DoH Resolution Failure with Internal Resolver Exception

[theAester]

Scenario and configuration

I have set up Technitium on a server as a conditional forwarder. essentially, some requests need to be forwarded through different DNS's.

I am using zones with conditional forwarders to forward certain domains to a DoH proxy server that I Own. Say https://my-proxy.doh.com

So in Technitium there is a zone for googlevideo.com which has a FWD Record for *, set to use dns-over-Https with no DNSSEC resolved by https://my-proxy.doh.com/dns-query

The server is configured to allow recursive queries from any host.

The server is configured to bypass QPM restrictions for MY computers IP address.

The server is configured to NOT use QNAME Minimization.

The server is configured to NOT cache failures (Cache Failure TTL = 0)

The server is configured to use https://my-proxy.doh.com as the forwarder for everything else (from Settings > Forwarders & proxy) (this is just for testing, in reality this will be a normal DNS-over-UDP address for default recursive resolution)

Technitium Version: v14.2

Running on Ubuntu 24, with network managed by netplan.

The Issue

When i try resolving somethingsomething.googlevideos.com using Technitium (on 127.0.0.1:53) i get an error:

dig a.googlevideos.com

; <<>> DiG 9.18.39-0ubuntu.0.22.04.2-Ubuntu <<>> a.googlevideos.com
;; ...
...
;; OPT PSEUDOSECTION
; EDNS: version: 0, flags:; udp: 1232
; EDE: 22 (No Reachable Authority): (No response from name servers for a.googlevideos.com. A IN)
;; QUESTION SECTION:
...

This tells me that the server is receiving the DNS query, and forwarding it over HTTPS to https://my-proxy.doh.com, but that DoH server is not responding.

Here is some additional information:

I use the DNS Client tab from the web panel to resolve an address:

{
  "Metadata": {
    "NameServer": "homeserver (127.0.0.1)",
    "Protocol": "Udp",
    "DatagramSize": "88 bytes",
    "RoundTripTime": "1.91 ms"
  },
  "EDNS": {
    "UdpPayloadSize": 1232,
    "ExtendedRCODE": "ServerFailure",
    "Version": 0,
    "Flags": "None",
    "Options": [
      {
        "Code": "EXTENDED_DNS_ERROR",
        "Length": "20 bytes",
        "Data": {
          "InfoCode": "Other",
          "ExtraText": "Resolver exception"
        }
      }
    ]
  },
  "DnsClientExtendedErrors": [
    {
      "InfoCode": "NoReachableAuthority",
      "ExtraText": "homeserver (127.0.0.1) returned RCODE=ServerFailure for rr3---sn-qxau5-btqd.googlevideo.com. A IN"
    }
  ],
  "Identifier": 56739,
  "IsResponse": true,
  "OPCODE": "StandardQuery",
  "AuthoritativeAnswer": false,
  "Truncation": false,
  "RecursionDesired": true,
  "RecursionAvailable": true,
  "Z": 0,
  "AuthenticData": false,
  "CheckingDisabled": false,
  "RCODE": "ServerFailure",
  "QDCOUNT": 1,
  "ANCOUNT": 0,
  "NSCOUNT": 0,
  "ARCOUNT": 1,
  "Question": [
    {
      "Name": "rr3---sn-qxau5-btqd.googlevideo.com",
      "Type": "A",
      "Class": "IN"
    }
  ],
  "Answer": [],
  "Authority": [],
  "Additional": [
    {
      "Name": "",
      "Type": "OPT",
      "Class": "1232",
      "TTL": "0 (0s)",
      "RDLENGTH": "24 bytes",
      "RDATA": {
        "Options": [
          {
            "Code": "EXTENDED_DNS_ERROR",
            "Length": "20 bytes",
            "Data": {
              "InfoCode": "Other",
              "ExtraText": "Resolver exception"
            }
          }
        ]
      },
      "DnssecStatus": "Disabled"
    }
  ]
}

and when i view the Server Logs this is what I see:

