dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols.

dnscrypt-proxy 2


Overview

A flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2, DNS-over-HTTPS and Anonymized DNSCrypt.

Download the latest release

Available as source code and pre-built binaries for most operating systems and architectures (see below).

Features

  • DNS traffic encryption and authentication. Supports DNS-over-HTTPS (DoH) using TLS 1.3, DNSCrypt and Anonymized DNS
  • Client IP addresses can be hidden using Tor, SOCKS proxies or Anonymized DNS relays
  • DNS query monitoring, with separate log files for regular and suspicious queries
  • Filtering: block ads, malware, and other unwanted content. Compatible with all DNS services
  • Time-based filtering, with a flexible weekly schedule
  • Transparent redirection of specific domains to specific resolvers
  • DNS caching, to reduce latency and improve privacy
  • Local IPv6 blocking to reduce latency on IPv4-only networks
  • Load balancing: pick a set of resolvers, dnscrypt-proxy will automatically measure and keep track of their speed, and balance the traffic across the fastest available ones.
  • Cloaking: like a HOSTS file on steroids: it can return preconfigured addresses for specific names, or resolve and return the IP address of other names. This can be used for local development as well as to enforce safe search results on Google, Yahoo, DuckDuckGo and Bing
  • Automatic background updates of resolvers lists
  • Can force outgoing connections to use TCP
  • Compatible with DNSSEC
  • Includes a local DoH server in order to support ECHO (ESNI)

Pre-built binaries

Up-to-date, pre-built binaries are available for:

  • Android/arm
  • Android/arm64
  • Android/x86
  • Android/x86_64
  • Dragonfly BSD
  • FreeBSD/arm
  • FreeBSD/x86
  • FreeBSD/x86_64
  • Linux/arm
  • Linux/arm64
  • Linux/mips
  • Linux/mipsle
  • Linux/mips64
  • Linux/mips64le
  • Linux/x86
  • Linux/x86_64
  • MacOS X
  • NetBSD/x86
  • NetBSD/x86_64
  • OpenBSD/x86
  • OpenBSD/x86_64
  • Windows
  • Windows 64 bit

How to use these files, as well as how to verify their signatures, is documented in the installation instructions.

Contributors

Code Contributors

This project exists thanks to all the people who contribute. [Contribute].

Financial Contributors

Become a financial contributor and help us sustain our community. [Contribute]

Individuals

Organizations

Support this project with your organization. Your logo will show up here with a link to your website. [Contribute]

Comments
  • [Thread] Running dnscrypt-proxy on Android


    Current status:

    • The proxy compiles without any changes using gomobile
    • It also compiles and runs fine on Termux

    This is fantastic, but not enough for most Android users to easily install and use it.

    Since my knowledge of Android is fairly limited, help would be welcome!

  • [Thread] dnscrypt-proxy on iOS


    DNSCloak takes advantage of the DNS proxy provider system introduced in iOS 11 to bring the DNSCrypt protocol to Apple devices. Devices don't have to be jailbroken to install this software.

    This is great, but it apparently uses code from dnscrypt-proxy v1, it is not opensource and lacks interesting features such as logging and filtering.

    A similar, opensource application for iOS would be terrific!

  • [BAD BEHAVIOR] Can't reach domains names anymore


    Subject

    • [x] Other

    Description

    After a brutal shutdown of the multiplug where my Raspberry Pi was, and a restart, I can't reach domains anymore with any DNSCrypt server (tried with scalewayfr, google and cloudflare):

    Ex:

    pi@Raspberry:~ $ sudo /opt/dnscrypt-proxy/dnscrypt-proxy -resolve github.com
    Resolving [github.com]
    
    Domain exists: probably not, or blocked by the proxy
    Canonical name: -
    IP addresses: -
    TXT records: -

    This is my pi hole DNS configuration :

    Annotation 2020-02-20 191924

    This is my DNS parameter in dnscrypt-proxy.toml :

    Annotation 2020-02-20 193505

    All of this is setup on the same local network. And pi hole is listening on all interfaces.

    Please, can you help me fix this ASAP and give me indications so that this does not happen again? Best regards

    EDIT: This is the guide I've followed for my setup: https://www.derekseaman.com/2019/09/how-to-pi-hole-plus-dnscrypt-setup-on-raspberry-pi-4.html

  • systemd UDP socket missing in version 2.0.15


    I upgraded from 2.0.14 to 2.0.15 on my Raspberry Pi. According to syslog, everything is running OK, but DNS requests do not get forwarded anymore: if I do a nslookup, the request gets a timeout. Reverting back to 2.0.14 makes everything work normally again.

    I do not know which debug info you need, please let me know how to support.

  • [ANNOUNCE] Anonymized DNS is here!


    Anonymized DNS is here!

    DNS encryption was a huge step towards making DNS more secure, preventing intermediaries from recording and tampering with DNS traffic.

    However, one still has to trust non-logging DNS servers to actually do what they claim to do. They obviously see the decrypted traffic, but also client IP addresses.

    In order to prevent this, using DNS over Tor or over proxies (HTTP, SOCKS) has become quite common. However, this is slow and unreliable as these mechanisms were not designed to relay DNS traffic.

    A new step towards making DNS more secure has been made. Today, I am thrilled to announce the general availability of Anonymized DNSCrypt, a protocol that prevents servers from learning anything about client IP addresses.

    How does it work?

    Instead of directly reaching a server, an Anonymized DNS client encrypts the query for the final server, but sends it to a relay.

    The relay doesn't know the secret key, and cannot learn anything about the content of the query. It can only blindly forward the query to the actual DNS server, the only server that can decrypt it.

    The DNS server itself receives a connection from the relay, not from the actual client. So the only IP address it knows about is the one of the relay, making it impossible to map queries to clients.

    Anonymized DNSCrypt

    Anonymized DNS can be implemented on top of all existing encrypted protocols, but DNSCrypt is by far the simplest and most efficient instantiation.

    It only adds a header with a constant sequence followed by routing information (server IP+port) to unmodified DNSCrypt queries. Implementing it on top of an existing DNSCrypt implementation is trivial.

    The overhead is minimal. Unlike DoH where headers may still reveal a lot of information about the client's identity, Anonymized DNSCrypt, by design, doesn't allow passing any information at all besides the strict minimum required for routing.

    For relay operators, Anonymized DNSCrypt is less of a commitment than running a Tor node. Queries can only be relayed over UDP, they need to match a very strict format, amplification is impossible, and loops are prevented. Relays can essentially be only used for encrypted DNS traffic.

    Available in dnscrypt-proxy now!

    A first beta version of dnscrypt-proxy 2.0.29 is available now, and adds support for anonymized DNSCrypt.

    The way it can currently be configured is through a new [anonymized_dns] section in the configuration file.

    For each resolver, one or more relays can be defined. These relays can be provided as stamps, IP:port pairs, hostname:port pairs, or server names.

    You can check that Anonymized DNS is being used by looking at the log messages when proxy starts.

    Available in encrypted-dns-server now!

    Server-side, Anonymized DNS can now be enabled in Encrypted DNS Server.

    This is as simple as changing enabled = false to enabled = true in the dedicated section. It is also possible to restrict the range of upstream ports allowed to connect to, and blacklist IP addresses.

    New Prometheus metrics related to relayed queries have been added.

    A DoH server, a DNSCrypt server, and a DNSCrypt relay can all run simultaneously on the same IP and port.

    Available in the server docker image now!

    The DNSCrypt server Docker image has been updated, and supports Anonymized DNSCrypt relaying.

    This is disabled by default. In order to enable it, add -A to the init command when creating a container.

    Test server available now!

    Hopefully more Anonymized DNS servers will be available over time, but for now, you can use the one with stamp sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM for testing.

    New DNS Stamp type introduced

    A new DNS stamp type has been introduced: DNSCryptRelay (identifier 0x81). It only encodes IPs and ports of relays.

    The online DNS Stamp calculator has been updated to support the new stamp, as well as the Go and Rust libraries.
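    The wire format described in this announcement (a constant marker followed by the target server's IP and port, prepended to an otherwise unmodified DNSCrypt query) is small enough to show end to end. The following Go code is an added example written for this page, not the project's own code: it builds a relayed query on the client side and, on the relay side, validates the strict format, refuses to relay a packet whose payload is itself a relayed packet (the loop prevention mentioned above), and applies the operator's upstream port range and address blacklist. The 10-byte marker value, the 16-byte IPv6/IPv4-mapped address plus 2-byte big-endian port layout, and the 256-byte minimum query size are assumptions stated in the comments; `RelayPolicy`, `BuildRelayedQuery` and `ParseRelayedQuery` are names chosen here. The relay never inspects the encapsulated query because it cannot: it does not hold the key.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

// relayMagic marks a relayed Anonymized DNSCrypt query. Its value and the
// 16-byte address + 2-byte port that follow are assumed here to match the
// project's published wire format; the DNSCrypt query itself follows unchanged.
var relayMagic = []byte{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00}

const (
	relayMagicLen  = 10
	relayHeaderLen = relayMagicLen + 16 + 2
	// Assumption: a DNSCrypt query is padded to at least 256 bytes, so anything
	// shorter after the header cannot be a valid encapsulated query.
	minEncapsulatedLen = 256
)

var (
	ErrNotRelayed = errors.New("not an anonymized dnscrypt relay packet")
	ErrLoop       = errors.New("payload is itself a relayed packet (loop refused)")
	ErrPort       = errors.New("upstream port outside the allowed range")
	ErrBlocked    = errors.New("upstream address is blacklisted")
)

// RelayPolicy holds the relay operator's rules (names assumed here): the
// allowed upstream port range and blacklisted upstream networks.
type RelayPolicy struct {
	MinPort, MaxPort uint16
	Blocked          []netip.Prefix
}

// BuildRelayedQuery is the client side: prepend the marker and the routing
// information (server address as 16 bytes, IPv4 mapped into IPv6, then the
// port in big-endian) to an already-encrypted DNSCrypt query.
func BuildRelayedQuery(server netip.AddrPort, encryptedQuery []byte) []byte {
	out := make([]byte, 0, relayHeaderLen+len(encryptedQuery))
	out = append(out, relayMagic...)
	addr := server.Addr().As16() // As16 yields the IPv4-mapped form for IPv4
	out = append(out, addr[:]...)
	port := server.Port()
	out = append(out, byte(port>>8), byte(port))
	return append(out, encryptedQuery...)
}

// ParseRelayedQuery is the relay side: check the strict format, refuse loops,
// apply the policy, and return the upstream target plus the opaque query to
// forward over UDP.
func ParseRelayedQuery(pkt []byte, pol RelayPolicy) (netip.AddrPort, []byte, error) {
	var none netip.AddrPort
	if len(pkt) < relayHeaderLen+minEncapsulatedLen || !bytes.Equal(pkt[:relayMagicLen], relayMagic) {
		return none, nil, ErrNotRelayed
	}
	var raw [16]byte
	copy(raw[:], pkt[relayMagicLen:relayMagicLen+16])
	addr := netip.AddrFrom16(raw).Unmap() // back to plain IPv4 where applicable
	port := binary.BigEndian.Uint16(pkt[relayMagicLen+16 : relayHeaderLen])
	payload := pkt[relayHeaderLen:]
	if bytes.HasPrefix(payload, relayMagic) {
		return none, nil, ErrLoop // a relay must not forward to another relay
	}
	if port < pol.MinPort || port > pol.MaxPort {
		return none, nil, ErrPort
	}
	for _, p := range pol.Blocked {
		if p.Contains(addr) {
			return none, nil, ErrBlocked
		}
	}
	return netip.AddrPortFrom(addr, port), payload, nil
}

func main() {
	pol := RelayPolicy{MinPort: 443, MaxPort: 443,
		Blocked: []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")}}
	// Constructed stand-in for an encrypted DNSCrypt query (opaque to the relay).
	query := bytes.Repeat([]byte{0xAB}, 256)
	pkt := BuildRelayedQuery(netip.MustParseAddrPort("192.0.2.10:443"), query)
	dst, payload, err := ParseRelayedQuery(pkt, pol)
	fmt.Println("forward", len(payload), "bytes to", dst, "err:", err)
	// Wrapping a relayed packet in a second relay header must be refused.
	_, _, err = ParseRelayedQuery(BuildRelayedQuery(netip.MustParseAddrPort("192.0.2.11:443"), pkt), pol)
	fmt.Println("nested relay header:", err)
}
```

    Because the policy is checked before any packet is sent upstream, a malformed or looping packet costs the relay nothing but a parse, which is what makes the "queries need to match a very strict format" property cheap to enforce.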

  • dnscrypt-proxy v2.0.10 crash on Alpine linux v3.7.0 x86


    Hello:

    Thank you for your work.

    Here is the core dump from dnscrypt-proxy v2.0.10 under Alpine linux v3.7.0-(grsecurity hardened), x86.

    [2018-04-25 15:00:11] [NOTICE] dnscrypt-proxy is ready - live servers: 32
    unexpected fault address 0x34846000
    fatal error: fault
    [signal SIGSEGV: segmentation violation code=0x2 addr=0x34846000 pc=0x16c985c2]
    
    goroutine 64 [running]:
    runtime.throw(0x16ec4ea1, 0x5)
    	/usr/lib/go/src/runtime/panic.go:616 +0x77 fp=0x34405c10 sp=0x34405c04 pc=0x16b50ef7
    runtime.sigpanic()
    	/usr/lib/go/src/runtime/signal_unix.go:395 +0x1e4 fp=0x34405c34 sp=0x34405c10 pc=0x16b668c4
    github.com/aead/chacha20/chacha.xorKeyStreamSSE2(0x34405d34, 0x40, 0x40, 0x34405d34, 0x40, 0x40, 0x34388040, 0x34388000, 0x14, 0x16c97555)
    	/home/buildozer/aports/community/dnscrypt-proxy/src/dnscrypt-proxy-2.0.10/src/github.com/aead/chacha20/chacha/chacha_386.s:157 +0x162 fp=0x34405c38 sp=0x34405c34 pc=0x16c985c2
    github.com/aead/chacha20/chacha.xorKeyStream(0x34405d34, 0x40, 0x40, 0x34405d34, 0x40, 0x40, 0x34388040, 0x34388000, 0x14, 0x20)
    	/home/buildozer/aports/community/dnscrypt-proxy/src/dnscrypt-proxy-2.0.10/src/github.com/aead/chacha20/chacha/chacha_386.go:65 +0x8e fp=0x34405c64 sp=0x34405c38 pc=0x16c975de
    github.com/aead/chacha20/chacha.(*Cipher).XORKeyStream(0x34388000, 0x34405d34, 0x40, 0x40, 0x34405d34, 0x40, 0x40)
    	/home/buildozer/aports/community/dnscrypt-proxy/src/dnscrypt-proxy-2.0.10/src/github.com/aead/chacha20/chacha/chacha.go:165 +0x1b3 fp=0x34405ca0 sp=0x34405c64 pc=0x16c97233
    runtime: unexpected return pc for github.com/jedisct1/xsecretbox.Seal called from 0x8f1f4b36
    stack: frame={sp:0x34405ca0, fp:0x34405d90} stack=[0x34405000,0x34406000)
    34405c20:  34846000  34247ce0  16b7a981 <runtime.morestack+65>  16b666e5 <runtime.sigpanic+5> 
    34405c30:  16c985c2 <github.com/aead/chacha20/chacha.xorKeyStreamSSE2+354>  16c975de <github.com/aead/chacha20/chacha.xorKeyStream+142>  34405d34  00000040 
    34405c40:  00000040  34405d34  00000040  00000040 
    34405c50:  34388040  34388000  00000014  16c97555 <github.com/aead/chacha20/chacha.xorKeyStream+5> 
    34405c60:  16c97233 <github.com/aead/chacha20/chacha.(*Cipher).XORKeyStream+435>  34405d34  00000040  00000040 
    34405c70:  34405d34  00000040  00000040  34388040 
    34405c80:  34388000  00000014  00000020  00000020 
    34405c90:  00000000  00000000  16c97085 <github.com/aead/chacha20/chacha.(*Cipher).XORKeyStream+5>  16ca06e8 <github.com/jedisct1/xsecretbox.Seal+216> 
    34405ca0: <34388000  34405d34  00000040  00000040 
    34405cb0:  34405d34  00000040  00000040  34388000 
    34405cc0:  00000000  00000000  16b77b60 <runtime.(*mcache).nextFree.func1+0>  24006000 
    34405cd0:  16b3deb5 <runtime.gcTrigger.test+5>  16b35d64 <runtime.mallocgc+948>  00000001  00000000 
    34405ce0:  00000000  00000000  00000000  01014304 
    34405cf0:  00000000  00000500  00000002  3459e000 
    34405d00:  172235e0  00000000  00004000  34277680 
    34405d10:  24006000  00000000  00000060  342608f0 
    34405d20:  343723c0  16b7cc11 <runtime.memclrNoHeapPointers+65>  16b67cf7 <runtime.growslice+519>  3459e281 
    34405d30:  0000027f  799b09b3  476476e4  ad4a01ac 
    34405d40:  a3add054  94aee6ed  85cd259d  949fb27a 
    34405d50:  b3a691f3  6dc28ba2  982bd4a0  ad57b292 
    34405d60:  767d8824  63c5ec33  e796424c  04ea8fe5 
    34405d70:  4f76766f  d6e51325  255a730e  fb3dd7d5 
    34405d80:  f6612be9  f82eaff2  ed85cf31 !8f1f4b36 
    34405d90: >e035f845  d0ec3743  669815bf  33bcad34 
    34405da0:  8cf9ac4a  e82a4ccf  0313d34d  2b227014 
    34405db0:  8b668a36  68e7beaf  b8797db0  e9a064f5 
    34405dc0:  d51853e4  1a2d2a22  78155d31  06ae1b93 
    34405dd0:  792b1791  352f22d7  e64a17e7  75076b81 
    34405de0:  1a666551  722ff12f  8cc86c83  1699194a 
    34405df0:  a213dca6  16fe22aa  6c8f8ad2  dd88f8b2 
    34405e00:  fffe84bd  72d8df77  e99459f9  13b0478a 
    github.com/jedisct1/xsecretbox.Seal(0xe035f845, 0xd0ec3743, 0x669815bf, 0x33bcad34, 0x8cf9ac4a, 0xe82a4ccf, 0x313d34d, 0x2b227014, 0x8b668a36, 0x68e7beaf, ...)
    	/home/buildozer/aports/community/dnscrypt-proxy/src/dnscrypt-proxy-2.0.10/src/github.com/jedisct1/xsecretbox/xsecretbox.go:31 +0xd8 fp=0x34405d90 sp=0x34405ca0 pc=0x16ca06e8
    created by main.(*Proxy).udpListener
    	/home/buildozer/aports/community/dnscrypt-proxy/src/dnscrypt-proxy-2.0.10/dnscrypt-proxy/proxy.go:141 +0x88
    

    thank you

    west suhanic

  • Failure to connect to Internet after upgrading to version 2.0.44 on Fedora 32 !!


    Hi. I have been using dnscrypt-proxy on my Fedora for a long time without problems since you informed me how to configure it correctly - see my previous post & its date below: https://github.com/DNSCrypt/dnscrypt-proxy/issues/856

    But today I received an update for dnscrypt-proxy from my official Fedora 32 repositories .... I updated dnscrypt-proxy to version 2.0.44. Just after rebooting my PC, I became unable to connect to the Internet at all !! I did not change anything, I did not change my ISP, all other devices that do not use dnscrypt-proxy are working very well without any problem !

    It seems that this update is the cause of the problem !

    Please, your kind help !

    When does this occur?

    Just after updating dnscrypt-proxy to version 2.0.44-5.fc32 X86_64

    Expected behavior (i.e. solution)

    The Internet connection should not be affected & should be possible after updating & rebooting the PC.

    Other comment

    1. I did not open a ticket on RedHat Bugzilla, waiting for your response first .....
    2. I'm currently reaching the Internet from my PC through another WiFi access point that I connected to - after the bug - using the default (non-dnscrypt-proxy) settings.
  • How to setup your own DNSCrypt server in 10 minutes


    Just wrote some from-scratch instructions to setup your own DNSCrypt server in less than 10 minutes:

    https://github.com/jedisct1/dnscrypt-proxy/wiki/How-to-setup-your-own-DNSCrypt-server-in-less-than-10-minutes

    There are other ways to do it, for example using dnsdist or unbound's built-in dnscrypt support. But this is how I've been running my server for years, and it doesn't require any maintenance.

  • 2.0.9 beta 2 available for testing


    New in beta 2:

    • Patterns can now be prefixed with = to do exact matching: =example.com matches example.com but will not match www.example.com.
    • Patterns are now fully supported by the cloaking module.
    • A new option was added to use a specific cipher suite instead of the server's provided one. Using RSA+ChaChaPoly over ECDSA+AES-GCM has been shown to decrease CPU usage and latency when connecting to Cloudflare, especially on MIPS and ARM systems.
    • The ephemeral keys mode of dnscrypt-proxy v1.x was reimplemented: this creates a new unique key for every single query.

    In beta 1:

    • Whitelists have been implemented: once a name matches a pattern in the whitelist, rules from the name-based and IP-based blacklists will be bypassed. Whitelists support the same patterns as blacklists, as well as time-based rules, so that some websites can be normally blocked but accessible on specific days or times of the day.
    • Lists are now faster to load, and large lists require significantly less memory than before.
    • New options have been added to disable TLS session tickets as well as use a specific cipher suite. See the example configuration file for a recommended configuration to speed up DoH servers on ARM such as Android devices and Raspberry Pi.
    • The -service install command now remembers what the current directory was when the service was installed, in order to later load configuration files with relative paths.
    • DoH: The "Cache-Control: max-age" header is now ignored.
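    The two matching rules these notes describe (a `=` prefix demands an exact match, a plain pattern also matches subdomains) and the whitelist-bypasses-blacklist ordering from beta 1 are easy to get subtly wrong, e.g. matching `notexample.com` against `example.com`. The Go code below is an added illustration written for this page, not the project's own matcher: `MatchPattern`, `Filter`, `Decision` and `Check` are names chosen here, and time-based rules and IP-based blacklists are not covered.

```go
package main

import (
	"fmt"
	"strings"
)

// MatchPattern applies the two rules from the release notes: a leading "="
// demands an exact match, while a plain pattern matches the name itself and
// any subdomain of it. The suffix check is label-aligned so that
// "example.com" does not match "notexample.com". Comparison is
// case-insensitive and ignores a trailing dot.
func MatchPattern(pattern, name string) bool {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	pattern = strings.ToLower(strings.TrimSuffix(pattern, "."))
	if strings.HasPrefix(pattern, "=") {
		return name == pattern[1:]
	}
	return name == pattern || strings.HasSuffix(name, "."+pattern)
}

// Filter holds a name-based blacklist and a whitelist. The whitelist is
// consulted first, so a whitelisted name bypasses every blacklist rule.
type Filter struct {
	Blacklist []string
	Whitelist []string
}

// Decision records the outcome and the pattern that produced it, which is
// what an operator wants in a blocked-queries log when a rule misfires.
type Decision struct {
	Blocked bool
	Rule    string // "" when no pattern matched
}

// Check evaluates a queried name against the filter.
func (f Filter) Check(name string) Decision {
	for _, p := range f.Whitelist {
		if MatchPattern(p, name) {
			return Decision{Blocked: false, Rule: p}
		}
	}
	for _, p := range f.Blacklist {
		if MatchPattern(p, name) {
			return Decision{Blocked: true, Rule: p}
		}
	}
	return Decision{}
}

func main() {
	// Constructed lists: block example.com exactly, block ads.example.net and
	// everything under it, but let safe.ads.example.net through.
	f := Filter{
		Blacklist: []string{"=example.com", "ads.example.net"},
		Whitelist: []string{"safe.ads.example.net"},
	}
	for _, n := range []string{"example.com", "www.example.com", "tracker.ads.example.net", "safe.ads.example.net", "notexample.com"} {
		fmt.Printf("%-26s %+v\n", n, f.Check(n))
	}
}
```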
  • Alpine Package


    Howdy,

    Any plans to update / maintain the Alpine package? I currently see they are still on DNSCrypt-Proxy 1 [1] vs using 2. I've gotten DNSCrypt-Proxy 2 working on Alpine in RAM mode, and it's like a dream. With dropbear + DNSCrypt-Proxy 2 + netdata (stream mode) + chrony, the system only uses 45MB. The CPU also never pegs out, and I'm still on 2.0.8.

    # free -m
                 total       used       free     shared    buffers     cached
    Mem:           942        114        828         47          1         69
    -/+ buffers/cache:         43        899
    Swap:            0          0          0
    

    Thanks, Jason

    [1] https://github.com/alpinelinux/aports/tree/8b7e48dcaf6a2049edeffaa957db618e923b78ab/community/dnscrypt-proxy

  • [Android] dnscrypt-proxy doesn't work on Android 10


    ISSUE

    dnscrypt-proxy on Android doesn't work on new Android 10 (Q).

    dnscrypt-proxy can start and report a connection, but can't do the job. The behaviour looks like it is restricted at system level, or I don't know what...

    INFO

    Seems like some new changes in the Android DNS daemon stop dnscrypt-proxy from working.

    Let's have a look at the option:

    Settings -> Network & Internet -> Private DNS

    ( ) Off
    ( ) Automatic
    (•) Private DNS provider hostname : localhost
    

    Only names can be accepted here (not IPs). This option was designed for entering the names of alternative DNS servers that support DoT (DNS-over-TLS). There are almost no such servers on the Internet (let alone trusted ones). It is clear that when dnscrypt-proxy is used, nobody needs this nonsense. But exactly this thing (IMO) prevents dnscrypt-proxy from working.

    The values (•) Off or (•) Automatic do not make sense here at all, because the servers of the "not evil" corporation will be used, or the mobile operator's defaults.

    Since the OS uses a third-party DNS service (dnscrypt-proxy), in order to avoid interference and leaks, the obvious decision was to specify the value localhost there. The problem was quickly solved and forgotten before Android 10.

    Now this trick doesn't work. From what I can tell, in Android 9 this option was experimental and optional, while the DNS daemon in Android 10 has become closely tied to this option and does not let dnscrypt-proxy run. I don't know the workaround for this yet.

    Moreover, I know for sure that the dnscrypt-proxy binary is in the ready state. The dnscrypt-proxy connection logs report readiness and finding the right encrypted servers according to my settings. But the "Private DNS" option in Android 10 does not allow dnscrypt-proxy to start working at system level as usual.

    Maybe I'm wrong about the reason for the issue... Any suggestions how this should be fixed?

  • Bump golang.org/x/crypto from 0.4.0 to 0.5.0


    Bumps golang.org/x/crypto from 0.4.0 to 0.5.0.

    Commits
    • 3d872d0 go.mod: update golang.org/x dependencies
    • bc7d1d1 bcrypt: reject passwords longer than 72 bytes
    • 7e3ac20 internal/wycheproof: also use Verify in TestECDSA
    • 23edec0 ssh: ensure that handshakeTransport goroutines have finished before Close ret...
    • f495dc3 acme: eliminate arbitrary timeouts in tests
    • See full diff in compare view


    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • Bump golang.org/x/net from 0.4.0 to 0.5.0


    Bumps golang.org/x/net from 0.4.0 to 0.5.0.

    Commits
    • 8e0e7d8 go.mod: update golang.org/x dependencies
    • 7805fdc http2: rewrite inbound flow control tracking
    • 2aa8215 nettest: use RoutedInterface for probing network stack capability
    • ad92d3d websocket: don't recommend Gorilla
    • e1ec361 http2: fix race in TestCanonicalHeaderCacheGrowth
    • See full diff in compare view


    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

  • Bump golang.org/x/sys from 0.3.0 to 0.4.0


    Bumps golang.org/x/sys from 0.3.0 to 0.4.0.

    Commits
    • b60007c unix: add Uvmexp and SysctlUvmexp for NetBSD
    • b751db5 unix: gofmt hurd files after CL 459895
    • b360406 unix: support TIOCGETA on GNU/Hurd
    • 3086868 unix: regen on OpenBSD 7.2
    • 2b11e6b unix: remove Mclpool from openbsd types
    • 7c6badc unix: convert openbsd/mips64 to direct libc calls
    • 3b1fc93 unix: avoid allocations for common uses of Readv, Writev, etc.
    • 2204b66 cpu: parse /proc/cpuinfo on linux/arm64 on old kernels when needed
    • 72f772c unix: offs2lohi should shift by bits, not bytes
    • cffae8e unix: add ClockGettime on *bsd and solaris
    • Additional commits viewable in compare view


    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

  • Documentation about installing on Android


    Here is my experience with 'dnscrypt-proxy' on Android (I use Replicant. Replicant has root and init.d support "out of the box").

    To start off, I have spent more than a week digging the web for information on how to do it. I have read many many discussions, questions and answers (including issues here). The official documentation didn't really help. In the very beginning it says:

    If you want to change the DNSCrypt resolver, unzip the downloaded archive, edit the RESOLVER_NAME variable in system/etc/init.d/99dnscrypt. Keep the content as a ZIP file, with the original structure.

    I have downloaded and unzipped every single release since 2.0.6 (the first one introducing Android binaries). There is no 99dnscrypt in any of them. Nor is there such a file in the source code in git. So, my next step was to search the web, read issues here and there, a lot of time and effort.

    What I found:

    • @quindecim's repo - it seems made for some software called Magisk. I don't want to install additional software which I don't need, give it permissions etc. I just want dnscrypt-proxy.
    • There are some solutions for creating a boot service using init.rc. This process seems to involve unpacking the boot image, editing init.rc, and repacking it. This is new to someone like me. I found several tools/versions which unpack and repack, but when testing unpacking and repacking with no modification whatsoever, the repacked image is always quite a bit smaller than the original. I decided not to risk bricking my phone, so I stopped exploring this route.
    • Researching further, I found this issue and from it - @uzen's repo. Unfortunately, it seems to include a binary with unknown source code in src/META-INF/com/google/android, so I won't run it. Instead of putting that blindly on my phone, I looked into the 99dnscrypt it includes and the two sub-scripts it calls. My impression: the author has spent quite some time on that. Shellcheck complains about so many problems though. Regardless of that, I decided to give these 3 scripts a try but unfortunately the result wasn't satisfactory. I couldn't get things to work as expected, so after many hours of digging into that obviously old shell script code, I decided to return to simplicity and start from scratch.
    • Then I found this. The init.d script used by the questioner is pretty much the same one which I tried myself initially. The difference is that I don't get the errors he gets - there are no such selinux messages in my logcat.

    The official documentation also suggests installing one of "four (paid) apps" to switch currently running DNS settings to DNSCrypt. That is another thing I don't want to do. Installing additional (especially non-free) software for the sake of improving security through a software like dnscrypt-proxy, thus increasing attack surface and so on, is a logical contradiction.

    So, in my search for a simple, clean, and working FOSS solution I used the same steps as in the Stackexchange question. In my dnscrypt-proxy.toml I enable blocked_names and put only one line in it for testing:

    *.fsf.org
    

    My findings:

    I notice that 'dnscrypt-proxy' is started twice on boot:

    $ adb shell logcat | grep dns
    12-29 19:25:23.100  1993  1993 I sysinit : Running /system/etc/init.d/99dnscrypt 
    12-29 19:25:23.290  2006  2006 I dnscrypt: Starting dnscrypt-proxy... 
    12-29 19:25:23.315  2010  2010 I dnscrypt: Changing dns with iptables... 
    12-29 19:27:38.500  3459  3459 I sysinit : Running /system/etc/init.d/99dnscrypt 
    12-29 19:27:38.550  3464  3464 I dnscrypt: Starting dnscrypt-proxy... 
    12-29 19:27:38.595  3467  3467 I dnscrypt: Changing dns with iptables...
    
    $ adb shell ps | grep dns
    root      2009  1     813640 6500  futex_wait 40103db0 S dnscrypt-proxy
    root      3466  1     808256 7628  futex_wait 4016fdb0 S dnscrypt-proxy
    

    The 'iptables' rules are not applied:

    root@i9300:/ # iptables -L | grep 53                                               
    1|root@i9300:/ # iptables -t nat -L | grep 53                                      
    1|root@i9300:/ # 
    

    I kill 'dnscrypt-proxy' manually:

    $ adb shell
    root@i9300:/ # killall dnscrypt-proxy                                              
    root@i9300:/ # killall dnscrypt-proxy                                              
    killall: dnscrypt-proxy: No such process
    

    Then I start the service manually (cellular data is not enabled):

    root@i9300:/ # /etc/init.d/99dnscrypt                                            
    root@i9300:/ # [2022-12-29 19:36:20] [NOTICE] dnscrypt-proxy 2.1.2
    [2022-12-29 19:36:20] [NOTICE] Network not available yet -- waiting...
    

    Now, 'logcat' and 'ps' show there is only one running process:

    12-29 19:36:19.860  5209  5209 I dnscrypt: Starting dnscrypt-proxy... 
    12-29 19:36:19.970  5213  5213 I dnscrypt: Changing dns with iptables...
    
    $ adb shell ps | grep dns
    root      5212  1     812096 7604  futex_wait 401c4db0 S dnscrypt-proxy
    

    The firewall rule is applied correctly too:

    root@i9300:/ # iptables -t nat -L | grep 53                                      
    DNAT       udp  --  anywhere             anywhere             udp dpt:domain to:127.0.0.1:53
    

    Enable cellular data and watch what is happening in 'adb shell':

    root@i9300:/ # [2022-12-29 20:08:31] [NOTICE] Network connectivity detected
    [2022-12-29 20:08:31] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
    [2022-12-29 20:08:31] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
    ...
    // many other regular notices
    ...
    [2022-12-29 20:09:45] [NOTICE] dnscrypt-proxy is ready - live servers: 32
    

    Everything seems to work. Testing to confirm:

    root@i9300:/ # host fsf.org
    host: Host not found.
    1|root@i9300:/ # host gnu.org
    gnu.org has address 209.51.188.116
    

    So, the blocked_names section works and resolving works.

    Next, I disabled cellular data, unplugged the USB cable connected to the computer and connected the external WiFi adapter (Replicant needs an external RYF adapter as the phone's built in one won't work without proprietary software). So, I could not test with ADB any more but only using the limited "Terminal" application in Replicant and using the browser that comes with Replicant (no idea what its name is).

    In that terminal (rewriting manually here):

    host -v fsf.org
    host: Host not found.
    host -v gnu.org
    host: Host not found.
    

    and so on - it seems nothing resolved.

    In the browser I see a different result though:

    • fsf.org works (although it must not resolve)
    • gnu.org works
    • other sites work

    Obviously, things don't work as expected when using WiFi.

    Connecting the phone to the computer again I see that 'dnscrypt-proxy' process is still active. Re-testing with cellular data again shows the same result as above: fsf.org is not resolved, other domains are.

    The questions are:

    1. Why do only the logging commands of the init.d script work, considering that the script is run by root at boot time?

    2. Why (even when starting the service manually) is the behavior different when using WiFi?

    3. How to make this service work on boot with all connections (cellular, WiFi, reverse USB tethering, etc.) without requiring manual starting through ADB or additional apps (assuming one already has root and init.d support)?

    It would be really great if someone can update the documentation.

    Best wishes for the new year!
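    The checks done by hand above (count the dnscrypt-proxy processes in `ps`, look for the port-53 DNAT rule in `iptables -t nat -L`) as an added Go example; this is not code from dnscrypt-proxy or from the issue author. It parses the Android toolbox-style `ps` and iptables output formats shown in the issue; the sample lines in main() are constructed from that output, and the names Inspect, State and Problems are hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// State summarises the two facts the issue checks by hand after boot and
// after a manual start: which dnscrypt-proxy processes exist, and whether
// the UDP port-53 redirect to the local listener is installed.
type State struct {
	ProxyPIDs       []int
	RedirectPresent bool
}

// parsePS extracts the PIDs of processes whose command name is exactly
// "dnscrypt-proxy" from toolbox-style `ps` output (PID is the second column,
// the command name is the last one). Header lines and other processes are skipped.
func parsePS(out string) []int {
	var pids []int
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 || f[len(f)-1] != "dnscrypt-proxy" {
			continue
		}
		if pid, err := strconv.Atoi(f[1]); err == nil {
			pids = append(pids, pid)
		}
	}
	return pids
}

// hasRedirect reports whether `iptables -t nat -L` output contains a DNAT rule
// that sends UDP port 53 ("domain" in iptables' service notation) to localListener.
func hasRedirect(out, localListener string) bool {
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || f[0] != "DNAT" || f[1] != "udp" {
			continue
		}
		if strings.Contains(line, "dpt:domain") && strings.Contains(line, "to:"+localListener) {
			return true
		}
	}
	return false
}

// Inspect combines both observations for the listener used in the issue.
func Inspect(psOut, natOut string) State {
	return State{ProxyPIDs: parsePS(psOut), RedirectPresent: hasRedirect(natOut, "127.0.0.1:53")}
}

// Problems lists what deviates from the healthy state: exactly one process
// and the redirect rule present.
func (s State) Problems() []string {
	var p []string
	switch n := len(s.ProxyPIDs); {
	case n == 0:
		p = append(p, "dnscrypt-proxy is not running")
	case n > 1:
		p = append(p, fmt.Sprintf("%d dnscrypt-proxy processes running (expected 1)", n))
	}
	if !s.RedirectPresent {
		p = append(p, "no DNAT rule redirecting UDP port 53 to 127.0.0.1:53")
	}
	return p
}

func main() {
	// Constructed samples modelled on the output quoted in the issue:
	// after boot (two processes, no nat rule) and after the manual start.
	afterBoot := Inspect(
		"root      2009  1     813640 6500  futex_wait 40103db0 S dnscrypt-proxy\n"+
			"root      3466  1     808256 7628  futex_wait 4016fdb0 S dnscrypt-proxy", "")
	afterManual := Inspect(
		"root      5212  1     812096 7604  futex_wait 401c4db0 S dnscrypt-proxy",
		"DNAT       udp  --  anywhere             anywhere             udp dpt:domain to:127.0.0.1:53")
	fmt.Println("after boot:", afterBoot.Problems())
	fmt.Println("after manual start:", afterManual.Problems())
}
```

    Run on a device, the two inputs would come from `ps` and `iptables -t nat -L` respectively; the point of the check is that a second process and a missing redirect are the two symptoms that distinguish the broken boot from the working manual start.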

  • Key double-checking for ODoH

    Key double-checking for ODoH

    https://www.ietf.org/archive/id/draft-schwartz-ohai-consistency-doublecheck-03.html suggests connecting twice to the relay in order to retrieve the keys: once to get the (possibly) cached content, and using the relay as a TCP proxy to connect to the upstream server.

    This forces ODoH relays to also support acting as TCP relays. Something that makes me feel a little bit anxious. And an ODoH relay that would like to send different keys to different targets can pretend not to support TCP relaying.

    Still something we may want to implement, and make optional.
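    The double-check described in the draft, as an added Go example (not dnscrypt-proxy's own code): fetch the target's ODoH config through the relay, fetch it again from the target via the relay acting as a TCP proxy, and accept only when both copies match. The `strict` flag models the optional behaviour: fail closed when the relay offers no TCP proxying (the evasion concern above), or accept the relay copy unverified. ConfigFetcher, DoubleCheck, the fakeRelay stand-in and the placeholder configs are all constructed for this example.

```go
package main

import (
	"bytes"
	"context"
	"errors"
	"fmt"
)

// ConfigFetcher retrieves a target's ODoH configuration over one of the two
// paths in the draft. Hypothetical type, not a dnscrypt-proxy API.
type ConfigFetcher func(ctx context.Context, target string) ([]byte, error)

var (
	// ErrNoTCPRelay: the relay refuses (or claims not to support) TCP proxying.
	ErrNoTCPRelay = errors.New("relay does not support TCP proxying")
	// ErrKeyMismatch: the relay-served config differs from the one fetched
	// from the target through the relay's TCP proxy.
	ErrKeyMismatch = errors.New("ODoH config differs between relay and direct path")
)

// DoubleCheck fetches the config via the relay, then again from the target
// through the relay's TCP proxy, and returns it only if both copies match.
// strict decides what happens when the relay offers no TCP proxy: true fails
// closed, false accepts the relay copy without verification.
func DoubleCheck(ctx context.Context, target string, viaRelay, viaProxy ConfigFetcher, strict bool) ([]byte, error) {
	relayCopy, err := viaRelay(ctx, target)
	if err != nil {
		return nil, fmt.Errorf("relay fetch for %s: %w", target, err)
	}
	directCopy, err := viaProxy(ctx, target)
	switch {
	case errors.Is(err, ErrNoTCPRelay) && strict:
		return nil, fmt.Errorf("cannot verify ODoH keys for %s: %w", target, err)
	case errors.Is(err, ErrNoTCPRelay):
		return relayCopy, nil // accepted unverified; the relay's word is all we have
	case err != nil:
		return nil, fmt.Errorf("direct fetch for %s: %w", target, err)
	}
	if !bytes.Equal(relayCopy, directCopy) {
		return nil, ErrKeyMismatch
	}
	return relayCopy, nil
}

// fakeRelay is a constructed stand-in for a relay: it serves a cached config
// per target and, if tcp is true, proxies a direct fetch to the target.
type fakeRelay struct {
	cached map[string][]byte // what the relay hands out
	origin map[string][]byte // what the target itself publishes
	tcp    bool
}

func (r *fakeRelay) ViaRelay(_ context.Context, target string) ([]byte, error) {
	c, ok := r.cached[target]
	if !ok {
		return nil, fmt.Errorf("no config for %s", target)
	}
	return c, nil
}

func (r *fakeRelay) ViaProxy(_ context.Context, target string) ([]byte, error) {
	if !r.tcp {
		return nil, ErrNoTCPRelay
	}
	c, ok := r.origin[target]
	if !ok {
		return nil, fmt.Errorf("target %s unreachable", target)
	}
	return c, nil
}

// Placeholder configs; real ODoH configs carry HPKE key material.
var (
	keyA = []byte("odohconfig-A")
	keyB = []byte("odohconfig-B")
)

// honestRelay serves the same config the target publishes.
func honestRelay() *fakeRelay {
	return &fakeRelay{cached: map[string][]byte{"t.example": keyA}, origin: map[string][]byte{"t.example": keyA}, tcp: true}
}

// lyingRelay hands out a different config than the target publishes.
func lyingRelay() *fakeRelay {
	return &fakeRelay{cached: map[string][]byte{"t.example": keyB}, origin: map[string][]byte{"t.example": keyA}, tcp: true}
}

// evasiveRelay lies and also pretends not to support TCP relaying.
func evasiveRelay() *fakeRelay {
	r := lyingRelay()
	r.tcp = false
	return r
}

func main() {
	ctx := context.Background()
	for name, r := range map[string]*fakeRelay{"honest": honestRelay(), "lying": lyingRelay(), "evasive": evasiveRelay()} {
		cfg, err := DoubleCheck(ctx, "t.example", r.ViaRelay, r.ViaProxy, true)
		fmt.Printf("%-8s strict: cfg=%q err=%v\n", name, cfg, err)
	}
}
```

    With strict set, the evasive relay is rejected just like the lying one, which is what makes the option worth having: without it, a relay that wants to hand different keys to different clients only needs to decline the TCP proxy step.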

  • Configured bootstrap_resolvers not used for the http_proxy domains

    Configured bootstrap_resolvers not used for the http_proxy domains

    Platform: macOS
    Version: 2.1.2

    ./dnscrypt-proxy -version
    2.1.2

    ./dnscrypt-proxy -check
    [2022-12-05 13:10:45] [NOTICE] dnscrypt-proxy 2.1.2
    [2022-12-05 13:10:45] [NOTICE] Source [public-resolvers] loaded
    [2022-12-05 13:10:45] [NOTICE] Configuration successfully checked

    ./dnscrypt-proxy -resolve google.com
    Resolving [google.com] using 127.0.0.1 port 53

    Steps to Reproduce

    • Installed dnscrypt-proxy2
    • Configured - server_names, doh, bootstrap_resolvers and http_proxy
    • Started the dnscrypt-proxy2
    • dnscrypt-proxy2 cannot connect to the DOH servers over the proxy as it couldn't resolve the proxy using the bootstrap_resolvers

    root@xxxx-mbp /Applications# ./dnscrypt-proxy
    [2022-12-05 13:05:19] [NOTICE] dnscrypt-proxy 2.1.2
    [2022-12-05 13:05:19] [NOTICE] Network connectivity detected
    [2022-12-05 13:05:19] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
    [2022-12-05 13:05:19] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
    [2022-12-05 13:05:19] [NOTICE] Source [public-resolvers] loaded
    [2022-12-05 13:05:19] [NOTICE] Firefox workaround initialized
    [2022-12-05 13:05:39] [ERROR] Get "https://dns.cloudflare.com/dns-query?dns=yv4BAAABAAAAAAABAAACAAEAACkQAAAAAAAAFAAMABBAWJM8BRTVGzjmZQ4GvgyM": context deadline exceeded
    [2022-12-05 13:05:39] [NOTICE] dnscrypt-proxy is waiting for at least one server to be reachable
    ^C[2022-12-05 13:08:41] [NOTICE] Stopped.
    

    Configuration

    listen_addresses = ['127.0.0.1:53']
    server_names = ['google','cloudflare']
    
    http_proxy = 'http://proxy.acme.com:1883'
    doh_servers = true
    ipv4_servers = true
    
    bootstrap_resolvers = ['192.168.10.1:53']
    ignore_system_dns = true
    
    cache = true
    
    [sources]
      [sources.public-resolvers]
        urls = ['https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
        cache_file = 'public-resolvers.md'
        minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
        refresh_delay = 72
    
    

    Expected behavior (i.e., solution)

    http_proxy domain (e.g., proxy.acme.com) must be resolved using the bootstrap_resolvers.

    [2022-12-05 13:09:04] [NOTICE] dnscrypt-proxy 2.1.2
    [2022-12-05 13:09:04] [NOTICE] Network connectivity detected
    [2022-12-05 13:09:04] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
    [2022-12-05 13:09:04] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
    [2022-12-05 13:09:04] [NOTICE] Source [public-resolvers] loaded
    [2022-12-05 13:09:04] [NOTICE] Firefox workaround initialized
    [2022-12-05 13:09:04] [NOTICE] [cloudflare] OK (DoH) - rtt: 26ms
    [2022-12-05 13:09:04] [NOTICE] [google] OK (DoH) - rtt: 33ms
    [2022-12-05 13:09:04] [NOTICE] Sorted latencies:
    [2022-12-05 13:09:04] [NOTICE] -    26ms cloudflare
    [2022-12-05 13:09:04] [NOTICE] -    33ms google
    [2022-12-05 13:09:04] [NOTICE] Server with the lowest initial latency: cloudflare (rtt: 26ms)
    [2022-12-05 13:09:04] [NOTICE] dnscrypt-proxy is ready - live servers:
    

    Other Comments

    It works with the following scenarios, so the http_proxy domains are likely not resolved.

    • Disable the http_proxy
    • Use IP instead of the domain for the http_proxy (e.g., https://192.168.1.100:1883 instead of https://proxy.acme.com:1883)
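    The expected behaviour above (resolve the http_proxy host name through bootstrap_resolvers, never through the system resolver), as an added Go example; this is not dnscrypt-proxy's code and says nothing about how the project actually dials its proxy. It uses the proxy URL and bootstrap address from the configuration in this issue, and ParseProxy, BootstrapResolver, ResolveWith and NewProxyTransport are hypothetical names.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// ProxyTarget is the parsed http_proxy value. IsIP is true for the working
// case from the issue (an IP literal needs no lookup at all).
type ProxyTarget struct {
	Scheme, Host, Port string
	IsIP               bool
}

// ParseProxy parses an http_proxy URL and fills in the scheme's default port.
func ParseProxy(raw string) (ProxyTarget, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return ProxyTarget{}, err
	}
	host := u.Hostname()
	if host == "" {
		return ProxyTarget{}, fmt.Errorf("proxy URL %q has no host", raw)
	}
	port := u.Port()
	if port == "" {
		if u.Scheme == "https" {
			port = "443"
		} else {
			port = "80"
		}
	}
	return ProxyTarget{Scheme: u.Scheme, Host: host, Port: port, IsIP: net.ParseIP(host) != nil}, nil
}

// BootstrapResolver returns a resolver whose every lookup goes to the given
// bootstrap address (e.g. "192.168.10.1:53"), bypassing the system resolver.
func BootstrapResolver(bootstrap string) *net.Resolver {
	return &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: 5 * time.Second}
			return d.DialContext(ctx, network, bootstrap)
		},
	}
}

// ResolveWith turns host:port into ip:port using r; IP literals pass through.
func ResolveWith(ctx context.Context, r *net.Resolver, addr string) (string, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return "", err
	}
	if net.ParseIP(host) != nil {
		return addr, nil
	}
	ips, err := r.LookupIPAddr(ctx, host)
	if err != nil {
		return "", err
	}
	if len(ips) == 0 {
		return "", fmt.Errorf("no addresses for %s", host)
	}
	return net.JoinHostPort(ips[0].IP.String(), port), nil
}

// NewProxyTransport builds an http.Transport that reaches DoH servers through
// proxyURL. When Proxy is set, DialContext is called with the proxy's host:port,
// so resolving there is what sends the proxy name to the bootstrap resolver.
func NewProxyTransport(proxyURL, bootstrap string) (*http.Transport, error) {
	u, err := url.Parse(proxyURL)
	if err != nil {
		return nil, err
	}
	r := BootstrapResolver(bootstrap)
	return &http.Transport{
		Proxy: http.ProxyURL(u),
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			resolved, err := ResolveWith(ctx, r, addr)
			if err != nil {
				return nil, fmt.Errorf("bootstrap lookup of %s failed: %w", addr, err)
			}
			return (&net.Dialer{Timeout: 10 * time.Second}).DialContext(ctx, network, resolved)
		},
	}, nil
}

func main() {
	// Values taken from the configuration in this issue.
	for _, raw := range []string{"http://proxy.acme.com:1883", "https://192.168.1.100:1883"} {
		p, err := ParseProxy(raw)
		fmt.Printf("%s -> host=%s port=%s literalIP=%v err=%v\n", raw, p.Host, p.Port, p.IsIP, err)
	}
	if _, err := NewProxyTransport("http://proxy.acme.com:1883", "192.168.10.1:53"); err != nil {
		fmt.Println("transport:", err)
	}
}
```

    Note the failure mode the issue hits: if the DialContext above used the default resolver instead of BootstrapResolver, and ignore_system_dns were in effect, the proxy name would never resolve and every DoH request would time out exactly as in the log, while an IP literal would keep working because ResolveWith never performs a lookup for it.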