cs dnscrypt-proxy server TIMEOUT

Topic Author
cryptomon
Posts: 28
Joined: Fri Feb 23, 2018 7:32 am

Post by cryptomon » Mon Nov 04, 2019 8:52 am

Been trying to work through an issue of dnscrypt-proxy not connecting to the cs resolver servers. I keep getting TIMEOUT on all servers.
Previously it was telling me "No useable certificate found", but this doesn't seem to be showing up now - only the TIMEOUT errors.

[...] dnscrypt-proxy[149367]: Source [/var/cache/dnscrypt-proxy/public-resolvers.md] loaded
[...] dnscrypt-proxy[149367]: Firefox workaround initialized
[...] dnscrypt-proxy[149367]: Now listening to 127.0.0.1:53 [UDP]
[...] dnscrypt-proxy[149367]: Now listening to 127.0.0.1:53 [TCP]
[...] dnscrypt-proxy[149367]: No useable certificate found
[...] dnscrypt-proxy[149367]: dnscrypt-proxy is waiting for at least one server to be reachable
[...] dnscrypt-proxy[149367]: [cs-fi] TIMEOUT
[...] dnscrypt-proxy[149367]: [cs-nl2] TIMEOUT
[...] dnscrypt-proxy[149367]: [cs-ca] TIMEOUT

Are there any known issues with these servers? Changing to some other servers that are not CS based seems to work okay. Maybe the anonymous relay servers offered now are a better/equivalent option?

UPDATE: I just found this article
https://cryptostorm.is/blog/anondns
and
https://github.com/DNSCrypt/dnscrypt-pr ... ymized-DNS
https://twitter.com/cryptostorm_is
which seems to imply these servers are no longer available with the anon servers preferred?

So if anonymous servers are the future how should one configure the .toml file? i.e.
Before I had the list of "cs- " type servers listed after "server_names". Now this should remain commented?
Are the cs- resolvers still accessible from an anon-cs relay?


Topic Author
cryptomon
Posts: 28
Joined: Fri Feb 23, 2018 7:32 am

Re: cs dnscrypt-proxy server TIMEOUT

Post by cryptomon » Mon Nov 04, 2019 10:36 am

I guess one has to now manually provide a list of routes for each resolver used or listed in the "server_names" list?

df
Site Admin
Posts: 421
Joined: Thu Jan 01, 1970 5:00 am

Re: cs dnscrypt-proxy server TIMEOUT

Post by df » Mon Nov 04, 2019 6:34 pm

The new setup is backwards compatible with the old setup, so no changes need to be made to the .toml file client-side.
Looks like the problem is that keys aren't rotating correctly, or maybe they're not rotating often enough like with the old setup.
I'll go through the code and see what the problem is, but everything should work correctly now, no more "No useable certificate found" or TIMEOUT errors.

EDIT:
Ah, there it is. The dnscrypt-proxy.toml that comes with our widget and the one on our GitHub does:
cert_refresh_delay = 240
which would refresh the cert every 4 hours (240 minutes), but the new encrypted-dns thing on the server does:
pub const DNSCRYPT_CERTS_RENEWAL: u32 = 28800;
which would refresh the cert every 8 hours (28800 seconds).
So we could change that server-side 28800 to 14400 seconds (4 hours), but I think instead we'll do a cron job that restarts the instance every 20 minutes (causing a certificate renewal too) since lower is better with that
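
A DNSCrypt client can only use a certificate whose validity window (ts-start to ts-end) covers the current time. As an added example (not code from dnscrypt-proxy, encrypted-dns-server or the posters), this Python code parses the fixed 124-byte certificate layout from the DNSCrypt v2 specification and checks that window against the clock and against the client's cert_refresh_delay; the sample certificates and the timestamp are constructed, and the signature is not verified.

```python
import struct

CERT_MAGIC = b"DNSC"
# magic 4, es-version 2, minor 2, signature 64, resolver-pk 32,
# client-magic 8, serial 4, ts-start 4, ts-end 4
CERT_LEN = 124


def parse_cert(raw: bytes) -> dict:
    """Parse the fixed part of a DNSCrypt v2 certificate. The signature is NOT verified."""
    if len(raw) < CERT_LEN or raw[:4] != CERT_MAGIC:
        raise ValueError("not a DNSCrypt certificate")
    es_version, minor = struct.unpack(">HH", raw[4:8])
    serial, ts_start, ts_end = struct.unpack(">III", raw[112:124])
    return {"es_version": es_version, "minor": minor, "serial": serial,
            "ts_start": ts_start, "ts_end": ts_end}


def pick_usable(certs, now):
    """Return the valid certificate with the highest serial, or None if none covers `now`."""
    valid = [c for c in certs if c["ts_start"] <= now <= c["ts_end"]]
    return max(valid, key=lambda c: c["serial"]) if valid else None


def survives_refresh(cert, now, cert_refresh_delay_min):
    """True if the certificate is still valid at the client's next scheduled refresh."""
    return cert["ts_end"] >= now + cert_refresh_delay_min * 60


def make_cert(serial, ts_start, ts_end):
    """Constructed sample: zero-filled signature, resolver key and client magic."""
    return (CERT_MAGIC + struct.pack(">HH", 2, 0) + bytes(64) + bytes(32) + bytes(8)
            + struct.pack(">III", serial, ts_start, ts_end))


NOW = 1572857520  # constructed timestamp
EXPIRED = parse_cert(make_cert(1, NOW - 36000, NOW - 7200))
SHORT = parse_cert(make_cert(2, NOW - 3600, NOW + 3600))

if __name__ == "__main__":
    print(pick_usable([EXPIRED], NOW))         # no certificate covers NOW
    print(pick_usable([EXPIRED, SHORT], NOW))  # the serial-2 certificate
    print(survives_refresh(SHORT, NOW, 240))   # expires before a 240-minute refresh
```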

df
Site Admin
Posts: 421
Joined: Thu Jan 01, 1970 5:00 am

Re: cs dnscrypt-proxy server TIMEOUT

Post by df » Tue Nov 05, 2019 4:39 am

There was another problem with the cron job we made earlier, it was trying to restart encrypted-dns before the last instance cleanly exited, which caused it to sometimes not run.
Should be good now.

EDIT:
https://github.com/jedisct1/encrypted-d ... er/pull/13
Submitted a pull request so encrypted-dns-server's cert refresh is the same as dnscrypt-proxy's default of 4 hours.
Our cron script seems to be doing the trick though.


Topic Author
cryptomon
Posts: 28
Joined: Fri Feb 23, 2018 7:32 am

Re: cs dnscrypt-proxy server TIMEOUT

Post by cryptomon » Tue Nov 05, 2019 7:30 am

I seem to be having more success now.

So I have a full list of "cs- " type servers listed after "server_names", as before.
It seems that to actually make each of these DNS servers accessible only via an anon relay, I have to manually create the "route" list for each item under server_names. One is okay, but for a long list it becomes more tedious. Might have to automate that in some way myself with some criteria, say, a differing country between the anon relay and the DNS server.
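
One way to automate the route list described in the post above, as an added example (not from the thread or from the dnscrypt-proxy project): it emits the [anonymized_dns] routes entries for dnscrypt-proxy.toml, giving each resolver only relays whose name carries a different country tag. Inferring the country from the name suffix is an assumption, and "anon-cs-fi" is a constructed relay name included to show the exclusion.

```python
def country(name: str) -> str:
    """Assumption: names end in a country tag, e.g. cs-nl2 -> nl, anon-cs-it -> it."""
    return name.rsplit("-", 1)[-1].rstrip("0123456789")


def build_routes(servers, relays, per_server=2):
    """Pair each resolver with up to `per_server` relays from a different country."""
    routes = []
    for i, srv in enumerate(servers):
        candidates = [r for r in relays if country(r) != country(srv)]
        if not candidates:
            raise ValueError(f"no relay in a different country for {srv}")
        # Rotate the starting point so the same relay is not first for every resolver.
        k = i % len(candidates)
        routes.append((srv, (candidates[k:] + candidates[:k])[:per_server]))
    return routes


def to_toml(routes) -> str:
    """Render the routes as the [anonymized_dns] section of dnscrypt-proxy.toml."""
    entries = []
    for srv, via in routes:
        vias = ", ".join(f"'{v}'" for v in via)
        entries.append(f"    {{ server_name='{srv}', via=[{vias}] }}")
    return "[anonymized_dns]\nroutes = [\n" + ",\n".join(entries) + "\n]"


# Resolver names from the log in this thread; relay list partly constructed.
SERVERS = ["cs-fi", "cs-nl2", "cs-ca"]
RELAYS = ["anon-cs-it", "anon-cs-po", "anon-cs-fi"]

if __name__ == "__main__":
    print(to_toml(build_routes(SERVERS, RELAYS)))
```

Country is only a rough criterion: a relay and a resolver run by the same operator can still correlate the client address with the queries, wherever each is hosted.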


Topic Author
cryptomon
Posts: 28
Joined: Fri Feb 23, 2018 7:32 am

Re: cs dnscrypt-proxy server TIMEOUT

Post by cryptomon » Tue Nov 05, 2019 9:14 am

Strangely, at the same time I am having trouble resolving the Balancer vpn option. No issue if I change to Switzerland for example.

df
Site Admin
Posts: 421
Joined: Thu Jan 01, 1970 5:00 am

Re: cs dnscrypt-proxy server TIMEOUT

Post by df » Wed Nov 06, 2019 5:53 am

works for me

Code: Select all

[root@b ~]# host switzerland.cstorm.is
[root@b ~]# host balancer.cstorm.is


tigernero

Re: cs dnscrypt-proxy server TIMEOUT

Post by tigernero » Fri Jan 31, 2020 4:37 pm

I also have the same problem when I use anon-cs relays for anonymity with dnscrypt-proxy; if I use different relays it works. Parse error and server timeout with DNS scaleway-fr and your anonymous relay.

Code: Select all

[2020-01-31 07:55:32]  127.0.0.1    ftp.pensierando.it   AAAA  PARSE_ERROR   0ms   -                              
[2020-01-31 07:55:32]  127.0.0.1    ftp.pensierando.it   A    PARSE_ERROR   0ms   -                              
[2020-01-31 07:55:34]  127.0.0.1    www.windowsblogitalia.com    A    PARSE_ERROR   0ms   -                          
[2020-01-31 07:55:35]  127.0.0.1    www.windowsblogitalia.com    A    PARSE_ERROR   1ms   -                          
[2020-01-31 07:55:42]  127.0.0.1    www.windowsblogitalia.com    A    SERVER_TIMEOUT 5002ms scaleway-fr                     
[2020-01-31 07:55:42]  127.0.0.1    ftp.pensierando.it   A    SERVER_TIMEOUT 5006ms scaleway-fr                         
[2020-01-31 07:55:42]  127.0.0.1    ftp.pensierando.it   AAAA  SERVER_TIMEOUT 5001ms scaleway-fr                         
[2020-01-31 07:55:47]  127.0.0.1    www.windowsblogitalia.com    A    SERVER_TIMEOUT 5005ms scaleway-fr                     
[2020-01-31 07:55:52]  127.0.0.1    www.windowsblogitalia.com    A    SERVER_TIMEOUT 5003ms scaleway-fr                     
[2020-01-31 07:55:57]  127.0.0.1    www.windowsblogitalia.com    A    SERVER_TIMEOUT 5002ms scaleway-fr                     
[2020-01-31 07:56:04]  127.0.0.1    a3.tuyaeu.com  A    SERVER_TIMEOUT 5002ms scaleway-fr                             
[2020-01-31 07:56:05]  127.0.0.1    a3.tuyaeu.com  A    SERVER_TIMEOUT 5003ms scaleway-fr                             
[2020-01-31 07:56:06]  127.0.0.1    a3.tuyaeu.com  A    SERVER_TIMEOUT 5004ms scaleway-fr                             
[2020-01-31 07:56:08]  127.0.0.1    a3.tuyaeu.com  A    SERVER_TIMEOUT 5002ms scaleway-fr                             
[2020-01-31 07:56:20]  127.0.0.1    ftp.pensierando.it   A    SERVER_TIMEOUT 5001ms scaleway-fr                         
[2020-01-31 07:56:20]  127.0.0.1    ftp.pensierando.it   AAAA  SERVER_TIMEOUT 5007ms scaleway-fr


tigernero
Posts: 2
Joined: Fri Jan 31, 2020 4:40 pm

Re: cs dnscrypt-proxy server TIMEOUT

Post by tigernero » Fri Jan 31, 2020 5:52 pm

I am running dnscrypt-proxy with scaleway-fr servers and your anonymous relays,
in particular anon-cs-it and anon-cs-po, but on all your relays
I get a parse and server timeout error.
I attach the query log.

Code: Select all

[2020-01-31 07:55:32]  127.0.0.1    ftp.pensierando.it   AAAA  PARSE_ERROR   0ms   -                              
[2020-01-31 07:55:32]  127.0.0.1    ftp.pensierando.it   A    PARSE_ERROR   0ms   -                              
[2020-01-31 07:55:34]  127.0.0.1    www.windowsblogitalia.com    A    PARSE_ERROR   0ms   -                          
[2020-01-31 07:55:35]  127.0.0.1    www.windowsblogitalia.com    A    PARSE_ERROR   1ms   -                          
[2020-01-31 07:55:42]  127.0.0.1    www.windowsblogitalia.com    A    SERVER_TIMEOUT 5002ms scaleway-fr                     
[2020-01-31 07:55:42]  127.0.0.1    ftp.pensierando.it   A    SERVER_TIMEOUT 5006ms scaleway-fr                         
[2020-01-31 07:55:42]  127.0.0.1    ftp.pensierando.it   AAAA  SERVER_TIMEOUT 5001ms scaleway-fr                         
[2020-01-31 07:55:47]  127.0.0.1    www.windowsblogitalia.com    A    SERVER_TIMEOUT 5005ms scaleway-fr                     
[2020-01-31 07:55:52]  127.0.0.1    www.windowsblogitalia.com    A    SERVER_TIMEOUT 5003ms scaleway-fr                     
[2020-01-31 07:55:57]  127.0.0.1    www.windowsblogitalia.com    A    SERVER_TIMEOUT 5002ms scaleway-fr                     
[2020-01-31 07:56:04]  127.0.0.1    a3.tuyaeu.com  A    SERVER_TIMEOUT 5002ms scaleway-fr                             
[2020-01-31 07:56:05]  127.0.0.1    a3.tuyaeu.com  A    SERVER_TIMEOUT 5003ms scaleway-fr                             
[2020-01-31 07:56:06]  127.0.0.1    a3.tuyaeu.com  A    SERVER_TIMEOUT 5004ms scaleway-fr                             
[2020-01-31 07:56:08]  127.0.0.1    a3.tuyaeu.com  A    SERVER_TIMEOUT 5002ms scaleway-fr                             
[2020-01-31 07:56:20]  127.0.0.1    ftp.pensierando.it   A    SERVER_TIMEOUT 5001ms scaleway-fr                         
[2020-01-31 07:56:20]  127.0.0.1    ftp.pensierando.it   AAAA  SERVER_TIMEOUT 5007ms scaleway-fr
Speaking with the founder of dnscrypt-proxy, @jedisct1, he himself asked me to ask you

https://github.com/DNSCrypt/dnscrypt-proxy/issues/1172

also how to resolve the parser and timeout errors that have been occurring for some time using your relays with his service, which I want to clarify works with relays not your cs


AnonAsPossible
Posts: 13
Joined: Fri Feb 10, 2017 3:49 am

Re: cs dnscrypt-proxy server TIMEOUT

Post by AnonAsPossible » Sat Feb 01, 2020 11:06 pm

The Polish server is off-line and 1 of their French servers was recently removed? You should check their server status page for their online status, here:
https://uptime.statuscake.com/?TestID=tZj3HbyKm5


tigernero
Posts: 2
Joined: Fri Jan 31, 2020 4:40 pm

Re: cs dnscrypt-proxy server TIMEOUT

Post by tigernero » Sun Feb 02, 2020 12:09 pm

I report to your anonymous dns relay

Unfortunately the problem exists with all anonymous dns relays that interface with dnscrypt-proxy.
I use Frank's server as a dns server (scaleway-fr) and to have Anonymized DNS of the IP around the requests on at least 2 Anonymized DNS relays.
I usually used anon-cs-it, being in Italy, and as a secondary anon-cs-po,
but also using other anon-cs relays, parse-error as you can see from the logs above, and Frank's server goes into server-timeout.
Everything works if I use relays other than anon-cs, see:

"anon-dnscrypt.one" and "anon-ibksturm"

I get the anonymous relay list from here:

https://github.com/DNSCrypt/dnscrypt-re ... /relays.md

I repeat: everything works if as Anonymized DNS I use those not yours. As soon as I use yours it will parse error and server timeout.

Sometimes, setting the anon-cs relays, I surf for a few hours and then have a problem with parse error and server timeout. Could be a certificate renewal problem?
