DoH & DNSCrypt queries randomly fail with the error RESPONSE_ERROR [SOLVED]

For almost 2 months now, DNSCrypt queries have been randomly failing on Cloudflare. Details can be found on the following threads:

Any ideas? Did Cloudflare silently stop supporting DNSCrypt?

UPDATE: Based on the lack of response to this and on Twitter it would appear that Cloudflare are silently rate limiting DoH and DNSCrypt queries. Per this thread the issue isn’t unique to Cloudflare or even dnscrypt-proxy; cloudflared has the exact same problem.

Based on this, I would encourage anyone experiencing this issue to either upgrade to a Cloudflare paid account (I’m not sure what difference that would make TBH) or migrate to unbound.

Or, gasp use your ISP’'s DNS, which is less likely to rate limit you as a paying customer.

I’m not sure I follow your logic. I’d think it’s the opposite: others aren’t seeing this happening.

Based on your experience, what do you think the rate limit threshold is?

others aren’t seeing this happening.

There are literally multiple threads in my OP pointing to other people having that issue.

Based on your experience, what do you think the rate limit threshold is?

I’m thinking it’s probably around 100K queries per day, as I don’t recall having problems before I was at that level. But I’m not sure at all.

Not here, I guess. People usually jump if they’ve had the same issue.

My last 24 hours looks to be about 33k. Admittedly, it’s been a relatively quiet day here. I’ve never heard of DNS queries of any type being rate limited.

@anb seems to have some experience with DNSCrypt and is a DNS wiz here.

1 Like

Thanks for pinging me @sdayman, I missed this thread as it doesn’t have the tag.

Hi @judahrichardson, I feel sorry to hear that this issue has been around for so long. Please let me try to help you.

Can you try this stamp: sdns://AgcAAAAAAAAABzEuMC4wLjEAEmNsb3VkZmxhcmUtZG5zLmNvbQovZG5zLXF1ZXJ5 to see if the issue persist? It changes the host from to Also can you PM me your external IP(you can have it masked with /24), I’ll check for any potential ratelimiting just in case.

Edit: since PM may not work, you can shot a msg to [email protected] instead, I’ll catch it.


Most Community users don’t have PM access unless you PM them first. Other staff sometimes post their @cloudflare email address.


Didn’t realize that was necessary, but I applied the tag now. Sorry about that.

Unfortunately I’d already # apt purged both cloudflared and dnscrypt-proxy from my server by the time of my 2nd comment. I emailed as requested.

I’m going to link to this thread at the other discussion locations so people who are still experiencing problems can try your suggestion.

@sdayman Thanks for bringing this to the staff’s attention.

1 Like

I will be doing a test of one DNS uncached query per second over the course of 24 hours, as found here. I will then edit my current configuration with the new stamp you provided, then repeat the test. I’ll report back in roughly 2 days with my results. Thank you for your support!

Edit, here’s my current DNSCrypt-proxy configuration:

listen_addresses = ['']
server_names = ['cloudflare']

ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
doh_servers = true
odoh_servers = false

require_dnssec = true
require_nolog = true
require_nofilter = true

  file = '/var/log/dnscrypt-proxy/query.log'
  format = 'tsv'

  file = '/var/log/dnscrypt-proxy/nx.log'
  format = 'tsv'

  url = ''
  cache_file = '/var/cache/dnscrypt-proxy/'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 24
  prefix = ''

I think your issue has been solved. One of our attack mitigation system is not quite intelligent yet, which ratelimits a block of IPs that including yours. I’m really sorry about this.


@anb Thanks for the fix! I’ll be sticking with unbound for now as this is the 2nd major issue I’ve had in as many years and each one has been a PITA to resolve. If unbound fails me at an equal or higher rate I’ll be back. Again, much appreciate the quick action.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.