
TL;DR: I want to know how to debug Android DNS resolution problems with Private DNS.

I've created my own DoH (DNS-over-HTTPS) proxy server to use as a "Private DNS" in Android. It proxies requests to my own installation of dnscrypt-proxy, which is configured to block some unwanted domains. It works on my Android as planned.

The problem: when my Private DNS is enabled in Android, many applications from time to time complain about "network inaccessible" or "domain could not be resolved". It happens on a regular basis, and if I turn Private DNS off, this problem completely disappears. For example: the web browser can load a site only on the second try; the online taxi application complains that there is no internet, and after I restart it, it works normally.

What I've tried:

  • Rewrote my DoH proxy from PHP (the first ad-hoc version) to async Python + aiohttp (to solve the problem of worker depletion on PHP)
  • Made a load-testing benchmark of my DoH server: it works fine, request-response time is quite small, even when thousands of requests per second are made.
  • Added a Redis cache on my proxy, so all answers are cached for the domain's TTL
  • Checked accessibility from different providers and regions of the country: no visible problems.

So, as I'm not an Android developer, I want to know whether there is any way to debug third-party apps on my Android device via the USB debugger and Android SDK tools. I need deep logging of the name resolution process to detect where the source of the problem is.

Also, if you want, you can check my DoH server at https://dns.mihanentalpo.me (you can try it with the awesome dnslookup tool, or by entering dns.mihanentalpo.me into your Android Private DNS setting; beware, some domains are short-circuited to the same server to "blackhole" them).

Update:

I've dumped the logcat of the Android device while trying to open some applications that usually suffer from DNS problems with my DNS server, and I got the following messages:

java.net.UnknownHostException: Unable to resolve host "relaycn.icloseli.com": No address associated with hostname
   at java.net.Inet6AddressImpl.lookupHostByName(Inet6AddressImpl.java:156)
   at java.net.Inet6AddressImpl.lookupAllHostAddr(Inet6AddressImpl.java:103)
   at java.net.InetAddress.getByName(InetAddress.java:1106)
   at com.v3.clsdk.session.CLSessionRouter$b.a(CLSessionRouter.java:24)
   at com.v3.clsdk.session.CLSessionRouter$b.call(CLSessionRouter.java:1)
   at java.util.concurrent.FutureTask.run(FutureTask.java:264)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1137)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:637)
   at java.lang.Thread.run(Thread.java:1012)
Caused by: android.system.GaiException: android_getaddrinfo failed: EAI_NODATA (No address associated with hostname)
   at libcore.io.Linux.android_getaddrinfo(Native Method)
   at libcore.io.ForwardingOs.android_getaddrinfo(ForwardingOs.java:133)
   at libcore.io.BlockGuardOs.android_getaddrinfo(BlockGuardOs.java:222)
   at libcore.io.ForwardingOs.android_getaddrinfo(ForwardingOs.java:133)
   at java.net.Inet6AddressImpl.lookupHostByName(Inet6AddressImpl.java:135)

Before and after this there are messages not related to the network problems. Also, I've filtered the whole logcat log by process ID, and still found no other messages.

So, this is actually a "No address associated with hostname", but why does it happen? Maybe there is some timeout on name resolution? How to debug this problem at a deeper level?

Update 2: I'll try to use dnscrypt-proxy, which I already have, and its DoH functionality without my own implementation, to see whether it is better or not.

MihanEntalpo
  • Android's Private DNS is DoT, which is different from DoH (there is partial DoH3 support, but only for hardcoded Google & Cloudflare servers). You could try dumping the logcat and filtering for getaddrinfo, but it's much easier to use the AdGuard app (from their site, not from the Play Store) to check the DNS logs; Rethink or Intra might work too. If it's intermittent, then it's possible your ISP bungled the handling of DoT traffic – Martheen Aug 29 '23 at 17:02
  • Thanks for your suggestion, @Martheen. However, I'm absolutely sure that on my Android 12 it's DoH, not DoT, because I've spent a lot of effort to find the right protocol and implement it, firstly in PHP and then in Python. Despite the fact that my dnscrypt-proxy receives DoT requests through Nginx, if I turn off my DoH server, Android starts complaining that there is no access to Private DNS. I saw AdGuard Home, and it's wonderful, but I need some additional functionality, not only to blackhole bad domains. I'll try to dump logcat, thanks! – MihanEntalpo Aug 30 '23 at 05:05
  • @Martheen as you recommended, I dumped logcat and found that it's actually a getaddrinfo problem (Captain Obvious to the rescue); don't know what to do next :) – MihanEntalpo Aug 30 '23 at 05:39
  • I think what happened is that your DoT proxy is tied to your DoH proxy. Have you verified that when DoH is disabled, DoT requests through dnslookup (with a tls:// address) still go through? As for failing to resolve the test domain, you'd have to check the log on your server to see whether during that time the request went through and resolved normally. Another possible intermittent bug is faulty IPv6 routing. – Martheen Aug 30 '23 at 06:02
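Martheen's suggestion above (dump logcat and filter for getaddrinfo), worked into an added example that is not part of the original question or comments: a Python script that pairs each UnknownHostException in a logcat dump with the GaiException code that caused it, per process, so one can see whether an app is receiving EAI_NODATA answers (a reply with no address records, as in the trace in the question) or EAI_AGAIN (a temporary failure such as a resolver timeout). The embedded sample logcat lines are constructed from the post's trace; `api.example.net` and the PIDs are made up.

```python
"""Summarise Android name-resolution failures from a logcat dump.

Pairs each UnknownHostException with the GaiException code behind it, so
repeated EAI_NODATA answers (reply with no address records) can be told apart
from EAI_AGAIN (temporary failure, e.g. a resolver timeout).
Usage: adb logcat -d > logcat.txt && python logcat_dns.py logcat.txt
"""
import re
import sys
from collections import Counter, defaultdict

HOST_RE = re.compile(r'UnknownHostException: Unable to resolve host "([^"]+)"')
GAI_RE = re.compile(r"android_getaddrinfo failed: (EAI_[A-Z]+)")
# logcat "threadtime" prefix: date time PID TID level tag. Lines pasted without
# a prefix (as in the question) still work; they are grouped under PID "?".
PID_RE = re.compile(r"^\S+\s+\S+\s+(\d+)\s+\d+\s+[VDIWEF]\s")

# Constructed sample: the question's trace plus an EAI_AGAIN failure for contrast.
SAMPLE_LOGCAT = """\
08-30 05:20:01.123  4242  4301 W System.err: java.net.UnknownHostException: Unable to resolve host "relaycn.icloseli.com": No address associated with hostname
08-30 05:20:01.125  4242  4301 W System.err: Caused by: android.system.GaiException: android_getaddrinfo failed: EAI_NODATA (No address associated with hostname)
08-30 05:20:07.410  5150  5188 W System.err: java.net.UnknownHostException: Unable to resolve host "api.example.net": Try again
08-30 05:20:07.411  5150  5188 W System.err: Caused by: android.system.GaiException: android_getaddrinfo failed: EAI_AGAIN (Try again)
08-30 05:20:09.002  4242  4301 W System.err: java.net.UnknownHostException: Unable to resolve host "relaycn.icloseli.com": No address associated with hostname
08-30 05:20:09.003  4242  4301 W System.err: Caused by: android.system.GaiException: android_getaddrinfo failed: EAI_NODATA (No address associated with hostname)
"""

def summarise(lines):
    """Return {(pid, host): Counter(eai_code)} for every failed lookup."""
    pending = {}                     # pid -> host whose 'Caused by' line is still to come
    failures = defaultdict(Counter)
    for line in lines:
        m = PID_RE.match(line)
        pid = m.group(1) if m else "?"
        h = HOST_RE.search(line)
        if h:                        # first line of the trace names the host
            pending[pid] = h.group(1)
            continue
        g = GAI_RE.search(line)
        if g and pid in pending:     # the 'Caused by' line carries the EAI code
            failures[(pid, pending.pop(pid))][g.group(1)] += 1
    return failures

def main(argv):
    text = open(argv[1], encoding="utf-8", errors="replace").read() if len(argv) > 1 else SAMPLE_LOGCAT
    for (pid, host), codes in sorted(summarise(text.splitlines()).items()):
        print(f"pid {pid:>6}  {host:<28} {dict(codes)}")

if __name__ == "__main__":
    main(sys.argv)
```

Run it on the sample to see two EAI_NODATA hits for the question's host under one PID and one EAI_AGAIN under another; a host that only ever shows EAI_NODATA points at the answer the DNS server returned rather than at a slow or unreachable server.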
