DoH & DNSCrypt queries randomly fail with the error RESPONSE_ERROR [SOLVED]

For almost 2 months now, DNSCrypt queries have been randomly failing on Cloudflare. Details can be found on the following threads:

Any ideas? Did Cloudflare silently stop supporting DNSCrypt?

UPDATE: Based on the lack of response to this and on Twitter it would appear that Cloudflare are silently rate limiting DoH and DNSCrypt queries. Per this thread the issue isn’t unique to Cloudflare or even dnscrypt-proxy; cloudflared has the exact same problem.

Based on this, I would encourage anyone experiencing this issue to either upgrade to a Cloudflare paid account (I’m not sure what difference that would make TBH) or migrate to unbound.

Or, gasp, use your ISP's DNS, which is less likely to rate limit you as a paying customer.

I’m not sure I follow your logic. I’d think it’s the opposite: others aren’t seeing this happening.

Based on your experience, what do you think the rate limit threshold is?

others aren’t seeing this happening.

There are literally multiple threads in my OP pointing to other people having that issue.

Based on your experience, what do you think the rate limit threshold is?

I’m thinking it’s probably around 100K queries per day, as I don’t recall having problems before I was at that level. But I’m not sure at all.

Not here, I guess. People usually jump if they’ve had the same issue.

My last 24 hours looks to be about 33k. Admittedly, it’s been a relatively quiet day here. I’ve never heard of DNS queries of any type being rate limited.

@anb seems to have some experience with DNSCrypt and is a DNS wiz here.


Thanks for pinging me @sdayman, I missed this thread as it doesn’t have the 1.1.1.1 tag.

Hi @judahrichardson, I feel sorry to hear that this issue has been around for so long. Please let me try to help you.

Can you try this stamp: sdns://AgcAAAAAAAAABzEuMC4wLjEAEmNsb3VkZmxhcmUtZG5zLmNvbQovZG5zLXF1ZXJ5 to see if the issue persists? It changes the host from dns.cloudflare.com to cloudflare-dns.com. Also, can you PM me your external IP (you can have it masked with /24)? I'll check for any potential rate limiting just in case.

Edit: since PM may not work, you can shoot a message to [email protected] instead; I'll catch it.

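The stamp above is a DNS Stamp, the sdns:// URI format dnscrypt-proxy uses to describe a resolver, and you can check what it actually points at before trusting it. The decoder below is an added example (not code from this thread, from Cloudflare or from dnscrypt-proxy); it follows the published DNS Stamps wire format, decodes the posted stamp to protocol, props, address, hostname and path, and also checks the props against the require_dnssec / require_nolog / require_nofilter settings that dnscrypt-proxy uses to decide whether a server is usable at all. The encode_doh_stamp helper and the "dns.example" stamp built with it are constructed for illustration only.

```python
"""Decode a DNS Stamp, the sdns:// URI dnscrypt-proxy uses to describe a resolver.

Added example; not code from the thread, from Cloudflare or from dnscrypt-proxy.
Wire format (DNS Stamps specification): "sdns://" followed by base64url without
padding of
    protocol (1 byte) | props (8 bytes, little-endian) | protocol-specific fields
where LP(x) is one length byte followed by x, and VLP(xs) is a run of LP items whose
length byte carries 0x80 on every item except the last.
"""
import base64

PROTOCOLS = {
    0x00: "Plain DNS", 0x01: "DNSCrypt", 0x02: "DNS-over-HTTPS", 0x03: "DNS-over-TLS",
    0x04: "DNS-over-QUIC", 0x05: "Oblivious DoH target",
    0x81: "Anonymized DNSCrypt relay", 0x85: "Oblivious DoH relay",
}
PROP_FLAGS = [(1 << 0, "DNSSEC"), (1 << 1, "NoLog"), (1 << 2, "NoFilter")]

# The stamp posted in the thread.
CLOUDFLARE_STAMP = "sdns://AgcAAAAAAAAABzEuMC4wLjEAEmNsb3VkZmxhcmUtZG5zLmNvbQovZG5zLXF1ZXJ5"


class StampReader:
    """Bounds-checked cursor over the decoded stamp bytes."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated stamp")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def lp(self) -> bytes:
        return self.take(self.u8())

    def vlp(self) -> list:
        items = []
        while True:
            n = self.u8()
            items.append(self.take(n & 0x7F))
            if not n & 0x80:
                return [i for i in items if i]  # a single empty item means "none"

    def at_end(self) -> bool:
        return self.pos >= len(self.data)


def parse_stamp(stamp: str) -> dict:
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    r = StampReader(raw)
    proto = r.u8()
    props = int.from_bytes(r.take(8), "little")
    out = {
        "protocol": PROTOCOLS.get(proto, f"unknown (0x{proto:02x})"),
        "props": [name for bit, name in PROP_FLAGS if props & bit],
    }
    if proto == 0x00:
        out["addr"] = r.lp().decode()
    elif proto == 0x01:
        out["addr"] = r.lp().decode()
        out["public_key"] = r.lp().hex()          # provider's Ed25519 public key
        out["provider_name"] = r.lp().decode()    # e.g. 2.dnscrypt-cert.<provider>
    elif proto in (0x02, 0x03, 0x04):
        out["addr"] = r.lp().decode()             # may be empty: hostname is resolved instead
        out["hashes"] = [h.hex() for h in r.vlp()]  # SHA-256 of a pinned cert, if any
        out["hostname"] = r.lp().decode()
        if proto == 0x02:
            out["path"] = r.lp().decode()
        if not r.at_end():
            out["bootstrap_ips"] = [ip.decode() for ip in r.vlp()]
    else:
        out["unparsed"] = raw[r.pos:].hex()
    return out


def encode_doh_stamp(addr: str, hostname: str, path: str, props: int = 0) -> str:
    """Inverse of parse_stamp for the DoH case (no pinned hashes, no bootstrap IPs)."""
    def lp(b: bytes) -> bytes:
        return bytes([len(b)]) + b
    raw = (bytes([0x02]) + props.to_bytes(8, "little") + lp(addr.encode())
           + b"\x00" + lp(hostname.encode()) + lp(path.encode()))
    return "sdns://" + base64.urlsafe_b64encode(raw).decode().rstrip("=")


def meets_requirements(parsed: dict, dnssec=True, nolog=True, nofilter=True) -> bool:
    """dnscrypt-proxy's require_dnssec / require_nolog / require_nofilter settings
    drop any server whose stamp does not advertise the corresponding prop."""
    need = {n for n, on in (("DNSSEC", dnssec), ("NoLog", nolog), ("NoFilter", nofilter)) if on}
    return need <= set(parsed["props"])


if __name__ == "__main__":
    info = parse_stamp(CLOUDFLARE_STAMP)
    for key, value in info.items():
        print(f"{key:14} {value}")
    print("usable with require_* all true:", meets_requirements(info))
```

Run it against the posted stamp and it decodes to DNS-over-HTTPS on 1.0.0.1, hostname cloudflare-dns.com, path /dns-query, with the DNSSEC, NoLog and NoFilter props set, so it passes a config that sets all three require_* options to true; a stamp with props of zero would be silently dropped by such a config, which is worth checking before concluding that queries are failing upstream.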

Most Community users don’t have PM access unless you PM them first. Other staff sometimes post their @cloudflare email address.


Didn’t realize that was necessary, but I applied the tag now. Sorry about that.

Unfortunately I’d already # apt purged both cloudflared and dnscrypt-proxy from my server by the time of my 2nd comment. I emailed as requested.

I’m going to link to this thread at the other discussion locations so people who are still experiencing problems can try your suggestion.

@sdayman Thanks for bringing this to the staff’s attention.


I will be doing a test of one DNS uncached query per second over the course of 24 hours, as found here. I will then edit my current configuration with the new stamp you provided, then repeat the test. I’ll report back in roughly 2 days with my results. Thank you for your support!

Edit, here’s my current DNSCrypt-proxy configuration:

listen_addresses = ['127.0.0.1:53']
server_names = ['cloudflare']

ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
doh_servers = true
odoh_servers = false

require_dnssec = true
require_nolog = true
require_nofilter = true

[query_log]
  file = '/var/log/dnscrypt-proxy/query.log'
  format = 'tsv'

[nx_log]
  file = '/var/log/dnscrypt-proxy/nx.log'
  format = 'tsv'

[sources]
  [sources.'public-resolvers']
  url = 'https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md'
  cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 24
  prefix = ''
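The test plan above (one uncached query per second, tallied over a long run) is the right way to tell a rate limit from an outage, because a cache hit never reaches the upstream and so never counts. The script below is an added example, not code from this thread or from dnscrypt-proxy: it builds a raw DNS query for a never-before-seen random label under a base domain, sends it to the local dnscrypt-proxy listener, and counts each reply by RCODE (plus timeouts and mismatched IDs). A steady run of NOERROR/NXDOMAIN that turns into a stretch of SERVFAIL or TIMEOUT is the signature to look for. Assumptions: the resolver is at 127.0.0.1:53 (the listen_addresses in the posted config) and "example.com" is only a placeholder base domain.

```python
"""Send one uncached query per second to a local resolver and tally the outcomes.

Added example; not code from the thread or from dnscrypt-proxy. Each query asks for
a fresh random label under a base domain, so no cache can answer it and every query
is forced upstream. Assumptions: resolver at 127.0.0.1:53, "example.com" is a
placeholder base domain.
"""
import collections
import os
import random
import socket
import struct
import time

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(qname: str, qid: int) -> bytes:
    """Minimal DNS wire-format query: header with RD set, one A/IN question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    question += b"\x00" + struct.pack("!HH", 1, 1)  # root label, QTYPE=A, QCLASS=IN
    return header + question


def classify_response(data: bytes, expected_id: int) -> str:
    """Map a raw reply to a label: the RCODE name, or the reason it cannot be trusted."""
    if len(data) < 12:
        return "MALFORMED"
    qid, flags = struct.unpack("!HH", data[:4])
    if qid != expected_id:
        return "ID_MISMATCH"      # not a reply to our query (or a spoof); never count it
    if not flags & 0x8000:
        return "NOT_A_RESPONSE"   # QR bit clear
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}")


def uncached_name(base: str) -> str:
    """A label nobody has ever asked for, so no cache can answer it."""
    return f"probe-{os.urandom(6).hex()}.{base}"


def probe(resolver=("127.0.0.1", 53), base="example.com", count=60, interval=1.0, timeout=2.0):
    """Run `count` probes `interval` seconds apart; return a Counter of outcomes."""
    tally = collections.Counter()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(count):
            qid = random.randrange(1 << 16)
            sock.sendto(build_query(uncached_name(base), qid), resolver)
            try:
                data, _ = sock.recvfrom(4096)
                tally[classify_response(data, qid)] += 1
            except socket.timeout:
                tally["TIMEOUT"] += 1
            time.sleep(interval)
    return tally


if __name__ == "__main__":
    # 24 hours at one query per second, as in the thread's test plan: count=86400
    print(probe(count=86400))
```

Because the label is random, the base domain's authoritative servers will answer NXDOMAIN for a healthy path; only the share of SERVFAIL and TIMEOUT matters, and comparing that share before and after switching stamps (or resolvers) is what isolates a per-upstream rate limit from a local problem.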

I think your issue has been solved. One of our attack mitigation systems is not quite intelligent yet; it rate-limits a block of IPs that includes yours. I'm really sorry about this.


@anb Thanks for the fix! I’ll be sticking with unbound for now as this is the 2nd major 1.1.1.1 issue I’ve had in as many years and each one has been a PITA to resolve. If unbound fails me at an equal or higher rate I’ll be back. Again, much appreciate the quick action.
