plugins icon indicating copy to clipboard operation
plugins copied to clipboard
verified publisher icon opnsense

DNScrypt-proxy plugin randomly changes DNS servers despite static configuration

Open jrm523 opened this issue 1 year ago • 1 comments

Important notices Before you add a new report, we ask you kindly to acknowledge the following:

  • [yes ] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
  • [ yes] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
  • [ yes] The title contains the plugin to which this issue belongs

Describe the bug The DNScrypt-proxy plugin in OPNsense randomly switches between DNS servers even when explicitly configured to use only a single static DoH server (NextDNS). The plugin occasionally uses the configured NextDNS DoH server but then immediately switches to alternative servers after a few successful lookups, ignoring the static configuration.

Tip: to validate your setup was working with the previous version, use opnsense-revert (https://docs.opnsense.org/manual/opnsense_tools.html#opnsense-revert)

To Reproduce Steps to reproduce the behavior:

Configure DNScrypt-Proxy Plugin

  1. Install and enable the DNScrypt-proxy plugin
  2. Navigate to System > Firmware > Plugins
  3. Install os-dnscrypt-proxy and apply changes
  4. Configure DNScrypt-proxy with a single static DoH server
  5. Navigate to Services > DNScrypt-proxy > General
  6. Set Listen Address to 127.0.0.1:5354
  7. Uncheck all options for "Enable Require DNSSEC", "Enable Require NoFiltering", "Enable Require NoLog" and apply changes
  8. Add a static NextDNS server
  9. Navigate to Services > DNScrypt-proxy > Servers and add a new server with the name: NextDNS-[my NextDNS config id] and add SDNS stamp. Ensure only this server is enabled and apply changes.
  10. Disable all other server options
  11. Navigate through all tabs (DNSCrypt, DoH, etc.) and disable all options except those needed for DoH.
  12. Apply changes and restart the add-on.

Configure Unbound DNS

  1. Configure Unbound to forward to DNScrypt-proxy
  2. Navigate to Services > Unbound DNS > Query Forwarding and add 127.0.0.1:5354 as forwarding server.
  3. Apply changes and restart the add-on.

Verify the inconsistent behavior

  1. Check NextDNS profile and test.nextdns.io to confirm only some queries arrive at NextDNS.
  2. Observe that DNS provider randomly changes between NextDNS and other providers.

Actual Behavior DNScrypt-proxy initially uses the configured NextDNS server for a few queries but then randomly switches to other DNS servers (such as those hosted on Vultr or other providers), despite having only one static server configured. This behavior persists after multiple restarts and configuration adjustments.

Expected behavior DNScrypt-proxy should consistently use only the explicitly configured static NextDNS DoH server for all DNS queries, with no random switching to alternative servers.

Screenshots If applicable, add screenshots to help explain your problem.

Relevant log files `

[2025-04-05 13:40:28] [NOTICE] Server with the lowest initial latency: nextdns-ultralow (rtt: 2ms) |   -- | --   |   |   | [2025-04-05 13:40:28] [NOTICE] - 1081ms ahadns-doh-la |     |   |   | [2025-04-05 13:40:28] [NOTICE] - 812ms adguard-dns-family-doh |     |   |   | [2025-04-05 13:40:28] [NOTICE] - 337ms doh-ibksturm |     |   |   | [2025-04-05 13:40:28] [NOTICE] - 331ms alidns-doh |     |   |   | [2025-04-05 13:40:28] [NOTICE] - 301ms jp.tiarap.org |     |   |   | [2025-04-05 13:40:28] [NOTICE] - 289ms adfilter-per `

Additional context

  • The issue consistently appears even after multiple plugin reinstallations and reboots.
  • My goal is to have unbound DNS handle internal DNS queries and to forward external queries to DNSCrypt-proxy so that they are encrypted (DoH) using NextDNS.

Environment OPNsense Version: 25.1.4_1 (amd64) DNScrypt-proxy plugin version: 1.15_2 Hardware: Virtual (proxmox) 8GB Mem, 6 CPU cores

jrm523 avatar Apr 05 '25 21:04 jrm523

I am relatively new to submitting bugs so please let me know if I overlooked anything or if you need additional information. Thank you very much.

jrm523 avatar Apr 05 '25 21:04 jrm523

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.

OPNsense-bot avatar Oct 02 '25 20:10 OPNsense-bot