
Fallback does not work when SERVFAIL occurs

Open agneevX opened this issue 1 year ago • 5 comments

I have dnsproxy configured with a fallback option, but when the primary address returns SERVFAIL (often due to a timeout), it does not fall back to the configured server.

agneevX, Aug 08 '22 15:08

Yep, the fallback currently is only used when a network error occurs.

I am not sure about changing that logic globally, or maybe we should add a config setting that controls when to fallback.

ameshkov, Aug 15 '22 08:08

> Yep, the fallback currently is only used when a network error occurs.

Can you please elaborate on what that means, and what conditions surround it?

agneevX, Aug 15 '22 13:08

It means any network error (a timeout, connection reset, etc), i.e. it means that the DNS request was not successful.

And SERVFAIL means that the request was successful, it's just the server responded with a message with SERVFAIL status.

ameshkov, Aug 15 '22 20:08

To add to this... for a non-existent DNS server, fallback does not occur.

```
~> docker run --rm -p 7000:53/udp hezhijie0327/dnsproxy:latest -u tls://1.1.1.7 -f tls://8.8.8.8
2022/12/30 12:25:09 [info] Starting dnsproxy 0.46.5-ZHIJIE-DC6B0FE2
2022/12/30 12:25:09 [info] Fallback 0 is tls://8.8.8.8:853
2022/12/30 12:25:09 [info] Starting the DNS proxy server
2022/12/30 12:25:09 [info] dnsproxy: cache: disabled
2022/12/30 12:25:09 [info] Creating the UDP server socket
2022/12/30 12:25:09 [info] Listening to udp://[::]:53
2022/12/30 12:25:09 [info] Creating a TCP server socket
2022/12/30 12:25:09 [info] Listening to tcp://[::]:53
2022/12/30 12:25:09 [info] Entering the UDP listener loop on [::]:53
2022/12/30 12:25:09 [info] Entering the tcp listener loop on [::]:53
```

```
❱ dig @10.0.0.10 -p 7000 www.google.com

; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> @10.0.0.10 -p 7000 www.google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
```

agneevX, Dec 30 '22 12:12

Mind that when DNSSEC validation fails, most if not all DNS servers return SERVFAIL as a valid answer (validation failed).

cbuijs, Jul 27 '23 08:07
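The distinction drawn earlier in the thread (a network error means the exchange never produced a reply; SERVFAIL is a reply whose RCODE happens to be 2) and the DNSSEC caveat just above both come down to one decision function. The following Go program is an added illustration, not dnsproxy's own code: it implements a primary-plus-fallbacks resolver whose fallback trigger is governed by a policy struct with two flags. `OnNetworkError` reproduces the behaviour ameshkov describes; `OnServfail` is the opt-in extension he floats and is off by default, because a SERVFAIL that encodes a DNSSEC validation failure would otherwise be retried at a fallback that may not validate, turning "bogus" into an answer. The `Policy` field names, the stand-in upstreams and the header-only DNS messages are all constructed for this example; no network is touched.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// Upstream sends one wire-format DNS query and returns the wire-format reply.
// A non-nil error means the exchange itself failed (timeout, connection reset,
// unreachable host). A reply carrying RCODE=SERVFAIL is not an error: the
// exchange succeeded and the server chose to answer SERVFAIL.
type Upstream func(query []byte) ([]byte, error)

const (
	rcodeNoError  = 0
	rcodeServfail = 2
)

// Policy selects which primary outcomes may trigger a fallback.
// Assumed field names for this example, not dnsproxy configuration keys.
type Policy struct {
	OnNetworkError bool // the behaviour the thread describes
	OnServfail     bool // proposed opt-in; risky for DNSSEC-validating primaries
}

// Resolver tries Primary first, then Fallbacks in order, according to Policy.
type Resolver struct {
	Primary   Upstream
	Fallbacks []Upstream
	Policy    Policy
}

// rcode reads the 4-bit RCODE from the low nibble of header byte 3.
func rcode(msg []byte) (int, error) {
	if len(msg) < 12 {
		return 0, errors.New("reply shorter than a DNS header")
	}
	return int(msg[3] & 0x0F), nil
}

// shouldFallback applies Policy to what the primary returned.
func (r *Resolver) shouldFallback(reply []byte, err error) bool {
	if err != nil {
		return r.Policy.OnNetworkError
	}
	rc, perr := rcode(reply)
	if perr != nil {
		return r.Policy.OnNetworkError // a truncated reply counts as a failed exchange
	}
	return rc == rcodeServfail && r.Policy.OnServfail
}

// Exchange returns the reply, the index of the fallback that produced it
// (-1 when the primary's own reply or error is passed through), and any error.
func (r *Resolver) Exchange(query []byte) ([]byte, int, error) {
	reply, err := r.Primary(query)
	if !r.shouldFallback(reply, err) {
		return reply, -1, err
	}
	for i, fb := range r.Fallbacks {
		if fbReply, fbErr := fb(query); fbErr == nil {
			return fbReply, i, nil
		}
	}
	// No fallback could answer: surface the primary's own outcome unchanged.
	return reply, -1, err
}

// dnsHeader builds a constructed 12-byte response header (ID, QR=1, RCODE=rc,
// all section counts zero); the fallback decision only needs the header.
func dnsHeader(id uint16, rc int) []byte {
	h := make([]byte, 12)
	h[0], h[1] = byte(id>>8), byte(id)
	h[2] = 0x80 // QR=1: this is a response
	h[3] = byte(rc & 0x0F)
	return h
}

func queryID(q []byte) uint16 { return uint16(q[0])<<8 | uint16(q[1]) }

// Constructed stand-ins for the tls:// upstreams in the thread.
func timeoutUpstream(q []byte) ([]byte, error) {
	return nil, &net.OpError{Op: "dial", Net: "tcp", Err: errors.New("i/o timeout")}
}
func servfailUpstream(q []byte) ([]byte, error) {
	return dnsHeader(queryID(q), rcodeServfail), nil
}
func okUpstream(q []byte) ([]byte, error) {
	return dnsHeader(queryID(q), rcodeNoError), nil
}

func main() {
	query := make([]byte, 12) // constructed header-only query, ID 0x1234, RD set
	query[0], query[1], query[2] = 0x12, 0x34, 0x01
	for _, p := range []Policy{{OnNetworkError: true}, {OnNetworkError: true, OnServfail: true}} {
		for name, primary := range map[string]Upstream{"timeout": timeoutUpstream, "servfail": servfailUpstream} {
			r := &Resolver{Primary: primary, Fallbacks: []Upstream{okUpstream}, Policy: p}
			reply, idx, err := r.Exchange(query)
			rc, _ := rcode(reply)
			fmt.Printf("policy=%+v primary=%-8s answered_by=%d rcode=%d err=%v\n", p, name, idx, rc, err)
		}
	}
}
```

With the default policy the timeout case is answered by fallback 0 while the SERVFAIL case is handed back to the client as SERVFAIL, which is exactly the behaviour reported in the issue. Enabling `OnServfail` makes both cases fall through to the fallback; whether that is acceptable depends on whether the fallback validates DNSSEC at least as strictly as the primary.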