safing / portmaster

🏔 Love Freedom - ❌ Block Mass Surveillance
https://safing.io
GNU General Public License v3.0

DoT stopped working after 1.16.10 #1582

Closed Marc05 closed 6 days ago

Marc05 commented 2 weeks ago

Both IPv4 and IPv6 DoT fail on Portmaster versions after 1.16.10.

Testing details:

On Portmaster 1.16.10: The first command shows that DoT queries directly to the local DNS server succeed. The second command shows that plain DNS queries to the local DNS server get intercepted by Portmaster (which then uses DoT) and are successful.

PS dnslookup> .\dnslookup.exe google.com tls://sub.domain.tld 10.0.1.1
dnslookup v1.10.1
Server: tls://sub.domain.tld

dnslookup result (elapsed 126.886ms):
;; opcode: QUERY, status: NOERROR, id: 35084
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.    IN       A

;; ANSWER SECTION:
google.com.     62      IN      A       142.251.218.142

PS dnslookup> .\dnslookup.exe google.com 10.0.1.1
dnslookup v1.10.1
Server: 10.0.1.1

dnslookup result (elapsed 24.3565ms):
;; opcode: QUERY, status: NOERROR, id: 18437
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 3

;; QUESTION SECTION:
;google.com.    IN       A

;; ANSWER SECTION:
google.com.     17      IN      A       142.251.218.142

;; ADDITIONAL SECTION:
info.portmaster.        0       IN      TXT     "accepted: allowing dns request"
info.portmaster.        0       IN      TXT     "freshly resolved by sub (dot://sub.domain.tld:853#config)"
info.portmaster.        0       IN      TXT     "record valid for 59s"

On Portmaster 1.16.12: The first command shows that DoT queries directly to the local DNS server still succeed. The second command shows that plain DNS queries to the local DNS server get intercepted by Portmaster (which then uses DoT) and fail.

PS dnslookup> .\dnslookup.exe google.com tls://sub.domain.tld 10.0.1.1
dnslookup v1.10.1
Server: tls://sub.domain.tld

dnslookup result (elapsed 67.7276ms):
;; opcode: QUERY, status: NOERROR, id: 61786
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.    IN       A

;; ANSWER SECTION:
google.com.     142     IN      A       142.250.138.139
google.com.     142     IN      A       142.250.138.100
google.com.     142     IN      A       142.250.138.138
google.com.     142     IN      A       142.250.138.113
google.com.     142     IN      A       142.250.138.102
google.com.     142     IN      A       142.250.138.101

PS dnslookup> .\dnslookup.exe google.com 10.0.1.1
dnslookup v1.10.1
2024/06/07 12:51:53 [error] dnsproxy: 10.0.1.1:53: response received over udp: "exchanging with 10.0.1.1:53 over udp: read udp 10.0.1.50:60935->10.0.1.1:53: i/o timeout"
2024/06/07 12:51:53 [fatal] Cannot make the DNS request: exchanging with 10.0.1.1:53 over udp: read udp 10.0.1.50:60935->10.0.1.1:53: i/o timeout
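The two dnslookup runs above contrast a direct DoT query with a plain UDP query that Portmaster intercepts; on 1.16.10 the intercepted reply carries `info.portmaster.` TXT records in the ADDITIONAL section describing what Portmaster did, and on 1.16.12 the plain query simply times out. The script below is an added diagnostic example, not Portmaster's or dnslookup's code: it builds the same plain A query, decodes the wire-format reply, and surfaces those TXT records so the Portmaster decision is visible without a third-party tool. The `query_udp` live check, the sample server argument and the sample response bytes (modelled on the 1.16.10 output, not captured bytes) are all constructed for this example.

```python
"""Added example (not Portmaster's or dnslookup's code): send a plain UDP DNS
query and decode the reply, surfacing the `info.portmaster.` TXT records that
Portmaster attaches to the ADDITIONAL section when it intercepts a query."""
import socket
import struct

PORTMASTER_INFO_NAME = "info.portmaster."   # record name seen in the 1.16.10 output
TYPE_A, TYPE_TXT, CLASS_IN = 1, 16, 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS label wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Standard recursive A query, like `dnslookup google.com 10.0.1.1` sends."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def decode_name(data: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, off
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end


def parse_response(data: bytes) -> dict:
    """Return rcode, A answers and any Portmaster info TXT strings from ADDITIONAL."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = decode_name(data, off)
        off += 4
    result = {"id": qid, "rcode": flags & 0xF, "answers": [], "portmaster_info": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(data, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10
            rdata = data[off:off + rdlen]
            off += rdlen
            if section == "answer" and rtype == TYPE_A:
                result["answers"].append((name, ttl, socket.inet_ntoa(rdata)))
            elif section == "additional" and rtype == TYPE_TXT and name == PORTMASTER_INFO_NAME:
                i = 0                             # TXT rdata is a run of <len><chars> strings
                while i < len(rdata):
                    n = rdata[i]
                    result["portmaster_info"].append(rdata[i + 1:i + 1 + n].decode("utf-8", "replace"))
                    i += 1 + n
    return result


def query_udp(server: str, name: str, timeout: float = 3.0) -> dict:
    """Live check; a socket.timeout here is the failure the report shows on 1.16.12."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


def build_sample_response(qid: int = 0x1234) -> bytes:
    """Constructed reply modelled on the 1.16.10 output above (not captured bytes)."""
    def rr(name_bytes, rtype, ttl, rdata):
        return name_bytes + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

    def txt(s):
        return bytes([len(s)]) + s.encode()

    msg = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 3)   # QR, RD, RA; NOERROR
    msg += encode_name("google.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    msg += rr(b"\xc0\x0c", TYPE_A, 17, socket.inet_aton("142.251.218.142"))  # pointer to offset 12
    info = encode_name(PORTMASTER_INFO_NAME)
    msg += rr(info, TYPE_TXT, 0, txt("accepted: allowing dns request"))
    msg += rr(info, TYPE_TXT, 0, txt("freshly resolved by sub (dot://sub.domain.tld:853#config)"))
    msg += rr(info, TYPE_TXT, 0, txt("record valid for 59s"))
    return msg


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                         # e.g. python check_dns.py 10.0.1.1
        print(query_udp(sys.argv[1], "google.com"))
    else:
        print(parse_response(build_sample_response()))
```

Run with the local DNS server's address as the first argument; an empty `portmaster_info` list means the query reached the server without being intercepted, a populated one shows which upstream Portmaster used (the `dot://...:853` entry), and a `socket.timeout` reproduces the 1.16.12 symptom.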

vlabo commented 1 week ago

Thank you again for testing. The new kext is in beta; it should fix the issue.

For reference: https://wiki.safing.io/en/FAQ/SwitchReleaseChannel

Marc05 commented 6 days ago

It works on 1.16.13, thank you!