[2025-11-25 XX:XX:XX UTC] DNS Server failed to resolve the request 'rr3---sn-qxau5-btqd.googlevideo.com. A IN' using forwarders: https://my-proxy.doh.com/dns-query.
DnsServerCore.Dns.DnsServerException: All name servers failed to answer the request 'rr3---sn-qxau5-btqd.googlevideo.com. A IN'. Received last response with RCODE=Refused from: unknown
   at DnsServerCore.Dns.DnsServer.RecursiveResolverBackgroundTaskAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, Boolean advancedForwardingClientSubnet, IReadOnlyList`1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource`1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 4503

However this is the catch, the issue does NOT seem to lie with https://my-proxy.doh.com, because when i test it manually:

curl https://my-proxy.doh.com/dns-query?dns=5SYBAAABAAAAAAAAE3JyMy0tLXNuLXF4YXU1LWJ0cWQLZ29vZ2xldmlkZW8DY29tAAABAAE | base64
5SaBgAABAAIAAAAAE3JyMy0tLXNuLXF4YXU1LWJ0cWQLZ29vZ2xldmlkZW8DY29tAAABAAHADAAFAAEAAAcIABQDcnIzDXNuLXF4YXU1LWJ0cWTAIMBBAAEAAQAABwgABD7U/g4=

I DO get a response, which is decoded to:

id 58662
opcode QUERY
rcode NOERROR
flags QR RD RA
;QUESTION
rr3---sn-qxau5-btqd.googlevideo.com. IN A
;ANSWER
rr3---sn-qxau5-btqd.googlevideo.com. 1352 IN CNAME rr3.sn-qxau5-btqd.googlevideo.com.
rr3.sn-qxau5-btqd.googlevideo.com. 1352 IN A 62.212.254.14
;AUTHORITY
;ADDITIONAL

So when i manually craft a DoH query and send it over to https://my-proxy.doh.com I get a perfectly fine response.

Same thing happens when i set https://my-proxy.doh.com as the DoH endpoint in firefox directly, everything works fine.

But somehow when technitium attemps to resolve this address from the same endpoint, it fails. I have Tweaked all settings i could think of and nothing seems to fix this, Another weird thing is that this is not the case for all domain names, it only seems to happen for this specific zone. every other domain that is supposed to be resolved through DoH, has been configured in the exact same way and they work just fine.

These two facts lead me to believe that this must be an internal issue with Technitium's DoH forwarder subsystem.

I'll be happy to provide any additional information if necessary.

[ShreyasZare]

Thanks for the post. Since the DNS Client output says Resolver exception, there should be another error log corresponding to it. The once you shared does not cover that response. Try to find and share that error log here.

I would also suggest that you test your DoH server from the DNS Client tool on the admin panel itself. This will make sure that the DoH request is being sent from the DNS server itself and thus give you the same behavior when the DNS server tries to do it internally. This also helps in case when the forwarder is answering based on the client IP address so testing from the DNS server itself will help with that too. Do share the output you get when you use DNS Client to query to your DoH server directly.

[theAester]

Thanks for the post. Since the DNS Client output says Resolver exception, there should be another error log corresponding to it. The once you shared does not cover that response. Try to find and share that error log here.

I went to the Logs > View Logs tab (since the Query Logs tab is not enabled) and cleared todays logs, I then removed cached entries for the googlevideos.com zone to force the resolver to forward again. After calling NsLookup on a googlevideos.com subdomain, these were the ONLY logs that i Could see:

