DNSCrypt/dnscrypt-proxy

bootstrap resolvers were ignored when http3 was turned on in version 2.1.2

so1ar opened this issue · 13 comments

so1ar commented

Output of the following commands:

./dnscrypt-proxy -version

2.1.2

./dnscrypt-proxy -check

nothing

./dnscrypt-proxy -resolve example.com

Resolving [example.com] using [::1] port 53

Unable to resolve: [Timeout]
  • Initially raised as discussion #...

What is affected by this bug?

DoH domain cannot be resolved

When does this occur?

Where does it happen?

How do we replicate the issue?

  • Using Manjaro ARM64 for Raspberry Pi 4, install dnscrypt-proxy from the official repo.

  • Configure bootstrap_resolvers = ['114.114.114.114:53'] and ignore_system_dns = true.

  • Add a custom DoH server and configure server_names = ['doh'] and listen_addresses = ['[::]:53'].

  • Start the dnscrypt-proxy service. The DoH domain cannot be resolved; here is the log, with the domain name replaced.

2月 04 01:31:50 pi dnscrypt-proxy[2196]: [2023-02-04 01:31:50] [NOTICE] dnscrypt-proxy 2.1.2
2月 04 01:31:50 pi dnscrypt-proxy[2196]: [2023-02-04 01:31:50] [NOTICE] Network connectivity detected
2月 04 01:31:50 pi dnscrypt-proxy[2196]: [2023-02-04 01:31:50] [NOTICE] Now listening to [::]:53 [UDP]
2月 04 01:31:50 pi dnscrypt-proxy[2196]: [2023-02-04 01:31:50] [NOTICE] Now listening to [::]:53 [TCP]
2月 04 01:31:50 pi dnscrypt-proxy[2196]: [2023-02-04 01:31:50] [NOTICE] Source [public-resolvers] loaded
2月 04 01:31:50 pi dnscrypt-proxy[2196]: [2023-02-04 01:31:50] [NOTICE] Source [relays] loaded
2月 04 01:31:50 pi dnscrypt-proxy[2196]: [2023-02-04 01:31:50] [NOTICE] Firefox workaround initialized
2月 04 01:31:50 pi dnscrypt-proxy[2196]: [2023-02-04 01:31:50] [NOTICE] Loading the set of forwarding rules from [/etc/dnscrypt-proxy/forwarding-rules.txt]
2月 04 01:32:00 pi dnscrypt-proxy[2196]: [2023-02-04 01:32:00] [ERROR] Post "https://domain.name:10443/dns-query?body_hash=70f9bde79b4c13da8c4c927d7d70c4c89005b05358dfebc2162696e7e0f92cee": lookup domain.name: Temporary failure in name resolution (Client.Timeout exceeded while awaiting headers)
2月 04 01:32:00 pi dnscrypt-proxy[2196]: [2023-02-04 01:32:00] [NOTICE] dnscrypt-proxy is waiting for at least one server to be reachable

Expected behavior (i.e. solution)

DoH domain can be resolved by bootstrap resolver.

A temporary workaround is to specify a nameserver to resolve my DoH domain in forwarding-rules.txt, but it doesn't feel right.

Other Comments

Can you try with a server on the normal port (443)?

Unfortunately, even with a custom port, I was not able to reproduce this.

Can you post the complete configuration file that reproduces this, maybe with the stamp of a public server?

so1ar commented

Can you try with a server on the normal port (443)?

Tested with a public dns server with normal 443 port and it went fine.

Can you post the complete configuration file that reproduces this, maybe with the stamp of a public server?

Unfortunately, the server I use is my private server, which I cannot show. Apart from that, I am using the default configuration file, and everything I changed is listed above.

Can 114.114.114.114 resolve your domain name? Did you try with other bootstrap servers?

so1ar commented

I also tried adding my IP address to the stamp, and it doesn't work.

What error do you get when the stamp includes your IP address?

Can you try to start the server with:

env DEBUG=1 dnscrypt-proxy -loglevel 0 -show-certs

?

I'm getting the same thing when testing on Alpine (2.1.2-r4)

https://drone.modem7.com/modem7/Dnscrypt-Proxy/120/1/4

Would it be worthwhile creating a separate issue or keep on this one?

so1ar commented

It seems to have been fixed in 2.1.3, so I'll just wait until Manjaro updates dnscrypt-proxy to version 2.1.3.

@so1ar, I deleted a comment above because it appeared to contain a domain name you were trying to hide. I've quoted the deleted message below with the domain name censored the same way as you had been doing.

Can 114.114.114.114 resolve your domain name? Did you try with other bootstrap servers?

I tried dig on my domain using 114.114.114.114 and it works fine. I also tried changing to another bootstrap server like 8.8.8.8, same result.

What error do you get when the stamp includes your IP address?

When my IP address was included in the stamp, no error occurs and the domain name still needs to be resolved.

Can you try to start the server with:

env DEBUG=1 dnscrypt-proxy -loglevel 0 -show-certs

?

Here is the log, and the domain name has also been replaced:

2月 04 13:40:54 pi env[10953]: [2023-02-04 13:40:54] [DEBUG] Adding [anon-v.dnscrypt.uk-ipv4] to the set of available relays
2月 04 13:40:54 pi env[10953]: [2023-02-04 13:40:54] [NOTICE] Firefox workaround initialized
2月 04 13:40:54 pi env[10953]: [2023-02-04 13:40:54] [NOTICE] Loading the set of forwarding rules from [/etc/dnscrypt-proxy/forwarding-rules.txt]
2月 04 13:40:54 pi env[10953]: [2023-02-04 13:40:54] [DEBUG] Refreshing certificates
2月 04 13:40:55 pi env[10953]: [2023-02-04 13:40:55] [DEBUG] Alt-Svc [domain.name:10443]: [[h3=":10443"]]
2月 04 13:40:55 pi env[10953]: [2023-02-04 13:40:55] [DEBUG] Using HTTP/3 for [domain.name:10443]
2月 04 13:40:55 pi env[10953]: [2023-02-04 13:40:55] [DEBUG] Using HTTP/3 transport for [domain.name:10443]
2月 04 13:40:55 pi env[10953]: [2023-02-04 13:40:55] [DEBUG] [https://domain.name:10443/dns-query?body_hash=704cc894e722ea0d7208f78f445207d73f0c513fda20ca4af18adfc7c0614998]: [Post "domain.name:1043/dns-query?body_hash=704cc894e722ea0d7208f78f445207d73f0c513fda20ca4af18adfc7c0614998": lookup domain.name: Temporary failure in name resolution]
2月 04 13:40:55 pi env[10953]: [2023-02-04 13:40:55] [INFO] [doh] [https://domain.name:10443/dns-query]: Post "https://domain.name:10443/dns-query?body_hash=704cc894e722ea0d7208f78f445207d73f0c513fda20ca4af18adfc7c0614998": lookup domain.name: Temporary failure in name resolution"https://domain.name:10443/dns-query?body_hash=
2月 04 13:40:55 pi systemd[1]: dnscrypt-proxy.service: Deactivated successfully.

It looks like something is wrong with HTTP/3, so I tried disabling http3 on my DoH server and it works fine.

so1ar commented

@welwood08 Thanks a lot, it was my negligence

Did the Manjaro package change the default configuration to set http3 to true?
It's supposed to be false by default.

@modem7's case is about resolving the source file URL, based on the logs and configs:

[2023-02-03 23:27:48] [NOTICE] dnscrypt-proxy 2.1.2
[2023-02-03 23:27:48] [NOTICE] Network connectivity detected
[2023-02-03 23:27:48] [NOTICE] Now listening to 0.0.0.0:53 [UDP]
[2023-02-03 23:27:48] [NOTICE] Now listening to 0.0.0.0:53 [TCP]
[2023-02-03 23:27:52] [NOTICE] System DNS configuration not usable yet, exceptionally resolving [ipv6.download.dnscrypt.info] using bootstrap resolvers over tcp
[2023-02-03 23:27:56] [NOTICE] Bootstrap resolvers didn't respond - Trying with the system resolver as a last resort

Vs
force_tcp = false
ignore_system_dns = true

I will ask:
How could it try system DNS first (spent 4s)? And over TCP? They don't match the configs. These are most confusing to me.

so1ar commented

Did the Manjaro package change the default configuration to set http3 to true? It's supposed to be false by default.

My bad, I set http3 to true and forgot to mention.
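The failure signature in the debug log above is HTTP/3 being selected for the DoH host, followed by an OS-level lookup failure for that same host. A small triage script for that pattern, as an added example that is not part of the thread or of dnscrypt-proxy; the sample log is constructed (the thread's placeholder host, a shortened body_hash) and the script expects -loglevel 0 output.

```python
import re

# Constructed sample in the shape of the thread's debug log (placeholder hosts).
SAMPLE_LOG = """\
[2023-02-04 13:40:55] [DEBUG] Using HTTP/3 transport for [domain.name:10443]
[2023-02-04 13:40:55] [DEBUG] [https://domain.name:10443/dns-query?body_hash=00]: [Post "https://domain.name:10443/dns-query?body_hash=00": lookup domain.name: Temporary failure in name resolution]
[2023-02-04 13:40:55] [INFO] [doh] [https://domain.name:10443/dns-query]: Post "https://domain.name:10443/dns-query?body_hash=00": lookup domain.name: Temporary failure in name resolution
[2023-02-04 13:41:02] [DEBUG] Using HTTP/3 transport for [doh.example:443]
[2023-02-04 13:41:03] [ERROR] Post "https://other.example/dns-query": lookup other.example: Temporary failure in name resolution
"""

TS_RE = re.compile(r"\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\]")
H3_RE = re.compile(r"Using HTTP/3(?: transport)? for \[(.+)\]\s*$")
# Go's resolver error: 'lookup HOST: REASON' or 'lookup HOST on SERVER: REASON'
LOOKUP_RE = re.compile(r"lookup (\S+?)(?: on \S+)?: (.+?)[\"\]]*\s*$")


def split_host_port(hostport):
    """Split 'host:port' or '[v6]:port'; the port is None when absent."""
    host, sep, port = hostport.rpartition(":")
    if not sep or not port.isdigit():
        return hostport.strip("[]"), None
    return host.strip("[]"), port


def h3_lookup_failures(log_text):
    """One finding per host that was switched to HTTP/3 and afterwards
    failed a name lookup, i.e. the signature reported in this issue."""
    h3_hosts = {}   # hostname -> port from the HTTP/3 selection line
    findings = {}   # hostname -> finding
    for line in log_text.splitlines():
        ts = TS_RE.search(line)
        when = ts.group(1) if ts else None
        m = H3_RE.search(line)
        if m:
            host, port = split_host_port(m.group(1))
            h3_hosts[host] = port
            continue
        m = LOOKUP_RE.search(line)
        if m and m.group(1) in h3_hosts:
            host = m.group(1)
            f = findings.setdefault(host, {
                "host": host, "port": h3_hosts[host],
                "first_seen": when, "reason": m.group(2), "count": 0})
            f["count"] += 1
    return list(findings.values())
```

Lookup failures for hosts that never switched to HTTP/3 are left out, so an unreachable bootstrap resolver or a source-URL failure like the second case in the thread does not get reported as this bug.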