cancel
Showing results for 
Search instead for 
Did you mean: 

Why have Plusnet blocked secure DNS?

pv
Grafter
Posts: 84
Thanks: 8
Registered: ‎12-06-2019

Re: Why have Plusnet blocked secure DNS?

@Swipe you're one hop away from success there. For some reason Nextdns are firewalling your IP at the last hop.

edwh
Rising Star
Posts: 51
Thanks: 20
Registered: ‎16-10-2015

Re: Why have Plusnet blocked secure DNS?

With Plusnet Safeguard DNS server addresses 213.120.234.42 and 213.120.234.38 in use:

Traceroute has started…

traceroute to 1dot1dot1dot1.cloudflare-dns.com (81.130.111.239), 64 hops max, 72 byte packets
 1  fritz.box (192.168.0.1)  0.676 ms  0.346 ms  0.229 ms
 2  195.166.130.248 (195.166.130.248)  4.979 ms  4.277 ms  4.713 ms
 3  84.93.253.71 (84.93.253.71)  5.258 ms  5.277 ms  5.224 ms
 4  195.99.125.144 (195.99.125.144)  5.825 ms  5.216 ms  5.157 ms
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  *

It never resolves.

However, fire up a VPN:

Traceroute has started…

traceroute: Warning: 1dot1dot1dot1.cloudflare-dns.com has multiple addresses; using 1.0.0.1
traceroute to 1dot1dot1dot1.cloudflare-dns.com (1.0.0.1), 64 hops max, 72 byte packets
 1  172.18.13.1 (172.18.13.1)  6.680 ms  5.681 ms  6.033 ms
 2  88.202.231.1.static.midphase.com (88.202.186.1)  6.867 ms  30.492 ms  8.754 ms
 3  88.202.187.181.static.midphase.com (88.202.187.181)  6.945 ms  6.859 ms  6.696 ms
 4  83.170.70.129 (83.170.70.129)  6.204 ms  6.428 ms  15.063 ms
 5  92.60.249.45 (92.60.249.45)  11.263 ms  47.463 ms  33.781 ms
 6  ae10.cr10-lon2.ip4.gtt.net (89.149.128.214)  6.690 ms  6.478 ms  16.606 ms
 7  ip4.gtt.net (87.119.96.150)  7.899 ms  9.726 ms  17.819 ms
 8  one.one.one.one (1.0.0.1)  6.650 ms  8.225 ms  12.096 ms

Success every time.

I'm on a static IP 212.159.x.x.

pv
Grafter
Posts: 84
Thanks: 8
Registered: ‎12-06-2019

Re: Why have Plusnet blocked secure DNS?

Plusnet may have intentionally altered the DNS for 1dot1dot1dot1.cloudflare-dns.com when Safeguard is enabled since it bypasses Safeguard.

 

one.one.one.one works though.

pv
Grafter
Posts: 84
Thanks: 8
Registered: ‎12-06-2019

Re: Why have Plusnet blocked secure DNS?

Safeguard does indeed change the DNS of known DoT servers as evidenced below.

 

@bobpullen is this as intended?

 

 

C:\>nslookup dns.google
Server: dsldevice.lan
Address: 192.168.1.254

Non-authoritative answer:
Name: dns.google
Address: 81.130.111.239

 

 

C:\>nslookup 1dot1dot1dot1.cloudflare-dns.com
Server: dsldevice.lan
Address: 192.168.1.254

Non-authoritative answer:
Name: 1dot1dot1dot1.cloudflare-dns.com
Address: 81.130.111.239

 

 

C:\>nslookup dns.quad9.net
Server: dsldevice.lan
Address: 192.168.1.254

Non-authoritative answer:
Name: dns.quad9.net
Address: 81.130.111.239

 

bobpullen
Community Gaffer
Community Gaffer
Posts: 16,930
Thanks: 5,016
Fixes: 317
Registered: ‎04-04-2007

Re: Why have Plusnet blocked secure DNS?

That's an interesting observation. Let me ask some questions next week.
For reference: Safeguard resolvers are 213.120.234.42 & 213.120.234.38.
Two of the default Plusnet resolvers are 212.159.6.9 & 212.159.6.10.
Just in case anyone wants to compare lookups between the two (I'm away from a computer at the moment).

