limited list of resolvers if using cyberghostvpn #3092
Description
Since quite some time i can only connect to a pretty limited list of dnscrypt resolvers if i connect/ route traffic trough a cyberghost vpn, no matter which country/vpn - ip i use from this provider.
logread | grep -i dns
...
Tue Jan 13 12:15:01 2026 daemon.err dnscrypt-proxy[12676]: [2026-01-13 09:15:01] [NOTICE] [dnscry.pt-barcelona-ipv4] TIMEOUT
Tue Jan 13 12:15:01 2026 daemon.err dnscrypt-proxy[12676]: [2026-01-13 09:15:01] [NOTICE] Sorted latencies:
Tue Jan 13 12:15:01 2026 daemon.err dnscrypt-proxy[12676]: [2026-01-13 09:15:01] [NOTICE] - 45ms adguard-dns-unfiltered
Tue Jan 13 12:15:01 2026 daemon.err dnscrypt-proxy[12676]: [2026-01-13 09:15:01] [NOTICE] - 49ms digitalprivacy.diy-dnscrypt-ipv4
Tue Jan 13 12:15:01 2026 daemon.err dnscrypt-proxy[12676]: [2026-01-13 09:15:01] [NOTICE] - 54ms quad9-dnscrypt-ip4-nofilter-ecs-pri
Tue Jan 13 12:15:01 2026 daemon.err dnscrypt-proxy[12676]: [2026-01-13 09:15:01] [NOTICE] - 54ms serbica
Tue Jan 13 12:15:01 2026 daemon.err dnscrypt-proxy[12676]: [2026-01-13 09:15:01] [NOTICE] - 54ms quad9-dnscrypt-ip4-nofilter-pri
Tue Jan 13 12:15:01 2026 daemon.err dnscrypt-proxy[12676]: [2026-01-13 09:15:01] [NOTICE] - 59ms dnscrypt.pl
Tue Jan 13 12:15:01 2026 daemon.err dnscrypt-proxy[12676]: [2026-01-13 09:15:01] [NOTICE] - 63ms searx-se-ipv4
Tue Jan 13 12:15:01 2026 daemon.err dnscrypt-proxy[12676]: [2026-01-13 09:15:01] [NOTICE] - 66ms nwps.fi
Tue Jan 13 12:15:01 2026 daemon.err dnscrypt-proxy[12676]: [2026-01-13 09:15:01] [NOTICE] - 66ms ffmuc.net
Tue Jan 13 12:15:01 2026 daemon.err dnscrypt-proxy[12676]: [2026-01-13 09:15:01] [NOTICE] - 72ms faelix-uk-ipv4
Tue Jan 13 12:15:01 2026 daemon.err dnscrypt-proxy[12676]: [2026-01-13 09:15:01] [NOTICE] - 127ms plan9dns-nj
Tue Jan 13 12:15:01 2026 daemon.err dnscrypt-proxy[12676]: [2026-01-13 09:15:01] [NOTICE] - 136ms dnscrypt.ca-ipv4
Tue Jan 13 12:15:01 2026 daemon.err dnscrypt-proxy[12676]: [2026-01-13 09:15:01] [NOTICE] - 158ms plan9dns-fl
Tue Jan 13 12:15:01 2026 daemon.err dnscrypt-proxy[12676]: [2026-01-13 09:15:01] [NOTICE] - 185ms plan9dns-mx
Tue Jan 13 12:15:01 2026 daemon.err dnscrypt-proxy[12676]: [2026-01-13 09:15:01] [NOTICE] - 285ms jp.tiar.app
Tue Jan 13 12:15:01 2026 daemon.err dnscrypt-proxy[12676]: [2026-01-13 09:15:01] [NOTICE] - 293ms saldns01-conoha-ipv4
Tue Jan 13 12:15:01 2026 daemon.err dnscrypt-proxy[12676]: [2026-01-13 09:15:01] [NOTICE] - 293ms saldns02-conoha-ipv4
Tue Jan 13 12:15:01 2026 daemon.err dnscrypt-proxy[12676]: [2026-01-13 09:15:01] [NOTICE] - 313ms saldns03-conoha-ipv4
Tue Jan 13 12:15:01 2026 daemon.err dnscrypt-proxy[12676]: [2026-01-13 09:15:01] [NOTICE] - 314ms jp2.vr.ekinao.com
Tue Jan 13 12:15:01 2026 daemon.err dnscrypt-proxy[12676]: [2026-01-13 09:15:01] [NOTICE] - 2896ms ibksturm
here is the basic config i use right now:
grep -E -v "^#|^$" dnscrypt-proxy.toml
listen_addresses = ['127.0.0.53:53']
max_clients = 250
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
doh_servers = false
odoh_servers = false
require_nolog = true
require_nofilter = true
disabled_server_names = []
force_tcp = false
http3 = false
http3_probe = false
timeout = 5000
keepalive = 30
blocked_query_response = 'refused'
lb_strategy = 'p9'
log_files_max_size = 10
log_files_max_age = 7
log_files_max_backups = 1
cert_refresh_concurrency = 8
cert_refresh_delay = 180
ignore_system_dns = true
netprobe_timeout = 60
netprobe_address = '9.9.9.9:53'
block_ipv6 = true
block_unqualified = true
block_undelegated = true
reject_ttl = 10
cache = true
cache_size = 4096
cache_min_ttl = 2400
cache_max_ttl = 86400
cache_neg_min_ttl = 60
cache_neg_max_ttl = 600
[captive_portals]
[local_doh]
[query_log]
format = 'tsv'
[nx_log]
file = '/tmp/nx.log'
format = 'tsv'
[blocked_names]
[blocked_ips]
[allowed_names]
[allowed_ips]
[schedules]
[sources]
[sources.public-resolvers]
urls = [
'https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md',
'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md',
]
cache_file = 'public-resolvers.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 73
prefix = ''
[sources.relays]
urls = [
'https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md',
'https://download.dnscrypt.info/resolvers-list/v3/relays.md',
]
cache_file = 'relays.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 73
prefix = ''
[sources.dnscry-pt-resolvers]
urls = ["https://www.dnscry.pt/resolvers.md"]
minisign_key = "RWQM31Nwkqh01x88SvrBL8djp1NH56Rb4mKLHz16K7qsXgEomnDv6ziQ"
cache_file = "dnscry.pt-resolvers.md"
refresh_delay = 73
prefix = "dnscry.pt-"
[broken_implementations]
fragments_blocked = [
'cisco',
'cisco-ipv6',
'cisco-familyshield',
'cisco-familyshield-ipv6',
'cisco-sandbox',
'cleanbrowsing-adult',
'cleanbrowsing-adult-ipv6',
'cleanbrowsing-family',
'cleanbrowsing-family-ipv6',
'cleanbrowsing-security',
'cleanbrowsing-security-ipv6',
]
[doh_client_x509_auth]
[anonymized_dns]
skip_incompatible = true
direct_cert_fallback = false
[dns64]
[ip_encryption]
algorithm = "none"
key = ""
[monitoring_ui]
enabled = false
listen_address = "127.0.0.1:8080"
username = "admin"
password = "changeme"
tls_certificate = ""
tls_key = ""
enable_query_log = true
privacy_level = 1
[static]
my config works everywhere else like it should and returns a huge list of resolvers if i disable the vpn or use that same config on a vps. which brings me to the point that A. the vpn provider either is intercepting dnscrypt queries and blocking them or B. that provider is for some kind of reason blocked by the whole list of resolvers which is pretty unlikely i guess. Besides of that its strange that exactly this list of resolvers is returned the whole time. Anyone else experiencing this or has an answer?