[2025-11-26 13:03:34 UTC] DNS Server failed to resolve the request 'www.bing.com.edgekey.net. HTTPS IN' using forwarders: https://my-proxy.doh.com/dns-query (188.114.99.0).
DnsServerCore.Dns.DnsServerException: All name servers failed to answer the request 'www.bing.com.edgekey.net. HTTPS IN'. Received last response with RCODE=Refused from: https://my-proxy.doh.com/dns-query (188.114.99.0)
   at DnsServerCore.Dns.DnsServer.RecursiveResolverBackgroundTaskAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, Boolean advancedForwardingClientSubnet, IReadOnlyList`1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource`1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 4503
[2025-11-26 13:03:35 UTC] DNS Server failed to resolve the request 'e86303.dscx.akamaiedge.net. HTTPS IN' using forwarders: https://my-proxy.doh.com/dns-query (188.114.99.0).
DnsServerCore.Dns.DnsServerException: All name servers failed to answer the request 'e86303.dscx.akamaiedge.net. HTTPS IN'. Received last response with RCODE=Refused from: https://my-proxy.doh.com/dns-query (188.114.99.0)
   at DnsServerCore.Dns.DnsServer.RecursiveResolverBackgroundTaskAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, Boolean advancedForwardingClientSubnet, IReadOnlyList`1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource`1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 4503
[2025-11-26 13:03:40 UTC] DNS Server failed to resolve the request 'rr2---sn-5hne6nzs.googlevideo.com. A IN' using forwarders: https://my-proxy.doh.com/dns-query.
DnsServerCore.Dns.DnsServerException: All name servers failed to answer the request 'rr2---sn-5hne6nzs.googlevideo.com. A IN'. Received last response with RCODE=Refused from: unknown
   at DnsServerCore.Dns.DnsServer.RecursiveResolverBackgroundTaskAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, Boolean advancedForwardingClientSubnet, IReadOnlyList`1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource`1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 4503
[2025-11-26 13:03:40 UTC] DNS Server failed to resolve the request 'rr2---sn-5hne6nzs.googlevideo.com. AAAA IN' using forwarders: https://my-proxy.doh.com/dns-query.
DnsServerCore.Dns.DnsServerException: All name servers failed to answer the request 'rr2---sn-5hne6nzs.googlevideo.com. AAAA IN'. Received last response with RCODE=Refused from: unknown
   at DnsServerCore.Dns.DnsServer.RecursiveResolverBackgroundTaskAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, Boolean advancedForwardingClientSubnet, IReadOnlyList`1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource`1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 4503
[2025-11-26 13:03:40 UTC] DNS Server failed to resolve the request 'rr2---sn-5hne6nzs.googlevideo.com. A IN' using forwarders: https://my-proxy.doh.com/dns-query.
DnsServerCore.Dns.DnsServerException: All name servers failed to answer the request 'rr2---sn-5hne6nzs.googlevideo.com. A IN'. Received last response with RCODE=Refused from: unknown
   at DnsServerCore.Dns.DnsServer.RecursiveResolverBackgroundTaskAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, Boolean advancedForwardingClientSubnet, IReadOnlyList`1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource`1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 4503
[2025-11-26 13:03:40 UTC] DNS Server failed to resolve the request 'rr2---sn-5hne6nzs.googlevideo.com. AAAA IN' using forwarders: https://my-proxy.doh.com/dns-query.
DnsServerCore.Dns.DnsServerException: All name servers failed to answer the request 'rr2---sn-5hne6nzs.googlevideo.com. AAAA IN'. Received last response with RCODE=Refused from: unknown
   at DnsServerCore.Dns.DnsServer.RecursiveResolverBackgroundTaskAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, Boolean advancedForwardingClientSubnet, IReadOnlyList`1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource`1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 4503

I cannot find any additional error logs or information about this anywhere, unless theres another logging destination that I dont know about.

Moreover to your inquiry i will include another, seemingly unrelated but longer error that i have encountered in the logs. This is a timeout error and it happens because the DoH proxy (my-proxy.doh.com) is a little unstable sometimes, the timeouts are temporary and I have not had issues that i could trace back to these error logs and as far as I am concerned these errors are unrelated to this, or any other issue that I have, But I will include one example for your discretion:

[2025-11-26 13:07:20 UTC] DNS Server failed to resolve the request '1337.abcvg.info. A IN' using forwarders: https://my-proxy.doh.com/dns-query (188.114.98.0).
TechnitiumLibrary.Net.Dns.DnsClientNoResponseException: DnsClient failed to resolve the request '1337.abcvg.info. A IN': request timed out for name server [https://my-proxy.doh.com/dns-query (188.114.98.0)].
   at TechnitiumLibrary.Net.Dns.ClientConnection.HttpsClientConnection.QueryAsync(DnsDatagram request, Int32 timeout, Int32 retries, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\ClientConnection\HttpsClientConnection.cs:line 381
   at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass89_0.<<InternalResolveAsync>g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4512
--- End of stack trace from previous location ---
   at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass89_0.<<InternalResolveAsync>g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4738
--- End of stack trace from previous location ---
   at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass89_0.<<InternalResolveAsync>g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4428
--- End of stack trace from previous location ---
   at TechnitiumLibrary.Net.Dns.DnsClient.InternalResolveAsync(DnsDatagram request, Func`3 getValidatedResponseAsync, Boolean doNotReorderNameServers, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4900
   at TechnitiumLibrary.Net.Dns.DnsClient.InternalNoDnssecResolveAsync(DnsDatagram request, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4919
   at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass93_0.<<InternalCachedResolveQueryAsync>b__0>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 5095
--- End of stack trace from previous location ---
   at TechnitiumLibrary.Net.Dns.DnsClient.ResolveQueryAsync(DnsQuestionRecord question, Func`2 resolveAsync) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4236
   at TechnitiumLibrary.Net.Dns.DnsClient.InternalCachedResolveQueryAsync(DnsQuestionRecord question, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 5075
   at DnsServerCore.Dns.DnsServer.DefaultRecursiveResolveAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, IDnsCache dnsCache, Boolean dnssecValidation, Boolean skipDnsAppAuthoritativeRequestHandlers, CancellationToken cancellationToken) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 4708
   at DnsServerCore.Dns.DnsServer.RecursiveResolverBackgroundTaskAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, Boolean advancedForwardingClientSubnet, IReadOnlyList`1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource`1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 4491

I would also suggest that you test your DoH server from the DNS Client tool on the admin panel itself. This will make sure that the DoH request is being sent from the DNS server itself and thus give you the same behavior when the DNS server tries to do it internally. This also helps in case when the forwarder is answering based on the client IP address so testing from the DNS server itself will help with that too. Do share the output you get when you use DNS Client to query to your DoH server directly.

I in fact, have done that, I just forgot to mention it. There is a peculiar behavior here.

Firstly, I have tried digging from the same linux server that is hosting Technitium, same thing happens. Also the server and the computer I'm working on are on the same subnet behind a NAT. So the DoH proxy sees the exact same address when i test it from my computer or from the server. Essentially the server is meant to answer queries in the subnet behind the NAT only.

Secondly, I have also used the DNS Client tab to query from this server before and i have included the results in my original issue.

From the DNS Client Tab, when i select "this server" in the Server field (which we know is essentially the same as my-proxy.doh.com since I've set it to be the default forwarder) I get the same error as I've quoted in my original issue.

However, when i type {https://my-proxy.doh.com/dns-query} into the DNS Client tab's Server field, sometimes it times out, but most of the time it returns successfully!!

