Why have Plusnet blocked secure DNS?
Re: Why have Plusnet blocked secure DNS?
24-07-2020 10:03 PM
@Swipe you're one hop away from success there. For some reason Nextdns are firewalling your IP at the last hop.
Re: Why have Plusnet blocked secure DNS?
24-07-2020 11:00 PM
With Plusnet Safeguard DNS server addresses 213.120.234.42 and 213.120.234.38 in use:
Traceroute has started…
traceroute to 1dot1dot1dot1.cloudflare-dns.com (81.130.111.239), 64 hops max, 72 byte packets
1 fritz.box (192.168.0.1) 0.676 ms 0.346 ms 0.229 ms
2 195.166.130.248 (195.166.130.248) 4.979 ms 4.277 ms 4.713 ms
3 84.93.253.71 (84.93.253.71) 5.258 ms 5.277 ms 5.224 ms
4 195.99.125.144 (195.99.125.144) 5.825 ms 5.216 ms 5.157 ms
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 *
It never resolves.
However, fire up a VPN:
Traceroute has started…
traceroute: Warning: 1dot1dot1dot1.cloudflare-dns.com has multiple addresses; using 1.0.0.1
traceroute to 1dot1dot1dot1.cloudflare-dns.com (1.0.0.1), 64 hops max, 72 byte packets
1 172.18.13.1 (172.18.13.1) 6.680 ms 5.681 ms 6.033 ms
2 88.202.231.1.static.midphase.com (88.202.186.1) 6.867 ms 30.492 ms 8.754 ms
3 88.202.187.181.static.midphase.com (88.202.187.181) 6.945 ms 6.859 ms 6.696 ms
4 83.170.70.129 (83.170.70.129) 6.204 ms 6.428 ms 15.063 ms
5 92.60.249.45 (92.60.249.45) 11.263 ms 47.463 ms 33.781 ms
6 ae10.cr10-lon2.ip4.gtt.net (89.149.128.214) 6.690 ms 6.478 ms 16.606 ms
7 ip4.gtt.net (87.119.96.150) 7.899 ms 9.726 ms 17.819 ms
8 one.one.one.one (1.0.0.1) 6.650 ms 8.225 ms 12.096 ms
Success every time.
I'm on a static IP 212.159.x.x.
Re: Why have Plusnet blocked secure DNS?
24-07-2020 11:19 PM
Plusnet may have intentionally altered the DNS for 1dot1dot1dot1.cloudflare-dns.com when Safeguard is enabled since it bypasses Safeguard.
one.one.one.one works though.
Re: Why have Plusnet blocked secure DNS?
25-07-2020 12:52 PM
Safeguard does indeed change the DNS of known DoT servers as evidenced below.
@bobpullen is this as intended?
C:\>nslookup dns.google
Server: dsldevice.lan
Address: 192.168.1.254
Non-authoritative answer:
Name: dns.google
Address: 81.130.111.239
C:\>nslookup 1dot1dot1dot1.cloudflare-dns.com
Server: dsldevice.lan
Address: 192.168.1.254
Non-authoritative answer:
Name: 1dot1dot1dot1.cloudflare-dns.com
Address: 81.130.111.239
C:\>nslookup dns.quad9.net
Server: dsldevice.lan
Address: 192.168.1.254
Non-authoritative answer:
Name: dns.quad9.net
Address: 81.130.111.239
Re: Why have Plusnet blocked secure DNS?
25-07-2020 8:49 PM
For reference: Safeguard resolvers are 213.120.234.42 & 213.120.234.38.
Two of the default Plusnet resolvers are 212.159.6.9 & 212.159.6.10.
Just in case anyone wants to compare lookups between the two (I'm away from a computer at the moment).
Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
Re: Why have Plusnet blocked secure DNS?
25-07-2020 8:57 PM
I wonder if this was the case before the problem began.
Bob Pullen
Plusnet Product Team
Re: Why have Plusnet blocked secure DNS?
25-07-2020 9:06 PM
It seems like a logical block, @bobpullen. Android allows DoT servers to be specified, which would be an easy way for children to bypass Safeguard. This DNS mangling prevents it.
Re: Why have Plusnet blocked secure DNS?
25-07-2020 9:47 PM
You wouldn't be inviting your ISP to manipulate your traffic if you are using DoT.
I don't have "Safeguard".
Going by the example in https://developers.cloudflare.com/1.1.1.1/dns-over-tls
I tried:-
kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com community.plus.net
;; DEBUG: Querying for owner(community.plus.net.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 126 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG: SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 52864
;; Flags: qr rd ra; QUERY: 1; ANSWER: 6; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; PADDING: 259 B
;; QUESTION SECTION:
;; community.plus.net. IN A
;; ANSWER SECTION:
community.plus.net. 86363 IN CNAME aptgm87544.lithium.com.
aptgm87544.lithium.com. 862 IN CNAME d14xs8zr41zt1m.cloudfront.net.
d14xs8zr41zt1m.cloudfront.net. 22 IN A 99.84.10.50
d14xs8zr41zt1m.cloudfront.net. 22 IN A 99.84.10.7
d14xs8zr41zt1m.cloudfront.net. 22 IN A 99.84.10.108
d14xs8zr41zt1m.cloudfront.net. 22 IN A 99.84.10.23
;; Received 468 B
;; Time 2020-07-25 21:41:47 BST
;; From 1.1.1.1@853(TCP) in 7.2 ms
Which would seem to indicate that DoT works for 1.1.1.1 (for me, in this instance)
"In The Beginning Was The Word, And The Word Was Aardvark."
Re: Why have Plusnet blocked secure DNS?
25-07-2020 10:11 PM
@VileReynard wrote:
You wouldn't be inviting your ISP to manipulate your traffic if you are using DoT.
Equally if you have enabled Safeguard you wouldn't want it to be a piece of cake for your children to be able to circumvent it.
Re: Why have Plusnet blocked secure DNS?
26-07-2020 12:06 AM
@pv wrote:
Equally if you have enabled Safeguard you wouldn't want it to be a piece of cake for your children to be able to circumvent it.
Never trust a computer to raise your children.
Try getting a human to teach them what to avoid or at least where to tread warily, if that is not too much trouble...
Re: Why have Plusnet blocked secure DNS?
26-07-2020 12:19 AM
@VileReynard wrote:
Never trust a computer to raise your children.
Try getting a human to teach them what to avoid or at least where to tread warily, if that is not too much trouble...
Safeguard is not a suitable replacement for parenting, but technology can be a useful aid sometimes.
Re: Why have Plusnet blocked secure DNS?
26-07-2020 6:02 PM
Here are my results from my Mother's ADSL connection where NextDNS DoT works fine:
IP: 143.159.XXX.XXX
[swipe@laptop ~]$ traceroute 45.90.28.14
traceroute to 45.90.28.14 (45.90.28.14), 30 hops max, 60 byte packets
1 _gateway (192.168.1.254) 54.038 ms 54.456 ms 65.568 ms
2 * * *
3 * * *
4 132.hiper04.sheff.dial.plus.net.uk (195.166.143.132) 96.983 ms 100.029 ms 128.hiper04.sheff.dial.plus.net.uk (195.166.143.128) 99.339 ms
5 195.99.125.140 (195.99.125.140) 99.834 ms 195.99.125.144 (195.99.125.144) 100.103 ms 100.589 ms
6 peer8-et-0-1-1.telehouse.ukcore.bt.net (109.159.252.150) 100.883 ms peer8-et-0-0-1.telehouse.ukcore.bt.net (62.172.103.170) 47.287 ms peer8-et-0-1-1.telehouse.ukcore.bt.net (109.159.252.150) 52.368 ms
7 5.226.136.50 (5.226.136.50) 42.174 ms 35.765 ms 35.338 ms
8 ae1.rt1-cr.ldn.as25369.net (5.226.136.39) 40.958 ms 40.990 ms 39.566 ms
9 ae7.31-cs0-cr.ldn.as25369.net (185.38.150.227) 55.591 ms 45.682 ms 55.951 ms
10 fwd-1.crd.lon07.gb.misaka.io (45.11.107.160) 37.246 ms 39.161 ms 35.692 ms
11 * * *
12 * * *
13 * * *
Note that the traceroute still doesn't reach its destination (the same as on my home connection), but DoT works fine on my Android phone for xxxxxx.dns.nextdns.io
Re: Why have Plusnet blocked secure DNS?
27-07-2020 1:45 PM - edited 27-07-2020 6:03 PM
@pv wrote:
It seems like a logical block @bobpullen . Android allows DoT servers to be specified, which would be an easy way for children to bypass Safeguard. This DNS mangling prevents it.
True. However you could argue that specifying alternate plain text DNS resolvers does the same 😉
There's also the question of how things should behave if you have Safeguard enabled, but the majority of the blocking categories disabled?
@pv wrote:
Safeguard does indeed change the DNS of known DoT servers as evidenced below.
@bobpullen is this as intended?
I think my Safeguard must be broken as I've enabled it with default categories but lookups continue to give me 'proper' IP addresses. Even for websites that should be blocked:-
>nslookup dns.google 213.120.234.38
Server: indnsc102.ukcore.bt.net
Address: 213.120.234.38
Non-authoritative answer:
Name: dns.google
Addresses: 2001:4860:4860::8888
2001:4860:4860::8844
8.8.4.4
8.8.8.8
>nslookup 1dot1dot1dot1.cloudflare-dns.com 213.120.234.38
Server: indnsc102.ukcore.bt.net
Address: 213.120.234.38
Non-authoritative answer:
Name: 1dot1dot1dot1.cloudflare-dns.com
Addresses: 2606:4700:4700::1111
2606:4700:4700::1001
1.0.0.1
1.1.1.1
>nslookup dns.quad9.net 213.120.234.38
Server: indnsc102.ukcore.bt.net
Address: 213.120.234.38
Non-authoritative answer:
Name: dns.quad9.net
Addresses: 2620:fe::fe
2620:fe::9
9.9.9.9
149.112.112.112
Have we established that those experiencing problems all have Safeguard enabled then?
If so, I wonder if it helps to whitelist the DoT URLs using the Safeguard controls on the website? 🤔
Edit: Turns out I had to wait a while after enabling Safeguard. I'm now getting the blocked IP when carrying out the above lookups.
Bob Pullen
Plusnet Product Team
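Added example (my own code, not anything posted in this thread or shipped by Plusnet): a small probe that reproduces the two checks above without relying on nslookup or kdig. It builds a raw DNS A query, sends it either as plain UDP/53 to a chosen resolver (what the nslookup posts did against 213.120.234.38 and 212.159.6.9) or over DNS-over-TLS (RFC 7858: TCP/853, verified TLS with SNI, two-byte length prefix, which is what kdig did against 1.1.1.1), and then applies the tell-tale test from the thread: several unrelated DoT hostnames all collapsing onto one address. The expected addresses in DOT_HOSTS are the operators' published anycast IPs (the same ones the unfiltered lookups above returned); only IPv4 answers are parsed, and the resolver IPs in the usage line are the ones Bob quoted. Everything else (the function names, the probe script name) is mine. Because a traceroute to port 853 hosts can die at a filtered hop even when DoT works (see the NextDNS traces above), query_dot tests the actual TCP/853 exchange rather than ICMP reachability.

```python
import socket
import ssl
import struct
import sys

# DoT hostnames the thread shows being rewritten, with the addresses the
# operators publish for them (the same ones the unfiltered lookups returned).
DOT_HOSTS = {
    "dns.google": {"8.8.8.8", "8.8.4.4"},
    "1dot1dot1dot1.cloudflare-dns.com": {"1.1.1.1", "1.0.0.1"},
    "dns.quad9.net": {"9.9.9.9", "149.112.112.112"},
}

def build_query(name, qid=0x1234):
    """Encode a standard A/IN query: header with RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_a_records(msg):
    """Return the set of IPv4 strings in the answer section (CNAMEs are skipped)."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:  # non-zero RCODE (NXDOMAIN, SERVFAIL, ...): no addresses
        return set()
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    addrs = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("stream closed mid-message")
        buf += chunk
    return buf

def query_udp(resolver, name, timeout=3.0):
    """Plain DNS over UDP/53, the path nslookup took in the thread."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data) if data[:2] == q[:2] else set()  # match query ID

def query_dot(server, name, tls_host, timeout=3.0):
    """DNS over TLS (RFC 7858): TCP/853, verified TLS with SNI, 2-byte length prefix."""
    q = build_query(name)
    ctx = ssl.create_default_context()  # verifies the chain against the system CAs
    with socket.create_connection((server, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_host) as tls:
            tls.sendall(struct.pack("!H", len(q)) + q)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            data = _recv_exact(tls, length)
    return parse_a_records(data)

def find_rewrites(answers, expected=DOT_HOSTS):
    """answers: {hostname: set of IPv4 strings} from one resolver. Returns
    (hostnames holding none of their expected addresses,
     addresses shared by two or more of those hostnames, i.e. a sinkhole)."""
    wrong = {n for n, ips in answers.items() if not ips & expected.get(n, ips)}
    holders = {}
    for n in wrong:
        for ip in answers[n]:
            holders.setdefault(ip, set()).add(n)
    sinkholes = {ip for ip, names in holders.items() if len(names) >= 2}
    return wrong, sinkholes

if __name__ == "__main__":
    # usage: python dot_probe.py <resolver-ip>   e.g. 213.120.234.38 or 212.159.6.9
    resolver = sys.argv[1] if len(sys.argv) > 1 else "213.120.234.38"
    got = {n: query_udp(resolver, n) for n in DOT_HOSTS}
    for n, ips in got.items():
        print(f"{n:35} {sorted(ips)}")
    wrong, sinkholes = find_rewrites(got)
    print("rewritten:", sorted(wrong), "sinkhole:", sorted(sinkholes))
```

Run it once against a Safeguard resolver and once against a default Plusnet resolver; if the three names all come back as one address from the first and as their published addresses from the second, that is resolver-side rewriting, not a routing problem. To check the DoT path itself the way the kdig post did, call query_dot("1.1.1.1", "community.plus.net", "cloudflare-dns.com"); a rewritten hostname fails here at the TLS handshake, because the certificate on the sinkhole will not match the server_hostname you pass.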
Re: Why have Plusnet blocked secure DNS?
27-07-2020 1:50 PM - edited 27-07-2020 1:55 PM
I have just turned Safeguard off. I wasn't even aware of that setting or that it was switched on. I can now confirm that DoT is working for xxxxxx.dns.nextdns.io
Edit: Safeguard was set to OFF on my mother's account which explains why it worked there.
Thank you
Re: Why have Plusnet blocked secure DNS?
27-07-2020 1:55 PM
@bobpullen wrote:
True. However you could argue that specifying alternate plain text DNS resolvers does the same 😉
Indeed. You could rewrite plain text DNS packets and route them via Plusnet servers when Safeguard is enabled, it depends how far your engineers want to go.