DoH Resolution via DNSCrypt-Proxy very unstable
Hi, I have two DNS resolvers based on Pi-hole: one on a Pi 4 and another on Ubuntu 20.04 LTS. Both use dnscrypt-proxy v2 to query NextDNS. Starting March 12/13, resolution has become extremely poor, failing for ~70% of queries. I replaced the upstream DNS servers with Quad9 and Cloudflare and all works fine. I then replaced the upstream DNS servers with unencrypted NextDNS resolvers and all works fine. Testing for the last few days still reveals the same results, even now.
Anything going on resolving encrypted DoH requests?
15 replies
-
Please submit a https://nextdns.io/diag
-
Olivier Poitrey I've tried a few times and can't get a successful post. Here's some odd behaviour though.
Testing IPv6 connectivity
  available: false
Fetching https://test.nextdns.io
  Fetch error: Get "https://test.nextdns.io": dial tcp: lookup test.nextdns.io: getaddrinfow: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
Fetching PoP name for ultra low latency primary IPv4 (ipv4.dns1.nextdns.io)
  Fetch error: Get "https://dns.nextdns.io/info": dial tcp: lookup ipv4.dns1.nextdns.io: getaddrinfow: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
Fetching PoP name for ultra low latency secondary IPv4 (ipv4.dns2.nextdns.io)
  Fetch error: Get "https://dns.nextdns.io/info": dial tcp: lookup ipv4.dns2.nextdns.io: getaddrinfow: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
Fetching PoP name for anycast primary IPv4 (45.90.28.0)
  vultr-chi: 15.187ms
Fetching PoP name for anycast secondary IPv4 (45.90.30.0)
  anexia-yto: 3.174ms
Pinging PoPs
  error: Get "https://router.nextdns.io/?limit=10&stack=dual": dial tcp: lookup router.nextdns.io: getaddrinfow: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
Traceroute error: lookup ipv4.dns1.nextdns.io: getaddrinfow: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
Traceroute error: lookup ipv4.dns2.nextdns.io: getaddrinfow: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
Traceroute for anycast primary IPv4 (45.90.28.0)
   2  10.11.3.201     2ms   4ms   1ms
   3  *               *     *     *
   4  64.230.59.182   7ms   7ms   7ms
   5  64.230.106.105  2ms   1ms   1ms
   6  64.230.79.73    14ms  14ms  14ms
   7  4.15.248.93     *     *     15ms
   8  4.69.142.105    *     16ms  16ms
   9  4.14.14.158     18ms  17ms  18ms
  10  *               *     *     *
  11  *               *     *     *
  12  *               *     *     *
  13  45.90.28.0      17ms  16ms  16ms
Traceroute for anycast secondary IPv4 (45.90.30.0)
   2  10.11.3.201     2ms   40ms  36ms
   3  *               *     *     *
   4  64.230.59.188   6ms   7ms   7ms
   5  64.230.107.187  2ms   2ms   2ms
   6  64.230.107.186  6ms   3ms   3ms
   7  64.230.51.162   *     *     3ms
   8  64.230.52.231   2ms   2ms   2ms
   9  213.248.97.222  3ms   2ms   2ms
  10  62.115.117.229  3ms   3ms   3ms
  11  62.115.160.18   4ms   3ms   3ms
  12  188.172.249.32  2ms   2ms   2ms
  13  45.90.30.0      2ms   2ms   2ms
Do you want to send this report? [Y/n]: y
Optional email in case we need additional info:
Post unsuccessful: status 400 {"error":"0: instance.Test requires property \"Client\"\n"}
-
Olivier Poitrey I did get a successful post eventually. https://nextdns.io/diag/b6081bc0-8598-11eb-909c-bbd98deb2146
-
Seems like nextdns.io domain is blocked on your network. What do you get for « nslookup dns.nextdns.io »
-
I had the same issue with the same setup. I had no issues until 3/12-13 and then my internet went out for the majority of devices. I didn't make any changes on my end prior to the issues, and changing away from NextDNS servers immediately resolved the issue. I couldn't find a way to fix it so I decided to stop using DNSCrypt-Proxy (which I thought worked really well). I'm now trying the NextDNS CLI client on my router (OPNsense) but it seems to do a terrible job of actually encrypting traffic (only successful with maybe 30-50% of DNS queries) which is frustrating. I'd be interested in a solution to the DNSCrypt method.
-
Olivier Poitrey you were partly correct. NextDNS was added to a DoH filter list recently.
https://raw.githubusercontent.com/oneoffdallas/dohservers/master/list.txt
But that hasn't solved the whole issue. Here is an example of using the unencrypted IPv4 address to query NextDNS:
C:\>nslookup dns.nextdns.io
Server:  pihole
Address:  192.168.1.50

Non-authoritative answer:
Name:    steering.nextdns.io
Addresses:  2605:380:55:450::7
          2001:19f0:b001:1bb:5400:2ff:fec8:6dcc
          188.172.221.9
          155.138.130.135
Aliases:  dns.nextdns.io
Here is the same thing when sending the request through DNSCrypt-Proxy:
C:\>nslookup dns.nextdns.io
Server:  pihole
Address:  192.168.1.50

*** pihole can't find dns.nextdns.io: Server failed
After ~10 requests I will get an answer:
Server:  pihole
Address:  192.168.1.50

Name:    steering.nextdns.io
Addresses:  2605:380:55:450::7
          2001:19f0:b001:1bb:5400:2ff:fec8:6dcc
Aliases:  dns.nextdns.io
OR
Server:  pihole
Address:  192.168.1.50

Non-authoritative answer:
Name:    steering.nextdns.io
Addresses:  2001:19f0:b001:1bb:5400:2ff:fec8:6dcc
          2605:380:55:450::7
          188.172.221.9
          155.138.130.135
Aliases:  dns.nextdns.io
-
Can you try with the CLI instead of PiHole?
-
Olivier Poitrey Nope, has since gotten significantly worse now. Same behaviour as dnscrypt-proxy. I've reverted to unencrypted nextdns resolvers and performance is much better. I'm going to try some detailed traces and pcaps later this evening.
-
I think I've narrowed it down more. With DNSSEC turned on in Pihole, terrible performance, many sites not resolving. With DNSSEC turned off, resolution is nearly 100%. This must have something to do with the fixes made last weekend. This config has been running fine with DNSSEC for more than 6 months.
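The last post ties the failures to Pi-hole's DNSSEC setting. A validating Pi-hole asks its upstream (here dnscrypt-proxy) for the same names with the EDNS0 DO bit set, so the two configurations can be compared directly with a small probe. The script below is an added example, not code from this thread, from NextDNS or from dnscrypt-proxy: it sends each name to a resolver once plain and once with DO=1 and tallies SERVFAIL and timeout rates. The resolver address 192.168.1.50 is the Pi-hole from the thread; the name list, the sample counts and the function names are constructed for the example.

```python
# Added example (not from the thread): probe a resolver with and without the
# EDNS0 DO bit and tally outcomes, to reproduce the DNSSEC on/off comparison.
import random
import socket
import struct
import sys

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def build_query(name, qtype=1, dnssec_ok=False, txid=None):
    """Return (txid, wire-format query). With dnssec_ok, append an OPT RR with DO=1."""
    txid = random.randint(0, 0xFFFF) if txid is None else txid
    flags = 0x0100  # RD (recursion desired), standard query
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if dnssec_ok else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN
    opt = b""
    if dnssec_ok:
        # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size 4096,
        # TTL = ext-rcode 0 / EDNS version 0 / flags 0x8000 (DO), RDLENGTH 0
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return txid, header + question + opt


def parse_response(data, expected_txid):
    """Return (RCODE name, answer count) from a raw DNS response."""
    if len(data) < 12:
        raise ValueError("short DNS response")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set; not a response")
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, "OTHER(%d)" % rcode), an


def probe(server, names, dnssec_ok, port=53, timeout=2.0):
    """Query each name once over UDP and count outcomes by RCODE, TIMEOUT or MALFORMED."""
    counts = {}
    for name in names:
        txid, pkt = build_query(name, dnssec_ok=dnssec_ok)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.sendto(pkt, (server, port))
                data, _ = sock.recvfrom(4096)
                outcome, _ = parse_response(data, txid)
            except socket.timeout:
                outcome = "TIMEOUT"
            except ValueError:
                outcome = "MALFORMED"
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


def failure_rate(counts):
    """Fraction of probes that gave no usable answer (SERVFAIL or TIMEOUT)."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return (counts.get("SERVFAIL", 0) + counts.get("TIMEOUT", 0)) / total


if __name__ == "__main__":
    # Resolver address taken from the thread (the Pi-hole); name list is constructed.
    resolver = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.50"
    names = ["dns.nextdns.io", "example.com", "cloudflare.com", "quad9.net"] * 5
    for do in (False, True):
        counts = probe(resolver, names, dnssec_ok=do)
        print("DO=%d %s failure rate %.0f%%" % (do, counts, 100 * failure_rate(counts)))
```

Run it once against the Pi-hole and once against dnscrypt-proxy's own listener (for example `python3 probe.py 127.0.0.1` on the box running it, if it listens there): a failure rate that jumps only when DO=1 points at the validating path rather than at the network, which is the distinction the thread is circling.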