Merge remote-tracking branch 'upstream/master'

Author: Gedsh

.ci/ci-build.sh

@@ -66,6 +66,13 @@ ln dnscrypt-proxy freebsd-arm/
 ln ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt freebsd-arm/
 tar czpvf dnscrypt-proxy-freebsd_arm-${PACKAGE_VERSION:-dev}.tar.gz freebsd-arm
 
+go clean
+env GOOS=freebsd GOARCH=arm64 go build -mod vendor -ldflags="-s -w"
+mkdir freebsd-arm64
+ln dnscrypt-proxy freebsd-arm64/
+ln ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt freebsd-arm64/
+tar czpvf dnscrypt-proxy-freebsd_arm64-${PACKAGE_VERSION:-dev}.tar.gz freebsd-arm64
+
 go clean
 env GOOS=dragonfly GOARCH=amd64 go build -mod vendor -ldflags="-s -w"
 mkdir dragonflybsd-amd64
@@ -157,6 +164,13 @@ ln dnscrypt-proxy linux-riscv64/
 ln ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt linux-riscv64/
 tar czpvf dnscrypt-proxy-linux_riscv64-${PACKAGE_VERSION:-dev}.tar.gz linux-riscv64
 
+go clean
+env CGO_ENABLED=0 GOOS=linux GOARCH=loong64 go build -mod vendor -ldflags="-s -w"
+mkdir linux-loong64
+ln dnscrypt-proxy linux-loong64/
+ln ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt linux-loong64/
+tar czpvf dnscrypt-proxy-linux_loong64-${PACKAGE_VERSION:-dev}.tar.gz linux-loong64
+
 go clean
 env GOOS=darwin GOARCH=amd64 go build -mod vendor -ldflags="-s -w"
 mkdir macos-x86_64

.ci/ci-test.sh

@@ -13,7 +13,7 @@ t() {
 }
 
 fail() (
-    echo "*** Test #${TEST_COUNT} FAILED ***" >&2
+    echo "*** Test #${TEST_COUNT} FAILED, line: $1 ***" >&2
 )
 
 section() {
@@ -26,20 +26,20 @@ t || (
     cd ../dnscrypt-proxy
     go test -mod vendor
     go build -mod vendor -race
-) || fail
+) || fail $LINENO
 
 section
 sed -e "s/127.0.0.1:53/127.0.0.1:${DNS_PORT}/g" -e "s/# server_names =.*/server_names = ['scaleway-fr']/" ../dnscrypt-proxy/example-dnscrypt-proxy.toml >test-dnscrypt-proxy.toml
 ../dnscrypt-proxy/dnscrypt-proxy -loglevel 3 -config test-dnscrypt-proxy.toml -pidfile /tmp/dnscrypt-proxy.pidfile &
 sleep 5
 
 t ||
-    dig -p${DNS_PORT} . @127.0.0.1 | grep -Fq 'root-servers.net.' || fail
-t || dig -p${DNS_PORT} +dnssec . @127.0.0.1 | grep -Fq 'root-servers.net.' || fail
-t || dig -p${DNS_PORT} +dnssec . @127.0.0.1 | grep -Fq 'flags: do;' || fail
-t || dig -p${DNS_PORT} +short one.one.one.one @127.0.0.1 | grep -Fq '1.1.1.1' || fail
-t || dig -p${DNS_PORT} +dnssec dnscrypt.info @127.0.0.1 | grep -Fq 'flags: qr rd ra ad' || fail
-t || dig -p${DNS_PORT} +dnssec dnscrypt.info @127.0.0.1 | grep -Fq 'flags: do;' || fail
+    dig -p${DNS_PORT} . @127.0.0.1 | grep -Fq 'root-servers.net.' || fail $LINENO
+t || dig -p${DNS_PORT} +dnssec . @127.0.0.1 | grep -Fq 'root-servers.net.' || fail $LINENO
+t || dig -p${DNS_PORT} +dnssec . @127.0.0.1 | grep -Fq 'flags: do;' || fail $LINENO
+t || dig -p${DNS_PORT} +short one.one.one.one @127.0.0.1 | grep -Fq '1.1.1.1' || fail $LINENO
+t || dig -p${DNS_PORT} +dnssec dnscrypt.info @127.0.0.1 | grep -Fq 'flags: qr rd ra ad' || fail $LINENO
+t || dig -p${DNS_PORT} +dnssec dnscrypt.info @127.0.0.1 | grep -Fq 'flags: do;' || fail $LINENO
 
