DOH requests hang after a network reconnection #3217
Comments
|
Hi. Is this really the full command that you use to run the container? Because it doesn't have any volumes attached, so any restart probably removes all previous configuration. See the quick start example on our Docker Hub page. |
ainar-g
added
docker
|
could be related? No thats not the full docker command, I removed the volumes due to privacy reasons: |
|
I might thing that when the internet upload is fully congested, the problem occurs faster. Fully utilized like 100% I mean. |
|
I see. It will be hard to understand what is going on without the logs. Can you configure AGH to make verbose logs and also configure it to write logs to a permanent location using |
|
sure will do |
This is the issue, it's a dual ISP network pihole and windows DNS does not report this issue. It seems almost impossible there is no internet. Let me show you. Switching to the docker container itself, Adguard to be specific. Seems like a software issue regarding https DNS upstreams? upstream config |
|
Does the issue go away with time or is it necessary to restart the container? When this happens, could you please record a tcpdump? Also, it'd be interesting to see if you have any issues when you use a plain DNS upstream. |
Could you guide me where you hide tcpdump in the docker? Any way to run bash from the docker host, i.e. like you have SSH-ed into the docker? |
|
@rodeho you don't need to run it inside the container, try running it on your host machine should be just okay. |
|
I installed it on the OpenWrt router and usually ran normally. But every time Wan is reconnected, ADH does not resolve DNS, the device can't open some web pages, and then check the logs to confirm that no device requests DNS have been received in the ADH background. This phenomenon returns to normal work after turning off the ADH and reopening the operation. |
|
What might be about the logs? Looks like it's a connectivity issue for DoH? But you actually need to close the program and restart it to get back to normal. 2021/06/03 05:37:06.267815 [info] Couldn't get version check json from https://static.adguard.com/adguardhome/release/version.json: *fmt.wrapError updater: HTTP GET https://static.adguard.com/adguardhome/release/version.json: Get "https://static.adguard.com/adguardhome/release/version.json": all upstreams failed to exchange request, cause: couldn't do a GET request to 'https://doh.pub:443/dns-query', cause: Get "https://doh.pub:443/dns-query?dns=M0EBAAABAAAAAAAABnN0YXRpYwdhZGd1YXJkA2NvbQAAAQAB": net/http: request canceled (Client.Timeout exceeded while awaiting headers) (hidden: couldn't do a GET request to 'https://dns.alidns.com:443/dns-query', cause: Get "https://dns.alidns.com:443/dns-query?dns=M0EBAAABAAAAAAAABnN0YXRpYwdhZGd1YXJkA2NvbQAAAQAB": net/http: request canceled (Client.Timeout exceeded while awaiting headers)) |
|
@ameshkov there are 3 tickets complaining about ADH stop processing requests when it detects an internet down situation. All my other DNS servers is run keeps running normal, no issue. Only ADH with DOH is having issue, whit a client I can browse normal during the "internet down alarms" from ADH. It really has something to do with the TCP implementation of ADH. |
|
Okay, I have one idea. Our DOH client has a limit of 1 active connection to the remote host. Maybe, in your case when the network change occurs, the connection is not closed and hangs in some semi-open state. This would block further requests. Let's try lifting that connections limit and see if it helps. |
See here for details: AdguardTeam/AdGuardHome#3217 Also, some minor cosmetic changes.
Merge in DNS/dnsproxy from lift_doh_limit to master Squashed commit of the following: commit a87df1e Author: Andrey Meshkov <am@adguard.com> Date: Thu Jun 3 12:33:24 2021 +0300 unnecessary nolint commit 29cc79d Author: Andrey Meshkov <am@adguard.com> Date: Thu Jun 3 12:26:59 2021 +0300 added typecheck for dnscrypt commit 97faa73 Author: Andrey Meshkov <am@adguard.com> Date: Thu Jun 3 12:25:34 2021 +0300 Lift DOH 1 active connection limit See here for details: AdguardTeam/AdGuardHome#3217 Also, some minor cosmetic changes.
