Resolved: DNScrypt's queries randomly fail with the error RESPONSE_ERROR.

[OoLunar]

DNScrypt's queries randomly fail with the error RESPONSE_ERROR.

Log:

[2021-09-14 22:40:36]   127.0.0.1   scanner-27.ch1.censys-scanner.com   A   PASS
[2021-09-14 22:40:36]   127.0.0.1   scanner-27.ch1.censys-scanner.com   AAAA    RESPONSE_ERROR
[2021-09-14 22:40:36]   127.0.0.1   114.14.120.74.in-addr.arpa  PTR PASS
[2021-09-14 22:40:36]   127.0.0.1   scanner-27.ch1.censys-scanner.com.dbl.spamhaus.org  A   NXDOMAIN
[2021-09-14 22:40:36]   127.0.0.1   114.14.120.74.origin.asn.cymru.com  TXT RESPONSE_ERROR
[2021-09-14 22:40:36]   127.0.0.1   114.14.120.74.in-addr.arpa  PTR PASS
[2021-09-14 22:40:44]   127.0.0.1   www.censys.io   AAAA    PASS
[2021-09-14 22:40:44]   127.0.0.1   www.censys.io   A   PASS
[2021-09-14 22:40:44]   127.0.0.1   www.censys.io   TXT RESPONSE_ERROR
[2021-09-14 22:40:44]   127.0.0.1   www.censys.io.dbl.spamhaus.org  A   RESPONSE_ERROR
[2021-09-14 22:42:32]   127.0.0.1   1.0.0.127.zen.spamhaus.org  A   NXDOMAIN
[2021-09-14 22:42:32]   127.0.0.1   1.0.0.127.b.barracudacentral.org    A   NXDOMAIN
[2021-09-14 22:42:32]   127.0.0.1   1.0.0.127.bl.spamcop.net    A   NXDOMAIN
[2021-09-14 22:42:32]   127.0.0.1   2.0.0.127.zen.spamhaus.org  A   RESPONSE_ERROR
[2021-09-14 22:42:32]   127.0.0.1   2.0.0.127.b.barracudacentral.org    A   RESPONSE_ERROR
[2021-09-14 22:42:32]   127.0.0.1   2.0.0.127.bl.spamcop.net    A   RESPONSE_ERROR
[2021-09-14 22:42:32]   127.0.0.1   1.0.0.127.spamsources.fabel.dk  A   NXDOMAIN
[2021-09-14 22:42:32]   127.0.0.1   2.0.0.127.spamsources.fabel.dk  A   RESPONSE_ERROR

Config:

# Empty listen_addresses to use systemd socket activation
listen_addresses = []
server_names = ['cloudflare']

[query_log]
  file = '/var/log/dnscrypt-proxy/query.log'

[nx_log]
  file = '/var/log/dnscrypt-proxy/nx.log'

[sources]
  [sources.'public-resolvers']
  url = 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'
  cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
  minisign_key = 'redacted'
  refresh_delay = 72
  prefix = ''

[ghost]

Same issue here ! so frustrating
version: 2.0.21 with default configuration
server_names = ['cloudflare']

[jdrch]

Same problem here since around the same time. Based on this thread it seems Cloudflare are either mishandling or deliberately rate limiting signed or encrypted DNS queries.

Looks like we might have to file an issue with Cloudflare themselves.

[jdrch]

Update: apparently you can no longer file a Cloudflare ticket with a free account, so I created a thread at their community about this. Please chime in there if this issue is also affecting you.

[ianbashford]

The cloudflare entry is registered as DoH so you'd need to have this in the main config file
doh_servers = true

You can put the sdns string into this web page to see how it's setup https://dnscrypt.info/stamps

I see Google is also showing as DoH - their stamps from the file are:

[cloudflare] with stamp [sdns://AgcAAAAAAAAABzEuMC4wLjEAEmRucy5jbG91ZGZsYXJlLmNvbQovZG5zLXF1ZXJ5]
[google] with stamp [sdns://AgUAAAAAAAAABzguOC44LjigHvYkz_9ea9O63fP92_3qVlRn43cpncfuZnUWbzAMwbmgdoAkR6AZkxo_AEMExT_cbBssN43Evo9zs5_ZyWnftEUgalBisNF41VbxY7E7Gw8ZQ10CWIKRzHVYnf7m6xHI1cMKZG5zLmdvb2dsZQovZG5zLXF1ZXJ5]

Can you check your main config file to see if doh_servers is set? As soon as I flicked the flag both google and cloudflare started to work.