 kill $(cat /tmp/dnscrypt-proxy.pidfile)
 sleep 5
@@ -49,102 +49,102 @@ section
 sleep 5
 
 section
-t || dig -p${DNS_PORT} A microsoft.com @127.0.0.1 | grep -Fq "NOERROR" || fail
-t || dig -p${DNS_PORT} A MICROSOFT.COM @127.0.0.1 | grep -Fq "NOERROR" || fail
+t || dig -p${DNS_PORT} A microsoft.com @127.0.0.1 | grep -Fq "NOERROR" || fail $LINENO
+t || dig -p${DNS_PORT} A MICROSOFT.COM @127.0.0.1 | grep -Fq "NOERROR" || fail $LINENO
 
 section
-t || dig -p${DNS_PORT} AAAA ipv6.google.com @127.0.0.1 | grep -Fq 'locally blocked' || fail
+t || dig -p${DNS_PORT} AAAA ipv6.google.com @127.0.0.1 | grep -Fq 'locally blocked' || fail $LINENO
 
 section
-t || dig -p${DNS_PORT} invalid. @127.0.0.1 | grep -Fq NXDOMAIN || fail
-t || dig -p${DNS_PORT} +dnssec invalid. @127.0.0.1 | grep -Fq 'flags: do;' || fail
-t || dig -p${DNS_PORT} PTR 168.192.in-addr.arpa @127.0.0.1 | grep -Fq 'NXDOMAIN' || fail
-t || dig -p${DNS_PORT} +dnssec PTR 168.192.in-addr.arpa @127.0.0.1 | grep -Fq 'flags: do;' || fail
+t || dig -p${DNS_PORT} invalid. @127.0.0.1 | grep -Fq NXDOMAIN || fail $LINENO
+t || dig -p${DNS_PORT} +dnssec invalid. @127.0.0.1 | grep -Fq 'flags: do;' || fail $LINENO
+t || dig -p${DNS_PORT} PTR 168.192.in-addr.arpa @127.0.0.1 | grep -Fq 'NXDOMAIN' || fail $LINENO
+t || dig -p${DNS_PORT} +dnssec PTR 168.192.in-addr.arpa @127.0.0.1 | grep -Fq 'flags: do;' || fail $LINENO
 
 section
-t || dig -p${DNS_PORT} +dnssec darpa.mil @127.0.0.1 2>&1 | grep -Fvq 'RRSIG' || fail
-t || dig -p${DNS_PORT} +dnssec www.darpa.mil @127.0.0.1 2>&1 | grep -Fvq 'RRSIG' || fail
-t || dig -p${DNS_PORT} A download.windowsupdate.com @127.0.0.1 | grep -Fq "NOERROR" || fail
+t || dig -p${DNS_PORT} +dnssec darpa.mil @127.0.0.1 2>&1 | grep -Fvq 'RRSIG' || fail $LINENO
+t || dig -p${DNS_PORT} +dnssec www.darpa.mil @127.0.0.1 2>&1 | grep -Fvq 'RRSIG' || fail $LINENO
+t || dig -p${DNS_PORT} A download.windowsupdate.com @127.0.0.1 | grep -Fq "NOERROR" || fail $LINENO
 
