ams-dnscrypt-nl: Returning bad results for github.com #853

Closed
vadcx opened this issue Nov 2, 2023 · 5 comments
Comments

@vadcx

vadcx commented Nov 2, 2023

I noticed this because SSH access to GitHub became inexcusably slow: ssh -vT github.com showed that it tried to connect first to GitHub over IPv6, timed out and then connected via IPv4. Infamously, GitHub doesn't have IPv6.

Turns out this DNSCrypt resolver is returning garbage in this case, "ams-dnscrypt-nl"

$ dig AAAA github.com; dig A github.com

; <<>> DiG 9.11.9 <<>> AAAA github.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15981
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;github.com.                    IN      AAAA

;; ANSWER SECTION:
github.com.             2400    IN      AAAA    64:ff9b::14cd:f3a6

;; Query time: 31 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Nov 02 14:44:35 CET 2023
;; MSG SIZE  rcvd: 67


; <<>> DiG 9.11.9 <<>> A github.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61805
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;github.com.                    IN      A

;; ANSWER SECTION:
github.com.             2400    IN      A       20.205.243.166

;; Query time: 29 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Nov 02 14:44:35 CET 2023
;; MSG SIZE  rcvd: 55

Now 64::/16 for IPv6 is just nonsense, and 20.205.243.166 is apparently Microsoft's hosting in Singapore (I am from Europe).

Even though my config has require_nofilter = true, kkkgo determined here that this server is filtering.

Log file:

[2023-11-02 14:13:30] [NOTICE] dnscrypt-proxy 2.1.5
[2023-11-02 14:13:30] [NOTICE] Network connectivity detected
[2023-11-02 14:13:30] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
[2023-11-02 14:13:30] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
[2023-11-02 14:13:30] [NOTICE] Now listening to [::1]:53 [UDP]
[2023-11-02 14:13:30] [NOTICE] Now listening to [::1]:53 [TCP]
[2023-11-02 14:13:30] [NOTICE] Source [relays] loaded
[2023-11-02 14:13:30] [NOTICE] Source [opennic] loaded
[2023-11-02 14:13:30] [NOTICE] Source [public-resolvers] loaded
[2023-11-02 14:13:30] [NOTICE] Firefox workaround initialized
[2023-11-02 14:13:30] [INFO] [ffmuc.net-v6] the key validity period for this server is excessively long (479 days), significantly reducing reliability and forward security.
[2023-11-02 14:13:30] [NOTICE] [ffmuc.net-v6] OK (DNSCrypt) - rtt: 38ms
[2023-11-02 14:13:30] [INFO] [faelix-ch-ipv4] the key validity period for this server is excessively long (3652 days), significantly reducing reliability and forward security.
[2023-11-02 14:13:30] [NOTICE] [faelix-ch-ipv4] OK (DNSCrypt) - rtt: 40ms
[2023-11-02 14:13:30] [NOTICE] [ams-dnscrypt-nl] OK (DNSCrypt) - rtt: 30ms
[2023-11-02 14:13:30] [INFO] [ffmuc.net] the key validity period for this server is excessively long (479 days), significantly reducing reliability and forward security.
[2023-11-02 14:13:30] [NOTICE] [ffmuc.net] OK (DNSCrypt) - rtt: 35ms
[2023-11-02 14:13:30] [NOTICE] [ams-dnscrypt-nl-ipv6] OK (DNSCrypt) - rtt: 32ms
[2023-11-02 14:13:30] [NOTICE] [scaleway-ams] OK (DNSCrypt) - rtt: 32ms
[2023-11-02 14:13:30] [NOTICE] Sorted latencies:
[2023-11-02 14:13:30] [NOTICE] -    30ms ams-dnscrypt-nl
[2023-11-02 14:13:30] [NOTICE] -    32ms ams-dnscrypt-nl-ipv6
[2023-11-02 14:13:30] [NOTICE] -    32ms scaleway-ams
[2023-11-02 14:13:30] [NOTICE] -    35ms ffmuc.net
[2023-11-02 14:13:30] [NOTICE] -    38ms ffmuc.net-v6
[2023-11-02 14:13:30] [NOTICE] -    40ms faelix-ch-ipv4
[2023-11-02 14:13:30] [NOTICE] Server with the lowest initial latency: ams-dnscrypt-nl (rtt: 30ms)
[2023-11-02 14:13:30] [NOTICE] dnscrypt-proxy is ready - live servers: 6

Is there no option to log each DNS query to console? --loglevel doesn't cut it. So you will have to take my word for it. Other servers when selected work correctly. I have managed at least once to hit a correct result between restarting dnscrypt-proxy and writing this down, but other than that this is a consistent error with this server.

I have no idea if there is a way to contact the server admin, or whatever else should be done.

@jedisct1
Member

jedisct1 commented Nov 2, 2023

/cc @kokial

@agross

agross commented Nov 10, 2023

Having the same issue. The returned IPv6 appears to be a NAT64 address.

@agross

agross commented Nov 10, 2023

@vadcx

Is there no option to log each DNS query to console?

I use this with the default log level to see where the query is forwarded to:

[query_log]
file = '/dev/stdout'

jedisct1 added a commit that referenced this issue Nov 10, 2023
agross added a commit to agross/ansible-home-network that referenced this issue Nov 11, 2023
The test script is based on
https://github.com/kkkgo/PaoPao-Pref/blob/bef1cb285c8f2b8ec61977d2a7309f59ad4b06ce/dnscrypt_resolver/check.sh

It verifies that:

* Known IPv4 and IPv6 addresses resolve
* An AAAA query for github.com does not return a NAT64 IPv6 address
  DNSCrypt/dnscrypt-resolvers#853
* The short TTL of a known address is unchanged

It's best to run the script on a docker host that has IPv6 enabled such
that IPv6 servers can be reached from within the test container.
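An added example (not the project's check.sh and not any commenter's code) that applies the NAT64 test described in the commit message to the dig output quoted in the report above: it parses the ANSWER SECTION, recognizes the RFC 6052 well-known prefix 64:ff9b::/96, and checks whether the IPv4 embedded in the AAAA answer equals the resolver's own A answer, which is the fingerprint of a DNS64-synthesized record rather than an address GitHub publishes. The sample dig text is copied from the report; dig's default record layout is assumed.

```python
import ipaddress
import re
from typing import Optional

# RFC 6052 well-known prefix used by NAT64/DNS64: an AAAA inside it was
# synthesized from an A record and is not an address the host really has.
NAT64_WKP = ipaddress.IPv6Network("64:ff9b::/96")

# Matches one A/AAAA line of a dig ANSWER SECTION: name ttl IN type rdata
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA)\s+(\S+)$")

# Constructed sample input: the two ANSWER SECTIONs quoted in the issue above.
AAAA_DIG = ";; ANSWER SECTION:\ngithub.com.             2400    IN      AAAA    64:ff9b::14cd:f3a6\n\n;; Query time: 31 msec\n"
A_DIG = ";; ANSWER SECTION:\ngithub.com.             2400    IN      A       20.205.243.166\n\n;; Query time: 29 msec\n"

def parse_dig_answers(dig_output: str) -> list:
    """Return (name, ttl, rrtype, rdata) tuples from the ANSWER SECTION of dig output."""
    records, in_answer = [], False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):          # any other ';;' header ends the section
            in_answer = False
        m = ANSWER_RE.match(line.strip()) if in_answer else None
        if m:
            records.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return records

def embedded_ipv4(addr: str) -> Optional[str]:
    """IPv4 carried in the low 32 bits of a WKP address (RFC 6052), or None if addr is not NAT64."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in NAT64_WKP:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))

def check_resolver(aaaa_dig: str, a_dig: str) -> dict:
    """Flag a resolver whose AAAA answer is a DNS64 synthesis of its own A answer."""
    aaaa = [r[3] for r in parse_dig_answers(aaaa_dig) if r[2] == "AAAA"]
    a = {r[3] for r in parse_dig_answers(a_dig) if r[2] == "A"}
    synthesized = [x for x in aaaa if embedded_ipv4(x) is not None]
    return {
        "nat64_synthesized": bool(synthesized),
        # True when the embedded IPv4 is exactly one of the A answers: the DNS64 fingerprint
        "embedded_matches_a": any(embedded_ipv4(x) in a for x in synthesized),
    }

if __name__ == "__main__":
    print(check_resolver(AAAA_DIG, A_DIG))
```

For the report's data, 64:ff9b::14cd:f3a6 decodes to 20.205.243.166, exactly the A answer, so the AAAA was synthesized by the resolver.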
@jedisct1
Member

Fixed in #857

@agross

agross commented Nov 11, 2023

Thank you!

@DNSCrypt DNSCrypt locked and limited conversation to collaborators Dec 12, 2023