Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cannot establish connection to Quad9 via dnscrypt protocol #3947

Closed
3 tasks done
HellboyPI opened this issue Dec 16, 2021 · 10 comments
Closed
3 tasks done

Cannot establish connection to Quad9 via dnscrypt protocol #3947

HellboyPI opened this issue Dec 16, 2021 · 10 comments
Assignees
@ameshkov
Labels
invalid Not an issue with AGH or a misunderstanding

Comments

@HellboyPI
Copy link

Prerequisites

Please answer the following questions for yourself before submitting an issue. YOU MAY DELETE THE PREREQUISITES SECTION.

  • I am running the latest version
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed

Issue Details

  • Version of AdGuard Home server:
    • v0.106.3
  • How did you install AdGuard Home:
    • GitHub releases
  • How did you setup DNS configuration:
    • System
  • CPU architecture:
    • AMD64
  • Operating system and version:
    • Ubuntu 20.04 LTS

Expected Behavior

A working connection via DNSCrypt protocol to Quad9 servers.

Actual Behavior

I went to:
https://raw.githubusercontent.com/Quad9DNS/dnscrypt-settings/main/dnscrypt/quad9-resolvers.md

I selected an Quad9 ipv4 DNS stamp (for DNSCrypt protocol).
Example:
sdns://AQYAAAAAAAAAEzE0OS4xMTIuMTEyLjEwOjg0NDMgZ8hHuMh1jNEgJFVDvnVnRt803x2EwAuMRwNo34Idhj4ZMi5kbnNjcnlwdC1jZXJ0LnF1YWQ5Lm5ldA

I pasted the DNS stamp into AdGuard Home, clicked on "Test upstreams" and got this error message:
Server "sdns://AQYAAAAAAAAAEzE0OS4xMTIuMTEyLjEwOjg0NDMgZ8hHuMh1jNEgJFVDvnVnRt803x2EwAuMRwNo34Idhj4ZMi5kbnNjcnlwdC1jZXJ0LnF1YWQ5Lm5ldA": could not be used, please check that you've written it correctly.

I have tried with other Quad9 ipv4 DNS Stamps (for DNSCrypt protocol). I always get the same error.

Unencrypted DNS, DoH and DoT to Quad9 DNS servers work just fine in AdGuard Home.

I downloaded ameshkov's dnslookup programm and I get the same results:

./dnslookup google.com sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0
dnslookup v. v1.5.1
2021/12/14 13:32:39 Cannot make the DNS request: failed to fetch certificate info from sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0, cause: read udp 192.168.6.6:46228->9.9.9.9:8443: read: no route to host

With dnscrypt-proxy v2.x I can establish the connection to Quad9 via dnscrypt protocol.
@ameshkov
Copy link
Member

Well, both AGH and dnslookup use the dnscrypt internally so the problem must be there.

@ameshkov
Copy link
Member

A quick test shows that Quad9 works over TCP only and this is what's causing the issue.

@ameshkov ameshkov mentioned this issue Dec 17, 2021
Open
@ameshkov
Copy link
Member

ameshkov commented Dec 17, 2021
edited
Loading

I've opened a bug report, but fixing this on our side may take some time.

Meanwhile, I've also contacted Quad9. Maybe this is a mistake on their side, having DNSCrypt work over TCP-only is rather strange.

@ameshkov
Copy link
Member

I am in contact with Quad9, it's confirmed that the problem is on their side.

@ainar-g ainar-g added the invalid Not an issue with AGH or a misunderstanding label Dec 17, 2021
@HellboyPI
Copy link
Author

Ok. Thank You! Did they say, when this problem will be fixed?

@sauceress
Copy link

We have a fix being deployed out to the network right now. We had an incomplete roll out of the firewall rule that allowed DNSCrypt over UDP traffic. This should be corrected within the hour. Thanks for getting touch with our support team on this!

