When DNS caching is enabled, the ISP's DNS does not work properly #7046

Open
4 tasks done
UnbeatenEast2 opened this issue Jun 1, 2024 · 10 comments

UnbeatenEast2 commented Jun 1, 2024

Prerequisites

Platform (OS and CPU architecture)

Linux, AMD64 (aka x86_64)

Installation

GitHub releases or script from README

Setup

On one machine

AdGuard Home version

v0.107.50

Action

AdGuardHome IP address: 192.168.5.5
AdGuardHome upstream DNS server is set to 58.20.127.238.
(58.20.127.238 is an ISP DNS.)


Expected result

DNS caching is disabled.
Using the dig command, DNS resolves normally.

apline:~# dig @192.168.5.5 jd.com

; <<>> DiG 9.18.24 <<>> @192.168.5.5 jd.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4212
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;jd.com.                                IN      A

;; ANSWER SECTION:
jd.com.                 96      IN      A       211.144.24.218
jd.com.                 96      IN      A       211.144.27.126
jd.com.                 96      IN      A       106.39.171.134
jd.com.                 96      IN      A       111.13.149.108

;; Query time: 0 msec
;; SERVER: 192.168.5.5#53(192.168.5.5) (UDP)
;; WHEN: Sat Jun 01 18:37:42 CST 2024
;; MSG SIZE  rcvd: 99

Actual result

When DNS caching is enabled and using the dig command, DNS cannot resolve.

apline:~# dig @192.168.5.5 jd.com

; <<>> DiG 9.18.24 <<>> @192.168.5.5 jd.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24397
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;jd.com.                                IN      A

;; Query time: 2000 msec
;; SERVER: 192.168.5.5#53(192.168.5.5) (UDP)
;; WHEN: Sat Jun 01 18:37:20 CST 2024
;; MSG SIZE  rcvd: 24
2024/06/01 18:18:30.691023 [error] dnsproxy: 58.20.127.238:53: response received over udp: "exchanging with 58.20.127.238:53 over udp: read udp 192.168.5.5:50007->58.20.127.238:53: i/o timeout"

Additional information and/or screenshots

apline:~# nslookup jd.com 58.20.127.238
Server:         58.20.127.238
Address:        58.20.127.238#53

Non-authoritative answer:
Name:   jd.com
Address: 211.144.24.218
Name:   jd.com
Address: 111.13.149.108
Name:   jd.com
Address: 211.144.27.126
Name:   jd.com
Address: 106.39.171.134

This issue occurs specifically with ISP DNS servers (58.20.127.238, 110.52.127.202).
When using public DNS servers (223.5.5.5, 8.8.8.8), everything works fine.
This issue did not occur before; it has only started happening in the last one or two months.

UnbeatenEast2 changed the title from "When DNS caching is enabled, the ISP's DNS cannot resolve properly" to "When DNS caching is enabled, the ISP's DNS does not work properly" on Jun 2, 2024
Contributor

ainar-g commented Jun 3, 2024

Thanks for the thorough report. Caching shouldn't really affect upstream queries in any way. Please try to:

  1. Increase the cache size and see if that changes the frequency of failures. 10 KB is really not a lot.

  2. Make a few dig queries directly to the upstream to see if that's some kind of intermittent issue.

  3. Enable verbose logging to see if cache is even involved at all, and if so, how. What would be the difference between outgoing messages with cache enabled or disabled?

ainar-g added the "waiting for data" label (Waiting for users to provide more data.) on Jun 3, 2024
@UnbeatenEast2
Author

@ainar-g
Now I have set the DNS cache size to 4194304. Below are the log results:

DNS cache is disabled

apline:~# dig @127.0.0.1 jd.com

; <<>> DiG 9.18.24 <<>> @127.0.0.1 jd.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11511
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;jd.com.                                IN      A

;; ANSWER SECTION:
jd.com.                 31      IN      A       211.144.24.218
jd.com.                 31      IN      A       106.39.171.134
jd.com.                 31      IN      A       211.144.27.126
jd.com.                 31      IN      A       111.13.149.108

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Mon Jun 03 22:17:17 CST 2024
;; MSG SIZE  rcvd: 99
2024/06/03 22:17:17.594075 3288#98 [debug] dnsproxy: handling new udp packet from 127.0.0.1:47563
2024/06/03 22:17:17.594150 3288#98 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 11511
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags:; udp: 1232
; COOKIE: 4f4ca67a261cea56

;; QUESTION SECTION:
;jd.com.	IN	 A

2024/06/03 22:17:17.594201 3288#98 [debug] dnsforward: started processing initial
2024/06/03 22:17:17.594244 3288#98 [debug] applying filters: looking for client with ip 127.0.0.1 and clientid ""
2024/06/03 22:17:17.594281 3288#98 [debug] applying filters: no clients with ip 127.0.0.1 and clientid ""
2024/06/03 22:17:17.594290 3288#66 [debug] clients: processing 127.0.0.1 with rdns
2024/06/03 22:17:17.594304 3288#98 [debug] dnsforward: finished processing initial
2024/06/03 22:17:17.594314 3288#66 [debug] clients: finished processing 127.0.0.1 with rdns in 37.538µs
2024/06/03 22:17:17.594324 3288#98 [debug] dnsforward: started processing ddr
2024/06/03 22:17:17.594349 3288#66 [debug] clients: processing 127.0.0.1 with whois
2024/06/03 22:17:17.594353 3288#98 [debug] dnsforward: finished processing ddr
2024/06/03 22:17:17.594375 3288#66 [debug] clients: finished processing 127.0.0.1 with whois in 34.2µs
2024/06/03 22:17:17.594378 3288#98 [debug] dnsforward: started processing dhcp hosts
2024/06/03 22:17:17.594400 3288#98 [debug] dnsforward: finished processing dhcp hosts
2024/06/03 22:17:17.594419 3288#98 [debug] dnsforward: started processing dhcp addrs
2024/06/03 22:17:17.594437 3288#98 [debug] dnsforward: finished processing dhcp addrs
2024/06/03 22:17:17.594456 3288#98 [debug] dnsforward: started processing filtering before req
2024/06/03 22:17:17.594487 3288#98 [debug] dnsforward: finished processing filtering before req
2024/06/03 22:17:17.594506 3288#98 [debug] dnsforward: started processing upstream
2024/06/03 22:17:17.594531 3288#98 [debug] dnsproxy: cache: disabled; not caching
2024/06/03 22:17:17.594572 3288#98 [debug] dnsproxy: sending request to 58.20.127.238:53 over udp: A "jd.com."
2024/06/03 22:17:17.594604 3288#98 [debug] bootstrap: dialing 58.20.127.238:53 (1/1)
2024/06/03 22:17:17.594684 3288#98 [debug] bootstrap: connection to 58.20.127.238:53 succeeded in 47.56µs
2024/06/03 22:17:17.596102 3288#98 [debug] dnsproxy: 58.20.127.238:53: response received over udp: "ok"
2024/06/03 22:17:17.596139 3288#98 [debug] dnsproxy: upstream 58.20.127.238:53 exchanged ;jd.com.	IN	 A successfully in 1.570898ms
2024/06/03 22:17:17.596168 3288#98 [debug] dnsproxy: replying from upstream: rtt is 1.607521ms
2024/06/03 22:17:17.596193 3288#98 [debug] dnsforward: finished processing upstream
2024/06/03 22:17:17.596212 3288#98 [debug] dnsforward: started processing filtering after resp
2024/06/03 22:17:17.596245 3288#98 [debug] dnsforward: checked A 211.144.24.218 for jd.com.
2024/06/03 22:17:17.596273 3288#98 [debug] dnsforward: checked A 106.39.171.134 for jd.com.
2024/06/03 22:17:17.596299 3288#98 [debug] dnsforward: checked A 211.144.27.126 for jd.com.
2024/06/03 22:17:17.596325 3288#98 [debug] dnsforward: checked A 111.13.149.108 for jd.com.
2024/06/03 22:17:17.596345 3288#98 [debug] dnsforward: finished processing filtering after resp
2024/06/03 22:17:17.596364 3288#98 [debug] dnsforward: ipset: started processing
2024/06/03 22:17:17.596384 3288#98 [debug] dnsforward: ipset: finished processing
2024/06/03 22:17:17.596402 3288#98 [debug] dnsforward: started processing querylog and stats
2024/06/03 22:17:17.596423 3288#98 [debug] dnsforward: client ip for stats and querylog: 127.0.0.1
2024/06/03 22:17:17.596464 3288#98 [debug] dnsforward: finished processing querylog and stats
2024/06/03 22:17:17.596497 3288#98 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: NOERROR, id: 11511
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags:; udp: 1232

;; QUESTION SECTION:
;jd.com.	IN	 A

;; ANSWER SECTION:
jd.com.	31	IN	A	211.144.24.218
jd.com.	31	IN	A	106.39.171.134
jd.com.	31	IN	A	211.144.27.126
jd.com.	31	IN	A	111.13.149.108

DNS cache is enabled

apline:~# dig @127.0.0.1 jd.com
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: timed out

; <<>> DiG 9.18.24 <<>> @127.0.0.1 jd.com
; (1 server found)
;; global options: +cmd
;; no servers could be reached
2024/06/03 22:19:07.063998 3288#104 [debug] dnsproxy: handling new udp packet from 127.0.0.1:46711
2024/06/03 22:19:07.064075 3288#104 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 3661
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags:; udp: 1232
; COOKIE: fcdf431cc297f815

;; QUESTION SECTION:
;jd.com.	IN	 A

2024/06/03 22:19:07.064120 3288#104 [debug] dnsforward: started processing initial
2024/06/03 22:19:07.064164 3288#104 [debug] applying filters: looking for client with ip 127.0.0.1 and clientid ""
2024/06/03 22:19:07.064200 3288#104 [debug] applying filters: no clients with ip 127.0.0.1 and clientid ""
2024/06/03 22:19:07.064215 3288#100 [debug] clients: processing 127.0.0.1 with rdns
2024/06/03 22:19:07.064224 3288#104 [debug] dnsforward: finished processing initial
2024/06/03 22:19:07.064253 3288#104 [debug] dnsforward: started processing ddr
2024/06/03 22:19:07.064286 3288#104 [debug] dnsforward: finished processing ddr
2024/06/03 22:19:07.064306 3288#104 [debug] dnsforward: started processing dhcp hosts
2024/06/03 22:19:07.064328 3288#104 [debug] dnsforward: finished processing dhcp hosts
2024/06/03 22:19:07.064261 3288#100 [debug] clients: finished processing 127.0.0.1 with rdns in 41.323µs
2024/06/03 22:19:07.064348 3288#104 [debug] dnsforward: started processing dhcp addrs
2024/06/03 22:19:07.064358 3288#100 [debug] clients: processing 127.0.0.1 with whois
2024/06/03 22:19:07.064373 3288#104 [debug] dnsforward: finished processing dhcp addrs
2024/06/03 22:19:07.064383 3288#100 [debug] clients: finished processing 127.0.0.1 with whois in 22.242µs
2024/06/03 22:19:07.064393 3288#104 [debug] dnsforward: started processing filtering before req
2024/06/03 22:19:07.064425 3288#104 [debug] dnsforward: finished processing filtering before req
2024/06/03 22:19:07.064443 3288#104 [debug] dnsforward: started processing upstream
2024/06/03 22:19:07.064488 3288#104 [debug] dnsproxy: sending request to 58.20.127.238:53 over udp: A "jd.com."
2024/06/03 22:19:07.064520 3288#104 [debug] bootstrap: dialing 58.20.127.238:53 (1/1)
2024/06/03 22:19:07.064601 3288#104 [debug] bootstrap: connection to 58.20.127.238:53 succeeded in 48.082µs
2024/06/03 22:19:12.069285 3288#89 [debug] dnsproxy: handling new udp packet from 127.0.0.1:57923
2024/06/03 22:19:12.069362 3288#89 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 3661
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags:; udp: 1232
; COOKIE: fcdf431cc297f815

;; QUESTION SECTION:
;jd.com.	IN	 A

2024/06/03 22:19:12.069409 3288#89 [debug] dnsforward: started processing initial
2024/06/03 22:19:12.069465 3288#89 [debug] applying filters: looking for client with ip 127.0.0.1 and clientid ""
2024/06/03 22:19:12.069497 3288#89 [debug] applying filters: no clients with ip 127.0.0.1 and clientid ""
2024/06/03 22:19:12.069521 3288#89 [debug] dnsforward: finished processing initial
2024/06/03 22:19:12.069546 3288#89 [debug] dnsforward: started processing ddr
2024/06/03 22:19:12.069559 3288#100 [debug] clients: processing 127.0.0.1 with rdns
2024/06/03 22:19:12.069566 3288#89 [debug] dnsforward: finished processing ddr
2024/06/03 22:19:12.069592 3288#89 [debug] dnsforward: started processing dhcp hosts
2024/06/03 22:19:12.069610 3288#100 [debug] clients: finished processing 127.0.0.1 with rdns in 61.695µs
2024/06/03 22:19:12.069613 3288#89 [debug] dnsforward: finished processing dhcp hosts
2024/06/03 22:19:12.069639 3288#89 [debug] dnsforward: started processing dhcp addrs
2024/06/03 22:19:12.069639 3288#100 [debug] clients: processing 127.0.0.1 with whois
2024/06/03 22:19:12.069666 3288#89 [debug] dnsforward: finished processing dhcp addrs
2024/06/03 22:19:12.069670 3288#100 [debug] clients: finished processing 127.0.0.1 with whois in 32.288µs
2024/06/03 22:19:12.069689 3288#89 [debug] dnsforward: started processing filtering before req
2024/06/03 22:19:12.069722 3288#89 [debug] dnsforward: finished processing filtering before req
2024/06/03 22:19:12.069741 3288#89 [debug] dnsforward: started processing upstream
2024/06/03 22:19:12.069786 3288#89 [debug] dnsproxy: sending request to 58.20.127.238:53 over udp: A "jd.com."
2024/06/03 22:19:12.069818 3288#89 [debug] bootstrap: dialing 58.20.127.238:53 (1/1)
2024/06/03 22:19:12.069916 3288#89 [debug] bootstrap: connection to 58.20.127.238:53 succeeded in 54.92µs
2024/06/03 22:19:17.065376 3288#104 [debug] bootstrap: dialing 58.20.127.238:53 (1/1)
2024/06/03 22:19:17.065508 3288#104 [debug] bootstrap: connection to 58.20.127.238:53 succeeded in 57.979µs
2024/06/03 22:19:17.074469 3288#105 [debug] dnsproxy: handling new udp packet from 127.0.0.1:34968
2024/06/03 22:19:17.074519 3288#105 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 3661
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags:; udp: 1232
; COOKIE: fcdf431cc297f815

;; QUESTION SECTION:
;jd.com.	IN	 A

2024/06/03 22:19:17.074564 3288#105 [debug] dnsforward: started processing initial
2024/06/03 22:19:17.074606 3288#105 [debug] applying filters: looking for client with ip 127.0.0.1 and clientid ""
2024/06/03 22:19:17.074647 3288#105 [debug] applying filters: no clients with ip 127.0.0.1 and clientid ""
2024/06/03 22:19:17.074652 3288#100 [debug] clients: processing 127.0.0.1 with rdns
2024/06/03 22:19:17.074678 3288#105 [debug] dnsforward: finished processing initial
2024/06/03 22:19:17.074690 3288#100 [debug] clients: finished processing 127.0.0.1 with rdns in 42.222µs
2024/06/03 22:19:17.074698 3288#105 [debug] dnsforward: started processing ddr
2024/06/03 22:19:17.074714 3288#100 [debug] clients: processing 127.0.0.1 with whois
2024/06/03 22:19:17.074721 3288#105 [debug] dnsforward: finished processing ddr
2024/06/03 22:19:17.074741 3288#100 [debug] clients: finished processing 127.0.0.1 with whois in 23.715µs
2024/06/03 22:19:17.074744 3288#105 [debug] dnsforward: started processing dhcp hosts
2024/06/03 22:19:17.074785 3288#105 [debug] dnsforward: finished processing dhcp hosts
2024/06/03 22:19:17.074805 3288#105 [debug] dnsforward: started processing dhcp addrs
2024/06/03 22:19:17.074823 3288#105 [debug] dnsforward: finished processing dhcp addrs
2024/06/03 22:19:17.074842 3288#105 [debug] dnsforward: started processing filtering before req
2024/06/03 22:19:17.074885 3288#105 [debug] dnsforward: finished processing filtering before req
2024/06/03 22:19:17.074904 3288#105 [debug] dnsforward: started processing upstream
2024/06/03 22:19:17.074945 3288#105 [debug] dnsproxy: sending request to 58.20.127.238:53 over udp: A "jd.com."
2024/06/03 22:19:17.074976 3288#105 [debug] bootstrap: dialing 58.20.127.238:53 (1/1)
2024/06/03 22:19:17.075050 3288#105 [debug] bootstrap: connection to 58.20.127.238:53 succeeded in 41.617µs
2024/06/03 22:19:22.070685 3288#89 [debug] bootstrap: dialing 58.20.127.238:53 (1/1)
2024/06/03 22:19:22.070815 3288#89 [debug] bootstrap: connection to 58.20.127.238:53 succeeded in 61.432µs
2024/06/03 22:19:27.066315 3288#104 [error] dnsproxy: 58.20.127.238:53: response received over udp: "exchanging with 58.20.127.238:53 over udp: read udp 192.168.5.5:56630->58.20.127.238:53: i/o timeout"
2024/06/03 22:19:27.066394 3288#104 [debug] dnsproxy: upstream 58.20.127.238:53 failed to exchange ;jd.com.	IN	 A in 20.00190377s: exchanging with 58.20.127.238:53 over udp: read udp 192.168.5.5:56630->58.20.127.238:53: i/o timeout
2024/06/03 22:19:27.066424 3288#104 [debug] dnsproxy: replying from upstream: exchanging with 58.20.127.238:53 over udp: read udp 192.168.5.5:56630->58.20.127.238:53: i/o timeout
2024/06/03 22:19:27.066451 3288#104 [debug] dnsforward: finished processing upstream
2024/06/03 22:19:27.066485 3288#104 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: SERVFAIL, id: 3661
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;jd.com.	IN	 A

2024/06/03 22:19:27.066552 3288#104 [debug] dnsproxy: handling dns (proto udp) request: using request handler: exchanging with 58.20.127.238:53 over udp: read udp 192.168.5.5:56630->58.20.127.238:53: i/o timeout
2024/06/03 22:19:27.075697 3288#105 [debug] bootstrap: dialing 58.20.127.238:53 (1/1)
2024/06/03 22:19:27.075790 3288#105 [debug] bootstrap: connection to 58.20.127.238:53 succeeded in 51.851µs
2024/06/03 22:19:32.071685 3288#89 [error] dnsproxy: 58.20.127.238:53: response received over udp: "exchanging with 58.20.127.238:53 over udp: read udp 192.168.5.5:40270->58.20.127.238:53: i/o timeout"
2024/06/03 22:19:32.071749 3288#89 [debug] dnsproxy: upstream 58.20.127.238:53 failed to exchange ;jd.com.	IN	 A in 20.001961732s: exchanging with 58.20.127.238:53 over udp: read udp 192.168.5.5:40270->58.20.127.238:53: i/o timeout
2024/06/03 22:19:32.071779 3288#89 [debug] dnsproxy: replying from upstream: exchanging with 58.20.127.238:53 over udp: read udp 192.168.5.5:40270->58.20.127.238:53: i/o timeout
2024/06/03 22:19:32.071818 3288#89 [debug] dnsforward: finished processing upstream
2024/06/03 22:19:32.071853 3288#89 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: SERVFAIL, id: 3661
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;jd.com.	IN	 A

2024/06/03 22:19:32.071920 3288#89 [debug] dnsproxy: handling dns (proto udp) request: using request handler: exchanging with 58.20.127.238:53 over udp: read udp 192.168.5.5:40270->58.20.127.238:53: i/o timeout
2024/06/03 22:19:37.075935 3288#105 [error] dnsproxy: 58.20.127.238:53: response received over udp: "exchanging with 58.20.127.238:53 over udp: read udp 192.168.5.5:39912->58.20.127.238:53: i/o timeout"
2024/06/03 22:19:37.076012 3288#105 [debug] dnsproxy: upstream 58.20.127.238:53 failed to exchange ;jd.com.	IN	 A in 20.001064159s: exchanging with 58.20.127.238:53 over udp: read udp 192.168.5.5:39912->58.20.127.238:53: i/o timeout
2024/06/03 22:19:37.076065 3288#105 [debug] dnsproxy: replying from upstream: exchanging with 58.20.127.238:53 over udp: read udp 192.168.5.5:39912->58.20.127.238:53: i/o timeout
2024/06/03 22:19:37.076097 3288#105 [debug] dnsforward: finished processing upstream
2024/06/03 22:19:37.076128 3288#105 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: SERVFAIL, id: 3661
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;jd.com.	IN	 A

2024/06/03 22:19:37.076201 3288#105 [debug] dnsproxy: handling dns (proto udp) request: using request handler: exchanging with 58.20.127.238:53 over udp: read udp 192.168.5.5:39912->58.20.127.238:53: i/o timeout

Contributor

ainar-g commented Jun 3, 2024

Thanks. It seems like the upstream is dropping the queries for some reason. Could be the DNSSEC flags, which are added whenever cache is enabled. Please try to:

  1. Query your AGH with the +cd option for dig and/or uncheck the "Enable DNSSEC" checkbox on the UI.
  2. Use dig to query the upstream directly, with or without +cd and +dnssec flags.

ainar-g added the "needs investigation" label (Needs to be reproduced reliably.) on Jun 3, 2024
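
The comment above asks for queries to the upstream with and without +cd and +dnssec. As an added example (not code from AdGuard Home, dnsproxy or anyone in this thread), the Go program below builds A queries that differ only in the EDNS OPT record and the DO, AD and CD bits, sends each over UDP and reports which ones get a reply. The variant set, the query IDs and the 3-second timeout are assumptions chosen for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"os"
	"strings"
	"time"
)

// Variant names the DNSSEC-related bits one probe query carries.
type Variant struct {
	Name             string
	EDNS, DO, AD, CD bool // OPT record present, EDNS DO flag, header AD and CD bits
}

// Variants are sent in turn; they differ only in those bits (illustrative set).
var Variants = []Variant{
	{Name: "plain"},
	{Name: "edns", EDNS: true},
	{Name: "edns+ad", EDNS: true, AD: true},
	{Name: "edns+do", EDNS: true, DO: true},
	{Name: "edns+do+cd", EDNS: true, DO: true, CD: true},
}

// BuildQuery encodes a one-question A/IN query in DNS wire format.
func BuildQuery(id uint16, name string, v Variant) ([]byte, error) {
	flags := uint16(0x0100) // RD
	if v.AD {
		flags |= 0x0020
	}
	if v.CD {
		flags |= 0x0010
	}
	msg := make([]byte, 12, 64)
	binary.BigEndian.PutUint16(msg[0:], id)
	binary.BigEndian.PutUint16(msg[2:], flags)
	binary.BigEndian.PutUint16(msg[4:], 1) // QDCOUNT
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		if len(label) == 0 || len(label) > 63 {
			return nil, fmt.Errorf("bad label %q in %q", label, name)
		}
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	msg = append(msg, 0, 0, 1, 0, 1) // root label, QTYPE=A, QCLASS=IN
	if !v.EDNS {
		return msg, nil
	}
	binary.BigEndian.PutUint16(msg[10:], 1)         // ARCOUNT: the OPT record
	opt := []byte{0, 0, 41, 0, 0, 0, 0, 0, 0, 0, 0} // root name, TYPE=OPT, RDLEN=0
	binary.BigEndian.PutUint16(opt[3:], 1232)       // CLASS carries the UDP payload size
	if v.DO {
		opt[7] = 0x80 // TTL = ext-rcode, version, then flags: DO is the top flag bit
	}
	return append(msg, opt...), nil
}

// Probe sends q over UDP and returns the response RCODE. dropped is true when
// nothing came back before the timeout, the symptom in the logs above.
func Probe(server string, q []byte, timeout time.Duration) (rcode int, dropped bool, err error) {
	conn, err := net.DialTimeout("udp", server, timeout)
	if err != nil {
		return 0, false, err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(timeout))
	if _, err = conn.Write(q); err != nil {
		return 0, false, err
	}
	buf := make([]byte, 4096)
	n, err := conn.Read(buf)
	if errors.Is(err, os.ErrDeadlineExceeded) {
		return 0, true, nil
	}
	if err != nil || n < 12 || buf[0] != q[0] || buf[1] != q[1] {
		return 0, false, fmt.Errorf("bad response (%d bytes): %v", n, err)
	}
	return int(buf[3] & 0x0f), false, nil
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: probe <resolver-ip:port> <name>")
		os.Exit(2)
	}
	for i, v := range Variants {
		q, err := BuildQuery(uint16(0x4000+i), os.Args[2], v)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		rcode, dropped, err := Probe(os.Args[1], q, 3*time.Second)
		fmt.Printf("%-11s rcode=%d dropped=%v err=%v\n", v.Name, rcode, dropped, err)
	}
}
```

If `plain` is answered and a flagged variant gets no reply, the drop depends on that bit rather than on the cache itself.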
@UnbeatenEast2
Author


apline:~# dig @127.0.0.1 jd.com +cd

; <<>> DiG 9.18.24 <<>> @127.0.0.1 jd.com +cd
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3747
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;jd.com.                                IN      A

;; ANSWER SECTION:
jd.com.                 1       IN      A       106.39.171.134
jd.com.                 1       IN      A       211.144.24.218
jd.com.                 1       IN      A       111.13.149.108
jd.com.                 1       IN      A       211.144.27.126

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Jun 04 11:46:06 CST 2024
;; MSG SIZE  rcvd: 99
2024/06/04 11:46:06.024101 4500#64 [debug] dnsproxy: handling new udp packet from 127.0.0.1:50950
2024/06/04 11:46:06.024179 4500#64 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 3747
;; flags: rd ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags:; udp: 1232
; COOKIE: db33443e479bf8b1

;; QUESTION SECTION:
;jd.com.	IN	 A

2024/06/04 11:46:06.024226 4500#64 [debug] dnsforward: started processing initial
2024/06/04 11:46:06.024272 4500#64 [debug] applying filters: looking for client with ip 127.0.0.1 and clientid ""
2024/06/04 11:46:06.024306 4500#33 [debug] clients: processing 127.0.0.1 with rdns
2024/06/04 11:46:06.024354 4500#33 [debug] clients: finished processing 127.0.0.1 with rdns in 44.211µs
2024/06/04 11:46:06.024375 4500#33 [debug] clients: processing 127.0.0.1 with whois
2024/06/04 11:46:06.024312 4500#64 [debug] applying filters: no clients with ip 127.0.0.1 and clientid ""
2024/06/04 11:46:06.024397 4500#33 [debug] clients: finished processing 127.0.0.1 with whois in 19.656µs
2024/06/04 11:46:06.024409 4500#64 [debug] dnsforward: finished processing initial
2024/06/04 11:46:06.024444 4500#64 [debug] dnsforward: started processing ddr
2024/06/04 11:46:06.024466 4500#64 [debug] dnsforward: finished processing ddr
2024/06/04 11:46:06.024486 4500#64 [debug] dnsforward: started processing dhcp hosts
2024/06/04 11:46:06.024509 4500#64 [debug] dnsforward: finished processing dhcp hosts
2024/06/04 11:46:06.024530 4500#64 [debug] dnsforward: started processing dhcp addrs
2024/06/04 11:46:06.024550 4500#64 [debug] dnsforward: finished processing dhcp addrs
2024/06/04 11:46:06.024571 4500#64 [debug] dnsforward: started processing filtering before req
2024/06/04 11:46:06.024604 4500#64 [debug] dnsforward: finished processing filtering before req
2024/06/04 11:46:06.024625 4500#64 [debug] dnsforward: started processing upstream
2024/06/04 11:46:06.024652 4500#64 [debug] dnsproxy: cache: dnssec check disabled; not caching
2024/06/04 11:46:06.024695 4500#64 [debug] dnsproxy: sending request to 58.20.127.238:53 over udp: A "jd.com."
2024/06/04 11:46:06.024728 4500#64 [debug] bootstrap: dialing 58.20.127.238:53 (1/1)
2024/06/04 11:46:06.024811 4500#64 [debug] bootstrap: connection to 58.20.127.238:53 succeeded in 48.977µs
2024/06/04 11:46:06.026012 4500#64 [debug] dnsproxy: 58.20.127.238:53: response received over udp: "ok"
2024/06/04 11:46:06.026051 4500#64 [debug] dnsproxy: upstream 58.20.127.238:53 exchanged ;jd.com.	IN	 A successfully in 1.361027ms
2024/06/04 11:46:06.026080 4500#64 [debug] dnsproxy: replying from upstream: rtt is 1.399174ms
2024/06/04 11:46:06.026106 4500#64 [debug] dnsforward: finished processing upstream
2024/06/04 11:46:06.026127 4500#64 [debug] dnsforward: started processing filtering after resp
2024/06/04 11:46:06.026171 4500#64 [debug] dnsforward: checked A 106.39.171.134 for jd.com.
2024/06/04 11:46:06.026200 4500#64 [debug] dnsforward: checked A 211.144.24.218 for jd.com.
2024/06/04 11:46:06.026226 4500#64 [debug] dnsforward: checked A 111.13.149.108 for jd.com.
2024/06/04 11:46:06.026252 4500#64 [debug] dnsforward: checked A 211.144.27.126 for jd.com.
2024/06/04 11:46:06.026272 4500#64 [debug] dnsforward: finished processing filtering after resp
2024/06/04 11:46:06.026292 4500#64 [debug] dnsforward: ipset: started processing
2024/06/04 11:46:06.026312 4500#64 [debug] dnsforward: ipset: finished processing
2024/06/04 11:46:06.026331 4500#64 [debug] dnsforward: started processing querylog and stats
2024/06/04 11:46:06.026352 4500#64 [debug] dnsforward: client ip for stats and querylog: 127.0.0.1
2024/06/04 11:46:06.026396 4500#64 [debug] dnsforward: finished processing querylog and stats
2024/06/04 11:46:06.026430 4500#64 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: NOERROR, id: 3747
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags:; udp: 1232

;; QUESTION SECTION:
;jd.com.	IN	 A

;; ANSWER SECTION:
jd.com.	1	IN	A	106.39.171.134
jd.com.	1	IN	A	211.144.24.218
jd.com.	1	IN	A	111.13.149.108
jd.com.	1	IN	A	211.144.27.126

#############################################################

apline:~# dig @127.0.0.1 jd.com +dnssec
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: timed out

; <<>> DiG 9.18.24 <<>> @127.0.0.1 jd.com +dnssec
; (1 server found)
;; global options: +cmd
;; no servers could be reached
2024/06/04 11:47:43.584072 4500#80 [debug] dnsproxy: handling new udp packet from 127.0.0.1:46639
2024/06/04 11:47:43.584149 4500#80 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 38324
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 1232
; COOKIE: fb4e3862316e2ac5

;; QUESTION SECTION:
;jd.com.	IN	 A

2024/06/04 11:47:43.584194 4500#80 [debug] dnsforward: started processing initial
2024/06/04 11:47:43.584237 4500#80 [debug] applying filters: looking for client with ip 127.0.0.1 and clientid ""
2024/06/04 11:47:43.584275 4500#80 [debug] applying filters: no clients with ip 127.0.0.1 and clientid ""
2024/06/04 11:47:43.584286 4500#33 [debug] clients: processing 127.0.0.1 with rdns
2024/06/04 11:47:43.584298 4500#80 [debug] dnsforward: finished processing initial
2024/06/04 11:47:43.584323 4500#80 [debug] dnsforward: started processing ddr
2024/06/04 11:47:43.584329 4500#33 [debug] clients: finished processing 127.0.0.1 with rdns in 41.996µs
2024/06/04 11:47:43.584352 4500#80 [debug] dnsforward: finished processing ddr
2024/06/04 11:47:43.584353 4500#33 [debug] clients: processing 127.0.0.1 with whois
2024/06/04 11:47:43.584377 4500#80 [debug] dnsforward: started processing dhcp hosts
2024/06/04 11:47:43.584398 4500#33 [debug] clients: finished processing 127.0.0.1 with whois in 27.599µs
2024/06/04 11:47:43.584403 4500#80 [debug] dnsforward: finished processing dhcp hosts
2024/06/04 11:47:43.584426 4500#80 [debug] dnsforward: started processing dhcp addrs
2024/06/04 11:47:43.584446 4500#80 [debug] dnsforward: finished processing dhcp addrs
2024/06/04 11:47:43.584467 4500#80 [debug] dnsforward: started processing filtering before req
2024/06/04 11:47:43.584499 4500#80 [debug] dnsforward: finished processing filtering before req
2024/06/04 11:47:43.584520 4500#80 [debug] dnsforward: started processing upstream
2024/06/04 11:47:43.584566 4500#80 [debug] dnsproxy: sending request to 58.20.127.238:53 over udp: A "jd.com."
2024/06/04 11:47:43.584600 4500#80 [debug] bootstrap: dialing 58.20.127.238:53 (1/1)
2024/06/04 11:47:43.584685 4500#80 [debug] bootstrap: connection to 58.20.127.238:53 succeeded in 49.739µs
2024/06/04 11:47:48.589365 4500#81 [debug] dnsproxy: handling new udp packet from 127.0.0.1:53723
2024/06/04 11:47:48.589439 4500#81 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 38324
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 1232
; COOKIE: fb4e3862316e2ac5

;; QUESTION SECTION:
;jd.com.	IN	 A

2024/06/04 11:47:48.589491 4500#81 [debug] dnsforward: started processing initial
2024/06/04 11:47:48.589536 4500#81 [debug] applying filters: looking for client with ip 127.0.0.1 and clientid ""
2024/06/04 11:47:48.589567 4500#81 [debug] applying filters: no clients with ip 127.0.0.1 and clientid ""
2024/06/04 11:47:48.589593 4500#81 [debug] dnsforward: finished processing initial
2024/06/04 11:47:48.589603 4500#33 [debug] clients: processing 127.0.0.1 with rdns
2024/06/04 11:47:48.589613 4500#81 [debug] dnsforward: started processing ddr
2024/06/04 11:47:48.589638 4500#81 [debug] dnsforward: finished processing ddr
2024/06/04 11:47:48.589646 4500#33 [debug] clients: finished processing 127.0.0.1 with rdns in 39.07µs
2024/06/04 11:47:48.589659 4500#81 [debug] dnsforward: started processing dhcp hosts
2024/06/04 11:47:48.589668 4500#33 [debug] clients: processing 127.0.0.1 with whois
2024/06/04 11:47:48.589684 4500#81 [debug] dnsforward: finished processing dhcp hosts
2024/06/04 11:47:48.589691 4500#33 [debug] clients: finished processing 127.0.0.1 with whois in 21.495µs
2024/06/04 11:47:48.589704 4500#81 [debug] dnsforward: started processing dhcp addrs
2024/06/04 11:47:48.589726 4500#81 [debug] dnsforward: finished processing dhcp addrs
2024/06/04 11:47:48.589744 4500#81 [debug] dnsforward: started processing filtering before req
2024/06/04 11:47:48.589774 4500#81 [debug] dnsforward: finished processing filtering before req
2024/06/04 11:47:48.589793 4500#81 [debug] dnsforward: started processing upstream
2024/06/04 11:47:48.589837 4500#81 [debug] dnsproxy: sending request to 58.20.127.238:53 over udp: A "jd.com."
2024/06/04 11:47:48.589869 4500#81 [debug] bootstrap: dialing 58.20.127.238:53 (1/1)
2024/06/04 11:47:48.589952 4500#81 [debug] bootstrap: connection to 58.20.127.238:53 succeeded in 50.483µs
2024/06/04 11:47:53.585524 4500#80 [debug] bootstrap: dialing 58.20.127.238:53 (1/1)
2024/06/04 11:47:53.585663 4500#80 [debug] bootstrap: connection to 58.20.127.238:53 succeeded in 70.186µs
2024/06/04 11:47:53.592404 4500#97 [debug] dnsproxy: handling new udp packet from 127.0.0.1:51214
2024/06/04 11:47:53.592458 4500#97 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 38324
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 1232
; COOKIE: fb4e3862316e2ac5

;; QUESTION SECTION:
;jd.com.	IN	 A

2024/06/04 11:47:53.592492 4500#97 [debug] dnsforward: started processing initial
2024/06/04 11:47:53.592533 4500#97 [debug] applying filters: looking for client with ip 127.0.0.1 and clientid ""
2024/06/04 11:47:53.592563 4500#97 [debug] applying filters: no clients with ip 127.0.0.1 and clientid ""
2024/06/04 11:47:53.592586 4500#97 [debug] dnsforward: finished processing initial
2024/06/04 11:47:53.592611 4500#33 [debug] clients: processing 127.0.0.1 with rdns
2024/06/04 11:47:53.592615 4500#97 [debug] dnsforward: started processing ddr
2024/06/04 11:47:53.592645 4500#33 [debug] clients: finished processing 127.0.0.1 with rdns in 48.393µs
2024/06/04 11:47:53.592648 4500#97 [debug] dnsforward: finished processing ddr
2024/06/04 11:47:53.592670 4500#97 [debug] dnsforward: started processing dhcp hosts
2024/06/04 11:47:53.592682 4500#33 [debug] clients: processing 127.0.0.1 with whois
2024/06/04 11:47:53.592698 4500#97 [debug] dnsforward: finished processing dhcp hosts
2024/06/04 11:47:53.592705 4500#33 [debug] clients: finished processing 127.0.0.1 with whois in 37.284µs
2024/06/04 11:47:53.592718 4500#97 [debug] dnsforward: started processing dhcp addrs
2024/06/04 11:47:53.592737 4500#97 [debug] dnsforward: finished processing dhcp addrs
2024/06/04 11:47:53.592756 4500#97 [debug] dnsforward: started processing filtering before req
2024/06/04 11:47:53.592785 4500#97 [debug] dnsforward: finished processing filtering before req
2024/06/04 11:47:53.592804 4500#97 [debug] dnsforward: started processing upstream
2024/06/04 11:47:53.592854 4500#97 [debug] dnsproxy: sending request to 58.20.127.238:53 over udp: A "jd.com."
2024/06/04 11:47:53.592885 4500#97 [debug] bootstrap: dialing 58.20.127.238:53 (1/1)
2024/06/04 11:47:53.592975 4500#97 [debug] bootstrap: connection to 58.20.127.238:53 succeeded in 57.503µs
2024/06/04 11:47:58.590157 4500#81 [debug] bootstrap: dialing 58.20.127.238:53 (1/1)
2024/06/04 11:47:58.590287 4500#81 [debug] bootstrap: connection to 58.20.127.238:53 succeeded in 65.781µs
2024/06/04 11:48:03.585986 4500#80 [error] dnsproxy: 58.20.127.238:53: response received over udp: "exchanging with 58.20.127.238:53 over udp: read udp 192.168.5.5:36460->58.20.127.238:53: i/o timeout"
2024/06/04 11:48:03.586114 4500#80 [debug] dnsproxy: upstream 58.20.127.238:53 failed to exchange ;jd.com.	IN	 A in 20.001538522s: exchanging with 58.20.127.238:53 over udp: read udp 192.168.5.5:36460->58.20.127.238:53: i/o timeout
2024/06/04 11:48:03.586143 4500#80 [debug] dnsproxy: replying from upstream: exchanging with 58.20.127.238:53 over udp: read udp 192.168.5.5:36460->58.20.127.238:53: i/o timeout
2024/06/04 11:48:03.586171 4500#80 [debug] dnsforward: finished processing upstream
2024/06/04 11:48:03.586206 4500#80 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: SERVFAIL, id: 38324
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;jd.com.	IN	 A

2024/06/04 11:48:03.586280 4500#80 [debug] dnsproxy: handling dns (proto udp) request: using request handler: exchanging with 58.20.127.238:53 over udp: read udp 192.168.5.5:36460->58.20.127.238:53: i/o timeout
2024/06/04 11:48:03.593500 4500#97 [debug] bootstrap: dialing 58.20.127.238:53 (1/1)
2024/06/04 11:48:03.593603 4500#97 [debug] bootstrap: connection to 58.20.127.238:53 succeeded in 56.212µs
2024/06/04 11:48:08.590524 4500#81 [error] dnsproxy: 58.20.127.238:53: response received over udp: "exchanging with 58.20.127.238:53 over udp: read udp 192.168.5.5:36257->58.20.127.238:53: i/o timeout"
2024/06/04 11:48:08.590613 4500#81 [debug] dnsproxy: upstream 58.20.127.238:53 failed to exchange ;jd.com.	IN	 A in 20.000774023s: exchanging with 58.20.127.238:53 over udp: read udp 192.168.5.5:36257->58.20.127.238:53: i/o timeout
2024/06/04 11:48:08.590641 4500#81 [debug] dnsproxy: replying from upstream: exchanging with 58.20.127.238:53 over udp: read udp 192.168.5.5:36257->58.20.127.238:53: i/o timeout
2024/06/04 11:48:08.590669 4500#81 [debug] dnsforward: finished processing upstream
2024/06/04 11:48:08.590702 4500#81 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: SERVFAIL, id: 38324
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;jd.com.	IN	 A

2024/06/04 11:48:08.590779 4500#81 [debug] dnsproxy: handling dns (proto udp) request: using request handler: exchanging with 58.20.127.238:53 over udp: read udp 192.168.5.5:36257->58.20.127.238:53: i/o timeout
2024/06/04 11:48:13.593839 4500#97 [error] dnsproxy: 58.20.127.238:53: response received over udp: "exchanging with 58.20.127.238:53 over udp: read udp 192.168.5.5:40995->58.20.127.238:53: i/o timeout"
2024/06/04 11:48:13.593929 4500#97 [debug] dnsproxy: upstream 58.20.127.238:53 failed to exchange ;jd.com.	IN	 A in 20.001070271s: exchanging with 58.20.127.238:53 over udp: read udp 192.168.5.5:40995->58.20.127.238:53: i/o timeout
2024/06/04 11:48:13.593959 4500#97 [debug] dnsproxy: replying from upstream: exchanging with 58.20.127.238:53 over udp: read udp 192.168.5.5:40995->58.20.127.238:53: i/o timeout
2024/06/04 11:48:13.593987 4500#97 [debug] dnsforward: finished processing upstream
2024/06/04 11:48:13.594039 4500#97 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: SERVFAIL, id: 38324
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;jd.com.	IN	 A

2024/06/04 11:48:13.594115 4500#97 [debug] dnsproxy: handling dns (proto udp) request: using request handler: exchanging with 58.20.127.238:53 over udp: read udp 192.168.5.5:40995->58.20.127.238:53: i/o timeout

@UnbeatenEast2
Author

apline:~# dig @58.20.127.238 jd.com +cd

; <<>> DiG 9.18.24 <<>> @58.20.127.238 jd.com +cd
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38558
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;jd.com.                                IN      A

;; ANSWER SECTION:
jd.com.                 1       IN      A       106.39.171.134
jd.com.                 1       IN      A       211.144.24.218
jd.com.                 1       IN      A       211.144.27.126
jd.com.                 1       IN      A       111.13.149.108

;; Query time: 0 msec
;; SERVER: 58.20.127.238#53(58.20.127.238) (UDP)
;; WHEN: Tue Jun 04 11:55:00 CST 2024
;; MSG SIZE  rcvd: 88

apline:~# dig @58.20.127.238 jd.com +dnssec
;; communications error to 58.20.127.238#53: timed out
;; communications error to 58.20.127.238#53: timed out
;; communications error to 58.20.127.238#53: timed out

; <<>> DiG 9.18.24 <<>> @58.20.127.238 jd.com +dnssec
; (1 server found)
;; global options: +cmd
;; no servers could be reached

apline:~# dig @58.20.127.238 jd.com +dnssec +cd
;; communications error to 58.20.127.238#53: timed out
;; communications error to 58.20.127.238#53: timed out
;; communications error to 58.20.127.238#53: timed out

; <<>> DiG 9.18.24 <<>> @58.20.127.238 jd.com +dnssec +cd
; (1 server found)
;; global options: +cmd
;; no servers could be reached

@ainar-g
Contributor

ainar-g commented Jun 4, 2024

Yep. Seems like that upstream doesn't support the DNSSEC OK flag and just drops messages with it. You might want to contact your ISP about that.

@EugeneOne1, in the meantime, please investigate what is the correct behavior here according to the RFCs.

@ainar-g ainar-g removed the waiting for data Waiting for users to provide more data. label Jun 4, 2024
@EugeneOne1
Member

EugeneOne1 commented Jun 4, 2024

Hello @UnbeatenEast2. It appears that RFC-2671 Section-5.3 specifies the behavior of DNS responders when EDNS0 is not supported:

> Responders who do not understand these protocol extensions are expected to send a response with RCODE NOTIMPL, FORMERR, or SERVFAIL.

It seems that the upstream you are using doesn't respond at all and just drops the request. May we ask you to make the above requests over TCP (+tcp option in dig), just in case?

If it behaves the same, a possible workaround would be to install and use some kind of DNS proxy server (e.g. Unbound) as AdGuard Home's upstream.
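The comparison the two maintainer comments above describe (a query with no OPT record, one with EDNS0, and one with EDNS0 plus the DO bit), as an added example that is not part of the thread or of AdGuard Home's code. The function names `build_query`, `opt_flags`, `probe`, `diagnose` and `check_upstream` are hypothetical, and `check_upstream` is meant for a resolver you operate or are authorized to test.

```python
import socket
import struct

def build_query(name, qid=0x1234, edns=False, do=False, udp_size=1232):
    """Build a DNS A query, optionally with an EDNS0 OPT record and the DO bit."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, int(edns))  # RD set
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    msg = header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if edns:  # OPT RR: root name, TYPE=41, CLASS=UDP size, TTL holds DO, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x8000 if do else 0, 0)
    return msg

def opt_flags(msg):
    """Return (has_opt, do_bit) for a single-question query such as build_query's."""
    pos = 12
    while msg[pos]:  # walk the QNAME labels
        pos += msg[pos] + 1
    pos += 5  # terminating zero byte, QTYPE, QCLASS
    if msg[10:12] == b"\x00\x00" or msg[pos:pos + 3] != b"\x00\x00\x29":
        return (False, False)
    ttl = struct.unpack("!I", msg[pos + 5:pos + 9])[0]
    return (True, bool(ttl & 0x8000))

def probe(server, packet, timeout=3.0):
    """Send one UDP query; return the RCODE, or None when nothing valid comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(packet, (server, 53))
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return data[3] & 0x0F if len(data) >= 4 and data[:2] == packet[:2] else None

def diagnose(plain, edns, edns_do):
    """Interpret three probe results (RCODE or None) for one upstream."""
    if plain is None:
        return "no answer even without EDNS0"
    if edns is None:
        return "silently drops EDNS0 queries"
    if edns_do is None:
        return "silently drops queries with the DO bit"
    if edns in (1, 2, 4) or edns_do in (1, 2, 4):  # FORMERR, SERVFAIL, NOTIMPL
        return "rejects EDNS0 with an RCODE"
    return "accepts EDNS0 and DO"

def check_upstream(server, name="example.com"):
    variants = ({}, {"edns": True}, {"edns": True, "do": True})  # no OPT, EDNS0, EDNS0+DO
    return diagnose(*(probe(server, build_query(name, **v)) for v in variants))
```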

@UnbeatenEast2
Author

apline:~# dig @58.20.127.238 jd.com

; <<>> DiG 9.18.24 <<>> @58.20.127.238 jd.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57449
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;jd.com.                                IN      A

;; ANSWER SECTION:
jd.com.                 20      IN      A       211.144.24.218
jd.com.                 20      IN      A       106.39.171.134
jd.com.                 20      IN      A       211.144.27.126
jd.com.                 20      IN      A       111.13.149.108

;; Query time: 0 msec
;; SERVER: 58.20.127.238#53(58.20.127.238) (UDP)
;; WHEN: Wed Jun 05 11:58:53 CST 2024
;; MSG SIZE  rcvd: 88

apline:~# dig @58.20.127.238 jd.com +tcp
;; Connection to 58.20.127.238#53(58.20.127.238) for jd.com failed: timed out.
;; no servers could be reached

;; Connection to 58.20.127.238#53(58.20.127.238) for jd.com failed: timed out.
;; no servers could be reached

;; Connection to 58.20.127.238#53(58.20.127.238) for jd.com failed: timed out.
;; no servers could be reached

apline:~# dig @58.20.127.238 jd.com +tcp +dnssec
;; Connection to 58.20.127.238#53(58.20.127.238) for jd.com failed: timed out.
;; no servers could be reached

;; Connection to 58.20.127.238#53(58.20.127.238) for jd.com failed: timed out.
;; no servers could be reached

;; Connection to 58.20.127.238#53(58.20.127.238) for jd.com failed: timed out.
;; no servers could be reached

apline:~# dig @58.20.127.238 jd.com +tcp +cd
;; Connection to 58.20.127.238#53(58.20.127.238) for jd.com failed: timed out.
;; no servers could be reached

;; Connection to 58.20.127.238#53(58.20.127.238) for jd.com failed: timed out.
;; no servers could be reached

;; Connection to 58.20.127.238#53(58.20.127.238) for jd.com failed: timed out.
;; no servers could be reached

@UnbeatenEast2
Author

UnbeatenEast2 commented Jun 5, 2024

> Thanks. It seems like the upstream is dropping the queries for some reason. Could be the DNSSEC flags, which are added whenever cache is enabled. Please try to:

Would this be considered a bug in AdGuardHome?
When I click the "Test upstreams" button, AdGuardHome shows "Specified DNS servers are working correctly."

@ADV-R

ADV-R commented Jun 5, 2024

@UnbeatenEast2

AGH is the only forwarder with such behavior (forcing DO flag). Not only does it cause problems like yours, but it can also slow down name resolution significantly. #5856

As already suggested, you can use any caching proxy in front of AGH to fix this. CoreDNS, dnscrypt-proxy, blocky, routedns do not force DO.
