AdGuardHome
0.107.44 broke DoT
Prerequisites
- [X] I have checked the Wiki and Discussions and found no answer
- [X] I have searched other issues and found no duplicates
- [X] I want to report a bug and not ask a question or ask for help
- [X] I have set up AdGuard Home correctly and configured clients to use it. (Use the Discussions for help with installing and configuring clients.)
Platform (OS and CPU architecture)
Linux, ARM64
Installation
Custom package (OpenWrt, HomeAssistant, etc; please mention in the description)
Setup
Other (please mention in the description)
AdGuard Home version
0.107.44
Action
I've been using AGH for a long time as an addon in HAOS on an rPI4. I've set up DHCP on my OWRT router to direct all clients to use AGH as the resolver (using DoT with cloudflare and quad9), and in AGH I direct local requests to dnsmasq on my router.
Expected result
Just like for the past couple of years, to work as it should.
Actual result
Since upgrading to 0.107.44, DoT has become very flaky. I noticed that name resolving stops working from all clients at random times, for a random length of time. Restarting the addon fixes the issue until it crops up again.
I've noticed messages like these in the logs (while this snippet only shows Quad9's address, it happens with Cloudflare as well):
2024/02/10 13:39:57.901787 [error] dnsproxy: upstream tls://dns.quad9.net:853 failed to exchange ;mobile-data.onetrust.io. IN A in 806.934µs: getting conn to tls://dns.quad9.net:853: connecting to dns.quad9.net: dial tcp [2620:fe::9]:853: connect: network is unreachable
dial tcp [2620:fe::fe]:853: connect: network is unreachable
2024/02/10 13:43:28.883745 [error] dnsproxy: upstream tls://dns.quad9.net:853 failed to exchange ;graph.facebook.com. IN A in 1.423221ms: getting conn to tls://dns.quad9.net:853: connecting to dns.quad9.net: dial tcp [2620:fe::9]:853: connect: network is unreachable
dial tcp [2620:fe::fe]:853: connect: network is unreachable
2024/02/10 13:44:11.147678 [error] dnsproxy: upstream tls://dns.quad9.net:853 failed to exchange ;i4.gtm.eset.com. IN A in 835.192µs: getting conn to tls://dns.quad9.net:853: connecting to dns.quad9.net: dial tcp [2620:fe::9]:853: connect: network is unreachable
dial tcp [2620:fe::fe]:853: connect: network is unreachable
2024/02/10 13:44:47.581381 [error] dnsproxy: upstream tls://dns.quad9.net:853 failed to exchange ;api.cloudflare.com. IN A in 692.639µs: getting conn to tls://dns.quad9.net:853: connecting to dns.quad9.net: dial tcp [2620:fe::9]:853: connect: network is unreachable
dial tcp [2620:fe::fe]:853: connect: network is unreachable
2024/02/10 13:45:11.561544 [error] dnsproxy: upstream tls://dns.quad9.net:853 failed to exchange ;i3.gtm.eset.com. IN A in 725.304µs: getting conn to tls://dns.quad9.net:853: connecting to dns.quad9.net: dial tcp [2620:fe::9]:853: connect: network is unreachable
dial tcp [2620:fe::fe]:853: connect: network is unreachable
2024/02/10 13:45:51.059642 [error] dnsproxy: upstream tls://dns.quad9.net:853 failed to exchange ;ocsp.entrust.net. IN A in 592.417µs: getting conn to tls://dns.quad9.net:853: connecting to dns.quad9.net: dial tcp [2620:fe::9]:853: connect: network is unreachable
dial tcp [2620:fe::fe]:853: connect: network is unreachable
I tested plain DNS and DoH and both work uninterrupted; only when I use DoT resolvers do I see this issue.
Additional information and/or screenshots
No response
I am seeing this as well:
2024/02/10 10:43:18.477035 [error] dnsproxy: upstream tls://1dot1dot1dot1.cloudflare-dns.com:853 failed to exchange ;17-courier.push.apple.com. IN HTTPS in 213.582µs: getting conn to tls://1dot1dot1dot1.cloudflare-dns.com:853: connecting to 1dot1dot1dot1.cloudflare-dns.com: dial tcp [2606:4700:4700::1001]:853: connect: network is unreachable
dial tcp [2606:4700:4700::1111]:853: connect: network is unreachable
2024/02/10 10:43:18.478251 [error] dnsproxy: upstream tls://1dot1dot1dot1.cloudflare-dns.com:853 failed to exchange ;17-courier.push.apple.com. IN A in 150.652µs: getting conn to tls://1dot1dot1dot1.cloudflare-dns.com:853: connecting to 1dot1dot1dot1.cloudflare-dns.com: dial tcp [2606:4700:4700::1001]:853: connect: network is unreachable
dial tcp [2606:4700:4700::1111]:853: connect: network is unreachable
2024/02/10 10:43:18.737234 [error] dnsproxy: upstream tls://1dot1dot1dot1.cloudflare-dns.com:853 failed to exchange ;fmfmobile.fe2.apple-dns.net. IN A in 197.015µs: getting conn to tls://1dot1dot1dot1.cloudflare-dns.com:853: connecting to 1dot1dot1dot1.cloudflare-dns.com: dial tcp [2606:4700:4700::1001]:853: connect: network is unreachable
dial tcp [2606:4700:4700::1111]:853: connect: network is unreachable
2024/02/10 10:43:25.284583 [error] dnsproxy: upstream tls://1dot1dot1dot1.cloudflare-dns.com:853 failed to exchange ;bookkeeper.itunes.apple.com. IN A in 204.573µs: getting conn to tls://1dot1dot1dot1.cloudflare-dns.com:853: connecting to 1dot1dot1dot1.cloudflare-dns.com: dial tcp [2606:4700:4700::1001]:853: connect: network is unreachable
dial tcp [2606:4700:4700::1111]:853: connect: network is unreachable
I do notice that it's trying an IPv6 address [2620:fe::fe] but I do not have IPv6 on my network. Maybe a clue?
Can confirm. Switched to DNS-over-QUIC for now!
Observing the same thing as well with DoT. DoH has been working fine
Same here. AdGuard Home randomly stops resolving DNS over TLS. Logs show that AdGuard is trying to connect to upstream DNS (Google/Quad1) using IPv6 in a machine with no IPv6.
This last version comes with lots of bugs. Is there a way to downgrade to last stable version?
Found a duplicate already in the current milestone: https://github.com/AdguardTeam/AdGuardHome/issues/4354
@boardlord1, hello and thanks for the report. The errors in the log may indicate that the `dns.quad9.net` upstream has been bootstrapped to only an IPv6 address. Could you please collect a verbose log for us? You may send it to [email protected].
Also, do you have the `dns.bootstrap_prefer_ipv6` configuration field set to `false`?
@EugeneOne1 The snippet I've shared indeed only showed quad9, but there were identical entries for cloudflare as well.
And yes, `dns.bootstrap_prefer_ipv6` is set to `false`.
Log file is on its way to [email protected].
Same problem: after updating to v0.107.44 I have random problems resolving DNS requests with DoT.
2024/02/16 08:25:34.160783 [error] dnsproxy: upstream tls://unfiltered.adguard-dns.com:853 failed to exchange ;mail.google.com. IN HTTPS in 8.739224ms: dialing tls://unfiltered.adguard-dns.com:853: connecting to unfiltered.adguard-dns.com: dial tcp [2a10:50c0::1:ff]:853: socket: address family not supported by protocol dial tcp [2a10:50c0::2:ff]:853: socket: address family not supported by protocol
2024/02/16 07:35:27.650641 [error] dnsproxy: upstream tls://1dot1dot1dot1.cloudflare-dns.com:853 failed to exchange ;edge-consumer-static.azureedge.net. IN HTTPS in 5.821702ms: getting conn to tls://1dot1dot1dot1.cloudflare-dns.com:853: connecting to 1dot1dot1dot1.cloudflare-dns.com: dial tcp [2606:4700:4700::1001]:853: socket: address family not supported by protocol dial tcp [2606:4700:4700::1111]:853: socket: address family not supported by protocol
I also have `bootstrap_prefer_ipv6: false`.
Here's some more verbose logs if it helps in your investigations:
2024/02/16 17:06:14.347591 1#8234 [debug] dnsproxy: sending request to https://dns.google:443/dns-query over udp: A "pbs.twimg.com."
2024/02/16 17:06:14.347718 1#8234 [debug] dnsproxy: https://dns.google:443/dns-query: response received over udp: "requesting https://dns.google:443/dns-query: Get_0rtt \"https://dns.google:443/dns-query?dns=AAABIAABAAAAAAABA3BicwV0d2ltZwNjb20AAAEAAQAAKQgAAACAAAAA\": NO_ERROR (remote): 168:Connection max age expired"
2024/02/16 17:06:14.347769 1#8234 [debug] re-creating the http client due to requesting https://dns.google:443/dns-query: Get_0rtt "https://dns.google:443/dns-query?dns=AAABIAABAAAAAAABA3BicwV0d2ltZwNjb20AAAEAAQAAKQgAAACAAAAA": NO_ERROR (remote): 168:Connection max age expired
2024/02/16 17:06:14.347818 1#8239 [debug] parallel lookup: lookup for dns.google succeeded in 2.638µs: [2001:4860:4860::8888 2001:4860:4860::8844]
2024/02/16 17:06:14.347873 1#8237 [debug] parallel lookup: lookup for dns.google succeeded in 3.577µs: [2001:4860:4860::8888 2001:4860:4860::8844]
2024/02/16 17:06:14.347924 1#8249 [debug] dnsproxy: sending request to 9.9.9.9:53 over udp: AAAA "dns.google."
2024/02/16 17:06:14.347934 1#8236 [debug] parallel lookup: lookup for dns.google succeeded in 4.107µs: [8.8.8.8 8.8.4.4]
2024/02/16 17:06:14.347953 1#8234 [debug] bootstrap: dialing [2001:4860:4860::8844]:443 (1/2)
2024/02/16 17:06:14.347964 1#8248 [debug] dnsproxy: sending request to 9.9.9.9:53 over udp: A "dns.google."
2024/02/16 17:06:14.347977 1#8249 [debug] bootstrap: dialing 9.9.9.9:53 (1/1)
2024/02/16 17:06:14.348000 1#8248 [debug] bootstrap: dialing 9.9.9.9:53 (1/1)
2024/02/16 17:06:14.348085 1#8249 [debug] bootstrap: connection to 9.9.9.9:53 succeeded in 29.485µs
2024/02/16 17:06:14.348088 1#8248 [debug] bootstrap: connection to 9.9.9.9:53 succeeded in 26.187µs
2024/02/16 17:06:14.348112 1#8234 [debug] bootstrap: connection to [2001:4860:4860::8844]:443 failed in 52.971µs: dial udp [2001:4860:4860::8844]:443: connect: cannot assign requested address
2024/02/16 17:06:14.348165 1#8234 [debug] bootstrap: dialing [2001:4860:4860::8888]:443 (2/2)
2024/02/16 17:06:14.348239 1#8234 [debug] bootstrap: connection to [2001:4860:4860::8888]:443 failed in 20.974µs: dial udp [2001:4860:4860::8888]:443: connect: cannot assign requested address
2024/02/16 17:06:14.348291 1#8234 [debug] using HTTP/2 for this upstream: failed to dial: dial udp [2001:4860:4860::8844]:443: connect: cannot assign requested address
dial udp [2001:4860:4860::8888]:443: connect: cannot assign requested address
2024/02/16 17:06:14.348333 1#8234 [debug] dnsproxy: upstream https://dns.google:443/dns-query failed to exchange ;pbs.twimg.com. IN A in 750.587µs: failed to reset http client: initializing http transport: HTTP1/1 and HTTP2 are not supported by this upstream
2024/02/16 17:06:14.348364 1#8234 [debug] proxy: replying from upstream: using fallback due to failed to reset http client: initializing http transport: HTTP1/1 and HTTP2 are not supported by this upstream
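The maintainer's comment above attributes the failures to the upstream being bootstrapped to an IPv6-only address, and the verbose log shows the shape of it: the parallel lookup returns only IPv6 addresses for dns.google, each dial fails with `cannot assign requested address`, and the query falls back. As an added illustration (not AdGuard Home's or dnsproxy's own code), the Go program below does the family-aware selection a resolver needs in this situation: it drops candidate addresses of a family the host cannot use, orders the rest by the `bootstrap_prefer_ipv6` setting, and classifies the three kernel errors seen in this thread (`network is unreachable`, `address family not supported by protocol`, `cannot assign requested address`) as "address family unavailable on this host" rather than "upstream down". The `hostHasIPv6` heuristic and all function names are assumptions made for the example; the candidate list is constructed from the Quad9 addresses in the logs above plus Quad9's IPv4 address 9.9.9.9.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/netip"
	"os"
	"syscall"
)

// hostHasIPv6 reports whether any interface carries a global unicast IPv6
// address that is not a ULA. Assumed heuristic for this example; it is not
// how AdGuard Home or dnsproxy decide which address family to bootstrap to.
func hostHasIPv6() bool {
	addrs, err := net.InterfaceAddrs()
	if err != nil {
		return false
	}
	for _, a := range addrs {
		ipn, ok := a.(*net.IPNet)
		if !ok {
			continue
		}
		ip, ok := netip.AddrFromSlice(ipn.IP)
		if !ok {
			continue
		}
		ip = ip.Unmap()
		if ip.Is6() && ip.IsGlobalUnicast() && !ip.IsPrivate() {
			return true
		}
	}
	return false
}

// orderBootstrapAddrs selects and orders the resolved upstream addresses to
// dial. Addresses of a family the host cannot use are dropped entirely, so a
// host without IPv6 never spends a dial attempt on [2620:fe::9]:853; the
// remaining addresses are ordered by the configured family preference.
func orderBootstrapAddrs(addrs []netip.Addr, preferIPv6, hasIPv6 bool) []netip.Addr {
	var v4, v6 []netip.Addr
	for _, a := range addrs {
		a = a.Unmap() // treat ::ffff:9.9.9.9 as the IPv4 address it is
		switch {
		case a.Is4():
			v4 = append(v4, a)
		case hasIPv6:
			v6 = append(v6, a)
		}
	}
	if preferIPv6 {
		return append(v6, v4...)
	}
	return append(v4, v6...)
}

// isFamilyUnavailable reports whether a dial error is one of the kernel
// errors seen in this thread. All three mean "this address family is not
// usable on this host", which a resolver should treat differently from a
// timeout or a refused connection from a reachable upstream.
func isFamilyUnavailable(err error) bool {
	return errors.Is(err, syscall.ENETUNREACH) || // "network is unreachable"
		errors.Is(err, syscall.EAFNOSUPPORT) || // "address family not supported by protocol"
		errors.Is(err, syscall.EADDRNOTAVAIL) // "cannot assign requested address"
}

// dialErr rebuilds the error net.Dial returns for a failed connect(2) so the
// classifier can be exercised offline. Constructed, not a captured error.
func dialErr(addr string, errno syscall.Errno) error {
	ap := netip.MustParseAddrPort(addr)
	return &net.OpError{
		Op:   "dial",
		Net:  "tcp",
		Addr: net.TCPAddrFromAddrPort(ap),
		Err:  &os.SyscallError{Syscall: "connect", Err: errno},
	}
}

func main() {
	// Constructed lookup result for dns.quad9.net: the two IPv6 addresses from
	// the reporter's log plus Quad9's IPv4 address.
	resolved := []netip.Addr{
		netip.MustParseAddr("2620:fe::9"),
		netip.MustParseAddr("2620:fe::fe"),
		netip.MustParseAddr("9.9.9.9"),
	}
	has6 := hostHasIPv6()
	fmt.Println("host has global IPv6:", has6)
	fmt.Println("dial order with bootstrap_prefer_ipv6=false:", orderBootstrapAddrs(resolved, false, has6))

	// The error from the thread, reproduced offline and classified.
	err := dialErr("[2620:fe::9]:853", syscall.ENETUNREACH)
	fmt.Printf("%v -> family unavailable: %v\n", err, isFamilyUnavailable(err))
}
```

On a host without a global IPv6 address the program prints a dial order containing only 9.9.9.9, which is the behaviour the reporters expected from `bootstrap_prefer_ipv6: false`; on a dual-stack host it keeps both families with IPv4 first.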
Hi, I changed from DoT (tls://) to https://; let's see if it resolves things temporarily until the new version.
I'm another seeing this problem with DoT (Cloudflare), hopefully switching to DoH solves it for me for now.
Platform (OS and CPU architecture) Linux (Debian 11.9), amd64
Installation Docker adguard/adguardhome latest 20888152689b
Version v0.107.44
I have the exact same problem since update, see logs from docker below
Log output
dial tcp [2001:4860:4860::8888]:853: connect: network is unreachable
2024/02/18 11:58:11.643067 [error] dnsproxy: upstream tls://dns.google:853 failed to exchange ;
Settings bootstrap_prefer_ipv6: false blocking_ipv6: ""
@boardlord1, hello again. We've pushed the edge build which includes a fix for this issue. Could you please check if the DNS-over-TLS upstreams are working better now?
Apologies, I won't be able to test as I don't have a spare Pi 4, and the Home Assistant addon repo doesn't provide an edge build (and I need internet access; I don't want to reconfigure my whole DNS resolution config).
@boardlord1, well, we'll be including the fix into the upcoming release, so I'll close the issue for now. Please feel free to reopen it if the release still doesn't work properly.