 section
-t || dig -p${DNS_PORT} +short cloakedunregistered.com @127.0.0.1 | grep -Eq '1.1.1.1|1.0.0.1' || fail
-t || dig -p${DNS_PORT} +short MX cloakedunregistered.com @127.0.0.1 | grep -Fq 'locally blocked' || fail
-t || dig -p${DNS_PORT} +short MX example.com @127.0.0.1 | grep -Fvq 'locally blocked' || fail
-t || dig -p${DNS_PORT} NS cloakedunregistered.com @127.0.0.1 | grep -Fiq 'gtld-servers.net' || fail
-t || dig -p${DNS_PORT} +short www.cloakedunregistered2.com @127.0.0.1 | grep -Eq '1.1.1.1|1.0.0.1' || fail
-t || dig -p${DNS_PORT} +short www.dnscrypt-test @127.0.0.1 | grep -Fq '192.168.100.100' || fail
-t || dig -p${DNS_PORT} a.www.dnscrypt-test @127.0.0.1 | grep -Fq 'NXDOMAIN' || fail
-t || dig -p${DNS_PORT} +short ptr 101.100.168.192.in-addr.arpa. @127.0.0.1 | grep -Eq 'www.dnscrypt-test.com' || fail
-t || dig -p${DNS_PORT} +short ptr 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.d.f.ip6.arpa. @127.0.0.1 | grep -Eq 'ipv6.dnscrypt-test.com' || fail
+t || dig -p${DNS_PORT} +short cloakedunregistered.com @127.0.0.1 | grep -Eq '1.1.1.1|1.0.0.1' || fail $LINENO
+t || dig -p${DNS_PORT} +short MX cloakedunregistered.com @127.0.0.1 | grep -Fq 'locally blocked' || fail $LINENO
+t || dig -p${DNS_PORT} +short MX example.com @127.0.0.1 | grep -Fvq 'locally blocked' || fail $LINENO
+t || dig -p${DNS_PORT} NS cloakedunregistered.com @127.0.0.1 | grep -Fiq 'gtld-servers.net' || fail $LINENO
+t || dig -p${DNS_PORT} +short www.cloakedunregistered2.com @127.0.0.1 | grep -Eq '1.1.1.1|1.0.0.1' || fail $LINENO
+t || dig -p${DNS_PORT} +short www.dnscrypt-test @127.0.0.1 | grep -Fq '192.168.100.100' || fail $LINENO
+t || dig -p${DNS_PORT} a.www.dnscrypt-test @127.0.0.1 | grep -Fq 'NXDOMAIN' || fail $LINENO
+t || dig -p${DNS_PORT} +short ptr 101.100.168.192.in-addr.arpa. @127.0.0.1 | grep -Eq 'www.dnscrypt-test.com' || fail $LINENO
+t || dig -p${DNS_PORT} +short ptr 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.d.f.ip6.arpa. @127.0.0.1 | grep -Eq 'ipv6.dnscrypt-test.com' || fail $LINENO
 
 section
-t || dig -p${DNS_PORT} telemetry.example @127.0.0.1 | grep -Fq 'locally blocked' || fail
+t || dig -p${DNS_PORT} telemetry.example @127.0.0.1 | grep -Fq 'locally blocked' || fail $LINENO
 
 section
-t || dig -p${DNS_PORT} dns.google @127.0.0.1 | grep -Fq 'locally blocked' || fail
+t || dig -p${DNS_PORT} dns.google @127.0.0.1 | grep -Fq 'locally blocked' || fail $LINENO
 
 section
-t || dig -p${DNS_PORT} tracker.xdebian.org @127.0.0.1 | grep -Fq 'locally blocked' || fail
-t || dig -p${DNS_PORT} tracker.debian.org @127.0.0.1 | grep -Fqv 'locally blocked' || fail
+t || dig -p${DNS_PORT} tracker.xdebian.org @127.0.0.1 | grep -Fq 'locally blocked' || fail $LINENO
+t || dig -p${DNS_PORT} tracker.debian.org @127.0.0.1 | grep -Fqv 'locally blocked' || fail $LINENO
 
 section
-t || curl --insecure -siL https://127.0.0.1:${HTTP_PORT}/ | grep -Fq 'HTTP/2 404' || fail
-t || curl --insecure -sL https://127.0.0.1:${HTTP_PORT}/dns-query | grep -Fq 'dnscrypt-proxy local DoH server' || fail
+t || curl --insecure -siL https://127.0.0.1:${HTTP_PORT}/ | grep -Fq 'HTTP/2 404' || fail $LINENO
+t || curl --insecure -sL https://127.0.0.1:${HTTP_PORT}/dns-query | grep -Fq 'dnscrypt-proxy local DoH server' || fail $LINENO
 t ||
     echo yv4BAAABAAAAAAABAAACAAEAACkQAAAAgAAAAA== | base64 -d |
     curl -H'Content-Type: application/dns-message' -H'Accept: application/dns-message' --data-binary @- -D - --insecure https://127.0.0.1:${HTTP_PORT}/dns-query 2>/dev/null |
-        grep -Fq application/dns-message || fail
+        grep -Fq application/dns-message || fail $LINENO
 
