Advanced Plus Security Brambedkar59's Security Config 2026

[brambedkar59]

@brambedkar59 Hey man are you noticed sudden ping timeouts or DNS resolving timeouts with NextDNS?

Hey bro, what's up? No, I have not seen any DNS timeouts with NextDNS or any slowdown.

Edit: I am seeing much higher ping to Singapore (instead of 80 ms I am getting 180 ms). Dunno if it is related to NextDNS or some weird Excitel routing.

Edit2: Something messed up with the routing. Even with ISP DNS and Cloudflare DNS I am seeing much higher ping than normal. Route to EU/US doesn't seem to be affected.

 

[SeriousHoax]

Hey bro, what's up? No, I have not seen any DNS timeouts with NextDNS or any slowdown.

Edit: I am seeing much higher ping to Singapore (instead of 80 ms I am getting 180 ms). Dunno if it is related to NextDNS or some weird Excitel routing.

Edit2: Something messed up with the routing. Even with ISP DNS and Cloudflare DNS I am seeing much higher ping than normal. Route to EU/US doesn't seem to be affected.

At nighttime DNS performance is not the best for me also quite often. What's your lowest ping here? @Vasudev
Share a screenshot of the result.

ping.nextdns.io

 

[brambedkar59]

At nighttime DNS performance is not the best for me also quite often. What's your lowest ping here? @Vasudev
Share a screenshot of the result.

ping.nextdns.io

 

[SeriousHoax]

View attachment 292310

Your closest servers are both ultralow 1 and 2. So you just need to use:

https://ultralow.dns.nextdns.io/Your-ID/Device-Name(optional)

You can also force it to use a specific server like this,

https://vultr-del-1.edge.nextdns.io/Your-ID/Device-Name(optional)

https://anexia-del-1.edge.nextdns.io/Your-ID/Device-Name(optional)

Or force ultralow 1 or 2 like this:

https://ultralow.dns1.nextdns.io/Your-ID/Device-Name(optional)

https://ultralow.dns2.nextdns.io/Your-ID/Device-Name(optional)

Forcing specific server is not required in your case, I think. ultralow should pick one of them by default.
If your ISP provide IPv6 then you would also see IPv6 servers in ping.nextdns.io

 

[brambedkar59]

Your closest servers are both ultralow 1 and 2. So you just need to use:

You can also force it to use a specific server like this,

Or force ultralow 1 or 2 like this:

Forcing specific server is not required in your case, I think. ultralow should pick one of them by default.
If your ISP provide IPv6 then you would also see IPv6 servers in ping.nextdns.io

I am already using NextDNS Ultralow servers. I should have been clearer in my post #261. I was not talking about ping to DNS servers but AWS servers located in those regions.

 

[SeriousHoax]

I am already using NextDNS Ultralow servers. I should have been clearer in my post #261. I was not talking about ping to DNS servers but AWS servers located in those regions.

Oh, I see. I was wondering why it was not auto using the closest servers for you since they are very close to you. Does EDNS/ECS on NextDNS work for you?

 

[brambedkar59]

Does EDNS/ECS on NextDNS work for you?

How do I check that?

 

[SeriousHoax]

How do I check that?

Visit this site:

dnscheck.tools - check your dns resolvers

A tool to test for DNS leaks, DNSSEC validation, and more

dnscheck.tools

Here after your IP address, you should see this section if it's working. If not, then it will not be present.

 

[brambedkar59]

Visit this site:

dnscheck.tools - check your dns resolvers

A tool to test for DNS leaks, DNSSEC validation, and more

dnscheck.tools

Here after your IP address, you should see this section if it's working. If not, then it will not be present.
View attachment 292346

It's not working.

Edit: EDNS/ECS is not working. Site is working fine

 

[SeriousHoax]

It's not working.

Edit: EDNS/ECS is not working. Site is working fine

Oh! Same for me but I expected it to work on your region.
Could please check if it works for you for AdGuard DNS?

https://dns.adguard-dns.com/dns-query

 

[brambedkar59]

Oh! Same for me but I expected it to work on your region.
Could please check if it works for you for AdGuard DNS?

