USG-Pro4 and Cloudflare DNSSEC, incl. dnscrypt-proxy

Every one of my hosts ends with a 522 error when the Cloudflare DNS record is proxied.
When the hosts use a DNS-only (Cloudflare DNS) setup, everything runs as expected.

This is my basic setup:
My registrar (different from Cloudflare)
Wildcard cert
Unifi USG-Pro4 Gateway, latest available firmware
NAS host with 20+ containers behind Nginx RP manager

Details of the setup

Registrar’s side:

  1. DNS nameservers pointed to harlan.ns.cloudflare.com and paityn.ns.cloudflare.com / defined in my registrar
  2. DNSSEC record defined, based on the Cloudflare DS record for my domain
  3. Sync of keys is Done, successfully

Cloudflare DNS setup:
4. Proxied for all domain/subdomain records
5. DNSSEC enabled

Cloudflare SSL setup: Full (strict)
6. Edge certificate: my domain, status ACTIVE
7. Always Use HTTPS
8. HSTS enabled, subcategories: everything is enabled, except Preload, Max age of header is 6M
9. Opportunistic Encryption, Enabled
10. TLS 1.3 Enabled
11. Automatic HTTPS Rewrites
12. Disable Universal SSL, not disabled

Cloudflare Firewall setup:
13. Empty Activity log

My Gateway side:
14. DNS defined for 1.1.1.1 and 1.0.0.1
15. Primary LAN, DHCP fixed client IPsec
16. Services/DHCP … Register client hostname from DHCP requests in USG DNS forwarder ENABLED

My Gateway/Firewall side:
17. WAN IN Rule:

Accept, TCP/UDP, Don’t match on IPsec packets, Source: IPv4 Address Group for Cloudflare. Based on Cloudflare list: https://www.cloudflare.com/ips/

18. WAN OUT Rule:

Accept, TCP/UDP, Don’t match on IPsec packets, Destination: IPv4 Address Group for Cloudflare. Based on Cloudflare list

19. Receive/Send redirects ENABLED,

I also have 'dnscrypt-proxy' running successfully in my USG-Pro4
My dnscrypt-proxy:
20. Status: running,
Now listening to MY-GTW-IP:6878 [TCP] & [UDP]
Now listening to 127.0.0.1:6878 [TCP] & [UDP]
[NOTICE] Server with the lowest initial latency: cloudflare (rtt: 9ms)
[NOTICE] dnscrypt-proxy is ready - live servers: 1
[cloudflare] OK (DoH) - rtt: 9ms

My Host:

  • NAS with Nginx RP Manager
  • Redirection to the RP and the final host is working only when Cloudflare is switched to DNS only (not proxied).
  • Also defined a range of custom trusted proxies for the host, based on the same IPv4 and IPv6 ranges from the Cloudflare IP list

Test:
curl -ivL https://fqdn

* About to connect() to fqdn port 443 (#0)
* Trying 172.x.x.x...
* connected
* Connected to bw.doitbetter.digital (172.x.x.x) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-ECDSA-AES128-GCM-SHA256
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
* start date: 2021-11-11 00:00:00 GMT
* expire date: 2022-11-10 23:59:59 GMT
* subjectAltName: FQDN matched
* issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
* SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.26.0
> Host: FQDN
> Accept: */*
>
* additional stuff not fine transfer.c:1037: 0 0

What was wrong with my USG - Host setup?

Thx for your advice.
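As an added check that is not part of the original post: a 522 from Cloudflare means the edge could not open a TCP connection to the origin, and the WAN IN rule above admits traffic only from a hand-maintained "IPv4 Address Group for Cloudflare", so it is worth confirming that the group still covers every published Cloudflare range and that a logged source address really is a Cloudflare edge. The script below is my example (not Cloudflare's or Ubiquiti's tooling); the range list is a constructed snapshot that must be compared with https://www.cloudflare.com/ips/, and the sample address group is constructed to omit one range so the report has something to show.

```python
"""Verify a gateway allowlist against Cloudflare's published IP ranges.

Added example, not part of the original post. The range lists below are a
constructed snapshot (assumption); compare them with the live list at
https://www.cloudflare.com/ips/ before relying on them.
"""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed snapshot of the published ranges (assumption: verify against the live page).
CLOUDFLARE_RANGES = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32",
]

# Constructed stand-in for the USG "IPv4 Address Group for Cloudflare":
# it deliberately omits 172.64.0.0/13 so the coverage report shows a gap.
SAMPLE_ADDRESS_GROUP = [r for r in CLOUDFLARE_RANGES if r != "172.64.0.0/13"]


def _nets(values: Iterable[str]) -> List[Network]:
    # strict=False tolerates host bits set in hand-typed entries such as 172.64.1.0/13
    return [ipaddress.ip_network(v, strict=False) for v in values]


def uncovered_ranges(required: Iterable[str], allowlist: Iterable[str]) -> List[str]:
    """Return the parts of `required` that no entry in `allowlist` covers.

    Two CIDR blocks are either nested or disjoint, so each required block is
    carved down with address_exclude() for every allow entry nested inside it.
    """
    allowed = _nets(allowlist)
    missing: List[str] = []
    for net in _nets(required):
        remaining: List[Network] = [net]
        for entry in allowed:
            if entry.version != net.version:
                continue
            carved: List[Network] = []
            for piece in remaining:
                if piece.subnet_of(entry):
                    continue                                      # fully covered
                if entry.subnet_of(piece):
                    carved.extend(piece.address_exclude(entry))   # partially covered
                else:
                    carved.append(piece)                          # disjoint, untouched
            remaining = carved
        missing.extend(str(piece) for piece in remaining)
    return missing


def is_cloudflare_address(ip: str, ranges: Iterable[str] = CLOUDFLARE_RANGES) -> bool:
    """True when `ip` (e.g. the source of a WAN IN log line) lies in one of `ranges`."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in _nets(ranges))


if __name__ == "__main__":
    gaps = uncovered_ranges(CLOUDFLARE_RANGES, SAMPLE_ADDRESS_GROUP)
    if gaps:
        print("WAN IN address group does not cover:", ", ".join(gaps))
    else:
        print("WAN IN address group covers every Cloudflare range")
    # Constructed source address as it might appear in a gateway log
    print("172.64.1.1 is a Cloudflare edge:", is_cloudflare_address("172.64.1.1"))
```

Run it after every edit of the address group, or feed it the live list; an empty result from `uncovered_ranges` means the rule admits every edge address, and a non-empty one names exactly the block (or the leftover part of a block) that the firewall would drop, which is the kind of silent gap that surfaces as an intermittent 522 once a request happens to arrive from that range.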
