
Noob here, how do I get QUIC to work?

Open Maple38 opened this issue 7 months ago • 4 comments

Hi all, I'm trying to create a tunnel to use DNS over QUIC. I'm using a custom NextDNS profile, but I'll redact the profile ID.

My command is as follows: sudo dnsproxy -l 127.0.0.1 -p 5353 -u quic://xxx.dns.nextdns.io -b 1.1.1.1 -v, and then I test it with dnslookup google.com 127.0.0.1:5353.

The console output is as follows:

2025/05/13 10:23:25.043199 INFO dnsproxy starting version=v0.75.4 revision=1fdda9a branch=HEAD commit_time=1746536978
2025/05/13 10:23:25.043396 DEBUG hosts files are enabled
2025/05/13 10:23:25.043404 DEBUG hosts files are not specified, using default paths=[/private/etc/hosts]
2025/05/13 10:23:25.043609 DEBUG set upstream idx=0 addr=quic://xxx.dns.nextdns.io:853
2025/05/13 10:23:25.043630 INFO upstream mode is set prefix=dnsproxy mode=load_balance
2025/05/13 10:23:25.043636 INFO cache disabled prefix=dnsproxy
2025/05/13 10:23:25.043639 INFO starting dns proxy server prefix=dnsproxy
2025/05/13 10:23:25.043648 INFO creating udp server socket prefix=dnsproxy addr=127.0.0.1:5353
2025/05/13 10:23:25.043824 INFO listening to udp prefix=dnsproxy addr=127.0.0.1:5353
2025/05/13 10:23:25.043830 INFO creating tcp server socket prefix=dnsproxy addr=127.0.0.1:5353
2025/05/13 10:23:25.043880 INFO listening to tcp prefix=dnsproxy addr=127.0.0.1:5353
2025/05/13 10:23:25.043924 INFO entering udp listener loop prefix=dnsproxy addr=127.0.0.1:5353
2025/05/13 10:23:25.043956 INFO entering listener loop prefix=dnsproxy proto=tcp addr=127.0.0.1:5353
2025/05/13 10:23:27.735475 DEBUG handling new udp packet prefix=dnsproxy raddr=127.0.0.1:51997
2025/05/13 10:23:27.735549 DEBUG in prefix=dnsproxy line_num=1 line=";; opcode: QUERY, status: NOERROR, id: 30554"
2025/05/13 10:23:27.735558 DEBUG in prefix=dnsproxy line_num=2 line=";; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0"
2025/05/13 10:23:27.735562 DEBUG in prefix=dnsproxy line_num=3 line=""
2025/05/13 10:23:27.735564 DEBUG in prefix=dnsproxy line_num=4 line=";; QUESTION SECTION:"
2025/05/13 10:23:27.735566 DEBUG in prefix=dnsproxy line_num=5 line=";google.com.\tIN\t A"
2025/05/13 10:23:27.735568 DEBUG in prefix=dnsproxy line_num=6 line=""
2025/05/13 10:23:27.735637 DEBUG handling request prefix=default_handler req=";google.com.\tIN\t A"
2025/05/13 10:23:27.735644 DEBUG no hosts records found prefix=default_handler name=google.com qtype=1
2025/05/13 10:23:27.735650 DEBUG not caching prefix=dnsproxy reason="caching disabled: neither global cache nor custom upstreams cache is configured"
2025/05/13 10:23:27.735732 DEBUG sending request addr=1.1.1.1:53 proto=udp qtype=AAAA qname=xxx.dns.nextdns.io.
2025/05/13 10:23:27.735738 DEBUG sending request addr=1.1.1.1:53 proto=udp qtype=A qname=xxx.dns.nextdns.io.
2025/05/13 10:23:27.735746 DEBUG dialing prefix=bootstrap addr=1.1.1.1:53 idx=1 total=1
2025/05/13 10:23:27.735756 DEBUG dialing prefix=bootstrap addr=1.1.1.1:53 idx=1 total=1
2025/05/13 10:23:27.735903 DEBUG connection succeeded prefix=bootstrap addr=1.1.1.1:53 elapsed=140.833µs
2025/05/13 10:23:27.735920 DEBUG connection succeeded prefix=bootstrap addr=1.1.1.1:53 elapsed=168.833µs
2025/05/13 10:23:27.788714 DEBUG response received addr=1.1.1.1:53 proto=udp status=ok
2025/05/13 10:23:27.795778 DEBUG response received addr=1.1.1.1:53 proto=udp status=ok
2025/05/13 10:23:27.795876 DEBUG dialing prefix=bootstrap addr=45.136.155.42:853 idx=1 total=4
2025/05/13 10:23:27.796204 DEBUG connection succeeded prefix=bootstrap addr=45.136.155.42:853 elapsed=316.167µs
2025/05/13 10:23:28.003617 ERROR exchange failed prefix=dnsproxy upstream=quic://xxx.dns.nextdns.io:853 question=";google.com.\tIN\t A" duration=267.913083ms err="getting conn: dialing quic connection to quic://xxx.dns.nextdns.io:853: CRYPTO_ERROR 0x178 (remote): tls: no application protocol"
2025/05/13 10:23:28.003677 DEBUG resolving err prefix=dnsproxy src=upstream err="getting conn: dialing quic connection to quic://xxx.dns.nextdns.io:853: CRYPTO_ERROR 0x178 (remote): tls: no application protocol"
2025/05/13 10:23:28.003716 DEBUG out prefix=dnsproxy line_num=1 line=";; opcode: QUERY, status: SERVFAIL, id: 30554"
2025/05/13 10:23:28.003725 DEBUG out prefix=dnsproxy line_num=2 line=";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0"
2025/05/13 10:23:28.003731 DEBUG out prefix=dnsproxy line_num=3 line=""
2025/05/13 10:23:28.003737 DEBUG out prefix=dnsproxy line_num=4 line=";; QUESTION SECTION:"
2025/05/13 10:23:28.003743 DEBUG out prefix=dnsproxy line_num=5 line=";google.com.\tIN\t A"
2025/05/13 10:23:28.003749 DEBUG out prefix=dnsproxy line_num=6 line=""
2025/05/13 10:23:28.003939 DEBUG handling dns request prefix=dnsproxy proto=udp err="using request handler: getting conn: dialing quic connection to quic://xxx.dns.nextdns.io:853: CRYPTO_ERROR 0x178 (remote): tls: no application protocol"

I should also mention, running the exact same proxy command but with TLS or HTTPS instead of QUIC works perfectly, and dnslookup google.com quic://xxx.dns.nextdns.io works too.

Maple38 avatar May 13 '25 07:05 Maple38

Hello @Maple38,

I set up a nextdns.io profile for myself, but I was not able to reproduce the issue. Lookups worked as expected. The NextDNS console showed the performed lookups, and identified them as DoQ.

I found a Cloudflare Community post where someone behind a FortiGate firewall got the exact same Go error as in your logs. Bypassing the FortiGate's web filter for the traffic resolved the issue for them.

Maybe your issue is firewall or web filter related? Can you try your setup on a VPS or somewhere else and reproduce the problem to rule out your firewall/filter as the issue?

jhed9 avatar May 14 '25 02:05 jhed9
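A log-triage helper for this failure mode, added here as an example and not part of dnsproxy or of this thread: it parses the `exchange failed` line from the report above, decodes the QUIC CRYPTO_ERROR code into its TLS alert, and flags a remote `no_application_protocol` (ALPN rejection) as the web-filter signature jhed9 describes. The sample log line is reconstructed from the report with the profile ID redacted.

```python
import re

# Constructed sample: the ERROR line from the dnsproxy -v output quoted in this issue
# (profile ID redacted, as in the report). Raw string keeps the literal \t in question=.
SAMPLE_LOG = r'''
2025/05/13 10:23:25.043609 DEBUG set upstream idx=0 addr=quic://xxx.dns.nextdns.io:853
2025/05/13 10:23:28.003617 ERROR exchange failed prefix=dnsproxy upstream=quic://xxx.dns.nextdns.io:853 question=";google.com.\tIN\t A" duration=267.913083ms err="getting conn: dialing quic connection to quic://xxx.dns.nextdns.io:853: CRYPTO_ERROR 0x178 (remote): tls: no application protocol"
'''

# dnsproxy logs failed upstream exchanges as key=value pairs with a quoted err= field.
EXCHANGE_FAILED = re.compile(
    r'ERROR exchange failed .*?upstream=(?P<upstream>\S+) .*?err="(?P<err>[^"]*)"')
# QUIC carries TLS alerts as CRYPTO_ERROR 0x1xx (RFC 9001 s4.8: 0x100 + alert code);
# "(remote)" means the peer sent the alert, "(local)" means our own stack raised it.
CRYPTO_ERROR = re.compile(r"CRYPTO_ERROR 0x(?P<code>[0-9a-fA-F]+) \((?P<side>\w+)\)")

# TLS alert descriptions relevant to DoQ triage (RFC 8446 s6, RFC 7301 s3.2).
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
              70: "protocol_version", 112: "unrecognized_name",
              120: "no_application_protocol"}

def classify(alert: int, side: str) -> str:
    """Map the TLS alert behind a QUIC CRYPTO_ERROR to a likely cause."""
    if alert == 120 and side == "remote":
        # The peer got far enough into the handshake to reject ALPN "doq". A real DoQ
        # resolver offers "doq", so whatever answered on UDP/853 is probably not the
        # resolver: a web filter or TLS-inspecting firewall, as in the FortiGate case.
        # Cross-check: the same upstream as tls:// or https:// works, and so does the
        # same command from a network you control.
        return "alpn_rejected_by_peer: suspect middlebox/web filter on the path"
    if alert in (42, 46):
        return "certificate_rejected: check upstream cert chain / interception CA"
    return "tls_alert:" + TLS_ALERTS.get(alert, "unknown")

def triage(log_text: str) -> list:
    """Return one finding per 'exchange failed' line in dnsproxy -v output."""
    findings = []
    for line in log_text.splitlines():
        m = EXCHANGE_FAILED.search(line)
        if not m:
            continue
        finding = {"upstream": m["upstream"], "err": m["err"], "alert": None,
                   "side": None, "verdict": "non_tls_error"}
        c = CRYPTO_ERROR.search(m["err"])
        if c and 0x100 <= int(c["code"], 16) <= 0x1FF:
            finding["alert"] = int(c["code"], 16) - 0x100
            finding["side"] = c["side"]
            finding["verdict"] = classify(finding["alert"], finding["side"])
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["upstream"], TLS_ALERTS.get(f["alert"], f["alert"]), f["verdict"])
```

Run it against a saved `dnsproxy -v` log to see which upstreams fail at the TLS layer and whether the alert came from the peer or from the local stack.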

Thanks for the reply! It probably is that. It would make sense as I was testing that while at school, and my school's internet does have said service installed. In hindsight, setting up something like this while connected to a network I don't control may not have been the best of ideas.

Regardless, I have actually changed my mind about QUIC and no longer think I need it, so unless requested otherwise (in which case it's no trouble at all), I probably won't be testing again.

Thank you again, and have a good day.

Maple38 avatar May 17 '25 00:05 Maple38

No problem @Maple38. You have a great day as well.

jhed9 avatar May 19 '25 02:05 jhed9

  - "quic://anycast.dns.nextdns.io"
  - "h3://anycast.dns.nextdns.io/dns-query"

bcookatpcsd avatar Aug 20 '25 00:08 bcookatpcsd