DNSCrypt / dnscrypt-proxy

dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols.
https://dnscrypt.info
ISC License

--list shows five servers.. startup does not always show those five (confused) #2652

Closed bcookatpcsd closed 3 days ago

bcookatpcsd commented 3 days ago

Output of the following commands:

./dnscrypt-proxy -version

./dnscrypt-proxy -check

./dnscrypt-proxy -resolve example.com

[I] root@alpine-awow ~/d/u/generate-domains-blocklist (master)# /usr/bin/dnscrypt-proxy -check --list --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
[2024-07-02 18:01:27] [NOTICE] dnscrypt-proxy 2.1.5
[2024-07-02 18:01:27] [NOTICE] Source [public-resolvers] loaded
[2024-07-02 18:01:27] [NOTICE] Source [relays] loaded
controld-unfiltered
nextdns-ultralow
plan9dns-nj-doh
controld-uncensored
dnscry.pt-newyork-ipv4

[I] root@alpine-awow ~/d/u/generate-domains-blocklist (master)# /usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml -resolve example.com
Resolving [example.com] using 127.0.0.1 port 53

Resolver      : 207.246.87.96 (kronos.plan9-dns.com.)

Canonical name: example.com.

IPv4 addresses: 93.184.215.14
IPv6 addresses: -

Name servers  : a.iana-servers.net., b.iana-servers.net.
DNSSEC signed : yes
Mail servers  : 1 mail servers found

HTTPS alias   : -
HTTPS info    : -

Host info     : -
TXT records   : v=spf1 -all, wgyf8z8cgvm2qmxpnbnldrcltvk4xqfn

restart dnscrypt-proxy:

[2024-07-02 17:58:59] [NOTICE] dnscrypt-proxy 2.1.5
[2024-07-02 17:58:59] [NOTICE] Network connectivity detected
[2024-07-02 17:58:59] [NOTICE] Now listening to 0.0.0.0:53 [UDP]
[2024-07-02 17:58:59] [NOTICE] Now listening to 0.0.0.0:53 [TCP]
[2024-07-02 17:58:59] [NOTICE] Source [public-resolvers] loaded
[2024-07-02 17:58:59] [NOTICE] Source [relays] loaded
[2024-07-02 17:58:59] [NOTICE] Firefox workaround initialized
[2024-07-02 17:58:59] [NOTICE] Loading the set of blocking rules from [/var/tmp/blocked-names.txt]
[2024-07-02 17:59:01] [NOTICE] Loading the set of cloaking rules from [/etc/dnscrypt-proxy/cloaking-rules.txt]
[2024-07-02 17:59:01] [NOTICE] Loading the set of forwarding rules from [/etc/dnscrypt-proxy/forwarding-rules.txt]
[2024-07-02 17:59:06] [INFO] [controld-unfiltered] TLS version: 304 - Protocol: h2 - Cipher suite: 4865
[2024-07-02 17:59:06] [NOTICE] [controld-unfiltered] OK (DoH) - rtt: 16ms
[2024-07-02 17:59:06] [NOTICE] [dnscry.pt-newyork-ipv4] OK (DNSCrypt) - rtt: 19ms
[2024-07-02 17:59:06] [INFO] [plan9dns-nj-doh] TLS version: 304 - Protocol: h2 - Cipher suite: 4866
[2024-07-02 17:59:06] [NOTICE] [plan9dns-nj-doh] OK (DoH) - rtt: 14ms
[2024-07-02 17:59:06] [NOTICE] Sorted latencies:
[2024-07-02 17:59:06] [NOTICE] -    14ms plan9dns-nj-doh
[2024-07-02 17:59:06] [NOTICE] -    16ms controld-unfiltered
[2024-07-02 17:59:06] [NOTICE] -    19ms dnscry.pt-newyork-ipv4
[2024-07-02 17:59:06] [NOTICE] Server with the lowest initial latency: plan9dns-nj-doh (rtt: 14ms)
[2024-07-02 17:59:06] [NOTICE] dnscrypt-proxy is ready - live servers: 3

restart again:

[2024-07-02 18:04:39] [NOTICE] dnscrypt-proxy 2.1.5
[2024-07-02 18:04:39] [NOTICE] Network connectivity detected
[2024-07-02 18:04:39] [NOTICE] Now listening to 0.0.0.0:53 [UDP]
[2024-07-02 18:04:39] [NOTICE] Now listening to 0.0.0.0:53 [TCP]
[2024-07-02 18:04:39] [NOTICE] Source [public-resolvers] loaded
[2024-07-02 18:04:39] [NOTICE] Source [relays] loaded
[2024-07-02 18:04:39] [NOTICE] Firefox workaround initialized
[2024-07-02 18:04:39] [NOTICE] Loading the set of blocking rules from [/var/tmp/blocked-names.txt]
[2024-07-02 18:04:40] [NOTICE] Loading the set of cloaking rules from [/etc/dnscrypt-proxy/cloaking-rules.txt]
[2024-07-02 18:04:40] [NOTICE] Loading the set of forwarding rules from [/etc/dnscrypt-proxy/forwarding-rules.txt]
[2024-07-02 18:04:45] [INFO] [controld-uncensored] TLS version: 304 - Protocol: h2 - Cipher suite: 4865
[2024-07-02 18:04:45] [NOTICE] [controld-uncensored] OK (DoH) - rtt: 18ms
[2024-07-02 18:04:45] [INFO] [controld-unfiltered] TLS version: 304 - Protocol: h2 - Cipher suite: 4865
[2024-07-02 18:04:45] [NOTICE] [controld-unfiltered] OK (DoH) - rtt: 17ms
[2024-07-02 18:04:45] [NOTICE] [dnscry.pt-newyork-ipv4] OK (DNSCrypt) - rtt: 19ms
[2024-07-02 18:04:46] [NOTICE] Sorted latencies:
[2024-07-02 18:04:46] [NOTICE] -    17ms controld-unfiltered
[2024-07-02 18:04:46] [NOTICE] -    18ms controld-uncensored
[2024-07-02 18:04:46] [NOTICE] -    19ms dnscry.pt-newyork-ipv4
[2024-07-02 18:04:46] [NOTICE] Server with the lowest initial latency: controld-unfiltered (rtt: 17ms)
[2024-07-02 18:04:46] [NOTICE] dnscrypt-proxy is ready - live servers: 3

What is affected by this bug?

I don't seem to get all the manually defined servers.. these come from sources.public-resolvers

When does this occur?

on restart

Where does it happen?

on restart

How do we replicate the issue?

Expected behavior (i.e. solution)

Other Comments

I'm sorry if you immediately see something that I missed..

I have rm'd /var/cache/dnscrypt-proxy/* to refresh the files..

This is Alpine linux (musl) with dnscrypt-proxy2 from pkgs..

Thank you in advance.

egrep -v '^#|^$' /etc/dnscrypt-proxy/dnscrypt-proxy.toml

server_names = ['dnscry.pt-newyork-ipv4' ,'nextdns-ultralow', 'plan9dns-nj-doh', 'controld-uncensored', 'controld-unfiltered']
listen_addresses = ['0.0.0.0:53']
max_clients = 250
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
doh_servers = true
odoh_servers = false
require_dnssec = false
require_nolog = true
require_nofilter = true
disabled_server_names = []
force_tcp = false
http3 = false
timeout = 50
keepalive = 30
 log_level = 0
log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log'
cert_refresh_delay = 240
bootstrap_resolvers = ['1.1.1.1:53', '9.9.9.9:53']
ignore_system_dns = false
netprobe_timeout = 60
netprobe_address = '76.76.2.0:53'
log_files_max_size = 10
log_files_max_age = 7
log_files_max_backups = 1
block_ipv6 = true
block_unqualified = true
block_undelegated = true
reject_ttl = 300
forwarding_rules = '/etc/dnscrypt-proxy/forwarding-rules.txt'
cloaking_rules = '/etc/dnscrypt-proxy/cloaking-rules.txt'
cloak_ttl = 600
cache = true
cache_size = 16384
cache_min_ttl = 1200
cache_max_ttl = 86400
cache_neg_min_ttl = 60
cache_neg_max_ttl = 600
[captive_portals]
[local_doh]
[query_log]
file = '/tmp/query.log'
format = 'tsv'
[nx_log]
format = 'tsv'
[blocked_names]
blocked_names_file = '/var/tmp/blocked-names.txt'
[blocked_ips]
[allowed_names]
[allowed_ips]
[schedules]
[sources]
  [sources.public-resolvers]
    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
    cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
    refresh_delay = 72
    prefix = ''
  [sources.relays]
    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md']
    cache_file = '/var/cache/dnscrypt-proxy/relays.md'
    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
    refresh_delay = 72
    prefix = ''
[broken_implementations]
fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'cleanbrowsing-adult', 'cleanbrowsing-adult-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-security', 'cleanbrowsing-security-ipv6']
[doh_client_x509_auth]
[anonymized_dns]
skip_incompatible = false
[dns64]
[static]

jedisct1 commented 3 days ago

timeout = 50

This is in milliseconds. This is way too short to finish a transaction with a server that's not close to you, especially with DoH.

The default value is 5000 for a reason.
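The maintainer's point is easy to miss because `timeout` looks like a count of seconds. The following script is an added example for this issue, not code from dnscrypt-proxy or from either participant: it reads the top-level keys of a `dnscrypt-proxy.toml` with a deliberately minimal parser (enough for the scalar, string and array lines shown in this thread), flags a `timeout` that is far below the 5000 ms default, and then simulates the startup probe to show how a 50 ms deadline turns five configured servers into a varying set of three. The per-server probe times in `RESTART_1_RTT_MS` and `RESTART_2_RTT_MS` are constructed for illustration (the values for the servers that did appear are the rtt figures from the logs above; the others are invented), and the probe model, "a server is live only if its probe completes inside the timeout", is a simplification of what the daemon actually does.

```python
"""Added example for dnscrypt-proxy issue #2652 (not project code).

Reads the top-level keys of a dnscrypt-proxy.toml, warns when `timeout`
(milliseconds) is far below the 5000 ms default, and simulates which of
the configured servers survive the startup probe under a given timeout.
"""
import re

DEFAULT_TIMEOUT_MS = 5000  # dnscrypt-proxy's documented default for `timeout`

# Constructed excerpt of the reporter's config: only the keys this example uses.
SAMPLE_CONFIG = """\
server_names = ['dnscry.pt-newyork-ipv4' ,'nextdns-ultralow', 'plan9dns-nj-doh', 'controld-uncensored', 'controld-unfiltered']
listen_addresses = ['0.0.0.0:53']
timeout = 50
keepalive = 30
 log_level = 0
[sources]
  [sources.public-resolvers]
    refresh_delay = 72
"""

# Constructed probe completion times (ms) for two restarts. Servers that showed
# up in the issue's logs keep their logged rtt; the missing ones are invented
# values above the 50 ms deadline.
RESTART_1_RTT_MS = {
    "plan9dns-nj-doh": 14, "controld-unfiltered": 16, "dnscry.pt-newyork-ipv4": 19,
    "controld-uncensored": 58, "nextdns-ultralow": 120,
}
RESTART_2_RTT_MS = {
    "controld-unfiltered": 17, "controld-uncensored": 18, "dnscry.pt-newyork-ipv4": 19,
    "plan9dns-nj-doh": 63, "nextdns-ultralow": 110,
}


def parse_top_level(text):
    """Parse top-level `key = value` lines of a TOML file into a dict.

    Minimal on purpose: ints, booleans, single-quoted strings and arrays of
    single-quoted strings. Parsing stops at the first `[table]` header, so
    keys inside sections such as [sources] are ignored.
    """
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            break
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value.startswith("["):
            result[key] = re.findall(r"'([^']*)'", value)
        elif value in ("true", "false"):
            result[key] = value == "true"
        elif value.startswith("'"):
            result[key] = value.strip("'")
        else:
            result[key] = int(value)
    return result


def check_timeout(config):
    """Return (timeout_ms, finding). `finding` is a message when the timeout
    is below a tenth of the default (a threshold chosen for this example),
    otherwise None."""
    timeout = config.get("timeout", DEFAULT_TIMEOUT_MS)
    if timeout < DEFAULT_TIMEOUT_MS // 10:
        return timeout, (f"timeout = {timeout} is in milliseconds (default "
                         f"{DEFAULT_TIMEOUT_MS}); any server whose probe takes "
                         f"{timeout} ms or more will be missing at startup.")
    return timeout, None


def live_servers(server_names, probe_ms, timeout_ms):
    """Simplified startup probe: a configured server is live only if its
    probe finished before `timeout_ms`. Returns (sorted [(rtt, name)],
    name of the fastest live server or None)."""
    live = sorted((probe_ms[name], name) for name in server_names
                  if name in probe_ms and probe_ms[name] < timeout_ms)
    return live, (live[0][1] if live else None)


if __name__ == "__main__":
    cfg = parse_top_level(SAMPLE_CONFIG)
    timeout, finding = check_timeout(cfg)
    print(finding or f"timeout = {timeout} ms looks fine")
    for label, rtts in (("restart 1", RESTART_1_RTT_MS), ("restart 2", RESTART_2_RTT_MS)):
        live, fastest = live_servers(cfg["server_names"], rtts, timeout)
        print(f"{label}: live servers: {len(live)}, fastest: {fastest}")
```

Run against the sample config it reports that only three of the five servers are live on each restart, with a different fastest server each time, which matches the two startup logs in the report; with `timeout = 5000` all five survive the same constructed probes.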