DoH3 upstream gets stuck with http3 timeouts / "transport is closed" until ctrld is restarted (dev-882c59d on UniFi OS 10.0.162)

[KittyFarts]

Summary

After running for a while, ctrld CLI (dev-882c59d) on my UniFi UCG-Fiber stops resolving all queries.
Internet connectivity on the router is fine (routing works, ping to external IPs works), but every DNS query through ctrld fails.

The only way to recover is to either:

• restart the ctrld CLI process, or
• reboot the UCG-Fiber

Once restarted, resolution immediately works again using the same config and upstream.

---

Environment

• Device: Ubiquiti UCG-Fiber (Cloud Gateway Fiber)
• OS: UniFiOS 10.0.162 (EA release)
• ctrld CLI version: dev-882c59d
• Platform: Linux arm64 (UniFi OS)
• Config (relevant parts):

[service]
cache_enable = true
cache_size = 300000
cache_ttl_override = 0
cache_serve_stale = true
max_concurrent_requests = 4096
metrics_query_stats = true
leak_on_upstream_failure = false
log_level = "info"
log_path = "/tmp/ctrld.log"

[listener]
  [listener.0]
  ip = '0.0.0.0'
  port = 5354

[network]
  [network.0]
  name = 'Network 0'
  cidrs = ['0.0.0.0/0', '::/0']

[upstream]
  [upstream.0]
  type = 'doh3'
  endpoint = 'https://dns.controld.com/RESOLVERID'

• What happens:

After some time (in this case around 2025-12-07T17:23), ctrld starts logging a burst of http3 errors, then marks upstream.0 as down and never recovers on its own.

Example snippet (resolver ID was removed):

{"level":"warn","time":"2025-12-07T17:23:16-08:00.501","message":"using direct IP for \"https://dns.controld.com/RESOLVERID\": 76.76.2.22"}
{"level":"warn","error":"Get \"https://dns.controld.com/RESOLVERID?...\": http3: parsing frame failed: timeout: no recent network activity","time":"2025-12-07T17:23:16-08:00.501","message":"[a11b40] retrying request after fallback to direct ip"}
{"level":"error","error":"could not perform request: Get \"https://dns.controld.com/RESOLVERID?...\": http3: parsing frame failed: timeout: no recent network activity","time":"2025-12-07T17:23:16-08:00.506","message":"[27f140] failed to resolve query"}

{"level":"error","error":"could not perform request: Get \"https://76.76.2.22/RESOLVERID?...\": http3: transport is closed","time":"2025-12-07T17:23:23-08:00.467","message":"[fffc79] failed to resolve query"}
{"level":"warn","time":"2025-12-07T17:23:26-08:00.507","message":"upstream \"upstream.0\" marked as down after 10 seconds (failure count: 5)"}

... then many repeats of:

{"level":"error","error":"could not perform request: Get \"https://76.76.2.22/RESOLVERID?...\": http3: transport is closed","time":"2025-12-07T17:24:13-08:00.722","message":"[...] failed to resolve query"}
{"level":"warn","time":"2025-12-07T17:24:13-08:00.722","message":"upstream \"upstream.0\" marked as down immediately (failure count: 5x)"}
{"level":"error","time":"2025-12-07T17:24:13-08:00.722","message":"[...] all [upstream.0] endpoints failed"}

During this time, clients keep sending queries and all of them fail with the same http3: transport is closed / parsing frame failed: timeout: no recent network activity messages. No successful replies are logged until I restart ctrld.

After restarting the ctrld service, resolution works again immediately against the same DoH3 endpoint.

• What I’ve checked:

Router still has internet: ping 1.1.1.1 and ping 76.76.2.22 from the UCG-Fiber succeed while ctrld is in this broken state.

No firewall blocks between the UCG-Fiber and 76.76.2.22.

This has happened multiple times on dev-882c59d with the same pattern and is always fixed by restarting ctrld or rebooting the gateway.

[cuonglm]

Thanks for reporting.

Does this happen with stable version of ctrld?

[blandishb]

Thanks for reporting.

Does this happen with stable version of ctrld?

Dev & Prod have the same bug.

[KittyFarts]

I did not encounter this issue in the production releases (1.4.7 or 1.4.8). It appears only in dev-882c59d and the previous development build (unfortunately I don't have that build number).

I’ve enabled debug logging on the CLI and will attach additional logs once the issue occurs again. It may take a few hours before the Control D CLI fails.

[jsimcina]

I don't have logs to support this since they weren't enabled, but I'm running the same Unifi OS version and experiencing ctrld failures. I just finished rolling back to version 1.4.8 as I've had this failure occur twice in the last 12 hours under 1.4.8.

[mugabenkomo]

I have the same issue on UDM SE, I switched to DOH, then it works.

DNS stops working because ctrld’s HTTP/3 connection to ControlD breaks when the UDM’s WAN route flips, and ctrld never recovers that HTTP/3 transport. After that, every query to the ControlD upstreams fails with http3: transport is closed until you restart ctrld.

[matrix8967]

🙏️ Thanks for the reports and patience here. I've started tracking this internally for our developers.

Has anyone seen this issue when using an upstream configured with DoT or regular DoH (meaning not DoH3)? Has anyone experienced this on non-ubiquiti hardware?

[KittyFarts]

I haven’t tested DoH or DoT as upstream options - my configuration has only been using DoH3 (and I only have a UCG-Fiber ;) ).

I was able to capture a debug log when the issue occurred today.

The Control D dashboard indicates the CLI stopped reporting about five hours ago, even though the internet connection remained active. The log file is quite large, and I’d prefer not to remove anything that may be relevant.

If acceptable, I can open a support ticket and share a link to the full log file (for example, via Google Drive). Please let me know if that approach works or if there is a preferred method for submitting large logs.

[matrix8967]

I haven’t tested DoH or DoT as upstream options - my configuration has only been using DoH3 (and I only have a UCG-Fiber ;) ).

I was able to capture a debug log when the issue occurred today.

The Control D dashboard indicates the CLI stopped reporting about five hours ago, even though the internet connection remained active. The log file is quite large, and I’d prefer not to remove anything that may be relevant.

If acceptable, I can open a support ticket and share a link to the full log file (for example, via Google Drive). Please let me know if that approach works or if there is a preferred method for submitting large logs.

Yes this would be incredibly helpful. 🙏 Please open a support ticket and reference this thread and we'll be sure to have a look.

[matrix8967]

@KittyFarts Just confirming that I've got your logs from your support ticket and have shared them with @cuonglm internally.

Let us know here (or via your support ticket) if anything changes on your side, and we'll do the same. 🙏 Again - we appreciate the report.

[KittyFarts]

I do see a new dev version of the CLI - dev-ac9ad6b. I've installed this one and will see if the issue is still present.

Not too sure if a fix was rolled out in this version, but wouldn't hurt to try! ;)

[cuonglm]

I do see a new dev version of the CLI - dev-ac9ad6b. I've installed this one and will see if the issue is still present.

Not too sure if a fix was rolled out in this version, but wouldn't hurt to try! ;)

The fix is not rolled out for this dev version.

We are working on a fix internally, and will report here once we verify it working.

[cuonglm]

@KittyFarts There's an update to dev version, please give it a try and let me know if it fixed the issue for you.

$ ./ctrld --version
ctrld version dev-ae71837

Thank you.