Am I doing something wrong, or did chromium/brave/google change something, and musl binary?

[bcookatpcsd]

Hey there.. just updated to the latest beta..

and noticed these in the logs:

@4000000060c4c26e0ec3caf4 [2021-06-12 10:19:16] 192.168.10.104 dkybpkhway.vlan10.dns A FORWARD 0ms 192.168.10.105:531
@4000000060c4c26e0ec5c2dc [2021-06-12 10:19:16] 192.168.10.104 orvzajihjrb.vlan10.dns A FORWARD 0ms 192.168.10.105:531
@4000000060c4c26e0ec6e3ec [2021-06-12 10:19:16] 192.168.10.104 jnygzusi.vlan10.dns A FORWARD 0ms 192.168.10.105:531

(if this helps..)
I tried to merge the changes from the new example

My question has to do with the rules:

block_unqualified = true
block_undelegated = true

The chrome/chromium dns checks used to do those random names without the local domain added.

In my forward rules I have my vlan10.dns pointed at dnsmasq, which is doing dhcp and local dns..

(not that you are dnsmasq author.. but I don't think I've done anything in my dnsmasq config to force this change..)

This config is on a home network, of 50+ devices

And I'm not sure if it's golang 1.16.5 or the new beta.. but things feel faster.

(also in case this helps or hurts.. Running on a physical void linux install. Void is musl based linux like Alpine so this is musl not glibc - your releases didn't have a musl build.. so I think I've built my own.. but I'm a hack programmer at best so I offer these details..)

[I] root@voidlnx ~# ldd /sbin/dnscrypt-proxy
/lib/ld-musl-x86_64.so.1 (0x7f8f0777e000)
libc.so => /lib/ld-musl-x86_64.so.1 (0x7f8f0777e000)

[I] root@voidlnx ~# /sbin/dnscrypt-proxy -version
2.0.46-beta3

[I] root@voidlnx ~ [2]# go version
go version go1.16.5 linux/amd64

[I] root@voidlnx ~# uname -a
Linux voidlnx 5.11.22_1 #1 SMP 1621481187 x86_64 GNU/Linux

[I] root@voidlnx ~# env | grep GO
CGO_CFLAGS=-Ofast -march=native -pipe
CGO_LDFLAGS=-Ofast -march=native -pipe
CGO_CPPFLAGS=
GOARCH=amd64
GOFLAGS=-trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw
GOOS=linux
CGO_FFLAGS=-Ofast -march=native -pipe
CGO_CXXFLAGS=-Ofast -march=native -pipe

[I] root@voidlnx ~# head /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 58
model name : Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz
stepping : 9
microcode : 0x20
cpu MHz : 1600.000
cache size : 8192 KB
physical id : 0

cat /etc/sv/dnscrypt-proxy/run
#!/bin/sh
TZ=America/New_York; export TZ
ulimit -n 8192
exec /sbin/dnscrypt-proxy -config /etc/dnscrypt-proxy.toml

egrep -v "^#|^$|#" /etc/dnscrypt-proxy.toml

listen_addresses = ['192.168.10.128:53']
max_clients = 250
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
doh_servers = true
odoh_servers = false
require_dnssec = false
require_nolog = true
require_nofilter = true
disabled_server_names = []
force_tcp = false
timeout = 5000
keepalive = 30
edns_client_subnet = ["0.0.0.0/0"]
log_file = '/dev/stdout'
cert_refresh_delay = 240
fallback_resolvers = ['45.90.28.0:53', '8.8.8.8:53']
ignore_system_dns = true
netprobe_timeout = 60
netprobe_address = '45.90.28.0:53'
log_files_max_size = 0
log_files_max_age = 7
log_files_max_backups = 1
block_ipv6 = true
block_unqualified = true
block_undelegated = true
reject_ttl = 600
forwarding_rules = '/etc/dnscrypt-proxy/forwarding-rules.txt'
cloaking_rules = '/etc/dnscrypt-proxy/cloaking-rules.txt'
cache = true
cache_size = 16384
cache_min_ttl = 2400
cache_max_ttl = 2400
cache_neg_min_ttl = 60
cache_neg_max_ttl = 600
[captive_portals]
map_file = '/etc/dnscrypt-proxy/captive-portals.txt'
[local_doh]
[query_log]
file = '/dev/stdout'
[nx_log]
format = 'tsv'
[blocked_names]
blocked_names_file = '/etc/dnscrypt-proxy/blocked-names.txt'
[blocked_ips]
[allowed_names]
[allowed_ips]
[schedules]
[sources]
[sources.'public-resolvers']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://download.dnscrypt.net/resolvers-list/v3/public-resolvers.md']
cache_file = 'public-resolvers.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 72
prefix = ''
[sources.'relays']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/relays.md']
cache_file = 'relays.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 72
prefix = ''
[sources.'opennic']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/opennic.md', 'https://download.dnscrypt.info/resolvers-list/v3/opennic.md']
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
cache_file = 'opennic.md'
[sources.'odoh']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh.md', 'https://download.dnscrypt.net/resolvers-list/v3/odoh.md']
cache_file = 'odoh.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 24
prefix = ''
[broken_implementations]
fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'cleanbrowsing-adult', 'cleanbrowsing-adult-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-security', 'cleanbrowsing-security-ipv6']
[doh_client_x509_auth]
[anonymized_dns]
skip_incompatible = false
[dns64]
[static]
[static.'nxdns-xyz123']
stamp = 'sdns://stamp-here'
[static.'waterproof']
stamp = 'sdns://stamp-here'

(waterproof is running encrypted-dns-server..)

Thanks in advance.

[jedisct1]

Is your question "why does Chrome send queries to names such as dkybpkhway.vlan10.dns"?

Chrome sends a query to a randomly generated hostname in order to check for resolvers returning ads on nonexistent domains.

These queries are limited to a single component. Such as dkybpkhway, not something like dkybpkhway.vlan10.dns.

Now, software (I know it's a broad term) can be configured to add a "default domain" when there is none. Your operating system can be configured to add vlan10.dns to anything that originally is a single word, turning dkybpkhway into dkybpkhway.vlan10.dns.

I don't know much about dnsmasq, but it may has an option to do the same.

descrypt-proxy never changes the query name. If it receives dkybpkhway, it will always keep it as dkybpkhway.

So, if you see dkybpkhway.vlan10.dns, there's something in your configuration that adds vlan10.dns as a default domain. And that happens before dnscrypt-proxy sees anything.