Dnscrypt-proxy getting 415 error from Cloudflare's servers (doesn't trigger w/ Google, others)


#1

I initially posted this to the dnscrypt-proxy project on github, but the lead developer suggested I report it here.

I’ve just configured dnscrypt-proxy on my home router, and while messing with the config file, I noticed that Cloudflare’s servers seem to initially return a 415 error code, which causes the Cloudflare server to be dropped from the list of live servers. However, I can force dnscrypt-proxy to use Cloudflare if I remove all of the other servers from the server_names list.

Consider the following two examples:
server_names = ['cloudflare', 'google', 'doh-crypto-sx']

[2018-05-27 23:21:24] [NOTICE] Source [public-resolvers.md] loaded
[2018-05-27 23:21:24] [NOTICE] dnscrypt-proxy 2.0.14
[2018-05-27 23:21:24] [NOTICE] Now listening to 127.0.0.1:5353 [UDP]
[2018-05-27 23:21:24] [NOTICE] Now listening to 127.0.0.1:5353 [TCP]
[2018-05-27 23:21:30] [INFO] [doh-crypto-sx] TLS version: 303 - Protocol: h2 - Cipher suite: 52393
[2018-05-27 23:21:30] [NOTICE] [doh-crypto-sx] OK (DoH) - rtt: 208ms
[2018-05-27 23:21:31] [INFO] [google] TLS version: 303 - Protocol: h2 - Cipher suite: 52393
[2018-05-27 23:21:31] [NOTICE] [google] OK (DoH) - rtt: 20ms
[2018-05-27 23:21:31] [NOTICE] Server with the lowest initial latency: google (rtt: 20ms)
[2018-05-27 23:21:31] [NOTICE] dnscrypt-proxy is ready - live servers: 2

Note that Cloudflare isn’t mentioned at all in the output.

This time with:
server_names = ['cloudflare']

[2018-05-27 23:09:51] [NOTICE] Source [public-resolvers.md] loaded
[2018-05-27 23:09:51] [NOTICE] dnscrypt-proxy 2.0.14
[2018-05-27 23:09:51] [NOTICE] Now listening to 127.0.0.1:5353 [UDP]
[2018-05-27 23:09:51] [NOTICE] Now listening to 127.0.0.1:5353 [TCP]
[2018-05-27 23:09:54] [ERROR] Webserver returned code 415
[2018-05-27 23:09:54] [NOTICE] dnscrypt-proxy is waiting for at least one server to be reachable
[2018-05-27 23:10:05] [INFO] [cloudflare] TLS version: 303 - Protocol: h2 - Cipher suite: 52393
[2018-05-27 23:10:05] [NOTICE] [cloudflare] OK (DoH) - rtt: 16ms
[2018-05-27 23:10:05] [NOTICE] Server with the lowest initial latency: cloudflare (rtt: 16ms)

Any idea what’s going on here? Is this a cloudflare issue?

This is the info on the local POP I’m using.
fl=16f86
h=www.cloudflare.com
ip=73.250.164.23
ts=1527524350.767
visit_scheme=https
uag=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36
colo=IAD
spdy=h2
http=h2
loc=US


#2

That is some sort of DNS proxy, right? How is HTTP relevant in that case?

Webserver returned code 415

#3

dnscrypt-proxy allows you to use DNS-over-HTTPS (DoH). So yes, this is a DNS proxy, but it is connecting to Cloudflare’s server over HTTP(S).


#4

Ohh my, they really use hypertext for everything these days, don't they :roll_eyes: :wink:

Well, yes, that changes it a bit.


Though, I wonder when IP-over-HTTP will become a thing :wink:


#5

I think this is because of https://github.com/jedisct1/dnscrypt-proxy/issues/509 (Cloudflare interprets ‘?ct’ as “use default content type” and ‘?ct=’ as “use empty content type”). It wasn’t clear to me from the RFC if there’s a difference, but I’ve unified the behavior for this and it’s being rolled out.