
dnscrypt-proxy should check every IP associated with the same DoH server #2913

@nihil-admirari

Description


Output of the following commands:

./dnscrypt-proxy -version

2.1.12

./dnscrypt-proxy -check

[2025-07-16 18:59:02] [NOTICE] Using default Weighted Power of Two (WP2) load balancing strategy
[2025-07-16 18:59:02] [NOTICE] Configuration successfully checked

./dnscrypt-proxy -resolve example.com

Resolving [example.com] using 127.0.0.1 port 53

Resolver      : 79.127.216.19 (unn-79-127-216-19.datapacket.com.)

Canonical name: example.com.

IPv4 addresses: 23.215.0.138, 96.7.128.175, 96.7.128.198, 23.192.228.80, 23.192.228.84, 23.215.0.136
IPv6 addresses: 2600:1406:3a00:21::173e:2e66, 2600:1406:bc00:53::b81e:94c8, 2600:1406:bc00:53::b81e:94ce, 2600:1408:ec00:36::1736:7f24, 2600:1408:ec00:36::1736:7f31, 2600:1406:3a00:21::173e:2e65

Name servers  : a.iana-servers.net., b.iana-servers.net.
DNSSEC signed : yes
Mail servers  : 1 mail servers found

HTTPS alias   : -
HTTPS info    : -

Host info     : -
TXT records   : v=spf1 -all, _k2n1y4vw3qtb4skdx9e7dxt97qrmmq9

How do we replicate the issue?

If multiple IPs are provided for the same DoH server (https://noads.joindns4.eu/dns-query in this case, see https://www.joindns4.eu/for-public)

[static.'dns4eu-noads-ipv4']
stamp = 'sdns://AgMAAAAAAAAACzg2LjU0LjExLjEzIPf1ryiAHod9ffOivij-FJ8ydKftKfE2_VA845jLqAsNEW5vYWRzLmpvaW5kbnM0LmV1Ci9kbnMtcXVlcnk'

[static.'dns4eu-noads-ipv4-alt']
stamp = 'sdns://AgMAAAAAAAAADDg2LjU0LjExLjIxMyD39a8ogB6HfX3zor4o_hSfMnSn7SnxNv1QPOOYy6gLDRFub2Fkcy5qb2luZG5zNC5ldQovZG5zLXF1ZXJ5'

[static.'dns4eu-noads-ipv6']
stamp = 'sdns://AgMAAAAAAAAAFjJhMTM6MTAwMTo6ODY6NTQ6MTE6MTMg9_WvKIAeh31986K-KP4UnzJ0p-0p8Tb9UDzjmMuoCw0Rbm9hZHMuam9pbmRuczQuZXUKL2Rucy1xdWVyeQ'

[static.'dns4eu-noads-ipv6-alt']
stamp = 'sdns://AgMAAAAAAAAAFzJhMTM6MTAwMTo6ODY6NTQ6MTE6MjEzIPf1ryiAHod9ffOivij-FJ8ydKftKfE2_VA845jLqAsNEW5vYWRzLmpvaW5kbnM0LmV1Ci9kbnMtcXVlcnk'

and server_names mention them all

server_names = [
  'dns4eu-noads-ipv4',
  'dns4eu-noads-ipv4-alt',
  'dns4eu-noads-ipv6',
  'dns4eu-noads-ipv6-alt',
]

then, on a system without IPv6 connectivity, dnscrypt-proxy sometimes picks dns4eu-noads-ipv6 or dns4eu-noads-ipv6-alt at startup. When that happens, dnscrypt-proxy says that no server is reachable:

Jul 16 18:26:14 host dnscrypt-proxy[17277]: [2025-07-16 18:26:14] [ERROR] Get "https://noads.joindns4.eu/dns-query?dns=yv4BAAABAAAAAAABAAACAAEAACkQAAAAAAAAFAAMABCOlXr3pvDLlcj6KhTJcq-1": dial tcp [2a13:1001::86:54:11]:443: connect: network is unreachable
Jul 16 18:26:14 host dnscrypt-proxy[17277]: [2025-07-16 18:26:14] [NOTICE] dnscrypt-proxy is waiting for at least one server to be reachable

If dnscrypt-proxy were to pick one of the IPv4 addresses, it would declare all servers to be reachable, despite the lack of IPv6 connectivity:

Jul 16 18:26:17 host dnscrypt-proxy[17297]: [2025-07-16 18:26:17] [NOTICE] [dns4eu-noads-ipv4] OK (DoH) - rtt: 87ms
Jul 16 18:26:17 host dnscrypt-proxy[17297]: [2025-07-16 18:26:17] [NOTICE] [dns4eu-noads-ipv6-alt] OK (DoH) - rtt: 90ms
Jul 16 18:26:17 host dnscrypt-proxy[17297]: [2025-07-16 18:26:17] [NOTICE] [dns4eu-noads-ipv4-alt] OK (DoH) - rtt: 94ms
Jul 16 18:26:17 host dnscrypt-proxy[17297]: [2025-07-16 18:26:17] [NOTICE] [dns4eu-noads-ipv6] OK (DoH) - rtt: 97ms
Jul 16 18:26:17 host dnscrypt-proxy[17297]: [2025-07-16 18:26:17] [NOTICE] Sorted latencies:
Jul 16 18:26:17 host dnscrypt-proxy[17297]: [2025-07-16 18:26:17] [NOTICE] -    87ms dns4eu-noads-ipv4
Jul 16 18:26:17 host dnscrypt-proxy[17297]: [2025-07-16 18:26:17] [NOTICE] -    90ms dns4eu-noads-ipv6-alt
Jul 16 18:26:17 host dnscrypt-proxy[17297]: [2025-07-16 18:26:17] [NOTICE] -    94ms dns4eu-noads-ipv4-alt
Jul 16 18:26:17 host dnscrypt-proxy[17297]: [2025-07-16 18:26:17] [NOTICE] -    97ms dns4eu-noads-ipv6
Jul 16 18:26:17 host dnscrypt-proxy[17297]: [2025-07-16 18:26:17] [NOTICE] Server with the lowest initial latency: dns4eu-noads-ipv4 (rtt: 87ms)
Jul 16 18:26:17 host dnscrypt-proxy[17297]: [2025-07-16 18:26:17] [NOTICE] dnscrypt-proxy is ready - live servers: 4

bootstrap_resolvers are empty, but they don't help since

## They will never be used if lists have already been cached, and if the stamps
## of the configured servers already include IP addresses (which is the case for
## most of DoH servers, and for all DNSCrypt servers and relays).

The issue is not reproducible with DNSCrypt servers. With DNSCrypt servers, IPv6 ones simply timeout at startup, and only IPv4 ones remain:

Jul 16 14:21:13 host dnscrypt-proxy[2480]: [2025-07-16 14:21:13] [NOTICE] [quad9-dnscrypt-ip6-filter-pri] TIMEOUT
Jul 16 14:21:13 host dnscrypt-proxy[2480]: [2025-07-16 14:21:13] [NOTICE] [quad9-dnscrypt-ip6-filter-alt2] TIMEOUT
Jul 16 14:21:13 host dnscrypt-proxy[2480]: [2025-07-16 14:21:13] [NOTICE] [quad9-dnscrypt-ip6-filter-alt] TIMEOUT
Jul 16 14:22:01 host dnscrypt-proxy[2480]: [2025-07-16 14:22:01] [NOTICE] [quad9-dnscrypt-ip4-filter-alt] should upgrade to XChaCha20 for encryption
Jul 16 14:22:01 host dnscrypt-proxy[2480]: [2025-07-16 14:22:01] [NOTICE] [quad9-dnscrypt-ip4-filter-alt] OK (DNSCrypt) - rtt: 2712ms
Jul 16 14:22:01 host dnscrypt-proxy[2480]: [2025-07-16 14:22:01] [NOTICE] [quad9-dnscrypt-ip4-filter-alt] OK (DNSCrypt) - rtt: 2712ms - additional certificate

Expected behavior (i.e. solution)

I want to be able to ship the same config to both IPv6-enabled and IPv6-lacking servers without modifications. When multiple IPs are associated with the same DoH server, they should be tried in sequence until a working one is found, and only after that should they be declared unreachable.
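The four stamps quoted in the report look like four servers to dnscrypt-proxy, but they differ only in the address field. The script below is an added example written for this page, not dnscrypt-proxy's own code: it decodes the sdns:// DoH stamps (protocol id 0x02, following the public DNS Stamps layout), groups them by hostname, path and port to show they are one endpoint with the same certificate hash, and sketches the behaviour the report asks for: order the addresses by what the host can route, try them in sequence, and declare the endpoint unreachable only when every address failed. `has_ipv6_route`, `ordered_candidates`, `first_reachable` and the v4-only dialer are illustrative names; the dialer is a constructed stand-in for a real TCP connect.

```python
import base64
import ipaddress
import socket
from collections import defaultdict

# The four stamps from the issue's [static.*] sections.
STAMPS = {
    "dns4eu-noads-ipv4":     "sdns://AgMAAAAAAAAACzg2LjU0LjExLjEzIPf1ryiAHod9ffOivij-FJ8ydKftKfE2_VA845jLqAsNEW5vYWRzLmpvaW5kbnM0LmV1Ci9kbnMtcXVlcnk",
    "dns4eu-noads-ipv4-alt": "sdns://AgMAAAAAAAAADDg2LjU0LjExLjIxMyD39a8ogB6HfX3zor4o_hSfMnSn7SnxNv1QPOOYy6gLDRFub2Fkcy5qb2luZG5zNC5ldQovZG5zLXF1ZXJ5",
    "dns4eu-noads-ipv6":     "sdns://AgMAAAAAAAAAFjJhMTM6MTAwMTo6ODY6NTQ6MTE6MTMg9_WvKIAeh31986K-KP4UnzJ0p-0p8Tb9UDzjmMuoCw0Rbm9hZHMuam9pbmRuczQuZXUKL2Rucy1xdWVyeQ",
    "dns4eu-noads-ipv6-alt": "sdns://AgMAAAAAAAAAFzJhMTM6MTAwMTo6ODY6NTQ6MTE6MjEzIPf1ryiAHod9ffOivij-FJ8ydKftKfE2_VA845jLqAsNEW5vYWRzLmpvaW5kbnM0LmV1Ci9kbnMtcXVlcnk",
}

def _lp(buf, pos):
    """One length-prefixed string: a length byte (high bit masked off), then the bytes."""
    n = buf[pos] & 0x7F
    return buf[pos + 1:pos + 1 + n], pos + 1 + n

def _vlp(buf, pos):
    """Vector of length-prefixed strings; a set high bit on a length means another item follows."""
    items = []
    while True:
        more = buf[pos] & 0x80
        item, pos = _lp(buf, pos)
        if item:
            items.append(item)
        if not more:
            return items, pos

def parse_doh_stamp(stamp):
    """Parse an sdns:// DoH stamp into its fields; rejects stamps for other protocols."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    body = stamp[len("sdns://"):]
    buf = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))  # stamps carry no padding
    if buf[0] != 0x02:
        raise ValueError("protocol id 0x%02x is not DoH" % buf[0])
    props = int.from_bytes(buf[1:9], "little")
    addr, pos = _lp(buf, 9)
    hashes, pos = _vlp(buf, pos)
    hostname, pos = _lp(buf, pos)
    path, pos = _lp(buf, pos)
    bootstrap, pos = _vlp(buf, pos) if pos < len(buf) else ([], pos)  # optional trailing field
    return {
        "dnssec": bool(props & 1), "nolog": bool(props & 2), "nofilter": bool(props & 4),
        "addr": addr.decode(), "hashes": [h.hex() for h in hashes],
        "hostname": hostname.decode(), "path": path.decode(),
        "bootstrap_ips": [b.decode() for b in bootstrap],
    }

def split_addr(addr, default_port=443):
    """Split a stamp addr ('ip', 'ip:port', '[v6]:port', ':port' or '') into (ip, port)."""
    if not addr:
        return "", default_port
    if addr.startswith("["):
        end = addr.index("]")
        rest = addr[end + 1:]
        return addr[1:end], int(rest[1:]) if rest.startswith(":") else default_port
    try:
        ipaddress.ip_address(addr)          # bare IPv4 or bare IPv6 (as in the stamps above)
        return addr, default_port
    except ValueError:
        ip, _, port = addr.rpartition(":")  # IPv4:port or :port
        return ip, int(port)

def group_by_endpoint(stamps):
    """Group server names by (hostname, path, port): members are addresses of one DoH endpoint."""
    groups = defaultdict(list)
    for name, stamp in stamps.items():
        s = parse_doh_stamp(stamp)
        ip, port = split_addr(s["addr"])
        groups[(s["hostname"], s["path"], port)].append((name, ip))
    return dict(groups)

def has_ipv6_route(probe="2001:4860:4860::8888"):
    """Cheap local check: a UDP connect() only does a route lookup and sends nothing.
    It means 'there is a global IPv6 route', not 'IPv6 works end to end'."""
    if not socket.has_ipv6:
        return False
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as s:
            s.connect((probe, 53))
        return True
    except OSError:
        return False

def ordered_candidates(members, ipv6_ok):
    """Keep config order, but without an IPv6 route move IPv6 addresses to the end
    rather than dropping them, so they are still tried if every IPv4 address fails."""
    fam = lambda m: ipaddress.ip_address(m[1]).version
    return sorted(members, key=lambda m: 0 if ipv6_ok or fam(m) == 4 else 1)  # stable sort

def first_reachable(candidates, dial):
    """Try candidates in sequence; return the first (name, ip) that dial() accepts,
    or None only when every address failed (that is when the endpoint is unreachable)."""
    for name, ip in candidates:
        try:
            if dial(ip):
                return name, ip
        except OSError:
            continue
    return None

def dial_v4_only(ip):
    """Constructed stand-in for a TCP dial on a host without IPv6 connectivity."""
    if ipaddress.ip_address(ip).version == 6:
        raise OSError(101, "Network is unreachable")
    return True

if __name__ == "__main__":
    v6 = has_ipv6_route()
    for (host, path, port), members in group_by_endpoint(STAMPS).items():
        cands = ordered_candidates(members, v6)
        print(f"https://{host}{path} port {port}: {len(members)} addresses, ipv6 route={v6}")
        print("  try order:", [ip for _, ip in cands])
        print("  pick with v4-only dialer:", first_reachable(cands, dial_v4_only))
```

Run as a script it prints one endpoint, https://noads.joindns4.eu/dns-query on port 443, with its four addresses; on a host without an IPv6 route the two 2a13:1001:: addresses move to the back of the try order, and the v4-only dialer selects 86.54.11.13. Note that `has_ipv6_route` only detects the "network is unreachable" case from the report; a host with a dead default IPv6 route will still time out on the v6 addresses, which is why they are kept as later candidates rather than discarded.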
