Intermittent DNS failures

[Tech9]

Without access to my DNS queries they only know the IP I'm connecting to.

IP is enough. I worked on a project to reverse DNS queries based on other information. The accuracy is remarkable. If someone wants to do it, they can. I also use Unbound, it's the default DNS server in pfSense. My point is - there is no perfect solution. There are pros and cons in every approach.

Our common ISP (iirc) has been pretty clear

True. One of the reasons I pay them a bit more for 2x residential lines. Still, there is a crook company protecting intellectual rights in Toronto. They are seeding torrents and wait for someone to bite. They have forced our ISP to send copyright infringement letters. One step closer to requesting the logs.

 

[sbsnb]

Still, there is a crook company protecting intellectual rights in Toronto. They are seeding torrents and wait for someone to bite.

Sounds like a fun project to find their IP space and then report them to their upstream provider for seeding torrents.

 

[Tech9]

Sounds like a fun project

This is how it works: A company somewhere holds the rights for not very popular or xxx movies. They upload the content online themselves and create torrents, then monitor who is downloading the content. When downloading via torrents you become copyright material uploader as well. This is the catch - you distribute their copyright material. Then a layer is hired to send scary letters with out of court settlement offers. According to the rules, the ISP has to forward the letters to corresponding parties. The scammers don't have your name and address yet, but the ISP has it. You get the mail and start freaking out. The moment you reply, the scammer gets your real identity to proceed further asking for money, this time pointed not to an IP, but to you - the real person. They don't bother to get court orders because it costs money, but rely on scare tactics. And some people get burned.

 

[sfx2000]

IP is enough. I worked on a project to reverse DNS queries based on other information. The accuracy is remarkable. If someone wants to do it, they can.

I used to be in the mobile carrier space - yes, one can be tracked very easily, and DNS isn't necessary to do it.

Much of this is to support CALEA warrants, which have broad scope and coverage.

 

[Tech9]

yes, one can be tracked very easily

Some public VPN, public DNS and TOR relays are created with this purpose. No court order fees - the information comes straight to who pays for the show. It's really entertaining to see how people fall for promises or rely on beliefs, provide the information voluntarily and even pay for the service.

 

[jsbeddow]

Some public VPN, public DNS and TOR relays are created with this purpose. No court order fees - the information comes straight to who pays for the show. It's really entertaining to see how people fall for promises or rely on beliefs, provide the information voluntarily and even pay for the service.

Interesting...care to name some names?

 

[Zastoff]

Some public VPN, public DNS and TOR relays are created with this purpose. No court order fees - the information comes straight to who pays for the show. It's really entertaining to see how people fall for promises or rely on beliefs, provide the information voluntarily and even pay for the service.

That why i use Anonymized DNSCrypt and set it with 5+ DNS servers with a minimum of 3 relays servers to each and set load balancing on these servers to "random" and relays are randomized also.. Use dnscrypt ephemeral keys to help prevent fingerprinting devices and many lookups will be cached(Unbound is faster and cache more) and set work/school related devices in DNS-Filter and use the routers VPN-servers when i am not at home.
ISP can still get the SNI part(if they look for it) but will take the DNS server operators some "time and work" to get a complete picture i think.
Tried and sometimes use ODoH in combination with anonymized DNSCrypt but ODoH is not as stable and it has less servers and relays to choose from at the moment.
Choice of browsers is important also i think.. mostly browse with Bromite and Brave on some other devices, Also try too use /E/ OS on devices that support it.

 

[heysoundude]

True. One of the reasons I pay them a bit more for 2x residential lines. Still, there is a crook company protecting intellectual rights in Toronto. They are seeding torrents and wait for someone to bite. They have forced our ISP to send copyright infringement letters. One step closer to requesting the logs.

I use a French company with initials R-D, so it looks like I'm getting data (cached sources for streaming) from their website for the logs - I'm not the pirate, "somebody else" (lots of somebodies) is. There are others, in case the legal beagles manage to force them out of business...and there will be others still to replace those if the same should happen.
(xbian [JeOS debian bullseye] kodi [current] with appropriate addons and ~$0.10/day R-D subscription on RasPi has been working like a charm for 2+ yrs - FOSS is fun)

{apologies to mods if this breaches ToS - remove at your discretion, with my apologies}

 

[sbsnb]

This is how it works: A company somewhere holds the rights for not very popular or xxx movies. They upload the content online themselves and create torrents, then monitor who is downloading the content. When downloading via torrents you become copyright material uploader as well. This is the catch - you distribute their copyright material. Then a layer is hired to send scary letters with out of court settlement offers. According to the rules, the ISP has to forward the letters to corresponding parties. The scammers don't have your name and address yet, but the ISP has it. You get the mail and start freaking out. The moment you reply, the scammer gets your real identity to proceed further asking for money, this time pointed not to an IP, but to you - the real person. They don't bother to get court orders because it costs money, but rely on scare tactics. And some people get burned.