[OoLunar]

Will give it a shot later

[ianbashford]

I'm not so sure this will cause the random failures actually....
I'll set up a test to monitor them, but it's most likely an issue hidden behind their load balancers...

[jdrch]

Can you check your main config file to see if doh_servers is set? As soon as I flicked the flag both google and cloudflare started to work.

Yep, it's been set all this time.

[jdrch]

both google and cloudflare

@ianbashford Wait, are you saying both Google and Cloudflare DNS have this issue? I've noticed it with Cloudflare only but that's because Cloudflare is my only upstream DNS. If Google DNS is also affected then that would seem to be indicative either of a dnscrypt-proxy issue or something more systemic to the DNSCrypt ecosystem

FWIW, I've also pinged Cloudflare support on Twitter about this. If anyone wants to RT or reply to that tweet to get some traction on this, it would be much appreciated. >2 months of breakage no es bueno.

[jdrch]

Anybody having any luck with this at all? I don't see any further replies, so if anyone managed to resolve the problem kindly share the solution with the rest of us.

UPDATE

at this point I've even tried replacing the standalone dnscrypt-proxy binary with the Debian 11 repo package, changing listen ports, even trying Quad9 instead of Cloudflare. None of the above works.

At the same time, NextDNS DoH works on my phone on the same home network. This leads me to believe the DNS stamps used by dnscrypt-proxy are wrong.

[ianbashford]

query.log.gz
I did some tests -- I didn't find anything too out of the ordinary, but see how this compares with what you're seeing.

dnsperf -s 127.0.0.1 -p 5353 -d ./clean_test_data_dnsperf.txt -l 86400 -c 5 -Q 1 <- That's 1 query/sec for 24 hours aimed only at cloudflare; no local caching set, and I use a set of hostnames ( 450k in the set ) to make sure there's no bias from my own house's internet usage.

Output:

Statistics:

  Queries sent:         86400
  Queries completed:    86374 (99.97%)
  Queries lost:         26 (0.03%)

  Response codes:       NOERROR 86220 (99.82%), SERVFAIL 111 (0.13%), NXDOMAIN 43 (0.05%)

In total I got 26 'NETWORK_ERROR' written into the logs ( which tallies with the lost queries )

I'll happily keep these running if we can get any more useful input from them, but I don't see much...

If you're seeing much higher numbers than I'm seeing in this test, could it be something to do with some locations? Since cloudflare run an anycast address, if we're in different geographic locations, we'll be hitting different cloudflare datacentres...
I'm in the UK -- don't know where you all are but maybe there's a clue in there

Any luck from twitter ?

--
UPDATE
I've attached the query.log generated
I've started another 24H run with dnssec ( which may only affect some domains in the list ) @ 2 queries/sec

[OoLunar]

I'm definitely getting more errors than that. I'll run the same tests and report back the results tomorrow

[OoLunar]

Just got home, setting up the test now. In order to get the domain names from your query.log file, I ran the following command:

cut -f 3-4 query.log | uniq > domain_names.txt

When I was starting the dnscrypt-proxy service, I got the following error:

[2021-12-22 18:27:17] [CRITICAL] Unable to retrieve source [public-resolvers]: [Invalid encoded public key]

With the following config:

listen_addresses = ['127.0.0.1:53']
server_names = ['cloudflare']
doh_servers = true

[query_log]
  file = '/var/log/dnscrypt-proxy/query.log'

[nx_log]
  file = '/var/log/dnscrypt-proxy/nx.log'

[sources]
  [sources.'public-resolvers']
  url = 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'
  cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
  minisign_key = 'redacted'
  refresh_delay = 72
  prefix = ''

Forgive me if my config is wrong, this is my second time setting up DNSCrypt

[jdrch]

[2021-12-22 18:27:17] [CRITICAL] Unable to retrieve source [public-resolvers]: [Invalid encoded public key]

I'm strongly inclined to say this is (1 of) our root problem(s). I was wondering if the lists weren't downloading at all but I couldn't think of any way to verify.

