Freki123

Level 8
Verified
Hi, I'm trying to understand the test results I get when I compare my NextDNS results with the ones from AdGuard DNS.
The sites used for the testing were: Web-based DNS Randomness Test | DNS-OARC and My IP Address, DNS Leak Test, WebRTC Leak Test, IPv6 Leak Test, HTTP Headers, IP Whois

I don't understand why my NextDNS result shows 3 IPs? (See picture 4)
IP 1 seems to be a netblock from Cloudflare
IP 2 seems to be NextDNS
IP 3 is owned by my Internet Service Provider

So why is an IP owned by my Internet Service Provider shown there?
AdGuard DNS in comparison doesn't do that. (picture 2)
The DNS server settings were done with the DNS options inside AdGuard Desktop and nothing was changed in Windows 10.
NextDNS settings were DNS-over-HTTPS and AdGuard DNS also (for comparison).


So, any help with what I understood wrong?

valvaris

Level 4
Verified
Hi @Freki123

the main issue is IPv6. Best practice is truly to go with IPv4 only and then do a leak test.

Another factor is how DNS gets handled by your network, like rogue DNS users (Android OS, iOS and so on...).
There is a solution where, if it is not the DNS address 1.1.1.1 [example], it forwards it to the proper IP address 1.1.1.1. (Example: 8.8.8.8 [is not 1.1.1.1], forward that to 1.1.1.1.) Do not forget to set the port to 53 for DNS traffic.

Next is mDNS: if not in use, block it (port 5353).

That should cover the DNS leaking issue. But make sure you have a central point for DNS requests. ;)

Tip: Some apps have hardcoded DNS addresses; this is where a NAT rule can help.

Best regards
Val.

Freki123

Level 8
Verified
@valvaris Thanks for your answer.
Now that you mention it, I changed IP-related stuff: I have IPv6 disabled via network settings. (Sorry, totally forgot, it was so long ago.)
Control Panel\Network and Internet\Network Connections has only IPv4 checked. IPv6 was disabled.

valvaris

Level 4
Verified
Yep, but it should be disabled from the router / modem all the way to the PC. Like this your network can only communicate with IPv4 ;)

Freki123

Level 8
Verified
To be honest, when reading your post I see how much knowledge I'm missing. I have all the available settings for IPv6 in my router disabled, but it's ISP-provided and has only bad options. So in easy terms for me: it's not a leak, more like another way of handling stuff?

JoyousBudweiser

Level 9
Verified
So why is an IP owned by my Internet Service Provider shown there? AdGuard DNS in comparison doesn't do that. (picture 2)
The DNS server settings were done with the DNS options inside AdGuard Desktop and nothing was changed in Windows 10.
NextDNS settings were DNS-over-HTTPS and AdGuard DNS also (for comparison).
The best option, if you are concerned about DNS leaks / port 53 traffic, is to use a router that supports either DNS over TLS or DNS over HTTPS. The advantage of such a system is that the router can intercept all port 53 traffic from any connected device to your desired encrypted DNS provider. Windows leaks some port 53 traffic to the router during startup even if you use AdGuard on desktop or the YogaDNS app. You cannot prevent it unless you use a router-based DoH or DNSCrypt (Simple DNSCrypt, which sets the IPv4 DNS to 127.0.0.1 and the IPv6 DNS to ::1, a non-existent loopback address, so that nothing (port 53) goes out, and the DNSCrypt service then listens on that address, 127.0.0.1). So my advice is to:
1. Use YogaDNS as a frontend to your NextDNS.
2. Use Simple DNSCrypt.
3. You can also use the new desktop AdGuard (version 7.5) and use NextDNS as a DoH/DoT resolver. (Go to Settings > DNS > Add a custom DNS "https://dns.nextdns.io/xxxxxx". Replace "xxxxxx" with your configuration ID, which you can find in your NextDNS account.)
4. Since you have disabled IPv6, you don't need to do this. (Go to Control Panel > Network and Sharing Center > click on Ethernet/Wi-Fi > Properties > Internet Protocol Version 6 > use the following DNS address and paste this " ::1 " without inverted commas. This will prevent DNS leaking to IPv6 DNS servers.)
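The two replies above describe the same defensive check from the router side: valvaris's rule set (redirect any port 53 traffic that is not headed for the chosen resolver, block mDNS on 5353, give NAT a central point for DNS) and JoyousBudweiser's point that Windows still emits port 53 queries at startup. The script below is an added example for this thread, not code from either poster or from AdGuard/NextDNS. It runs the same checks over a few constructed connection-log lines (invented for the example): any port 53 or 853 flow to a resolver other than the one you configured, and any mDNS multicast query, is reported. The addresses are RFC 5737 TEST-NET values, and the "allowed resolver" 203.0.113.5 is an assumption standing in for whatever DoH/DoT service you picked.

```python
"""Flag DNS traffic that bypasses the chosen resolver (added example).

Scans constructed connection-log lines for port 53/853 queries to a resolver
other than the configured one, and for mDNS (port 5353) multicast. DoH rides on
443 and cannot be told apart from ordinary HTTPS here, which is one reason the
router-side redirect described in the thread matters.
"""
import re
from dataclasses import dataclass

# Resolvers the host is supposed to use (assumed: a DoH/DoT service at
# 203.0.113.5 plus the loopback stubs a Simple DNSCrypt-style setup uses).
ALLOWED_RESOLVERS = {"203.0.113.5", "127.0.0.1", "::1"}

# Multicast groups used by mDNS over IPv4 and IPv6.
MDNS_GROUPS = {"224.0.0.251", "ff02::fb"}

# Constructed log format: "<timestamp> <proto> <src>:<port> -> <dst>:<port>"
LOG_RE = re.compile(r"^(\S+)\s+(udp|tcp)\s+(\S+)\s+->\s+(\S+)$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    dst: str
    dport: int
    reason: str


def split_endpoint(endpoint: str) -> tuple[str, int]:
    """Split '192.0.2.1:53' or '[ff02::fb]:5353' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def find_dns_leaks(lines, allowed=ALLOWED_RESOLVERS):
    """Return a Finding for every logged flow that looks like a DNS leak."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # not a flow record; ignore
        _timestamp, _proto, _src, dst_endpoint = match.groups()
        dst, dport = split_endpoint(dst_endpoint)
        if dport == 5353 and dst in MDNS_GROUPS:
            findings.append(Finding(line_no, dst, dport, "mDNS multicast query"))
        elif dport in (53, 853) and dst not in allowed:
            kind = "plaintext DNS" if dport == 53 else "DNS-over-TLS"
            findings.append(
                Finding(line_no, dst, dport, f"{kind} to non-chosen resolver")
            )
    return findings


# Constructed sample: one clean query, one query to another resolver, one
# HTTPS flow, two mDNS bursts and one DoT session to a resolver we did not pick.
SAMPLE_LOG = """\
2024-01-01T08:00:01 udp 192.168.1.20:51234 -> 203.0.113.5:53
2024-01-01T08:00:02 udp 192.168.1.20:51235 -> 192.0.2.53:53
2024-01-01T08:00:03 tcp 192.168.1.20:51236 -> 203.0.113.5:443
2024-01-01T08:00:04 udp 192.168.1.20:5353 -> 224.0.0.251:5353
2024-01-01T08:00:05 udp [fe80::1]:5353 -> [ff02::fb]:5353
2024-01-01T08:00:06 tcp 192.168.1.20:51240 -> 198.51.100.9:853
""".splitlines()

if __name__ == "__main__":
    for f in find_dns_leaks(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.dst}:{f.dport} - {f.reason}")
```

On the sample it reports lines 2, 4, 5 and 6; line 1 goes to the chosen resolver and line 3 is plain HTTPS. The router rules valvaris describes (DNAT stray port 53 to the chosen address, drop 5353) are exactly what makes a run of this check come back empty.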

security123

Level 26
Verified
Why should anyone disable IPv6? It has existed since 1998 and replaces the deprecated IPv4.

Disabling IPv6 will break sites and doesn't provide any advantages.
Also from Wikipedia:
The deployment of IPv6 in the Internet backbone continued. In 2018 only 25.3% of the about 54,000 autonomous systems advertised both IPv4 and IPv6 prefixes in the global Border Gateway Protocol (BGP) routing database. A further 243 networks advertised only an IPv6 prefix. Internet backbone transit networks offering IPv6 support existed in every country globally, except in parts of Africa, the Middle East and China.[71] By mid-2018 some major European broadband ISPs had deployed IPv6 for the majority of their customers. British Sky Broadcasting provided over 86% of its customers with IPv6, Deutsche Telekom had 56% deployment of IPv6, XS4ALL in the Netherlands had 73% deployment and in Belgium the broadband ISPs VOO and Telenet had 73% and 63% IPv6 deployment respectively.[72] In the United States the broadband ISP Comcast had an IPv6 deployment of about 66%. In 2018 Comcast reported an estimated 36.1 million IPv6 users, while AT&T reported 22.3 million IPv6 users.[73]

Freki123

Level 8
Verified
It seems there is no IPv6 leak. Also only my IPv4 address is listed, no IPv6 (since disabling it in router and network settings). // At least that's how I understand it

@JoyousBudweiser I tried to avoid extra software, so my screenshots were made with your suggestion no. 3 (using my custom NextDNS settings in AdGuard).
For me atm it's not about a leak but more about using a DNS that's separate from my ISP. (Sorry, couldn't phrase it better.)
I get confused why NextDNS still shows an IP that belongs to my ISP.
AdGuard just lists one IP, NextDNS three.

Thank you both for your kind answers :)

@security123 Thanks for the input. I will think about it after I understood the 3 IP thing :)

JoyousBudweiser

Level 9
Verified
Why should anyone disable IPv6? It has existed since 1998 and replaces the deprecated IPv4.

Disabling IPv6 will break sites and doesn't provide any advantages.
No, disabling IPv6 does not break websites; every website has an IPv4 fallback configured for it. IPv6 is bad for privacy-focused setups as it is difficult to mask all your IPv6 traffic. Consider this scenario: you are on an IPv6-enabled network and you have 3 or 4 IoT devices in your network which have got an IPv6 address from NAT, and all these devices communicate with the net using their own IPv6 address. Now you want to use a VPN for your Windows-based computer; the IPv6 addresses of your IoT devices remain unmasked by the VPN, so you can still be traced and tracked, all because of your IoT using IPv6.

JoyousBudweiser

Level 9
Verified
It seems there is no IPv6 leak. Also only my IPv4 address is listed, no IPv6 (since disabling it in router and network settings). // At least that's how I understand it

@JoyousBudweiser I tried to avoid extra software, so my screenshots were made with your suggestion no. 3 (using my custom NextDNS settings in AdGuard).
For me atm it's not about a leak but more about using a DNS that's separate from my ISP. (Sorry, couldn't phrase it better.)
I get confused why NextDNS still shows an IP that belongs to my ISP.
AdGuard just lists one IP, NextDNS three.

Thank you both for your kind answers :)

@security123 Thanks for the input. I will think about it after I understood the 3 IP thing :)
Can you test NextDNS with this DNS leak test and post the result? Do the extended test.

security123

Level 26
Verified
No, disabling IPv6 does not break websites; every website has an IPv4 fallback configured for it. IPv6 is bad for privacy-focused setups as it is difficult to mask all your IPv6 traffic. Consider this scenario: you are on an IPv6-enabled network and you have 3 or 4 IoT devices in your network which have got an IPv6 address from NAT, and all these devices communicate with the net using their own IPv6 address. Now you want to use a VPN for your Windows-based computer; the IPv6 addresses of your IoT devices remain unmasked by the VPN, so you can still be traced and tracked, all because of your IoT using IPv6.
I say it will break websites, not that it 100% does. Of course sites use v4 as fallback. But only for now.

IPv6 respects privacy with Privacy Extensions:
Nodes use IPv6 stateless address autoconfiguration to generate addresses using a combination of locally available information and information advertised by routers. Addresses are formed by combining network prefixes with an interface identifier. On an interface that contains an embedded IEEE Identifier, the interface identifier is typically derived from it. On other interface types, the interface identifier is generated through other means, for example, via random number generation. This document describes an extension to IPv6 stateless address autoconfiguration for interfaces whose interface identifier is derived from an IEEE identifier. Use of the extension causes nodes to generate global scope addresses from interface identifiers that change over time, even in cases where the interface contains an embedded IEEE identifier. Changing the interface identifier (and the global scope addresses generated from it) over time makes it more difficult for eavesdroppers and other information collectors to identify when different addresses used in different transactions actually correspond to the same node.


Can you test NextDNS with this DNS leak test and post the result? Do the extended test.

JoyousBudweiser

Level 9
Verified
You are fine, it seems. There is no second DNS server involved in fulfilling the query, as the test shows.

IPv6 respects privacy with Privacy Extensions:

Read this too at page 7.

The division of IPv6 addresses into distinct topology and interface identifier portions raises an issue new to IPv6 in that a fixed portion of an IPv6 address (i.e., the interface identifier) can contain an identifier that remains constant even when the topology portion of an address changes (e.g., as the result of connecting to a different part of the Internet). In IPv4, when an address changes, the entire address (including the local part of the address) usually changes. It is this new issue that this document addresses.

If addresses are generated from an interface identifier, a home user's address could contain an interface identifier that remains the same from one dial-up session to the next, even if the rest of the address changes. The way PPP is used today, however, PPP servers typically unilaterally inform the client what address they are to use (i.e., the client doesn't generate one on its own). This practice, if continued in IPv6, would avoid the concerns that are the focus of this document.

A more troubling case concerns mobile devices (e.g., laptops, PDAs, etc.) that move topologically within the Internet. Whenever they move, they form new addresses for their current topological point of attachment. This is typified today by the "road warrior" who has Internet connectivity both at home and at the office. While the node's address changes as it moves, the interface identifier contained within the address remains the same (when derived from an IEEE Identifier). In such cases, the interface identifier can be used to track the movement and usage of a particular machine. For example, a server that logs usage information together with source addresses, is also recording the interface identifier since it is embedded within an address. Consequently, any data-mining technique that correlates activity based on addresses could easily be extended to do the same using the interface identifier. This is of particular concern with the expected proliferation of next-generation network-connected devices (e.g., PDAs, cell phones, etc.) in which large numbers of devices are, in practice, associated with individual users (i.e., not shared). Thus, the interface identifier embedded within an address could be used to track activities of an individual, even as they move topologically within the Internet.

In summary, IPv6 addresses on a given interface generated via Stateless Autoconfiguration contain the same interface identifier, regardless of where within the Internet the device connects. This facilitates the tracking of individual devices (and thus, potentially, users). The purpose of this document is to define mechanisms that eliminate this issue in those situations where it is a concern.
I was referring to a scenario where different IPv6 addresses are provided to all network-linked devices on a home network, where all the devices get a public-facing IPv6 address. With IPv4 only the router gets the public-facing IP address; in most cases the ISPs do not even provide any public-facing IP address, instead they provide NATed VLAN IDs and all your devices behind the router get a NATed local IP, which you can mask via VPN. The problem arises when a home network has more than one public-facing IPv6 address issued to the devices connected to it and you can't mask an IoT device's IPv6 with a VPN on a Windows machine; you will need a VPN set up in the router itself (which only high-end routers have, with acceptable throughput).

Freki123

Level 8
Verified
You are fine, it seems. There is no second DNS server involved in fulfilling the query, as the test shows.
Thanks for looking over it, I really appreciate it :)

Sorry for repeating myself, but is there any reason why my ISP is still listed when a DNS resolver test is done (only with NextDNS, not AdGuard DNS)? In my novice logic: when I change a DNS server, my ISP should have nothing to do with DNS resolving after that.
I hope you understand what I mean, because I have problems explaining it better (I blame not being a native English speaker :D). It's just that for me it seems not to work the way I expected and I want to know why. Curious by nature.

JoyousBudweiser

Level 9
Verified
Thanks for looking over it, I really appreciate it :)

Sorry for repeating myself, but is there any reason why my ISP is still listed when a DNS resolver test is done (only with NextDNS, not AdGuard DNS)? In my novice logic: when I change a DNS server, my ISP should have nothing to do with DNS resolving after that.
I hope you understand what I mean, because I have problems explaining it better (I blame not being a native English speaker :D). It's just that for me it seems not to work the way I expected and I want to know why. Curious by nature.
What kind of router do you use? Are there any DNS settings in your router? Is it DNS from the ISP? If so, change it to the NextDNS address and retest to see if the problem still exists.

security123

Level 26
Verified
Sorry for repeating myself, but is there any reason why my ISP is still listed when a DNS resolver test is done (only with NextDNS, not AdGuard DNS)? In my novice logic: when I change a DNS server, my ISP should have nothing to do with DNS resolving after that.
Looks like the sites are weird.

Test these:

valvaris

Level 4
Verified
Thanks for looking over it, I really appreciate it :)

Sorry for repeating myself, but is there any reason why my ISP is still listed when a DNS resolver test is done (only with NextDNS, not AdGuard DNS)? In my novice logic: when I change a DNS server, my ISP should have nothing to do with DNS resolving after that.
I hope you understand what I mean, because I have problems explaining it better (I blame not being a native English speaker :D). It's just that for me it seems not to work the way I expected and I want to know why. Curious by nature.
Looks like a double recursive request...

DNS1 -> DNS2 -> Root DNS

Could be that after the change to NextDNS you need to flush your DNS cache. :D

A little explainer on how DNS works:

Best regards
Val.
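Val's "DNS1 -> DNS2 -> Root DNS" sketch is the key to the OP's three-IP question, so here is a small model of what a web-based DNS leak test actually observes. This is an added example for this thread, not code from the posters, NextDNS or AdGuard. A leak-test page makes the browser look up unique, never-before-seen names under a domain the tester controls; the only machines that ever contact the tester's authoritative server are the resolvers at the end of the chain, and their public addresses are what the result page lists. A forwarder in the middle (the local AdGuard app, for instance) never appears. The two scenarios use RFC 5737 TEST-NET addresses and are constructed: (a) one forwarding chain, where one address shows up, and (b) a stub resolver that spreads queries over two configured servers, where every recursing address shows up. Scenario (b) is one way a second provider can turn up in such a test, not a diagnosis of the router in this thread.

```python
"""Model of what a web DNS leak test observes (added example, constructed).

Only the resolver that finally contacts the tester's authoritative server is
visible to the test; forwarders in between are not. Addresses are TEST-NET.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


@dataclass
class Authoritative:
    """The tester's authoritative server: records who asks about its zone."""
    zone: str
    queries: list[tuple[str, str]] = field(default_factory=list)

    def query(self, qname: str, source_ip: str) -> str:
        self.queries.append((source_ip, qname))
        return "192.0.2.10"  # constructed answer; the value is irrelevant

    def resolver_ips(self) -> set[str]:
        return {ip for ip, _ in self.queries}


@dataclass
class Resolver:
    """A DNS service. A forwarder hands queries to `upstream`; otherwise it
    recurses itself and the authority sees one of its `egress_ips`."""
    name: str
    egress_ips: list[str]
    auth: Authoritative
    upstream: Resolver | None = None
    _sent: int = 0

    def resolve(self, qname: str) -> str:
        if self.upstream is not None:
            # A forwarder (e.g. a local filtering app) never talks to the
            # authority, so its own address is invisible to the test.
            return self.upstream.resolve(qname)
        # A provider with several points of presence recurses from any of them.
        ip = self.egress_ips[self._sent % len(self.egress_ips)]
        self._sent += 1
        return self.auth.query(qname, ip)


@dataclass
class Stub:
    """The OS stub resolver, handing queries round-robin to its server list."""
    servers: list[Resolver]
    _sent: int = 0

    def resolve(self, qname: str) -> str:
        server = self.servers[self._sent % len(self.servers)]
        self._sent += 1
        return server.resolve(qname)


def run_leak_test(stub: Stub, auth: Authoritative, rounds: int = 6) -> set[str]:
    """Look up `rounds` unique names under the test zone and report every
    public address that reached the authority, as a leak-test page does."""
    for i in range(rounds):
        stub.resolve(f"probe{i}-{secrets.token_hex(4)}.{auth.zone}")
    return auth.resolver_ips()


def unexpected(seen: set[str], expected: set[str]) -> set[str]:
    """Addresses in the result that do not belong to the intended provider."""
    return seen - expected


def scenario_single_path() -> set[str]:
    """Local filtering app -> one DoH provider -> authority: one address."""
    auth = Authoritative("leaktest.example")
    provider = Resolver("DoH provider", ["198.51.100.1"], auth)
    local_app = Resolver("local filtering app", ["127.0.0.1"], auth, upstream=provider)
    return run_leak_test(Stub([local_app]), auth)


def scenario_split_path() -> set[str]:
    """Stub alternates between the local app (-> provider with two egress
    points) and a second configured server: three addresses appear."""
    auth = Authoritative("leaktest.example")
    provider = Resolver("DoH provider", ["203.0.113.5", "203.0.113.6"], auth)
    other = Resolver("second configured resolver", ["192.0.2.200"], auth)
    local_app = Resolver("local filtering app", ["127.0.0.1"], auth, upstream=provider)
    return run_leak_test(Stub([local_app, other]), auth)


if __name__ == "__main__":
    print("single path :", sorted(scenario_single_path()))
    seen = scenario_split_path()
    print("split path  :", sorted(seen))
    print("not provider:", sorted(unexpected(seen, {"203.0.113.5", "203.0.113.6"})))
```

The practical reading of such a result is the one security123 and JoyousBudweiser give: addresses that belong to the provider you chose (several of them, if it has many points of presence, or if it egresses through a hosting network) are fine; an address that belongs to anyone else means some query left by a second path, and the router- or stub-side settings earlier in the thread are where to look.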

Freki123

Level 8
Verified
What kind of router do you use? Are there any DNS settings in your router? Is it DNS from the ISP? If so, change it to the NextDNS address and retest to see if the problem still exists.
There are no DNS settings to change in the router (ISP provided). The thing is, I still use the same router, while AdGuard DNS doesn't show the ISP IP in the results. So with the same router it should show up in both cases (NextDNS and AdGuard DNS), not only with NextDNS.
@security123

@valvaris I did an ipconfig /flushdns and after a reboot still the same results.

security123

Level 26
Verified
The thing is, I still use the same router, while AdGuard DNS doesn't show the ISP IP in the results. So with the same router it should show up in both cases (NextDNS and AdGuard DNS), not only with NextDNS.
The results are good.

How did you use AdGuard and how NextDNS? I mean, how and where did you enter the data before making the test?

Freki123

Level 8
Verified
How did you use AdGuard and how NextDNS? I mean, how and where did you enter the data before making the test?

I copy the more elegant explanation from @JoyousBudweiser:
3. You can also use the new desktop AdGuard (version 7.5) and use NextDNS as a DoH/DoT resolver. (Go to Settings > DNS > Add a custom DNS "https://dns.nextdns.io/xxxxxx". Replace "xxxxxx" with your configuration ID, which you can find in your NextDNS account.)

For choosing AdGuard DNS I just had to select the AdGuard DNS server (inside the AdGuard Desktop app) instead of the freshly created NextDNS server. That's the way I did my testing.
To be honest, I forgot to flush the DNS cache as kindly pointed out. But even after doing it I get the same results.

Did a quick test with YogaDNS (DNS flush and reboot included).
It shows: 2 NextDNS servers, 1 Cloudblock server, NO ISP server.