Description
Output of the following commands:
# dnscrypt-proxy -version
2.1.13
# dnscrypt-proxy -check -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
[2025-12-30 21:58:56] [NOTICE] Using default Weighted Power of Two (WP2) load balancing strategy
[2025-12-30 21:58:56] [NOTICE] Source [relays] loaded
[2025-12-30 21:58:56] [NOTICE] Source [public-resolvers] loaded
[2025-12-30 21:58:56] [NOTICE] Configuration successfully checked
#
# dnscrypt-proxy -resolve example.com -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
Resolving [example.com] using [::1] port 53
Resolver : 89.238.154.6
Lying : no
DNSSEC : yes, the resolver supports DNSSEC
ECS : ignored or selective
Canonical name: example.com.
IPv4 addresses: 104.18.26.120, 104.18.27.120
IPv6 addresses: 2606:4700::6812:1b78, 2606:4700::6812:1a78
Name servers : hera.ns.cloudflare.com., elliott.ns.cloudflare.com.
DNSSEC signed : yes
Mail servers : 1 mail servers found
HTTPS alias : -
HTTPS info : [alpn]=[h2], [ipv4hint]=[104.18.26.120,104.18.27.120], [ipv6hint]=[2606:4700::6812:1a78,2606:4700::6812:1b78]
Host info : -
TXT records : _k2n1y4vw3qtb4skdx9e7dxt97qrmmq9, v=spf1 -all
What is affected by this bug?
Apparently, dnscrypt-proxy gives up trying to resolve download-dnscrypt-info and raw.githubusercontent.com if the first bootstrap resolver can't return a result:
# dig @194.242.2.2 download.dnscrypt.info
; <<>> DiG 9.20.16 <<>> @194.242.2.2 download.dnscrypt.info
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 10818
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 2525ff111a37c2110100000069543bf4206c5d9b046d14be (good)
;; QUESTION SECTION:
;download.dnscrypt.info. IN A
;; Query time: 54 msec
;; SERVER: 194.242.2.2#53(194.242.2.2) (UDP)
;; WHEN: Tue Dec 30 01:13:35 CET 2025
;; MSG SIZE rcvd: 79
# dig @8.8.8.8 download.dnscrypt.info
; <<>> DiG 9.20.16 <<>> @8.8.8.8 download.dnscrypt.info
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26522
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;download.dnscrypt.info. IN A
;; ANSWER SECTION:
download.dnscrypt.info. 63 IN CNAME download-dnscrypt-info.b-cdn.net.
download-dnscrypt-info.b-cdn.net. 35 IN A 185.111.111.158
;; Query time: 39 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Tue Dec 30 01:15:03 CET 2025
;; MSG SIZE rcvd: 113
# cat /etc/dnscrypt-proxy/dnscrypt-proxy.toml | grep bootstrap
## DoH, bootstrap resolvers should ideally be operated by a different entity
bootstrap_resolvers = ['194.242.2.2:53', '8.8.8.8:53']
# ping example.com
ping: bad address 'example.com'
When does this occur?
- Your bootstrap_resolvers config entry has multiple servers, e.g. these: bootstrap_resolvers = ['194.242.2.2:53', '8.8.8.8:53']
- The first one is experiencing some temporary issue where any query will return an empty result, as seen in the output farther above.
- Now reboot your system with dnscrypt-proxy started up, and /etc/resolv.conf set to use your dnscrypt-proxy.
- The dnscrypt-proxy logfile will show something like this:
# cat /var/log/dnscrypt-proxy/dnscrypt-proxy.log
[2025-12-30 01:12:46] [NOTICE] dnscrypt-proxy 2.1.13
[2025-12-30 01:12:46] [NOTICE] Using default Weighted Power of Two (WP2) load balancing strategy
[2025-12-30 01:12:46] [NOTICE] Network connectivity detected
[2025-12-30 01:12:46] [NOTICE] Now listening to [::]:53 [UDP]
[2025-12-30 01:12:46] [NOTICE] Now listening to [::]:53 [TCP]
[2025-12-30 01:12:46] [NOTICE] Source [relays] loaded
[2025-12-30 01:12:46] [INFO] Source [public-resolvers] loading from URL [https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md]
[2025-12-30 01:12:46] [NOTICE] dnscrypt-proxy service is not usable yet
[2025-12-30 01:12:46] [NOTICE] Resolving server host [download.dnscrypt.info] using bootstrap resolvers over udp
[2025-12-30 01:12:46] [WARNING] no IPv4 address found for [download.dnscrypt.info]
Where does it happen?
Any name resolution will fail until the temporarily broken resolver is removed from bootstrap_resolvers which makes me wonder why there are multiple entries in there.
How do we replicate the issue?
See above
Expected behavior (i.e. solution)
If the first bootstrap resolver doesn't resolve the names it would usually resolve, for whatever reason including NXDOMAIN, all bootstrap resolvers should be tried before dnscrypt-proxy concludes the name cannot be resolved. (My apologies if this is somehow a bad idea for some reason I'm missing, but it seems to me like this would be the natural solution.)
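The fallback behaviour requested above, as an added example in Go that is not dnscrypt-proxy's own code: a resolver chain that walks the bootstrap_resolvers list in order and treats an empty, refused or failed answer from one resolver as a reason to move on to the next, giving up only when every resolver has been tried. ResolveWithFallback, AllFailedError, UDPLookup and FakeLookup are names chosen for this example; FakeLookup replays the dig results from the report with constructed data so the block runs offline, while UDPLookup shows the same chain wired to Go's standard net.Resolver for a live query.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"strings"
	"time"
)

// Lookup asks one specific bootstrap resolver (host:port) for the IPv4
// addresses of host. A nil error with an empty slice models an answer that
// carried no usable record (REFUSED, NXDOMAIN, empty NOERROR).
type Lookup func(resolver, host string) ([]net.IP, error)

// AllFailedError is returned only after every bootstrap resolver was tried,
// and records what each one answered so the log line is actionable.
type AllFailedError struct {
	Host     string
	Failures []string // one entry per resolver, in the order they were tried
}

func (e *AllFailedError) Error() string {
	return fmt.Sprintf("no IPv4 address found for [%s] after trying %d bootstrap resolvers: %s",
		e.Host, len(e.Failures), strings.Join(e.Failures, "; "))
}

// ResolveWithFallback walks the bootstrap_resolvers list in order and returns
// the first non-empty answer together with the resolver that produced it.
// An empty or failed answer from one resolver never ends the search; only
// when the whole list is exhausted does it give up.
func ResolveWithFallback(resolvers []string, host string, lookup Lookup) ([]net.IP, string, error) {
	fail := &AllFailedError{Host: host}
	for _, r := range resolvers {
		ips, err := lookup(r, host)
		switch {
		case err != nil:
			fail.Failures = append(fail.Failures, r+": "+err.Error())
		case len(ips) == 0:
			fail.Failures = append(fail.Failures, r+": empty answer")
		default:
			return ips, r, nil
		}
	}
	return nil, "", fail
}

// UDPLookup is a real Lookup built on Go's net.Resolver: the custom Dial sends
// the query to exactly the resolver given (over whatever transport the Go
// resolver asks for) instead of whatever /etc/resolv.conf lists.
func UDPLookup(resolver, host string) ([]net.IP, error) {
	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
	defer cancel()
	res := &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: 3 * time.Second}
			return d.DialContext(ctx, network, resolver)
		},
	}
	return res.LookupIP(ctx, "ip4", host)
}

// FakeLookup replays the situation from the report with constructed data
// (no network access): 194.242.2.2 answers REFUSED with no records, 8.8.8.8
// returns the address seen in the dig output, anything else times out.
func FakeLookup(resolver, host string) ([]net.IP, error) {
	switch resolver {
	case "194.242.2.2:53":
		return nil, nil // REFUSED: the answer section is empty
	case "8.8.8.8:53":
		if host == "download.dnscrypt.info" {
			return []net.IP{net.ParseIP("185.111.111.158")}, nil
		}
		return nil, nil
	}
	return nil, fmt.Errorf("i/o timeout")
}

func main() {
	resolvers := []string{"194.242.2.2:53", "8.8.8.8:53"}
	ips, used, err := ResolveWithFallback(resolvers, "download.dnscrypt.info", FakeLookup)
	if err != nil {
		fmt.Println("bootstrap failed:", err)
		return
	}
	fmt.Printf("resolved via %s: %v\n", used, ips)
}
```

With the two-entry list from the report, the chain skips the refusing resolver and returns 185.111.111.158 via 8.8.8.8:53; with only failing resolvers it returns an AllFailedError listing each attempt, which is the information a "no IPv4 address found" warning should carry.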