Description
- I have read the contributing guidelines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
- I have searched the existing issues, open and closed, and I'm convinced that mine is new.
- The title contains the plugin to which this issue belongs
Description
The os-dnscrypt-proxy plugin template incorrectly generates the bootstrap_resolvers configuration when multiple comma-separated DNS servers are specified in the "Fallback Resolver" field. This causes dnscrypt-proxy to fail to start with a FATAL error.
The template at dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml line 98 generates:
bootstrap_resolvers = ['1.1.1.1:53,9.9.9.9:53']
But it should generate:
bootstrap_resolvers = ['1.1.1.1:53', '9.9.9.9:53']
The comma ends up inside the string instead of separating array elements, causing dnscrypt-proxy to reject it as an invalid IP address.
This appears to have been present since the fallback_resolver field was introduced. The same template correctly handles comma-separated values for listen_addresses (line 12), server_names (line 4), and relaylist (line 192) using a split/join pattern, but bootstrap_resolvers was not updated to use this pattern.
To reproduce:
- Go to Services → DNSCrypt-Proxy → General
- In "Fallback Resolver" field, enter multiple resolvers: 1.1.1.1:53,9.9.9.9:53
- Click Save and Apply
- Check service status - dnscrypt-proxy fails to start
- Check /var/log/dnscrypt-proxy/dnscrypt-proxy.log for FATAL error
Expected behavior:
dnscrypt-proxy should start successfully and use both resolvers for bootstrapping DNS-over-HTTPS connections. Multiple bootstrap resolvers provide redundancy if one fails.
Screenshots: N/A - CLI-based issue
Relevant log files:
[2026-01-23 04:32:27] [NOTICE] dnscrypt-proxy 2.1.5
[2026-01-23 04:32:27] [FATAL] Bootstrap resolver [1.1.1.1:53,9.9.9.9:53]: Host does not parse as IP '1.1.1.1:53,9.9.9.9:53'
Generated config (/usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml):
bootstrap_resolvers = ['1.1.1.1:53,9.9.9.9:53']
XML config stores value correctly (/conf/config.xml):
<fallback_resolver>1.1.1.1:53,9.9.9.9:53</fallback_resolver>
Additional context
Root cause: Line 98 of the template uses:
bootstrap_resolvers = ['{{ OPNsense.dnscryptproxy.general.fallback_resolver }}']
Proposed fix: Change to match the pattern used elsewhere in the same template:
bootstrap_resolvers = [{{ "'" + ("','".join(OPNsense.dnscryptproxy.general.fallback_resolver.split(','))) + "'" }}]
Workaround: Users can use only a single bootstrap resolver (e.g., just 1.1.1.1:53) until this is fixed.
Environment
OPNsense 25.7.10 (amd64)
FreeBSD 14.3-RELEASE-p7
Hardware: QEMU/KVM Virtual Machine (Q35 + ICH9)
CPU: Intel Core i7-8550U @ 1.80GHz (4 cores)
Memory: 8 GB
Network Interfaces:
- igb0 (WAN): Intel I211 Gigabit Network Connection (PCIe passthrough)
- igb1: Intel I211 Gigabit Network Connection (PCIe passthrough)
- vtnet0 (LAN): VirtIO Network Adapter
Plugins:
- os-dnscrypt-proxy 1.16
- dnscrypt-proxy 2.1.5_20
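The root cause and proposed fix described in the report, as an added example that is not part of the original issue or the plugin's code: it renders the bootstrap_resolvers line both ways in plain Python (no Jinja2) and checks each array element the way the FATAL log line suggests dnscrypt-proxy does. All function names are hypothetical, and the strict IP:port check is an assumption modelled on that log message.

```python
import ipaddress
import re

def render_current(value):
    """Template line 98 as reported: the whole field becomes one TOML string."""
    return "bootstrap_resolvers = ['" + value + "']"

def render_fixed(value):
    """The proposed split/join expression, written as plain Python."""
    return "bootstrap_resolvers = [" + "'" + "','".join(value.split(",")) + "'" + "]"

def array_elements(line):
    """Extract the TOML literal strings ('...', no escapes) from a one-line array."""
    return re.findall(r"'([^']*)'", line.partition("=")[2])

def is_ip_port(entry):
    """True for 'IPv4:port' or '[IPv6]:port' with a literal IP and a valid port."""
    if entry.startswith("["):
        host, sep, port = entry[1:].partition("]:")
    else:
        host, sep, port = entry.rpartition(":")
    if not sep or not re.fullmatch(r"[0-9]{1,5}", port) or not 0 < int(port) < 65536:
        return False
    try:
        ipaddress.ip_address(host)  # assumption: no trimming, no hostnames
    except ValueError:
        return False
    return True

def invalid_resolvers(line):
    """Elements of the rendered line that would not parse as IP plus port."""
    return [e for e in array_elements(line) if not is_ip_port(e)]

if __name__ == "__main__":
    field = "1.1.1.1:53,9.9.9.9:53"  # value from the report's config.xml
    for render in (render_current, render_fixed):
        line = render(field)
        print(line, "-> invalid:", invalid_resolvers(line))
```

The split/join form does not trim whitespace, so a field entered as `1.1.1.1:53, 9.9.9.9:53` yields a second element with a leading space, which this strict check flags.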