[GH-ISSUE #2000] dns of util got a not same behaviour with named on querying from quic server #842

Closed
opened 2026-03-16 00:31:41 +03:00 by kerem · 8 comments
Originally created by @hingbong on GitHub (Aug 16, 2023).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2000

What is the question?
When I am using the dns command, I got

.\target\release\dns.exe -p quic -n [2a10:50c0::ad2:ff]:853 -t dns.adguard.com --debug query dns.google A
; using quic:[2a10:50c0::ad2:ff]:853 dns_name:dns.adguard.com
; sending query: dns.google IN A
2023-08-16T11:21:34.118803Z DEBUG trust_dns_proto::xfer::dns_handle: querying: dns.google A
2023-08-16T11:21:34.119046Z DEBUG trust_dns_proto::xfer: enqueueing message:QUERY:[Query { name: Name("dns.google"), query_type: A, query_class: IN }]
2023-08-16T11:21:34.119502Z DEBUG trust_dns_proto::quic::quic_stream: received packet len: 39 bytes: b"\0\0\x01\0\0\x01\0\0\0\0\0\x01\x03dns\x06google\0\0\x01\0\x01\0\0)\x04\xd0\0\0\0\0\0\0"
2023-08-16T11:21:34.196541Z DEBUG trust_dns_proto::quic::quic_stream: received packet len: 71 bytes: b"\0\0\x81\x80\0\x01\0\x02\0\0\0\x01\x03dns\x06google\0\0\x01\0\x01\xc0\x0c\0\x01\0\x01\0\0\0\xf1\0\x04\x08\x08\x08\x08\xc0\x0c\0\x01\0\x01\0\0\0\xf1\0\x04\x08\x08\x04\x04\0\0)\0\0\0\0\0\0\0\0"
; received response
; header 0:RESPONSE:RD,RA:NoError:QUERY:2/0/1
; edns version: 0 dnssec_ok: false max_payload: 512 opts: 0
; query
;; dns.google. IN A
; answers 2
dns.google. 241 IN A 8.8.8.8
dns.google. 241 IN A 8.8.4.4
; nameservers 0
; additionals 1

2023-08-16T11:21:34.198127Z DEBUG trust_dns_proto::xfer::dns_exchange: io_stream is done, shutting down

and I set up named with the config ./target/release/trust-dns -c forwarder.toml -z ./tests/test-data/test_configs/ -p 24141

log_level = "debug"
listen_addrs_ipv4 = [ "0.0.0.0" ]

[[zones]]
zone = "."

zone_type = "Forward"
stores = { type = "forward", name_servers = [{ socket_addr = "[2a10:50c0:0:0:0:0:ad2:ff]:853", protocol = "quic", tls_dns_name = "dns.adguard.com"}] }

I got

1692185284:INFO:trust_dns:336:Trust-DNS 0.23.0-alpha.5 starting
1692185284:INFO:trust_dns:341:loading configuration from: ".\\tests\\test-data\\test_configs\\example_forwarder.toml"
1692185284:DEBUG:trust_dns:147:loading zone with config: ZoneConfig {
    zone: ".",
    zone_type: Forward,
    file: None,
    allow_update: None,
    allow_axfr: None,
    enable_dnssec: None,
    keys: [],
    stores: Some(
        Forward(
            ForwardConfig {
                name_servers: NameServerConfigGroup(
                    [
                        NameServerConfig {
                            socket_addr: [2a10:50c0::ad2:ff]:853,
                            protocol: Quic,
                            tls_dns_name: Some(
                                "dns.adguard.com",
                            ),
                            trust_negative_responses: false,
                            tls_config: None,
                            bind_addr: None,
                        },
                    ],
                    None,
                ),
                options: None,
            },
        ),
    ),
}
1692185284:INFO:trust_dns_server::store::forwarder::authority:54:loading forwarder config: .
1692185284:INFO:trust_dns_server::store::forwarder::authority:82:forward resolver configured: .:
1692185284:INFO:trust_dns:268:zone successfully loaded: .
1692185284:INFO:trust_dns:401:binding UDP to 0.0.0.0:24141
1692185284:INFO:trust_dns:406:listening for UDP on 0.0.0.0:24141
1692185284:DEBUG:trust_dns_server::server::server_future:63:registering udp: PollEvented { io: Some(UdpSocket { addr: 0.0.0.0:24141, socket: 332 }) }
1692185284:INFO:trust_dns:419:binding TCP to 0.0.0.0:24141
1692185284:INFO:trust_dns:424:listening for TCP on 0.0.0.0:24141
1692185284:DEBUG:trust_dns_server::server::server_future:138:register tcp: PollEvented { io: Some(TcpListener { addr: 0.0.0.0:24141, socket: 340 }) }
1692185284:INFO:trust_dns:689:
1692185284:INFO:trust_dns:690:    o                      o            o
1692185284:INFO:trust_dns:691:    |                      |            |
1692185284:INFO:trust_dns:692:  --O--  o-o  o  o  o-o  --O--  o-o   o-O  o-o   o-o
1692185284:INFO:trust_dns:693:    |    |    |  |   \     |         |  |  |  |   \
1692185284:INFO:trust_dns:694:    o    o    o--o  o-o    o          o-o  o  o  o-o
1692185284:INFO:trust_dns:695:
1692185284:INFO:trust_dns:479:awaiting connections...
1692185284:INFO:trust_dns:484:Server starting up
1692185287:DEBUG:trust_dns_server::server::server_future:87:received udp request from: 172.28.8.212:55191
1692185287:DEBUG:trust_dns_server::server::server_future:934:request:55483 src:UDP://172.28.8.212#55191 type:QUERY dnssec:false QUERY:dns.google.:A:IN qflags:RD,AD
1692185287:DEBUG:trust_dns_server::authority::catalog:139:query received: 55483
1692185287:DEBUG:trust_dns_server::authority::catalog:385:searching authorities for: dns.google.
1692185287:DEBUG:trust_dns_server::authority::catalog:385:searching authorities for: google.
1692185287:DEBUG:trust_dns_server::authority::catalog:385:searching authorities for: .
1692185287:DEBUG:trust_dns_server::authority::catalog:408:request: 55483 found authority: .
1692185287:DEBUG:trust_dns_server::authority::catalog:456:no DAU in request, used default SupportAlgorithms
1692185287:DEBUG:trust_dns_server::authority::catalog:488:performing name: dns.google. type: A class: IN on .
1692185287:DEBUG:trust_dns_server::authority::authority_object:190:performing name: dns.google. type: A class: IN on .
1692185287:DEBUG:trust_dns_server::store::forwarder::authority:129:forwarding lookup: dns.google. A
1692185287:DEBUG:trust_dns_proto::xfer::dns_handle:67:querying: dns.google. A
1692185287:DEBUG:trust_dns_resolver::name_server::name_server_pool:258:sending request: [Query { name: Name("dns.google."), query_type: A, query_class: IN, mdns_unicast_response: false }]
1692185287:DEBUG:trust_dns_resolver::name_server::name_server:105:reconnecting: NameServerConfig { socket_addr: [2a10:50c0::ad2:ff]:853, protocol: Quic, tls_dns_name: Some("dns.adguard.com"), trust_negative_responses: false, tls_config: None, bind_addr: None }
1692185287:DEBUG:trust_dns_proto::xfer::dns_exchange:330:stream errored while connecting error=error with quic connection: aborted by peer: the cryptographic handshake failed: error 120
1692185287:DEBUG:trust_dns_resolver::name_server::name_server_pool:258:sending request: [Query { name: Name("dns.google."), query_type: A, query_class: IN, mdns_unicast_response: false }]
1692185287:DEBUG:trust_dns_resolver::name_server::name_server:105:reconnecting: NameServerConfig { socket_addr: [2a10:50c0::ad2:ff]:853, protocol: Quic, tls_dns_name: Some("dns.adguard.com"), trust_negative_responses: false, tls_config: None, bind_addr: None }
1692185287:DEBUG:trust_dns_proto::xfer::dns_exchange:330:stream errored while connecting error=error with quic connection: aborted by peer: the cryptographic handshake failed: error 120
1692185287:DEBUG:trust_dns_resolver::name_server::name_server_pool:258:sending request: [Query { name: Name("dns.google."), query_type: A, query_class: IN, mdns_unicast_response: false }]
1692185287:DEBUG:trust_dns_resolver::name_server::name_server:105:reconnecting: NameServerConfig { socket_addr: [2a10:50c0::ad2:ff]:853, protocol: Quic, tls_dns_name: Some("dns.adguard.com"), trust_negative_responses: false, tls_config: None, bind_addr: None }
1692185287:DEBUG:trust_dns_proto::xfer::dns_exchange:330:stream errored while connecting error=error with quic connection: aborted by peer: the cryptographic handshake failed: error 120
1692185287:DEBUG:trust_dns_server::authority::catalog:642:error resolving: Forward resolution error: proto error: error with quic connection: aborted by peer: the cryptographic handshake failed: error 120
1692185287:DEBUG:trust_dns_server::server::response_handler:106:response: 55483 response_code: No Error
1692185287:INFO:trust_dns_server::server::server_future:882:request:55483 src:UDP://172.28.8.212#55191 QUERY:dns.google.:A:IN qflags:RD,AD response:NoError rr:0/0/1 rflags:RD,RA

How to modify the config to make it work?
Thanks

kerem closed this issue 2026-03-16 00:31:46 +03:00

@bluejekyll commented on GitHub (Aug 22, 2023):

Can you share the configuration you used when compiling? I'm not sure why you're having an issue. There is also the resolve command, which is closer to the subsystem used by the Forwarder in trust-dns. Do you think you could see if that command produces different behavior? resolve is closer to nslookup whereas dns is closer to dig.


@hingbong commented on GitHub (Aug 22, 2023):

I built it just using cargo build --release -p trust-dns -F dns-over-https-rustls -F dns-over-quic -F resolver -F recursor. Will it use different certs, such as ones from the system and others from somewhere else?


@hingbong commented on GitHub (Aug 22, 2023):

And I am on Windows.


@bluejekyll commented on GitHub (Sep 6, 2023):

I wonder if this is related to here: #2015


@hingbong commented on GitHub (Oct 9, 2023):

I've updated to commit 45bd92f4ac07ef7d9fa1830a6b596239d01302da and get this with the same config; it looks like it is related to #2038

1696862737:DEBUG:trust_dns_server::server::server_future:90:received udp request from: 172.17.157.195:58687
1696862737:DEBUG:trust_dns_server::server::server_future:1021:request:21168 src:UDP://172.17.157.195#58687 type:QUERY dnssec:false QUERY:dns.google.:A:IN qflags:RD,AD
1696862737:DEBUG:trust_dns_server::authority::catalog:139:query received: 21168
1696862737:DEBUG:trust_dns_server::authority::catalog:385:searching authorities for: dns.google.
1696862737:DEBUG:trust_dns_server::authority::catalog:385:searching authorities for: google.
1696862737:DEBUG:trust_dns_server::authority::catalog:385:searching authorities for: .
1696862737:DEBUG:trust_dns_server::authority::catalog:408:request: 21168 found authority: .
1696862737:DEBUG:trust_dns_server::authority::catalog:456:no DAU in request, used default SupportAlgorithms
1696862737:DEBUG:trust_dns_server::authority::catalog:488:performing name: dns.google. type: A class: IN on .
1696862737:DEBUG:trust_dns_server::authority::authority_object:190:performing name: dns.google. type: A class: IN on .
1696862737:DEBUG:trust_dns_server::store::forwarder::authority:129:forwarding lookup: dns.google. A
1696862737:DEBUG:trust_dns_proto::xfer::dns_handle:67:querying: dns.google. A
1696862737:DEBUG:trust_dns_resolver::name_server::name_server_pool:258:sending request: [Query { name: Name("dns.google."), query_type: A, query_class: IN }]
1696862737:DEBUG:trust_dns_resolver::name_server::name_server:105:reconnecting: NameServerConfig { socket_addr: [2a10:50c0::ad2:ff]:853, protocol: Quic, tls_dns_name: Some("dns.adguard.com"), trust_negative_responses: true, tls_config: None, bind_addr: None }
1696862737:DEBUG:trust_dns_proto::xfer::dns_exchange:341:stream errored while connecting error=error with quic connection: the cryptographic handshake failed: error 48: invalid peer certificate: UnknownIssuer
1696862737:DEBUG:trust_dns_resolver::name_server::name_server_pool:258:sending request: [Query { name: Name("dns.google."), query_type: A, query_class: IN }]
1696862737:DEBUG:trust_dns_resolver::name_server::name_server:105:reconnecting: NameServerConfig { socket_addr: [2a10:50c0::ad2:ff]:853, protocol: Quic, tls_dns_name: Some("dns.adguard.com"), trust_negative_responses: true, tls_config: None, bind_addr: None }
1696862737:DEBUG:trust_dns_proto::xfer::dns_exchange:341:stream errored while connecting error=error with quic connection: the cryptographic handshake failed: error 48: invalid peer certificate: UnknownIssuer
1696862737:DEBUG:trust_dns_resolver::name_server::name_server_pool:258:sending request: [Query { name: Name("dns.google."), query_type: A, query_class: IN }]
1696862737:DEBUG:trust_dns_resolver::name_server::name_server:105:reconnecting: NameServerConfig { socket_addr: [2a10:50c0::ad2:ff]:853, protocol: Quic, tls_dns_name: Some("dns.adguard.com"), trust_negative_responses: true, tls_config: None, bind_addr: None }
1696862739:DEBUG:trust_dns_proto::xfer::dns_exchange:341:stream errored while connecting error=error with quic connection: the cryptographic handshake failed: error 48: invalid peer certificate: UnknownIssuer
1696862739:DEBUG:trust_dns_server::authority::catalog:642:error resolving: Forward resolution error: proto error: error with quic connection: the cryptographic handshake failed: error 48: invalid peer certificate: UnknownIssuer
1696862739:DEBUG:trust_dns_server::server::response_handler:106:response: 21168 response_code: No Error
1696862739:INFO:trust_dns_server::server::server_future:969:request:21168 src:UDP://172.17.157.195#58687 QUERY:dns.google.:A:IN qflags:RD,AD response:NoError rr:0/0/1 rflags:RD,RA

@djc commented on GitHub (Oct 10, 2023):

cc @daxpedda


@hingbong commented on GitHub (Oct 10, 2023):

I compiled it for OpenWRT and got the same result, so it's not a Windows-only issue.


@daxpedda commented on GitHub (Oct 11, 2023):

I'm not entirely familiar with the CLI, but as far as I can see:

1696862739:DEBUG:trust_dns_server::authority::catalog:642:error resolving: Forward resolution error: proto error: error with quic connection: the cryptographic handshake failed: error 48: invalid peer certificate: UnknownIssuer

root certificates seem to be missing.

I built it just using cargo build --release -p trust-dns -F dns-over-https-rustls -F dns-over-quic -F resolver -F recursor to build, will it use different cert, such as ones from system and the others from somewhere?

Doesn't include a crate feature that pulls in certificates. On the other hand, I just realized, we messed up in #2005 because the trust-dns CLI doesn't seem to include any root certificates or crate features to enable them. I will make a PR soonish.
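
The UnknownIssuer failure in the log above is a trust-store problem rather than a QUIC or DNS problem: the server presents a valid chain, but the client has no root certificate to anchor it to, so the TLS 1.3 handshake inside QUIC is aborted before a single DNS byte is sent. The program below is an added example, not code from hickory-dns, rustls or this thread. It uses Go's standard-library crypto/x509 (chosen because it can mint and verify certificates offline without extra crates) to model the same check a DoQ or DoT client performs: build a chain from the server's leaf to a trusted root, then match the name given as tls_dns_name against the leaf's SAN. The CA and the leaf for dns.adguard.com are constructed in memory for the demonstration and are not AdGuard's real certificate or key; the names buildPKI, verifyResult and testPKI are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a constructed root CA plus a leaf it signed. Both are minted in
// memory for this example; nothing here is AdGuard's real key material.
type testPKI struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
}

// buildPKI mints a throwaway root CA and a server leaf whose SAN is the name
// a forwarder would configure as tls_dns_name.
func buildPKI(leafName string) (*testPKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: leafName},
		DNSNames:     []string{leafName}, // SAN: what the client matches tls_dns_name against
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &testPKI{CA: ca, Leaf: leaf}, nil
}

// verifyResult performs the check a TLS/QUIC client runs on the server's
// certificate: chain it to a trusted root and confirm the expected name.
// It returns "ok", "unknown_issuer" (the condition rustls reports as
// UnknownIssuer), "hostname_mismatch", or "other: ..." for anything else.
func verifyResult(leaf *x509.Certificate, roots *x509.CertPool, dnsName string) string {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	var unknown x509.UnknownAuthorityError
	var hostname x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknown):
		return "unknown_issuer"
	case errors.As(err, &hostname):
		return "hostname_mismatch"
	default:
		return "other: " + err.Error()
	}
}

func main() {
	pki, err := buildPKI("dns.adguard.com")
	if err != nil {
		panic(err)
	}
	// An explicitly empty pool models a client built with no root-certificate
	// feature. A nil Roots field would instead mean "use the system store",
	// which is a different condition and would mask the problem.
	empty := x509.NewCertPool()
	trusted := x509.NewCertPool()
	trusted.AddCert(pki.CA)
	fmt.Println("empty root store, correct name:", verifyResult(pki.Leaf, empty, "dns.adguard.com"))
	fmt.Println("issuer trusted, correct name:  ", verifyResult(pki.Leaf, trusted, "dns.adguard.com"))
	fmt.Println("issuer trusted, wrong name:    ", verifyResult(pki.Leaf, trusted, "dns.google"))
}
```

The first case is the one in the thread: a perfectly valid chain and a matching name still fail when the client's root store is empty, so no amount of editing tls_dns_name or socket_addr in forwarder.toml can fix it; the roots have to come from the build (a feature that bundles them or loads the system store). The third case is the separate failure you get when tls_dns_name does not match the server's SAN, which is worth keeping distinct when reading handshake errors.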
