trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

Unable to perform DNS resolution #1754

Open eloquentbit opened 4 years ago

eloquentbit commented 4 years ago

Describe the bug

I've deployed Algo in a brand new Vultr instance from my Mac OS Catalina. The connection is established without any problem, but I can't resolve any hostname. From what I see, when connected, my DNS server in /etc/resolv.conf changes from my router's IP address to the address of the wg0 interface (10.19.49.1), even though these settings are present in config.cfg:

dns_encryption: false
dns_servers:
  ipv4:

To Reproduce

Steps to reproduce the behavior:

  1. Connect via the default profile generated during the installation process.
  2. Perform a DNS query: it fails

Expected behavior

I expect to be able to perform DNS queries without errors.

Additional context

Full log

Algo running on: Mac OS X 10.15.3
Created from git clone. Last commit: c231cd4 Bump ansible from 2.8.3 to 2.8.8 (#1736)
Python 3.7.7
Runtime variables:
    algo_provider "vultr"
    algo_ondemand_cellular "False"
    algo_ondemand_wifi "False"
    algo_ondemand_wifi_exclude "X251bGw="
    algo_dns_adblocking "False"
    algo_ssh_tunneling "False"
    wireguard_enabled "True"
    dns_encryption "False"

TASK [Display the invocation environment] ************************************************************************************************
changed: [localhost -> localhost]

TASK [Install the requirements] **********************************************************************************************************
changed: [localhost -> localhost]

TASK [Generate the SSH private key] ******************************************************************************************************
changed: [localhost]

TASK [Generate the SSH public key] *******************************************************************************************************
changed: [localhost]

TASK [Copy the private SSH key to /tmp] **************************************************************************************************
changed: [localhost -> localhost]
[cloud-vultr : pause]
Enter the local path to your configuration INI file
(https://trailofbits.github.io/algo/cloud-vultr.html):
:

TASK [cloud-vultr : pause] ***************************************************************************************************************
ok: [localhost]

TASK [cloud-vultr : Set the token as a fact] *********************************************************************************************
ok: [localhost]

TASK [cloud-vultr : Get regions] *********************************************************************************************************
ok: [localhost]

TASK [cloud-vultr : Format regions] ******************************************************************************************************
ok: [localhost]

TASK [cloud-vultr : Set regions as a fact] ***********************************************************************************************
ok: [localhost]

TASK [cloud-vultr : Set default region] **************************************************************************************************
ok: [localhost]
[cloud-vultr : pause]
What region should the server be located in?
(https://www.vultr.com/locations/):
    1.   Sydney
    2.   Toronto
    3.   Frankfurt
    4.   Paris
    5.   London
    6.   Tokyo
    7.   Amsterdam
    8.   Singapore
    9.   Atlanta
    10.   Chicago
    11.   Dallas
    12.   Los Angeles
    13.   Miami
    14.   New Jersey
    15.   Seattle
    16.   Silicon Valley

Enter the number of your desired region
[14]
:

TASK [cloud-vultr : pause] ***************************************************************************************************************
ok: [localhost]

TASK [cloud-vultr : Set the desired region as a fact] ************************************************************************************
ok: [localhost]

TASK [cloud-vultr : Creating a firewall group] *******************************************************************************************
changed: [localhost]

TASK [cloud-vultr : Creating firewall rules] *********************************************************************************************
changed: [localhost] => (item={'protocol': 'tcp', 'port': 4160, 'ip': 'v4', 'cidr': '0.0.0.0/0'})
changed: [localhost] => (item={'protocol': 'tcp', 'port': 4160, 'ip': 'v6', 'cidr': '::/0'})
changed: [localhost] => (item={'protocol': 'udp', 'port': 500, 'ip': 'v4', 'cidr': '0.0.0.0/0'})
changed: [localhost] => (item={'protocol': 'udp', 'port': 500, 'ip': 'v6', 'cidr': '::/0'})
changed: [localhost] => (item={'protocol': 'udp', 'port': 4500, 'ip': 'v4', 'cidr': '0.0.0.0/0'})
changed: [localhost] => (item={'protocol': 'udp', 'port': 4500, 'ip': 'v6', 'cidr': '::/0'})
changed: [localhost] => (item={'protocol': 'udp', 'port': 51820, 'ip': 'v4', 'cidr': '0.0.0.0/0'})
changed: [localhost] => (item={'protocol': 'udp', 'port': 51820, 'ip': 'v6', 'cidr': '::/0'})

TASK [cloud-vultr : Upload the startup script] *******************************************************************************************
changed: [localhost]

TASK [cloud-vultr : Creating a server] ***************************************************************************************************
changed: [localhost]

TASK [cloud-vultr : set_fact] ************************************************************************************************************
ok: [localhost]

TASK [Set subjectAltName as a fact] ******************************************************************************************************
ok: [localhost]

TASK [Add the server to an inventory group] **********************************************************************************************
changed: [localhost]

TASK [Additional variables for the server] ***********************************************************************************************
changed: [localhost]

TASK [Wait until SSH becomes ready...] ***************************************************************************************************
ok: [localhost]

TASK [debug] *****************************************************************************************************************************
ok: [localhost] => {
    "IP_subject_alt_name": "95.179.249.239"
}

TASK [Wait 600 seconds for target connection to become reachable/usable] *****************************************************************
ok: [localhost -> 95.179.249.239] => (item=95.179.249.239)

PLAY [Configure the server and install required software] ********************************************************************************

TASK [Wait until the cloud-init completed] ***********************************************************************************************
ok: [95.179.249.239]

TASK [Ensure the config directory exists] ************************************************************************************************
changed: [95.179.249.239 -> localhost]

TASK [Dump the ssh config] ***************************************************************************************************************
changed: [95.179.249.239 -> localhost]

TASK [common : Check the system] *********************************************************************************************************
ok: [95.179.249.239]
included: /Users/luca/Developer/algo/roles/common/tasks/ubuntu.yml for 95.179.249.239

TASK [common : Gather facts] *************************************************************************************************************
ok: [95.179.249.239]

TASK [common : Install software updates] *************************************************************************************************
changed: [95.179.249.239]

TASK [common : Check if reboot is required] **********************************************************************************************
changed: [95.179.249.239]

TASK [common : Reboot] *******************************************************************************************************************
changed: [95.179.249.239]

TASK [common : Wait until the server becomes ready...] ***********************************************************************************
ok: [95.179.249.239]

TASK [common : Install unattended-upgrades] **********************************************************************************************
ok: [95.179.249.239]

TASK [common : Configure unattended-upgrades] ********************************************************************************************
changed: [95.179.249.239]

TASK [common : Periodic upgrades configured] *********************************************************************************************
changed: [95.179.249.239]

TASK [common : Disable MOTD on login and SSHD] *******************************************************************************************
changed: [95.179.249.239] => (item={'regexp': '^session.*optional.*pam_motd.so.*', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/login'})
changed: [95.179.249.239] => (item={'regexp': '^session.*optional.*pam_motd.so.*', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/sshd'})

TASK [common : Loopback for services configured] *****************************************************************************************
changed: [95.179.249.239]

TASK [common : systemd services enabled and started] *************************************************************************************
ok: [95.179.249.239] => (item=systemd-networkd)
ok: [95.179.249.239] => (item=systemd-resolved)

RUNNING HANDLER [common : restart systemd-networkd] **************************************************************************************
changed: [95.179.249.239]

TASK [common : Check apparmor support] ***************************************************************************************************
ok: [95.179.249.239]

TASK [common : Set fact if apparmor enabled] *********************************************************************************************
ok: [95.179.249.239]

TASK [common : Define facts] *************************************************************************************************************
ok: [95.179.249.239]

TASK [common : Set facts] ****************************************************************************************************************
ok: [95.179.249.239]

TASK [common : Set IPv6 support as a fact] ***********************************************************************************************
ok: [95.179.249.239]

TASK [common : Check size of MTU] ********************************************************************************************************
ok: [95.179.249.239]

TASK [common : Set OS specific facts] ****************************************************************************************************
ok: [95.179.249.239]

TASK [common : Install tools] ************************************************************************************************************
changed: [95.179.249.239]

TASK [common : Install headers] **********************************************************************************************************
ok: [95.179.249.239]
included: /Users/luca/Developer/algo/roles/common/tasks/iptables.yml for 95.179.249.239

TASK [common : Iptables configured] ******************************************************************************************************
changed: [95.179.249.239] => (item={'src': 'rules.v4.j2', 'dest': '/etc/iptables/rules.v4'})

TASK [common : Iptables configured] ******************************************************************************************************
changed: [95.179.249.239] => (item={'src': 'rules.v6.j2', 'dest': '/etc/iptables/rules.v6'})

TASK [common : Sysctl tuning] ************************************************************************************************************
changed: [95.179.249.239] => (item={'item': 'net.ipv4.ip_forward', 'value': 1})
changed: [95.179.249.239] => (item={'item': 'net.ipv4.conf.all.forwarding', 'value': 1})
changed: [95.179.249.239] => (item={'item': 'net.ipv6.conf.all.forwarding', 'value': 1})

RUNNING HANDLER [common : restart iptables] **********************************************************************************************
changed: [95.179.249.239]
[WARNING]: flush_handlers task does not support when conditional

TASK [wireguard : Ensure the required directories exist] *********************************************************************************
changed: [95.179.249.239 -> localhost] => (item=configs/95.179.249.239/wireguard//.pki//preshared)
changed: [95.179.249.239 -> localhost] => (item=configs/95.179.249.239/wireguard//.pki//private)
changed: [95.179.249.239 -> localhost] => (item=configs/95.179.249.239/wireguard//.pki//public)
changed: [95.179.249.239 -> localhost] => (item=configs/95.179.249.239/wireguard//apple/ios)
changed: [95.179.249.239 -> localhost] => (item=configs/95.179.249.239/wireguard//apple/macos)
included: /Users/luca/Developer/algo/roles/wireguard/tasks/ubuntu.yml for 95.179.249.239

TASK [wireguard : WireGuard repository configured] ***************************************************************************************
changed: [95.179.249.239]

TASK [wireguard : WireGuard installed] ***************************************************************************************************
changed: [95.179.249.239]

TASK [wireguard : WireGuard reload-module-on-update] *************************************************************************************
changed: [95.179.249.239]

TASK [wireguard : Configure unattended-upgrades] *****************************************************************************************
changed: [95.179.249.239]

TASK [wireguard : Set OS specific facts] *************************************************************************************************
ok: [95.179.249.239]

TASK [wireguard : Generate private keys] *************************************************************************************************
changed: [95.179.249.239] => (item=luca)
changed: [95.179.249.239] => (item=95.179.249.239)

TASK [wireguard : Save private keys] *****************************************************************************************************
changed: [95.179.249.239 -> localhost] => (item=None)
changed: [95.179.249.239 -> localhost] => (item=None)
changed: [95.179.249.239]

TASK [wireguard : Touch the lock file] ***************************************************************************************************
changed: [95.179.249.239] => (item=luca)
changed: [95.179.249.239] => (item=95.179.249.239)

TASK [wireguard : Generate preshared keys] ***********************************************************************************************
changed: [95.179.249.239] => (item=luca)
changed: [95.179.249.239] => (item=95.179.249.239)

TASK [wireguard : Save preshared keys] ***************************************************************************************************
changed: [95.179.249.239 -> localhost] => (item=None)
changed: [95.179.249.239 -> localhost] => (item=None)
changed: [95.179.249.239]

TASK [wireguard : Touch the preshared lock file] *****************************************************************************************
changed: [95.179.249.239] => (item=luca)
changed: [95.179.249.239] => (item=95.179.249.239)

TASK [wireguard : Generate public keys] **************************************************************************************************
ok: [95.179.249.239] => (item=luca)
ok: [95.179.249.239] => (item=95.179.249.239)

TASK [wireguard : Save public keys] ******************************************************************************************************
changed: [95.179.249.239 -> localhost] => (item=None)
changed: [95.179.249.239 -> localhost] => (item=None)
changed: [95.179.249.239]

TASK [wireguard : WireGuard user list updated] *******************************************************************************************
changed: [95.179.249.239 -> localhost] => (item=luca)

TASK [wireguard : set_fact] **************************************************************************************************************
ok: [95.179.249.239 -> localhost]

TASK [wireguard : WireGuard users config generated] **************************************************************************************
changed: [95.179.249.239 -> localhost] => (item=[0, 'luca'])
included: /Users/luca/Developer/algo/roles/wireguard/tasks/mobileconfig.yml for 95.179.249.239
included: /Users/luca/Developer/algo/roles/wireguard/tasks/mobileconfig.yml for 95.179.249.239

TASK [wireguard : WireGuard apple mobileconfig generated] ********************************************************************************
changed: [95.179.249.239 -> localhost] => (item=[0, 'luca'])

TASK [wireguard : WireGuard apple mobileconfig generated] ********************************************************************************
changed: [95.179.249.239 -> localhost] => (item=[0, 'luca'])

TASK [wireguard : Generate QR codes] *****************************************************************************************************
ok: [95.179.249.239 -> localhost] => (item=[0, 'luca'])

TASK [wireguard : WireGuard configured] **************************************************************************************************
changed: [95.179.249.239]

TASK [wireguard : WireGuard enabled and started] *****************************************************************************************
changed: [95.179.249.239]

RUNNING HANDLER [wireguard : restart wireguard] ******************************************************************************************
changed: [95.179.249.239]
included: /Users/luca/Developer/algo/roles/strongswan/tasks/ubuntu.yml for 95.179.249.239

TASK [strongswan : Set OS specific facts] ************************************************************************************************
ok: [95.179.249.239]

TASK [strongswan : Ubuntu | Install strongSwan] ******************************************************************************************
changed: [95.179.249.239]

TASK [strongswan : Ubuntu | Charon profile for apparmor configured] **********************************************************************
changed: [95.179.249.239]

TASK [strongswan : Ubuntu | Enforcing ipsec with apparmor] *******************************************************************************
ok: [95.179.249.239] => (item=/usr/lib/ipsec/charon)
ok: [95.179.249.239] => (item=/usr/lib/ipsec/lookip)
ok: [95.179.249.239] => (item=/usr/lib/ipsec/stroke)

TASK [strongswan : Ubuntu | Enable services] *********************************************************************************************
ok: [95.179.249.239] => (item=apparmor)
ok: [95.179.249.239] => (item=strongswan)
ok: [95.179.249.239] => (item=netfilter-persistent)

TASK [strongswan : Ubuntu | Ensure that the strongswan service directory exists] *********************************************************
changed: [95.179.249.239]

TASK [strongswan : Ubuntu | Setup the cgroup limitations for the ipsec daemon] ***********************************************************
changed: [95.179.249.239]

TASK [strongswan : Ensure that the strongswan user exists] *******************************************************************************
ok: [95.179.249.239]

TASK [strongswan : Install strongSwan] ***************************************************************************************************
ok: [95.179.249.239]

TASK [strongswan : Setup the config files from our templates] ****************************************************************************
changed: [95.179.249.239] => (item={'src': 'strongswan.conf.j2', 'dest': 'strongswan.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'})
changed: [95.179.249.239] => (item={'src': 'ipsec.conf.j2', 'dest': 'ipsec.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'})
changed: [95.179.249.239] => (item={'src': 'ipsec.secrets.j2', 'dest': 'ipsec.secrets', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})
changed: [95.179.249.239] => (item={'src': 'charon.conf.j2', 'dest': 'strongswan.d/charon.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'})

TASK [strongswan : Get loaded plugins] ***************************************************************************************************
ok: [95.179.249.239]

TASK [strongswan : Disable unneeded plugins] *********************************************************************************************
changed: [95.179.249.239] => (item=xauth-generic)
changed: [95.179.249.239] => (item=resolve)
changed: [95.179.249.239] => (item=dnskey)
changed: [95.179.249.239] => (item=agent)
changed: [95.179.249.239] => (item=md5)
changed: [95.179.249.239] => (item=mgf1)
changed: [95.179.249.239] => (item=connmark)
changed: [95.179.249.239] => (item=bypass-lan)
changed: [95.179.249.239] => (item=pkcs1)
changed: [95.179.249.239] => (item=xcbc)
changed: [95.179.249.239] => (item=sha1)
changed: [95.179.249.239] => (item=gmp)
changed: [95.179.249.239] => (item=sshkey)
changed: [95.179.249.239] => (item=rc2)
changed: [95.179.249.239] => (item=counters)
changed: [95.179.249.239] => (item=attr)
changed: [95.179.249.239] => (item=fips-prf)
changed: [95.179.249.239] => (item=md4)
changed: [95.179.249.239] => (item=eap-mschapv2)
changed: [95.179.249.239] => (item=aesni)
changed: [95.179.249.239] => (item=updown)
changed: [95.179.249.239] => (item=constraints)

TASK [strongswan : Ensure that required plugins are enabled] *****************************************************************************
changed: [95.179.249.239] => (item=stroke)
changed: [95.179.249.239] => (item=gcm)
changed: [95.179.249.239] => (item=pem)
changed: [95.179.249.239] => (item=pkcs7)
changed: [95.179.249.239] => (item=sha2)
changed: [95.179.249.239] => (item=random)
changed: [95.179.249.239] => (item=pubkey)
changed: [95.179.249.239] => (item=aes)
changed: [95.179.249.239] => (item=hmac)
changed: [95.179.249.239] => (item=nonce)
changed: [95.179.249.239] => (item=pkcs12)
changed: [95.179.249.239] => (item=openssl)
changed: [95.179.249.239] => (item=pgp)
changed: [95.179.249.239] => (item=pkcs8)
changed: [95.179.249.239] => (item=kernel-netlink)
changed: [95.179.249.239] => (item=x509)
changed: [95.179.249.239] => (item=socket-default)
changed: [95.179.249.239] => (item=revocation)

TASK [strongswan : debug] ****************************************************************************************************************
ok: [95.179.249.239 -> localhost] => {
    "subjectAltName": "IP:95.179.249.239,IP:2001:19f0:6c01:25d0:5400:2ff:fe9c:ea6d"
}

TASK [strongswan : Ensure the pki directories exist] *************************************************************************************
changed: [95.179.249.239 -> localhost] => (item=ecparams)
changed: [95.179.249.239 -> localhost] => (item=certs)
changed: [95.179.249.239 -> localhost] => (item=crl)
changed: [95.179.249.239 -> localhost] => (item=newcerts)
changed: [95.179.249.239 -> localhost] => (item=private)
changed: [95.179.249.239 -> localhost] => (item=public)
changed: [95.179.249.239 -> localhost] => (item=reqs)

TASK [strongswan : Ensure the config directories exist] **********************************************************************************
changed: [95.179.249.239 -> localhost] => (item=apple)
changed: [95.179.249.239 -> localhost] => (item=manual)

TASK [strongswan : Ensure the files exist] ***********************************************************************************************
changed: [95.179.249.239 -> localhost] => (item=.rnd)
changed: [95.179.249.239 -> localhost] => (item=private/.rnd)
changed: [95.179.249.239 -> localhost] => (item=index.txt)
changed: [95.179.249.239 -> localhost] => (item=index.txt.attr)
changed: [95.179.249.239 -> localhost] => (item=serial)

TASK [strongswan : Generate the openssl server configs] **********************************************************************************
changed: [95.179.249.239 -> localhost]

TASK [strongswan : Build the CA pair] ****************************************************************************************************
changed: [95.179.249.239 -> localhost]

TASK [strongswan : Copy the CA certificate] **********************************************************************************************
changed: [95.179.249.239 -> localhost]

TASK [strongswan : Generate the serial number] *******************************************************************************************
changed: [95.179.249.239 -> localhost]

TASK [strongswan : Build the server pair] ************************************************************************************************
changed: [95.179.249.239 -> localhost]

TASK [strongswan : Build the client's pair] **********************************************************************************************
changed: [95.179.249.239 -> localhost] => (item=luca)

TASK [strongswan : Build openssh public keys] ********************************************************************************************
changed: [95.179.249.239 -> localhost] => (item=luca)

TASK [strongswan : Build the client's p12] ***********************************************************************************************
changed: [95.179.249.239 -> localhost] => (item=luca)

TASK [strongswan : Build the client's p12 with the CA cert included] *********************************************************************
changed: [95.179.249.239 -> localhost] => (item=luca)

TASK [strongswan : Copy the p12 certificates] ********************************************************************************************
changed: [95.179.249.239 -> localhost] => (item=luca)

TASK [strongswan : Get active users] *****************************************************************************************************
changed: [95.179.249.239 -> localhost]

TASK [strongswan : Copy the keys to the strongswan directory] ****************************************************************************
changed: [95.179.249.239] => (item={'src': 'cacert.pem', 'dest': 'cacerts/ca.crt', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})
changed: [95.179.249.239] => (item={'src': 'certs/95.179.249.239.crt', 'dest': 'certs/95.179.249.239.crt', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})
changed: [95.179.249.239] => (item={'src': 'private/95.179.249.239.key', 'dest': 'private/95.179.249.239.key', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})

TASK [strongswan : Register p12 PayloadContent] ******************************************************************************************
ok: [95.179.249.239 -> localhost] => (item=luca)

TASK [strongswan : Set facts for mobileconfigs] ******************************************************************************************
ok: [95.179.249.239 -> localhost]

TASK [strongswan : Build the mobileconfigs] **********************************************************************************************
changed: [95.179.249.239 -> localhost] => (item=None)
changed: [95.179.249.239]

TASK [strongswan : Build the client ipsec config file] ***********************************************************************************
changed: [95.179.249.239 -> localhost] => (item=luca)

TASK [strongswan : Build the client ipsec secret file] ***********************************************************************************
changed: [95.179.249.239 -> localhost] => (item=luca)

TASK [strongswan : Restrict permissions for the local private directories] ***************************************************************
ok: [95.179.249.239 -> localhost]

TASK [strongswan : strongSwan started] ***************************************************************************************************
ok: [95.179.249.239]

RUNNING HANDLER [strongswan : restart strongswan] ****************************************************************************************
changed: [95.179.249.239]

RUNNING HANDLER [strongswan : daemon-reload] *********************************************************************************************
ok: [95.179.249.239]

TASK [Dump the configuration] ************************************************************************************************************
changed: [95.179.249.239 -> localhost]

TASK [debug] *****************************************************************************************************************************
ok: [95.179.249.239] => {
    "msg": [
        [
            "\"#                          Congratulations!                            #\"",
            "\"#                     Your Algo server is running.                     #\"",
            "\"#    Config files and certificates are in the ./configs/ directory.    #\"",
            "\"#              Go to https://whoer.net/ after connecting               #\"",
            "\"#        and ensure that all your traffic passes through the VPN.      #\"",
            "\"#                     Local DNS resolver 172.24.117.23, fd00::8:7517                   #\"",
            ""
        ],
        "    \"#        The p12 and SSH keys password for new users is 8jhfsS9uA       #\"\n",
        "    \"#        The CA key password is CVfwnkPGBlMqlqTk       #\"\n",
        "    \"#      Shell access: ssh -F configs/95.179.249.239/ssh_config algo        #\"\n"
    ]
}

PLAY RECAP *******************************************************************************************************************************
95.179.249.239             : ok=98   changed=61   unreachable=0    failed=0    skipped=37   rescued=0    ignored=0
localhost                  : ok=42   changed=11   unreachable=0    failed=0    skipped=6    rescued=0    ignored=0

ghost commented 4 years ago

I'm not sure if it's related, but I've had DNS resolution issues for a couple of days as well. Whenever dnscrypt-proxy chooses the cloudflare server, name resolution doesn't work. When I force it to use the cloudflare-ipv6 server, everything works as expected.

To force IPv6, set ipv4_servers = false in /etc/dnscrypt-proxy/dnscrypt-proxy.toml and restart dnscrypt-proxy via systemctl restart dnscrypt-proxy.service.

Another solution for me was to follow these steps from the FAQ to use the Google DNS server. Might indicate an issue with the Cloudflare IPv4 DNS connectivity?

In my case, it's reproducible. Would be very interested if it helps you out as well.

eloquentbit commented 4 years ago

Hi @oh-fv, thanks for the suggestions.

On my Ubuntu server there is no /etc/dnscrypt-proxy/dnscrypt-proxy.toml file, maybe because I opted out of DNS encryption during installation.

I've also tried to follow the FAQ you mentioned, but without success.

ChrisWiegman commented 4 years ago

I've tried both methods, tried rebuilding the server and even tried switching from cloudflare to nextdns in /etc/dnscrypt-proxy/dnscrypt-proxy.toml; nothing works.

ghost commented 4 years ago

My solution only worked for a couple of days for me. I did a fresh install yesterday evening (with DNS encryption and ad blocking), and after around 9 in the morning today DNS resolution stopped working again. Frustrating.

Is there anything I can do to help debug this issue? I'm running Algo on a fresh Ubuntu 18.04 install.

ChrisWiegman commented 4 years ago

I did a 2nd re-install without any DNS features and things are working for me now. I would love to help debug this as well.

ghost commented 4 years ago

In an otherwise unchanged /etc/dnscrypt-proxy/dnscrypt-proxy.toml I edited server_names to server_names = ['cloudflare'] with the following reproducible result in # journalctl -u dnscrypt-proxy:

Mar 20 21:19:18 v220190910411597575 dnscrypt-proxy[4202]: Get https://dns.cloudflare.com/dns-query?ct=&dns=yv4BAAABAAAAAAABAAACAAEAACkQAAAAgAAAAA: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
Mar 20 21:19:18 v220190910411597575 dnscrypt-proxy[4202]: dnscrypt-proxy is waiting for at least one server to be reachable

So for me, the issue still seems to be related to Cloudflare. I don't know enough about the inner workings of the Algo server to say if this is the cause or a symptom. But I picked a couple of servers from https://dnscrypt.info/public-servers/ I like and added them to server_names (without the Cloudflare ones) and so far the DNS resolution works.

sethgoldin commented 4 years ago

Chiming in here to say that I'm running into this issue now, too. Not sure what's up; it was working for a few days just fine last week, and now I can't create a fresh instance and then actually resolve from a Catalina 10.15.4 client. This is from Lightsail, configured with an Ubuntu 18.04.4 instance. Doesn't matter whether dns_encryption is true or false in config.cfg before running $ ./algo.

sethgoldin commented 4 years ago

Now I can't replicate. DNS resolves just fine. Not sure if it was a temporary hiccough or some configuration option I missed somewhere.

OoLunar commented 3 years ago

I can reproduce on commit 4172dea43659818fbbcba3ecc5e6bb54a0b98d72. Everything y'all have mentioned seems the same for me. The only difference is that I am running this on Debian 10. I only modified the ubuntu.yml tasks to not update cache or use apt to install anything, and I installed wireguard, dnscrypt-proxy and co myself.

OoLunar commented 3 years ago

Fixed by setting the DNS property in local client wireguard configs to 8.8.8.8. Seems to work for 1.1.1.1 as well.

sethgoldin commented 3 years ago

> Fixed by setting the DNS property in local client wireguard configs to 8.8.8.8. Seems to work for 1.1.1.1 as well.

Thanks for this. I don't really know what happened, but manually setting wg0.conf on my client to 1.1.1.1 indeed worked. Thank you!

ivan-gorin commented 2 years ago

Maybe this will help someone: I had the same issue. It turns out Docker created a bridge interface for one of the containers which overlapped with the DNS IP. Removing the interface (for example, docker network prune) solved it.
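
The two fixes reported in this thread (changing the DNS property in the client WireGuard config, and removing a Docker bridge that overlapped with the DNS IP) can be checked for with one script. This is an added example, not code from the Algo project or from any commenter. The client config, the `ip -o addr show` output, the bridge name and the endpoint are constructed; the resolver addresses are the ones printed in the deploy log above.

```python
import ipaddress
import re

# Constructed sample: a WireGuard client config in the shape wg-quick reads.
# Keys and endpoint are placeholders; the DNS values are the "Local DNS
# resolver" addresses shown in the deploy log on this page.
SAMPLE_WG_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.19.49.2/32
DNS = 172.24.117.23, fd00::8:7517

[Peer]
PublicKey = <server-public-key-placeholder>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
"""

# Constructed sample of `ip -o addr show` output on the affected machine.
# The br-... interface stands in for a Docker user-defined bridge.
SAMPLE_IP_ADDR = r"""
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.20/24 brd 192.168.1.255 scope global dynamic eth0\       valid_lft 3000sec preferred_lft 3000sec
5: br-0123456789ab    inet 172.24.0.1/16 brd 172.24.255.255 scope global br-0123456789ab\       valid_lft forever preferred_lft forever
7: wg0    inet 10.19.49.2/32 scope global wg0\       valid_lft forever preferred_lft forever
"""

IP_ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet6?\s+(\S+)")


def parse_wg_dns(conf_text):
    """Return the resolver IPs from DNS= lines in the [Interface] section."""
    section, resolvers = None, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section != "interface" or not sep or key.strip().lower() != "dns":
            continue
        for item in value.split(","):
            try:
                resolvers.append(ipaddress.ip_address(item.strip()))
            except ValueError:
                pass  # wg-quick also accepts search domains here; skip them
    return resolvers


def parse_ip_addr(output):
    """Parse `ip -o addr show` lines into (interface name, ip_interface)."""
    ifaces = []
    for line in output.splitlines():
        m = IP_ADDR_RE.match(line.strip())
        if m:
            ifaces.append((m.group(1), ipaddress.ip_interface(m.group(2))))
    return ifaces


def find_shadowing(resolvers, ifaces, tunnel_if="wg0"):
    """List resolvers that fall inside a subnet attached to a non-tunnel
    interface. A directly connected subnet is a more specific route than the
    tunnel's 0.0.0.0/0, so queries to such a resolver leave via that
    interface instead of the VPN and go unanswered."""
    hits = []
    for dns in resolvers:
        for name, iface in ifaces:
            if name == tunnel_if or iface.version != dns.version:
                continue
            if dns in iface.network:
                hits.append((str(dns), name, str(iface.network)))
    return hits


if __name__ == "__main__":
    resolvers = parse_wg_dns(SAMPLE_WG_CONF)
    hits = find_shadowing(resolvers, parse_ip_addr(SAMPLE_IP_ADDR))
    for dns, name, net in hits:
        print(f"resolver {dns} is inside {net} on {name}")
    if not hits:
        print("no local subnet overlaps the configured resolvers")
```

On a real client, feed it the contents of the generated WireGuard config and the live output of `ip -o addr show`, and pass the actual tunnel interface name as `tunnel_if`.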