ams-dnscrypt-nl: Returning bad results for github.com #853

vadcx · 2023-11-02T13:57:15Z

I noticed this due to SSH access to Github became unexcusably slow: ssh -vT github.com showed that it tried to connect first to IPv6 to github, timed out and then connected via IPv4. Infamously, Github doesn't have IPv6.

Turns out this DNSCrypt resolver is returning garbage in this case, "ams-dnscrypt-nl"

$ dig AAAA github.com; dig A github.com                             
                                                                    
; <<>> DiG 9.11.9 <<>> AAAA github.com                              
;; global options: +cmd                                             
;; Got answer:                                                      
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15981           
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                                                                    
;; OPT PSEUDOSECTION:                                               
; EDNS: version: 0, flags:; udp: 1232                               
;; QUESTION SECTION:                                                
;github.com.                    IN      AAAA                        
                                                                    
;; ANSWER SECTION:                                                  
github.com.             2400    IN      AAAA    64:ff9b::14cd:f3a6  
                                                                    
;; Query time: 31 msec                                              
;; SERVER: 127.0.0.1#53(127.0.0.1)                                  
;; WHEN: Thu Nov 02 14:44:35 CET 2023                               
;; MSG SIZE  rcvd: 67                                               
                                                                    
                                                                    
; <<>> DiG 9.11.9 <<>> A github.com                                 
;; global options: +cmd                                             
;; Got answer:                                                      
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61805           
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                                                                    
;; OPT PSEUDOSECTION:                                               
; EDNS: version: 0, flags:; udp: 1232                               
;; QUESTION SECTION:                                                
;github.com.                    IN      A                           
                                                                    
;; ANSWER SECTION:                                                  
github.com.             2400    IN      A       20.205.243.166      
                                                                    
;; Query time: 29 msec                                              
;; SERVER: 127.0.0.1#53(127.0.0.1)                                  
;; WHEN: Thu Nov 02 14:44:35 CET 2023                               
;; MSG SIZE  rcvd: 55

Now 64::/16 for IPv6 is just non-sense and 20.205.243.166 is apparently Microsoft's hosting in Singapore (I am from Europe).

Even though my config has require_nofilter = true, kkkgo determined here this server to be filtering.

Log file:

[2023-11-02 14:13:30] [NOTICE] dnscrypt-proxy 2.1.5
[2023-11-02 14:13:30] [NOTICE] Network connectivity detected
[2023-11-02 14:13:30] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
[2023-11-02 14:13:30] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
[2023-11-02 14:13:30] [NOTICE] Now listening to [::1]:53 [UDP]
[2023-11-02 14:13:30] [NOTICE] Now listening to [::1]:53 [TCP]
[2023-11-02 14:13:30] [NOTICE] Source [relays] loaded
[2023-11-02 14:13:30] [NOTICE] Source [opennic] loaded
[2023-11-02 14:13:30] [NOTICE] Source [public-resolvers] loaded
[2023-11-02 14:13:30] [NOTICE] Firefox workaround initialized
[2023-11-02 14:13:30] [INFO] [ffmuc.net-v6] the key validity period for this server is excessively long (479 days), significantly reducing reliability and forward security.
[2023-11-02 14:13:30] [NOTICE] [ffmuc.net-v6] OK (DNSCrypt) - rtt: 38ms
[2023-11-02 14:13:30] [INFO] [faelix-ch-ipv4] the key validity period for this server is excessively long (3652 days), significantly reducing reliability and forward security.
[2023-11-02 14:13:30] [NOTICE] [faelix-ch-ipv4] OK (DNSCrypt) - rtt: 40ms
[2023-11-02 14:13:30] [NOTICE] [ams-dnscrypt-nl] OK (DNSCrypt) - rtt: 30ms
[2023-11-02 14:13:30] [INFO] [ffmuc.net] the key validity period for this server is excessively long (479 days), significantly reducing reliability and forward security.
[2023-11-02 14:13:30] [NOTICE] [ffmuc.net] OK (DNSCrypt) - rtt: 35ms
[2023-11-02 14:13:30] [NOTICE] [ams-dnscrypt-nl-ipv6] OK (DNSCrypt) - rtt: 32ms
[2023-11-02 14:13:30] [NOTICE] [scaleway-ams] OK (DNSCrypt) - rtt: 32ms
[2023-11-02 14:13:30] [NOTICE] Sorted latencies:
[2023-11-02 14:13:30] [NOTICE] -    30ms ams-dnscrypt-nl
[2023-11-02 14:13:30] [NOTICE] -    32ms ams-dnscrypt-nl-ipv6
[2023-11-02 14:13:30] [NOTICE] -    32ms scaleway-ams
[2023-11-02 14:13:30] [NOTICE] -    35ms ffmuc.net
[2023-11-02 14:13:30] [NOTICE] -    38ms ffmuc.net-v6
[2023-11-02 14:13:30] [NOTICE] -    40ms faelix-ch-ipv4
[2023-11-02 14:13:30] [NOTICE] Server with the lowest initial latency: ams-dnscrypt-nl (rtt: 30ms)
[2023-11-02 14:13:30] [NOTICE] dnscrypt-proxy is ready - live servers: 6

Is there no option to log each DNS query to console? --loglevel doesn't cut it. So you will have to take my word for it. Other servers when selected work correctly. I have managed at least once to hit a correct result between restarting dnscrypt-proxy and writing this down, but other than that this is a consistent error with this server.

I have no idea if this is a way to contact the server admin or whatever be done.

The text was updated successfully, but these errors were encountered:

jedisct1 · 2023-11-02T18:09:55Z

/cc @kokial

agross · 2023-11-10T19:35:03Z

Having the same issue. The returned IPv6 appears to be a NAT64 address.

agross · 2023-11-10T19:56:27Z

@vadcx

Is there no option to log each DNS query to console?

I use this with the default log level to see where the query is forwarded to:

[query_log]
file = '/dev/stdout'

Due to #853

The test script is based on https://github.com/kkkgo/PaoPao-Pref/blob/bef1cb285c8f2b8ec61977d2a7309f59ad4b06ce/dnscrypt_resolver/check.sh It verifies that: * Known IPv4 and IPv6 addresses resolve * An AAAA query for github.com does not return a NAT64 IPv6 address DNSCrypt/dnscrypt-resolvers#853 * The short TTL of a known address is unchanged It's best to run the script on a docker host that has IPv6 enabled such that IPv6 servers can be reached from within the test container.

jedisct1 · 2023-11-11T20:02:08Z

Fixed in #857

agross · 2023-11-11T20:12:43Z

Thank you!

jedisct1 added a commit that referenced this issue Nov 10, 2023

Remove ams-dnscrypt-nl and ams-doh-nl

0c7fd67

Due to #853

jedisct1 closed this as completed Nov 11, 2023

DNSCrypt locked and limited conversation to collaborators Dec 12, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ams-dnscrypt-nl: Returning bad results for github.com #853

ams-dnscrypt-nl: Returning bad results for github.com #853

vadcx commented Nov 2, 2023

jedisct1 commented Nov 2, 2023

agross commented Nov 10, 2023

agross commented Nov 10, 2023

jedisct1 commented Nov 11, 2023

agross commented Nov 11, 2023

ams-dnscrypt-nl: Returning bad results for github.com #853

ams-dnscrypt-nl: Returning bad results for github.com #853

Comments

vadcx commented Nov 2, 2023

jedisct1 commented Nov 2, 2023

agross commented Nov 10, 2023

agross commented Nov 10, 2023

jedisct1 commented Nov 11, 2023

agross commented Nov 11, 2023