
DoH Resolution via DNSCrypt-Proxy very unstable

Hi, I have two DNS resolvers based on Pi-hole, one on a Pi 4 and another on Ubuntu 20.04 LTS. Both use dnscrypt-proxy v2 to query NextDNS. Starting March 12/13, resolution has become extremely poor, failing for ~70% of queries. I replaced the upstream DNS servers with Quad9 and Cloudflare and all works fine. I then replaced the upstream DNS servers with unencrypted NextDNS resolvers and all works fine. Testing for the last few days still reveals the same results, even now.

Anything going on resolving encrypted DoH requests?

15 replies

    • olivier
    • 3 yrs ago

    Please submit a https://nextdns.io/diag

    • Neil
    • 3 yrs ago

    Olivier Poitrey I've tried a few times and can't get a successful post. Here's some odd behaviour though.

    Testing IPv6 connectivity
      available: false
    Fetching https://test.nextdns.io
      Fetch error: Get "https://test.nextdns.io": dial tcp: lookup test.nextdns.io: getaddrinfow: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
    Fetching PoP name for ultra low latency primary IPv4 (ipv4.dns1.nextdns.io)
    Fetch error: Get "https://dns.nextdns.io/info": dial tcp: lookup ipv4.dns1.nextdns.io: getaddrinfow: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
    Fetching PoP name for ultra low latency secondary IPv4 (ipv4.dns2.nextdns.io)
    Fetch error: Get "https://dns.nextdns.io/info": dial tcp: lookup ipv4.dns2.nextdns.io: getaddrinfow: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
    Fetching PoP name for anycast primary IPv4 (45.90.28.0)
      vultr-chi: 15.187ms
    Fetching PoP name for anycast secondary IPv4 (45.90.30.0)
      anexia-yto: 3.174ms
    Pinging PoPs
      error: Get "https://router.nextdns.io/?limit=10&stack=dual": dial tcp: lookup router.nextdns.io: getaddrinfow: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
      Traceroute error: lookup ipv4.dns1.nextdns.io: getaddrinfow: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
      Traceroute error: lookup ipv4.dns2.nextdns.io: getaddrinfow: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
    Traceroute for anycast primary IPv4 (45.90.28.0)
        2    10.11.3.201    2ms   4ms   1ms
        3                   *     *     *
        4  64.230.59.182    7ms   7ms   7ms
        5 64.230.106.105    2ms   1ms   1ms
        6   64.230.79.73   14ms  14ms  14ms
        7    4.15.248.93    *     *    15ms
        8   4.69.142.105    *    16ms  16ms
        9    4.14.14.158   18ms  17ms  18ms
       10                   *     *     *
       11                   *     *     *
       12                   *     *     *
       13     45.90.28.0   17ms  16ms  16ms
    Traceroute for anycast secondary IPv4 (45.90.30.0)
        2    10.11.3.201    2ms  40ms  36ms
        3                   *     *     *
        4  64.230.59.188    6ms   7ms   7ms
        5 64.230.107.187    2ms   2ms   2ms
        6 64.230.107.186    6ms   3ms   3ms
        7  64.230.51.162    *     *     3ms
        8  64.230.52.231    2ms   2ms   2ms
        9 213.248.97.222    3ms   2ms   2ms
       10 62.115.117.229    3ms   3ms   3ms
       11  62.115.160.18    4ms   3ms   3ms
       12 188.172.249.32    2ms   2ms   2ms
       13     45.90.30.0    2ms   2ms   2ms
    Do you want to send this report? [Y/n]: Optional email in case we need additional info: y
    Post unsuccessful: status 400
    {"error":"0: instance.Test requires property \"Client\"\n"}
    
    • Neil
    • 3 yrs ago

    Olivier Poitrey I did get a successful post eventually. https://nextdns.io/diag/b6081bc0-8598-11eb-909c-bbd98deb2146

    • olivier
    • 3 yrs ago

    Seems like nextdns.io domain is blocked on your network. What do you get for « nslookup dns.nextdns.io »

    • Nathan
    • 3 yrs ago

    I had the same issue with the same setup. I had no issues until 3/12-13 and then my internet went out for the majority of devices. I didn't make any changes on my end prior to the issues, and changing away from NextDNS servers immediately resolved the issue. I couldn't find a way to fix it so I decided to stop using DNSCrypt-Proxy (which I thought worked really well). I'm now trying the NextDNS CLI client on my router (OPNsense) but it seems to do a terrible job of actually encrypting traffic (only successful with maybe 30-50% of DNS queries) which is frustrating. I'd be interested in a solution to the DNSCrypt method.

      • olivier
      • 3 yrs ago

      Nathan, the CLI is not able to NOT encrypt queries, so having only 30-50% encrypted queries with the CLI is not possible. You might have some hosts not going through the CLI.

      • Nathan
      • 3 yrs ago

      Olivier Poitrey I clearly don't have deep technical knowledge of how the CLI works. Is there a way to make sure hosts are going through the CLI (which I thought would be the case given that it's running on my router)?

      • olivier
      • 3 yrs ago

      Nathan make sure all your hosts on your LAN are using DHCP supplied DNS.

    • Neil
    • 3 yrs ago

    Olivier Poitrey you were partly correct.  NextDNS was added to a DoH filter list recently. 

    https://raw.githubusercontent.com/oneoffdallas/dohservers/master/list.txt

    But that hasn't solved the whole issue. Here is an example of using the unencrypted IPv4 address to query NextDNS:

    C:\>nslookup dns.nextdns.io
    Server:  pihole
    Address:  192.168.1.50
    Non-authoritative answer:
    Name:    steering.nextdns.io
    Addresses:  2605:380:55:450::7
              2001:19f0:b001:1bb:5400:2ff:fec8:6dcc
              188.172.221.9
              155.138.130.135
    Aliases:  dns.nextdns.io

    Here is the same thing when sending the request through DNSCrypt-Proxy:

    C:\>nslookup dns.nextdns.io
    Server:  pihole
    Address:  192.168.1.50
    *** pihole can't find dns.nextdns.io: Server failed

    After ~10 requests I will get an answer:

    Server:  pihole
    Address:  192.168.1.50
    Name:    steering.nextdns.io
    Addresses:  2605:380:55:450::7
              2001:19f0:b001:1bb:5400:2ff:fec8:6dcc
    Aliases:  dns.nextdns.io

    OR

    Server:  pihole
    Address:  192.168.1.50
    Non-authoritative answer:
    Name:    steering.nextdns.io
    Addresses:  2001:19f0:b001:1bb:5400:2ff:fec8:6dcc
              2605:380:55:450::7
              188.172.221.9
              155.138.130.135
    Aliases:  dns.nextdns.io
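The DoH-server blocklist linked in this reply is the kind of list that, once imported into Pi-hole, blocks the very hostnames dnscrypt-proxy (or the NextDNS CLI) has to resolve before it can reach its encrypted upstream, which is why the diag tool and nslookup fail on nextdns.io names while the anycast IPs still answer. The script below is an added example, not code from the thread, NextDNS, Pi-hole or dnscrypt-proxy: it parses a blocklist in the plain and hosts-file formats Pi-hole accepts and reports which forwarder bootstrap hostnames it covers, either by an exact entry or by a parent-domain entry (which matters if the list is also used with wildcard or regex blocking). The blocklist text is constructed for illustration; the hostnames checked are the NextDNS names from the diag output above plus two other public resolvers chosen as examples.

```python
"""Audit a domain blocklist for entries that would block a DoH/DNSCrypt
forwarder's own bootstrap lookups.

Added example; not code from the thread, NextDNS, Pi-hole or dnscrypt-proxy.
SAMPLE_BLOCKLIST is constructed; the real list discussed in the thread is at
https://raw.githubusercontent.com/oneoffdallas/dohservers/master/list.txt
"""

# Constructed sample mixing the plain and hosts-file styles Pi-hole imports.
SAMPLE_BLOCKLIST = """\
# DoH servers (constructed sample, not the real list)
dns.google
cloudflare-dns.com
dns.nextdns.io
nextdns.io
0.0.0.0 doh.opendns.com
127.0.0.1 dns.adguard.com
"""

# Names the forwarder must resolve to reach its upstream. The NextDNS ones
# are taken from the diag output in this thread; the last two are examples.
FORWARDER_HOSTNAMES = [
    "dns.nextdns.io",
    "ipv4.dns1.nextdns.io",
    "router.nextdns.io",
    "doh.opendns.com",
    "one.one.one.one",
]


def parse_blocklist(text):
    """Return the set of blocked domains from a plain or hosts-style list."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        # hosts format ("0.0.0.0 example.com"): the name is the last field
        host = parts[-1] if len(parts) > 1 else parts[0]
        blocked.add(host.lower().rstrip("."))
    return blocked


def blocking_entry(hostname, blocked):
    """Return (entry, how) for the blocklist entry covering hostname, or None.

    Pi-hole's exact lists match the queried name only, so "exact" is the
    hit that always matters; "via parent" flags an entry that would catch
    the name if the same list feeds wildcard/regex blocking.
    """
    name = hostname.lower().rstrip(".")
    if name in blocked:
        return name, "exact"
    labels = name.split(".")
    # walk up to, but not including, the public suffix's last label
    for i in range(1, len(labels) - 1):
        parent = ".".join(labels[i:])
        if parent in blocked:
            return parent, "via parent"
    return None


def audit(hostnames, blocklist_text):
    """Map each forwarder hostname to the entry blocking it (or None)."""
    blocked = parse_blocklist(blocklist_text)
    return {h: blocking_entry(h, blocked) for h in hostnames}


if __name__ == "__main__":
    for host, hit in audit(FORWARDER_HOSTNAMES, SAMPLE_BLOCKLIST).items():
        status = f"BLOCKED by {hit[0]} ({hit[1]})" if hit else "ok"
        print(f"{host:28} {status}")
```

Run it against the real list by saving the URL above to a file and passing its text to `audit`. For any hit, either allowlist the hostname in Pi-hole or give the forwarder a bootstrap resolver that does not pass through Pi-hole, so that its own lookups cannot be blocked by the list it is sitting behind.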

    • olivier
    • 3 yrs ago

    Can you try with the CLI instead of PiHole?

      • Neil
      • 3 yrs ago

      Olivier Poitrey The CLI, by itself, seems to work fine. When I install it on Ubuntu Server 20.04 with Pi-hole and the embedded dnsmasq, it will not install. It always wants to listen on port 53, no matter what I put in the config file.

      • olivier
      • 3 yrs ago

      Neil set the "setup-router" to false.

      • Neil
      • 3 yrs ago

      Olivier Poitrey That works now, but I still get failures very often, especially querying nextdns.io.

      Server:  pihole
      Address:  192.168.1.50
      *** pihole can't find dns.nextdns.io: Server failed

    • Neil
    • 3 yrs ago

    Olivier Poitrey Nope, it has since gotten significantly worse. Same behaviour as dnscrypt-proxy. I've reverted to unencrypted NextDNS resolvers and performance is much better. I'm going to try some detailed traces and pcaps later this evening.

    • Neil
    • 3 yrs ago

    I think I've narrowed it down more. With DNSSEC turned on in Pi-hole, terrible performance, many sites not resolving. With DNSSEC turned off, resolution is nearly 100%. This must have something to do with the fixes made last weekend. This config has been running fine with DNSSEC for more than 6 months.
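The last reply narrows the failures down to Pi-hole's DNSSEC validation. With query logging on, Pi-hole's dnsmasq log records each forward, the validation verdict and the reply, so the two failure modes seen in this thread can be told apart: a SERVFAIL that follows a BOGUS verdict (a DNSSEC problem between dnsmasq and the upstream) and a SERVFAIL with no validation line at all (the upstream simply did not answer, as when the forwarder's bootstrap names are blocked). The script below is an added example, not code from the thread or from Pi-hole; the log lines are constructed in the shape of dnsmasq's query log and are not a capture from either of the systems discussed above.

```python
"""Separate DNSSEC-caused SERVFAILs from plain upstream failures in a
dnsmasq-style query log, and compute the per-upstream failure rate.

Added example, not code from the thread or Pi-hole. SAMPLE_LOG is constructed
to look like dnsmasq query logging; it is not a real capture.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Mar 20 21:01:02 dnsmasq[812]: query[A] www.example.com from 192.168.1.20
Mar 20 21:01:02 dnsmasq[812]: forwarded www.example.com to 127.0.0.1#5053
Mar 20 21:01:02 dnsmasq[812]: validation result is INSECURE
Mar 20 21:01:02 dnsmasq[812]: reply www.example.com is 93.184.216.34
Mar 20 21:01:03 dnsmasq[812]: query[A] dns.nextdns.io from 192.168.1.20
Mar 20 21:01:03 dnsmasq[812]: forwarded dns.nextdns.io to 127.0.0.1#5053
Mar 20 21:01:05 dnsmasq[812]: reply dns.nextdns.io is SERVFAIL
Mar 20 21:01:06 dnsmasq[812]: query[A] example.org from 192.168.1.21
Mar 20 21:01:06 dnsmasq[812]: forwarded example.org to 127.0.0.1#5053
Mar 20 21:01:06 dnsmasq[812]: validation example.org is BOGUS
Mar 20 21:01:06 dnsmasq[812]: reply example.org is SERVFAIL
Mar 20 21:01:07 dnsmasq[812]: query[A] example.net from 192.168.1.21
Mar 20 21:01:07 dnsmasq[812]: forwarded example.net to 127.0.0.1#5053
Mar 20 21:01:07 dnsmasq[812]: validation result is SECURE
Mar 20 21:01:07 dnsmasq[812]: reply example.net is 93.184.216.34
Mar 20 21:01:08 dnsmasq[812]: query[AAAA] example.org from 192.168.1.21
Mar 20 21:01:08 dnsmasq[812]: forwarded example.org to 127.0.0.1#5053
Mar 20 21:01:08 dnsmasq[812]: validation result is BOGUS
Mar 20 21:01:08 dnsmasq[812]: reply example.org is SERVFAIL
"""

FORWARD_RE = re.compile(r"forwarded (\S+) to (\S+)")
VALIDATION_RE = re.compile(r"validation (\S+) is (\S+)")
REPLY_RE = re.compile(r"reply (\S+) is (\S+)")


def analyse(log_text):
    """Return per-upstream answered/servfail counts and a split of SERVFAILs
    into those preceded by a BOGUS verdict and those with none."""
    upstream_of = {}          # name -> upstream it was last forwarded to
    last_forwarded = None     # for bare "validation result is ..." lines
    bogus = set()             # names whose DNSSEC validation failed
    per_upstream = defaultdict(Counter)
    servfail_after_bogus = 0
    servfail_other = 0

    for line in log_text.splitlines():
        m = FORWARD_RE.search(line)
        if m:
            upstream_of[m.group(1)] = m.group(2)
            last_forwarded = m.group(1)
            continue
        m = VALIDATION_RE.search(line)
        if m:
            # verdict may name the record or just say "result"
            name = last_forwarded if m.group(1) == "result" else m.group(1)
            if m.group(2) == "BOGUS" and name:
                bogus.add(name)
            continue
        m = REPLY_RE.search(line)
        if m:
            name, rdata = m.groups()
            up = upstream_of.get(name, "cache/local")
            if rdata == "SERVFAIL":
                per_upstream[up]["servfail"] += 1
                if name in bogus:
                    servfail_after_bogus += 1
                else:
                    servfail_other += 1
            else:
                per_upstream[up]["answered"] += 1

    total = sum(c["answered"] + c["servfail"] for c in per_upstream.values())
    failed = sum(c["servfail"] for c in per_upstream.values())
    return {
        "per_upstream": {u: dict(c) for u, c in per_upstream.items()},
        "servfail_after_bogus": servfail_after_bogus,
        "servfail_other": servfail_other,
        "failure_rate": failed / total if total else 0.0,
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for upstream, counts in result["per_upstream"].items():
        print(f"{upstream}: {counts}")
    print("SERVFAIL after BOGUS:", result["servfail_after_bogus"])
    print("SERVFAIL with no verdict:", result["servfail_other"])
    print(f"failure rate: {result['failure_rate']:.0%}")
```

On the constructed sample the split is two DNSSEC-related failures against one bare upstream failure, which is the distinction that tells you whether toggling DNSSEC or fixing the blocked bootstrap names is the right next step. Because dnsmasq may log the verdict as a bare "validation result is ..." line, the parser attributes such a line to the most recently forwarded name; on a busy resolver with interleaved queries that is an approximation, and a real tool should key on the per-query ID where the log carries one.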
