
DoT does not work

Open capmlbpkel opened this issue 1 year ago • 9 comments

DoT does not work for me. Neither for pre-configured services such as Mullvad nor for custom services. In the DoT menu, it first says "Starting" and then "No internet", instead of "Connected".

System DNS, pre-configured DoH, custom DoH and RDNS services work as expected.

capmlbpkel avatar Aug 13 '24 17:08 capmlbpkel

Will you share the address of the DoT server, please?

ignoramous avatar Aug 13 '24 19:08 ignoramous

Sure. For the pre-configured Mullvad service, it is tls://extended.dns.mullvad.net. The custom DoT server I tried (both with and without the tls protocol prefix) is tls://dns3.digitalcourage.de.

capmlbpkel avatar Aug 13 '24 20:08 capmlbpkel

One more thing, I noticed that only one version of the custom server was part of the backup file (I do not remember if it was with or without the tls prefix). Don't know if this is related or not.

capmlbpkel avatar Aug 13 '24 20:08 capmlbpkel

I just tried the two DoT servers you shared (Mullvad Extended and Digital Courage), and both worked. Unsure what's going on on your end. Configure -> Settings -> Log level -> Very verbose logs may have clues as to what's going on (if you know how to capture those using adb logcat)?

ignoramous avatar Aug 13 '24 23:08 ignoramous

Thank you, I will try to debug and report back.

capmlbpkel avatar Aug 14 '24 04:08 capmlbpkel

Phew, that took me a couple of hours...here is the relevant part:

D/DnsManager( 4084): on dot change - Mullvad Extended, tls://extended.dns.mullvad.net, false
D/VpnLifecycle( 4084): on pref change, key: dns_type
D/VpnLifecycle( 4084): on pref change, key: connected_dns_name
D/VpnLifecycle( 4084): handle transport change
V/VpnLifecycle( 4084): GoVpnAdapter addTransport
V/VpnLifecycle( 4084): GoVpnAdapter addDotTransport, id: Preferred
I/GoLog   ( 4084): ipmap.go:217: D ipmap: renew: extended.dns.mullvad.net / seed: [] / typ: Auto
I/GoLog   ( 4084): ipmap.go:237: D ipmap: makeIPSet: extended.dns.mullvad.net, seed: [], typ: Regular
I/GoLog   ( 4084): dot.go:83: I dot: (Preferred) setup: tls://extended.dns.mullvad.net; relay? false; resolved? false
I/GoLog   ( 4084): cacher.go:120: I cache: (CachePreferred) setup: cached.extended.dns.mullvad.net:853; opts: ttl=10m0s;bumps=10;size=256
I/GoLog   ( 4084): transport.go:211: I dns: add transport [email protected]:853; cache? true
V/VpnLifecycle( 4084): onDNSAdded: Preferred
I/VpnLifecycle( 4084): new dot: Preferred (Mullvad Extended), url: tls://extended.dns.mullvad.net, ips: 
V/VpnLifecycle( 4084): GoVpnAdapter addDotTransport done
V/VpnLifecycle( 4084): GoVpnAdapter addTransport done

and then repeated messages like this one

I/GoLog ( 4084): transport.go:585: D dns: udp: done; tot: 1, t: 120000ms, err: read udp 10.111.222.3:53: i/o timeout

I am wondering if this might have to do with a DoT / NTP deadlock.

At least I am seeing blocked connections in the log by "Dynamic System Updates + 15 other app(s)" to time.android.com, despite having set those apps to isolate mode and trusting the domain.

capmlbpkel avatar Aug 14 '24 19:08 capmlbpkel

> Phew, that took me a couple of hours...here is the relevant part:

Sorry :( For this reason, we're adding the ability to view and share debug logs from within the app in v055o.

> I/GoLog ( 4084): transport.go:585: D dns: udp: done; tot: 1, t: 120000ms, err: read udp 10.111.222.3:53: i/o timeout

This isn't an error, but expected. Look / grep for "dot:" or "dot.go:" logs.

> I am wondering if this might have to do with a DoT / NTP deadlock.

Should happen with DoH, too?

ignoramous avatar Aug 14 '24 20:08 ignoramous

> Sorry :( For this reason, we're adding the ability to view and share debug logs from within the app in v055o.

No problem, I learned something new.

> This isn't an error, but expected. Look / grep for "dot:" or "dot.go:" logs.

There are no entries containing "dot" besides the ones I just posted.

> Should happen with DoH, too?

I am really no expert here. If DoH certificates are also checked for validity date, probably yes. But DoH works without any issues.

capmlbpkel avatar Aug 14 '24 20:08 capmlbpkel
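As an added diagnostic for the question raised above (DoH works, DoT shows "No internet", possibly a DoT-before-NTP clock problem), the probe below speaks DoT directly to a resolver such as dns3.digitalcourage.de and separates a TLS certificate-verification failure (what a wrong device clock looks like) from a plain connection timeout. This is example code, not rethink-app's own; the hostnames come from this thread, and the response bytes used offline in the test are constructed.

```python
import socket, ssl, struct
def build_query(name, txid=0x1234):
    # Plain DNS A query: header (RD set, 1 question), QNAME labels, QTYPE=A, QCLASS=IN.
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def frame(msg):
    # DoT (RFC 7858) uses DNS-over-TCP framing: a 2-byte big-endian length precedes each message.
    return struct.pack(">H", len(msg)) + msg

def _skip_name(msg, off):
    # Walk labels; a compression pointer (top two bits set) is 2 bytes and ends the name.
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_answer_ips(msg):
    # Return IPv4 strings from the answer section; a non-zero RCODE is an error.
    _, flags, qd, an = struct.unpack(">HHHH", msg[:8])
    if flags & 0x000F:
        raise ValueError("rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4           # skip QTYPE/QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips

def probe(server, name="example.com", timeout=5.0):
    # Returns ('ok', ips), ('tls-cert', why), ('timeout', why) or ('error', why).
    try:
        with socket.create_connection((server, 853), timeout=timeout) as raw, \
                ssl.create_default_context().wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame(build_query(name)))
            rd = tls.makefile("rb")              # read(n) blocks until n bytes or EOF
            (length,) = struct.unpack(">H", rd.read(2))
            return "ok", parse_answer_ips(rd.read(length))
    except ssl.SSLCertVerificationError as e:
        # "not yet valid" / "has expired" while DoH still works points at the device
        # clock: the DoT-before-NTP case raised in the thread.
        return "tls-cert", str(e)
    except socket.timeout:
        return "timeout", "no response on 853/tcp"
    except (OSError, struct.error) as e:
        return "error", str(e)
```

Run `probe("dns3.digitalcourage.de")` from the same network as the phone; a `tls-cert` result with a sane clock means a real certificate problem, while `timeout` means port 853 is being dropped somewhere on the path.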

Hi all, any progress on this?

I have the same issue with DoT from: fdns1.dismail.de and fdns2.dismail.de

DoH from https://dnsforge.de/dns-query works as expected.

djusHa avatar Jun 01 '25 06:06 djusHa

> Hi all, any progress on this?

Verified that fdns2.dismail.de works fine on v055o: https://github.com/celzero/rethink-app/releases/tag/v0.5.5o

> For this reason, we're adding the ability to view and share debug logs from within the app in v055o

And we've added the ability to view "app logs" from within the app. These appear if you tap on the little Android icon in the top right-hand corner in Configure -> Logs. By default, the "app logs" UI only streams error messages, but debug / verbose messages can be streamed by tapping on the filter icon in the search bar.

Besides, we've implemented connection pooling & TLS session resumption for DoT, which should not only decrease DNS-related bandwidth use by 2x but also speed up latency by 2x. Also, Rethink now supports TLSv1.3 ECH (encrypted client hello), a new standard which makes HTTP connections more private by hiding the vulnerable SNI (server name identification) field from ISPs & middleboxes (like DPI censors).

ignoramous avatar Aug 09 '25 05:08 ignoramous