AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home/overview.html
GNU General Public License v3.0

DNS over QUIC does not work #4010

Closed cwyin7788 closed 2 years ago

cwyin7788 commented 2 years ago

Issue Details

raspberrypi:/opt/AdGuardHome# ./AdGuardHome -v --version
AdGuard Home
Version: v0.107.0-b.17
Channel: beta
Go version: go1.16.12
Build time: 2021-12-21T12:45:37Z+0000
GOOS: linux
GOARCH: arm64
Race: false
Dependencies:
        github.com/AdguardTeam/dnsproxy@v0.39.13 (sum: h1:7YM5Mr4EpFZ8UO4/4xd6zBG3lZ6AzZO6Xq29Cr4ydOY=)
        github.com/AdguardTeam/golibs@v0.10.3 (sum: h1:FBgk17zf35ESVWQKIqEUiqqB2bDaCBC8X5vMU760yB4=)
        github.com/AdguardTeam/urlfilter@v0.15.1 (sum: h1:dP6S7J6eFAk8MN4IDpUq2fZoBo8K8fmc6pXpxNIv84M=)
        github.com/NYTimes/gziphandler@v1.1.1 (sum: h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=)
        github.com/aead/chacha20@v0.0.0-20180709150244-8b13a72661da (sum: h1:KjTM2ks9d14ZYCvmHS9iAKVt9AyzRSqNU1qabPih5BY=)
        github.com/aead/poly1305@v0.0.0-20180717145839-3fee0db0b635 (sum: h1:52m0LGchQBBVqJRyYYufQuIbVqRawmubW3OFGqK1ekw=)
        github.com/ameshkov/dnscrypt/v2@v2.2.2 (sum: h1:lxtS1iSA2EjTOMToSi+2+rwspNA+b/wG5/JpccvE9CU=)
        github.com/ameshkov/dnsstamps@v1.0.3 (sum: h1:Srzik+J9mivH1alRACTbys2xOxs0lRH9qnTA7Y1OYVo=)
        github.com/beefsack/go-rate@v0.0.0-20200827232406-6cde80facd47 (sum: h1:M57m0xQqZIhx7CEJgeLSvRFKEK1RjzRuIXiA3HfYU7g=)
        github.com/cheekybits/genny@v1.0.0 (sum: h1:uGGa4nei+j20rOSeDeP5Of12XVm7TGUd4dJA9RDitfE=)
        github.com/digineo/go-ipset/v2@v2.2.1 (sum: h1:k6skY+0fMqeUjjeWO/m5OuWPSZUAn7AucHMnQ1MX77g=)
        github.com/fsnotify/fsnotify@v1.4.9 (sum: h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=)
        github.com/go-ping/ping@v0.0.0-20210506233800-ff8be3320020 (sum: h1:mdi6AbCEoKCA1xKCmp7UtRB5fvGFlP92PvlhxgdvXEw=)
        github.com/google/go-cmp@v0.5.5 (sum: h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=)
        github.com/google/gopacket@v1.1.19 (sum: h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=)
        github.com/google/renameio@v1.0.1 (sum: h1:Lh/jXZmvZxb0BBeSY5VKEfidcbcbenKjZFzM/q0fSeU=)
        github.com/AdguardTeam/dhcp@v0.0.0-20210519141215-51808c73c0bf (sum: h1:gc042VRSIRSUzZ+Px6xQCRWNJZTaPkomisDfUZmoFNk=)
        github.com/joomcode/errorx@v1.0.3 (sum: h1:3e1mi0u7/HTPNdg6d6DYyKGBhA5l9XpsfuVE29NxnWw=)
        github.com/josharian/native@v0.0.0-20200817173448-b6b71def0850 (sum: h1:uhL5Gw7BINiiPAo24A2sxkcDI0Jt/sqp1v5xQCniEFA=)
        github.com/kardianos/service@v1.2.0 (sum: h1:bGuZ/epo3vrt8IPC7mnKQolqFeYJb7Cs8Rk4PSOBB/g=)
        github.com/lucas-clemente/quic-go@v0.21.1 (sum: h1:uuhCcu885TE9u/piPYMChI/yqA1lXfaLUEx8uCMxf8w=)
        github.com/marten-seemann/qtls-go1-16@v0.1.3 (sum: h1:XEZ1xGorVy9u+lJq+WXNE+hiqRYLNvJGYmwfwKQN2gU=)
        github.com/mdlayher/ethernet@v0.0.0-20190606142754-0394541c37b7 (sum: h1:lez6TS6aAau+8wXUP3G9I3TGlmPFEq2CTxBaRqY6AGE=)
        github.com/mdlayher/netlink@v1.4.0 (sum: h1:n3ARR+Fm0dDv37dj5wSWZXDKcy+U0zwcXS3zKMnSiT0=)
        github.com/mdlayher/raw@v0.0.0-20210412142147-51b895745faf (sum: h1:InctQoB89TIkmgIFQeIL4KXNvWc1iebQXdZggqPSwL8=)
        github.com/ameshkov/dns@v1.1.32-0.20211214123418-7a5e0dc5f1b0 (sum: h1:a6ca3WlDG4zvUWqVFpVu48b9NZJ0fUFlRhiZKKkq+aw=)
        github.com/patrickmn/go-cache@v2.1.0+incompatible (sum: h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=)
        github.com/pkg/errors@v0.9.1 (sum: h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=)
        github.com/satori/go.uuid@v1.2.0 (sum: h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=)
        github.com/ti-mo/netfilter@v0.4.0 (sum: h1:rTN1nBYULDmMfDeBHZpKuNKX/bWEXQUhe02a/10orzg=)
        github.com/u-root/u-root@v7.0.0+incompatible (sum: h1:u+KSS04pSxJGI5E7WE4Bs9+Zd75QjFv+REkjy/aoAc8=)
        go.etcd.io/bbolt@v1.3.6 (sum: h1:/ecaJf0sk1l4l6V4awd65v2C3ILy7MSj+s/x1ADCIMU=)
        golang.org/x/crypto@v0.0.0-20210817164053-32db794688a5 (sum: h1:HWj/xjIHfjYU5nVXpTM0s39J9CbLn7Cc5a7IC5rwsMQ=)
        golang.org/x/net@v0.0.0-20210929193557-e81a3d93ecf6 (sum: h1:Z04ewVs7JhXaYkmDhBERPi41gnltfQpMWDnTnQbaCqk=)
        golang.org/x/sync@v0.0.0-20210220032951-036812b2e83c (sum: h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ=)
        golang.org/x/sys@v0.0.0-20210909193231-528a39cd75f3 (sum: h1:3Ad41xy2WCESpufXwgs7NpDSu+vjxqLt2UFqUV+20bI=)
        golang.org/x/text@v0.3.7 (sum: h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=)
        gopkg.in/natefinch/lumberjack.v2@v2.0.0 (sum: h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXLknAOE8=)
        gopkg.in/yaml.v2@v2.4.0 (sum: h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=)
        howett.net/plist@v0.0.0-20201203080718-1454fab16a06 (sum: h1:QDxUo/w2COstK1wIBYpzQlHX/NqaQTcf9jyz347nI58=)

Expected Behavior

DNS-over-QUIC works properly.

Actual Behavior

DNS-over-QUIC does not work.

Screenshots

I have two Raspberry Pis, adguard1.abc.com and adguard2.abc.com. Both already have AGH installed; adguard1 is behind a router, adguard2 is not. Neither Pi works as a DoQ server. Here are the screen captures from adguard1.abc.com.

For adguard1.abc.com I don't use any CDN service, so connecting to my domain connects directly to my IP.

[Screenshot 2021-12-24 22:27:44]

The AGH setup page shows the DoQ address as quic://adguard1.abc.com:784

[Screenshot 2021-12-24 22:34:01]

AGH is already listening on UDP port 784

[Screenshot 2021-12-24 22:36:39]

My router has port forwarding configured

[Screenshot 2021-12-24 22:30:53]

I wanted to test whether DoQ works, so in adguard2.abc.com's AGH I set my adguard1 DoQ server as the upstream

[Screenshot 2021-12-24 22:30:04]

but when I click "Test upstreams" it shows this error:

[Screenshot 2021-12-24 22:29:03]

In the adguard2 terminal I used this tool:

https://github.com/ameshkov/dnslookup

to test my adguard1 DoQ, and it also failed:

[Screenshot 2021-12-24 22:37:58]

In adguard1's AGH, my certificate does not have any problem:

[Screenshot 2021-12-24 22:59:06]

Is this a bug, or is something wrong in my settings?

Thanks for the help.

ainar-g commented 2 years ago

Hello and thank you for the very thorough report! A couple of questions to clarify:

  1. Do you see any certificate errors in the verbose logs?

  2. Are there any issues with DoH and DoT?

  3. Do these servers have some kind of firewall rules? The errors look like AGH just doesn't receive any requests. Does nc -u -v -z adguard1.abc.com 784 show something like Connection to … 784 port [udp/*] succeeded!?

Thanks!

cwyin7788 commented 2 years ago

> Hello and thank you for the very thorough report! A couple of questions to clarify:
>
>   1. Do you see any certificate errors in the verbose logs?
>   2. Are there any issues with DoH and DoT?
>   3. Do these servers have some kind of firewall rules? The errors look like AGH just doesn't receive any requests. Does nc -u -v -z adguard1.abc.com 784 show something like Connection to … 784 port [udp/*] succeeded!?
>
> Thanks!

Thanks for your quick reply

> 1. Do you see any certificate errors in the verbose logs?

It seems the log does not have any errors about the certificate.

[Screenshot 2021-12-25 01:59:18]

Here is the DoH question section:

;; QUESTION SECTION:
;safebrowsing-proxy.g.aaplimg.com.      IN       A

2021/12/25 02:09:58.407068 120956#449 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).ServeHTTP(): Incoming HTTPS request on /dns-query/iphonex
2021/12/25 02:09:58.407440 120956#449 [debug] github.com/AdguardTeam/dnsproxy/proxy.remoteAddr(): Using IP address from HTTP request: xxx.xxx.xxx.xxx
2021/12/25 02:09:58.407669 120956#449 [debug] request came from proxy server 127.0.0.1:47730
2021/12/25 02:09:58.407948 120956#449 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 8921
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

> 2. Are there any issues with DoH and DoT?

DoH and DoT both work perfectly on adguard1 and adguard2.

> 3. Does nc -u -v -z adguard1.abc.com 784 show something like `Connection to … 784 port [udp/*] succeeded!`?

From the adguard2 terminal, nc to adguard1 UDP port 784 reports that it succeeded:

[Screenshot 2021-12-25 02:04:36]

Merry Christmas!

cwyin7788 commented 2 years ago

> Hello and thank you for the very thorough report! A couple of questions to clarify:
>
>   1. Do you see any certificate errors in the verbose logs?
>   2. Are there any issues with DoH and DoT?
>   3. Do these servers have some kind of firewall rules? The errors look like AGH just doesn't receive any requests. Does nc -u -v -z adguard1.abc.com 784 show something like Connection to … 784 port [udp/*] succeeded!?
>
> Thanks!

I just tried enabling the verbose log on adguard2, and then repeated this step to test adguard1's DoQ:

[Screenshot 2021-12-25 21:19:07]

On adguard2, tail -f on the verbose log shows this:

[Screenshot 2021-12-25 21:16:28]

Will these messages be helpful for your debugging?

Thanks for your help.

ainar-g commented 2 years ago

@cwyin7788, thank you for the data! Unfortunately, I still have no idea what could be wrong. It seems like both AGH and the external clients see the port as open.

There is a way to check if there is something wrong with the port or with our DoQ implementation:

  1. Switch the DoQ and DoT ports. So, for example, set the DoT port to 784 and the DoQ port to 853.

  2. Try making the following requests using dnslookup (making sure that you use the latest version that implements RFC 9000):

    dnslookup 'example.com' 'tls://adguard1.abc.com:784'
    dnslookup 'example.com' 'quic://adguard1.abc.com:853'

If the first one fails, but the second succeeds, there is an issue with port 784. If the first one succeeds, but the second one fails, it may have something to do with our DoQ server.
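
The two-probe procedure above, as an added example (this script is not from the thread or from the AdGuard Home project): a POSIX shell script that runs the post-swap dnslookup probes and prints the verdict ainar-g describes. It assumes AGH has already been reconfigured with DoT on 784 and DoQ on 853, that the dnslookup tool from https://github.com/ameshkov/dnslookup is on PATH, and that the server name is passed in a DOQ_HOST environment variable (the variable name is this script's own choice). One caveat on the earlier nc check: `nc -u -z` reports "succeeded" for any UDP port that does not answer with an ICMP port-unreachable, so it cannot tell an open QUIC listener from a silently dropped datagram; a real DoQ query is the meaningful test.

```shell
#!/bin/sh
# Added example: run the port-swap probes and print the verdict.
# Assumes AGH now serves DoT on 784 and DoQ on 853, that dnslookup
# (https://github.com/ameshkov/dnslookup) is on PATH, and that DOQ_HOST
# names the server (DOQ_HOST is an assumption of this script).

# probe SCHEME HOST PORT: exit 0 when dnslookup gets an answer for a
# constant name, non-zero otherwise. Output is discarded; only the exit
# status feeds the verdict, so runs stay comparable.
probe() {
    dnslookup example.com "$1://$2:$3" >/dev/null 2>&1
}

# verdict TLS784_STATUS QUIC853_STATUS: the arguments are the exit statuses
# of the DoT-on-784 and DoQ-on-853 probes (0 = success). Prints one token
# using the mapping from the comment above.
verdict() {
    if [ "$1" -ne 0 ] && [ "$2" -eq 0 ]; then
        echo "port-784"    # DoQ answers on 853, so the server works; 784 is blocked on the path
    elif [ "$1" -eq 0 ] && [ "$2" -ne 0 ]; then
        echo "doq-server"  # TCP reaches AGH on 784, but QUIC fails on 853, which served DoT before the swap
    elif [ "$1" -eq 0 ] && [ "$2" -eq 0 ]; then
        echo "both-ok"     # the swapped layout works; re-test the original one
    else
        echo "both-fail"   # neither transport reaches AGH: check name resolution, firewall, routing
    fi
}

# Only probe the network when a host was given, so the functions above can
# be sourced and tested without dnslookup installed.
if [ -n "${DOQ_HOST-}" ]; then
    if probe tls "$DOQ_HOST" 784; then tls_rc=0; else tls_rc=1; fi
    if probe quic "$DOQ_HOST" 853; then quic_rc=0; else quic_rc=1; fi
    echo "tls://$DOQ_HOST:784  -> $( [ "$tls_rc" -eq 0 ] && echo ok || echo FAIL )"
    echo "quic://$DOQ_HOST:853 -> $( [ "$quic_rc" -eq 0 ] && echo ok || echo FAIL )"
    verdict "$tls_rc" "$quic_rc"
fi
```

Run it as `DOQ_HOST=adguard1.abc.com sh doq_swap_triage.sh` from the client machine. Keep in mind that the swap also changes transport: DoT on 784 is TCP while DoQ on 853 is UDP, so a forwarding or firewall rule that passes TCP 784 but not UDP 784 still lets the first probe succeed. If both probes pass in the swapped layout, what remains suspect is UDP handling on the client-to-server path rather than AGH itself.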

cwyin7788 commented 2 years ago

After doing more tests, I know what happened; I solved the problem.

[Screenshot 2021-12-28 12:38:00]

I had configured Cloudflare WARP with wgcf on both adguard1 and adguard2.

I just remembered that Cloudflare WARP uses WireGuard, WireGuard uses UDP, and QUIC also uses UDP.

So I stopped Cloudflare WARP on adguard2 with the command "service wg-quick@wg0 stop"

and ran the "dnslookup 'yahoo.com' quic://adguard1.abc.com:784" test again.

It works.

cwyin7788 commented 2 years ago

This experience taught me that Cloudflare WARP and DNS-over-QUIC are not compatible with each other. This is a compatibility issue, not a bug in AGH or DoQ. I'm sorry to have bothered you for a few days.
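
An added check for the situation the reporter ended up in (this script is not from the thread or from the AdGuard Home project). A full-tunnel wg-quick profile such as the one wgcf generates (AllowedIPs 0.0.0.0/0, ::/0) routes every packet to adguard1, QUIC datagrams included, out through the WireGuard interface instead of the LAN or WAN interface. Before stopping services, you can ask the kernel which device it would use for the DoQ server's address. The script assumes iproute2 (`ip route get`) and an interface named wg0, matching the reporter's `service wg-quick@wg0 stop`; the two sample route lines are constructed so the parsing can be exercised offline, and DOQ_IP is this script's own variable name.

```shell
#!/bin/sh
# Added example: is the path to the DoQ server going through the WireGuard
# tunnel? Assumes iproute2 and a wg-quick interface named wg0 (as in the
# reporter's "service wg-quick@wg0 stop"). Sample lines are constructed.

TUNNEL_IF="${TUNNEL_IF:-wg0}"

# Constructed "ip route get" output, one line each, for offline testing.
# wg-quick's full-tunnel setup answers with the tunnel device; a host
# without the tunnel answers with its LAN/WAN device.
SAMPLE_VIA_TUNNEL="203.0.113.10 dev wg0 table 51820 src 172.16.0.2 uid 0"
SAMPLE_DIRECT="203.0.113.10 via 192.0.2.1 dev eth0 src 192.0.2.50 uid 0"

# route_dev "ROUTE LINE": print the egress device, i.e. the word that
# follows "dev". Returns 1 when the line names no device.
route_dev() {
    set -- $1
    while [ $# -ge 2 ]; do
        if [ "$1" = "dev" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# route_verdict "ROUTE LINE": "tunnel" when the line leaves via $TUNNEL_IF,
# "direct" for any other device, "unknown" when no device is present.
route_verdict() {
    dev=$(route_dev "$1") || { echo unknown; return 0; }
    if [ "$dev" = "$TUNNEL_IF" ]; then echo tunnel; else echo direct; fi
}

# check_dst IP: query the live routing decision and explain it. ip route
# get wants an address, so resolve the DoQ host name first.
check_dst() {
    line=$(ip route get "$1" 2>/dev/null | sed -n 1p)
    v=$(route_verdict "$line")
    case "$v" in
        tunnel) echo "$1: egress via $TUNNEL_IF, QUIC to the DoQ server is entering the tunnel" ;;
        direct) echo "$1: egress via $(route_dev "$line"), tunnel not involved" ;;
        *)      echo "$1: no usable route" ;;
    esac
}

# Only touch the live routing table when an address was given.
if [ -n "${DOQ_IP-}" ]; then
    check_dst "$DOQ_IP"
fi
```

Run it as `DOQ_IP=<adguard1's address> sh route_check.sh` on the client; `wg show wg0 allowed-ips` shows the same capture from the tunnel's side. Narrowing AllowedIPs, or adding a host route for the server that bypasses the tunnel, is the usual way to keep one destination direct while WARP stays up for everything else; that this restores DoQ without stopping the tunnel is an assumption here, since the thread only establishes that stopping wg-quick on the client made the query succeed.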