Upstream NIC.CZ ODVR DoT throws error

[Xeevis]

When I try to add upstream DNS tls://odvr.nic.cz according to docs, I'm met with error when I click Test upstreams in DNS settings.

Issue Details

• Version of AdGuard Home server:
  • v0.105.0-SNAPSHOT-2bf2d5a1
• How did you install AdGuard Home:

services: 
  adguard:
    image: adguard/adguardhome:edge
    container_name: adguard
    restart: unless-stopped
    volumes:
      - /volume1/docker/adguard/work:/opt/adguardhome/work
      - /volume1/docker/adguard/conf:/opt/adguardhome/conf
    ports:
      - 53:53/tcp
      - 53:53/udp
      - 3000:3000/tcp

• CPU architecture:
  • AMD64
• Operating system and version:
  • Synology DSM 7.0

Expected Behavior

No error when using tls://odvr.nic.cz as upstream DNS

Actual Behavior

[info] couldn't communicate with dns server tls://odvr.nic.cz: Failed to get a connection from TLSPool to tls://odvr.nic.cz:853, cause: Failed to connect to odvr.nic.cz, cause: remote error: tls: no application protocol

Screenshots

Screenshot:

Additional Information

According to this article CZ.NIC ODVR has in December disabled support for outdated TLS 1.0/1.1, could it be related?

[ameshkov]

Interesting. It seems it expects us to send some ALPN extension, but nowhere in the spec I see this requirement.

[ainar-g]

We should try to force our proxy to use at least TLS 1.2 and see if that helps. @ameshkov, what do you think?

[ameshkov]

This shouldn't matter much, the server chooses the TLS version anyway.

[ameshkov]

@EugeneOne1 the problem is that we're speciying ALPN (tls.Config.NextProtos) for DNS-over-TLS connections.

In fact, we should only do this for DNS-over-QUIC and DNS-over-HTTPS:
https://github.com/AdguardTeam/dnsproxy/blob/master/upstream/bootstrap.go#L194

[EugeneOne1]

This should be fixed as of snapshot 400b76d. Could you please check, if our solution fixes the issue for you?

[Xeevis]

Works great now, many thanks!