In forwarding rules, the optional port number is not supported any more #2802

@b3t33

Output of the following commands:

./dnscrypt-proxy -version

2.1.7

./dnscrypt-proxy -check

dnscrypt-proxy -check
[2025-03-09 17:41:20] [WARNING] [/tmp/repro/dnscrypt-proxy.toml] can be modified by other system users because [/tmp/repro] is writable by other users - If this is not intentional, it is recommended to fix the access permissions
[2025-03-09 17:41:20] [NOTICE] dnscrypt-proxy 2.1.7
[2025-03-09 17:41:20] [INFO] Source [public-resolvers] loading from URL [https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md]
[2025-03-09 17:42:00] [NOTICE] System DNS is not usable yet
[2025-03-09 17:42:00] [NOTICE] Resolving server host [raw.githubusercontent.com] using bootstrap resolvers over udp
[2025-03-09 17:42:00] [NOTICE] Source [public-resolvers] loaded
[2025-03-09 17:42:00] [NOTICE] Configuration successfully checked

./dnscrypt-proxy -resolve example.com

[2025-03-09 17:42:53] [WARNING] [/tmp/repro/dnscrypt-proxy.toml] can be modified by other system users because [/tmp/repro] is writable by other users - If this is not intentional, it is recommended to fix the access permissions
Resolving [example.com] using 127.0.0.1 port 53

Unable to resolve: [Timeout]

What is affected by this bug?

Forwarding rules get parsed using possibly invalid substrings of server IPv6 addresses.

With f531c8f the parsing logic trims the first [ from every IPv6 address and does not handle the port when trimming.

When does this occur?

Forwarding fails for IPv6 addresses specified like [2001:4860:4860::8888]:53 as in the wiki or example-forwarding-rules.txt.

Some indications from the logs are:

[INFO] Forwarding [.] to [2001:4860:4860::8888]:53]
...
[DEBUG] Handling query for [google.com]
[DEBUG] Forwarding [google.com] to [2001:4860:4860::8888]:53]

Note the mismatched square brackets.

However, using just [2001:4860:4860::8888] in forwarding-rules.txt works fine.

How do we replicate the issue?

With the following configuration, the failed forwarding can be observed.

 cat dnscrypt-proxy.toml 
listen_addresses = ['127.0.0.1:53', '[::1]:53']
forwarding_rules = 'forwarding-rules.txt'

log_level=0

[sources]
  [sources.public-resolvers]
    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
    cache_file = 'public-resolvers.md'
    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
    refresh_delay = 73
    prefix = ''

 cat forwarding-rules.txt 
. [2001:4860:4860::8888]:53

 dnscrypt-proxy --config dnscrypt-proxy.toml

 dnscrypt-proxy -resolve example.com

Expected behavior (i.e. solution)

Parsing of IPv6 addresses for forwarding should accept the format from the wiki and sample config.
In the forwarding plugin (see f531c8f) the trimming could be done to another local variable, or the port number can be handled/split.
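
An added example, not part of the original issue and not dnscrypt-proxy's own code: one way to split the optional port before handling the brackets, using Go's `net.SplitHostPort`. The names `describedTrim` and `normalizeForwarder` are hypothetical; `describedTrim` only mimics the behaviour the issue reports, inferred from its text and log lines.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// describedTrim mimics the behaviour reported in the issue (an assumption
// drawn from its text and logs, not the project's code): only the leading
// "[" is removed, so "]:53" stays glued to the address.
func describedTrim(server string) string {
	return strings.TrimPrefix(server, "[")
}

// normalizeForwarder is a hypothetical helper. It accepts "[v6]:port",
// "[v6]", bare v6, "v4:port" and "v4", and returns a canonical host:port
// string, defaulting to port 53 when none is given.
func normalizeForwarder(server string) (string, error) {
	server = strings.TrimSpace(server)
	host, port := server, "53"
	if h, p, err := net.SplitHostPort(server); err == nil {
		host, port = h, p // "[v6]:port" or "v4:port"
	} else if strings.HasPrefix(server, "[") && strings.HasSuffix(server, "]") {
		host = server[1 : len(server)-1] // "[v6]" without a port
	}
	if net.ParseIP(host) == nil {
		return "", fmt.Errorf("invalid forwarder address %q", server)
	}
	if n, err := strconv.ParseUint(port, 10, 16); err != nil || n == 0 {
		return "", fmt.Errorf("invalid forwarder port in %q", server)
	}
	return net.JoinHostPort(host, port), nil
}

func main() {
	// Constructed inputs: the formats named in the issue plus a malformed one.
	for _, s := range []string{
		"[2001:4860:4860::8888]:53", "[2001:4860:4860::8888]",
		"2001:4860:4860::8888", "9.9.9.9:5353", "9.9.9.9",
		"[2001:4860:4860::8888]:53]",
	} {
		addr, err := normalizeForwarder(s)
		fmt.Printf("%-28s trimmed=%-26q normalized=%q err=%v\n", s, describedTrim(s), addr, err)
	}
}
```

Rejecting anything that does not parse as an IP and a valid port at load time makes a malformed rule fail the configuration check instead of surfacing later as resolution timeouts.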
