Closed syphyr closed 3 years ago
Via which relay?
All of the ODOH relays. I've tried one at a time, but this is my current configuration:
routes = [ { server_name='odoh-cloudflare', via=['odohrelay-ams', 'odohrelay-surf', 'odohrelay-bcn', 'odohrelay-crypto-sx'] }, { server_name='odoh-crypto-sx', via=['odohrelay-ams', 'odohrelay-surf', 'odohrelay-bcn', 'odohrelay-crypto-sx'] } ]
I think this has something to do with the tls_cipher_suite used. When connecting via a Tor node, could the cipher be different somehow? I've also noticed that I'm having a very difficult time getting ODoH to work properly on my Android tablet (cm-14.1 Nougat). If I use a local Tor node with dnscrypt-proxy on Android, then I can connect to a few ODoH servers and it works (i.e. odoh-cloudflare works), but if I don't use a local Tor node on Android, then none of the ODoH servers resolve anything, even though it looks like it's all connected OK in the logs.
But then I tested this theory of the cipher suite on Ubuntu 18.04, and ODoH works with or without using a Tor node or setting various tls_cipher_suite configurations.
Maybe this log will help:
[2021-06-09 23:51:46] [NOTICE] dnscrypt-proxy 2.0.46-beta2
[2021-06-09 23:51:46] [NOTICE] Source [odoh] loaded
[2021-06-09 23:51:46] [NOTICE] Source [onion-services] loaded
[2021-06-09 23:51:46] [NOTICE] Source [public-resolvers] loaded
[2021-06-09 23:51:46] [NOTICE] Source [relays] loaded
[2021-06-09 23:51:46] [NOTICE] Anonymized DNS: routing [odoh-crypto-sx] via [odohrelay-ams]
[2021-06-09 23:51:46] [NOTICE] Anonymized DNS: routing [odoh-cloudflare] via [odohrelay-ams odohrelay-surf odohrelay-bcn]
[2021-06-09 23:51:46] [NOTICE] Loading the set of allowed names from [allowed-names]
[2021-06-09 23:51:46] [NOTICE] Firefox workaround initialized
[2021-06-09 23:51:46] [NOTICE] Loading the set of blocking rules from [blocked-names]
[2021-06-09 23:51:47] [INFO] Trying to fetch the [odoh-crypto-sx] configuration again
[2021-06-09 23:51:47] [INFO] Trying to fetch the [odoh-crypto-sx] configuration again
[2021-06-09 23:51:48] [INFO] Trying to fetch the [odoh-crypto-sx] configuration again
[2021-06-09 23:51:49] [NOTICE] Anonymizing queries for [odoh-cloudflare] via [odohrelay-surf]
[2021-06-09 23:51:53] [INFO] [odoh-cloudflare] TLS version: 304 - Protocol: h2 - Cipher suite: 4865
[2021-06-09 23:51:53] [NOTICE] Advertised relay cert: [CN=odoh1.surfdomeinen.nl] [39388d8e34076afa433b7e4742d75ca03ec927e33ebe4864047db96f227c2896]
[2021-06-09 23:51:53] [NOTICE] Advertised relay cert: [CN=R3,O=Let's Encrypt,C=US] [444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce]
[2021-06-09 23:51:53] [NOTICE] Advertised relay cert: [CN=ISRG Root X1,O=Internet Security Research Group,C=US] [11b102e6b1f63e528984d6025f32b138241fc88bbd7519574d70c9832d53e1e8]
[2021-06-09 23:51:53] [NOTICE] [odoh-cloudflare] OK (ODoH) - rtt: 269ms
[2021-06-09 23:51:55] [WARNING] [onion-cloudflare] does not support HTTP/2
[2021-06-09 23:51:55] [INFO] [onion-cloudflare] TLS version: 304 - Protocol: http/1.1 - Cipher suite: 4865
[2021-06-09 23:51:55] [NOTICE] Advertised cert: [SERIALNUMBER=4710875,CN=tor.cloudflare-dns.com,O=Cloudflare\, Inc.,L=San Francisco,ST=California,C=US,1.3.6.1.4.1.311.60.2.1.2=#130844656c6177617265,1.3.6.1.4.1.311.60.2.1.3=#13025553,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e] [a6629618e5a502f280c2c9be759ff6e8563882628508ac0d62c8c4d7235bb9f4]
[2021-06-09 23:51:55] [NOTICE] Advertised cert: [CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1,O=DigiCert Inc,C=US] [ac15d221c58f955a879da52ac42960216811158fef0bfa9fc5265eb03293ee7e]
[2021-06-09 23:51:55] [NOTICE] [onion-cloudflare] OK (DoH) - rtt: 305ms
[2021-06-09 23:51:55] [NOTICE] Sorted latencies:
[2021-06-09 23:51:55] [NOTICE] - 269ms odoh-cloudflare
[2021-06-09 23:51:55] [NOTICE] - 305ms onion-cloudflare
[2021-06-09 23:51:55] [NOTICE] Server with the lowest initial latency: odoh-cloudflare (rtt: 269ms)
DEBUG=1 dnscrypt-proxy -loglevel 0
[2021-06-10 01:36:50] [DEBUG] Refreshing certificates
[2021-06-10 01:36:50] [DEBUG] [odoh.crypto.sx] IP address was not cached
[2021-06-10 01:36:50] [DEBUG] [https://odoh.crypto.sx/.well-known/odohconfigs]: [403 Forbidden]
[2021-06-10 01:36:50] [DEBUG] https://odoh.crypto.sx/.well-known/odohconfigs
[2021-06-10 01:36:50] [INFO] Trying to fetch the [odoh-crypto-sx] configuration again
[2021-06-10 01:36:50] [DEBUG] [https://odoh.crypto.sx/.well-known/odohconfigs]: [403 Forbidden]
[2021-06-10 01:36:50] [DEBUG] https://odoh.crypto.sx/.well-known/odohconfigs
[2021-06-10 01:36:50] [INFO] Trying to fetch the [odoh-crypto-sx] configuration again
[2021-06-10 01:36:51] [DEBUG] [https://odoh.crypto.sx/.well-known/odohconfigs]: [403 Forbidden]
[2021-06-10 01:36:51] [DEBUG] https://odoh.crypto.sx/.well-known/odohconfigs
[2021-06-10 01:36:51] [INFO] Trying to fetch the [odoh-crypto-sx] configuration again
[2021-06-10 01:36:51] [DEBUG] [cloudflare-dns.com] IP address was not cached
[2021-06-10 01:36:51] [NOTICE] Anonymizing queries for [odoh-cloudflare] via [odohrelay-surf]
[2021-06-10 01:36:51] [DEBUG] Pausing after ODoH configuration retrieva
curl -x socks5h://127.0.0.1:9050 -v https://odoh.crypto.sx/.well-known/odohconfigs | grep -i captcha
The issue is that odoh-crypto-sx is asking for a captcha when Tor is enabled, so it fails.
Mystery solved :)
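As an added example (not from this thread and not part of dnscrypt-proxy), the following Python script parses log lines in the format shown above and separates servers whose ODoH configuration fetch is being rejected at the HTTP layer, as the repeated 403 here was, from servers that completed a connection. The sample log is constructed from entries quoted in this thread (the two odoh-cloudflare lines are given adjusted timestamps). The log formats and server names are the ones the thread shows; the assumption that a `[url]: [403 ...]` debug line belongs to the `Trying to fetch the [server] configuration again` line that immediately follows it is based only on the ordering visible in the log.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the thread, one log entry per line.
SAMPLE_LOG = """\
[2021-06-10 01:36:50] [DEBUG] [odoh.crypto.sx] IP address was not cached
[2021-06-10 01:36:50] [DEBUG] [https://odoh.crypto.sx/.well-known/odohconfigs]: [403 Forbidden]
[2021-06-10 01:36:50] [INFO] Trying to fetch the [odoh-crypto-sx] configuration again
[2021-06-10 01:36:50] [DEBUG] [https://odoh.crypto.sx/.well-known/odohconfigs]: [403 Forbidden]
[2021-06-10 01:36:50] [INFO] Trying to fetch the [odoh-crypto-sx] configuration again
[2021-06-10 01:36:51] [DEBUG] [https://odoh.crypto.sx/.well-known/odohconfigs]: [403 Forbidden]
[2021-06-10 01:36:51] [INFO] Trying to fetch the [odoh-crypto-sx] configuration again
[2021-06-10 01:36:51] [NOTICE] Anonymizing queries for [odoh-cloudflare] via [odohrelay-surf]
[2021-06-10 01:36:53] [INFO] [odoh-cloudflare] TLS version: 304 - Protocol: h2 - Cipher suite: 4865
[2021-06-10 01:36:53] [NOTICE] [odoh-cloudflare] OK (ODoH) - rtt: 269ms
"""

# "[timestamp] [LEVEL] message" envelope used by every dnscrypt-proxy log line.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
# Debug line reporting the HTTP status of a fetch, e.g. "[https://...]: [403 Forbidden]".
HTTP_RE = re.compile(r"^\[(?P<url>https?://[^\]]+)\]: \[(?P<status>\d{3}[^\]]*)\]$")
# Info line emitted each time the ODoH configuration fetch is retried.
RETRY_RE = re.compile(r"^Trying to fetch the \[(?P<server>[^\]]+)\] configuration again$")
# Notice line emitted when a server passed its initial check.
OK_RE = re.compile(r"^\[(?P<server>[^\]]+)\] OK \((?P<proto>[^)]+)\) - rtt: (?P<rtt>\d+)ms$")


def new_entry():
    return {"retries": 0, "statuses": Counter(), "urls": set(), "ok": False, "rtt": None}


def analyze(lines):
    """Return {server_name: summary} built from dnscrypt-proxy log lines."""
    servers = {}
    pending = None  # last HTTP status seen that has not yet been attributed to a server
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        h = HTTP_RE.match(msg)
        if h:
            pending = (h.group("url"), h.group("status"))
            continue
        r = RETRY_RE.match(msg)
        if r:
            # Assumption: the retry line refers to the fetch whose status was just logged.
            entry = servers.setdefault(r.group("server"), new_entry())
            entry["retries"] += 1
            if pending:
                url, status = pending
                entry["statuses"][status] += 1
                entry["urls"].add(url)
                pending = None
            continue
        o = OK_RE.match(msg)
        if o:
            entry = servers.setdefault(o.group("server"), new_entry())
            entry["ok"] = True
            entry["rtt"] = int(o.group("rtt"))
    return servers


def diagnose(servers):
    """List (server, reason) for servers that never came up, naming an HTTP-level rejection
    when every recorded status is a client-side refusal (401/403/429)."""
    findings = []
    for name, entry in sorted(servers.items()):
        if entry["ok"]:
            continue
        total = sum(entry["statuses"].values())
        rejected = sum(n for s, n in entry["statuses"].items()
                       if s.startswith(("401", "403", "429")))
        if total and rejected == total:
            findings.append((name, "configuration fetch rejected %d time(s) with %s; the TLS "
                                   "handshake succeeded, the upstream refused the request "
                                   "(check with curl through the same proxy)"
                             % (rejected, ", ".join(sorted(entry["statuses"])))))
        elif entry["retries"]:
            findings.append((name, "%d configuration fetch retries without success"
                             % entry["retries"]))
    return findings


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG.splitlines())
    for name, entry in sorted(summary.items()):
        state = "OK rtt=%sms" % entry["rtt"] if entry["ok"] else "FAILED"
        print("%-18s %s retries=%d statuses=%s" % (name, state, entry["retries"],
                                                   dict(entry["statuses"])))
    for name, reason in diagnose(summary):
        print("%s: %s" % (name, reason))
```

Run it against `DEBUG=1 dnscrypt-proxy -loglevel 0` output redirected to a file; a server that shows only 403 responses and no `OK` line is being refused by the HTTP front end rather than failing the TLS handshake, which is the distinction that separates the captcha case in this thread from a cipher-suite problem.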
While it is fun that it actually works, using ODoH in addition to Tor makes little sense anyway. Tor gives you more hops than ODoH already.
And if you really do want to add an extra hop, anonymized DNSCrypt should work; there's no captcha here.
Thanks!
I was testing odoh-cloudflare with the Tor SOCKS proxy enabled and everything appears to work fine with all of the ODoH relays, but when I try to use odoh-crypto-sx with the Tor SOCKS proxy enabled, then it fails. Is there something different about odoh-crypto-sx that does not work with Tor exit nodes?