Secure Connections broken since latest Plex Web update

So I’m having an issue that I think is related to this.
I am having an issue with the iOS app when sending the video to Chromecast.
It actually starts the cast, but then the iOS app loses connection and I can no longer manage the video playback from my phone.
I have my own SSL cert and key in the Plex server admin page, as I like to access the page from a subdomain.
I can connect to it, it says it is secure and reports my correct Comodo SSL cert.
In the plex server admin page, it says to enter: Custom certificate domain (Domain name to be published to plex.tv using your mapped port; must match a name from the custom certificate file.)
and it does match, as proof that my certificate does work.
However, I see this in the iOS app logs:

No secure connections for PMKRemotePlayer:0x1384d2410 identifier=b0d19bdb5011aad034afcb0d90d93641 name=Living Room

This is my chromecast.

Then I see this:
All secure connection tests to PMKServer:0x1381f0e40 identifier=32a2767a3b1fa2671900176a91fb5c7119a4a173 name=XXXXXXX Plex Server failed

Then this:
PMKPlexConnection.m:487 | Not trusting unexpected hostname XXXXXXXX.com for device PMKServer:0x1381f0e40 identifier=32a2767a3b1fa2671900176a91fb5c7119a4a173 name=XXXXX Plex Server

This is so frustrating, as it was working fine.
I am using pfSense; I did set up plex.direct in my unbound settings for my DNS resolver.
I even turned off DNS rebinding protection.

Plex pass would be nice if it came with some kind of support.
I posted a bug report in the iOS forum 4 days ago and am not getting ■■■■ for help.
About to switch to Emby out of principle…

@IamSpartacus said:
That sucks. What ISP is this?

KPN, Netherlands

I cannot even get to my Plex server. all other shared servers from friends are in my list, but my server isn’t, even when I’m sitting at the computer it’s installed on! started today. what’s going on!!!

@hockeyfreak said:
I cannot even get to my Plex server. all other shared servers from friends are in my list, but my server isn’t, even when I’m sitting at the computer it’s installed on! started today. what’s going on!!!

Had the same thing. You probably forced the server to use secure connections. Change to public DNS as a workaround or change the preferences.xml and change the secureconnection setting there to 1. You should be able to get to your server without a secure connection.

Hi All, I have been suffering from this issue for the last couple of days (also KPN, Netherlands as ISP btw) https://forums.plex.tv/discussion/214813/my-server-connections-are-messed-up-missing-share-servers-or-not-secure-on-local-lan

My current guess is that they changed the DNS registration and it just takes too much time to trickle down to all of us and all our ISPs, and that we are stuck sitting it out :frowning:

It’s a real shame. I just got a guy with thousands of movies on his NAS to set up Plex, proving to him how nice and easy it was, and the system never gave me any issues :frowning: and now, one month into using Plex for his collection, Plex is completely broken and there is no official word :frowning:

How is your ISP preventing you from using another DNS? Just add 8.8.8.8 in your network settings.

I’ve been having this issue as well for a few weeks, on and off.

@jmeehan11 said:
How is your ISP preventing you from using another DNS? Just add 8.8.8.8 in your network settings.

Of course I can change it per device. I mean changing it in the router so the clients get the DNS server automatically :slight_smile: I don’t want to do all those clients manually…

@jmeehan11 said:
How is your ISP preventing you from using another DNS? Just add 8.8.8.8 in your network settings.

Besides only having a single primary DNS entry in my router (and so losing all options for local DNS), it is also not working on the 4G network of the same provider, and I cannot change that on a phone-by-phone basis. This stuff has to work on a global level.
If this were a pure single-provider issue we could force them to solve it, but it seems to be bigger.

I am having this problem since last week. All my shared users can use my Plex library secure but I can only use it insecure, and when I use a vpn it is suddenly secure on the same computer. (ISP is also KPN, Netherlands)

I don’t know if I would go as far as saying Optimum is the reason why things are broken as this issue is popping up a lot more now on Reddit.
Another user had this same issue as the one I posted about on April 5th and it seems to come down to Optimum trying to secure their network by disabling DNS Rebinding which Plex heavily uses.
Because Optimum disabled or changed DNS Rebinding, Plex is now broken which makes me wonder about Plex and the code they are using to accomplish the secure connections. Because if other ISPs start protecting their networks by disabling DNS Rebinding, then Plex connections will fail.
From another user on Reddit:
Found out some more information. Check out the last paragraph of this article. I think this is 90% likely to be the cause: https://support.plex.tv/hc/en-us/articles/206225077-How-to-Use-Secure-Server-Connections
ISP Settings
In some cases, your ISP itself may prevent DNS Rebinding when using their DNS services. In this case, you can switch to using a different DNS service. Depending on your personal setup, you may need to update either your router configuration, your computer(s) configuration, or both.
The easiest thing is to switch to use either Google Public DNS or Open DNS. A colleague explained to me that DNS Re-binding, which Plex uses to facilitate its tunneling, serving, and sharing, is actually often considered a flaw in DNS and to use it is considered an exploit. He also mentioned that, in his opinion, to rely on DNS Re-binding to provide a service is bad practice because, although any current standards compliant DNS server will allow DNS Re-binding, it is unintentionally allowed and could be patched in a future version/config change. Thus, I think it’s probable that Optimum has chosen to “head this exploit off at the pass” and patch/block it – breaking Plex.

The problem lies with the fact that my 4G provider also blocks this, as do many of the visiting Wi-Fi networks I use now.
So this is an increasing problem that at some point all ISPs may implement. So Plex needs to rethink their solution.

I would like to hear from Plex. This thread has been alive for a week now, a lot of users are experiencing the same problem, and there is no response at all. Is the problem recognized? Will it be solved? Is it bad luck for us?

I’m a paying customer, I would like to know if I get what I pay for?

So glad I am not alone on this problem, but I fear it is going to get a lot worse before it gets better.
Sad thing is, I wiped out my entire folder structure thinking something was corrupt when it wasn’t, and now I have to generate all the BIF files again.

All,
It is our (ninjas) understanding the implementation of the plex.direct domain is to help protect against DNS rebinding attacks. It’s unclear why some ISPs have not yet supported *.plex.direct and others have. Those who do support/have it (my ISP being one) see no connection issues with this change.

I wrote the formal issue (problem ticket) and submitted it to get this resolved ASAP.

This thread, and others with the same problem, have been referenced in the writeup

I personally am tracking this and collecting all information possible in case more is needed by the dev team

I’d be curious to see some DNS query results from anyone experiencing problems. Running four sample queries would probably be enough to be illuminating:

nslookup 192-168-0-10.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct
nslookup 192-168-0-10.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct 8.8.8.8
nslookup 1-2-3-4.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct 
nslookup 1-2-3-4.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct 8.8.8.8

Run each of those and copy/paste the full results. For example, I get:

[Fri 13:18:04] sullman@mbp:  ~ 
$ nslookup 192-168-0-10.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct           
Server:		75.75.75.75
Address:	75.75.75.75#53

Non-authoritative answer:
Name:	192-168-0-10.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct
Address: 192.168.0.10


[Fri 13:18:11] sullman@mbp:  ~ 
$ nslookup 192-168-0-10.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct 8.8.8.8   
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
Name:	192-168-0-10.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct
Address: 192.168.0.10


[Fri 13:18:13] sullman@mbp:  ~ 
$ nslookup 1-2-3-4.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct                
Server:		75.75.75.75
Address:	75.75.75.75#53

Non-authoritative answer:
Name:	1-2-3-4.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct
Address: 1.2.3.4


[Fri 13:18:30] sullman@mbp:  ~ 
$ nslookup 1-2-3-4.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct 8.8.8.8        
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
Name:	1-2-3-4.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct
Address: 1.2.3.4

I am affected and I get:

nslookup 192-168-0-10.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct
Server: mijnmodem.kpn.lan
Address: 192.168.2.254

*** mijnmodem.kpn.lan can’t find 192-168-0-10.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct: Non-existent domain

nslookup 192-168-0-10.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
Name: 192-168-0-10.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct
Address: 192.168.0.10

nslookup 1-2-3-4.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct
Server: router.lan
Address: 192.168.2.254

*** router.lan can’t find 1-2-3-4.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct: Non-existent domain

nslookup 1-2-3-4.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8

*** google-public-dns-a.google.com can’t find 1-2-3-4.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct: Non-existent domain

I tested the same commands from another provider and there I get the same results as in your example. My provider is KPN Netherlands while the working one I tested is XS4ALL Netherlands.

Thanks for investigating this issue, I feel reassured now I know its is being looked into.

@ChuckPa said:
… It’s unclear why some ISPs have not yet supported *.plex.direct and others have. Those who do support/have it (my ISP being one) see no connection issues with this change.

My ISP supported it, it worked before. So apparently they decided to not support it anymore. Does it make sense to report it to my ISP? What should I report?

@schuyler said:
I’d be curious to see some DNS query results from anyone experiencing problems.

My results:

C:\>nslookup 192-168-0-10.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct
Server:  ns1.wxs.nl
Address:  195.121.1.34
*** ns1.wxs.nl can't find 192-168-0-10.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct: Non-existent domain

C:\>nslookup 192-168-0-10.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8
Non-authoritative answer:
Name:    192-168-0-10.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct
Address:  192.168.0.10

C:\>nslookup 1-2-3-4.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct
Server:  ns1.wxs.nl
Address:  195.121.1.34
*** ns1.wxs.nl can't find 1-2-3-4.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct: Non-existent domain

C:\>nslookup 1-2-3-4.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8
*** google-public-dns-a.google.com can't find 1-2-3-4.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct: Non-existent domain

Is this a “KPN only” problem or are there other providers having the same issue?

@LegeDoos said:

@ChuckPa said:
… It’s unclear why some ISPs have not yet supported *.plex.direct and others have. Those who do support/have it (my ISP being one) see no connection issues with this change.

My ISP supported it, it worked before. So apparently they decided to not support it anymore. Does it make sense to report it to my ISP? What should I report?

Is this a “KPN only” problem or are there other providers having the same issue?

@LegeDoos

This problem is being seen in other places and not just on your ISP. How widespread it is, is not yet known. If you wish to show this to your ISP and ask for their assistance, that would be beneficial, because in your case you can see that even the DNS lookup targeted at 8.8.8.8 was either intercepted or Google itself is having a problem with host google-public-dns-a. Another reply we’ve seen is where a completely incorrect (junk) address is returned by the ISP.

An example of junk being returned is my ISP:
[chuck@lizum ~.102]$ nslookup non-existant-dns.tld
Server: 192.168.0.12
Address: 192.168.0.12#53

Non-authoritative answer:
Name:	non-existant-dns.tld
Address: 104.239.198.84
Name:	non-existant-dns.tld
Address: 198.105.244.65

[chuck@lizum ~.103]$ nslookup non-existant-dns.direct
Server:		192.168.0.12
Address:	192.168.0.12#53

Non-authoritative answer:
Name:	non-existant-dns.direct
Address: 104.239.198.84
Name:	non-existant-dns.direct
Address: 198.105.244.65

My ISP supports *.plex.direct but, as you can see, non-existent names (.tld and .direct) return junk instead of the proper error message. This makes diagnosing the problem much more difficult if they don’t populate the .direct domain at all.

[chuck@lizum ~.104]$ nslookup 198.105.244.65
Server:		192.168.0.12
Address:	192.168.0.12#53

** server can't find 65.244.105.198.in-addr.arpa: NXDOMAIN

[chuck@lizum ~.105]$ nslookup 104.239.198.84
Server:		192.168.0.12
Address:	192.168.0.12#53

** server can't find 84.198.239.104.in-addr.arpa: NXDOMAIN

[chuck@lizum ~.106]$

** Note: 192.168.0.12 is my modem/router which uses the ISP DNS by default.
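The two posts above (the four nslookup probes, and the junk answers that an NXDOMAIN-rewriting resolver returns) amount to a small diagnostic procedure. The following is an added example, not code from the thread or from Plex: it parses the IP that a plex.direct name encodes in its first label, compares it with what a resolver answered, and interprets the private-IP/public-IP probe pair as one of the outcomes discussed in this thread. The probe addresses 192.168.0.10 and 1.2.3.4, the sample hash, and the result labels ("passthrough", "rebind-filtered", "nxdomain-hijack", "unresolvable") are assumptions for the example; the sample answers in the test are constructed from the outputs posted above.

```python
import ipaddress
import re
import socket

# A plex.direct host name carries the server's IPv4 address in its first
# label, with dots replaced by dashes, followed by a 32-hex-digit per-server
# identifier, e.g.
#   192-168-0-10.aaaaaaaabbbbbbbbccccccccdddddddd.plex.direct -> 192.168.0.10
PLEX_DIRECT_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:-\d{1,3}){3})\.(?P<hash>[0-9a-f]{32})\.plex\.direct\.?$",
    re.IGNORECASE,
)

# Placeholder hash used in the thread's probes; any 32 hex digits work for a
# probe because the answer is synthesised from the first label (assumption).
SAMPLE_HASH = "aaaaaaaabbbbbbbbccccccccdddddddd"


def probe_name(ip, server_hash=SAMPLE_HASH):
    """Build the plex.direct name that should resolve to `ip`."""
    ipaddress.IPv4Address(ip)  # raises on anything that is not an IPv4 literal
    return f"{ip.replace('.', '-')}.{server_hash}.plex.direct"


def expected_ip(name):
    """Return the IPv4 address encoded in a plex.direct host name."""
    m = PLEX_DIRECT_RE.match(name)
    if not m:
        raise ValueError(f"not a plex.direct host name: {name}")
    return ipaddress.IPv4Address(m.group("ip").replace("-", "."))


def classify_answer(name, answers):
    """Compare a resolver's answer with the address the name encodes.

    answers: list of address strings; an empty list means NXDOMAIN / no answer.
    Returns "ok", "nxdomain", or "junk" (an answer that is not the encoded IP,
    the symptom of an ISP rewriting NXDOMAIN to a search/ad page address).
    """
    if not answers:
        return "nxdomain"
    got = {ipaddress.ip_address(a) for a in answers}
    return "ok" if got == {expected_ip(name)} else "junk"


def diagnose_resolver(private_answers, public_answers,
                      private_ip="192.168.0.10", public_ip="1.2.3.4"):
    """Interpret the probe pair from the thread against one resolver.

    The private probe (an RFC 1918 address in the label) is the one that DNS
    rebinding protection strips; the public probe shows whether the resolver
    serves plex.direct at all. Junk answers are reported first because they
    mask the other two outcomes, which is exactly why they hinder diagnosis.
    """
    priv = classify_answer(probe_name(private_ip), private_answers)
    pub = classify_answer(probe_name(public_ip), public_answers)
    if priv == "junk" or pub == "junk":
        return "nxdomain-hijack"    # misses rewritten to bogus addresses
    if priv == "ok" and pub == "ok":
        return "passthrough"        # plex.direct works as intended
    if priv == "nxdomain" and pub == "ok":
        return "rebind-filtered"    # private answers dropped, public kept
    return "unresolvable"           # neither probe answered


def live_lookup(name):
    """Ask the system resolver; [] on NXDOMAIN. Needs network access, and the
    standard library only queries the system resolver, so the '... 8.8.8.8'
    variants from the thread still need nslookup or dig."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    priv_name, pub_name = probe_name("192.168.0.10"), probe_name("1.2.3.4")
    priv_ans, pub_ans = live_lookup(priv_name), live_lookup(pub_name)
    print(priv_name, "->", priv_ans)
    print(pub_name, "->", pub_ans)
    print("system resolver:", diagnose_resolver(priv_ans, pub_ans))
```

Run it once with the router's default DNS and once after switching the machine to a public resolver; a result that changes from "rebind-filtered" (or "unresolvable") to "passthrough" is the ISP-resolver behaviour described in this thread, while "nxdomain-hijack" means the resolver's answers cannot be trusted for this test at all.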

@here,

For everyone else having trouble accessing your server on your home LAN, I’ve been trying to work up a few things I think will get you by temporarily until this is completely resolved with the ISPs, or the dev team can figure out a way around such ISPs.

  1. SSH tunnel into my NAS just as if it were off-site
  2. Go to Settings - Server - Network
  3. Work with the 3 “Secure connections” options (Required, Preferred, Disabled)

I’ve found that on my home LAN, Preferred and Disabled operation completely masks any issue by falling back to HTTP (which is safe at home and on a wired LAN).

For those using Wi-Fi at home, your Wi-Fi should already be encrypted through the SSID password.

With server set to ‘Required’:

  1. HTTP://192.168.0.23:32400/web → “Connection Reset” error (this is expected)
  2. HTTPS://192.168.0.23:32400/web → Warning that the certificate does not match and is only valid for *.plex.direct
    Accept the warning to create an exception → Secure connection over home LAN now established

With server set to ‘Preferred’:

  HTTP://192.168.0.23:32400/web  → Normal operation
  HTTPS://192.168.0.23:32400/web → Normal operation (after it falls back to HTTP)