DoH service does not resolve 78977.duckdns.org - not always


#1

DoH using Dnscrypt-Proxy often does not resolve 78977.duckdns.org. It is immediately fixed when I resolve it using dig 78977.duckdns.org @1.1.1.1. Then DoH works for some time. No issues with other DNS, e.g. Quad9.


#2

dig 78977.duckdns.org

; <<>> DiG 9.10.6 <<>> 78977.duckdns.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45125
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1536
;; QUESTION SECTION:
;78977.duckdns.org. IN A

;; Query time: 718 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 02 11:37:23 BST 2018
;; MSG SIZE rcvd: 46

Now when I try dig 78977.duckdns.org @9.9.9.9
it resolves it correctly:

; <<>> DiG 9.10.6 <<>> 78977.duckdns.org @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13217
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;78977.duckdns.org. IN A

;; ANSWER SECTION:
78977.duckdns.org. 60 IN A 81.109.233.126

;; Query time: 303 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Wed May 02 11:37:21 BST 2018
;; MSG SIZE rcvd: 62

Now what is the most interesting is that as soon as I resolve it using 1.1.1.1 - dig 78977.duckdns.org @1.1.1.1
; <<>> DiG 9.10.6 <<>> 78977.duckdns.org @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25913
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1536
;; QUESTION SECTION:
;78977.duckdns.org. IN A

;; ANSWER SECTION:
78977.duckdns.org. 60 IN A 81.109.233.126

;; Query time: 182 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed May 02 11:37:27 BST 2018
;; MSG SIZE rcvd: 62

and try DoH it works!

dig 78977.duckdns.org

; <<>> DiG 9.10.6 <<>> 78977.duckdns.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13464
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x003b, udp: 1536
;; QUESTION SECTION:
;78977.duckdns.org. IN A

;; ANSWER SECTION:
78977.duckdns.org. 59 IN A 81.109.233.126

;; Query time: 29 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 02 11:37:29 BST 2018
;; MSG SIZE rcvd: 79

It will stop again shortly after - I can't see any pattern or timing. But every time DoH does not work and I resolve it using standard DNS 1.1.1.1 - it works immediately after.

I have the same issues with other domain names registered with duckdns.org. But only when using DoH. No issues with other domains.


#3

It doesn’t seem to depend on the transport protocol. duckdns.org appears to be quite unreliable:

dig 68977.duckdns.org @1.1.1.1

; <<>> DiG 9.10.6 <<>> 68977.duckdns.org @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35515
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

This is a different host name, which probably wasn’t cached.

Retrying right after returns a non-SERVFAIL response.


#4

dig 78977.duckdns.org @1.1.1.1 always works for me. The same with other DNS, e.g. @9.9.9.9. Now I decided to change the cloudflare parameter in dnscrypt and point it directly to 1.1.1.1.

For the last few hours I have been using

[static.'cloudflare1']
stamp = 'sdns://AgcAAAAAAAAABzEuMS4xLjGgENk8mGSlIfMGXMOlIlCcKvq7AVgcrZxtjon911-ep0cg63Ul-I8NlFj4GplQGb_TTLiczclX57DvMV8Q-JdjgRgHMS4xLjEuMQovZG5zLXF1ZXJ5'

And it works so far without any issue - not like the default sdns for cloudflare.

Might be something with how the duckdns.org guys set up their DNS - but then it should show with ‘normal’ DNS (1.1.1.1, 9.9.9.9 etc) as well. I don’t have enough information to speculate.
I’ve been using dnscrypt with cloudflare DoH for some time now and I am extremely happy - just this domain gives me a headache. Me and friends are using a few services we configured with duckdns.org, hence I need it working.


#5

After a few hours the errors returned. So no difference with the new sdns - it was temporary.

It is very confusing how it works (or rather does not). No very clear pattern.


#6

FYI

I did another test. Reverted the dnscrypt settings to default and changed the config to make it work with cloudflare only.
I ran it for about 1h, and every 61 sec (to make sure that the TTL expires) ran dig 78977.duckdns.org.
Roughly 50% of queries returned no results - with the usual “Upstream server may be experiencing connectivity issues” reported by dnscrypt.

Then I repeated this test but this time running DoH client from cloudflare - default configuration - cloudflared
config.yaml:
proxy-dns: true
proxy-dns-upstream:

This time 100% of queries were answered.
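
The measurement described in post #6, as an added example that is not part of the thread: it parses dig output for the response code and answers, and reports the share of probes that failed. The function names, the probe count of 60 and the 30 s subprocess timeout are assumptions; the 61 s interval and the sample output come from the posts above.

```python
import re
import subprocess
import time

STATUS_RE = re.compile(r"status: ([A-Z]+)")
SERVER_RE = re.compile(r"^;; SERVER: ([^#\s]+)", re.M)
ANSWER_RE = re.compile(r"^([^;\s]\S*)[ \t]+(\d+)[ \t]+IN[ \t]+A[ \t]+(\S+)", re.M)

# Trimmed from the dig output quoted in post #2 (failing and working local query).
SAMPLE_SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45125
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""
SAMPLE_NOERROR = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13464
;78977.duckdns.org. IN A
78977.duckdns.org. 59 IN A 81.109.233.126
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

def parse_dig(text):
    """Extract rcode, answering server and (ttl, address) pairs from one dig run."""
    status = STATUS_RE.search(text)
    server = SERVER_RE.search(text)
    return {
        "status": status.group(1) if status else "NO_RESPONSE",  # e.g. dig timed out
        "server": server.group(1) if server else None,
        "answers": [(int(ttl), addr) for _, ttl, addr in ANSWER_RE.findall(text)],
    }

def failure_rate(results):
    """Fraction of probes that did not return NOERROR with at least one A record."""
    failed = [r for r in results if r["status"] != "NOERROR" or not r["answers"]]
    return len(failed) / len(results) if results else 0.0

def probe(name, server="127.0.0.1", count=60, interval=61):
    """Run dig every `interval` seconds; 61 s outlasts the record's 60 s TTL."""
    results = []
    for i in range(count):
        try:
            out = subprocess.run(["dig", name, "@" + server], capture_output=True,
                                 text=True, timeout=30).stdout
        except subprocess.TimeoutExpired:
            out = ""  # counted as NO_RESPONSE by parse_dig
        results.append(parse_dig(out))
        if i < count - 1:
            time.sleep(interval)
    return results

if __name__ == "__main__":
    print(failure_rate([parse_dig(SAMPLE_SERVFAIL), parse_dig(SAMPLE_NOERROR)]))
```

Running `probe()` once against the local proxy and once against a public resolver gives comparable failure rates for the same name over the same period; it needs `dig` installed and network access.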

