Fix DoH crash and improve resilience

- Fix NetworkOnMainThreadException when disabling DoH by moving
  connection pool eviction to a background thread
- Add circuit breaker to skip DoH for 60s after 10 consecutive failures,
  avoiding timeout latency on every query when the endpoint is down
- Validate DoH responses are at least 12 bytes (minimum DNS header)
- Don't retry on 4xx client errors (only server errors are worth retrying)
- Use null-safe comparison for endpoint in getInstance()

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: kasnder

app/src/main/java/net/kollnig/missioncontrol/dns/DnsOverHttpsClient.java

@@ -21,6 +21,7 @@
 import net.kollnig.missioncontrol.BuildConfig;
 
 import java.io.IOException;
+import java.util.Objects;
 import java.util.concurrent.TimeUnit;
 
 import okhttp3.ConnectionPool;
@@ -70,7 +71,7 @@ public static synchronized DnsOverHttpsClient getInstance(Context context) {
      * Get instance with specific endpoint (used by DnsProxyServer).
      */
     public static synchronized DnsOverHttpsClient getInstance(String endpoint) {
-        if (instance == null || !instance.endpoint.equals(endpoint)) {
+        if (instance == null || !Objects.equals(instance.endpoint, endpoint)) {
             if (instance != null) {
                 instance.shutdown();
             }
@@ -89,14 +90,13 @@ public static synchronized void resetInstance() {
     /**
      * Shutdown the OkHttpClient and release resources.
      * Call this when DoH is disabled to prevent idle connections from draining
-     * battery.
+     * battery. Runs on a background thread to avoid NetworkOnMainThreadException
+     * when closing sockets.
      */
     public void shutdown() {
         Log.i(TAG, "Shutting down DoH client");
         client.dispatcher().cancelAll();
-        client.connectionPool().evictAll();
-        // Note: We don't call executorService().shutdown() because it would
-        // make the client unusable if a new instance isn't created in time
+        new Thread(() -> client.connectionPool().evictAll(), "DoH-shutdown").start();
     }
 
     /**
@@ -137,6 +137,7 @@ public byte[] resolve(@NonNull byte[] dnsQuery) {
                 try (Response response = client.newCall(request).execute()) {
                     if (!response.isSuccessful()) {
                         Log.w(TAG, "DoH request failed with code: " + response.code());
+                        if (response.code() < 500) return null; // Don't retry client errors
                         continue;
                     }
 
@@ -147,6 +148,10 @@ public byte[] resolve(@NonNull byte[] dnsQuery) {
                     }
 
                     byte[] dnsResponse = responseBody.bytes();
+                    if (dnsResponse.length < 12) {
+                        Log.w(TAG, "DoH response too short: " + dnsResponse.length + " bytes");
+                        continue;
+                    }
                     Log.d(TAG, "DoH response received: " + dnsResponse.length + " bytes");
                     return dnsResponse;
                 }

app/src/main/java/net/kollnig/missioncontrol/dns/DnsProxyServer.java

@@ -55,6 +55,9 @@ public class DnsProxyServer {
     private ServerSocket tcpServerSocket;
     private ExecutorService executor;
     private final AtomicInteger dohFailures = new AtomicInteger(0);
+    private static final int CIRCUIT_BREAKER_THRESHOLD = 10;
+    private static final long CIRCUIT_BREAKER_COOLDOWN_MS = 60_000;
+    private volatile long circuitOpenUntil = 0;
 
     private DnsProxyServer(Context context) {
         this.context = context.getApplicationContext();
@@ -221,32 +224,38 @@ private void runServer() {
      */
     private void handleQuery(byte[] queryData, InetAddress clientAddress, int clientPort) {
         try {
-            // Get the DoH client
             SharedPreferences prefs = PreferenceManager.getDefaultSharedPreferences(context);
-            String endpoint = prefs.getString("doh_endpoint", BuildConfig.DEFAULT_DOH_ENDPOINT);
-            DnsOverHttpsClient dohClient = DnsOverHttpsClient.getInstance(endpoint);
-
-            // Forward the query via DoH (the query is already in DNS wire format)
-            byte[] responseData = dohClient.resolve(queryData);
+            byte[] responseData = null;
+
+            // Circuit breaker: skip DoH if we recently had too many failures
+            boolean circuitOpen = System.currentTimeMillis() < circuitOpenUntil;
+            if (!circuitOpen) {
+                String endpoint = prefs.getString("doh_endpoint", BuildConfig.DEFAULT_DOH_ENDPOINT);
+                DnsOverHttpsClient dohClient = DnsOverHttpsClient.getInstance(endpoint);
+                responseData = dohClient.resolve(queryData);
+            }
 
