From c4287c799fdd2feb15c0a03adc4835db5c646abc Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Tue, 24 Mar 2020 14:32:23 +0100
Subject: [PATCH] Quad9 doesn't seem to block fragments on all networks

So, remove them from the static list and trust the runtime checks for detection.
---
 dnscrypt-proxy/config.go | 2 +-
 dnscrypt-proxy/example-dnscrypt-proxy.toml | 9 ++++++---
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/dnscrypt-proxy/config.go b/dnscrypt-proxy/config.go
index 5179c2c3..b1994cb2 100644
--- a/dnscrypt-proxy/config.go
+++ b/dnscrypt-proxy/config.go
@@ -134,7 +134,7 @@ func newConfig() Config {
 		LBEstimator: true,
 		BlockedQueryResponse: "hinfo",
 		BrokenImplementations: BrokenImplementationsConfig{
-			BrokenQueryPadding: []string{"cisco", "cisco-ipv6", "cisco-familyshield", "quad9-dnscrypt-ip4-filter-alt", "quad9-dnscrypt-ip4-filter-pri", "quad9-dnscrypt-ip4-nofilter-alt", "quad9-dnscrypt-ip4-nofilter-pri", "quad9-dnscrypt-ip6-filter-alt", "quad9-dnscrypt-ip6-filter-pri", "quad9-dnscrypt-ip6-nofilter-alt", "quad9-dnscrypt-ip6-nofilter-pri"},
+			BrokenQueryPadding: []string{"cisco", "cisco-ipv6", "cisco-familyshield"},
 		},
 	}
 }
diff --git a/dnscrypt-proxy/example-dnscrypt-proxy.toml b/dnscrypt-proxy/example-dnscrypt-proxy.toml
index 8f4fee8d..778de5ce 100644
--- a/dnscrypt-proxy/example-dnscrypt-proxy.toml
+++ b/dnscrypt-proxy/example-dnscrypt-proxy.toml
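Review bot: The trimmed `BrokenQueryPadding` default in newConfig carries no comment saying what being listed here does, why only the three Cisco names remain, or that servers not listed are now expected to be caught by runtime detection (that last point exists only in the commit message). The exact same list is duplicated as `broken_query_padding` in example-dnscrypt-proxy.toml, so the two can silently drift apart. I would add above the field `// Servers whose DNSCrypt implementation truncates responses larger than the (padded) question; keep in sync with broken_query_padding in example-dnscrypt-proxy.toml.` and `// Servers not listed rely on runtime detection of the same problem.` Since the workaround applied to listed servers presumably weakens query padding, which is a privacy property, the comment should also say the list must stay as short as the runtime checks allow. newConfig begins outside this hunk.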
@@ -626,10 +626,10 @@ cache_neg_max_ttl = 600
 # truncate reponses larger than questions as expected by the DNSCrypt protocol.
 # This prevents large responses from being received, and breaks relaying.
 # A workaround for the first issue will be applied to servers in list below.
-# Quad9 appears to currently have a similar issue.
+# Quad9 appears to be dropping fragmented UDP queries, but only for some networks.
 # Do not change that list until the bugs are fixed server-side.
-broken_query_padding = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'quad9-dnscrypt-ip4-filter-alt', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-nofilter-alt', 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-filter-alt', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-dnscrypt-ip6-nofilter-alt', 'quad9-dnscrypt-ip6-nofilter-pri']
+broken_query_padding = ['cisco', 'cisco-ipv6', 'cisco-familyshield']
@@ -637,10 +637,13 @@ broken_query_padding = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'quad9-dnsc
 # TLS Client Authentication
 # ################################
+# This is only useful if you are operating your own, private DoH server(s).
+# (for DNSCrypt, see the `query_meta` feature instead)
+
 [tls_client_auth]
 # creds = [
-# { server_name='myserver', client_cert='client.crt', client_key='client.key' },
+# { server_name='myserver', client_cert='client.crt', client_key='client.key' }
 # ]
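Review bot: The rewritten Quad9 comment now sits directly above `# Do not change that list until the bugs are fixed server-side.` while Quad9 has been removed from that very list, so a reader cannot tell whether the removal was deliberate or an accident and may well re-add it. The commit message explains that runtime checks now handle Quad9, but nothing in the file does; I would write `# Quad9 appears to be dropping fragmented UDP queries, but only on some networks, so it is no longer listed here and is left to the runtime checks instead.` It would also help to note that this list is mirrored by the `BrokenQueryPadding` default in config.go and the two must be changed together.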
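Review bot: The `[tls_client_auth]` example shows `client_key='client.key'` with no caveat that this file is a private key, and the new explanatory comment does not add one; operators copying the example tend to leave such files world-readable. I would add under the new note `# client_key is a secret: store it outside any shared directory and make it readable only by the user dnscrypt-proxy runs as.` The added pointer to `query_meta` could also be read as an equivalent of client-certificate authentication for DNSCrypt; its semantics are not visible in this hunk, so if it is weaker, a qualifier stating what it does and does not provide would prevent that reading.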