zoonderkins / blahdns

A small hobby ads block dns project with doh, dot, dnscrypt support.
https://blahdns.com
GNU Affero General Public License v3.0

DNSCrypt over TCP (IPv4) fails #161

Closed ignoramous closed 3 years ago

ignoramous commented 3 years ago

Checklist

Describe the issue Using BlahDNS DNSCrypt IPv4 (FIN, DE, CH, SIN, JP) endpoints with RethinkDNS doesn't work and fails when validating test queries over TCP with: dns crypt resp packet too short.

RethinkDNS only uses TCP connections over IPv4 with DNSCrypt and not UDP.

To Reproduce Steps to reproduce the behavior:

  1. Install RethinkDNS on any Android 6+ device, Start it.
  2. Tap on the Configure button in the homescreen.
  3. From the drop-down, choose DNSCrypt.
  4. Tap on the + Add button at the bottom of the screen.
  5. Enter DNSCrypt IPv4 SDNS stamps for any BlahDNS DNSCrypt servers. For ex, blahdns-ch-ipv4-dnscrypt: sdns://AQMAAAAAAAAAETQ1LjkwLjU3LjEyMTo4NDQzIFOE6BRDFCk-Vt0bFAoe8XKtR726F5nIlXKUlT0DTrXHGzIuZG5zY3J5cHQtY2VydC5ibGFoZG5zLmNvbQ
  6. Notice that the DNS connection flips back to default (which is DNS over HTTPS connection to RethinkDNS Basic).

Expected behavior Should connect to BlahDNS DNSCrypt over TCP.

Logs (optional) From RethinkDNS (annotated):

# dnscrypt server stamp
01-30 20:34:25.500  4660 18379 I RethinkDNS: Crypt Server - 6#sdns://AQMAAAAAAAAAETQ1LjkwLjU3LjEyMTo4NDQzIFOE6BRDFCk-Vt0bFAoe8XKtR726F5nIlXKUlT0DTrXHGzIuZG5zY3J5cHQtY2VydC5ibGFoZG5zLmNvbQ

# no anonymized relays used
01-30 20:34:25.506  4660 18379 I RethinkDNS: GoVPNAdapter DNSCrypt routes: , removed relay count:0

# connecting via dnscrypt protocol (dnsmode -> 4); no socks5 or http/s proxies used (proxyMode -> 0); firewall is enabled (blockMode -> 1)
01-30 20:34:25.506  4660 18379 D RethinkDNS: GoVPNAdapter setCryptMode - Connected to tunnel with DNSMODE - 4 - blockMode-1proxyMode-0

# ...
# test DNS requests are being sent via DNSCrypt to assess server health and cert validity
# ...

# test fails with timeout / no response / dns crypt response too short
01-30 20:34:26.339  4660 22388 I GoLog   : [6] TIMEOUT dns crypt resp packet too short

# dns packet contents from 45.90.57.121:8443 (blahdns-ch-ipv4-dnscrypt)
01-30 20:34:26.339  4660 22388 I GoLog   : {45.90.57.121:8443 S<84>è^TC^T)>VÝ^[^T

# dnscrypt cert?
01-30 20:34:26.339  4660 22388 I GoLog   : ^^ñr­G½º^W<99>È<95>r<94><95>=^CNµÇ [] 2.dnscrypt-cert.blahdns.com  %!s(dnsstamps.ServerInformalProperties=3) %!s(dnsstamps.StampProtoType=1)} not a live server? %!w(*errors.errorString=&{dns crypt resp packet too short})

# stack trace indicating "refresh failed" presumably because of the errors above
01-30 20:34:26.346  4660 22388 E RethinkDNS: GoVPNAdapter celzero connect-tunnel: dns crypt
01-30 20:34:26.346  4660 22388 E RethinkDNS: go.Universe$proxyerror: dns crypt resp packet too short
01-30 20:34:26.346  4660 22388 E RethinkDNS: >--at dnscrypt.Proxy.refresh(Native Method)

# RethinkDNS not happy
01-30 20:34:26.356  4660  4660 D RethinkDNS: RethinkVPNService DNSType- 1       

# RethinkDNS forced to handle unrecoverable exception...
01-30 20:34:26.357  4660 22388 D RethinkDNS: GoVPNAdapter celzero connect crypt exception handling - update dns crypt and remove the servers

# ... with a connection change...
01-30 20:34:26.357  4660  4660 D RethinkDNS: RethinkVPNService CONNECTION_CHANGE- 2

# ... to the default DoH endpoint which is RethinkDNS Basic
01-30 20:34:26.363  4660 18388 D RethinkDNS: GoVPNAdapter DoHURL - https://basic.bravedns.com/1:YBcgAIAQIAAIAABgIAA=

# unhappy users...

Server (if applicable): All DNSCrypt IPv4 servers fail so far, including sdns://AQMAAAAAAAAAETQ1LjkwLjU3LjEyMTo4NDQzIFOE6BRDFCk-Vt0bFAoe8XKtR726F5nIlXKUlT0DTrXHGzIuZG5zY3J5cHQtY2VydC5ibGFoZG5zLmNvbQ

Client (if applicable): RethinkDNS

Additional context Thanks!
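The `sdns://` stamps quoted in this report (and the JP ones posted later in the thread) pack the resolver address, the provider's Ed25519 public key and the certificate provider name into one base64url string. The following decoder is an added example written for this page; it is not code from the issue, from blahdns or from RethinkDNS. It assumes the DNS Stamps layout for protocol type 0x01 (DNSCrypt): a protocol byte, an 8-byte little-endian properties field, then three length-prefixed fields (address, 32-byte provider public key, provider name). Decoding the CH stamp above gives protocol 1 and properties 3, which is exactly what the GoLog line reports as `StampProtoType=1` and `ServerInformalProperties=3`, so the client parsed the stamp correctly and the failure is in the TCP exchange, not in the configuration.

```python
import base64
from dataclasses import dataclass

# DNS Stamps protocol identifier for DNSCrypt (first byte of the decoded stamp).
DNSCRYPT_PROTO = 0x01
# Informal server property bits carried in the 8-byte properties field.
PROP_DNSSEC, PROP_NO_LOGS, PROP_NO_FILTER = 0x1, 0x2, 0x4

# Stamps copied from this issue thread (CH and JP IPv4 from the report, JP IPv6 from the reply).
BLAHDNS_CH_V4 = "sdns://AQMAAAAAAAAAETQ1LjkwLjU3LjEyMTo4NDQzIFOE6BRDFCk-Vt0bFAoe8XKtR726F5nIlXKUlT0DTrXHGzIuZG5zY3J5cHQtY2VydC5ibGFoZG5zLmNvbQ"
BLAHDNS_JP_V4 = "sdns://AQMAAAAAAAAAEzEzOS4xNjIuMTEyLjQ3Ojg0NDMgbC1IEdPcd6w0tIkpG7PJPgsGG0O9BZX-gf0hJ0E_SLUbMi5kbnNjcnlwdC1jZXJ0LmJsYWhkbnMuY29t"
BLAHDNS_JP_V6 = "sdns://AQMAAAAAAAAAJVsyNDAwOjg5MDI6OmYwM2M6OTJmZjpmZTI3OjM0NGJdOjg0NDMgbC1IEdPcd6w0tIkpG7PJPgsGG0O9BZX-gf0hJ0E_SLUbMi5kbnNjcnlwdC1jZXJ0LmJsYWhkbnMuY29t"


@dataclass
class DNSCryptStamp:
    proto: int
    props: int
    addr: str            # "host:port" or "[v6]:port" as written in the stamp
    public_key: bytes    # 32-byte provider Ed25519 public key (verifies the resolver's certs)
    provider_name: str   # e.g. "2.dnscrypt-cert.blahdns.com"

    def prop_names(self):
        names = []
        if self.props & PROP_DNSSEC:
            names.append("DNSSEC")
        if self.props & PROP_NO_LOGS:
            names.append("NoLogs")
        if self.props & PROP_NO_FILTER:
            names.append("NoFilter")
        return names

    def host_port(self):
        """Split the address field, handling bracketed IPv6 literals."""
        host, _, port = self.addr.rpartition(":")
        if host.startswith("[") and host.endswith("]"):
            host = host[1:-1]
        return host, int(port)


def _read_lp(buf, pos):
    """Read one length-prefixed field (1-byte length, then that many bytes)."""
    if pos >= len(buf):
        raise ValueError("stamp truncated before a length byte")
    n = buf[pos]
    pos += 1
    if pos + n > len(buf):
        raise ValueError("stamp truncated inside a field")
    return buf[pos:pos + n], pos + n


def parse_dnscrypt_stamp(stamp):
    """Decode an sdns:// DNSCrypt stamp into its fields, rejecting malformed input."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not an sdns:// stamp")
    body = stamp[len("sdns://"):]
    # Stamps are base64url without padding; restore padding before decoding.
    raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    if len(raw) < 9:
        raise ValueError("stamp too short for protocol byte and properties")
    if raw[0] != DNSCRYPT_PROTO:
        raise ValueError(f"unsupported stamp protocol 0x{raw[0]:02x} (expected DNSCrypt 0x01)")
    props = int.from_bytes(raw[1:9], "little")
    pos = 9
    addr, pos = _read_lp(raw, pos)
    pk, pos = _read_lp(raw, pos)
    provider, pos = _read_lp(raw, pos)
    if pos != len(raw):
        raise ValueError("trailing bytes after provider name")
    if len(pk) != 32:
        raise ValueError(f"provider public key must be 32 bytes, got {len(pk)}")
    return DNSCryptStamp(raw[0], props, addr.decode("ascii"), pk, provider.decode("ascii"))


if __name__ == "__main__":
    for name, stamp in (("CH v4", BLAHDNS_CH_V4), ("JP v4", BLAHDNS_JP_V4), ("JP v6", BLAHDNS_JP_V6)):
        s = parse_dnscrypt_stamp(stamp)
        print(f"{name}: {s.host_port()} provider={s.provider_name} props={s.prop_names()} pk={s.public_key.hex()[:16]}...")
```

The decoded address and provider name are the two things worth eyeballing when a stamp "does not work": the client dials the address field over TCP or UDP and then asks for `<provider_name>` TXT records to fetch the signed certificate, so a stale IP or a provider name that the resolver no longer answers for will fail before any encrypted query is sent.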

zoonderkins commented 3 years ago

Pls try again

ignoramous commented 3 years ago

Just checked: Still fails for all BlahDNS IPv4 DNSCrypt servers.

zoonderkins commented 3 years ago

@ignoramous Pls give it another try on the Japan server using the configuration below

[static.'blahdns-jp-dnscrypt-v4']
stamp = 'sdns://AQMAAAAAAAAAEzEzOS4xNjIuMTEyLjQ3Ojg0NDMgbC1IEdPcd6w0tIkpG7PJPgsGG0O9BZX-gf0hJ0E_SLUbMi5kbnNjcnlwdC1jZXJ0LmJsYWhkbnMuY29t'
[static.'blahdns-jp-dnscrypt-v6']
stamp = 'sdns://AQMAAAAAAAAAJVsyNDAwOjg5MDI6OmYwM2M6OTJmZjpmZTI3OjM0NGJdOjg0NDMgbC1IEdPcd6w0tIkpG7PJPgsGG0O9BZX-gf0hJ0E_SLUbMi5kbnNjcnlwdC1jZXJ0LmJsYWhkbnMuY29t'
ignoramous commented 3 years ago

@ookangzheng thanks. The new JP stamp works!

Your DNS Server: 139.162.112.47 Linode, LLC (63949): li1596-47.members.linode.com

Btw, if you haven't installed RethinkDNS, you should try it. I'm biased, but I hear it is wicked gooood. :)

zoonderkins commented 3 years ago

@ignoramous sorry for the delay,

TCP connection issue: work in progress....

ignoramous commented 3 years ago

These work now, thanks.

Was it really DNSCrypt over TCP that was tripping blahdns, or was it something else?

ignoramous commented 3 years ago

@ookangzheng these errors have cropped up again...

I'm testing SIN (IPv4) which I am unable to connect from RethinkDNS (which complains TCP isn't working).

Stamp

sdns://AQMAAAAAAAAAEzE5Mi41My4xNzUuMTQ5Ojg0NDMgbC1IEdPcd6w0tIkpG7PJPgsGG0O9BZX-gf0hJ0E_SLUbMi5kbnNjcnlwdC1jZXJ0LmJsYWhkbnMuY29t