netblue30 / fdns

Firejail DNS-over-HTTPS Proxy Server
GNU General Public License v3.0

Always get "Error LANrx: invalid DNS section counts: 1 0 0 1, dropped" when using `dig` #47

Open rampageX opened 3 years ago

rampageX commented 3 years ago

I tested fdns on my Debian 10 VM. fdns builds and runs with no error, but when I test it with dig, it always fails with the error: "Error LANrx: invalid DNS section counts: 1 0 0 1, dropped"

Input: dig @127.1.1.1 twitter.com

; <<>> DiG 9.16.8 <<>> @127.1.1.1 twitter.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Log:

~/src/fdns# fdns

Testing server fossdaily
   Tags: Australia, AsiaPacific, adblocker
   Error: server fossdaily failed

Testing server dnslify2
   Tags: AsiaPacific, Singapore
   SSL/TLS connection: 104.39 ms
   DoH query average: 20.01 ms
   DoH/Do53 bandwidth ratio: 2.04
   Keepalive: 20 to 25 seconds

Testing server commsone4
   Tags: Yekaterinburg, Russia, AsiaPacific, adblocker
   SSL/TLS connection: 149.15 ms
   DoH query average: 30.04 ms
   DoH/Do53 bandwidth ratio: 2.60
   Keepalive: 550 to 590 seconds
fdns starting
connecting to dnslify2 server
listening on 127.1.1.1
345 filter entries added from /usr/local/etc/fdns/trackers
7415 filter entries added from /usr/local/etc/fdns/fp-trackers
50788 filter entries added from /usr/local/etc/fdns/adblocker
10265 filter entries added from /usr/local/etc/fdns/coinblocker
07:27:17 (0) SSL connection opened
07:27:17 (2) SSL connection opened
07:27:17 (1) SSL connection opened
07:27:17 (0) h2 transport up
07:27:17 (1) h2 transport up
07:27:17 (2) h2 transport up
07:27:33 (2) Error LANrx: invalid DNS section counts: 1 0 0 1, dropped
07:27:38 (2) Error LANrx: invalid DNS section counts: 1 0 0 1, dropped
07:27:43 (2) Error LANrx: invalid DNS section counts: 1 0 0 1, dropped
^Csignal 2 caught, shutting down all resolvers

BTW: Can we manually specify the listen IP:port and the fallback DNS server's IP:port?

netblue30 commented 3 years ago

Bug! Thanks for reporting it.

netblue30 commented 3 years ago

I'll have to document it in the man page.

dig attaches to the query a DNS cookie in the "additional" section of the packet. We filter out and drop such requests, and we let through only regular queries generated by regular applications. We also drop anything else but A and AAAA requests, so most of the request options dig provides will be filtered out.

When using dig from behind fdns, send the query to a specific server using @server-ip-address on the command line. This way you bypass fdns. For example:

$ dig @9.9.9.9 debian.org
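
The filter netblue30 describes, as an added illustration that is not fdns' own code: a minimal stub-resolver query builder plus a check that mirrors the "1 0 0 0" section-count rule and the A/AAAA-only rule, producing the same log wording as the thread. `build_query`, `lan_rx_filter` and the eight zero bytes used as a client cookie are my own choices; the EDNS0 OPT layout follows RFC 6891 and the cookie option code RFC 7873.

```python
import struct
from typing import Optional

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035 s4.1.1)
HEADER = struct.Struct("!HHHHHH")
QTYPE_A, QTYPE_AAAA, QTYPE_OPT = 1, 28, 41
EDNS_OPTION_COOKIE = 10  # RFC 7873 DNS Cookies option code

def encode_name(name: str) -> bytes:
    """Encode a hostname in DNS wire label format (no compression)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name: str, qtype: int, cookie: Optional[bytes] = None) -> bytes:
    """Build a query as a stub resolver would; `cookie` adds an EDNS0 OPT RR
    carrying a COOKIE option, which is what dig does by default."""
    arcount = 1 if cookie is not None else 0
    pkt = HEADER.pack(0x1234, 0x0100, 1, 0, 0, arcount)      # RD set, 1 question
    pkt += encode_name(name) + struct.pack("!HH", qtype, 1)   # QCLASS IN
    if cookie is not None:
        rdata = struct.pack("!HH", EDNS_OPTION_COOKIE, len(cookie)) + cookie
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
        pkt += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, 0, len(rdata)) + rdata
    return pkt

def lan_rx_filter(pkt: bytes) -> Optional[str]:
    """Return None if the query is let through, else a drop reason in fdns' log style."""
    if len(pkt) < HEADER.size:
        return "packet too short, dropped"
    _id, flags, qd, an, ns, ar = HEADER.unpack_from(pkt)
    if flags & 0x8000:                       # QR bit set: a response, not a query
        return "not a query, dropped"
    if (qd, an, ns, ar) != (1, 0, 0, 0):     # anything in the additional section (e.g. OPT) fails here
        return f"invalid DNS section counts: {qd} {an} {ns} {ar}, dropped"
    off = HEADER.size                        # walk the question name to reach QTYPE
    while pkt[off]:
        off += 1 + pkt[off]
    qtype = struct.unpack_from("!H", pkt, off + 1)[0]
    if qtype not in (QTYPE_A, QTYPE_AAAA):
        return f"query type {qtype} not A/AAAA, dropped"
    return None

# constructed sample queries: a plain application lookup, a dig-style one with a cookie, and an MX lookup
PLAIN = build_query("twitter.com", QTYPE_A)
DIG_STYLE = build_query("twitter.com", QTYPE_A, cookie=bytes(8))  # 8-byte client cookie
MX = build_query("twitter.com", 15)

if __name__ == "__main__":
    for label, q in (("plain A", PLAIN), ("dig + cookie", DIG_STYLE), ("MX", MX)):
        print(f"{label}: {lan_rx_filter(q) or 'accepted'}")
```
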

netblue30 commented 3 years ago

Just to remember to document it!

emdete commented 1 year ago

I use dig to test the setup, so an @... is exactly not what I want to do... ;)

Do you know a way to tell dig to make a request that fdns would not filter out? Maybe that should be documented as well?

emdete commented 1 year ago

It's not only dig that does it; Go seems to suffer from that too:

main.go:29:2: maunium.net/go/mauflag@v1.0.0: Get "https://proxy.golang.org/maunium.net/go/mauflag/@v/v1.0.0.zip": dial tcp: lookup proxy.golang.org on 127.0.0.1:53: read udp 127.0.0.1:48660->127.0.0.1:53: i/o timeout

(with corresponding logs from fdns). Why does fdns drop such requests?