celzero / rethink-app

DNS over HTTPS / DNS over Tor / DNSCrypt client, WireGuard proxifier, firewall, and connection tracker for Android.
https://rethinkfirewall.com/
Apache License 2.0

Quad9 Dnscrypt + Relays = No Internet #1099

Closed RedSteel-1 closed 4 months ago

RedSteel-1 commented 1 year ago

It's impossible to use Dnscrypt with Relays.

Steps:

Then:

ignoramous commented 1 year ago

Quad9 doesn't seem to support Relays, unfortunately. Try other DNSCrypt endpoints?

RedSteel-1 commented 1 year ago

Ya, can confirm that when choosing Adguard with Relays, everything works. It's very sad that Quad9 doesn't support relays, it has always been my go-to DNS choice

The DNSCrypt choice is very little - 2 Quad9 (normal but no Relay support), Adguard (normal), and 2 family DNSs (no thanks). Are there any DNSCrypt endpoints that are as good as Quad9 but with Relay support, that could be added to Rethink?

ignoramous commented 1 year ago

The included endpoints are chosen because they're deployed worldwide and not regional. I don't think there are very many dnscrypt providers that have servers all over the globe.

I'm closing this issue as there's nothing more we can do wrt Quad9 not supporting Relays. You can however consider contacting them.

RedSteel-1 commented 1 year ago

Thanks for the info, will write to them :-)

RedSteel-1 commented 1 year ago

Got the Quad9's response:

Quad9 can be used via DNSCrypt with Anonymized DNS enabled and when using relays, but only as the "target" and not as the relay. Quad9 will likely never support being a relay; only a target.

Part of my config:

```toml
server_names = ['quad9-dnscrypt-ip4-filter-pri']
routes = [ { server_name='quad9-dnscrypt-ip4-filter-pri', via=['anon-cs-czech'] } ]
```

My DNSCrypt-proxy log:

```
dnscrypt-proxy[XXXXXXX]: [XXXX-XX-XX XX:XX:XX] [NOTICE] Source [relays] loaded
dnscrypt-proxy[XXXXXXX]: [XXXX-XX-XX XX:XX:XX] [NOTICE] Anonymized DNS: routing [quad9-dnscrypt-ip4-filter-pri] via [anon-cs-czech]
dnscrypt-proxy[XXXXXXX]: [XXXX-XX-XX XX:XX:XX] [NOTICE] Firefox workaround initialized
dnscrypt-proxy[XXXXXXX]: [XXXX-XX-XX XX:XX:XX] [NOTICE] Anonymizing queries for [quad9-dnscrypt-ip4-filter-pri] via [anon-cs-czech]
dnscrypt-proxy[XXXXXXX]: [XXXX-XX-XX XX:XX:XX] [INFO] [quad9-dnscrypt-ip4-filter-pri] the key validity period for this server is excessively long (365 days), significantly reducing rel>
dnscrypt-proxy[XXXXXXX]: [XXXX-XX-XX XX:XX:XX] [NOTICE] [quad9-dnscrypt-ip4-filter-pri] OK (DNSCrypt) - rtt: 10ms
dnscrypt-proxy[XXXXXXX]: [XXXX-XX-XX XX:XX:XX] [INFO] [quad9-dnscrypt-ip4-filter-pri] the key validity period for this server is excessively long (365 days), significantly reducing rel>
dnscrypt-proxy[XXXXXXX]: [XXXX-XX-XX XX:XX:XX] [NOTICE] [quad9-dnscrypt-ip4-filter-pri] OK (DNSCrypt) - rtt: 10ms - additional certificate
dnscrypt-proxy[XXXXXXX]: [XXXX-XX-XX XX:XX:XX] [NOTICE] Server with the lowest initial latency: quad9-dnscrypt-ip4-filter-pri (rtt: 10ms)
dnscrypt-proxy[XXXXXXX]: [XXXX-XX-XX XX:XX:XX] [NOTICE] dnscrypt-proxy is ready - live servers: 1
```
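Quad9's reply hinges on the difference between a "target" and a "relay" in Anonymized DNSCrypt. The following is an added example (not code from this thread, from Rethink, or from dnscrypt-proxy) showing what each role actually handles on the wire: the client prepends a relay header to an already-encrypted DNSCrypt query, the relay strips it and forwards only the encrypted query, so the target never has to know relays exist. The header value is the 10-byte magic used by dnscrypt-proxy as I recall it; the target address, port and query bytes are constructed placeholders.

```python
"""Client-side wrapping and relay-side unwrapping for Anonymized DNSCrypt.
Added example; the encrypted query below is a constructed placeholder."""
import ipaddress
import struct

# 8 bytes of 0xff plus 2 zero bytes (dnscrypt-proxy's AnonymizedDNSHeader, from memory).
ANON_MAGIC = b"\xff" * 8 + b"\x00\x00"
RELAY_INFO_LEN = 16 + 2  # 16-byte IPv6 / IPv4-mapped address + big-endian port

# Constructed stand-in for a DNSCrypt query: client magic, client pk, nonce, ciphertext.
FAKE_QUERY = b"CLIENTMG" + b"\x11" * 32 + b"\x22" * 12 + b"\x33" * 64


def wrap_for_relay(target_ip: str, target_port: int, encrypted_query: bytes) -> bytes:
    """What the client sends to the relay: magic | target ip (16 B) | port | query."""
    addr = ipaddress.ip_address(target_ip)
    if addr.version == 4:  # IPv4 targets travel as IPv4-mapped IPv6 addresses
        addr = ipaddress.IPv6Address(f"::ffff:{addr}")
    return ANON_MAGIC + addr.packed + struct.pack("!H", target_port) + encrypted_query


def relay_unwrap(packet: bytes):
    """What the relay does: validate the header, recover the target, refuse to chain.
    Returns (target_ip, target_port, encrypted_query); the target only ever sees
    the encrypted query, which is why a target needs no relay support of its own."""
    if not packet.startswith(ANON_MAGIC):
        raise ValueError("not an anonymized DNSCrypt packet")
    body = packet[len(ANON_MAGIC):]
    if len(body) < RELAY_INFO_LEN:
        raise ValueError("truncated relay info")
    addr = ipaddress.IPv6Address(body[:16])
    port = struct.unpack("!H", body[16:18])[0]
    query = body[18:]
    # Relays must not forward to other relays, so a nested relay header is rejected.
    if query.startswith(ANON_MAGIC[:8]):
        raise ValueError("nested relay header: relays do not forward to relays")
    target = addr.ipv4_mapped or addr
    return str(target), port, query


if __name__ == "__main__":
    pkt = wrap_for_relay("192.0.2.9", 8443, FAKE_QUERY)  # constructed target
    print(relay_unwrap(pkt)[:2])
```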

RedSteel-1 commented 1 year ago

So, their DNSCrypt does support relays in fact.

Can this issue be re-opened?

ignoramous commented 1 year ago

Quad9 is not used as Relay but as Target.

And I don't see how Quad9 says they support it when they clearly don't. The issue with their deployment is they are probably rejecting larger UDP packets. Can't be sure.

I'll reopen this issue, but we are also unsure what to do to make Quad9 work (when the other targets / resolvers work just fine).

RedSteel-1 commented 1 year ago

Quad9's reply:

As I cannot replicate any issues with dnscrypt in Anonymized mode in my lab environment, I'm not sure what the issue might be. I've been running my entire lab network with dnscrypt-proxy in anonymized mode since I responded to this ticket this morning and have not noticed any issues yet.

You know I think this issue will have a chance of getting resolved if you talk to them directly, without me as a proxy xD They say everything is alright, maybe you could provide them your details and observations?

ignoramous commented 1 year ago

> without me as a proxy xD

Perhaps, if I had infinite energy, motivation, and time... and most importantly, not lazy. (:

> They say everything is alright, maybe you could provide them your details and observations?

Ask if they can install Rethink, turn ON verbose logging in Configure -> Settings -> Log Level (then, `adb logcat | grep -i "golog"` or `adb logcat | grep -i "dnscrypt"`), and see if they can make sense of the errors that happen when the Quad9 Target is set up to route via Relays. Since they also have the view of what's going on at their servers, they may be able to tell just what is going wrong on their end (since with Rethink, Relays work for most other DNSCrypt Targets like AdGuard).

RedSteel-1 commented 1 year ago

Devs' response:

Troubleshooting this app is not within the scope of support. If the developer wishes to contact us with specific details or a reproduction scenario that can be replicated with the standard dnscrypt-proxy application, we can certainly take a look. Since we cannot replicate this issue with dnscrypt-proxy, and because we've both tested relays and received reports from other users that relays with dnscrypt-proxy work as expected, we consider this an implementation-specific issue.

ignoramous commented 4 months ago

We've fixed this (Quad9 servers are apparently unhappy with the anti-censorship related TCP manipulation Rethink does; but we've modified it and it looks like Quad9 servers are now happy with it). Thanks for the bug report and following up with Quad9 on our behalf.

This bug would have been resolved way sooner if only Quad9 had helped us with some logs (but I understand why they wouldn't)...

Please verify once v055o is out (in a day or two). Thanks.