 kill $(cat /tmp/dnscrypt-proxy.pidfile)
 
 sleep 5
 
 section
-t || grep -Fq 'telemetry.example' blocked-names.log || fail
-t || grep -Fq 'telemetry.*' blocked-names.log || fail
-t || grep -Fq 'tracker.xdebian.org' blocked-names.log || fail
-t || grep -Fq 'tracker.*' blocked-names.log || fail
+t || grep -Fq 'telemetry.example' blocked-names.log || fail $LINENO
+t || grep -Fq 'telemetry.*' blocked-names.log || fail $LINENO
+t || grep -Fq 'tracker.xdebian.org' blocked-names.log || fail $LINENO
+t || grep -Fq 'tracker.*' blocked-names.log || fail $LINENO
 
 section
-t || grep -Fq 'dns.google' blocked-ips.log || fail
-t || grep -Fq '8.8.8.8' blocked-ips.log || fail
+t || grep -Fq 'dns.google' blocked-ips.log || fail $LINENO
+t || grep -Fq '8.8.8.8' blocked-ips.log || fail $LINENO
 
 section
-t || grep -Fq 'a.www.dnscrypt-test' nx.log || fail
+t || grep -Fq 'a.www.dnscrypt-test' nx.log || fail $LINENO
 
 section
-t || grep -Fq 'a.www.dnscrypt-test' nx.log || fail
+t || grep -Fq 'a.www.dnscrypt-test' nx.log || fail $LINENO
 
 section
-t || grep -Eq 'microsoft.com.*PASS.*[^-]$' query.log || fail
-t || grep -Eq 'microsoft.com.*PASS.*-$' query.log || fail
-t || grep -Eq 'ipv6.google.com.*SYNTH' query.log || fail
-t || grep -Eq 'invalid.*SYNTH' query.log || fail
-t || grep -Eq '168.192.in-addr.arpa.*SYNTH' query.log || fail
-t || grep -Eq 'darpa.mil.*FORWARD' query.log || fail
-t || grep -Eq 'www.darpa.mil.*FORWARD' query.log || fail
-t || grep -Eq 'download.windowsupdate.com.*FORWARD' query.log || fail
-t || grep -Eq 'cloakedunregistered.com.*CLOAK' query.log || fail
-t || grep -Eq 'www.cloakedunregistered2.com.*CLOAK' query.log || fail
-t || grep -Eq 'www.dnscrypt-test.*CLOAK' query.log || fail
-t || grep -Eq 'a.www.dnscrypt-test.*NXDOMAIN' query.log || fail
-t || grep -Eq 'telemetry.example.*REJECT' query.log || fail
-t || grep -Eq 'dns.google.*REJECT' query.log || fail
-t || grep -Eq 'tracker.xdebian.org.*REJECT' query.log || fail
-t || grep -Eq 'tracker.debian.org.*PASS' query.log || fail
-t || grep -Eq '[.].*NS.*PASS' query.log || fail
+t || grep -Eq 'microsoft.com.*PASS.*[^-]$' query.log || fail $LINENO
+t || grep -Eq 'microsoft.com.*PASS.*-$' query.log || fail $LINENO
+t || grep -Eq 'ipv6.google.com.*SYNTH' query.log || fail $LINENO
+t || grep -Eq 'invalid.*SYNTH' query.log || fail $LINENO
+t || grep -Eq '168.192.in-addr.arpa.*SYNTH' query.log || fail $LINENO
+t || grep -Eq 'darpa.mil.*FORWARD' query.log || fail $LINENO
+t || grep -Eq 'www.darpa.mil.*FORWARD' query.log || fail $LINENO
+t || grep -Eq 'download.windowsupdate.com.*FORWARD' query.log || fail $LINENO
+t || grep -Eq 'cloakedunregistered.com.*CLOAK' query.log || fail $LINENO
+t || grep -Eq 'www.cloakedunregistered2.com.*CLOAK' query.log || fail $LINENO
+t || grep -Eq 'www.dnscrypt-test.*CLOAK' query.log || fail $LINENO
+t || grep -Eq 'a.www.dnscrypt-test.*NXDOMAIN' query.log || fail $LINENO
+t || grep -Eq 'telemetry.example.*REJECT' query.log || fail $LINENO
+t || grep -Eq 'dns.google.*REJECT' query.log || fail $LINENO
+t || grep -Eq 'tracker.xdebian.org.*REJECT' query.log || fail $LINENO
+t || grep -Eq 'tracker.debian.org.*PASS' query.log || fail $LINENO
+t || grep -Eq '[.].*NS.*PASS' query.log || fail $LINENO
 
