
I am using dnscrypt-proxy as a local stub for using DoH. Resolving subdomains claims that they "probably" don't exist or are blocked by the proxy, but the IP returned is correct. I am not sure if this is to be expected or indicative of some issue.

How is the output for the two examples below to be interpreted?

```
generic@motorbrot:/etc$ /opt/dnscrypt-proxy-2.0.44/dnscrypt-proxy -resolve docs.google.com
Resolving [docs.google.com]

Domain exists:  probably not, or blocked by the proxy
Canonical name: docs.google.com.
IP addresses:   216.58.200.14, 2404:6800:4005:805::200e
TXT records:    google-site-verification=Ea9DtyEruwUPQhZm6VkAeu8Ww7RdLyfV-ounIdQlkuY
Resolver IP:    104.238.170.136 (104.238.170.136.vultr.com.)

generic@motorbrot:/etc$ /opt/dnscrypt-proxy-2.0.44/dnscrypt-proxy -resolve drive.google.com
Resolving [drive.google.com]

Domain exists:  probably not, or blocked by the proxy
Canonical name: drive.google.com.
IP addresses:   172.217.16.142, 2404:6800:4005:802::200e
TXT records:    google-site-verification=pGMCXdTAsGW_L3o1ks9eToJ4g1R-l3r8TcXdkcA9RqY
Resolver IP:    185.95.216.116

generic@motorbrot:/etc$ /opt/dnscrypt-proxy-2.0.44/dnscrypt-proxy -resolve eric.mink.li
Resolving [eric.mink.li]

Domain exists:  probably not, or blocked by the proxy
Canonical name: eric.mink.li.
IP addresses:   80.74.154.155
TXT records:    -
Resolver IP:    185.95.216.116

generic@motorbrot:/etc$ /opt/dnscrypt-proxy-2.0.44/dnscrypt-proxy -resolve mink.li
Resolving [mink.li]

Domain exists:  yes, 3 name servers found
Canonical name: mink.li.
IP addresses:   80.74.154.155
TXT records:    -
Resolver IP:    185.95.216.116
```

It's also interesting to note that not all subdomains exhibit this behaviour. For example this other website:

```
generic@motorbrot:/etc$ /opt/dnscrypt-proxy-2.0.44/dnscrypt-proxy -resolve eric.mink.com
Resolving [eric.mink.com]

Domain exists:  yes, 2 name servers found
Canonical name: eric.mink.com.
IP addresses:   69.172.201.153
TXT records:    -
Resolver IP:    185.95.216.116
```

These subdomains are all accessible in the browser (the eric.mink.com example is a redirect though).

lucidbrot

1 Answer


Granted, `Domain exists: probably not, or blocked by the proxy` is a little bit confusing.

It actually means that a query for that name returned a response that doesn't include any name servers.

A query for an actual domain (not host name) such as google.com would return a set of name servers instead:

```
Domain exists:  yes, 4 name servers found
```

Some resolvers may always return the name servers, some may return minimal responses instead. So, this `Domain exists:` line properly returns the number of servers when the name is a domain, but is not reliable when it is a fully-qualified host name.

Frank Denis
  • Thank you, but I'm still confused: If it does not find any nameservers, then how does it find the respective IP Address of the website? – lucidbrot Jul 30 '20 at 17:55
  • Nameservers exist, but for the zone. When asked for `docs.example.com`, the response is `no nameservers`, so another query is made for only `example.com`. Then we get name servers, and these are used to get the IP address of everything within that zone. – Frank Denis Jul 30 '20 at 17:59
  • By the way, as it was confusing, this indication has been removed in the development version of `dnscrypt-proxy`. – Frank Denis Jul 30 '20 at 17:59
  • Ah, wonderful. So there's nothing wrong with my setup except that testing it with a subdomain as query is not really intended. – lucidbrot Jul 30 '20 at 18:00
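
The distinction the answer draws, shown at the DNS message level as an added example (not code from `dnscrypt-proxy` or from either poster): it counts NS records in the answer section of constructed responses to an NS query and, going one step beyond the answer, uses the response code to separate a host name with no NS records from a name that does not exist. All names under `example.com`, the record values and the NODATA/NXDOMAIN wording in `describe` are assumptions made for illustration.

```python
import struct
NS, SOA = 2, 6  # DNS record type codes

def encode_name(name):
    """Encode a domain name as uncompressed DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_response(qname, rcode, answers, authority):
    """Build a constructed response to an NS query (sample data, not captured traffic)."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, plus the response code
    msg = struct.pack("!6H", 0x1234, flags, 1, len(answers), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!2H", NS, 1)  # question: QTYPE=NS, QCLASS=IN
    for owner, rtype, rdata in answers + authority:
        msg += encode_name(owner) + struct.pack("!2HIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

def skip_name(msg, off):
    """Return the offset just past the name at off (a compression pointer ends the name)."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += msg[off] + 1
    return off + 1

def ns_status(msg):
    """Return (rcode, number of NS records in the answer section)."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off, found = 12, 0
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        found += rtype == NS
        off += 10 + rdlen
    return flags & 0xF, found

def describe(msg):
    """Turn a response into a status line; only the 'yes' wording mirrors the tool's output."""
    rcode, found = ns_status(msg)
    if found:
        return f"yes, {found} name servers found"
    return "NXDOMAIN: name does not exist" if rcode == 3 else "NODATA: name exists, but is not a zone apex"

# Constructed sample responses (assumed names and values under example.com).
soa = encode_name("ns1.example.com") + encode_name("admin.example.com") + struct.pack("!5I", 1, 7200, 900, 1209600, 300)
APEX = build_response("example.com", 0, [("example.com", NS, encode_name(f"ns{i}.example.com")) for i in (1, 2)], [])
HOST = build_response("docs.example.com", 0, [], [("example.com", SOA, soa)])
MISSING = build_response("nope.example.com", 3, [], [("example.com", SOA, soa)])
```

An empty answer section with response code 0 (`HOST`) only says the name is not a zone apex; the SOA record in the authority section names the enclosing zone, whose servers answer the address query.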