
DoH initial resolution always done through RethinkDNS (Wireguard proxy use case)

Open Aeris1One opened this issue 3 months ago • 5 comments

Hi, I host a DNS server on my LAN, named dns.local.example.org with address 10.0.0.2 (where example.org is my publicly accessible domain).

The zone local.example.org isn't publicly available. Only resolves when using the local resolver.

I connect to my local network using Wireguard, so 10.0.0.2 can be used as a resolver and the local.example.org zone made accessible. On v055t, Wireguard simple mode is buggy and DNS settings aren't respected, so I use advanced mode and DNS Proxy to 10.0.0.2 (see #2154).

I would like to enable DoH instead of plaintext proxy. Enabling DoH when a Wireguard proxy is enabled doesn't use the proxy's DNS server (10.0.0.2) to retrieve the IP of the DoH resolver, nor does it use the fallback DNS config (which was set to system DNS in my case): it always uses the RethinkDNS zero server. The RethinkDNS resolver obviously returns 1.2.3.4 when asked about dns.local.example.org, and I can't enable DoH.

Screenshot: on this screenshot, we see the two requests used to retrieve the DoH resolver's IP, then two failed requests to the DoH resolver (IP's wrong - I was trying to connect to the `dns.local.example.org` webpage through Vanadium).

Would it be possible to use the Wireguard proxy DNS resolver to retrieve the DoH IP address?

Respecting the Fallback DNS (as stated in #2181) would be useful but still not work for my use case as all options (System, Rethink, Cloudflare, Google) are public resolvers.

Aeris1One avatar Aug 30 '25 20:08 Aeris1One

On v055t, Wireguard simple mode is buggy and DNS settings aren't respected,

What Simple mode WireGuard use case has v055t broken that worked in v055n? We'll want to fix that (if it wasn't intentional).

would like to enable DoH instead of plaintext proxy. Enabling DoH when a Wireguard proxy is enabled doesn't use the proxy's DNS server (10.0.0.2) to retrieve the IP of the DoH resolver, nor does it use the fallback DNS config (which was set to system DNS in my case): it always uses RethinkDNS zero server

This shouldn't happen. If Configure -> Network -> Fallback DNS is set to System, then System DNS must be used. There's no scenario where zero.rethinkdns.com should take over (even when System DNS is not determinable).

Can you check what the RDNSInfo section of About -> Stats says? For me, because I've also setup Fallback DNS to System, it says:

DNSDefault:rethink.x.y.150.10:53[DNS/OK/24ms] x.y.150.10;x.y.241.26; DNSSystem:system.x.y.241.26:53[DNS/OK/101ms] x.y.150.10;x.y.241.26;

"DNSDefault" is Fallback and "DNSSystem" is the currently active underlying network's DNS resolvers (as reported to Rethink by Android).

Would it be possible to use Wireguard proxy DNS resolver to retrieve the DoH IP address

It is, but this will have to be its own setting. Or, we should do so by default when WireGuard is setup in Simple mode. And, we can let users provide a predefined list of IPs to connect to given a DoH hostname.

See also:

  • #1745

ignoramous avatar Aug 31 '25 04:08 ignoramous

What Simple mode WireGuard use case has v055t broken that worked in v055n? We'll want to fix that (if it wasn't intentional).

See #2154

This shouldn't happen. If Configure -> Network -> Fallback DNS is set to System, then System DNS must be used. There's no scenario where zero.rethinkdns.com should take over (even when System DNS is not determinable).

I confirm that Fallback DNS is indeed respected; I think I did my testing wrong earlier. Switching Fallback DNS to Google or Cloudflare makes the initial DoH resolution use it.

Aeris1One avatar Aug 31 '25 08:08 Aeris1One

I noticed exactly the same. It happens just for the first few queries, then it uses the one of WireGuard. Is there a way to toggle off fallback? Is there a way to not use Rethink and keep it just to my original DNS? The one in WireGuard.

luciahk1 avatar Sep 03 '25 13:09 luciahk1

there a way to toggle off fallback?

To be clear, this isn't Rethink using "fallback" because it couldn't use user-set DNS. Rethink needs a bootstrap resolver to resolve domains for its own use (which is currently the same as Configure -> Network -> Fallback DNS).

there a way to not use Rethink and keep it just to my original DNS? The one in WireGuard.

How? Say, a WireGuard has a domain name for a Peer Endpoint... To resolve it via WireGuard DNS, the WireGuard must be set up... but how can Rethink set WireGuard up if the Peer Endpoint itself needs to be resolved to set it up...

This catch-22 can be worked around, but as you might imagine, it is easy to get that wrong. I'm in no hurry to implement such a feature, if ever.

ignoramous avatar Sep 03 '25 15:09 ignoramous
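The bootstrap ordering discussed in this thread (user-pinned IPs per DoH hostname, then the WireGuard peer's DNS, then Fallback DNS) and the catch-22 of a hostname Peer Endpoint, modelled as an added example. This is not rethink-app code; every name, address and resolver answer below is constructed.

```python
"""Model of the DoH bootstrap ordering discussed in this issue: where does
Rethink get the IP of a DoH resolver whose name only exists in a private zone?
Added example, not rethink-app code. Every name, address and answer below is
constructed; 'pinned' models the per-hostname IP list proposed in the thread."""
import ipaddress

# Constructed answer tables: name -> list of IPs, or None for NXDOMAIN.
# The public Fallback DNS cannot see the private local.example.org zone.
PUBLIC_FALLBACK = {"vpn.example.org": ["203.0.113.7"], "dns.local.example.org": None}
# The resolver reachable through the WireGuard tunnel can.
WIREGUARD_DNS = {"vpn.example.org": ["203.0.113.7"], "dns.local.example.org": ["10.0.0.2"]}


def is_ip_literal(s):
    """True if s is an IPv4/IPv6 literal (no DNS lookup needed to connect)."""
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def bootstrap_doh(hostname, pinned, wg_dns, wg_endpoint, fallback):
    """Return (ips, source) for the DoH resolver hostname.
    Order: user-pinned IPs; then the WireGuard peer's DNS, which only exists
    once the tunnel is up; then the Fallback (bootstrap) DNS."""
    if hostname in pinned:
        return list(pinned[hostname]), "pinned"
    if wg_dns is not None:
        # Catch-22 from the thread: a hostname Peer Endpoint must itself be
        # resolved before the tunnel (and so its DNS) can exist, and only the
        # fallback resolver is available at that point.
        if not is_ip_literal(wg_endpoint) and not fallback.get(wg_endpoint):
            return [], "wireguard-endpoint-unresolvable"
        ips = wg_dns.get(hostname)
        if ips:
            return list(ips), "wireguard"
    # Today's behaviour on the page: bootstrap goes through Fallback DNS only,
    # so a private-zone DoH hostname never resolves.
    ips = fallback.get(hostname)
    if ips:
        return list(ips), "fallback"
    return [], "nxdomain"
```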

What Simple mode WireGuard use case has v055t broken that worked in v055n? We'll want to fix that (if it wasn't intentional).

See #2154

This shouldn't happen. If Configure -> Network -> Fallback DNS is set to System, then System DNS must be used. There's no scenario where zero.rethinkdns.com should take over (even when System DNS is not determinable).

I confirm that Fallback DNS is indeed respected; I think I did my testing wrong earlier. Switching Fallback DNS to Google or Cloudflare makes the initial DoH resolution use it.

@Aeris1One now fixed in v055u

error-reporting avatar Nov 09 '25 13:11 error-reporting