@lordraiden
Copy link

Are this quad9 servers still working?

dnscrypt-ip4-filter-pri

Quad9 (anycast) dnssec/no-log/filter 9.9.9.9

sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0

dnscrypt-ip4-filter-alt

Quad9 (anycast) dnssec/no-log/filter 149.112.112.9

sdns://AQMAAAAAAAAAEjE0OS4xMTIuMTEyLjk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0

dnscrypt-ip4-filter-alt2

Quad9 (anycast) dnssec/no-log/filter 149.112.112.112

sdns://AQMAAAAAAAAAFDE0OS4xMTIuMTEyLjExMjo4NDQzIGfIR7jIdYzRICRVQ751Z0bfNN8dhMALjEcDaN-CHYY-GTIuZG5zY3J5cHQtY2VydC5xdWFkOS5uZXQ

my log is full of these:

27/10/2023
15:22:27
2023/10/27 13:22:27.984343 [error] upstream sdns://AQMAAAAAAAAAEjE0OS4xMTIuMTEyLjk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0 failed to exchange ;prda.aadg.msidentity.com.	IN	 A in 13.467269ms. Cause: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted
27/10/2023
15:22:51
2023/10/27 13:22:51.556515 [error] upstream sdns://AQMAAAAAAAAAFDE0OS4xMTIuMTEyLjExMjo4NDQzIGfIR7jIdYzRICRVQ751Z0bfNN8dhMALjEcDaN-CHYY-GTIuZG5zY3J5cHQtY2VydC5xdWFkOS5uZXQ failed to exchange ;utm-cloudstation-eu-central-1.prod.hydra.sophos.com.	IN	 A in 13.58772ms. Cause: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted
27/10/2023
15:22:51
2023/10/27 13:22:51.568549 [error] upstream sdns://AQMAAAAAAAAAEjE0OS4xMTIuMTEyLjk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0 failed to exchange ;utm-cloudstation-eu-central-1.prod.hydra.sophos.com.	IN	 A in 12.012534ms. Cause: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted
27/10/2023
15:23:52
2023/10/27 13:23:52.983815 [error] upstream sdns://AQMAAAAAAAAAFDE0OS4xMTIuMTEyLjExMjo4NDQzIGfIR7jIdYzRICRVQ751Z0bfNN8dhMALjEcDaN-CHYY-GTIuZG5zY3J5cHQtY2VydC5xdWFkOS5uZXQ failed to exchange ;utm-cloudstation-eu-central-1.prod.hydra.sophos.com.	IN	 AAAA in 15.281039ms. Cause: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted
27/10/2023
15:24:24
2023/10/27 13:24:24.321491 [error] upstream sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0 failed to exchange ;utm-cloudstation-eu-central-1.prod.hydra.sophos.com.	IN	 AAAA in 24.525986ms. Cause: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted
27/10/2023
15:28:18
2023/10/27 13:28:18.864441 [error] upstream sdns://AQMAAAAAAAAAFDE0OS4xMTIuMTEyLjExMjo4NDQzIGfIR7jIdYzRICRVQ751Z0bfNN8dhMALjEcDaN-CHYY-GTIuZG5zY3J5cHQtY2VydC5xdWFkOS5uZXQ failed to exchange ;utm-cloudstation-eu-central-1.prod.hydra.sophos.com.	IN	 A in 12.479532ms. Cause: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted
27/10/2023
15:31:22
2023/10/27 13:31:22.786324 [error] upstream sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0 failed to exchange ;tf-presigned-url-eu-central-1-prod-firewall-bucket.s3.eu-central-1.amazonaws.com.	IN	 AAAA in 31.973152ms. Cause: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted
27/10/2023
15:33:18
2023/10/27 13:33:18.884234 [error] upstream sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0 failed to exchange ;utm-cloudstation-eu-central-1.prod.hydra.sophos.com.	IN	 A in 35.095955ms. Cause: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted
27/10/2023
15:34:43
2023/10/27 13:34:43.984917 [error] upstream sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0 failed to exchange ;utm-cloudstation-eu-central-1.prod.hydra.sophos.com.	IN	 A in 13.735802ms. Cause: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted
27/10/2023
15:35:08
2023/10/27 13:35:08.399283 [error] upstream sdns://AQMAAAAAAAAAFDE0OS4xMTIuMTEyLjExMjo4NDQzIGfIR7jIdYzRICRVQ751Z0bfNN8dhMALjEcDaN-CHYY-GTIuZG5zY3J5cHQtY2VydC5xdWFkOS5uZXQ failed to exchange ;displaycatalog-rp.md.mp.microsoft.com.akadns.net.	IN	 A in 11.83526ms. Cause: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted
27/10/2023
15:39:18
2023/10/27 13:39:18.858514 [error] upstream sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0 failed to exchange ;utm-cloudstation-eu-central-1.prod.hydra.sophos.com.	IN	 AAAA in 12.779417ms. Cause: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted
27/10/2023
15:39:41
2023/10/27 13:39:41.507154 [error] upstream sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0 failed to exchange ;www.youtube-nocookie.com.	IN	 A in 41.175667ms. Cause: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted
27/10/2023
15:39:54
2023/10/27 13:39:54.164559 [error] upstream sdns://AQMAAAAAAAAAFDE0OS4xMTIuMTEyLjExMjo4NDQzIGfIR7jIdYzRICRVQ751Z0bfNN8dhMALjEcDaN-CHYY-GTIuZG5zY3J5cHQtY2VydC5xdWFkOS5uZXQ failed to exchange ;utm-cloudstation-eu-central-1.prod.hydra.sophos.com.	IN	 A in 14.005667ms. Cause: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted
27/10/2023
15:44:02
2023/10/27 13:44:02.332513 [error] upstream sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0 failed to exchange ;utm-cloudstation-eu-central-1.prod.hydra.sophos.com.	IN	 AAAA in 12.507892ms. Cause: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted
27/10/2023
15:44:41
2023/10/27 13:44:41.124662 [error] upstream sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0 failed to exchange ;storeedgefd.xbetservices.akadns.net.	IN	 A in 63.408543ms. Cause: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted
27/10/2023
15:50:38
2023/10/27 13:50:38.565092 [error] upstream sdns://AQMAAAAAAAAAFDE0OS4xMTIuMTEyLjExMjo4NDQzIGfIR7jIdYzRICRVQ751Z0bfNN8dhMALjEcDaN-CHYY-GTIuZG5zY3J5cHQtY2VydC5xdWFkOS5uZXQ failed to exchange ;login.mso.msidentity.com.	IN	 A in 12.140777ms. Cause: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted
27/10/2023
15:52:21
2023/10/27 13:52:21.001923 [error] upstream sdns://AQMAAAAAAAAAFDE0OS4xMTIuMTEyLjExMjo4NDQzIGfIR7jIdYzRICRVQ751Z0bfNN8dhMALjEcDaN-CHYY-GTIuZG5zY3J5cHQtY2VydC5xdWFkOS5uZXQ failed to exchange ;update.code.visualstudio.com.	IN	 A in 92.532157ms. Cause: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted
27/10/2023
15:52:21
2023/10/27 13:52:21.034621 [error] upstream sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0 failed to exchange ;update.code.visualstudio.com.	IN	 A in 32.668567ms. Cause: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted
27/10/2023
15:52:21
2023/10/27 13:52:21.046504 [error] upstream sdns://AQMAAAAAAAAAEjE0OS4xMTIuMTEyLjk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0 failed to exchange ;update.code.visualstudio.com.	IN	 A in 11.858162ms. Cause: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted
27/10/2023
15:55:18
2023/10/27 13:55:18.844564 [error] upstream sdns://AQMAAAAAAAAAFDE0OS4xMTIuMTEyLjExMjo4NDQzIGfIR7jIdYzRICRVQ751Z0bfNN8dhMALjEcDaN-CHYY-GTIuZG5zY3J5cHQtY2VydC5xdWFkOS5uZXQ failed to exchange ;utm-cloudstation-eu-central-1.prod.hydra.sophos.com.	IN	 A in 12.060826ms. Cause: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted
27/10/2023
15:56:45
2023/10/27 13:56:45.472222 [error] upstream sdns://AQMAAAAAAAAAFDE0OS4xMTIuMTEyLjExMjo4NDQzIGfIR7jIdYzRICRVQ751Z0bfNN8dhMALjEcDaN-CHYY-GTIuZG5zY3J5cHQtY2VydC5xdWFkOS5uZXQ failed to exchange ;owamail.public.cdn.office.net.edgekey.net.	IN	 A in 13.834996ms. Cause: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted
27/10/2023
15:57:01
2023/10/27 13:57:01.527667 [error] upstream sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0 failed to exchange ;a.privatelink.msidentity.com.	IN	 A in 11.919412ms. Cause: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted
27/10/2023
16:00:06
2023/10/27 14:00:06.904279 [error] upstream sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0 failed to exchange ;utm-cloudstation-eu-central-1.prod.hydra.sophos.com.	IN	 A in 13.895316ms. Cause: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted
27/10/2023
16:03:36
2023/10/27 14:03:36.210426 [error] upstream sdns://AQMAAAAAAAAAFDE0OS4xMTIuMTEyLjExMjo4NDQzIGfIR7jIdYzRICRVQ751Z0bfNN8dhMALjEcDaN-CHYY-GTIuZG5zY3J5cHQtY2VydC5xdWFkOS5uZXQ failed to exchange ;youtube-ui.l.google.com.	IN	 A in 13.365737ms. Cause: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted

@renatoyamane
Copy link

I have similar records in my logs, as the previous comment above from lordraiden, but not only on Quad9 servers.

Adguard Home Version: v0.107.48

user.notice AdGuardHome[8137]: 2024/04/06 06:28:30.763031 [error] dnsproxy: upstream sdns://AQAAAAAAAAAADjIwOC42Ny4yMjAuMjIwILc1EUAgbyJdPivYItf9aR6hwzzI1maNDL4Ev6vKQ_t5GzIuZG5zY3J5cHQtY2VydC5vcGVuZG5zLmNvbQ failed to exchange ;login.microsoftonline.com.	IN	 A in 10.037173ms: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted

user.notice AdGuardHome[8137]: 2024/04/06 10:26:44.824948 [error] dnsproxy: upstream sdns://AQIAAAAAAAAAETk0LjE0MC4xNC4xNDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20 failed to exchange ;r.bing.com.	IN	 A in 65.852113ms: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted

user.notice AdGuardHome[8137]: 2024/04/06 10:42:36.986852 [error] dnsproxy: upstream sdns://AQAAAAAAAAAADjIwOC42Ny4yMjAuMjIwILc1EUAgbyJdPivYItf9aR6hwzzI1maNDL4Ev6vKQ_t5GzIuZG5zY3J5cHQtY2VydC5vcGVuZG5zLmNvbQ failed to exchange ;nxdomain-dw48hllhj5b.ca.	IN	 A in 21.547306ms: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted

user.notice AdGuardHome[8137]: 2024/04/06 10:42:38.598967 [error] dnsproxy: upstream sdns://AQAAAAAAAAAACjguMjAuMjQ3LjIg0sJUqpYcHsoXmZb1X7yAHwg2xyN5q1J-zaiGG-Dgs7AoMi5kbnNjcnlwdC1jZXJ0LnNoaWVsZC0yLmRuc2J5Y29tb2RvLmNvbQ failed to exchange ;nxdomain-hfqtsxkct7s.uk.	IN	 A in 11.852266ms: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted

@ghost
Copy link

ghost commented Apr 6, 2024

@renatoyamane please create a new issue. This has already been resolved.

@renatoyamane
Copy link

2023/10/27 14:03:36.210426 [error] upstream sdns://AQMAAAAAAAAAFDE0OS4xMTIuMTEyLjExMjo4NDQzIGfIR7jIdYzRICRVQ751Z0bfNN8dhMALjEcDaN-CHYY-GTIuZG5zY3J5cHQtY2VydC5xdWFkOS5uZXQ failed to exchange ;youtube-ui.l.google.com. IN A in 13.365737ms. Cause: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted

Are you still having this problem?
I'm noticing the same errors, in all DNSCrypt servers.

I reported the issue below, but looks like I'm the only one with this problem:
#6897

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ameshkov ameshkov

Labels
invalid Not an issue with AGH or a misunderstanding
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@sauceress @ainar-g @ameshkov @lordraiden @HellboyPI @renatoyamane and others