DNSCrypt response is invalid and cannot be decrypted

[renatoyamane]

Prerequisites

• I have checked the Wiki and Discussions and found no answer

• I have searched other issues and found no duplicates

• I want to report a bug and not ask a question or ask for help

• I have set up AdGuard Home correctly and configured clients to use it. (Use the Discussions for help with installing and configuring clients.)

Platform (OS and CPU architecture)

Linux, ARM64

Installation

Custom package (OpenWrt, HomeAssistant, etc; please mention in the description)

Setup

On a router, DHCP is handled by the router

AdGuard Home version

0.107.48

Action

I'm noticing a lot of these errors on my log:

Sat Apr  6 17:57:37 2024 user.notice AdGuardHome[8137]: 2024/04/06 16:57:37.213287 [error] dnsproxy: upstream sdns://AQAAAAAAAAAACjguMjAuMjQ3LjIg0sJUqpYcHsoXmZb1X7yAHwg2xyN5q1J-zaiGG-Dgs7AoMi5kbnNjcnlwdC1jZXJ0LnNoaWVsZC0yLmRuc2J5Y29tb2RvLmNvbQ failed to exchange ;weather.nest.com.	IN	 A in 18.729841ms: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted

Sat Apr  6 21:00:52 2024 user.notice AdGuardHome[8137]: 2024/04/06 20:00:52.880450 [error] dnsproxy: upstream sdns://AQAAAAAAAAAADjIwOC42Ny4yMjAuMjIwILc1EUAgbyJdPivYItf9aR6hwzzI1maNDL4Ev6vKQ_t5GzIuZG5zY3J5cHQtY2VydC5vcGVuZG5zLmNvbQ failed to exchange ;s3.glbimg.com.	IN	 HTTPS in 226.548648ms: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted

Sat Apr  6 21:29:39 2024 user.notice AdGuardHome[8137]: 2024/04/06 20:29:39.610791 [error] dnsproxy: upstream sdns://AQIAAAAAAAAAETk0LjE0MC4xNC4xNDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20 failed to exchange ;firebaseremoteconfig.googleapis.com.	IN	 A in 7.66672ms: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted

Sat Apr  6 23:11:45 2024 user.notice AdGuardHome[8137]: 2024/04/06 22:11:45.401988 [error] dnsproxy: upstream sdns://AQAAAAAAAAAACjguMjAuMjQ3LjIg0sJUqpYcHsoXmZb1X7yAHwg2xyN5q1J-zaiGG-Dgs7AoMi5kbnNjcnlwdC1jZXJ0LnNoaWVsZC0yLmRuc2J5Y29tb2RvLmNvbQ failed to exchange ;colvk.viki.io.	IN	 A in 20.838928ms: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted

Sun Apr  7 00:12:15 2024 user.notice AdGuardHome[8137]: 2024/04/06 23:12:15.570966 [error] dnsproxy: upstream sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0 failed to exchange ;xgapromomanager-pa.googleapis.com.	IN	 A in 9.135598ms: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted

Sun Apr  7 00:12:15 2024 user.notice AdGuardHome[8137]: 2024/04/06 23:12:15.561725 [error] dnsproxy: upstream sdns://AQIAAAAAAAAAETk0LjE0MC4xNC4xNDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20 failed to exchange ;xgapromomanager-pa.googleapis.com.	IN	 A in 7.550599ms: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted

Sun Apr  7 12:37:57 2024 user.notice AdGuardHome[8137]: 2024/04/07 11:37:57.442440 [error] dnsproxy: upstream sdns://AQAAAAAAAAAADjIwOC42Ny4yMjAuMjIwILc1EUAgbyJdPivYItf9aR6hwzzI1maNDL4Ev6vKQ_t5GzIuZG5zY3J5cHQtY2VydC5vcGVuZG5zLmNvbQ failed to exchange ;shop.allnetchina.cn.	IN	 A in 18.676623ms: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted

Sun Apr  7 15:00:03 2024 user.notice AdGuardHome[8137]: 2024/04/07 14:00:03.703077 [error] dnsproxy: upstream sdns://AQAAAAAAAAAACjguMjAuMjQ3LjIg0sJUqpYcHsoXmZb1X7yAHwg2xyN5q1J-zaiGG-Dgs7AoMi5kbnNjcnlwdC1jZXJ0LnNoaWVsZC0yLmRuc2J5Y29tb2RvLmNvbQ failed to exchange ;5aa25954e40ffb18984989b59487dfe054549e213a2e64a12187f8deb5a4cb5.us-east-1.prod.service.minerva.devices.a2z.com.	IN	 A in 17.727306ms: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted

Sun Apr  7 17:49:49 2024 user.notice AdGuardHome[8137]: 2024/04/07 16:49:49.174139 [error] dnsproxy: upstream sdns://AQAAAAAAAAAADjIwOC42Ny4yMjAuMjIwILc1EUAgbyJdPivYItf9aR6hwzzI1maNDL4Ev6vKQ_t5GzIuZG5zY3J5cHQtY2VydC5vcGVuZG5zLmNvbQ failed to exchange ;fitbitvestibuleshim-pa.googleapis.com.	IN	 A in 15.355386ms: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted

Upstream servers (load balancing mode):
The 3rd (from bottom to top) is an ADGuard DNSCrypt server, which is also resulting in an error reported above.
To reproduce the error quickier, remove the HTTPS, TLS and QUIC servers from the list below.

https://dns.google/dns-query
https://dns.quad9.net/dns-query
https://dns.twnic.tw/dns-query
https://doh.opendns.com/dns-query
https://security.cloudflare-dns.com/dns-query
tls://security.cloudflare-dns.com
quic://dns.adguard-dns.com
quic://zero.dns0.eu
https://dns.adguard-dns.com/dns-query
tls://dns.adguard-dns.com
sdns://AQAAAAAAAAAADjIwOC42Ny4yMjAuMjIwILc1EUAgbyJdPivYItf9aR6hwzzI1maNDL4Ev6vKQ_t5GzIuZG5zY3J5cHQtY2VydC5vcGVuZG5zLmNvbQ
sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0
sdns://AQMAAAAAAAAAEjEwMy44Ny42OC4xOTQ6ODQ0MyAxXDKkdrOao8ZeLyu7vTnVrT0C7YlPNNf6trdMkje7QR8yLmRuc2NyeXB0LWNlcnQuZG5zLmJlYmFzaWQuY29t
sdns://AQIAAAAAAAAAETk0LjE0MC4xNC4xNDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20
sdns://AQAAAAAAAAAACjguMjAuMjQ3LjIg0sJUqpYcHsoXmZb1X7yAHwg2xyN5q1J-zaiGG-Dgs7AoMi5kbnNjcnlwdC1jZXJ0LnNoaWVsZC0yLmRuc2J5Y29tb2RvLmNvbQ
sdns://AgMAAAAAAAAADDk0LjE0MC4xNS4xNSCaOjT3J965vKUQA9nOnDn48n3ZxSQpAcK6saROY1oCGQ9kbnMuYWRndWFyZC5jb20KL2Rucy1xdWVyeQ

Bootstrap servers:

208.67.222.222
1.1.1.1
208.67.220.220
9.9.9.9
8.8.8.8
149.112.112.10
2620:fe::10
2620:fe::fe:10
94.140.15.15
2a10:50c0::ad1:ff
94.140.14.14
2a10:50c0::ad2:ff
[2a10:50c0::ad1:ff]:5443

Filters:

# Phishing army
https://adguardteam.github.io/HostlistsRegistry/assets/filter_18.txt

# Spanish / Portuguese
https://filters.adtidy.org/extension/chromium/filters/9.txt

# Annoyances
https://filters.adtidy.org/extension/chromium/filters/14.txt

# Perflyst and Dandelion Sprout's Smart-TV Blocklist
https://adguardteam.github.io/HostlistsRegistry/assets/filter_7.txt

# 1Hosts (Lite)
https://adguardteam.github.io/HostlistsRegistry/assets/filter_24.txt

# OISD Blocklist Big
https://adguardteam.github.io/HostlistsRegistry/assets/filter_27.txt

# HaGeZi's Gambling Blocklist
https://adguardteam.github.io/HostlistsRegistry/assets/filter_47.txt

# HaGeZi's Pro++ Blocklist
https://adguardteam.github.io/HostlistsRegistry/assets/filter_51.txt

# Threat Intelligence Feeds - Medium version
https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/tif.medium.txt

Same errors also noticed on previous versions (0.107.45 -- 0.107.46 -- 0.107.47)

Expected result

No errors

Actual result

Noticed some errors as reported

Additional information and/or screenshots

No response

[ghost]

Hi @renatoyamane, thanks for the report.
I am unable to reproduce this on my own build.

Could you please get me the verbose-level logs with the issue reproduced so we might be able to see better what's happening here?

[renatoyamane]

Hi @jslawler-gh,

Please see the log attached (dnscrypt_log.txt)

You can see the error at the line:

Mon Apr 8 18:13:18 2024 user.notice AdGuardHome[27886]: 2024/04/08 17:13:18.275573 27886#2310 [error] dnsproxy: upstream sdns://AQIAAAAAAAAAETk0LjE0MC4xNC4xNDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20 failed to exchange ;nxdomain-75wuuuay5j8.biz. IN A in 9.666776ms: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted

[marcelloinfoweb]

Same problem v0.107.48

[renatoyamane]

How can I remove this tag "waiting for data", as I already submited it?

[renatoyamane]

It's also weird because even with a very short response time, DNSCrypt servers are not selected by Adguard:

[renatoyamane]

Can be something related to the timezone?