{
  "Metadata": {
    "NameServer": "https://my-proxy.doh.com/dns-query (188.114.99.0)",
    "Protocol": "Https",
    "DatagramSize": "108 bytes",
    "RoundTripTime": "238.91 ms"
  },
  "EDNS": {
    "UdpPayloadSize": 512,
    "ExtendedRCODE": "NoError",
    "Version": 0,
    "Flags": "None",
    "Options": []
  },
  "Identifier": 0,
  "IsResponse": true,
  "OPCODE": "StandardQuery",
  "AuthoritativeAnswer": false,
  "Truncation": false,
  "RecursionDesired": true,
  "RecursionAvailable": true,
  "Z": 0,
  "AuthenticData": false,
  "CheckingDisabled": false,
  "RCODE": "NoError",
  "QDCOUNT": 1,
  "ANCOUNT": 2,
  "NSCOUNT": 0,
  "ARCOUNT": 1,
  "Question": [
    {
      "Name": "rr2---sn-5hne6nzs.googlevideo.com",
      "Type": "A",
      "Class": "IN"
    }
  ],
  "Answer": [
    {
      "Name": "rr2---sn-5hne6nzs.googlevideo.com",
      "Type": "CNAME",
      "Class": "IN",
      "TTL": "39 (39s)",
      "RDLENGTH": "18 bytes",
      "RDATA": {
        "Domain": "rr2.sn-5hne6nzs.googlevideo.com"
      },
      "DnssecStatus": "Disabled"
    },
    {
      "Name": "rr2.sn-5hne6nzs.googlevideo.com",
      "Type": "A",
      "Class": "IN",
      "TTL": "70 (1m10s)",
      "RDLENGTH": "4 bytes",
      "RDATA": {
        "IPAddress": "74.125.8.103"
      },
      "DnssecStatus": "Disabled"
    }
  ],
  "Authority": [],
  "Additional": [
    {
      "Name": "",
      "Type": "OPT",
      "Class": "512",
      "TTL": "0 (0s)",
      "RDLENGTH": "0 bytes",
      "RDATA": {
        "Options": []
      },
      "DnssecStatus": "Disabled"
    }
  ]
}

Same domain, same server, different result.

I should've mentioned this in my original issue because It is strange that even though i expect the responses from these two requests to be the same (the will essentially be resolved from the same server), They are not. This issue only happens when THIS server is queried, and the query is subsequently forwarded to the DoH proxy. When querying the DoH proxy directly, everything works fine.

[theAester]

I have found another interesting piece of information.

Apparently the issue is ONLY limited to the domain names that are being forwarded by a conditional forwarder zone.

Here is a scenario:

From Settings > Proxy & Forwarders, i have set the server to use DNS-over-HTTPS: https://my-proxy.doh.com/dns-query as the server's main forwarder.

I then create a conditional forwarder zone for googlevideos.com, and add a FWD record for *, which is configured to forward the queries using DNS-over-HTTPS: https://my-proxy.doh.com/dns-query (the exact same thing as the server's default forwarder)

In this case all of the errors i have talked about previously happens (this is the exact same scenario that i described in all of my previous comments)

BUT

When I DISABLE the Conditional forwarder zone from the Zones tab, the server essentially has to do the same thing, because now the googlevideos.com sub domains do not have authoritative zones and are therefore resolved by the default forwarder which i have set to be the my-proxy.doh.com.

BUT IN THIS SCENARIO EVERYTHING WORKS.

The issue ONLY arises when i define a conditional forwarder zone for a domain and add FWD records for it's subdomains. Other than that, anything that is forwarded using the default forwarder, even if its the same domains as before, even if they are forwarded to the same DoH Proxy as before, they all are resolved normally and without issue.

[ShreyasZare]

A lot of error log entries say that the DoH server responded with RCODE=REFUSED which means that its an issue with upstream config and its refusing to answer queries coming from your IP address.

I would also suggest to do the debugging using the DNS Client tab on the admin panel since it reduces scope of making mistakes while debugging such issues since it will ensure that the "This Server" queries go to the local DNS server itself.

From the DNS Client Tab, when i select "this server" in the Server field (which we know is essentially the same as my-proxy.doh.com since I've set it to be the default forwarder) I get the same error as I've quoted in my original issue.

No, its not the same thing. Query to "This Server" will send a request to your local DNS server whereas entering a DoH URL will send a query directly to the specified DoH server. The "This Server" will use its cache to answer if it has any data available. Testing queries directly to upstream will help you know if the upstream is responding correctly for queries you are making.

Since you see this issue with the specific DoH upstream server, I will suggest that you change it to some other DoH server and repeat the tests and see if the issue replicates with a different DoH upstream.

I would also suggest that you check the Cache tab for the queries you make while testing. The cache entries include meta data that tells you form what server the record was received.

Another thing, you do not need to use wildcard char for FWD record. Just using @ for the FWD record name will work since the record does catch all for the domain name and all subdomain names.