 section
-t || grep -Fq 'tracker.debian.org' allowed-names.log || fail
-t || grep -Fq '*.tracker.debian' allowed-names.log || fail
+t || grep -Fq 'tracker.debian.org' allowed-names.log || fail $LINENO
+t || grep -Fq '*.tracker.debian' allowed-names.log || fail $LINENO
 
 section
 ../dnscrypt-proxy/dnscrypt-proxy -loglevel 3 -config test3-dnscrypt-proxy.toml -pidfile /tmp/dnscrypt-proxy.pidfile &
 sleep 5
 
 section
-t || dig -p${DNS_PORT} A microsoft.com @127.0.0.1 | grep -Fq "NOERROR" || fail
-t || dig -p${DNS_PORT} A MICROSOFT.COM @127.0.0.1 | grep -Fq "NOERROR" || fail
+t || dig -p${DNS_PORT} A microsoft.com @127.0.0.1 | grep -Fq "NOERROR" || fail $LINENO
+t || dig -p${DNS_PORT} A MICROSOFT.COM @127.0.0.1 | grep -Fq "NOERROR" || fail $LINENO
 
 kill $(cat /tmp/dnscrypt-proxy.pidfile)
 sleep 5
@@ -154,8 +154,8 @@ section
 sleep 5
 
 section
-t || dig -p${DNS_PORT} A microsoft.com @127.0.0.1 | grep -Fq "NOERROR" || fail
-t || dig -p${DNS_PORT} A cloudflare.com @127.0.0.1 | grep -Fq "NOERROR" || fail
+t || dig -p${DNS_PORT} A microsoft.com @127.0.0.1 | grep -Fq "NOERROR" || fail $LINENO
+t || dig -p${DNS_PORT} A cloudflare.com @127.0.0.1 | grep -Fq "NOERROR" || fail $LINENO
 
 kill $(cat /tmp/odoh-proxied.pidfile)
 sleep 5

.github/workflows/codeql-analysis.yml

@@ -13,7 +13,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
       with:
         fetch-depth: 2
 
@@ -23,10 +23,10 @@ jobs:
         go-version-file: 'go.mod'
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@v4
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+      uses: github/codeql-action/autobuild@v4
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@v4

.github/workflows/releases.yml

@@ -35,7 +35,7 @@ jobs:
           echo "Tag version: $VERSION"
 
       - name: Check out code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up Go
         uses: actions/setup-go@v6
@@ -76,7 +76,7 @@ jobs:
           ls -l dnscrypt-proxy*
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: dnscrypt-proxy-${{ steps.get_version.outputs.VERSION }}
           path: |

ChangeLog

@@ -1,3 +1,22 @@
+# Version 2.1.15
+ - The proxy now dynamically reduces timeouts as the connection limit is
+approached, improving performance and preventing connection exhaustion under
+heavy load.
+ - Fixed crashes in the configuration file watcher when fsnotify creation
+fails.
+ - DHCP resolver errors ($DHCP forwarding) are now properly logged and
+visible to system administrators.
+ - Fixed double-bracketing of IPv6 addresses in DoH stamps that could prevent
+proper connection to IPv6 DoH servers.
+ - Cache statistics are now more accurate by only counting queries that
+actually participate in caching.
+ - The monitoring UI has been enhanced with server health indicators and
+improved display of resolver performance metrics.
+ - Proxy hostnames (when using SOCKS/HTTP proxies) are now pre-resolved using
+bootstrap resolvers if they are domain names.
+ - Multiple IP addresses per hostname are now cached instead of randomly
+selecting one, improving connection reliability for multi-homed servers.
+
 # Version 2.1.14
  - Added support for client IP address encryption in logs using IPCrypt
 (https://ipcrypt-std.github.io/). Three algorithms are supported:

