Bitping + DNSCrypt #3268
Replies: 5 comments 1 reply
-
|
Thanks for the detailed report and the clean reproduction steps. Short version: this is harmless. Nothing is being lost, and dnscrypt-proxy is not corrupting anything. It's a mismatch between how Hickory (the DNS library used by Bitping) reads UDP replies and how dnscrypt-proxy sends them. Here's what's going on. Every DNS query carries a small random number in its header, the transaction ID. The client uses it to match a reply to the question it asked. dnscrypt-proxy preserves that ID from end to end — the ID you send out is exactly the ID you get back. So the responses themselves are correct. The friction is about ordering, not correctness. Bitping/Hickory sends several queries at once over a single UDP socket and expects the replies to come back in the same order it asked. That assumption holds when you talk straight to a normal resolver over plain UDP. dnscrypt-proxy doesn't work that way. It handles each query independently and in parallel, then sends each answer back the moment it's ready. Because some answers come from cache, some from a fast server, some from a slow one, some after a retry, they naturally come back in a different order than they were asked. Every reply is valid and has the right ID — they just don't arrive in the order Hickory was expecting. So when Hickory is sitting there waiting for reply This is really a client-side expectation in Hickory (assuming replies come back in order on a shared socket). A couple of things on your side make the warnings go away:
Nothing to fix on the dnscrypt-proxy side here — the answers are correct, just delivered as soon as each one is ready rather than strictly in request order. |
Beta Was this translation helpful? Give feedback.
-
|
Cached responses already do exactly that. On a cache hit, dnscrypt-proxy copies the incoming query's transaction ID onto the response before sending it back — the cache never invents or reuses an ID of its own. So the cache can't be the source of a mismatch. In fact, no path in dnscrypt-proxy can hand you a response whose ID doesn't match the query you sent:
So when Hickory reports "expected 64203, got 25223", the The reason TCP makes it disappear is not that TCP fixes any ID. It's that over TCP each answer is framed and read one at a time, so ordering can't surprise the client. Over UDP, dnscrypt-proxy answers each query the moment it's ready, and Hickory's UDP path assumes replies come back in request order. Nothing to change on the dnscrypt-proxy side here. The IDs are already preserved everywhere, cache included. Sticking with TCP, or a Hickory build that matches replies by ID rather than by arrival order, is the way to silence the warnings. |
Beta Was this translation helpful? Give feedback.
-
|
To close the loop on where the fix belongs: this is really something for Hickory to address, not dnscrypt-proxy. DNS over UDP has never guaranteed that replies come back in the same order the queries went out. That's the entire reason each query carries a transaction ID — so a client can match a response to its question no matter what order they arrive in. Any caching resolver, forwarder, or load balancer is free to answer queries as soon as each one is ready, which means out of order. dnscrypt-proxy is behaving normally here; so would most resolvers. The correct way to handle several queries on one shared UDP socket is to keep a small table of "ID → who's waiting for it" and hand each incoming datagram to the matching waiter by its ID. A datagram whose ID matches nothing outstanding is simply ignored. What should not happen is treating a valid answer for query 25223 as junk to be "dropped" just because query 64203 happened to be first in line. That part is a limitation in Hickory's UDP path — it appears to assume replies arrive in request order, which the protocol doesn't promise. It's also why talking straight to an upstream looks clean (one query, one reply, no chance to reorder) while anything that parallelizes or caches trips the warning. Worth flagging upstream to Hickory as "match responses by transaction ID on a shared socket, and don't warn on non-matching datagrams" — a concrete, standards-backed request. One broader note: Hickory is still a young, experimental project on a 0.x release line (0.26 at the time of writing). A pre-1.0 version number is the authors telling you the API and behavior aren't settled yet. I'd be cautious about relying on it for anything you actually depend on. This ordering assumption is a good example of the kind of rough edge you run into with a resolver that hasn't reached a stable release. Pointing your client at dnscrypt-proxy over TCP sidesteps it for now. |
Beta Was this translation helpful? Give feedback.
-
|
Hi,
Thank you |
Beta Was this translation helpful? Give feedback.
-
|
Hi, When If the problem is timing-related, would introducing a delay before returning cached responses help resolve the issue? If doing so resolves the issue, we can confirm that the root cause is related to timing rather than the IDs returned in cached responses. Thank you. |
Beta Was this translation helpful? Give feedback.

Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Diagnostic Output
Please run the following commands and share the output:
DNS Configuration
Description
When the Bitping application is used with DNSCrypt, Hickory DNS emits warning messages indicating DNS message ID mismatches. These warnings do not occur when:
This suggests a possible issue in how DNS responses are being returned to the client when DNSCrypt is used as an intermediary resolver.
Although Bitping already uses Hickory DNS (as shown in the logs), the warnings only appear when DNS traffic is routed through DNSCrypt.
Bitping Logs
When Does This Occur?
The issue occurs while running a Bitping node with DNS traffic redirected through DNSCrypt.
Where Does It Occur?
Bitping node application.
Steps to Reproduce
Download the Internet Income test branch:
https://github.com/engageub/InternetIncome/tree/test
Update
properties.conf:USE_DNS_OVER_HTTPS=trueUSE_DNSCRYPT=trueBITPING_EMAILandBITPING_PASSWORDUSE_PROXIES=trueENABLE_LOGS=trueStart the application:
Monitor the Bitping Docker logs.
Observe the Hickory DNS warnings related to mismatched DNS message IDs.
Alternative Setup
Bitping can also be installed without Docker:
https://github.com/BitpingApp/Bitping-Node/blob/master/README.md
Expected Behavior
DNS responses returned through DNSCrypt should be handled in the same manner as responses received through direct UDP or standard Hickory DNS resolution, without generating message ID mismatch warnings.
Additional Context
The DNSCrypt proxy successfully resolves domains and passes health checks. The issue appears to be specific to the interaction between DNSCrypt and Hickory DNS, where Hickory receives responses containing unexpected DNS message IDs and subsequently drops them.
Beta Was this translation helpful? Give feedback.
All reactions