DNS pointing to a Kazakhstan server: anyone seen this?

Mister2088

Regular Contributor
Hi Team, I am on the last 388.7 firmware version, first of all. I noticed by doing a DNS leak test that DNS points to some KG server (185.211.231.155), although my configuration uses DoT with Quad9 and CleanBrowsing.
Has anyone seen this? Is DNS somehow 'poisoned'? Any suggestions?
In the meantime, I'll reboot my router to see if it clears.
 
That IP address belongs to KG-IX, an internet exchange / transit provider. Quad9 lists KG-IX as their server location for Kyrgyzstan. So if that shows up on a DNS leak test, then your ISP is routing you to that Quad9 POP. When using Quad9, you’ll never see “Quad9” in a dns leak test. Instead, you’ll see the server belonging to whatever transit provider Quad9 has peered with. For example, I’m located in Canada (in the Toronto area) and I’m using Quad9…my leak test shows an IP address belonging to PCH (Packet Clearing House) and ISP shows WoodyNet, which is what Quad9 uses for their servers located at the Toronto Internet Exchange.

Where are you located and who’s your ISP?
 
I am in Pickering with Rogers. I have never seen this before in any DNS leak tests, thus I was worried. I usually see WoodyNet as you mentioned. Makes you wonder how the best servers are chosen.
How did you find that KG-IX belongs to Quad9?
 

That’s very strange. I’m also with Rogers and always see WoodyNet. I’ve never seen Rogers routing to locations outside of Canada and US (sometimes they route to the New York Internet Exchange).

Can you post a screenshot of how you have your DNS settings configured in your router?
 
Never mind, I found it on the Quad9 website. Initially, I thought I was somehow hacked. But now I am not worried. I still wonder how Rogers peers the best Quad9 server. I would think it would choose a GTA location or even somewhere like Chicago.
 
You should not be routed to Kyrgyzstan. Contact Quad9 support. They need to look into this.
 
 

Attachment: dns_temp.jpg
I can confirm there’s a problem with Quad9 and Rogers ISP. I’m now also seeing KG-IX in my dns leak tests. I’ve contacted Quad9 support. Will provide an update here when I hear back.
 
FYI, just did another leak test and it is back to normal again re: choosing WoodyNet in NYC. I guess it was a temporary glitch.
 
I heard back from them. There was a routing leak in Asia that started yesterday. It’s now resolved. They had to shut down the KG POP and they’re still investigating how it happened.

I just ran a dns leak test too and I don’t see KG anymore either. I see the usual Toronto and New York servers. All good again but I’m still concerned that this happened…
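
Added example, not part of any post in this thread: a resolver can be asked directly which node answered by sending a TXT query for `id.server` in class CHAOS (RFC 4892), which Quad9 answers, so an unexpected POP can be flagged without a web leak test. The `<host>.<site>.<domain>` layout of the returned name, the expected site codes and the sample reply are assumptions constructed for illustration.

```python
import socket
import struct

EXPECTED_SITES = {"yyz", "lga"}  # assumption: site codes you normally see

def build_query(txid=0x5139):
    """TXT/CHAOS query for id.server (RFC 4892 resolver identity)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + b"\x02id\x06server\x00" + struct.pack(">HH", 16, 3)  # TXT, CH

def skip_name(msg, off):  # offset just past a (possibly compressed) name
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer is 2 bytes
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_server_id(msg):
    """Return the first TXT string of the first answer record."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F or an == 0:
        raise ValueError("resolver returned an error or no answer")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    off = skip_name(msg, off)
    rtype, _, _, _ = struct.unpack(">HHIH", msg[off:off + 10])
    if rtype != 16:
        raise ValueError("first answer is not a TXT record")
    txt_len = msg[off + 10]
    return msg[off + 11:off + 11 + txt_len].decode("ascii", "replace")

def check_pop(server_id, expected=EXPECTED_SITES):
    """Return (ok, site); assumes the second label is the site code."""
    labels = server_id.lower().split(".")
    site = labels[1] if len(labels) > 2 else ""
    return site in expected, site

def query_pop(resolver="9.9.9.9", timeout=3.0):  # live lookup, needs network
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(), (resolver, 53))
        return parse_server_id(s.recv(512))

def sample_response(server_id):
    """Constructed reply for offline use, not captured traffic."""
    txt = server_id.encode()
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 16, 3, 0, len(txt) + 1)
    header = struct.pack(">HHHHHH", 0x5139, 0x8180, 1, 1, 0, 0)
    return header + build_query()[12:] + rr + bytes([len(txt)]) + txt
```

Running `check_pop(query_pop())` on a schedule and alerting when the first element is `False` would surface a change of POP like the one discussed here. A query sent this way travels over plain UDP, so it shows the anycast path from the machine running it, not necessarily the path the router's DoT session takes.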
 
What DNS leak test are you running?
 
Thank you! Thought I was the only one having issues with Quad9 routing DNS traffic to Kazakhstan. Have transferred to NextDNS + ControlD (I'm in Canada), and my latency now is even less at 30ms versus Quad9 in Chicago, which is around 150ms.
 
I’ve switched to CIRA (Canadian Shield). Giving them a try. I like the fact that all my DNS queries stay in-country instead of being routed to the US (or worse…half way around the world 🙂). So far, so good. My pings are better than they were with Quad9. They’re almost as good as my pings are with my ISP’s (Rogers) DNS.

 
Research the history of CIRA management and who's behind it. You may want to switch to something else.
 
I looked at their leadership team, read their privacy policy, and read up a bit on who they are, etc. but nothing is jumping out at me. What should I be concerned about?
 