
Randomize the order of DNS servers to prevent reaching the limitations of public resolvers #1980

Open
1 task done
serge-r opened this issue Apr 18, 2024 · 2 comments


serge-r commented Apr 18, 2024

Is there an existing issue that is already proposing this?

  • I have searched the existing issues

Application

Outline Client

What are you trying to do? What is your use case?

Hello.

I understand that it might seem odd, but I am conducting research on mobile app issues related to Outline VPN, Apple, and Cloudflare's DNS over TLS.

You can find many details along with logs here: https://community.cloudflare.com/t/1-1-1-1-1-0-0-1-dns-over-tls-limitations/643561
I am still awaiting a response from the Cloudflare Community, but it seems like it might take some time.

For those who are unable to follow the link I provided, here is a TL;DR:

When Outline is connected, MacOS (and iOS too) starts using DNS over TLS with Cloudflare servers, because 1.1.1.1 is listed first.

My theory is that Cloudflare has some per-IP limits for DNS DoT queries, and when these limits are reached, I receive a REFUSED response for any domain.

The problem with MacOS X and iOS (which use the same system resolver service, mDNSResponder) when DoT is enabled, is that this negative response is cached for a period, causing all apps that use the system resolver to fail. As a result, retries and other DNS servers configured in the system do not work. This is a significant problem for mobile users, as mobile apps can generate tons of DNS traffic, and iOS users of our mobile app who use Outline are experiencing issues with the application.

I have an Apple developer certificate, and I was able to build and test the Outline Client with different DNS servers. The problems appear only with 1.1.1.1. It seems that changing the order of servers could help us resolve many issues for mobile users.

I'm not sure about Windows and Android users, because I don't have devices for testing, but I think it would be better to use the same behavior on all platforms.

Is your feature request related to a problem? Please describe it.

The problem is not with Outline but with Cloudflare; details are here: https://community.cloudflare.com/t/1-1-1-1-1-0-0-1-dns-over-tls-limitations/643561

Describe the solution you'd like.

It would be better to have a random order of DNS servers here.

Describe alternatives you've considered

An alternative way is to move 1.1.1.1 from the first position to another, as I did not reproduce the issue with other public resolvers. But I'm not sure about other resolvers' limitations.
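As an added illustration (not Outline's own code) of the two behaviours the report asks for, here is a minimal resolver chain in Go: the default server list is shuffled so 1.1.1.1 is not always first, and a REFUSED reply (DNS RCODE 5) is never cached but makes the client fall through to the next configured server. The `Query` hook, `Answer` type and the constructed replies are assumptions for the example; they stand in for real DoT/UDP transport.

```go
package main

import (
	"errors"
	"fmt"
	"math/rand"
)

// RcodeRefused is DNS RCODE 5, the reply the issue reports from 1.1.1.1
// once Cloudflare's per-IP DoT limit is hit.
const RcodeRefused = 5
// Answer is a reduced DNS reply: the RCODE and any resolved addresses.
type Answer struct {
	Rcode int
	Addrs []string
}

// Query sends one question to one server (hypothetical hook; backed by a
// constructed table in the test so the example runs offline).
type Query func(server, name string) (Answer, error)
// ShuffleServers returns the default resolver list in random order, so that
// 1.1.1.1 is not always first and hence not always the DoT resolver.
func ShuffleServers(defaults []string, rng *rand.Rand) []string {
	out := append([]string(nil), defaults...)
	rng.Shuffle(len(out), func(i, j int) { out[i], out[j] = out[j], out[i] })
	return out
}

// Resolve asks each server in turn. REFUSED is a transient server-side
// failure: never cached, next server tried (what mDNSResponder lacks under DoT).
func Resolve(servers []string, name string, q Query, cache map[string]Answer) (Answer, error) {
	if a, ok := cache[name]; ok {
		return a, nil
	}
	err := errors.New("no resolvers configured")
	for _, s := range servers {
		a, qerr := q(s, name)
		switch {
		case qerr != nil:
			err = qerr
		case a.Rcode == RcodeRefused:
			err = fmt.Errorf("%s: REFUSED for %s", s, name)
		default:
			cache[name] = a // only positive answers are cached
			return a, nil
		}
	}
	return Answer{}, err
}
```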

serge-r added the "feature request" (New feature, we are tracking it) label Apr 18, 2024

cornzzy commented Apr 18, 2024

Could also set from dynamic access links


serge-r commented Apr 19, 2024

@cornzzy yeah, it's a variant too, but anyway I need to redefine the default behavior, because a lot of clients are using the defaults, with 1.1.1.1 only as the first resolver.
