DNSCrypt / dnscrypt-proxy

dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols.
https://dnscrypt.info
ISC License

[windows] [bug][workaround available] Windows 10 yellow exclamation mark (no internet connection) #878

Closed Nesos-ita closed 5 years ago

Nesos-ita commented 5 years ago

Workaround: press Win+R, open regedit, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet, set EnableActiveProbing to 0 and reboot.

I'm using dnscrypt-proxy version 2.0.25 (latest) running as a service using cloudflare dns over https (attached config below).
Windows 10 shows the yellow mark "no internet connection" even if internet connection is present, this is annoying and also prevents me from turning the pc into a wifi hotspot.
According to internet users, this prevents Skype calls and some Windows apps that rely on the yellow mark from working correctly.
This happens both with wifi and ethernet and doesn't happen if I change the system resolver from 127.0.0.1 to 1.1.1.1 (if I don't use dnscrypt-proxy).
The yellow mark appears immediately after I plug in the ethernet cable.

~Is my configuration wrong or it's a bug of the program?~
The problem is present even with default config.
Also tested on Windows 7 and 8.1; only Win 10 has the problem, same config.
On Win 10 (mine is 1809, but it also happens on 1903) the yellow mark sometimes goes away, but only after a long time.

server_names = ['cloudflare']
listen_addresses = ['127.0.0.1:53']
max_clients = 250
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = false
doh_servers = true
require_dnssec = true
require_nolog = true
require_nofilter = true
disabled_server_names = []
force_tcp = false
timeout = 2500
keepalive = 30
refused_code_in_responses = false
log_level = 2
log_file = 'dnscrypt-proxy.log'
cert_refresh_delay = 240
fallback_resolver = '1.1.1.1:53'
ignore_system_dns = true
netprobe_timeout = 0
netprobe_address = "1.1.1.1:53"
log_files_max_size = 10
log_files_max_age = 7
log_files_max_backups = 1
block_ipv6 = false
cache = true
cache_size = 512
cache_min_ttl = 600
cache_max_ttl = 86400
cache_neg_min_ttl = 60
cache_neg_max_ttl = 600
[query_log]
file = 'query.log'
format = 'tsv'
[nx_log]
file = 'nx.log'
format = 'tsv'
[blacklist]
[ip_blacklist]
[whitelist]
[schedules]
[sources]
[static]
[static.'cloudflare']
stamp = 'sdns://AgcAAAAAAAAABzEuMC4wLjGgENk8mGSlIfMGXMOlIlCcKvq7AVgcrZxtjon911-ep0cg63Ul-I8NlFj4GplQGb_TTLiczclX57DvMV8Q-JdjgRgSZG5zLmNsb3VkZmxhcmUuY29tCi9kbnMtcXVlcnk'
[static.'cloudflare-ipv6']
stamp = 'sdns://AgcAAAAAAAAAGVsyNjA2OjQ3MDA6NDcwMDo6MTExMV06NTOgENk8mGSlIfMGXMOlIlCcKvq7AVgcrZxtjon911-ep0cg63Ul-I8NlFj4GplQGb_TTLiczclX57DvMV8Q-JdjgRgSZG5zLmNsb3VkZmxhcmUuY29tCi9kbnMtcXVlcnk'

tigernero79 commented 5 years ago

For Windows 10 I have always used "dnscrypt simple"

https://simplednscrypt.org/

which is nothing more than dnscrypt with a GUI. I noticed that with it set up the yellow symbol also showed, but browsing went smoothly; it was enough for me to disable and activate the LAN card to make the yellow symbol disappear.

r4sas commented 5 years ago

Have you tried starting dnscrypt-proxy not as a service, but just the binary from the directory where the config and binary are (better to run it in cmd)? Have you tried the -resolve option (read the wiki, pls.)?

Nesos-ita commented 5 years ago

> Have you tried starting dnscrypt-proxy not as a service, but just the binary from the directory where the config and binary are (better to run it in cmd)?

Not yet

> Have you tried the -resolve option (read the wiki, pls.)?

No, but I have changed the system DNS to 127.0.0.1 and nslookup/internet works only if the service is started, so I think the config is fine. I'll try both tomorrow.

@tigernero79 thanks, I'll try that workaround tomorrow, but it's not a definitive solution.

uBlock-user commented 5 years ago

Does your ISP support IPv6 ? If not, remove cloudflare-ipv6.

Nesos-ita commented 5 years ago

@r4sas Running dnscrypt-proxy from an (admin) cmd leads to the same results (yellow triangle). According to the -resolve output the program is correctly configured (the resolver is cloudflare, and things don't resolve if I stop the service/the exe from cmd).

@uBlock-user IPv6 is not enabled in the posted config.

@tigernero79 Tested disabling and re-enabling the network card; it worked once in 10 attempts. The yellow triangle is almost always there (internet always works).

uBlock-user commented 5 years ago

I meant [static.'cloudflare-ipv6'] from the dnscrypt config file. Disable that or remove it.

Nesos-ita commented 5 years ago

It's not used, as the only ones used are in this list: server_names = ['cloudflare']. As you can see, cloudflare-ipv6 is not in the list, so it doesn't matter if I left it defined. Anyway, the problem also exists with the default configuration.

kamilmirza commented 5 years ago

I am also facing this problem after Win10 v1903, using Simple DNSCrypt. Most of the time, due to this problem, apps with a Microsoft account (Store, Mail, Weather etc.) do not work and report No Internet. Switching back to the router DNS or 1.1.1.1 removes the exclamation mark immediately and fixes such problems. I have tried with default configs also, but no gain.

Nesos-ita commented 5 years ago

@kamilmirza @tigernero79 I have found how the internet detection is done and how to disable it.
Apparently Windows connects to this host and checks for a file: msftncsi.com/ncsi.txt
It also checks the IP of dns.msftncsi.com and compares it to a hardcoded value.

Workaround: press Win+R, open regedit, go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet, set EnableActiveProbing to 0 and reboot.

Some commands that might be useful to the author for debugging.
Also note that I can't find any entry for msftncsi in query.log and nx.log;
they are present only after my manual nslookup request.

Resolution when dnscrypt-proxy is active:
>ipconfig /flushdns
>nslookup dns.msftncsi.com
Server:  localhost
Address:  127.0.0.1

Risposta da un server non autorevole:
Nome:    dns.msftncsi.com
Addresses:  fd3e:4f5a:5b81::1
          131.107.255.255

>dnscrypt-proxy.exe -resolve dns.msftncsi.com
Resolving [dns.msftncsi.com]

Domain exists:  probably not, or blocked by the proxy
Canonical name: dns.msftncsi.com.
IP addresses:   131.107.255.255
TXT records:    -
Resolver IP:    162.158.196.172

With dnscrypt-proxy disabled, using assigned dns:
>nslookup dns.msftncsi.com
Server:  dns.google
Address:  8.8.8.8

Risposta da un server non autorevole:
Nome:    dns.msftncsi.com
Addresses:  fd3e:4f5a:5b81::1
          131.107.255.255

>dnscrypt-proxy.exe -resolve dns.msftncsi.com
Resolving [dns.msftncsi.com]

Domain exists:  probably not, or blocked by the proxy
Canonical name: dns.msftncsi.com.
IP addresses:   131.107.255.255
TXT records:    -
Resolver IP:    173.194.170.99
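
Added example, not part of the original thread: a read-only PowerShell check that reproduces the two probes described in the comment above (the DNS lookup compared with an expected address, and the text-file fetch) so you can see which half fails before setting EnableActiveProbing to 0. The value names ActiveDnsProbeHost, ActiveDnsProbeContent, ActiveWebProbeHost, ActiveWebProbePath and ActiveWebProbeContent are not quoted in the thread; they are the NCSI settings Windows keeps under the same registry key. The resolvers 127.0.0.1 and 1.1.1.1 are the two the reporter compared.

```powershell
# Added diagnostic example, not from the thread. Read-only: it changes no settings.
# Run in PowerShell on the affected Windows 10 machine.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'
$cfg = Get-ItemProperty -Path $key

# DNS half of the probe: resolve the probe host through one resolver and
# compare the A record with the expected address stored in the registry.
function Test-NcsiDnsProbe {
    param([Parameter(Mandatory)][string]$Server)
    try {
        $ips = @(Resolve-DnsName -Name $cfg.ActiveDnsProbeHost -Type A -Server $Server `
                     -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
        $err = $null
    } catch { $ips = @(); $err = $_.Exception.Message }
    [pscustomobject]@{
        Resolver = $Server
        Expected = $cfg.ActiveDnsProbeContent
        Answer   = $ips -join ','
        Pass     = $ips -contains $cfg.ActiveDnsProbeContent
        Error    = $err
    }
}

# Web half of the probe: fetch the probe file over plain HTTP and compare
# the body with the expected content stored in the registry.
function Test-NcsiWebProbe {
    $url = 'http://{0}/{1}' -f $cfg.ActiveWebProbeHost, $cfg.ActiveWebProbePath
    try {
        $body = (Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 5 `
                     -ErrorAction Stop).Content
        $err = $null
    } catch { $body = $null; $err = $_.Exception.Message }
    [pscustomobject]@{
        Url      = $url
        Expected = $cfg.ActiveWebProbeContent
        Got      = $body
        Pass     = $body -eq $cfg.ActiveWebProbeContent
        Error    = $err
    }
}

# 1 (or absent) means Windows sends the probes; 0 is the workaround from this thread.
"EnableActiveProbing = $($cfg.EnableActiveProbing)"

# Compare the local proxy with a direct resolver, as the reporter did by hand.
'127.0.0.1', '1.1.1.1' | ForEach-Object { Test-NcsiDnsProbe -Server $_ } | Format-Table -AutoSize
Test-NcsiWebProbe | Format-List
```

If both resolvers pass the DNS check and the web probe passes when run by hand, the lookups themselves are fine and the failure lies in how the system's own probe reaches the resolver, which matches the reporter's note that no msftncsi entries appear in query.log.
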

kamilmirza commented 5 years ago

The workaround works perfectly: no exclamation mark after reboot/login, and all apps are working fine now.

ismail commented 5 years ago

This is probably same as https://github.com/jedisct1/dnscrypt-proxy/issues/816 (which I'd say shouldn't have been closed). The problem is that you want to forward some local addresses to your internal resolver on modem. But this forwarding as you can see in the bug too doesn't work reliably, which I also reproduced on my system.

coliod commented 5 years ago

Local Group Policy fix from this link works fine https://support.umbrella.com/hc/en-us/articles/230900948-Umbrella-Roaming-Client-Microsoft-Windows-Limited-Network-Connectivity-Warning-Yellow-Triangle-

jedisct1 commented 5 years ago

May someone describe the problem and workaround on the Wiki?

ismail commented 5 years ago

> May someone describe the problem and workaround on the Wiki?

While the workaround seems ok, https://github.com/jedisct1/dnscrypt-proxy/issues/898 shows yet again forwarding is not working as expected. If it did the workaround wouldn't be needed.