Unable to override DNS settings with DoH/DoT #1081

Open
kuchkovsky opened this issue Jan 19, 2025 · 25 comments
Labels: bug (Something isn't working), help wanted (Extra attention is needed)

Comments

@kuchkovsky

I am unable to override DNS settings using DoH/DoT in the Passepartout app. I’ve attempted this override on multiple configurations, including OpenVPN (Surfshark and PIA) and WireGuard, using NextDNS for DoH/DoT. When I configure a DNS override with NextDNS, DNS resolution stops working entirely. This issue occurs on both macOS and iOS. Plain DNS override works as expected.

Steps to reproduce

  1. Set up a VPN profile using OpenVPN or WireGuard.
  2. Attempt to create a DNS override using NextDNS with DoH or DoT in the app settings.
  3. Apply the settings and connect to the VPN.
  4. Test DNS resolution (using a browser or DNS test tool).

What is the current bug behavior?

  • When a DNS override is configured with NextDNS (DoH/DoT), DNS resolution stops working.
  • No DNS queries are resolved, effectively breaking internet connectivity.
  • The issue occurs on both macOS and iOS, regardless of the VPN protocol or provider used.

What is the expected correct behavior?

  • The app should successfully use the specified NextDNS DoH/DoT settings for DNS when a DNS override is configured.
  • DNS resolution should function correctly while using the override.
kuchkovsky added the "bug" label Jan 19, 2025
@keeshux (Member) commented Jan 19, 2025

@kuchkovsky I think I've received the very same report by e-mail.

Are you able to confirm that this is a regression from v2? I.e. "used to work but doesn't anymore" or "never worked, I've just tried on v3"?

@keeshux keeshux added this to the Hotfixes for v3 milestone Jan 19, 2025
@keeshux keeshux self-assigned this Jan 19, 2025
@keeshux (Member) commented Jan 19, 2025

The other user pointed me to this link, but I see you also mention OpenVPN:

https://www.reddit.com/r/mullvadvpn/comments/x6b3dq/guide_nextdns_mullvad_wireguard_doh3_on_ios/

keeshux changed the title from "Unable to override DNS settings with DoH/DoT" to "Unable to override DNS settings with DoH/DoT (NextDNS)" Jan 19, 2025
@keeshux keeshux removed this from the Hotfixes for v3 milestone Jan 19, 2025
@kuchkovsky (Author)

> Are you able to confirm that this is a regression from v2? I.e. "used to work but doesn't anymore" or "never worked, I've just tried on v3"?

Unfortunately, I didn't test it on v2. If there's a way to install the older build, I can test it.

@kuchkovsky (Author)

BTW, this issue is not specific to NextDNS. I tried with Cloudflare DoH (https://cloudflare-dns.com/dns-query) and I'm having the same issue. No issues when using NextDNS/Cloudflare DoH with Little Snitch.

keeshux changed the title from "Unable to override DNS settings with DoH/DoT (NextDNS)" to "Unable to override DNS settings with DoH/DoT" Jan 19, 2025
@keeshux keeshux added this to the Hotfixes for v3 milestone Jan 19, 2025
@keeshux (Member) commented Jan 19, 2025

Strange, this is working correctly on my end with NordVPN. You mention Little Snitch, could it be interfering?


keeshux added the "help wanted" label Jan 19, 2025
@kuchkovsky (Author)

I usually disable the custom DNS settings in Little Snitch, so they shouldn't interfere.

Ok, here’s what I see:

  • If I specify the Cloudflare DNS using an IP in the URL (https://1.1.1.1/dns-query), it starts working.
  • If I specify the Cloudflare DNS using a domain in the URL (https://cloudflare-dns.com/dns-query), it’s not working, even though it should (an app should normally just use the system resolver for the initial query).
  • If I specify one of the NextDNS IPs in the URL, it’s still not working for some reason.
  • What’s really strange is that nslookup is broken in any case. So even when I use https://1.1.1.1/dns-query, I can run curl -L https://test.nextdns.io to check my resolver, and it works fine, but nslookup google.com just hangs.

@keeshux (Member) commented Jan 19, 2025

> I usually disable the custom DNS settings in Little Snitch, so they shouldn't interfere.

Okay, good insight. My questions come from figuring out what issues to prioritize in the hotfix, and I tend to believe that this at least is not a regression.

> • If I specify the Cloudflare DNS using a domain in the URL (https://cloudflare-dns.com/dns-query), it’s not working, even though it should (an app should normally just use the system resolver for the initial query).

Does it work if you add 1.1.1.1 to "Servers" explicitly? Any DNS should work, try also 8.8.8.8

> • If I specify one of the NextDNS IPs in the URL, it’s still not working for some reason.

Does it work if you keep NextDNS as hostname in the URL, but add a public DNS IP to "Servers"? (like above)

> • What’s really strange is that nslookup is broken in any case. So even when I use https://1.1.1.1/dns-query, I can run curl -L https://test.nextdns.io to check my resolver, and it works fine, but nslookup google.com just hangs.

This requires more fiddling.

@kuchkovsky (Author) commented Jan 19, 2025

> Does it work if you add 1.1.1.1 to "Servers" explicitly? Any DNS should work, try also 8.8.8.8

Yes, Cloudflare works with 1.1.1.1 or 1.0.0.1, but interestingly, it doesn’t work with 8.8.8.8 or any other DNS.

> Does it work if you keep NextDNS as hostname in the URL, but add a public DNS IP to "Servers"? (like above)

NextDNS behavior is totally strange. For me, its domain resolves to 217.146.2.63 and 45.150.243.134. Neither of these works if I specify them in the URL (https://<IP>/<MY_CONFIG_ID>). There’s also a public IP 45.90.28.93 that’s not intended for use with DoH/DoT, and it doesn’t work either. But if I specify the normal URL (https://dns.nextdns.io/<MY_CONFIG_ID>) and put the public IP 45.90.28.93 in the "Servers" block, everything works as expected.

This additional step of putting the IPs in "Servers" to configure DoH is really confusing. DoH/DoT is usually configured with just a URL (that includes a domain, not an IP) and initially uses the system resolver. So ideally, when I select DoH, there should be a single field for the URL, and the servers block should be hidden. Just my suggestion.

@keeshux (Member) commented Jan 19, 2025

> This additional step of putting the IPs in "Servers" to configure DoH is really confusing. DoH/DoT is usually configured with just a URL (that includes a domain, not an IP) and initially uses the system resolver. So ideally, when I select DoH, there should be a single field for the URL, and the servers block should be hidden. Just my suggestion.

Then have you tried putting your system resolver(s) in "Servers" instead of 1.1.1.1?

(Let me restore the comment that I erroneously edited...)

@kuchkovsky (Author)

> Then have you tried putting your system resolver(s) in "Servers" instead of 1.1.1.1?

It doesn't work. For some reason, the "Servers" IP should be related to the DoH provider, it doesn't work with other IPs.

@keeshux (Member) commented Jan 19, 2025

I noticed one thing that would cover at least the common case of VPN offering their DNS servers.

If the list of modules is e.g. [VPN, DNS] (in this order), and the DNS module does not specify any servers (like in DoH), the VPN servers are not used as a fallback for bootstrap, and they should. Unsurprisingly, /etc/resolv.conf is empty in that scenario.

@keeshux (Member) commented Jan 19, 2025

@kuchkovsky call me crazy but after killing mDNSResponder, I managed the following:

  • Given the URL: https://cloudflare-dns.com/dns-query
  • Profile with only DNS module active: the URL is enough, no 1.1.1.1 server is required
    • Actually, it BREAKS if I add the 1.1.1.1 server
  • Profile with VPN + DNS active: the URL is not enough, the 1.1.1.1 server is required

Confirmed with both DoH and DoT on https://one.one.one.one/help/

OTOH, NextDNS always requires an IP to see the green sign on their page.

Perhaps try the "only DNS" setup with NextDNS on your end.

@keeshux (Member) commented Jan 19, 2025

> NextDNS behavior is totally strange. For me, its domain resolves to 217.146.2.63 and 45.150.243.134. Neither of these works if I specify them in the URL (https://<IP>/<MY_CONFIG_ID>). There’s also a public IP 45.90.28.93 that’s not intended for use with DoH/DoT, and it doesn’t work either. But if I specify the normal URL (https://dns.nextdns.io/<MY_CONFIG_ID>) and put the public IP 45.90.28.93 in the "Servers" block, everything works as expected.

I can confirm this as well. No luck without the explicit IP.

@kuchkovsky (Author) commented Jan 19, 2025

I tried creating a separate profile only for NextDNS. In this case, it works even if only the URL is specified (with the domain included). Then I toggled both Surfshark and DNS via the system settings. This approach works fine, so it can be used as a workaround if I combine these two actions using Shortcuts. However, the app's UI has issues with this approach:

  • The UI recognizes only one of the enabled profiles, and I can't toggle multiple profiles at the same time.
  • If two profiles are enabled in the settings (VPN + DNS), and the currently active one in the UI is the DNS profile, the traffic counter increases even for non-DNS traffic. It doesn’t make logical sense because it's clearly not sending hundreds of megs of Speedtest traffic via the NextDNS servers.

@keeshux (Member) commented Jan 19, 2025

> I tried creating a separate profile only for NextDNS. In this case, it works even if only the URL is specified (with the domain included).

When you say "it works", you mean the header in the "my.nextdns.io" page? It never works for me with DNS only.

@keeshux (Member) commented Jan 19, 2025

> Then I toggled both Surfshark and DNS via the system settings. This approach works fine, so it can be used as a workaround if I combine these two actions using Shortcuts. However, the app's UI has issues with this approach:
>
> • The UI recognizes only one of the enabled profiles, and I can't toggle multiple profiles at the same time.
> • If two profiles are enabled in the settings (VPN + DNS), and the currently active one in the UI is the DNS profile, the traffic counter increases even for non-DNS traffic. It doesn’t make logical sense because it's clearly not sending hundreds of megs of Speedtest traffic via the NextDNS servers.

I'm afraid that this will break at some point, the app is not prepared for that (yet).

@kuchkovsky (Author)

> When you say "it works", you mean the header in the "my.nextdns.io" page? It never works for me with DNS only.

Never mind, it doesn't work. Sorry for the confusion. Even VPN + DNS doesn't work. It just disables the built-in VPN DNS and falls back to the system one, which in my case is NextDNS.

@keeshux (Member) commented Jan 19, 2025

VPN + DNS always works for me when I provide the bootstrap IP, both CloudFlare and NextDNS.

Whereas I'm afraid to conclude that DNS-only profiles only work consistently with cleartext.

@keeshux keeshux removed this from the Hotfixes for v3 milestone Jan 19, 2025
@kuchkovsky (Author)

> VPN + DNS always works for me when I provide the bootstrap IP, both CloudFlare and NextDNS.

What I mean is that it doesn't work if they are enabled as separate VPN configurations at the same time. However, if they are included in a single profile, they work as expected if the IP is specified.

The weird thing is that the "Servers" IP must correspond to the DoH provider domain; otherwise, DNS doesn't work for me. It doesn't work with third-party DNS IPs, even though it should. Perhaps it tries to reuse the same "Servers" IP for the DoH queries under the hood, instead of resolving the DoH domain IP via cleartext DNS and then using that resolved IP for all subsequent DoH requests?

@keeshux (Member) commented Jan 19, 2025

In the meantime, I'm pretty sure that the inconsistencies of DNS-only and VPN-not-default-gateway profiles are 100% the same. Therefore marking this as related: #298

@keeshux (Member) commented Jan 19, 2025

> The weird thing is that the "Servers" IP must correspond to the DoH provider domain; otherwise, DNS doesn't work for me. It doesn't work with third-party DNS IPs, even though it should. Perhaps it tries to reuse the same "Servers" IP for the DoH queries under the hood, instead of resolving the DoH domain IP via cleartext DNS and then using that resolved IP for all subsequent DoH requests?

This is what puzzles me the most. I have no clue as to why other DNS IPs don't work. The issue should be fixed by falling back to the VPN/system resolvers, as you mentioned earlier. At this point, I have no idea what the Network Extension framework is doing with that IP under the hood. Probably worth reporting to Apple.

@kuchkovsky (Author) commented Jan 19, 2025

Considering how it works, would it be possible to hide the "Servers" block when a user selects DoH/DoT, and before establishing the tunnel, resolve the IPs of the DoH/DoT domain manually via the system resolver and apply them as if the user had entered them manually in the "Servers" block? This should solve the issue.
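The two ideas raised in this thread, keeshux's observation that a DNS module with no "Servers" should fall back to the VPN-pushed resolvers for bootstrap, and the suggestion above to resolve the DoH/DoT hostname up front and apply the result as if it had been typed into "Servers", can be modelled in a few lines. The following is an added example written for this page; it is not Passepartout code and does not use the Network Extension API. `DNSModule`, `VPNModule`, `bootstrap_servers` and `fake_resolve` are hypothetical names, and the resolver table is constructed offline from the addresses quoted in the thread so the script runs without network access.

```python
# Added example (not Passepartout code): pick the addresses a tunnel should use
# for a DoH/DoT endpoint, bootstrapping via the VPN or system resolvers when the
# user supplied none. All type names below are hypothetical stand-ins.
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Callable, List, Optional
from urllib.parse import urlsplit


@dataclass
class DNSModule:
    """Hypothetical stand-in for the app's DNS module settings."""
    protocol: str                        # "plain", "https" (DoH) or "tls" (DoT)
    doh_url: Optional[str] = None        # e.g. https://cloudflare-dns.com/dns-query
    dot_hostname: Optional[str] = None   # e.g. one.one.one.one
    servers: List[str] = field(default_factory=list)   # the "Servers" box in the UI


@dataclass
class VPNModule:
    """Hypothetical stand-in for a VPN module; dns_servers are the ones the VPN pushes."""
    dns_servers: List[str] = field(default_factory=list)


# A resolver takes (hostname, cleartext resolvers to ask) and returns the addresses found.
Resolver = Callable[[str, List[str]], List[str]]


def endpoint_host(dns: DNSModule) -> Optional[str]:
    """Hostname (or IP literal) the encrypted transport connects to; None for plain DNS."""
    if dns.protocol == "https" and dns.doh_url:
        return urlsplit(dns.doh_url).hostname
    if dns.protocol == "tls":
        return dns.dot_hostname
    return None


def is_ip_literal(text: str) -> bool:
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def bootstrap_servers(dns: DNSModule, vpn: Optional[VPNModule],
                      system_resolvers: List[str], resolve: Resolver) -> List[str]:
    """Return the IPs to place in the tunnel's DNS settings for this DNS module."""
    host = endpoint_host(dns)
    if host is None:
        # Plain DNS: the servers are the resolvers themselves; fall back to the VPN's.
        return list(dns.servers) or (list(vpn.dns_servers) if vpn else [])
    if is_ip_literal(host):
        # https://1.1.1.1/dns-query needs no bootstrap resolution at all.
        return [host]
    if dns.servers:
        # The user typed the endpoint addresses by hand (the workaround from the thread).
        return list(dns.servers)
    # Fallback chain: VPN-pushed DNS first, then the system resolvers. With neither
    # available there is nothing to bootstrap with, which matches the empty
    # /etc/resolv.conf observed in the thread.
    chain = (list(vpn.dns_servers) if vpn else []) + list(system_resolvers)
    if not chain:
        raise LookupError(f"no cleartext resolver available to bootstrap {host}")
    addresses = resolve(host, chain)
    if not addresses:
        raise LookupError(f"{host} did not resolve via {chain}")
    return addresses


# Constructed offline resolver table; the addresses are the ones quoted in this thread.
_FAKE_ZONE = {
    "cloudflare-dns.com": ["104.16.248.249", "104.16.249.249"],
    "dns.nextdns.io": ["217.146.2.63", "45.150.243.134"],
}


def fake_resolve(host: str, resolvers: List[str]) -> List[str]:
    """Stand-in for a cleartext lookup; answers only when some resolver is available."""
    if not resolvers:
        return []
    return list(_FAKE_ZONE.get(host, []))


if __name__ == "__main__":
    doh = DNSModule("https", doh_url="https://dns.nextdns.io/<MY_CONFIG_ID>")
    vpn = VPNModule(dns_servers=["10.8.0.1"])   # constructed VPN-pushed resolver
    print(bootstrap_servers(doh, vpn, [], fake_resolve))
```

The order of the fallback chain is the point: the VPN module comes before the DNS module in the profile, so its pushed resolvers are the natural bootstrap for a DoH/DoT hostname, and only a DNS-only profile should have to reach for the system resolvers.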

@keeshux (Member) commented Jan 19, 2025

> Considering how it works, would it be possible to hide the "Servers" block when a user selects DoH/DoT, and before establishing the tunnel, resolve the IPs of the DoH/DoT domain manually via the system resolver and apply them as if the user had entered them manually in the "Servers" block? This should solve the issue.

Theoretically, then I think that cloudflare-dns.com doesn't resolve to 1.1.1.1. Same for NextDNS apparently.

Am I missing something?

@kuchkovsky (Author)

> Theoretically, then I think that cloudflare-dns.com doesn't resolve to 1.1.1.1

Yes, but it shouldn't resolve to it. For me, it resolves to 104.16.248.249/104.16.249.249 and if I put any of them in the UI, everything works as expected.

The same thing with dns.nextdns.io that resolves to 217.146.2.63/45.150.243.134, and they fix DoH.

@keeshux (Member) commented Jan 19, 2025

> > Theoretically, then I think that cloudflare-dns.com doesn't resolve to 1.1.1.1
>
> Yes, but it shouldn't resolve to it. For me, it resolves to 104.16.248.249/104.16.249.249 and if I put any of them in the UI, everything works as expected.
>
> The same thing with dns.nextdns.io that resolves to 217.146.2.63/45.150.243.134, and they fix DoH.

Awesome, I'll get back to this after the hotfixes.

@keeshux keeshux added this to the Inconsistencies with DNS milestone Jan 19, 2025