I'm on Summer Time (GMT +1)

My computer and my router are on the correct time and timezone, but I noticed this:

[afflux]

seeing the same message here. I only have the Adguard Public DNS sdns as my sole upstream in AGH. Querying i.scdn.co. on AGH reproducibly fails:

$ ./dnslookup i.scdn.co. tls://MYAGH 
dnslookup v1.11.1
Server: tls://MYAGH

dnslookup result (elapsed 89.760446ms):
;; opcode: QUERY, status: SERVFAIL, id: 38601
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;i.scdn.co.     IN       A

While I can query the sdns upstream myself without issue:

$ ./dnslookup i.scdn.co. sdns://AQMAAAAAAAAAETk0LjE0MC4xNC4xNDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20
dnslookup v1.11.1
Server: sdns://AQMAAAAAAAAAETk0LjE0MC4xNC4xNDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20

dnslookup result (elapsed 25.078094ms):
;; opcode: QUERY, status: NOERROR, id: 18147
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;i.scdn.co.     IN       A

;; ANSWER SECTION:
i.scdn.co.      274     IN      CNAME   image-scdn.cdn-gslb.spotify.com.
image-scdn.cdn-gslb.spotify.com.        60      IN      CNAME   common-eipb-ak.spotifycdn.com.edgesuite.net.
common-eipb-ak.spotifycdn.com.edgesuite.net.    21574   IN      CNAME   squadcdn.scdn.co.splitter-eip.akadns.net.
squadcdn.scdn.co.splitter-eip.akadns.net.       60      IN      CNAME   i.scdn.co-noeip.akamaized.net.
i.scdn.co-noeip.akamaized.net.  334     IN      CNAME   a1520.dscc.akamai.net.
a1520.dscc.akamai.net.  60      IN      A       23.32.239.40
a1520.dscc.akamai.net.  60      IN      A       23.32.239.16
a1520.dscc.akamai.net.  60      IN      A       23.32.239.81
a1520.dscc.akamai.net.  60      IN      A       23.32.239.51

AGH verbose log output:

adguardhome_1  | 2024/07/14 07:20:53.475844 1#59 [debug] dnsforward: got client server name "MYAGH" from tls conn
adguardhome_1  | 2024/07/14 07:20:53.478989 1#59 [debug] dnsforward: started processing initial
adguardhome_1  | 2024/07/14 07:20:53.479578 1#19 [debug] clients: processing MYCLIENTIP with rdns
adguardhome_1  | 2024/07/14 07:20:53.479771 1#19 [debug] clients: finished processing MYCLIENTIP with rdns in 248.913µs
adguardhome_1  | 2024/07/14 07:20:53.480747 1#59 [debug] applying filters: looking for client with ip MYCLIENTIP and clientid ""
adguardhome_1  | 2024/07/14 07:20:53.481471 1#59 [debug] applying filters: no clients with ip MYCLIENTIP and clientid ""
adguardhome_1  | 2024/07/14 07:20:53.483025 1#19 [debug] clients: processing MYCLIENTIP with whois
adguardhome_1  | 2024/07/14 07:20:53.483411 1#59 [debug] dnsforward: finished processing initial
adguardhome_1  | 2024/07/14 07:20:53.484210 1#19 [debug] clients: finished processing MYCLIENTIP with whois in 1.290742ms
adguardhome_1  | 2024/07/14 07:20:53.484488 1#59 [debug] dnsforward: started processing ddr
adguardhome_1  | 2024/07/14 07:20:53.484688 1#59 [debug] dnsforward: finished processing ddr
adguardhome_1  | 2024/07/14 07:20:53.485029 1#59 [debug] dnsforward: started processing dhcp hosts
adguardhome_1  | 2024/07/14 07:20:53.485653 1#59 [debug] dnsforward: finished processing dhcp hosts
adguardhome_1  | 2024/07/14 07:20:53.485771 1#59 [debug] dnsforward: started processing dhcp addrs
adguardhome_1  | 2024/07/14 07:20:53.486106 1#59 [debug] dnsforward: finished processing dhcp addrs
adguardhome_1  | 2024/07/14 07:20:53.486246 1#59 [debug] dnsforward: started processing filtering before req
adguardhome_1  | 2024/07/14 07:20:53.486520 1#59 [debug] dnsforward: finished processing filtering before req
adguardhome_1  | 2024/07/14 07:20:53.486601 1#59 [debug] dnsforward: started processing upstream
adguardhome_1  | 2024/07/14 07:20:54.045123 1#59 [error] dnsproxy: upstream sdns://AQMAAAAAAAAAETk0LjE0MC4xNC4xNDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20 failed to exchange ;i.scdn.co.      IN       A in 558.138141ms: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted
adguardhome_1  | 2024/07/14 07:20:54.045191 1#59 [debug] dnsproxy: replying from upstream: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted
adguardhome_1  | 2024/07/14 07:20:54.045319 1#59 [debug] dnsforward: finished processing upstream
adguardhome_1  | 2024/07/14 07:20:54.045503 1#59 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: SERVFAIL, id: 3418
adguardhome_1  | ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
adguardhome_1  |
adguardhome_1  | ;; QUESTION SECTION:
adguardhome_1  | ;i.scdn.co.    IN       A
adguardhome_1  |
adguardhome_1  | 2024/07/14 07:20:54.045920 1#59 [error] handling tcp: handling tls request: using request handler: exchanging: dnscrypt: DNSCrypt response is invalid and cannot be decrypted
adguardhome_1  | 2024/07/14 07:20:54.065499 1#59 [debug] handling tcp: reading msg: connection is closed; original error: reading len: EOF