Bootstrap can't launch DoH.

[DogancanYr]

I am configuring DNSCrypt Proxy with Pi-hole to use Doh.
I understand that a bootstrap resolver is required to initially resolve the DoH endpoint.

However, in my setup the modem/router cannot access the internet unless DNS is already working, which creates a chicken-and-egg problem:

DNSCrypt Proxy needs a bootstrap resolver to reach the DoH server

But without DNSCrypt Proxy working, the modem/system cannot resolve anything or access the internet

As a result, DoH does not work at all in my environment.

Pi-hole is running behind DNSCrypt Proxy

DoH server is manually configured

I know bootstrap resolvers are required, but I cannot make it work due to the lack of initial internet/DNS access

My question:
How should bootstrap resolvers be configured in this situation?
What is the correct way to handle DoH + DNSCrypt Proxy when the modem/router cannot reach the internet before DNS is available?

[jedisct1]

the modem/router cannot access the internet unless DNS is already working,

I don't get it. DNS requires internet connectivity to work. So, internet connectivity can't depend on DNS "already working".

If you are behind some kind of captive portal, you can add the names and IP addresses they should resolve to to the captive-portals.txt file. IP addresses defined there will be returned even before internet connectivity is detected.

[DogancanYr]

I'm on normal home internet. I enter the DNS address of my Pi hole and dnscrypt device into the modem as dns.

If I delete all dns servers from everywhere and only get used to dnscrypt and it forces doh, I won't have internet, the software needs to download the doh list at first or Doh itself needs to download its own servers.

I have to write normal dns at first, can I do something about it?

What does Bootstrap Resolvers do?

[DogancanYr]

For what purpose do you use it and how?

[jedisct1]

Cloudflare resolvers already use static IP addresses, so your actual problem is probably unrelated to bootstrap resolvers. You probably also already tried using DNSCrypt servers instead.

it gets blocked

What is "it" and what is blocked?

Does the router need to phone home when it starts in order to check for internet connectivity?

In that case you can try to enable logging in dnscrypt-proxy to see what exact query it is sending, and then add the corresponding IP address to the captive-portals.txt file.

[DogancanYr]

I tried it with the default settings, and now I tried it with this one. https://github.com/mapi68/dnscrypt-proxy-pihole
What is "it" and what is blocked?
Sometimes it says “proxy loop detected,” the modem completely blocks it, or even PPPoE cannot authenticate.
Does the router need to phone home when it starts in order to check for internet connectivity?
No. Keenetic VDSL modem
Logs.zip
@jedisct1

[jedisct1]

I'm sorry, I'm not familiar with that router.

[DogancanYr]

@jedisct1
I don't install it on the modem, I just showed the modem logs.
I have an Orange Pi device, the application works correctly, but after closing it modem, the internet connection is lost.

Can you install it with Anydesk, let's talk about it on discord?
DogancanYr.

[jedisct1]

I can't, sorry.

[DogancanYr]

I also tested this behavior on my modem. Initially, DoH did not work, but after some time it started working. When I checked the logs, I saw that the DNS resolver was discovered recursively. (I don't know how accessed it, maybe queried it with the isp dns, maybe asked the root servers.)

The main issue with DNSCrypt Proxy not working is that it fails to resolve the DoH endpoint https://cloudflare-dns.com/dns-query. This raises a fundamental problem: a URL-based DoH request cannot be made without first resolving the domain via DNS.

If DoH is not available or fails, the system is expected to fall back to plain DNS. However, this fallback does not occur, which causes DNS resolution to fail entirely.

@jedisct1

[jedisct1]

This is not expected, since Cloudflare's stamps include the IP addresses to connect to.

And you said you initially tried in the default configuration, which includes DNSCrypt. And that protocol doesn't use host names at all.

So your issue is likely something else.

You should still have a valid resolver configured as the bootstrap resolver, regardless.

[DogancanYr]

Could it be because the package manager installed the old version?
I also tried this but the configuration of this is different.
https://github.com/mapi68/dnscrypt-proxy-pihole

[ACEx86]

@jedisct1 i also suggest that the proxy can use cloack rules before anything else to try and connect to stamp servers.
for example i only download from github i have a cloack but it doesn't count it it will bootstap.

[DogancanYr]

How do I set it up in the simplest way?