That said, I couldn't get dnscrypt-proxy to work even when I specified the DNS Stamp using [static] but I suspect dnscrypt-proxy ignores [static] when a list is specified.

[OoLunar]

Ah, I forgot to replace the minisign_key

[ianbashford]

@OoLunar
this is a link to the file that will input directly into dnsperf
https://github.com/ianbashford/dns-loadtest/blob/main/testdata/clean_test_data_dnsperf.txt

something like this should work

nohup dnsperf -s 127.0.0.1 -p 5353 -d ./clean_test_data_dnsperf.txt -l 86400 -c 7 -Q 5 -D >24hr_us.out 2>&1 &

-d == file to read
-l 86400 == time to run in seconds
-c 7 == emulate 7 clients
-Q 5 == 5 queries / second
-D == dnssec

Obvs the ip address and port ( -s 127.0.0.1 -p 5353 ) you make as appropriate for your system
(apologies if you know all of that -- hopefully it'll also help others who follow this in the future)

[jdrch]

I tried cloudflared last night and got the exact same problems. FWIW, I use Pi-hole for downstream DNS request filtering. When I set up dnscrypt-proxy from scratch from the Debian 11 repos, querying it directly via dig @127.0.0.1 -p dnscrypt-proxy_listen_port_number working_URL would work, but queries passed through Pi-hole would fail. I tried enabling and disabling DNSSEC in Pi-hole, to no avail. The same thing happened with cloudflared.

From forum convos with Pi-hole devs and mods it seems they've largely migrated to unbound, which may mean that other services like dnscrypt-proxy and cloudflared are no longer being properly or thoroughly tested. "Why not just use unbound?" has been a standard Pi-hole forum reply to every issue using a different upstream for over a year now.

Anyway, I deployed unbound in the wee hours of this morning. Not only was the deployment easier but it's been flawless since. Unless something goes horribly wrong, I guess I'll consider myself migrated to unbound at this point. For those who may be hesitant about doing so, the deployment (using the instructions linked to) is easier than either of the other upstreams in this post, and the performance is as described at the link.

@ianbashford I'm on MetroNet in SE Iowa, USA.

[ianbashford]

Thanks -- so am I right in thinking that's not encrypted upstream unless you apply additional steps?

[jdrch]

@ianbashford Depends on how you define "encrypted". Because I have DNSSEC enabled in Pi-hole, the replies are cryptographically signed. However as far as I can tell the queries unbound sends to the various root servers are visible. Per Pi-hole's link in my previous comment, unbound's privacy model is:

Benefit: Privacy - as you're directly contacting the responsive servers, no server can fully log the exact paths you're going, as e.g. the Google DNS servers will only be asked if you want to visit a Google website, but not if you visit the website of your favorite newspaper, etc.

In other words, your entire DNS query activity is no longer fed directly to any single entity, which makes gaining a master view of the former considerably more difficult for a privacy attacker.

unbound's security model is:

from the point of an attacker, the DNS servers of larger providers are very worthwhile targets, as they only need to poison one DNS server, but millions of users might be affected. Instead of your bank's actual IP address, you could be sent to a phishing site hosted on some island. This scenario has already happened and it isn't unlikely to happen again...

When you operate your own (tiny) recursive DNS server, then the likeliness of getting affected by such an attack is greatly reduced.

There's also a slight (depending on whether the user thinks they can achieve better uptime with their own hardware than a company with global datacenters and an army of engineers 😜) reliability benefit as the user no longer has to worry about upstream quirks (such as the one on this thread) or outages.

[jedisct1]

Alternate view:

• DNSSEC provides no practical security, just makes everything slower and less reliable. It doesn't encrypt anything. Virtually no domains are signed (and no major website supports DNSSEC, including Google).
• DNS cache poisoning is a sales pitch, rarely happens in the real world. The only time I've seen DNS cache poisoning was OpenDNS, due to a major bug in their implementation. Registrars and everything between ISPs and clients is where DNS tampering actually happens.
• Operating your own resolver doesn't prevent unsigned records from being tampered with. It's no different than sending queries directly, except that it requires more round trips, doesn't benefit from upstream caches.
• If you care about privacy, Anonymized DNS is a far better option these days.

[jdrch]

@jedisct1 I agree. However, to quote a lead software developer at my 2nd job out of grad school: a decent idea that works is better than an excellent idea that doesn't. dnscrypt-proxy (and cloudflared) hasn't been working for months, and there has literally been no resolution here, on the Cloudflare forums, or tweeting at Cloudflare Support.

Pi-hole works just fine with either Cloudflare directly upstream or unbound, and of those 2 unbound is the more secure and private option. So that's what I'm being forced to go with. I wish I could stay on the DoH/DNSCrypt bus, but I can't.

[OoLunar]

@OoLunar - are you also on pihole or dnscrypt direct

I'm using DNSCrypt directly with a Wireguard VPN, on VoidLinux. These requests are failing on both my VPN clients and my server

[ianbashford]

@OoLunar Are you also in the the US or elsewhere?
FWIW I also have a setup that go out via wireguard, one via open vpn and two straight to the internet.
I don't use cloudflare at all on those, but the dnsperf test is using exclusively cloudflare and is so far not exhibiting this behaviour

Also, no pihole here...

[ianbashford]

@OoLunar follow up - perhaps a better question. Where does the wireguard termination think it is?

[OoLunar]

@OoLunar Are you also in the the US or elsewhere? FWIW I also have a setup that go out via wireguard, one via open vpn and two straight to the internet. I don't use cloudflare at all on those, but the dnsperf test is using exclusively cloudflare and is so far not exhibiting this behaviour

Also, no pihole here...

My server is in St. Louis, Missouri. My VPN client is in Texas. I use Cloudflare on all possible devices, but only notice the issue when using DNSCrypt.

Where does the wireguard termination think it is?

What do you mean by "termination"?

[ianbashford]

You answered it for me -- so I have an openvpn provider, but it can terminate in the US/Australia/Germany etc. and make it look like I'm located there.
I'm thinking that we could try to diagnose something that way...
If I get 100% using cloudflare from the UK, but using a VPN ( to the US ) I get different results, then that might help us narrow things down. )

[OoLunar]

Let's double check everything here:

• Everyone has had this problem, and is still having this problem.
• The issue doesn't seem to come from a configuration error, nor from a software bug
• This doesn't happen with any other providers other than Cloudflare

Are all of these correct?

[jdrch]

1. Correct
2. Correct
3. Using Quad9's DNSCrypt DNS as the upstream produces the same problem. Per @ianbashford Google's DoH DNS also has the same issue.

However, as Ian also pointed out, the problem seems also to vary by the user's geographic location. For him, for example, the failure rate is too low to be disruptive, while for me stuff like, for example, # apt update fails entirely because none of the repos are reachable and websites fail to load.

It could be that the major DoH providers (except NextDNS?) are using Cloudflare's load balancing system so as to not reinvent the wheel. Assuming this load balancing system is in the cloud, it would explain why my switching from Cloudflare to Quad9 resulted in the same problems.

All that said, here's an interesting tidbit from Cloudflare's own documentation on Rate Limiting:

[Avoid] tunnelling or proxying all queries from a single IP address at high rates.

The writeup doesn't define "high", BUT my Pi-Hole dashboard says it handles ~115K queries/day (11 PCs, multiple smart TVs, phones, consoles, etc.). IIRC things functioned just fine back when I was below 100K. For reference, NextDNS starts charging at ~10K queries/day.

Does anyone else experiencing this problem know how many queries per day they're sending upstream?

TBH if that's the issue then unbound or using an offsite upstream directly from Pi-hole would be the only workable solution for me anyway as I don't think I want to pay for DoH.

[ianbashford]

Per @ianbashford Google's DoH DNS also has the same issue.

No -- they're both DoH stamps, not dnscrypt, that's all I said

[ianbashford]

@OoLunar - I don't see this issue ( but don't use pihole )
The latest dnsperf I've setup should do 168k queries over the 24h period which might help to understand if it's a limit
If it is a limt, then I'd expect failures all to arrive at the end of the day i.e. after the 100k limit has been breached -- I suspect that might be easy to detect

[jdrch]

Per @ianbashford Google's DoH DNS also has the same issue.

No -- they're both DoH stamps, not dnscrypt, that's all I said

My apologies. Previous comment edited accordingly.

[ianbashford]

@OoLunar

Further question -- I see you have quite a few AAAA records in your initial report -- I don't have IPv6 here, so all my queries are IPv4. Are you on native IPv6? Is it possible all of your queries are being made over IPv6 ?
(Just trying to identify differences)

Update on the testing:
I completed the second 24 hour -- I put some extra pressure on to make sure I did > 100k
Out of 147175 rows, only 75 contained errors ( network error timeouts as before ).

I've setup a VPN to Chicago, IL (that's the closest termination point from my VPN provider I could find to MIssouri )

I've kept the rate high, so that 5 queries per second ( each query is for a different hostname so no repetition )
RTT is quite high [NOTICE] [cloudflare] OK (DoH) - rtt: 111ms

Looks like I'm being served from cloudflare's server in 'ORD', which is O'Hare:
Cf-Ray="[6c228f565af62a1e-ORD]"

[OoLunar]

Well, that's honestly a good question. My VPS provider claims they have ipv6 support, and I can retrieve my ipv6 address, and even have software listen on it. However, I can't seem to make any requests with it. What's even worse is that none of my devices seem to support ipv6, even with the VPN off. When I try to do any of the following, I get a "Network is unreachable" error:

[lunar@forsaken-borders ~]$ curl -6 google.com
curl: (7) Couldn't connect to server
[lunar@forsaken-borders ~]$ ssh -6 google.com
ssh: connect to host google.com port 22: Network is unreachable
[lunar@forsaken-borders ~]$ telnet -6 google.com
Trying 2607:f8b0:4009:81b::200e...
telnet: Unable to connect to remote host: Network is unreachable

For now I'll add the ipv6_servers = false option, which should help.

[jdrch]

OK folks, over 2 months later (LOL) this issue is finally getting Cloudfare staff attention. If you're still having problems, please chime in at this Cloudflare Community thread.

[OoLunar]

Not really sure what's laughable about a 2 month wait time, especially when the post wasn't properly tagged. I'm excited to see what the underlying issue is, if there is any.

[jdrch]

Well I'd also tried to file a support ticket, but apparently only paid customers can do that now. I also apologized for the wrong tag in the CC thread. 🤷‍♂️

Folks can argue about tags and other technicalities all they want, but at the end of the day if a user's problems aren't being addressed it's very likely they'll move on to something else ... which I have. I may not be a paying Cloudflare customer but there's absolutely no doubt even anonymized DNS traffic data is useful to them or they wouldn't be offering if for free.

I'm still here trying to connect those who use dnscrypt-proxy to whatever help they can get anyway. I also posted in the Pi-hole support thread; hopefully other people get in touch on Cloudflare Community.

[ianbashford]

Wow -- great response now they've got to it

"I think your issue has been solved. One of our attack mitigation system is not quite intelligent yet, which ratelimits a block of IPs that including yours. I’m really sorry about this."

[jdrch]

@ianbashford I agree unbound doesn't offer dnscrypt-proxy's level of privacy. My main issue is my preferred upstream (Cloudflare) has been problematic. If it were a case of Cloudflare DNS being unresponsive for 5 min per week, I could deal with that as it happens from time to time with (especially cable) ISPs. But last year's outage lasted a couple days and this year's outage lasted a couple months. I'm not interested in giving Google my DNS data^1, and Quad9 had the same issue as Cloudflare in my testing while also lacking (public?) user forums.

I still think dnscrypt-proxy is a fantastic product. A chain is only as strong as its weakest link, and right now the weak link in my hypothetical DoH stack is Cloudflare.

As for the various methods of DNS protection available, per this opinion of an Infrastructure Security Architect who also teaches grad level sysadmin and programming courses at Stevens Institute of Technology:

From my perspective, I believe that we should work on pushing for wider adoption of DNSSEC, because I continue to come back to the core problem of DNS results not being authenticated or verified. This strikes me as a significantly larger problem than the privacy implications surrounding our collective lookups.

DNSSEC is going to be good enough for me for now.

---

^1 This is not because I don't trust Google but because I don't think Google's business is organized around being as resistant to state actor inquiry as Cloudflare is

[OoLunar]

@ianbashford, glad to hear that our issue was upstream and not with DNSCrypt itself. I'll still be running the tests, but it's safe to close the issue. Thank you, @ianbashford and @jdrch for your support

[jdrch]

@ianbashford, glad to hear that our issue was upstream and not with DNSCrypt itself. I'll still be running the tests, but it's safe to close the issue. Thank you, @ianbashford and @jdrch for your support

You're always welcome. Community isn't just a word 😉

[ianbashford]

You're welcome and I'm glad we seem to have a solution
Happy Holidays to you all

[jdrch]

You're welcome and I'm glad we seem to have a solution
Happy Holidays to you all

Happy Holidays to you too and stay safe!

[ianbashford]

FWIW, the test to the US cloudflare has completed -- although since I won't be exiting from the (hopefully) now fixed IP block I doubt they're worth much.

5 queries / second for 24 hours == 432k queries -- total lost was 336 ( 0.08% )

[poentodewo]

it happen with doh cloudflare gateway but its fine via Dot so much reply with respon 'REFUSED'

[jdrch]

it happen with doh cloudflare gateway but its fine via Dot so much reply with respon 'REFUSED'

Thanks for the useful information about DoT! It appears Cloudflare's abuse protection system is DNS encryption protocol-specific. I don't experience any rate limiting querying them directly using DNSSEC.

I suppose Cloudflare's DoH rate limit is related to the fact that DoH was intended to be application specific, but as deployed by most dnscrypt-proxy and cloudflared^1 users it winds up applying to all DNS queries for a particular public IP address.

If you read this very well written summary of various DNS protection methods you'll see DoT was apparently not designed to be application specific as DoH was.

^1 One could argue this discrepancy between design and use is somewhat self-inflicted as Cloudflare enables the latter via their 1st party package ;)

[OoLunar]

Hey @ianbashford, unsure if I should open up a new discussion or continue on this one, but since this one is already "open", I'll just ask here.

As per my comment over in the CF thread, I was going to continue the testing. Day before yesterday I flunked up the command and tried making DNS requests on the wrong port, which led to a bunch of timeout errors. Today I completed the correct command, however now I have to create my own source using the CF stamp provided to us. Now, I read through the wiki and got myself a provider file as shown:

# dns-cloudflare-resolver

Supports one source only: cloudflare

--

## cloudflare

Cloudflare, but instead of using dns.cloudflare.com we're using cloudflare-dns.com

https://community.cloudflare.com/t/doh-dnscrypt-queries-randomly-fail-with-the-error-response-error-solved/334624/8?u=oolunar

sdns://AgcAAAAAAAAABzEuMC4wLjEAEmNsb3VkZmxhcmUtZG5zLmNvbQovZG5zLXF1ZXJ5

Following the link provided to the minisign website, I ran the following commands to get myself a .minisign file:

sudo xbps-install minisign # Void Linux, a rolling release distro. Installed version 0.10
minisign -G # Generates the key pair
minisign -Sm dns-cloudflare-resolver.md

