zoonderkins / blahdns

A small hobby ads block dns project with doh, dot, dnscrypt support.
https://blahdns.com
GNU Affero General Public License v3.0

🐛 dot-jp and dot-sg are not working. #294

Closed daemonserj closed 3 months ago

daemonserj commented 6 months ago

dot-jp and dot-sg are not working at all. dot-de and dot-ch work as Private DNS on Android, but through stubby they either do not respond or respond with SERVFAIL.

LucioAmely commented 6 months ago

Up, I can confirm it has been like this for 3 days.

LucioAmely commented 6 months ago

@zoonderkins Sorry for the ping, I'm pinging you because this issue is urgent.

LucioAmely commented 6 months ago

@zoonderkins

zoonderkins commented 6 months ago

Hi @LucioAmely

The problem has been solved, please try again. Sorry for the delay, I've been busy these few months.

LucioAmely commented 6 months ago

Switzerland Server is still not working. It's giving the following error on DnsCrypt:

Incorrect signature for provider name: [2.dnscrypt-cert.blahdns.com.]

Also not working through DoT as well.

zoonderkins commented 6 months ago

Hi @LucioAmely
From what I tested on my machine, Swiss server DoT, DNSCrypt both working normally.

Here is the DNSCrypt lookup

 dnslookup example.org sdns://AQMAAAAAAAAAETQ1LjkxLjkyLjEyMTo4NDQzIIhCiTxjWpKpvR2RBDSGoByOMQTzH8DQVVHmdgxroO45GzIuZG5zY3J5cHQtY2VydC5ibGFoZG5zLmNvbQ
dnslookup 1.10.0
Server: sdns://AQMAAAAAAAAAETQ1LjkxLjkyLjEyMTo4NDQzIIhCiTxjWpKpvR2RBDSGoByOMQTzH8DQVVHmdgxroO45GzIuZG5zY3J5cHQtY2VydC5ibGFoZG5zLmNvbQ

dnslookup result (elapsed 615.782458ms):
;; opcode: QUERY, status: NOERROR, id: 18129
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags:; udp: 5632

;; QUESTION SECTION:
;example.org.   IN   A

;; ANSWER SECTION:
example.org.    47361   IN  A   93.184.216.34

Here is the DoT lookup

kdig example.org @dot-ch.blahdns.com +tls +tls-hostname=dot-ch.blahdns.com
;; TLS session (TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 4131
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 4096 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; example.org.             IN  A

;; ANSWER SECTION:
example.org.            47248   IN  A   93.184.216.34

;; Received 56 B
;; Time 2024-01-23 02:00:46 CST
;; From 45.91.92.121@853(TLS) in 896.0 ms

LucioAmely commented 6 months ago

Issue looks similar to the following one. I am not sure if anybody else is having the connectivity problem as well. I've been using your DNS service for years without any problems and grateful to you for that.

https://github.com/DNSCrypt/dnscrypt-resolvers/issues/62

Also, I am using the following SPKI fingerprint for the CH DoT and connecting on port 443 instead of 853. Maybe something about the SPKI fingerprint or the strict SNI configuration got changed while the servers were having problems, or the certificates expired as mentioned in the issue linked above?

CH DoT SPKI Fingerprint: cxti1XR6uW483xAioP3d1ZaoGSy+obY6WaE4fW1A6Nk=

Also connecting to different networks/using mobile data does not help either. Checked if it's some kind of new ISP restriction or not; it doesn't seem so.

daemonserj commented 6 months ago

I've checked dot-ch with dnslookup and getdns_query on various hosts. Now it looks fine.

LucioAmely commented 6 months ago

It's sadly still the same for me. @zoonderkins, can you please tell us what the problem was on the servers and what actions were taken to solve it? Maybe I can figure out what got changed and find the cause of my connectivity problems.

zoonderkins commented 6 months ago

  1. TLS certificate renewed and TLS key length changed -> 2048
  2. Bumped HAProxy to 2.9
  3. Recompiled dns-over-https with the latest version, Golang 1.21

I think that's it, the rest is still the same ~

LucioAmely commented 6 months ago

Calculated the SPKI fingerprint of the CH server again; it's the same as before. Today DoT somehow started to work again by itself.

About DnsCrypt, what could be the problem?

The CH server gives this exact error both on PC and phone, even with different network connections:

Incorrect signature for provider name: [2.dnscrypt-cert.blahdns.com.]

JP and SG servers are still giving TIMEOUT errors.

Update: Used dnslookup like you did for the DnsCrypt connection; it gave me a certificate signature mismatch error as well.

zoonderkins commented 6 months ago

Please try with this dnscrypt

Provider public key: 8842893c635a92a9bd1d91043486a01c8e3104f31fc0d05551e6760c6ba0ee39
DNS Stamp: sdns://AQMAAAAAAAAAETQ1LjkxLjkyLjEyMTo4NDQzIIhCiTxjWpKpvR2RBDSGoByOMQTzH8DQVVHmdgxroO45GzIuZG5zY3J5cHQtY2VydC5ibGFoZG5zLmNvbQ

DNS Stamp: sdns://AQMAAAAAAAAAF1syYTBlOmRjMDo2OjIzOjoyXTo4NDQzIIhCiTxjWpKpvR2RBDSGoByOMQTzH8DQVVHmdgxroO45GzIuZG5zY3J5cHQtY2VydC5ibGFoZG5zLmNvbQ

Provider public key: 8842893c635a92a9bd1d91043486a01c8e3104f31fc0d05551e6760c6ba0ee39
Provider name: 2.dnscrypt-cert.blahdns.com

LucioAmely commented 6 months ago

Please try with this dnscrypt

Provider public key: 8842893c635a92a9bd1d91043486a01c8e3104f31fc0d05551e6760c6ba0ee39
DNS Stamp: sdns://AQMAAAAAAAAAETQ1LjkxLjkyLjEyMTo4NDQzIIhCiTxjWpKpvR2RBDSGoByOMQTzH8DQVVHmdgxroO45GzIuZG5zY3J5cHQtY2VydC5ibGFoZG5zLmNvbQ

DNS Stamp: sdns://AQMAAAAAAAAAF1syYTBlOmRjMDo2OjIzOjoyXTo4NDQzIIhCiTxjWpKpvR2RBDSGoByOMQTzH8DQVVHmdgxroO45GzIuZG5zY3J5cHQtY2VydC5ibGFoZG5zLmNvbQ

Provider public key: 8842893c635a92a9bd1d91043486a01c8e3104f31fc0d05551e6760c6ba0ee39
Provider name: 2.dnscrypt-cert.blahdns.com

IPv4 one works perfectly, could not test IPv6 since all IPv6 connections are blocked in my network. Thank you for solving this issue.

I think when you renewed the certificate the provider public key got changed. That's why the old DnsCrypt stamp got invalidated.
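A defender-side check for the hypothesis in this comment (a renewed certificate changed the provider public key, so the old stamp no longer verifies): decode the sdns:// DNSCrypt stamps posted above and compare the embedded 32-byte provider key with the advertised one. This is an added example, not code from the blahdns project; the stamp layout follows the public DNS Stamps specification, and the two stamps and the key are copied from the thread as sample input.

```python
import base64
from dataclasses import dataclass

# Sample input copied from the thread: the CH server's IPv4 and IPv6 DNSCrypt
# stamps and the provider public key the operator advertised with them.
STAMP_V4 = "sdns://AQMAAAAAAAAAETQ1LjkxLjkyLjEyMTo4NDQzIIhCiTxjWpKpvR2RBDSGoByOMQTzH8DQVVHmdgxroO45GzIuZG5zY3J5cHQtY2VydC5ibGFoZG5zLmNvbQ"
STAMP_V6 = "sdns://AQMAAAAAAAAAF1syYTBlOmRjMDo2OjIzOjoyXTo4NDQzIIhCiTxjWpKpvR2RBDSGoByOMQTzH8DQVVHmdgxroO45GzIuZG5zY3J5cHQtY2VydC5ibGFoZG5zLmNvbQ"
ADVERTISED_PK = "8842893c635a92a9bd1d91043486a01c8e3104f31fc0d05551e6760c6ba0ee39"

@dataclass
class DnsCryptStamp:
    dnssec: bool
    no_log: bool
    no_filter: bool
    address: str
    provider_pk: str    # hex of the 32-byte Ed25519 provider public key
    provider_name: str  # e.g. 2.dnscrypt-cert.<domain>

def _take_lp(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read one length-prefixed field (single length byte) starting at pos."""
    n = buf[pos]
    field = buf[pos + 1:pos + 1 + n]
    if len(field) != n:
        raise ValueError("truncated stamp")
    return field, pos + 1 + n

def parse_dnscrypt_stamp(stamp: str) -> DnsCryptStamp:
    """Decode a DNSCrypt (protocol byte 0x01) stamp per the DNS Stamps spec."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if raw[0] != 0x01:
        raise ValueError(f"not a DNSCrypt stamp (protocol 0x{raw[0]:02x})")
    props = int.from_bytes(raw[1:9], "little")  # bit0 DNSSEC, bit1 no-log, bit2 no-filter
    addr, pos = _take_lp(raw, 9)
    pk, pos = _take_lp(raw, pos)
    if len(pk) != 32:
        raise ValueError("provider public key must be 32 bytes")
    name, pos = _take_lp(raw, pos)
    if pos != len(raw):
        raise ValueError("trailing bytes after provider name")
    return DnsCryptStamp(bool(props & 1), bool(props & 2), bool(props & 4),
                         addr.decode(), pk.hex(), name.decode())

def stamp_matches_advertised_key(stamp: str, advertised_hex: str) -> bool:
    """True when the key inside the stamp equals the key the operator published."""
    return parse_dnscrypt_stamp(stamp).provider_pk == advertised_hex.lower()
```

A stamp saved from before the certificate renewal can be run through the same check against the newly advertised key; a mismatch there is the signature failure reported above, seen offline.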

LucioAmely commented 5 months ago

CH DoT stopped responding around 30 minutes ago. It's still reachable and pingable but not responding to requests.

zoonderkins commented 5 months ago

Sorry for the late reply. Can you connect through port 853 instead of 443? I plan to migrate to standard DoT in the future.