are different, and DNSProxy seems to pick the two servers under "AUTHORITY SECTION" (ns1.nextdns.io and ns2.nextdns.io) as the servers to use in upstream/fallback instead of the ones under "ANSWER SECTION" below, as it does above.

;; ANSWER SECTION:
steering.nextdns.io.    60  IN  A   192.36.27.86
steering.nextdns.io.    60  IN  A   188.172.192.71

;; AUTHORITY SECTION:
steering.nextdns.io.    234 IN  NS  ns1.nextdns.io.
steering.nextdns.io.    234 IN  NS  ns2.nextdns.io.

So my question is... Shouldn't DNSProxy pick the servers under the "ANSWER SECTION" like it does in the first example? Unencrypted queries for resolving all upstream/fallback servers feel like a big security risk if the answers are spoofed and point to a false DNS server.

ameshkov commented 1 year ago

"DNSProxy seems to pick the two servers under "AUTHORITY SECTION""

This is definitely not possible: the authority section is like a "signature"; its contents cannot be used as a resolution result.

If you enable verbose logging in dnsproxy it should be clear which IP addresses it chooses.
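
As an added illustration of the maintainer's point (not code from dnsproxy or from either commenter), the Python below builds a constructed DNS response shaped like the second dig output in the issue, parses it, and shows that addresses come only from A records in the ANSWER section; the NS records in the AUTHORITY section are names, not resolvable upstream addresses. The wire format follows RFC 1035; the names and IPs are the ones quoted above.

```python
import struct

def _encode_name(name):  # dotted name -> DNS wire format, no compression
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_response(qname, a_records, ns_records):
    """Constructed response: A records in ANSWER, NS records in AUTHORITY."""
    hdr = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, len(a_records), len(ns_records), 0)
    msg = hdr + _encode_name(qname) + struct.pack(">HH", 1, 1)   # QTYPE A, QCLASS IN
    owner = b"\xc0\x0c"  # compression pointer to the question name at offset 12
    for ip in a_records:
        rdata = bytes(int(o) for o in ip.split("."))
        msg += owner + struct.pack(">HHIH", 1, 1, 60, 4) + rdata
    for ns in ns_records:
        rdata = _encode_name(ns)
        msg += owner + struct.pack(">HHIH", 2, 1, 234, len(rdata)) + rdata
    return msg

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # pointer: follow it, then stop
            target = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(msg, target)[0])
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode())
        off += ln

def answer_addresses(msg):
    """Return (A addresses from ANSWER, NS names from AUTHORITY) of a response."""
    qd, an, ns = struct.unpack(">HHH", msg[4:10])
    off = 12
    for _ in range(qd):                 # skip the question section
        off = _read_name(msg, off)[1] + 4
    ips, authority = [], []
    for i in range(an + ns):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if i < an and rtype == 1:       # A record in ANSWER: usable as an upstream IP
            ips.append(".".join(str(b) for b in msg[off:off + rdlen]))
        elif i >= an and rtype == 2:    # NS record in AUTHORITY: a name, not an address
            authority.append(_read_name(msg, off)[0])
        off += rdlen
    return ips, authority
```

Only the first list is something a proxy could dial; the second would still need its own resolution, which is why a bootstrap result cannot come from the authority section.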

iJorgen commented 1 year ago

Thanks for your answer; I will try verbose logging. It seems like my routing has changed, so I opened a case with NextDNS. I tried AdGuard DNS meanwhile and it has developed quite nicely, so I'll maybe switch over... :-)