|
@rodeho, the possible fix is implemented in the latest |
Cool let me check. Could you guide me how to run this edge build into docker? |
|
Running development builds for Docker is described here. |
And up and running:v0.107.0-a.62+084564e6 |
|
After testing, it seems that the problem only exists in DoH. The above problem does not occur with DoT or ordinary port dns. |
|
@hplee0120, we've got no information about how you installed your AdGuard Home. Could you please provide this info? |
I added ADH luci when compiling OpenWrt. Use binary files at https://github.com/AdguardTeam/AdGuardHome/releases. |
I don't think its fully solved yet. Its very fragile, when the TCP connection drops is running into issues. Could the auto recovery of the TCP session be optimized? |
|
Hi there, Did some further testing, when the internet line is OK everything seems to be working well. When I change a FW rule, assume it will hit the current TCP table of the router (OPNsense) the issue kicks in. The session or the re-connect implementation seems not be able to reconnect in a proper way, and the outage remains for minutes <10. After a minute or what, it resolves by itself. |
|
Did some testing with 106.3 the stable one, with normal DNS resolving to unbound within the same network. It also drops when there was a minimal glitch in the internet connectivity. The interesting part is that I monitor 4 DNS servers: And only the AdGuard servers does have issues, all the other DNS servers are not metioned once in the logs...in the past week. Always working fine, it has to be something in the AGH IP stack... |
|
@rodeho, thank you for the information! We're still investigating the issues. Just as a side note, what is the value of The error you see on the stable version are caused by the fact that |
Hi, the |
No no netwerk issue, connection reset by peer is the other side. There is a connection but SSL seems to be failing, could that lead to the root cause? Will show you some other dockers in the same network segment and their output. |
ameshkov
changed the title
|
Renaming the issue and merging #3270 here. I tend to think the problem is specific to DOH and may be caused by a bug in golang http2 implementation. The problem is that we still cannot reproduce this. We probably can add some workaround (re-create the HTTP client on every timeout error for instance), but I'd like to figure out what's really causing this first. |
|
@ameshkov thanks, is there anyway we can validate if its specific to the DOH servers of adguard cloud, or specific to DOH upstream servers? When trying to simulate in your lab, try to add some packet loss. Seems to be more frequent when the upload is heavy loaded. |
Trying to solve AdguardTeam/AdGuardHome#3217
|
@rodeho IMO, it does not seem to be specific to particular DOH servers, rather to golang's http client in general (which we use internally). If we're not able to reproduce it internally, we'll push another build to the edge build that should in theory solve this by re-creating the http client on timeout errors. |
|
I have observed this problem twice, but when I specifically wanted to reproduce it in order to post the log here, this time there were no problems and everything worked fine. Although the settings were the same. I use a DoH server https://family.cloudflare-dns.com/dns-query |
Just to inform you, I moved to a local Unbound forwarder. Therefore 95% of my network using port 53 with UDP. Only some clients 5% where specifically configure with extra checking for parental control, and they failed an hour ago. Analyzed the logs only the logs DOH checks failed, which also means that the rest of the IP stack remains functional for at least UDP packets.
|
Updates AdguardTeam/AdGuardHome#3217. Squashed commit of the following: commit e0bdfd9 Merge: b34be01 5bf778a Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Jun 22 13:09:57 2021 +0300 Merge branch 'master' into fix/doh_timeout commit b34be01 Author: Andrey Meshkov <am@adguard.com> Date: Mon Jun 21 20:07:44 2021 +0300 added TODO commit 18e1ad9 Author: Andrey Meshkov <am@adguard.com> Date: Mon Jun 21 20:01:46 2021 +0300 fix review comments commit a7725e8 Author: Andrey Meshkov <am@adguard.com> Date: Mon Jun 21 17:23:50 2021 +0300 Recreate HTTP client on timeout error Trying to solve AdguardTeam/AdGuardHome#3217
|
@rodeho, @hplee0120, @fizsef, we've pushed some fixes that may improve the situation to the |
From my personal use, after downloading the latest version of edge, the problem seems to have been solved.! |
I upgraded to this edge build within my test setup, my primary DNS moved to PiHole during this debugging period AGH was causing to much outages. |
|
and how to install, where to download, this corrected version? |
Last night my stable build went down, and the edge build remains up. Seems to be fixed! Thanks |
ainar-g
added
bug
P3: Medium
and removed
docker
Merge in DNS/adguard-home from 3217-fix-doh to master Updates AdguardTeam#3217. Squashed commit of the following: commit 29a81e0 Author: Eugene Burkov <e.burkov@adguard.com> Date: Thu Jun 3 12:58:01 2021 +0300 all: upd dnsproxy
Updates AdguardTeam#3217. Squashed commit of the following: commit c0208c8 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Jun 22 13:23:17 2021 +0300 all: upd dnsproxy
0.106.3
docker
Adguard -> router -> ISP
OPNsense
Intel
Ubuntu running with Docker containers
Expected Behavior
adguard should always keeps processing DNS requests.
Actual Behavior
Since the latest updates, AdGuard stops processing DNS requests. Even in the same vlan (excluding the router) the software stops listing to DNS requests. Logs keep empty, webgui and ping still works (no network issue)
Screenshots
PRTG polling my DNS setup, also pihole is deployed in the same setup an never show an alarm. It seems for now only related tot adguard.
Additional Information
sudo docker run -d --name adguard --hostname adguard --net=hostnetwork --ip=172.16.1.253 --cap-add=NET_ADMIN --cap-add=CAP_NET_RAW --cap-add=CAP_NET_BIND_SERVICE -e TZ=Europe/Amsterdam -v /home/rodeho/docker/adguard/workdir:/opt/adguardhome/work -v /home/rodeho/docker/adguard/confdir:/opt/adguardhome/ --restart unless-stopped adguard/adguardhomeThe text was updated successfully, but these errors were encountered: