dns.circl.lu reply wrong

[gansui]

when dnsproxy point upstream dns to following, reply is wrong(peer reset the connection) ,but dig reply correct if dig point to dns.circl.lu directly. there are also other dns reply wrong,I can't list all

circl-doh
DoH server operated by CIRCL, Computer Incident Response Center Luxembourg. Hosted in Bettembourg, Luxembourg.
Protocol DoH
Addresses [ "dns.circl.lu", "185.194.94.71" ]
Ports [ 443 ]
DNSSEC false
No filters true
No logs true
Stamp sdns://AgYAAAAAAAAADTE4NS4xOTQuOTQuNzEADGRucy5jaXJjbC5sdQovZG5zLXF1ZXJ5

2023/07/15 10:27:37 1227322#3 [debug] dnsproxy: cache: disabled; not caching
2023/07/15 10:27:37 1227322#3 [debug] https://dns.circl.lu:443/dns-query: sending request over tcp: A www.youtube.com.
2023/07/15 10:27:37 1227322#5 [debug] bootstrap: dialing 185.194.94.71:443 (1/1)
2023/07/15 10:27:37 1227322#5 [debug] bootstrap: connection to 185.194.94.71:443 succeeded in 244.511957ms
2023/07/15 10:27:37 1227322#3 [debug] https://dns.circl.lu:443/dns-query: response received over tcp: requesting https://dns.circl.lu:443/dns-query: Get "https://dns.circl.lu:443/dns-query?dns=AAABIAABAAAAAAABA3d3dwd5b3V0dWJlA2NvbQAAAQABAAApBNAAAAAAAAwACgAIwXwyIjGOIK4": read tcp 192.168.0.155:52380->185.194.94.71:443: read: connection reset by peer
2023/07/15 10:27:37 1227322#3 [debug] re-creating the http client due to requesting https://dns.circl.lu:443/dns-query: Get "https://dns.circl.lu:443/dns-query?dns=AAABIAABAAAAAAABA3d3dwd5b3V0dWJlA2NvbQAAAQABAAApBNAAAAAAAAwACgAIwXwyIjGOIK4": read tcp 192.168.0.155:52380->185.194.94.71:443: read: connection reset by peer
2023/07/15 10:27:37 1227322#3 [debug] using HTTP/2 for this upstream: HTTP3 support is not enabled
2023/07/15 10:27:37 1227322#3 [debug] github.com/AdguardTeam/dnsproxy/proxy.exchangeWithUpstream(): upstream https://dns.circl.lu:443/dns-query failed to exchange ;www.youtube.com. IN A in 252.715784ms. Cause: requesting https://dns.circl.lu:443/dns-query: Get "https://dns.circl.lu:443/dns-query?dns=AAABIAABAAAAAAABA3d3dwd5b3V0dWJlA2NvbQAAAQABAAApBNAAAAAAAAwACgAIwXwyIjGOIK4": read tcp 192.168.0.155:52380->185.194.94.71:443: read: connection reset by peer
2023/07/15 10:27:37 1227322#3 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).replyFromUpstream(): RTT: 252.87266ms
2023/07/15 10:27:37 1227322#3 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: SERVFAIL, id: 3417
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

[gansui]

if dnsproxy point to comodo-02,dnsproxy will crash,but dnscrypt go client(https://github.com/ameshkov/dnscrypt) works

comodo-02
Comodo Dome Shield (anycast) - https://cdome.comodo.com/shield/
Protocol DNSCrypt
Addresses [ "8.20.247.2" ]
Ports [ 443 ]
DNSSEC true
No filters true
No logs false
Stamp sdns://AQUAAAAAAAAACjguMjAuMjQ3LjIg0sJUqpYcHsoXmZb1X7yAHwg2xyN5q1J-zaiGG-Dgs7AoMi5kbnNjcnlwdC1jZXJ0LnNoaWVsZC0yLmRuc2J5Y29tb2RvLmNvbQ

===========================

2023/07/15 10:52:32 1228497#3 [debug] dnsproxy: cache: disabled; not caching
2023/07/15 10:52:32 1228497#3 [debug] [2.dnscrypt-cert.shield-2.dnsbycomodo.com.] fetched certificate 8
2023/07/15 10:52:32 1228497#3 [debug] [2.dnscrypt-cert.shield-2.dnsbycomodo.com.] fetched certificate 7
2023/07/15 10:52:32 1228497#3 [debug] [2.dnscrypt-cert.shield-2.dnsbycomodo.com.] bad cert: dnscrypt: cert has invalid ts-start or ts-end
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x4 pc=0x74955f]

goroutine 3 [running]:
github.com/ameshkov/dnscrypt/v2.(*Client).DialStamp(0xc0001b6000?, {{0xc000024290, 0xe}, {0xc00002e195, 0x20, 0x49}, {0x0, 0x0, 0x0}, {0xc00002a150, ...}, ...})
github.com/ameshkov/dnscrypt/v2@v2.2.6/client.go:78 +0x1df
github.com/ameshkov/dnscrypt/v2.(*Client).Dial(0xc000112090?, {0xc0001b6000?, 0x4b047c?})
github.com/ameshkov/dnscrypt/v2@v2.2.6/client.go:54 +0x125
github.com/AdguardTeam/dnsproxy/upstream.(*dnsCrypt).resetClient(0xc00012d6b0)
github.com/AdguardTeam/dnsproxy/upstream/upstream_dnscrypt.go:136 +0x11f
github.com/AdguardTeam/dnsproxy/upstream.(*dnsCrypt).exchangeDNSCrypt(0xc00012d6b0, 0xc0001a2000)
github.com/AdguardTeam/dnsproxy/upstream/upstream_dnscrypt.go:98 +0xc8
github.com/AdguardTeam/dnsproxy/upstream.(*dnsCrypt).Exchange(0x600aaa?, 0xc0000b0010?)
github.com/AdguardTeam/dnsproxy/upstream/upstream_dnscrypt.go:56 +0x27
github.com/AdguardTeam/dnsproxy/proxy.exchangeWithUpstream({0xa791a0, 0xc00012d6b0}, 0xc0001a2000)
github.com/AdguardTeam/dnsproxy/proxy/exchange.go:69 +0x72
github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).exchange(0xc00013d500?, 0xc0001a6000?, {0xc000132ff0?, 0x8ed640?, 0xc000024230?})
github.com/AdguardTeam/dnsproxy/proxy/exchange.go:30 +0xf6
github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).replyFromUpstream(0xc00013d500, 0xc0001a6000)
github.com/AdguardTeam/dnsproxy/proxy/proxy.go:490 +0x98
github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).Resolve(0xc00013d500, 0xc0001a6000)
github.com/AdguardTeam/dnsproxy/proxy/proxy.go:574 +0xa5
github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).handleDNSRequest(0xc00013d500, 0xc0001a6000)
github.com/AdguardTeam/dnsproxy/proxy/server.go:133 +0x3de
github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).udpHandlePacket(0xc00013d500, {0xc00006c140, 0x38, 0x38}, {0xc000024150, 0x4, 0x4}, 0xc00007a000, 0xc0000b0610)
github.com/AdguardTeam/dnsproxy/proxy/server_udp.go:115 +0x2e6
github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).udpPacketLoop.func1()
github.com/AdguardTeam/dnsproxy/proxy/server_udp.go:82 +0x4f
created by github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).udpPacketLoop
github.com/AdguardTeam/dnsproxy/proxy/server_udp.go:81 +0x37e