DNS64 responses are not cached #2619

Closed
rnhmjoj opened this issue Apr 19, 2024 · 2 comments
Labels
bug Something isn't working

Comments


rnhmjoj commented Apr 19, 2024

Output of the following commands:

dnscrypt-proxy -version: 2.1.5

dnscrypt-proxy -check -config test.toml:

[2024-04-19 10:30:11] [NOTICE] dnscrypt-proxy 2.1.5
[2024-04-19 10:30:11] [NOTICE] Configuration successfully checked

./dnscrypt-proxy -resolve example.com

$ dnscrypt-proxy -resolve example.com -config dns.toml
Resolving [example.com] using [::1] port 53

[2024-04-19 10:32:29] ::1 resolver.dnscrypt.info TXT PASS 0ms -
Resolver : [2024-04-19 10:32:29] ::1 136.228.47.212.in-addr.arpa PTR PASS 0ms -
212.47.228.136 (scaleway-fr.dnscrypt.info.)
Lying : [2024-04-19 10:32:29] ::1 nonexistent-zone.dnscrypt-test A PASS 0ms -
no
DNSSEC : yes, the resolver supports DNSSEC
ECS : ignored or selective

Canonical name: [2024-04-19 10:32:29] ::1 example.com CNAME PASS 0ms -
example.com.

IPv4 addresses: [2024-04-19 10:32:29] ::1 example.com A PASS 0ms -
93.184.215.14
IPv6 addresses: [2024-04-19 10:32:29] ::1 example.com AAAA PASS 0ms -
2606:2800:21f:cb07:6820:80da:af6b:8b2c

Name servers : [2024-04-19 10:32:29] ::1 example.com NS PASS 0ms -
b.iana-servers.net., a.iana-servers.net.
DNSSEC signed : yes
Mail servers : [2024-04-19 10:32:29] ::1 example.com MX PASS 0ms -
1 mail servers found

HTTPS alias : [2024-04-19 10:32:29] ::1 example.com HTTPS PASS 0ms -

HTTPS info : -

Host info : [2024-04-19 10:32:29] ::1 example.com HINFO PASS 0ms -

TXT records : [2024-04-19 10:32:29] ::1 example.com TXT PASS 0ms -
wgyf8z8cgvm2qmxpnbnldrcltvk4xqfn, v=spf1 -all

  • Initially raised as discussion #...

What is affected by this bug?

The DNS64 plugin

When does this occur?

When resolving names with synthesised AAAA records.
The response time is more than 3 times that of normal AAAA records.

Where does it happen?

???

How do we replicate the issue?

  1. Start dnscrypt-proxy using this configuration:

         listen_addresses = ["[::]:53"]
         server_names = ["test"]
         cache = true

         #[dns64]
         #prefix = ["64:ff9b::/96"]

         [static.test]
         stamp = "sdns://AQcAAAAAAAAAFFs2NDpmZjliOjpkNDJmOmU0ODhdIOgBuE6mBr-wusDOQ0RbsV66ZLAvo8SqMa4QY2oHkDJNHzIuZG5zY3J5cHQtY2VydC5mci5kbnNjcnlwdC5vcmc"

  2. Try to resolve names with and without AAAA records:

         $ hyperfine 'host -t AAAA ripe.net ::1'
         Benchmark 1: host -t AAAA ripe.net ::1
           Time (mean ± σ):      30.6 ms ±   5.9 ms    [User: 11.0 ms, System: 8.7 ms]
           Range (min … max):    19.7 ms …  43.7 ms    87 runs

         $ hyperfine 'host -t AAAA github.com ::1'
         Benchmark 1: host -t AAAA github.com ::1
           Time (mean ± σ):      28.5 ms ±   9.0 ms    [User: 9.2 ms, System: 7.2 ms]
           Range (min … max):    18.2 ms …  60.0 ms    47 runs

  3. Uncomment the dns64 section and restart dnscrypt-proxy
  4. Try to resolve the same name again:

         $ hyperfine 'host -t AAAA github.com ::1'
         Benchmark 1: host -t AAAA github.com ::1
           Time (mean ± σ):      80.8 ms ±  17.3 ms    [User: 15.3 ms, System: 13.0 ms]
           Range (min … max):    57.4 ms … 101.1 ms    39 runs

Expected behavior (i.e. solution)

Even including the time for resolving the A record (which should be cached), synthesizing the AAAA one shouldn't add more than double the latency.

Other Comments

jedisct1 changed the title from "DNS64 has terrible performance" to "DNS64 responses are not cached" on Apr 19, 2024

jedisct1 commented Apr 19, 2024

Thanks for your report!

Just looking at the query_log shows that responses altered by DNS64 are not cached, and always require an upstream query.

This is a regression from 4eab88c (for systemd, grrr, it's always systemd).
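A way to make the query_log check described in the comment above repeatable, as an added example that is not part of the original thread or of dnscrypt-proxy's code: it scans query_log lines and lists questions that were repeated but never answered without an upstream query. The log lines are constructed, and the field order and the reading of a "-" server field as "answered without an upstream resolver" are assumptions based on the lines shown in the report.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample: [time] client name type code duration server ("test" is the
// report's server_names entry; "-" meaning no upstream query is an assumption).
const sampleLog = `[2024-04-19 10:40:01] ::1 ripe.net AAAA PASS 24ms test
[2024-04-19 10:40:02] ::1 ripe.net AAAA PASS 0ms -
[2024-04-19 10:40:03] ::1 ripe.net AAAA PASS 0ms -
[2024-04-19 10:40:04] ::1 github.com AAAA PASS 71ms test
[2024-04-19 10:40:05] ::1 github.com AAAA PASS 68ms test
[2024-04-19 10:40:06] ::1 github.com AAAA PASS 74ms test
[2024-04-19 10:40:07] ::1 github.com AAAA`

// alwaysUpstream returns the "name type" questions asked at least minSeen times
// for which every single answer required an upstream query (never cached).
func alwaysUpstream(log string, minSeen int) []string {
	total, upstream := map[string]int{}, map[string]int{}
	for _, line := range strings.Split(log, "\n") {
		end := strings.Index(line, "]")
		if !strings.HasPrefix(line, "[") || end < 0 {
			continue // not a query_log line
		}
		f := strings.Fields(line[end+1:])
		if len(f) != 6 {
			continue // malformed or truncated entry
		}
		key := f[1] + " " + f[2]
		total[key]++
		if f[5] != "-" {
			upstream[key]++
		}
	}
	var keys []string
	for k, n := range total {
		if n >= minSeen && upstream[k] == n {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	return keys
}

func main() {
	fmt.Println(alwaysUpstream(sampleLog, 2))
}
```

A name that stays in this list across many repeats within its TTL, with `cache = true` set, matches the symptom reported here.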

jedisct1 added the bug label Apr 19, 2024

jedisct1 commented

Fixed, thanks!

DNSCrypt locked and limited conversation to collaborators May 19, 2024