That's why I say it would be fun to get their upstream service disconnected, if only temporarily, by playing their DMCA game with them.

 

[sbsnb]

I'm still experiencing this intermittent outage using Quad 9 servers. I discovered quite by accident that if you leave the browser sitting at the NXDOMAIN error page, eventually the page loads anyway.

 

[Tech9]

I'm still experiencing this intermittent outage using Quad 9 servers.

For me, Quad9 was never as reliable as Google or OpenDNS. I do not recommend Quad9 anymore.

Interesting...care to name some names?

If you use public VPN service with user agreement saying they reserve the right to terminate your service because of detected illegal activity (or similar wording), you may get the idea. If they keep no logs whatsoever, how they are going to link the illegal activity to your IP? Also, the VPN company may promise to keep no logs and never sell your data, but they may share your data with interested parties and someone else may be doing logs. Good chance, if your VPN is registered or operates (has servers) in one of five/nine/fourteen eyes countries.

 

[sbsnb]

Also, the VPN company may promise to keep no logs and never sell your data, but they may share your data with interested parties and someone else may be doing logs. Good chance, if your VPN is registered or operates (has servers) in one of five/nine/fourteen eyes countries.

Also, most privacy policies are not legally binding contracts. If the provider violates their privacy policy there's no remedy, so effectively they're meaningless.

 

[Agoldstein54]

I am having the exact same issue, started very randomly!

I am running 386.5 on RT-AX88U. I updated my DNS crypt to the latest version, reset the configuration file for it, but issue randomly persists.

Have we determined where this is going wrong? is it a generic firmware issue or specific to dns crypt?

 

[Zastoff]

I am having the exact same issue, started very randomly!

I am running 386.5 on RT-AX88U. I updated my DNS crypt to the latest version, reset the configuration file for it, but issue randomly persists.

Have we determined where this is going wrong? is it a generic firmware issue or specific to dns crypt?

The issue can be a lot of different things, Browser, cache,DNS servers and os related i think.
@sbsnb tried both with and without dnscrypt-proxy and get NX-domain anyway
Here is link i found maybe it can help:

How to Fix DNS_PROBE_FINISHED_NXDOMAIN (Desktop & Mobile)

What is the DNS_PROBE_FINISHED_NXDOMAIN error in Chrome? This occurs when the DNS fails to lookup an IP address while accessing a website.

kinsta.com

 

[jj22038]

I'm getting these messsages also, but it hadn't occured to me that this might possibly be related to the router. Mine happen a few times a week, and a refresh is usually successful on the first try. I've seen this on MacOs Big Sur on Fiirefox, Safari, and Chrome, with various combinations of DNS server settings and DNS addresses in the router LAN / Dhcp Server page, assuming it was the external DNS servers (I'm an engineer; I know this statement is useless ).

The next time this happens I'll check the router log right away. What else can I do to chase this down? I'm willing to do more structured testing (not just the useless "I wonder if this will work" hail mary pass).

 

[sbsnb]

OK. This is now certainly a router problem and not a DNS server or network issue. I know because it just happened with an internal LAN machine. Meaning I'm getting a failure to resolve while trying to hit another machine on the lan.

nslookup myPC
Server:  RT-AX86U-AR28.foo.lan
Address:  192.168.1.1

*** RT-AX86U-AR28.foo.lan can't find myPC: Non-existent domain

The myPC machine is visible in network map and dhcp leases and is reachable by IP.

 

[sbsnb]

Even from the router console:

admin@RT-AX86U-AR28:/tmp/home/root# nslookup myPC 192.168.1.1
Server:    192.168.1.1
Address 1: 192.168.1.1 RT-AX86U-AR28.foo.lan

nslookup: can't resolve 'myPC'

 

[Ptax213]

I've been having this issue for a while now. I tried Google DNS servers, OpenDNS servers, and now on Quad9 servers and I still get the problem. It's intermittent and happens on big sites (like facebook, twitter, reddit, etc.) and resolves after a few refreshes so it's been hard to pinpoint.

I have an RT-AC68U currently on 386.5_2 and I've had this problem for probably a year or longer now. I don't have any addons, but I had DNSSEC and DoT turned on so I'll try turning it off to see if makes a difference.

 

[ColinTaylor]

Even from the router console:

admin@RT-AX86U-AR28:/tmp/home/root# nslookup myPC 192.168.1.1
Server:    192.168.1.1
Address 1: 192.168.1.1 RT-AX86U-AR28.foo.lan

nslookup: can't resolve 'myPC'

From the router what do you get for these?

cat /etc/resolv.conf
cat /tmp/resolv.dnsmasq

 

[sbsnb]

From the router what do you get for these?

cat /etc/resolv.conf
cat /tmp/resolv.dnsmasq

admin@RT-AX86U-AR28:/tmp/home/root# cat /etc/resolv.conf
nameserver 127.0.1.1
admin@RT-AX86U-AR28:/tmp/home/root# cat /tmp/resolv.dnsmasq
server=127.0.1.1