Strange queries from dnscrypt-proxy.exe.

[maestropss]

Hello friends.

Every night at 4:18 there are four queries from dnscrypt-proxy.exe to 53 port of 9.9.9.9 cloudflare server. Two of them use TCP and the other two of them use UDP protocols. The strange thing is that:

1. 9.9.9.9 is not written anywhere in the configuration file (dnscrypt-proxy.toml)

2. I do not use 9.9.9.9 as a system DNS resolver. There is only one network interface and it uses 127.0.0.1 for IPv4 . IPv6 is disabled in the system.

3. bootstrap_resolvers and netprobe_address parameteres in dnscrypt-proxy.toml are commented (disabled). Resolvers, relays, certificates are updated from cache or through dnscrypt resolvers after they become available. ISP DNS hijacking, you know...

4. cert_refresh_delay is set to 60 minutes, log file shows no warnings or errors. So it should not be related to these parameters.

5. refresh_delay of resolvers and relays are set to 72 hours (not 24 hours) so it should not be related to these parameters.

6. The log file contains the following (it happens every 24 hours at 4:18 at night).

[2022-09-18 04:18:21] [NOTICE] System DNS configuration not usable yet, exceptionally resolving [download.dnscrypt.info] using bootstrap resolvers over tcp
[2022-09-18 04:18:21] [NOTICE] Bootstrap resolvers didn't respond - Trying with the system resolver as a last resort
[2022-09-18 04:18:26] [NOTICE] System DNS configuration not usable yet, exceptionally resolving [raw.githubusercontent.com] using bootstrap resolvers over tcp
[2022-09-18 04:18:26] [NOTICE] Bootstrap resolvers didn't respond - Trying with the system resolver as a last resort

7. Windows DNScache service is disabled. UDP, TCP 53 port is not allowed for dnscrypt-proxy.exe in my configuration. It is not blocked though, so if dnscrypt proxy needs query DNS at this port it should pass through the system DNS, which is 127.0.0.1. This is how it works for all other software.

The questions:

A. Why does dnscrypt-proxy.exe query DNS resolver at 53 port every 24 hours? If it tries to update relays and resolvers list, why does it NOT use available dnscrypt resolvers? And why does it happen every 24 hours while refresh_delay for resolvers and relays are set to 72 hours?

B. Why does dnscrypt-proxy.exe try to resolve something by using 9.9.9.9 resolver while this resolver is not mentioned anywhere in the system and dncrypt-proxy configuration?

Thanks in advance

[jedisct1]

If you don't have a usable system DNS, some DNS resolver is still required to resolve the names of the list sources, as well as resolve DoH server names. So, bootstrap resolvers are used in that case. If you don't configure any, the defaults are used, which are 9.9.9.9 (Quad9, not Cloudflare).

[maestropss]

Thank you.
<If you don't have a usable system DNS>
But i do. DNS crypt servers are available. According to dnscrypt-proxy.toml comments, "They (Bootstrap resolvers，non-encrypted DNS resolvers) will not be used after the proxy already has at least one usable secure resolver".

In addition, it is not quite clear why this query is made every 24 hours. Is it hard coded?

Thank you

[ghost]

This looks like the typical forced reconnect some ISPs do once a day.

[lifenjoiner]

I think it is over concerned:

1. The hosts resolved through the bootstrap resolvers are those in the config file: source domains and DoH hosts without addresses. But none of those queries dnscrypt-proxy received are forwarded to them at all.
2. Those hosts are looked up at the startup and when the cached IPs are expired.
3. Bootstrap resolvers are necessary, for the situation when a user uses only DoH and all of they have no address preset.
4. In fact, most of the time, the system DNS leads to dnscrypt-proxy itself, if you set up dnscrypt-proxy in the system DNS chain. And it is the bootstrap resolver too.

When you ignored system DNS and removed all bootstrap_resolvers, it could cause problem to the situation in item 3. So, embedded default bootstrap resolvers are necessary.

I totally understand your concern about querying to those non-encrypted DNS. #2204 is try to do some improvements.

[lifenjoiner]

Reviewed the v2.1.4 source code (there has been changes), and found I made a mistake. So, let's make it clear what happened, afresh:

The log items should be grouped like this:

Jul 26 14:00:03 System DNS configuration not usable yet, exceptionally resolving [download.dnscrypt.net] using bootstrap resolvers over tcp
Jul 26 14:00:07 Bootstrap resolvers didn't respond - Trying with the system resolver as a last resort
...

line 1:

1. System DNS configuration not usable yet, means you set ignore_system_dns = true, so it did using bootstrap resolvers over tcp;
2. tcp meaning you must set force tcp, but not mentioned. It tried TCP first, failed, showed the log, and then UDP, still failed.

line 2:
Bootstrap resolvers didn't respond, timeout. At last (although you disabled system DNS, but there is no other ways left), it tried with the system resolver as a last resort, and succeeded.

Downloading source file starts.

Extra info:
download.dnscrypt.net is not in the latest URLs.

1. You are not use the latest version. There are some important bug fixes. Maybe the bug causing this has been fixed, which we wouldn't dive in.
2. Maybe it is why there are more than 2 groups of failures. No source file on this site anymore, one more retry on other URL.

resolv.conf implies you're more likely using an old version.

Why Bootstrap resolvers didn't respond?
That may be hard to say. You should make sure them work well and stable in the normally way, for example with dig, and then we may narrow the issue to dnscrypt-proxy. But, considering you are using an old version, I suggest you upgrade it first.

it happens every 24 hours.
q: but why? #2201 (comment)?

dnscrypt-proxy update the source files every 24h, forcibly.

PS:
If there is any issue, you'd better provide information like the issue template requests: OS version, software version, config, logs and etc. which may give plenty of information and help reproduce your issue. That will help not only us who want to help you, but also yourself in fact.

[llightcb]

thanks again for the quick reply + for looking @ code and co. .

why does the resolv.conf indicate that i have an old dnscrypt-proxy version? i don't see a causal connection. i will do an apk fix dnscrypt-proxy before. the version is up to date, but it could be that i have an outdated .toml (the one from previous versions, not: dnscrypt-proxy.toml.apk-new). a diff between these 2 files will also be interesting.

[lifenjoiner]

There is too few information you give, as I said at the beginning.
I can't help you anymore but just guess.

[llightcb]

i will use the new .toml first. but a diff between these 2 configs i did 5 min ago showed me that this will be useless. no difference that would matter. again: version is up to date. et cetera. see you (maybe) in issues, in time, when i am not that tired anymore.

regarding: download.dnscrypt.net ? that's the actual url of the actual version. i hope everything is ok with this download mirror.

[lifenjoiner]

Just recall all my guesses due to no guarantees but goes too far away.

"like the issue template requests" is not saying you must log an issue. Wherever you want someone to dive into something, you must explain your problem clear first. Normally, redundant information is requested to make sure enough, and, the fact may not be what you think.

Say:
Tom used to eat an apple every day. But he left it untouched last week. Why?

It's a pity that I don't have this problem nor can reproduce it. I don't have the answer. Let's see what others say.