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

bobpullen
Community Gaffer
Community Gaffer
Posts: 16,930
Thanks: 5,016
Fixes: 317
Registered: ‎04-04-2007

Re: Why have Plusnet blocked secure DNS?

Safeguard looks to be categorising these hostnames as annonymisers.
I wonder if this was the case before the problem began Huh

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

pv
Grafter
Posts: 84
Thanks: 8
Registered: ‎12-06-2019

Re: Why have Plusnet blocked secure DNS?

It seems like a logical block @bobpullen . Android allows DoT servers to be specified, which would be an easy way for children to bypass Safeguard. This DNS mangling prevents it.

VileReynard
Hero
Posts: 12,616
Thanks: 579
Fixes: 20
Registered: ‎01-09-2007

Re: Why have Plusnet blocked secure DNS?

You wouldn't be inviting your ISP to manipulate your traffic if you are using DoT.

I don't have "Safeguard".

Going by the example in https://developers.cloudflare.com/1.1.1.1/dns-over-tls 

I tried:-

kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com  community.plus.net
;; DEBUG: Querying for owner(community.plus.net.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 126 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 52864
;; Flags: qr rd ra; QUERY: 1; ANSWER: 6; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; PADDING: 259 B

;; QUESTION SECTION:
;; community.plus.net. 		IN	A

;; ANSWER SECTION:
community.plus.net. 	86363	IN	CNAME	aptgm87544.lithium.com.
aptgm87544.lithium.com.	862	IN	CNAME	d14xs8zr41zt1m.cloudfront.net.
d14xs8zr41zt1m.cloudfront.net.	22	IN	A	99.84.10.50
d14xs8zr41zt1m.cloudfront.net.	22	IN	A	99.84.10.7
d14xs8zr41zt1m.cloudfront.net.	22	IN	A	99.84.10.108
d14xs8zr41zt1m.cloudfront.net.	22	IN	A	99.84.10.23

;; Received 468 B
;; Time 2020-07-25 21:41:47 BST
;; From 1.1.1.1@853(TCP) in 7.2 ms

Which would seem to indicate that DoT works for 1.1.1.1 (for me, in this instance)

"In The Beginning Was The Word, And The Word Was Aardvark."

pv
Grafter
Posts: 84
Thanks: 8
Registered: ‎12-06-2019

Re: Why have Plusnet blocked secure DNS?


@VileReynard wrote:

You wouldn't be inviting your ISP to manipulate your traffic if you are using DoT.

 


 

 

Equally if you have enabled Safeguard you wouldn't want it to be a piece of cake for your children to be able to circumvent it. 

VileReynard
Hero
Posts: 12,616
Thanks: 579
Fixes: 20
Registered: ‎01-09-2007

Re: Why have Plusnet blocked secure DNS?


@pv wrote:

Equally if you have enabled Safeguard you wouldn't want it to be a piece of cake for your children to be able to circumvent it. 


Never trust a computer to raise your children.

Try getting a human to teach them what to avoid or at least where to tread warily, if that is not too much trouble...

"In The Beginning Was The Word, And The Word Was Aardvark."

pv
Grafter
Posts: 84
Thanks: 8
Registered: ‎12-06-2019

Re: Why have Plusnet blocked secure DNS?


@VileReynard wrote:


Never trust a computer to raise your children.

Try getting a human to teach them what to avoid or at least where to tread warily, if that is not too much trouble...


 

Safeguard is not a suitable replacement for parenting, but technology can be a useful aid sometimes.

Swipe
Grafter
Posts: 45
Thanks: 6
Fixes: 2
Registered: ‎30-05-2010

Re: Why have Plusnet blocked secure DNS?