             if (responseData != null) {
                 dohFailures.set(0);
-                // Send response back to client
+                circuitOpenUntil = 0;
                 DatagramSocket socket = serverSocket;
                 if (socket == null || socket.isClosed()) return;
                 DatagramPacket response = new DatagramPacket(
                         responseData, responseData.length, clientAddress, clientPort);
                 socket.send(response);
                 Log.d(TAG, "DoH query successful, response sent to " + clientAddress + ":" + clientPort);
             } else {
-                int failures = dohFailures.incrementAndGet();
-                Log.w(TAG, "DoH query returned null response, failures=" + failures);
-
-                if (failures >= 10) {
-                    if (eu.faircode.netguard.Util.isInternetWorking(context)) {
-                        Log.w(TAG, "DoH server unreachable even though internet is working, showing notification");
-                        eu.faircode.netguard.ServiceSinkhole.dohError(context);
-                        dohFailures.set(0); // Reset to wait for the next 10 failures
+                if (!circuitOpen) {
+                    int failures = dohFailures.incrementAndGet();
+                    Log.w(TAG, "DoH query returned null response, failures=" + failures);
+
+                    if (failures >= CIRCUIT_BREAKER_THRESHOLD) {
+                        circuitOpenUntil = System.currentTimeMillis() + CIRCUIT_BREAKER_COOLDOWN_MS;
+                        dohFailures.set(0);
+                        if (eu.faircode.netguard.Util.isInternetWorking(context)) {
+                            Log.w(TAG, "DoH circuit breaker tripped, skipping DoH for 60s");
+                            eu.faircode.netguard.ServiceSinkhole.dohError(context);
+                        }
                     }
                 }
 
@@ -335,26 +344,35 @@ private void handleTcpConnection(Socket client) {
             // Let's copy the resolution logic here for safety.
 
             SharedPreferences prefs = PreferenceManager.getDefaultSharedPreferences(context);
-            String endpoint = prefs.getString("doh_endpoint", BuildConfig.DEFAULT_DOH_ENDPOINT);
-            DnsOverHttpsClient dohClient = DnsOverHttpsClient.getInstance(endpoint);
+            byte[] responseData = null;
 
-            byte[] responseData = dohClient.resolve(queryData);
+            boolean circuitOpen = System.currentTimeMillis() < circuitOpenUntil;
+            if (!circuitOpen) {
+                String endpoint = prefs.getString("doh_endpoint", BuildConfig.DEFAULT_DOH_ENDPOINT);
+                DnsOverHttpsClient dohClient = DnsOverHttpsClient.getInstance(endpoint);
+                responseData = dohClient.resolve(queryData);
+            }
 
             if (responseData != null) {
                 dohFailures.set(0);
-                // Write response with 2-byte length prefix
+                circuitOpenUntil = 0;
                 out.writeShort(responseData.length);
                 out.write(responseData);
                 out.flush();
                 Log.d(TAG, "DoH TCP query successful");
             } else {
-                int failures = dohFailures.incrementAndGet();
-                if (failures >= 10 && eu.faircode.netguard.Util.isInternetWorking(context)) {
-                    eu.faircode.netguard.ServiceSinkhole.dohError(context);
-                    dohFailures.set(0);
+                if (!circuitOpen) {
+                    int failures = dohFailures.incrementAndGet();
+                    if (failures >= CIRCUIT_BREAKER_THRESHOLD) {
+                        circuitOpenUntil = System.currentTimeMillis() + CIRCUIT_BREAKER_COOLDOWN_MS;
+                        dohFailures.set(0);
+                        if (eu.faircode.netguard.Util.isInternetWorking(context)) {
+                            Log.w(TAG, "DoH circuit breaker tripped (TCP), skipping DoH for 60s");
+                            eu.faircode.netguard.ServiceSinkhole.dohError(context);
+                        }
+                    }
                 }
 
-                // Fallback to standard DNS if enabled
                 boolean dnsFallback = prefs.getBoolean("doh_dns_fallback", false);
                 if (dnsFallback) {
                     byte[] fallbackResponse = resolveViaStandardDns(queryData);