AdguardTeam / dnsproxy

Simple DNS proxy with DoH, DoT, DoQ and DNSCrypt support
Apache License 2.0
2.37k stars, 246 forks

Config setting for defaulting dnscrypt client to use TCP #266

Open invis-z opened 2 years ago

invis-z commented 2 years ago

For some network settings, it would be handy if the default protocol for the DNSCrypt client (maybe also plain DNS) can be changed to TCP. https://github.com/AdguardTeam/dnsproxy/blob/master/upstream/upstream_dnscrypt.go#L85

iJorgen commented 2 years ago

Not an answer but when I tested DNSCrypt, I noticed the address is translated to an ordinary DOH-address (saw it at startup when it lists fallback-servers) so I skipped using it since I don't wanna use DOH.

ameshkov commented 1 year ago

@iJorgen DNSCrypt is very different from DoH, this must be an inaccuracy of the log.

ameshkov commented 1 year ago

I guess we could introduce something like dnscrypt-tcp:// scheme in the upstream addresses for that.

invis-z commented 1 year ago

The spec of dnscrypt requires the server to support TCP (Source).

The DNSCrypt protocol can use the UDP and TCP transport protocols. DNSCrypt Clients and resolvers should support the protocol over UDP and must support it over TCP.

And as the example in the readme shows, configuring dnscrypt is usually achieved by using a stamp (sdns://xxxx) which itself is base64 encoded with all the info and also compatible with DoH, DoT and DoQ. Also, DNSCrypt configuration seems to include public keys of the server, so a plain text configuration scheme would be a bit complicated. Since DoH/T/Q are all not affected by this at all, personally I would say that adding an option like --default-tcp or --tcp or --dnscrypt=tcp that will affect DNSCrypt only would be a better yet simpler solution.

invis-z commented 1 year ago

Sorry, I might have misunderstood the word "upstream" in your previous post; I was thinking of updating the protocol. Yes, maybe something like dnscrypt-tcp://xxxx with the DNS stamp (thus only replacing the sdns:// part) should work.

ameshkov commented 1 year ago

Yeah, it'd be better if we could encode the information about preferred protocol somehow in the address itself.

@jedisct1 Frank, is there any space for extending DNS stamps spec with additional flags? "Prefer TCP/UDP" flag may also be useful for DoH addresses as it would allow specifying which HTTP version to use.

For example, currently we run two probe connections (TLS and QUIC) in order to choose which protocol to use. It would be nice if people could select the preferred one, encode it in the stamp and thus avoid "probing".

invis-z commented 1 year ago

After looking into the specification of DNS Stamps, I don't know if there is an elegant way of adding this flag without breaking compatibility.

Maybe it is possible to add a prefix to any upstream like @tcp:sdns://AAA... so that it can also work with DoH like @h3:sdns://AAA... and plain DNS like @tcp:1.1.1.1:53. Also, when parsing, one only needs to check the first character.

If : can be confusing, there are some alternatives

ameshkov commented 1 year ago

props seem to have plenty of space for different flags in it:

props is a little-endian 64 bit value that represents informal properties about the resolver. It is a logical OR combination of the following values:
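A sketch of the two ideas floated above, the `@transport:` address prefix from invis-z's comment and reading the props field of a stamp as ameshkov suggests, as an added example that is not dnsproxy's code. The prefix syntax, the transport names `tcp`/`udp`/`h3` and the minimal constructed stamp are assumptions made for this example.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"strings"
)

// ParseUpstream splits an optional "@transport:" prefix (the hypothetical
// syntax proposed in the thread) off an upstream address and returns the
// hint ("" when absent) plus the remaining address. Unknown hints are
// rejected instead of being silently passed on as part of the host.
func ParseUpstream(s string) (transport, address string, err error) {
	if !strings.HasPrefix(s, "@") {
		return "", s, nil
	}
	i := strings.IndexByte(s, ':')
	if i < 0 || i+1 >= len(s) {
		return "", "", errors.New("malformed transport prefix")
	}
	switch t := strings.ToLower(s[1:i]); t {
	case "tcp", "udp", "h3":
		return t, s[i+1:], nil
	}
	return "", "", errors.New("unknown transport hint: " + s[1:i])
}

// DecodeStampHeader decodes the unpadded base64url body of an sdns:// stamp
// and returns its protocol byte (0x01 DNSCrypt, 0x02 DoH) and the
// little-endian 64-bit props field; the fields after props are ignored here.
func DecodeStampHeader(stamp string) (proto byte, props uint64, err error) {
	if !strings.HasPrefix(stamp, "sdns://") {
		return 0, 0, errors.New("not an sdns:// stamp")
	}
	raw, err := base64.RawURLEncoding.DecodeString(stamp[len("sdns://"):])
	if err != nil || len(raw) < 9 {
		return 0, 0, errors.New("stamp body invalid or too short")
	}
	return raw[0], binary.LittleEndian.Uint64(raw[1:9]), nil
}

// ConstructedStamp builds a minimal DNSCrypt stamp (protocol 0x01, props
// DNSSEC|NoFilter = 0x05) purely as constructed sample input; a real stamp
// also carries the resolver address, public key and provider name.
func ConstructedStamp() string {
	raw := []byte{0x01, 0, 0, 0, 0, 0, 0, 0, 0}
	binary.LittleEndian.PutUint64(raw[1:], 0x05)
	return "sdns://" + base64.RawURLEncoding.EncodeToString(raw)
}
```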

jedisct1 commented 1 year ago

I'm not sure that this should be part of the stamp. It sounds better as an application config flag.

People willing to use TCP only are likely to want it globally, not for specific resolvers.

Duplicating all resolvers in the list to add a TCP only variant would also be a little awkward.

Finally, DNSCrypt was really designed to be used over UDP, not TCP.