dnscrypt-proxy/coldstart.go

@@ -59,12 +59,10 @@ func HandleCaptivePortalQuery(msg *dns.Msg, question *dns.Question, ips *Captive
 	} else if question.Qtype == dns.TypeAAAA {
 		for _, xip := range *ips {
 			if xip.To4() == nil {
-				if ip := xip.To16(); ip != nil {
-					rr := new(dns.AAAA)
-					rr.Hdr = dns.RR_Header{Name: question.Name, Rrtype: dns.TypeAAAA, Class: dns.ClassINET, Ttl: ttl}
-					rr.AAAA = ip
-					respMsg.Answer = append(respMsg.Answer, rr)
-				}
+				rr := new(dns.AAAA)
+				rr.Hdr = dns.RR_Header{Name: question.Name, Rrtype: dns.TypeAAAA, Class: dns.ClassINET, Ttl: ttl}
+				rr.AAAA = xip
+				respMsg.Answer = append(respMsg.Answer, rr)
 			}
 		}
 	}
@@ -78,7 +76,7 @@ func HandleCaptivePortalQuery(msg *dns.Msg, question *dns.Question, ips *Captive
 }
 
 func handleColdStartClient(clientPc *net.UDPConn, cancelChannel chan struct{}, ipsMap *CaptivePortalMap) bool {
-	buffer := make([]byte, MaxDNSPacketSize-1)
+	buffer := make([]byte, MaxDNSPacketSize)
 	clientPc.SetDeadline(time.Now().Add(time.Duration(1) * time.Second))
 	length, clientAddr, err := clientPc.ReadFrom(buffer)
 	exit := false

dnscrypt-proxy/config.go

@@ -82,6 +82,7 @@ type Config struct {
 	SourceIPv4               bool                        `toml:"ipv4_servers"`
 	SourceIPv6               bool                        `toml:"ipv6_servers"`
 	MaxClients               uint32                      `toml:"max_clients"`
+	TimeoutLoadReduction     float64                     `toml:"timeout_load_reduction"`
 	BootstrapResolversLegacy []string                    `toml:"fallback_resolvers"`
 	BootstrapResolvers       []string                    `toml:"bootstrap_resolvers"`
 	IgnoreSystemDNS          bool                        `toml:"ignore_system_dns"`
@@ -147,6 +148,7 @@ func newConfig() Config {
 		SourceDoH:                true,
 		SourceODoH:               false,
 		MaxClients:               250,
+		TimeoutLoadReduction:     0.75,
 		BootstrapResolvers:       []string{DefaultBootstrapResolver},
 		IgnoreSystemDNS:          false,
 		LogMaxSize:               10,
@@ -694,14 +696,6 @@ func (config *Config) loadSources(proxy *Proxy) error {
 	if err := proxy.updateRegisteredServers(); err != nil {
 		return err
 	}
-	rs1 := proxy.registeredServers
-	rs2 := proxy.serversInfo.registeredServers
-	rand.Shuffle(len(rs1), func(i, j int) {
-		rs1[i], rs1[j] = rs1[j], rs1[i]
-	})
-	rand.Shuffle(len(rs2), func(i, j int) {
-		rs2[i], rs2[j] = rs2[j], rs2[i]
-	})
 	return nil
 }
 
@@ -780,6 +774,11 @@ func isIPAndPort(addrStr string) error {
 		return fmt.Errorf("Port missing '%s'", addrStr)
 	} else if _, err := strconv.ParseUint(strconv.Itoa(port), 10, 16); err != nil {
 		return fmt.Errorf("Port does not parse '%s' [%v]", addrStr, err)
+	} else if ip.To4() == nil {
+		// IPv6 address must use bracket notation to avoid ambiguity
+		if !strings.HasPrefix(host, "[") || !strings.HasSuffix(host, "]") {
+			return fmt.Errorf("IPv6 addresses must use bracket notation, e.g., [%s]:%d", ip.String(), port)
+		}
 	}
 	return nil
 }