ECS is working only with Adguard (https://dns.adguard-dns.com/dns-query), Quad9 (https://dns11.quad9.net/dns-query) and Google (https://dns.google/dns-query).

Your DNS resolvers specify your IP subnet (ECS)

 

[SeriousHoax]

ECS is working only with Adguard (https://dns.adguard-dns.com/dns-query), Quad9 (https://dns11.quad9.net/dns-query) and Google (https://dns.google/dns-query).

Yeah, it's default for Google and AdGuard. For day-to-day browsing, it's not really necessary.

 

[Kongo]

 

[brambedkar59]

I have read this article, it was good. A bit too technical in the end for me though. Still don't understand why on NextDNS ECS is not working?

 

[Kongo]

I have read this article, it was good. A bit too technical in the end for me though. Still don't understand why on NextDNS ECS is not working?

From my understanding they use ECS but in an anonymized way (don't ask me how they actually do this. Too technical for me also). Maybe that's why those test pages do not detect it as it was modified for privacy.

The setting in NextDNS clearly says it does use ECS:

 

[TairikuOkami]

So, no ECS then?

 

[Kongo]

So, no ECS then?

Huh?

Two more links that prove that NextDNS uses ECS:

1. What is EDNS Client-Subnet (ECS)? (Olivier Poitrey is the dev)

2. Is Anonymized EDNS Client Subnet Broken?

 

[brambedkar59]

Huh?

Two more links that prove that NextDNS uses ECS:

1. What is EDNS Client-Subnet (ECS)? (Olivier Poitrey is the dev)

2. Is Anonymized EDNS Client Subnet Broken?

But how to test if it is actually working?

 

[Kongo]

But how to test if it is actually working?

Good question.

 

[SeriousHoax]

From my understanding they use ECS but in an anonymized way (don't ask me how they actually do this. Too technical for me also). Maybe that's why those test pages do not detect it as it was modified for privacy.

The setting in NextDNS clearly says it does use ECS:
View attachment 292568

Anonymized doesn't mean it's not visible/hidden, it just means that instead of using your exact IP or IP subnet it uses the ASN number of that region or something like that. I don't fully understand ASN number yet, but some details are present in the NextDNS article you gave above, as well as in this AdGuard article.

Privacy-friendly EDNS Client Subnet

EDNS Client Subnet is a mechanism used by DNS resolvers to to deliver location-specific results to clients. It's widely popular, but also not without its drawbacks. Are there ways to improve it?

adguard-dns.io

AdGuard took inspiration from NextDNS's approach and made some tweak of their own to further improve cache hit ratio.

My IP address starts with 103 while the ECS that I get from AdGuard starts with 203. Both IP belongs to my country, but they are not the same, hence still private to some extent. So when DNS is queried with the ECS IP subnet, the DNS server still knows that it's coming from my country and serve IPs for/closest to my location if available.
So the ECS shouldn't be hidden to a testing site as far as I understand. No issue while using AdGuard DNS on that site, who is doing almost exactly the same thing as NextDNS.

Besides, NextDNS has their own testing site,

https://test.nextdns.io/

You should see an ECS entry here if ECS is working for you. If you see, then the previous testing site has an issue.
Here's mine. No sign of ECS here.

The nice thing is, you can use this site to test ECS with any DNS provider.
Here's the same site with AdGuard DNS, and there we have ECS. You can test with Google DNS, Quad9 with ECS or anything else.

Another method that is given in the NextDNS article is by using DIG. This method is applicable to NextDNS only.

dig malwaretips.com CHAOS

I already have dig installed on my Windows. You will have to install it for testing. Here from the result we have another confirmation that ECS is not being sent when I am using NextDNS.

So you can try these methods to see it's actually working for you.
ECS not working for many users is a long known issue. It never ever worked for me.