The output of cat dns-cloudflare-resolver.md.minisig:

untrusted comment: signature from minisign secret key
RUQFkh3QI+pwFMUzV3AEIrUqxL700RHBhqEH0Y8Eb9HwlDh1M/MIEG0uS+xaMTIn5f0IYs7/8Bexu7yciKTTo6BXtpx/HK60cQM=
trusted comment: timestamp:1640481982	file:dns-cloudflare-resolver.md	hashed
/Lba4Fn9NLyTai+Hw/o0RlquNA7gI9ZWjptgmF7Hz+wvrL3eiCDsVpQTKzYiu2Uf9cPvi1TT9+A5nWZDsKvGCw==

Here's my dnscrypt-proxy.toml file:

listen_addresses = ['127.0.0.1:53']
server_names = ['cloudflare']

ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
doh_servers = true
odoh_servers = false

require_dnssec = true
require_nolog = true
require_nofilter = true

[query_log]
  file = '/var/log/dnscrypt-proxy/query.log'
  format = 'tsv'

[nx_log]
  file = '/var/log/dnscrypt-proxy/nx.log'
  format = 'tsv'

[sources]
  [sources.'cloudflare']
  urls = ['https://files.forsaken-borders.net/dns-cloudflare-resolver.md']
  cache_file = '/var/cache/dnscrypt-proxy/dnscrypt-resolver.md'
  minisign_key = 'RWQFkh3QI+pwFA3sgq9pN8Q/CUvKBie8uTwINo+tpAm/G2bPhwH/AdZR' # This was grabbed from the minisign.pub generated from `minisign -G`

However, when I start dnscrypt, I get the following error:

@4000000061c7c7d62eac8a2c [2021-12-26 01:38:56] [NOTICE] dnscrypt-proxy 2.1.1
@4000000061c7c7d62eac91fc [2021-12-26 01:38:56] [NOTICE] Network connectivity detected
@4000000061c7c7d62eac95e4 [2021-12-26 01:38:56] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
@4000000061c7c7d62eac9db4 [2021-12-26 01:38:56] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
@4000000061c7c7d62eaca584 [2021-12-26 01:39:16] [NOTICE] System DNS configuration not usable yet, exceptionally resolving [files.forsaken-borders.net] using bootstrap resolvers over udp
@4000000061c7c7d62eacad54 [2021-12-26 01:39:16] [CRITICAL] Unable to retrieve source [cloudflare]: [Incompatible signature algorithm]
@4000000061c7c7d62eacb524 [2021-12-26 01:39:16] [FATAL] Incompatible signature algorithm

(Ignore the @4000000061c7c7d62eac8a2c, that's likely the session id generated from my logging application).

What should I do about the incompatible signature algorithm? Is there something I did wrong? Is my software too "up-to-date" and DNSCrypt doesn't support the latest version of minisign?

Thanks again, apologies for my troubles.

[poentodewo]

You must add that stamp as static if You want to try that new stamp until get update as public resolver

[static.'cf-test']
stamp = 'sdns://AgcAAAAAAAAABzEuMC4wLjEAEmNsb3VkZmxhcmUtZG5zLmNvbQovZG5zLXF1ZXJ5'

change server_names

server_names = ['cf-test']

[OoLunar]

Oh! That makes so much more sense. Did I miss a section of the wiki that mentions this, or was it not on there at all?

[ianbashford]

This describes it
https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Configuration#an-example-static-server-entry

[bcookatpcsd]

Just finding this thread..

Was it actually stated that there was a possible problem between dnscrypt-proxy and Cloudflare.. and keeping Cloudflare was more important than dnscrypt-proxy?

Quad9 is a better alternative than Cloudflare.. and Frank pays better attention to us than Cloudflare..

Maybe just me..

#ThanksFrank

[jdrch]

Was it actually stated that there was a possible problem between dnscrypt-proxy and Cloudflare.. and keeping Cloudflare was more important than dnscrypt-proxy?

No, this is the root cause.

Quad9 is a better alternative than Cloudflare

AFAICT Quad9 lacks user forums and a ticket system, so reporting problems is difficult. I do this instead.