PARSE_ERROR when querying large size TXT records

[0xpsyduck]

When DNS responses from upstream are large in size dnscrypt-proxy fails with a PARSE_ERROR, only visible in DEBUG logs and doesn't return anything to the client.
Some test domains with ~4000 bytes of TXT records are - microsoft.com, amazon.com

Ideal Behaviour

• Client queries dig microsoft.com TXT @dnscrypt-proxy-instance.
• dnscrypt-proxy should get response from upstream and then send a TC(Truncation) flag to client so that client switches to TCP for successfully receiving the large DNS response.

Observed Behaviour

• dnscrypt-proxy tries to get answer from upstream as seen on packet capture.
• fails with PARSE_ERROR
• doesn't send anything back to client, client retries and timeouts.

Steps taken to resolve issue

• tried different upstreams namely google cloudflare cloudflare-ipv6 etc.
• tried force_tcp = true
• tried querying from client over tcp with dig +tcp

Logs

[2026-02-18 23:27:32] [NOTICE] dnscrypt-proxy 2.1.15
[2026-02-18 23:27:32] [NOTICE] Using default Weighted Power of Two (WP2) load balancing strategy
[2026-02-18 23:27:32] [NOTICE] Network connectivity detected
[2026-02-18 23:27:32] [NOTICE] Now listening to 127.0.0.1:5369 [UDP]
[2026-02-18 23:27:32] [NOTICE] Now listening to 127.0.0.1:5369 [TCP]
[2026-02-18 23:27:32] [NOTICE] Source [public-resolvers] loaded
[2026-02-18 23:27:32] [NOTICE] Source [relays] loaded
[2026-02-18 23:27:32] [NOTICE] Firefox workaround initialized
[2026-02-18 23:27:32] [NOTICE] Hot reload is disabled
[2026-02-18 23:27:33] [INFO] [cloudflare-ipv6] TLS version: 304 - Protocol: h3 - Cipher suite: 4865
[2026-02-18 23:27:33] [NOTICE] [cloudflare-ipv6] OK (DoH) - rtt: 46ms
[2026-02-18 23:27:33] [NOTICE] Server with the lowest initial latency: cloudflare-ipv6 (rtt: 46ms), live servers: 1
[2026-02-18 23:27:43]   127.0.0.1       google.com      A       PASS    16ms    cloudflare-ipv6
[2026-02-18 23:27:52]   127.0.0.1       microsoft.com   TXT     PARSE_ERROR     18ms    -
[2026-02-18 23:28:02]   127.0.0.1       amazon.com      TXT     PARSE_ERROR     63ms    -

[jedisct1]

DNS responses are limited to 4096 bytes, which is already quite large. Legitimate responses (i.e., not used for tunneling or DDoS amplification) exceeding this size are extremely rare.

You can change the MaxDNSPacketSize value in src/common.go and recompile. However, keep in mind that DNSCrypt server proxies and relays also enforce a 4096-byte limit on their side.

The examples you mentioned are an accumulation of forgotten one-time service verification tokens. It's unlikely that they are relevant to your applications or even to the original reason they were added.

For legitimate usage, the limit is large enough and will not be changed.

[ACEx86]

dnscrypt-proxy/dnscrypt-proxy/resolve.go

Line 59 in 7b90eaf

response, rtt, err := client.Exchange(ctx, msg, "udp", server)

@jedisct1 Force TCP bypass?

[jedisct1]

This is connecting to localhost. UDP is fine. https://github.com/DNSCrypt/dnscrypt-proxy/blob/7b90eaf0ddf22f34a0095d9395b879474ee4e6f5/dnscrypt-proxy/resolve.go#L32C1-L33C1

[ACEx86]

The TXT of microsoft.com is 3122bytes