Some DoH servers does not respect TTL, how do I block them?

[mhtvsSFrpHdE]

I have a DDNS domain and set TTL to 60.
One day I failed to connect and discovered the query returns an old IP address,
with 3 hours 58 minutes TTL on CNAME, 40 minutes on A record.

Cloudflare doesn't modify my TTL, but my ISP not always allow connection to Cloudflare servers.
Usually I have to comment out server_names to try and get an available server from the large amount of sources.

I see there are only require_nolog = true, require_nofilter = true,
but respect TTL isn't a filter.

I have turned on Query logging, but TTL is not appearing in query.log,
so I can't know who told wrong TTL either.

[mhtvsSFrpHdE]

Longer TTL usually don't affect availability, even for DDNS domains.
For example, they may update address at night or update just before TTL is gonna to be expired.
But if a server really went too far, it does can lock me out for hours.

Use this command to get query.log live output with certain domain.
Save Out-File path to OneDrive or anything reliable file sync provider,
once the file is not updating for too long, the last few DNS provider appears in log most likely are returning fake results.

Get-Content ".\query.log" -Wait -Tail 1 | Select-String -Pattern <example.com> -SimpleMatch | Out-File filteredQuery.log

Send nslookup -debug request to these providers, if one of them tells unbelievable long TTL,
add them to dnscrypt-proxy.toml, disabled_server_names = [].

[mhtvsSFrpHdE]

Providers that will modify TTL, tested with domain with TTL 60
This list is not a request to ask server maintainers to answer correct TTL
Only share information for those who indeed really depends on short TTL

• dnscrypt.ca-1-doh, 4 mins 58 secs
• dnscrypt.ca-2-doh, 4 mins 58 secs

[lifenjoiner]

Maybe I haven't understand your scenario clearly. But, here are some of my thoughts:

1. Almost all DNS severs have TTL controls, like these

   dnscrypt-proxy/dnscrypt-proxy/example-dnscrypt-proxy.toml

   Lines 405 to 412 in d381af5

   	## Minimum TTL for cached entries
   	cache_min_ttl = 2400
   	## Maximum TTL for cached entries
   	cache_max_ttl = 86400

   , and some may have more complicated rules.
2. DNS caching is better in normal case.
3. DDNS is a bit special. There should be some mechanism to force update the record in recursive DNS hierarchy, I guess.
4. dnscrypt-proxy is not recursive DNS, and has only 1 caching rule for all domains.
5. Testing and cherry picking good from all upstreams is tedious work.

Considering all these, maybe no caching for your DDNS domain is an easier way, by shunting/forking, using Forwarding here or similar features of other tools. Querying different upstreams more frequently will increase the availability.

[mhtvsSFrpHdE]

5. Testing and cherry picking good from all upstreams is tedious work.

Agree, currently my idea is if I discovered my service fail to connect,
I'm going to check the log and see who caused this fail.

It has been 3 days after that, only two servers are on the list,
rest of them are all fine.

Also, I'm going to check forwarding as soon as possible.

[jedisct1]

Yes, Forwarding sounds like a good idea for DDNS names.

You can even forward directly to the DDNS servers (for example 194.62.182.53 for no-ip.com, ddns.net, etc), bypassing resolvers to get updates as fast as possible.

[mhtvsSFrpHdE]

I've checked config about forwarding.

What if my domain is CNAME+DDNS?
For example, a.example.com is top domain, it CNAME to DDNS service provider domain abcdefg.ddns.net.
Say ddns.net have the following nameserver:

nf1.no-ip.com
nf2.no-ip.com
nf3.no-ip.com
nf4.no-ip.com

So I have this in forwarding-rules.txt

abcdefg.ddns.net     nf1.no-ip.com,nf2.no-ip.com,nf3.no-ip.com,nf4.no-ip.com

If I query abcdefg.ddns.net, via nf1.no-ip.com, I get good result.
If I query a.example.com, via nf1.no-ip.com, it will say "Query refused".

When I query abcdefg.ddns.net via dnscrypt, I should forward to nf1.no-ip.com for sure.
When I query a.example.com via dnscrypt, I should get a CNAME result.
Will I be forwarded to nf1.no-ip.com in the end?