Here are my results from my Mother's ADSL connection where NextDNS DoT works fine:

IP:     143.159.XXX.XXX

[swipe@laptop ~]$ traceroute 45.90.28.14
traceroute to 45.90.28.14 (45.90.28.14), 30 hops max, 60 byte packets
 1  _gateway (192.168.1.254)  54.038 ms  54.456 ms  65.568 ms
 2  * * *
 3  * * *
 4  132.hiper04.sheff.dial.plus.net.uk (195.166.143.132)  96.983 ms  100.029 ms 128.hiper04.sheff.dial.plus.net.uk (195.166.143.128)  99.339 ms
 5  195.99.125.140 (195.99.125.140)  99.834 ms 195.99.125.144 (195.99.125.144)  100.103 ms  100.589 ms
 6  peer8-et-0-1-1.telehouse.ukcore.bt.net (109.159.252.150)  100.883 ms peer8-et-0-0-1.telehouse.ukcore.bt.net (62.172.103.170)  47.287 ms peer8-et-0-1-1.telehouse.ukcore.bt.net (109.159.252.150)  52.368 ms
 7  5.226.136.50 (5.226.136.50)  42.174 ms  35.765 ms  35.338 ms
 8  ae1.rt1-cr.ldn.as25369.net (5.226.136.39)  40.958 ms  40.990 ms  39.566 ms
 9  ae7.31-cs0-cr.ldn.as25369.net (185.38.150.227)  55.591 ms  45.682 ms  55.951 ms
10  fwd-1.crd.lon07.gb.misaka.io (45.11.107.160)  37.246 ms  39.161 ms  35.692 ms
11  * * *
12  * * *
13  * * *

 

Note that the traceroute still doesn't reach its destination (the same as on my home connection) but DoT works fine on my android phone for xxxxxx.dns.nextdns.io

bobpullen
Community Gaffer
Community Gaffer
Posts: 16,930
Thanks: 5,016
Fixes: 317
Registered: ‎04-04-2007

Re: Why have Plusnet blocked secure DNS?


@pv wrote:

It seems like a logical block @bobpullen . Android allows DoT servers to be specified, which would be an easy way for children to bypass Safeguard. This DNS mangling prevents it.



True. However you could argue that specifying alternate plain text DNS resolvers does the same 😉

There's also the question of how things should behave if you have Safeguard enabled, but the majority of the blocking categories disabled?

@pv wrote:

Safeguard does indeed change the DNS of known DoT servers as evidenced below.

@bobpullen is this as intended?


I think my Safeguard must be broken as I've enabled it with default categories but lookups continue to give me 'proper' IP addresses. Even for websites that should be blocked:-

 

>nslookup dns.google 213.120.234.38
Server:  indnsc102.ukcore.bt.net
Address:  213.120.234.38

Non-authoritative answer:
Name:    dns.google
Addresses:  2001:4860:4860::8888
          2001:4860:4860::8844
          8.8.4.4
          8.8.8.8

>nslookup 1dot1dot1dot1.cloudflare-dns.com 213.120.234.38
Server:  indnsc102.ukcore.bt.net
Address:  213.120.234.38

Non-authoritative answer:
Name:    1dot1dot1dot1.cloudflare-dns.com
Addresses:  2606:4700:4700::1111
          2606:4700:4700::1001
          1.0.0.1
          1.1.1.1

>nslookup dns.quad9.net 213.120.234.38
Server:  indnsc102.ukcore.bt.net
Address:  213.120.234.38

Non-authoritative answer:
Name:    dns.quad9.net
Addresses:  2620:fe::fe
          2620:fe::9
          9.9.9.9
          149.112.112.112

 

Have we established that those experiencing problems all have Safeguard enabled then?

If so, I wonder if it helps to whitelist the DoT URLs using the Safeguard controls on the website? 🤔

Edit: Turns out I had to wait a while after enabling Safeguard. I'm now getting the blocked IP when carrying out the above lookups.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

Swipe
Grafter
Posts: 45
Thanks: 6
Fixes: 2
Registered: ‎30-05-2010

Re: Why have Plusnet blocked secure DNS?

I have just turned Safeguard off. I wasn't even aware of that setting or that it was switched on. I can now confirm that DoT is now working for xxxxxx.dns.nextdns.io

 

Edit: Safeguard was set to OFF on my mother's account which explains why it worked there.

 

Thank you

 

 

pv
Grafter
Posts: 84
Thanks: 8
Registered: ‎12-06-2019

Re: Why have Plusnet blocked secure DNS?


@bobpullen wrote:



True. However you could argue that specifying alternate plain text DNS resolvers does the same 😉

 

Indeed. You could rewrite plain text DNS packets and route them via Plusnet servers when Safeguard is enabled, it depends how far your engineers want to go.