[DogancanYr]

orangepizero3::# journalctl -f -u dnscrypt-proxy
Feb 10 16:01:43 orangepizero3 dnscrypt-proxy[1154]: [2026-02-10 16:01:43] [NOTICE] [dnscry.pt-fremont02-ipv4] TIMEOUT
Feb 10 16:01:44 orangepizero3 dnscrypt-proxy[1154]: [2026-02-10 16:01:44] [NOTICE] [dnscry.pt-chisinau-ipv4] TIMEOUT
Feb 10 16:01:45 orangepizero3 dnscrypt-proxy[1154]: [2026-02-10 16:01:45] [NOTICE] [dnscry.pt-miami-ipv4] TIMEOUT
Feb 10 16:01:46 orangepizero3 dnscrypt-proxy[1154]: [2026-02-10 16:01:46] [NOTICE] [dnscry.pt-durham-ipv4] TIMEOUT
Feb 10 16:01:47 orangepizero3 dnscrypt-proxy[1154]: [2026-02-10 16:01:47] [NOTICE] [dnscry.pt-chicago-ipv4] TIMEOUT
Feb 10 16:01:47 orangepizero3 dnscrypt-proxy[1154]: [2026-02-10 16:01:47] [NOTICE] [dnscry.pt-gdansk-ipv4] TIMEOUT
Feb 10 16:01:47 orangepizero3 dnscrypt-proxy[1154]: [2026-02-10 16:01:47] [NOTICE] [dnscry.pt-jena-ipv4] TIMEOUT
Feb 10 16:01:47 orangepizero3 dnscrypt-proxy[1154]: [2026-02-10 16:01:47] [NOTICE] dnscrypt-proxy service is not usable yet
Feb 10 16:01:47 orangepizero3 dnscrypt-proxy[1154]: [2026-02-10 16:01:47] [NOTICE] Resolving server host [jp.tiarap.org] using bootstrap resolvers over udp
Feb 10 16:01:48 orangepizero3 dnscrypt-proxy[1154]: [2026-02-10 16:01:48] [NOTICE] [dnscry.pt-detroit-ipv4] TIMEOUT
Feb 10 16:01:50 orangepizero3 dnscrypt-proxy[1154]: [2026-02-10 16:01:50] [NOTICE] [dnscry.pt-ebenecity-ipv4] TIMEOUT
Feb 10 16:01:51 orangepizero3 dnscrypt-proxy[1154]: [2026-02-10 16:01:51] [NOTICE] [dnscry.pt-tbilisi-ipv4] TIMEOUT
Feb 10 16:01:52 orangepizero3 dnscrypt-proxy[1154]: [2026-02-10 16:01:52] [NOTICE] [dnscry.pt-paris-ipv4] TIMEOUT
Feb 10 16:01:52 orangepizero3 dnscrypt-proxy[1154]: [2026-02-10 16:01:52] [NOTICE] [jp.tiar.app] TIMEOUT
Feb 10 16:01:53 orangepizero3 dnscrypt-proxy[1154]: [2026-02-10 16:01:53] [NOTICE] [scaleway-fr] TIMEOUT
Feb 10 16:01:54 orangepizero3 dnscrypt-proxy[1154]: [2026-02-10 16:01:54] [NOTICE] [dnscry.pt-luxembourg-ipv4] TIMEOUT
^C
orangepizero3::# dig dnssec-failed.org @127.0.0.1 -p 53533
;; communications error to 127.0.0.1#53533: connection refused
;; communications error to 127.0.0.1#53533: connection refused
;; communications error to 127.0.0.1#53533: connection refused

; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> dnssec-failed.org @127.0.0.1 -p 53533
;; global options: +cmd
;; no servers could be reached
orangepizero3:~:# journalctl -f -u dnscrypt-proxy
Feb 10 16:02:30 orangepizero3 dnscrypt-proxy[1154]: [2026-02-10 16:02:30] [NOTICE] [dnscry.pt-toronto02-ipv4] TIMEOUT
Feb 10 16:02:30 orangepizero3 dnscrypt-proxy[1154]: [2026-02-10 16:02:30] [NOTICE] [dnscry.pt-thessaloniki-ipv4] TIMEOUT
Feb 10 16:02:30 orangepizero3 dnscrypt-proxy[1154]: [2026-02-10 16:02:30] [NOTICE] [dnscry.pt-allendale-ipv4] TIMEOUT
Feb 10 16:02:32 orangepizero3 dnscrypt-proxy[1154]: [2026-02-10 16:02:32] [NOTICE] [dnscry.pt-newyork-ipv4] TIMEOUT
Feb 10 16:02:33 orangepizero3 dnscrypt-proxy[1154]: [2026-02-10 16:02:33] [NOTICE] [dnscry.pt-calgary-ipv4] TIMEOUT
Feb 10 16:02:34 orangepizero3 dnscrypt-proxy[1154]: [2026-02-10 16:02:34] [NOTICE] Resolving server host [jp.tiarap.org] using bootstrap resolvers over tcp
Feb 10 16:02:34 orangepizero3 dnscrypt-proxy[1154]: [2026-02-10 16:02:34] [NOTICE] [dnscry.pt-prague-ipv4] TIMEOUT
Feb 10 16:02:36 orangepizero3 dnscrypt-proxy[1154]: [2026-02-10 16:02:36] [NOTICE] [dnscry.pt-johannesburg-ipv4] TIMEOUT
Feb 10 16:02:36 orangepizero3 dnscrypt-proxy[1154]: [2026-02-10 16:02:36] [NOTICE] [dnscry.pt-losangeles-ipv4] T● dnscrypt-proxy.socket - dnscrypt-proxy listening sock>
Loaded: loaded (/usr/lib/systemd/system/dnscrypt-p> Active: active (running) since Tue 2026-02-10 16:0> Triggers: ● dnscrypt-proxy.service
Docs: https://github.com/DNSCrypt/dnscrypt-proxy> Listen: 127.0.2.1:53533 (Stream) 127.0.2.1:53533 (Datagram)
Tasks: 0 (limit: 2183) Memory: 8.0K (peak: 264.0K) CPU: 6ms
CGroup: /system.slice/dnscrypt-proxy.socket
Feb 10 16:00:14 orangepizero3 systemd[1]: dnscrypt-prox>Feb 10 16:00:14 orangepizero3 systemd[1]: Listening on >
~
~ ~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
lines 1-14/14 (END)...skipping...
● dnscrypt-proxy.socket - dnscrypt-proxy listening sock>
Loaded: loaded (/usr/lib/systemd/system/dnscrypt-p>
Active: active (running) since Tue 2026-02-10 16:0>
● dnscrypt-proxy.socket - dnscrypt-proxy listening sock>
Loaded: loaded (/usr/lib/systemd/system/dnscrypt-p>
Active: active (running) since Tue 2026-02-10 16:0>
Triggers: ● dnscrypt-proxy.service
Docs: https://github.com/DNSCrypt/dnscrypt-proxy>
Listen: 127.0.2.1:53533 (Stream)
127.0.2.1:53533 (Datagram)
Tasks: 0 (limit: 2183)
Memory: 8.0K (peak: 264.0K)
CPU: 6ms
CGroup: /system.slice/dnscrypt-proxy.socket

Feb 10 16:00:14 orangepizero3 systemd[1]: dnscrypt-prox>
Feb 10 16:00:14 orangepizero3 systemd[1]: Listening

[ACEx86]

what is the config file?

[DogancanYr]

#################################

Global settings

#################################
listen_addresses = ['127.0.0.1:53533']
bootstrap_resolvers = ['1.1.1.1:53', '8.8.8.8:53', '9.9.9.9:53']
ignore_system_dns = true
max_clients = 250
force_tcp = false
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
doh_servers = true
odoh_servers = false
require_dnssec = true
require_nolog = true
require_nofilter = true
lb_strategy = 'p15'
lb_estimator = true
block_unqualified = true
block_undelegated = true

###########################

DNS cache

###########################
cache = true
cache_size = 10000
cache_min_ttl = 7200
cache_max_ttl = 86400
cache_neg_min_ttl = 1800
cache_neg_max_ttl = 7200

#####################

Log

#####################
log_files_max_size = 20
log_files_max_age = 10

[query_log]
file = '/var/log/dnscrypt-proxy/query.log'

[nx_log]
file = '/var/log/dnscrypt-proxy/nx.log'

#############################################

Public Resolvers and Relays

#############################################
[sources]

[sources.public-resolvers]
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 73
prefix = ''

[sources.relays]
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md']
cache_file = '/var/cache/dnscrypt-proxy/relays.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 73
prefix = ''

[ACEx86]

try server_names = ['dnscry.pt-istanbul-ipv4']

[DogancanYr]

Same.

[ACEx86]

Try this and show me the log file if it fails.

[DogancanYr]

Ok. But come to discord.
DogancanYr

[DogancanYr]

I send.

[ACEx86]

I think it will work now.
If it doesn't resolve dns, you may need to change the dns settings to 192.168.x.1listen_addresses = 192.168.x.1:53
with this all the querys that come to your router will be handled by dnscrypt.
also you can run the dnscrypt in windows and make the dns listen to your pc local dhcp 1listen_addresses = (example make it static)192.168.x.20:53 and router 192.168.x.20 and then your pc dnscrypt will handle all the dns requests of the devices

[DogancanYr]

Didn't work again. Modem log.
proxy loop detected: 192.168.1.2 <-> 192.168.1.2, request dropped.
DNS server 192.168.1.2 deactivated.
It looks like it is asking the modem again for the DNS request.

[ACEx86]

Configure DNS 192.169.1.2 on DHCP addresses, router has Network Loop Detection enabled and it won't connect to 192.168.x on start up, you can only change the setting when running.
All the devices will get the dns address 192.168.1.2 but that doesn't change anything if you want to hide the request. (The devices do plain dns request until PiHole so devices can know what you search and then PiHole is doing the query to internet)
The dsl router internal local host VLAN can see the plain dns request to PiHole and probably manipulate it with arp poisoning.
No service provider unless they use Tr0 ssh ftp vnc or device logging.