[Feature Request] Upstream failover and Upstream IP.

[twifty]

I run doh-server on my server under two domains. My server is proxied by cloudflare, so I have 3 IPs for each domain, plus the servers real IP address.

I've configured doh-client locally with the two domains, and added the six cloudflare IPs to my /etc/hosts file. Now, here is the problem. Sometimes, a cloudflare IP will become unstable with massive packet drops, causing the doh-client to timeout and return an empty response. We need the client to try again with either a different upstream or a different IP (if one exists) for the same domain.

I suggest adding the ability to specify the upstream IP address alongside the domain, thus eliminating the need to add them to the hosts file. This should allow us to add multiple entries for the same domain. In addition, when the first query fails I'd like to see a failover to the next upstream server. A maximum_failover setting could be introduced and/or an individual upstream timeout (with the current timeout setting acting as a global timeout).

Please note, I live in China which has recently blocked all DNS-over-TLS. Regular DNS53 IPs get blocked for a short time if I query banned domains (youtube/facebook etc). I cannot risk using my servers real IP, and must proxy it with cloudfare, out of the chance it will get blocked by the GFW. Currently dns-over-https is the only software I've found that actually works. But every time one of my IPs becomes unstable I have to edit the hosts file and restart services.

I would offer a pull request myself, but I unfortunately know nothing about the GO language.

[m13253]

Actually this is the exact problem I have observed on my lab environment in China.
I have made various attempts through the years trying to fix this.
But the HTTP/2.0 protocol stack of Go is so complicated that I can not completely solve the problem without introducing new bugs.

(sigh...)

If you are really good at DIY, you might want to run a HAProxy / Nginx at your local computer.
Connect HAProxy / Nginx to Cloudflare, and connect doh-client to it.
Since DoH is standard HTTPS, it will work for sure.
It's just you will need to run a lot of software and consume more RAM.

[m13253]

The problem is: if a single HTTP/2.0 connection to the server fails, my code detects it and tries to start a new connection, but the Go standard library did not detect this connection failure and still tries to reuse the existing connection pool.
This way, even if I let it resolve to a different address, the new connection still cannot make through.

[m13253]

Please note, I live in China which has recently blocked all DNS-over-TLS.

Yeah. That's why I never recommend DoT: they are doomed to get blocked from day one.

[twifty]

Yeah. That's why I never recommend DoT: they are doomed to get blocked from day one.

It really surprised me the other day when my ISP blocked it. Was quite a hassle trying to fix the problem when standard DNS53 returned funky results. Over HTTPS is a much more stealthier approach, but there too few clients and those I have found are poorly implemented.

I've just setup dnscrypt-proxy with 6 sdns:// URIs for each of my IPs. I'll give it a test for a few days. doh-server on the other end has been working flawlessly.

IMHO, the internet as it stands right now needs a complete overhaul.

[m13253]

Yes, I spend more efforts on doh-server because there aren't many DoH servers that supports ECS. My support of ECS is a great strength.
Speaking of clients, I now use the DoH client included in my MikroTik router.