DoH connectivity issues in UK

I am in the UK using Cloudflare via dnscrypt-proxy using DoH.

I am finding that I get a lot of messages of the form:

May 11 19:24:07 dnscrypt-proxy[7154]: Server [Cloudflare] returned temporary error code [2] -- Upstream server may be experiencing connectivity issues
May 11 19:24:07 dnscrypt-proxy[7154]: Server [Cloudflare] returned temporary error code [2] -- Upstream server may be experiencing connectivity issues
May 11 19:24:12 dnscrypt-proxy[7154]: Server [Cloudflare] returned temporary error code [2] -- Upstream server may be experiencing connectivity issues
May 11 19:24:12 dnscrypt-proxy[7154]: Server [Cloudflare] returned temporary error code [2] -- Upstream server may be experiencing connectivity issues
May 11 19:24:23 dnscrypt-proxy[7154]: Server [Cloudflare] returned temporary error code [2] -- Upstream server may be experiencing connectivity issues
May 11 19:24:28 dnscrypt-proxy[7154]: Server [Cloudflare] returned temporary error code [2] -- Upstream server may be experiencing connectivity issues
May 11 19:24:43 dnscrypt-proxy[7154]: Server [Cloudflare] returned temporary error code [2] -- Upstream server may be experiencing connectivity issues
May 11 19:24:53 dnscrypt-proxy[7154]: Server [Cloudflare] returned temporary error code [2] -- Upstream server may be experiencing connectivity issues
May 11 19:25:08 dnscrypt-proxy[7154]: Server [Cloudflare] returned temporary error code [2] -- Upstream server may be experiencing connectivity issues
May 11 19:25:24 dnscrypt-proxy[7154]: Server [Cloudflare] returned temporary error code [2] -- Upstream server may be experiencing connectivity issues
May 11 19:26:00 dnscrypt-proxy[7154]: Server [Cloudflare] returned temporary error code [2] -- Upstream server may be experiencing connectivity issues
May 11 19:26:46 dnscrypt-proxy[7154]: Server [Cloudflare] returned temporary error code [2] -- Upstream server may be experiencing connectivity issues

These happen in bursts at random times and often mean that a DNS lookup fails.
I have never had any DNS server 'FAIL' during a DNS lookup previously.
I can use google, opendns or even my ISP’s DNS (BT) and they all work without failures.

I have a good line (74M/20M) Fibre DSL via BT/Plusnet (ISP) and do not experience any issues (including failed DNS lookups) if I use OpenDNS as an example via conventional port 53.

Is this a known issue at the moment?

What do you recommend as the ideal setup for dnscrypt-proxy to use DoH?
i.e. are there any specific settings that you need to use to make everything work consistently with Cloudflare in the UK !!!

Thanks for your Time & Attention.
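As an added example (not from this thread or the dnscrypt-proxy project), a small Python parser for log lines in the format quoted above that groups the upstream-error messages into bursts, so the "bursts at random times" can be measured and correlated with other events. The sample log is constructed, and the year is assumed because syslog timestamps omit it.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in the syslog/dnscrypt-proxy format quoted in the thread (not a real capture).
SAMPLE_LOG = """\
May 11 19:24:07 dnscrypt-proxy[7154]: Server [Cloudflare] returned temporary error code [2] -- Upstream server may be experiencing connectivity issues
May 11 19:24:12 dnscrypt-proxy[7154]: Server [Cloudflare] returned temporary error code [2] -- Upstream server may be experiencing connectivity issues
May 11 19:24:28 dnscrypt-proxy[7154]: Server [Cloudflare] returned temporary error code [2] -- Upstream server may be experiencing connectivity issues
May 11 19:25:00 dnscrypt-proxy[7154]: dnscrypt-proxy is ready - live servers: 2
May 11 19:26:46 dnscrypt-proxy[7154]: Server [Cloudflare] returned temporary error code [2] -- Upstream server may be experiencing connectivity issues
May 11 22:10:03 dnscrypt-proxy[7154]: Server [Cloudflare] returned temporary error code [2] -- Upstream server may be experiencing connectivity issues
May 11 22:10:09 dnscrypt-proxy[7154]: Server [Cloudflare] returned temporary error code [2] -- Upstream server may be experiencing connectivity issues
"""

# Syslog timestamp (no year), process tag, then the upstream-error message; other lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) dnscrypt-proxy\[\d+\]: "
    r"Server \[(?P<server>[^\]]+)\] returned temporary error code \[(?P<code>\d+)\]"
)

@dataclass
class Burst:
    server: str
    start: datetime
    end: datetime
    count: int

    @property
    def duration(self) -> timedelta:
        return self.end - self.start

def parse_upstream_errors(text, year=2018):
    # Returns sorted (timestamp, server, rcode) tuples; the year is an assumption supplied by the caller.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["server"], int(m["code"])))
    return sorted(events)

def group_bursts(events, max_gap_seconds=60):
    # Per server, consecutive errors closer than max_gap belong to one burst; a larger gap starts a new one.
    gap = timedelta(seconds=max_gap_seconds)
    bursts, last = [], {}
    for ts, server, _code in events:
        cur = last.get(server)
        if cur is not None and ts - cur.end <= gap:
            cur.end, cur.count = ts, cur.count + 1
        else:
            cur = last[server] = Burst(server, ts, ts, 1)
            bursts.append(cur)
    return bursts
```

Run `group_bursts(parse_upstream_errors(open("/var/log/syslog").read()))` against a real log and print each burst's start, count and duration; a gap threshold near your cache_neg TTL shows whether retries are landing inside the same outage.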

Moved because it seems to be a different issue and the origin thread was about to be closed automatically in 4 hours from now…

Please follow this guide and provide us with the information requested. This might help the Cloudflare staff to solve or address this issue.

These are responses with a SERVFAIL return code. This is a temporary error, and dnscrypt-proxy doesn’t even normally log this unless you configure it to display debug messages.

That being said, there have been quite a lot of reports of SERVFAIL responses when using Cloudflare, for valid zones served by healthy authoritative servers. That’s something I witnessed as well, no matter what the transport protocol was.

What do you recommend as the ideal setup for dnscrypt-proxy to use DoH?

You can reduce the maximum TTL for failed responses, and increase the minimal TTL for normal responses. And maybe increase the cache size by the way.

This will force the proxy to retry more often after a failure, and cache responses for a longer period of time after a success. But this is a hack that is unlikely to provide a significant improvement.

Thanks.
Before I collect the information you have requested, one more point.

I have run the DNS Benchmark Software from Steve Gibson (of GRC fame).

I get 100% reliability from the test of 1.1.1.1 via Port 53 and get failures from 1.1.1.1 via DoH.
These are being run as part of the same Benchmark process.

It would appear Cloudflare is 100% OK if I am not using DoH !!!???

1.1.1.1        | Min   | Avg   | Max   |Std.Dev|Reliab%|
Cached Name    | 0.015 | 0.024 | 0.061 | 0.012 | 100.0 |
Uncached Name  | 0.019 | 0.065 | 0.293 | 0.075 | 100.0 |
DotCom Lookup  | 0.018 | 0.050 | 0.151 | 0.044 | 100.0 |

1dot1dot1dot1.Cloudflare-dns.com (using port 53)
CloudflareNET - Cloudflare, Inc., US

==========================================================

192.168.1.250  | Min   | Avg   | Max   |Std.Dev|Reliab%|
Cached Name    | 0.002 | 0.012 | 0.049 | 0.012 | 100.0 |
Uncached Name  | 0.018 | 0.072 | 0.265 | 0.067 |  95.8 |
DotCom Lookup  | 0.018 | 0.039 | 0.109 | 0.022 | 100.0 |

Home Router (dnsmasq → dnscrypt-proxy → 1.1.1.1/1.0.0.1 via DoH)
Local Network Nameserver (UK)

==========================================================
As far as 'fudging' the TTL values goes, it does not really solve the problem, does it?

Thanks for your help, I am now reading the referenced info to reply further.

Please find output of Troubleshooting commands as requested:

===================================================================================
[12/05/2018 01:35:42] Running the following commands:
[12/05/2018 01:35:42] =======================================================
[12/05/2018 01:35:42] Troubleshooting Name Resolution Issues
[12/05/2018 01:35:42] =======================================================
[12/05/2018 01:35:42] traceroute 1.1.1.1
[12/05/2018 01:35:42] traceroute 1.0.0.1
[12/05/2018 01:35:42] dig +short CHAOS TXT id.server @1.1.1.1
[12/05/2018 01:35:42] dig +short CHAOS TXT id.server @1.0.0.1
[12/05/2018 01:35:42] dig +tcp @1.1.1.1 id.server CH TXT
[12/05/2018 01:35:42] dig +tcp @1.0.0.1 id.server CH TXT
[12/05/2018 01:35:42] =======================================================
[12/05/2018 01:35:42] Troubleshooting Unreachability or Routing Issues
[12/05/2018 01:35:42] =======================================================
[12/05/2018 01:35:42] running curl -v 'https://1.1.1.1/dns-query?ct=application/dns-json&name=Cloudflare.com'
[12/05/2018 01:35:42]
[12/05/2018 01:35:42]
[12/05/2018 01:35:42] Output Starts Here ====>>>
[12/05/2018 01:35:42]
[12/05/2018 01:35:42]
[12/05/2018 01:35:42] =======================================================
[12/05/2018 01:35:42] Troubleshooting Name Resolution Issues
[12/05/2018 01:35:42] =======================================================
[12/05/2018 01:35:42]
[12/05/2018 01:35:42] dig output =============================================
[12/05/2018 01:35:42] Running dig example.com @1.1.1.1
[12/05/2018 01:35:43]
[12/05/2018 01:35:43] ; <<>> DiG 9.11.2-P1 <<>> example.com @1.1.1.1
[12/05/2018 01:35:43] ;; global options: +cmd
[12/05/2018 01:35:43] ;; Got answer:
[12/05/2018 01:35:43] ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58825
[12/05/2018 01:35:43] ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
[12/05/2018 01:35:43]
[12/05/2018 01:35:43] ;; OPT PSEUDOSECTION:
[12/05/2018 01:35:43] ; EDNS: version: 0, flags:; udp: 1536
[12/05/2018 01:35:43] ;; QUESTION SECTION:
[12/05/2018 01:35:43] ;example.com. IN A
[12/05/2018 01:35:43]
[12/05/2018 01:35:43] ;; ANSWER SECTION:
[12/05/2018 01:35:43] example.com. 1268 IN A 93.184.216.34
[12/05/2018 01:35:43]
[12/05/2018 01:35:43] ;; Query time: 17 msec
[12/05/2018 01:35:43] ;; SERVER: 1.1.1.1#53(1.1.1.1)
[12/05/2018 01:35:43] ;; WHEN: Sat May 12 00:35:43 UTC 2018
[12/05/2018 01:35:43] ;; MSG SIZE rcvd: 56
[12/05/2018 01:35:43]
[12/05/2018 01:35:43] Running dig example.com @1.0.0.1
[12/05/2018 01:35:43]
[12/05/2018 01:35:43] ; <<>> DiG 9.11.2-P1 <<>> example.com @1.0.0.1
[12/05/2018 01:35:43] ;; global options: +cmd
[12/05/2018 01:35:43] ;; Got answer:
[12/05/2018 01:35:43] ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59497
[12/05/2018 01:35:43] ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
[12/05/2018 01:35:43]
[12/05/2018 01:35:43] ;; OPT PSEUDOSECTION:
[12/05/2018 01:35:43] ; EDNS: version: 0, flags:; udp: 1536
[12/05/2018 01:35:43] ;; QUESTION SECTION:
[12/05/2018 01:35:43] ;example.com. IN A
[12/05/2018 01:35:43]
[12/05/2018 01:35:43] ;; ANSWER SECTION:
[12/05/2018 01:35:43] example.com. 1268 IN A 93.184.216.34
[12/05/2018 01:35:43]
[12/05/2018 01:35:43] ;; Query time: 14 msec
[12/05/2018 01:35:43] ;; SERVER: 1.0.0.1#53(1.0.0.1)
[12/05/2018 01:35:43] ;; WHEN: Sat May 12 00:35:43 UTC 2018
[12/05/2018 01:35:43] ;; MSG SIZE rcvd: 56
[12/05/2018 01:35:43]
[12/05/2018 01:35:43] Running dig example.com @8.8.8.8
[12/05/2018 01:35:43]
[12/05/2018 01:35:43] ; <<>> DiG 9.11.2-P1 <<>> example.com @8.8.8.8
[12/05/2018 01:35:43] ;; global options: +cmd
[12/05/2018 01:35:43] ;; Got answer:
[12/05/2018 01:35:43] ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59725
[12/05/2018 01:35:43] ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
[12/05/2018 01:35:43]
[12/05/2018 01:35:43] ;; OPT PSEUDOSECTION:
[12/05/2018 01:35:43] ; EDNS: version: 0, flags:; udp: 512
[12/05/2018 01:35:43] ;; QUESTION SECTION:
[12/05/2018 01:35:43] ;example.com. IN A
[12/05/2018 01:35:43]
[12/05/2018 01:35:43] ;; ANSWER SECTION:
[12/05/2018 01:35:43] example.com. 14098 IN A 93.184.216.34
[12/05/2018 01:35:43]
[12/05/2018 01:35:43] ;; Query time: 20 msec
[12/05/2018 01:35:43] ;; SERVER: 8.8.8.8#53(8.8.8.8)
[12/05/2018 01:35:43] ;; WHEN: Sat May 12 00:35:43 UTC 2018
[12/05/2018 01:35:43] ;; MSG SIZE rcvd: 56
[12/05/2018 01:35:43]
[12/05/2018 01:35:43]
[12/05/2018 01:35:43] Running dig +short CHAOS TXT id.server @1.1.1.1
[12/05/2018 01:35:43] "lhr01"
[12/05/2018 01:35:43] Running dig +short CHAOS TXT id.server @1.0.0.1
[12/05/2018 01:35:43] "lhr01"
[12/05/2018 01:35:43]
[12/05/2018 01:35:43] Running dig @ns3.Cloudflare.com whoami.Cloudflare.com txt +short
[12/05/2018 01:35:44] "xxx.xxx.xxx.xxx"
***************************************************
This command is supposed to return my IP Address
I can confirm that my IP Address was returned :slight_smile:
***************************************************
*** Would prefer not to publish it in this file ***
***************************************************
[12/05/2018 01:35:44]
[12/05/2018 01:35:44]
[12/05/2018 01:35:44] Traceroute of 1.1.1.1 & 1.0.0.1 =========================
[12/05/2018 01:35:45] traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 38 byte packets
[12/05/2018 01:35:45] 1 Cisco (xxx.xxx.xxx.xxx) 1.012 ms 0.566 ms 0.891 ms
[12/05/2018 01:36:00] 2 * * *
[12/05/2018 01:36:15] 3 * * *
[12/05/2018 01:36:15] 4 195.166.143.132 (195.166.143.132) 13.590 ms 13.477 ms 13.316 ms
[12/05/2018 01:36:15] 5 195.99.125.140 (195.99.125.140) 13.431 ms 195.99.125.132 (195.99.125.132) 14.349 ms 13.175 ms
[12/05/2018 01:36:16] 6 195.99.127.81 (195.99.127.81) 13.994 ms 62.172.103.15 (62.172.103.15) 14.284 ms 195.99.127.81 (195.99.127.81) 13.165 ms
[12/05/2018 01:36:16] 7 195.99.126.151 (195.99.126.151) 13.611 ms 13.960 ms 195.99.126.1 (195.99.126.1) 13.122 ms
[12/05/2018 01:36:16] 8 1.1.1.1 (1.1.1.1) 12.767 ms 12.852 ms 12.861 ms
[12/05/2018 01:36:16] traceroute to 1.0.0.1 (1.0.0.1), 30 hops max, 38 byte packets
[12/05/2018 01:36:16] 1 Cisco (xxx.xxx.xxx.xxx) 0.558 ms 0.482 ms 1.021 ms
[12/05/2018 01:36:31] 2 * * *
[12/05/2018 01:36:46] 3 * * *
[12/05/2018 01:36:46] 4 195.166.143.132 (195.166.143.132) 12.811 ms 195.166.143.128 (195.166.143.128) 12.703 ms 12.786 ms
[12/05/2018 01:36:47] 5 195.99.125.140 (195.99.125.140) 12.404 ms 195.99.125.144 (195.99.125.144) 13.229 ms 195.99.125.132 (195.99.125.132) 12.960 ms
[12/05/2018 01:36:47] 6 195.99.127.81 (195.99.127.81) 13.127 ms 195.99.127.23 (195.99.127.23) 13.930 ms 62.172.103.19 (62.172.103.19) 13.987 ms
[12/05/2018 01:36:47] 7 195.99.126.1 (195.99.126.1) 24.424 ms 13.680 ms 13.370 ms
[12/05/2018 01:36:47] 8 1.0.0.1 (1.0.0.1) 13.239 ms 13.263 ms 13.303 ms
[12/05/2018 01:36:47] Running dig +short CHAOS TXT id.server @1.1.1.1
[12/05/2018 01:36:48] "lhr01"
[12/05/2018 01:36:48] Running dig +short CHAOS TXT id.server @1.0.0.1
[12/05/2018 01:36:48] "lhr01"
[12/05/2018 01:36:48] Running dig +tcp @1.1.1.1 id.server CH TXT
[12/05/2018 01:36:48]
[12/05/2018 01:36:48] ; <<>> DiG 9.11.2-P1 <<>> +tcp @1.1.1.1 id.server CH TXT
[12/05/2018 01:36:48] ; (1 server found)
[12/05/2018 01:36:48] ;; global options: +cmd
[12/05/2018 01:36:48] ;; Got answer:
[12/05/2018 01:36:48] ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61403
[12/05/2018 01:36:48] ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
[12/05/2018 01:36:48]
[12/05/2018 01:36:48] ;; OPT PSEUDOSECTION:
[12/05/2018 01:36:48] ; EDNS: version: 0, flags:; udp: 1536
[12/05/2018 01:36:48] ;; QUESTION SECTION:
[12/05/2018 01:36:48] ;id.server. CH TXT
[12/05/2018 01:36:48]
[12/05/2018 01:36:48] ;; ANSWER SECTION:
[12/05/2018 01:36:48] id.server. 0 CH TXT "lhr01"
[12/05/2018 01:36:48]
[12/05/2018 01:36:48] ;; Query time: 18 msec
[12/05/2018 01:36:48] ;; SERVER: 1.1.1.1#53(1.1.1.1)
[12/05/2018 01:36:48] ;; WHEN: Sat May 12 00:36:48 UTC 2018
[12/05/2018 01:36:48] ;; MSG SIZE rcvd: 56
[12/05/2018 01:36:48]
[12/05/2018 01:36:48] Running dig +tcp @1.0.0.1 id.server CH TXT
[12/05/2018 01:36:48]
[12/05/2018 01:36:48] ; <<>> DiG 9.11.2-P1 <<>> +tcp @1.0.0.1 id.server CH TXT
[12/05/2018 01:36:48] ; (1 server found)
[12/05/2018 01:36:48] ;; global options: +cmd
[12/05/2018 01:36:48] ;; Got answer:
[12/05/2018 01:36:48] ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46316
[12/05/2018 01:36:48] ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
[12/05/2018 01:36:48]
[12/05/2018 01:36:48] ;; OPT PSEUDOSECTION:
[12/05/2018 01:36:48] ; EDNS: version: 0, flags:; udp: 1536
[12/05/2018 01:36:48] ;; QUESTION SECTION:
[12/05/2018 01:36:48] ;id.server. CH TXT
[12/05/2018 01:36:48]
[12/05/2018 01:36:48] ;; ANSWER SECTION:
[12/05/2018 01:36:48] id.server. 0 CH TXT "lhr01"
[12/05/2018 01:36:48]
[12/05/2018 01:36:48] ;; Query time: 12 msec
[12/05/2018 01:36:48] ;; SERVER: 1.0.0.1#53(1.0.0.1)
[12/05/2018 01:36:48] ;; WHEN: Sat May 12 00:36:48 UTC 2018
[12/05/2018 01:36:48] ;; MSG SIZE rcvd: 56
[12/05/2018 01:36:48]
[12/05/2018 01:36:48]
[12/05/2018 01:36:48] =======================================================
[12/05/2018 01:36:48] Troubleshooting Unreachability or Routing Issues
[12/05/2018 01:36:48] =======================================================
[12/05/2018 01:36:48]
[12/05/2018 01:36:48] Running curl -v 'https://1.1.1.1/dns-query?ct=application/dns-json&name=Cloudflare.com'
[12/05/2018 01:36:48]
[12/05/2018 01:36:49] * Trying 1.1.1.1...
[12/05/2018 01:36:49] * TCP_NODELAY set
[12/05/2018 01:36:49] * Connected to 1.1.1.1 (1.1.1.1) port 443 (#0)
[12/05/2018 01:36:49] * ALPN, offering http/1.1
[12/05/2018 01:36:49] * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
[12/05/2018 01:36:50] * successfully set certificate verify locations:
[12/05/2018 01:36:50] * CAfile: /etc/ssl/certs/ca-certificates.crt
[12/05/2018 01:36:50] CApath: none
[12/05/2018 01:36:50] * TLSv1.2 (OUT), TLS header, Certificate Status (22):
[12/05/2018 01:36:50] * TLSv1.2 (OUT), TLS handshake, Client hello (1):
[12/05/2018 01:36:50] * TLSv1.2 (IN), TLS handshake, Server hello (2):
[12/05/2018 01:36:50] * TLSv1.2 (IN), TLS handshake, Certificate (11):
[12/05/2018 01:36:50] * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
[12/05/2018 01:36:50] * TLSv1.2 (IN), TLS handshake, Server finished (14):
[12/05/2018 01:36:50] * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
[12/05/2018 01:36:50] * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
[12/05/2018 01:36:50] * TLSv1.2 (OUT), TLS handshake, Finished (20):
[12/05/2018 01:36:50] * TLSv1.2 (IN), TLS change cipher, Client hello (1):
[12/05/2018 01:36:50] * TLSv1.2 (IN), TLS handshake, Finished (20):
[12/05/2018 01:36:50] * SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
[12/05/2018 01:36:50] * ALPN, server accepted to use http/1.1
[12/05/2018 01:36:50] * Server certificate:
[12/05/2018 01:36:50] * subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=*.Cloudflare-dns.com
[12/05/2018 01:36:50] * start date: Mar 30 00:00:00 2018 GMT
[12/05/2018 01:36:50] * expire date: Mar 25 12:00:00 2020 GMT
[12/05/2018 01:36:50] * subjectAltName: host "1.1.1.1" matched cert's IP address!
[12/05/2018 01:36:50] * issuer: C=US; O=DigiCert Inc; CN=DigiCert ECC Secure Server CA
[12/05/2018 01:36:50] * SSL certificate verify ok.
[12/05/2018 01:36:50] > GET /dns-query?ct=application/dns-json&name=Cloudflare.com HTTP/1.1
[12/05/2018 01:36:50] > Host: 1.1.1.1
[12/05/2018 01:36:50] > User-Agent: curl/7.57.0
[12/05/2018 01:36:50] > Accept: */*
[12/05/2018 01:36:50] >
[12/05/2018 01:36:50] < HTTP/1.1 200 OK
[12/05/2018 01:36:50] < Date: Sat, 12 May 2018 00:36:50 GMT
[12/05/2018 01:36:50] < Content-Type: application/dns-json
[12/05/2018 01:36:50] < Content-Length: 287
[12/05/2018 01:36:50] < Connection: keep-alive
[12/05/2018 01:36:50] < cache-control: max-age=19
[12/05/2018 01:36:50] < Set-Cookie: __cfduid=d9bb81480bb09ccc8d827f0cc645f11591526085410; expires=Sun, 12-May-19 00:36:50 GMT; path=/; domain=.1.1.1.1; HttpOnly; Secure
[12/05/2018 01:36:50] < Server: Cloudflare-nginx
[12/05/2018 01:36:50] < CF-RAY: 4198d038198f6a1f-LHR
[12/05/2018 01:36:50] <
[12/05/2018 01:36:50] * Connection #0 to host 1.1.1.1 left intact
[12/05/2018 01:36:50] {"Status": 0,"TC": false,"RD": true, "RA": true, "AD": true,"CD": false,"Question":[{"name": "Cloudflare.com.", "type": 1}],"Answer":[{"name": "Cloudflare.com.", "type": 1, "TTL": 19, "data": "198.41.214.162"},{"name": "Cloudflare.com.", "type": 1, "TTL": 19, "data": "198.41.215.162"}]}
[12/05/2018 01:36:50] ==============================================================
[12/05/2018 01:36:50] End of Output
[12/05/2018 01:36:50] ==============================================================

Bump … any feedback on the additional data I provided ???