diff --git a/docs/circumvention.rst b/docs/circumvention.rst
index 8c220cc8f321c4f0096a55b7ee4c5577520935f1..ee31e58a29e6a7efba999ef2bd7a3d6b59dc95de 100644
--- a/docs/circumvention.rst
+++ b/docs/circumvention.rst
@@ -9,9 +9,23 @@ Bootstrapping the connection
 
 There are two different steps where circumvention can be used: boostrapping the
 connection (getting a certificate and the configuration files) and using an
-obfuscated transport protocol. At the moment RiseupVPN offers obfs4 transport
-"bridges" (you can try them with the `--obfs4` command line argument). For the
-initial bootstrap, there are a couple of techniques that will be attempted.
+obfuscated transport protocol. 
+
+For the initial bootstrap, there are a couple of techniques that will be
+attempted. If this fails, please open an issue with the relevant log
+information.
+
+Obfuscated bridges
+-----------------------------
+
+At the moment RiseupVPN offers obfs4 transport "bridges" (you can try them with
+the `--obfs4` command line argument, a way to enable them from the gui will be
+following soon).
+
+If you know you need bridges but the current ones do not work for you, please
+get in contact. We're interested in learning what are the specific censorship
+measures being deployed in your concrete location, and we could work together
+to enable new bridges.
 
 Getting certificates off-band
 -----------------------------
diff --git a/pkg/vpn/bonafide/eip_service.go b/pkg/vpn/bonafide/eip_service.go
index 5755b6cac03f44ebdcf7f812b7767749cb62eaa8..c1061350ac6ab9f87f1d0d9e2355114c705816e9 100644
--- a/pkg/vpn/bonafide/eip_service.go
+++ b/pkg/vpn/bonafide/eip_service.go
@@ -79,17 +79,17 @@ func (b *Bonafide) fetchEipJSON() error {
 	eip3API := config.APIURL + "3/config/eip-service.json"
 	resp, err := b.client.Post(eip3API, "", nil)
 	for err != nil {
-		log.Printf("Error fetching eip v3 json: %v", err)
-		// TODO why exactly 1 retry? Make it configurable, for tests
-		time.Sleep(retryFetchJSONSeconds * time.Second)
 		resp, err = b.client.Post(eip3API, "", nil)
 		if err != nil {
-			// TODO it might be that it's not an error, but an empty file or whatever done
+			// TODO it might be that we get no error, but an empty file or whatever done
 			// by DNS poisoning. Should try to parse the file.
 			uri := b.getURLNoDNS("eip")
-			log.Println("Fetching ", uri)
 			resp, err = b.client.Post(uri, "", nil)
 		}
+		if err != nil {
+			log.Printf("Error fetching eip v3 json: %v", err)
+			time.Sleep(retryFetchJSONSeconds * time.Second)
+		}
 	}
 	defer resp.Body.Close()
 
diff --git a/pkg/vpn/diagnose.go b/pkg/vpn/diagnose.go
new file mode 100644
index 0000000000000000000000000000000000000000..5d12d4d63fee45ba9f7d641f6bebebd7bfecd28b
--- /dev/null
+++ b/pkg/vpn/diagnose.go
@@ -0,0 +1,19 @@
+package vpn
+
+import (
+	"log"
+	"net"
+)
+
+func logDnsLookup(domain string) {
+	addrs, err := net.LookupHost(domain)
+	if err != nil {
+		log.Println("ERROR cannot resolve address:", domain)
+		log.Println(err)
+	}
+
+	log.Println("From here,", domain, "resolves to:")
+	for _, addr := range addrs {
+		log.Println(addr)
+	}
+}
diff --git a/pkg/vpn/openvpn.go b/pkg/vpn/openvpn.go
index a568a329ce979cc5117edf8585d244a83cb38036..244195bd11ec2796b850988f953462cff4fd2fbb 100644
--- a/pkg/vpn/openvpn.go
+++ b/pkg/vpn/openvpn.go
@@ -202,6 +202,8 @@ func (b *Bitmask) getCert() (certPath string, err error) {
 		}
 	}
 	if failed || !isValidCert(certPath) {
+		d := config.APIURL[8 : len(config.APIURL)-1]
+		logDnsLookup(d)
 		cert, err := b.bonafide.GetPemCertificateNoDNS()
 		if cert != nil {
 			log.Println("Successfully did certificate bypass")
@@ -214,6 +216,7 @@ func (b *Bitmask) getCert() (certPath string, err error) {
 			failed = true
 		}
 	}
+
 	return certPath, err
 }