search

Jigsaw-Code / outline-apps

Outline Client and Manager, developed by Jigsaw. Outline Manager makes it easy to create your own VPN server. Outline Client lets you share access to your VPN with anyone in your network, giving them access to the free and open internet.
https://getoutline.org/
Apache License 2.0
8.45k stars 1.37k forks source link

Randomize the order of DNS servers to prevent reaching the limitations of public resolvers #1980

Open serge-r opened 6 months ago

serge-r commented 6 months ago

Is there an existing issue that is already proposing this?

Application

Outline Client

What are you trying to do? What is your use case?

Hello.

I understand that it might seem odd, but I am conducting research on mobile app issues related to Outline VPN, Apple, and Cloudflare's DNS over TLS.

You can find many details along with logs here: https://community.cloudflare.com/t/1-1-1-1-1-0-0-1-dns-over-tls-limitations/643561 I am still awaiting a response from the Cloudflare Community, but it seems like it might take some time.

For those who are unable to follow the link I provided, here is a TL;DR:

When Outline is connected, MacOS (and iOS too) starts using DNS over TLS with Cloudflare servers, because 1.1.1.1 is listed first.

My theory is that Cloudflare has some per-IP limits for DNS DoT queries, and when these limits are reached, I receive a REFUSED response for any domain.

The problem with MacOS X and iOS (which use the same system resolver service, mDNSResponder) when DoT is enabled, is that this negative response is cached for a period, causing all apps that use the system resolver to fail. As a result, retries and other DNS servers configured in the system do not work. This is a significant problem for mobile users, as mobile apps can generate tons of DNS traffic, and iOS users of our mobile app who use Outline are experiencing issues with the application.

I have an Apple developer certificate, and I was able to build and test the Outline Client with different DNS servers. The problems appear only with 1.1.1.1. It seems that changing the order of servers could help us resolve many issues for mobile users.

Im not sure about Windows and Android users, because I don't have devices for testing, but I think would be better to use same behavior on all platforms.

Is your feature request related to a problem? Please describe it.

Problem not with the Outline but with Cloudflare, details are here: https://community.cloudflare.com/t/1-1-1-1-1-0-0-1-dns-over-tls-limitations/643561

Describe the solution you'd like.

Would be better to have random order of DNS servers here

Describe alternatives you've considered

An alternative way is to move 1.1.1.1 from the first position to another, as I did not reproduce the issue with other public resolvers. But Im not sure about others limitations.

cornzzy commented 6 months ago

Could also set from dynamic access links

serge-r commented 6 months ago

@cornzzy yeah it's a variant too, but anyway I need to redefine default behavior because a lot of clients are using defaults and 1.1.1.1 only as a first resolver