Periodic Query Spikes and Cache Bypass in dnscrypt-proxy with DoH Server

[vlasiuk-everstake]

Hello,
We are currently using dnscrypt-proxy version 2.1.7 with a custom DoH (DNS-over-HTTPS) server powered by CoreDNS . The configuration file in txt ([dnscrypt-proxy.txt]) dnscrypt-proxy.txt is attached for reference.

Every 12 hours, we observe a significant spike in the number of queries being sent to our DoH server. A screenshot of the query pattern is also attached for clarity.

We increased max_clinets from 250 to 10k but we have an issue [WARNING] Too many incoming connections (max=10000)
Dnscypt-proxy is trying to resolve DNS (doh.****.com) of our DOH server.
Despite enabling caching in dnscrypt-proxy, the queries seem to bypass the cache entirely.

We suspect there might be an issue with the configuration or behavior of dnscrypt-proxy, but we are unable to pinpoint the root cause. Could you help us identify and resolve this issue?

./dnscrypt-proxy -version
2.1.7

./dnscrypt-proxy -check
[2025-02-21 12:51:17] [NOTICE] dnscrypt-proxy 2.1.7
[2025-02-21 12:51:17] [NOTICE] Source [coredns-resolvers] loaded
[2025-02-21 12:51:17] [NOTICE] Configuration successfully checked

./dnscrypt-proxy -resolve goole.com
Resolving [google.com] using 127.0.0.1 port 53


Resolver : 172.217.40.22

Canonical name: google.com.

IPv4 addresses: 142.251.39.110
IPv6 addresses: 2a00:1450:400e:80f::200e

Name servers : ns3.google.com., ns4.google.com., ns2.google.com., ns1.google.com.
DNSSEC signed : no
Mail servers : 1 mail servers found

HTTPS alias : -
HTTPS info : [alpn]=[h2,h3]

Host info : -
TXT records : google-site-verification=4ibFUgB-wXLQ_S7vsXVomSTVamuOXBiVAzpR5IZ87D0, apple-domain-verification=30afIBcvSuDV2PLX, facebook-domain-verification=22rm551cu4k0ab0bxsw536tlds4h95, google-site-verification=TV9-DBe4R80X4v0M4U_bd_J9cpOJM0nikft0jAgjmsQ, docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e, v=spf1 include:_spf.google.com ~all, cisco-ci-domain-verification=479146de172eb01ddee38b1a455ab9e8bb51542ddd7f1fa298557dfa7b22d963, docusign=1b0a6754-49b1-4db5-8540-d2c12664b289, google-site-verification=wD8N7i1JTNTkezJ49swvWW48f8_9xveREV4oB-0Hf5o, onetrust-domain-verification=de01ed21f2fa4d8781cbc3ffb89cf4ef, MS=E4A68B9AB2BB9670BCE15412F62916164C0B20BB, globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8=

[jedisct1]

(We?)

Looks like even Cloudflare DNS is having trouble resolving the name of that DoH server.

Check the configuration of the authoritative DNS server for that domain, and that the bootstrap servers are not firewalled.

Or, in order to not have to resolve the name, include the IP addresses in the stamp or use DNSCrypt.