n05ph3r42 Tux's lil' helper
Posted: Sat Jan 27, 2018 9:18 am Post subject: Is dnscrypt-proxy working? |
Hi there.
I set up pdnsd + dnscrypt-proxy.
rc-status is OK for all.
Configs adjusted.
To check that dnscrypt-proxy is working I run
Code: | # dig debug.opendns.com TXT
; <<>> DiG 9.11.2-P1 <<>> debug.opendns.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53407
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1024
;; QUESTION SECTION:
;debug.opendns.com. IN TXT
;; AUTHORITY SECTION:
opendns.com. 3266 IN SOA auth1.opendns.com. noc.opendns.com. 1517037688 16384 2048 1048576 2560
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jan 27 09:05:23 -00 2018
;; MSG SIZE rcvd: 92
|
but it should return something like
Code: | dig debug.opendns.com txt
; <<>> DiG 9.3.2 <<>> debug.opendns.com txt
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1603
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com. IN TXT
;; ANSWER SECTION:
debug.opendns.com. 0 IN TXT "server 5.fra" Using Frankfurt OpenDNS location
debug.opendns.com. 0 IN TXT "flags 20 0 2cc d00d82040001401" The flags associated with my DNS query
debug.opendns.com. 0 IN TXT "id 381599" My OpenDNS network ID
debug.opendns.com. 0 IN TXT "source 217.254.45.71:14830" My source IP address and port from where I queried
debug.opendns.com. 0 IN TXT "dnscrypt enabled (7136666E76576A42)" That says it all.
;; Query time: 31 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 19 00:32:53 2013
;; MSG SIZE rcvd: 223
|
I cannot understand what is wrong; I see no line with
Code: | debug.opendns.com. 0 IN TXT "dnscrypt enabled (7136666E76576A42)" |
/etc/pdnsd/pdnsd.conf
Code: | global {
perm_cache = 9600;
cache_dir = "/var/cache/pdnsd";
run_as = "pdnsd";
server_ip = 127.0.0.1;
status_ctl = on;
query_method = udp_tcp;
par_queries = 4;
neg_ttl = 2m; # negative answer cache time
min_ttl = 15m; # Retain cached entries at least 15 minutes.
max_ttl = 1w; # One week.
timeout = 10; # Global timeout option (10 seconds).
neg_domain_pol = on;
udpbufsize = 1024; # Upper limit on the size of UDP messages.
}
server {
label = "dnscrypt-proxy";
ip = 127.0.0.1;
port = 5353;
timeout = 4;
proxy_only = on;
uptest = if; # Test if the network interface is active.
interface = enp2s0; # The name of the interface to check.
interval = 10m; # Check every 10 minutes.
purge_cache= off; # Keep stale cache entries in case the ISP's
# DNS servers go offline.
edns_query = yes; # Use EDNS for outgoing queries to allow UDP messages
# larger than 512 bytes. May cause trouble with some
}
source {
owner = localhost;
file = "/etc/hosts";
} |
dnscrypt-proxy.conf
Code: | ResolverName random
ResolversList /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv
Daemonize yes
PidFile /run/dnscrypt-proxy.pid
User dnscrypt
LocalAddress 127.0.0.1:5353
LocalCache on
EphemeralKeys off
EDNSPayloadSize 4096
|
/etc/resolv.conf
Code: | nameserver 127.0.0.1
options edns0
|
Last edited by n05ph3r42 on Mon Jan 29, 2018 6:21 pm; edited 1 time in total |
massimo Veteran
Posted: Mon Jan 29, 2018 12:12 pm Post subject: |
Try setting a ResolverName for dnscrypt, e.g.,
Code: |
Daemonize yes
PidFile /run/dnscrypt-proxy.pid
User dnscrypt
LocalAddress 127.0.0.1:5353
LocalCache on
EphemeralKeys off
EDNSPayloadSize 4096
ResolverName cisco
|
n05ph3r42 Tux's lil' helper
Posted: Mon Jan 29, 2018 6:19 pm Post subject: |
Quote: | Try setting a ResolverName for dnscrypt, e.g., |
Ah, I forgot to put these lines into my original message:
Code: |
ResolverName random
ResolversList /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv
|
so my full dnscrypt conf is in fact
Code: | ResolverName random
ResolversList /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv
Daemonize yes
PidFile /run/dnscrypt-proxy.pid
User dnscrypt
LocalAddress 127.0.0.1:5353
LocalCache on
EphemeralKeys off
EDNSPayloadSize 4096 |
massimo Veteran
Posted: Tue Jan 30, 2018 7:36 am Post subject: |
As I said, give it a shot with cisco.
n05ph3r42 Tux's lil' helper
Posted: Tue Jan 30, 2018 6:17 pm Post subject: |
massimo wrote: | As I said give it a shot with cisco. |
w00t!
Code: | # dig debug.opendns.com TXT
; <<>> DiG 9.11.2-P1 <<>> debug.opendns.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9229
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1024
;; QUESTION SECTION:
;debug.opendns.com. IN TXT
;; ANSWER SECTION:
debug.opendns.com. 900 IN TXT "actype 0"
debug.opendns.com. 900 IN TXT "source 217.*.*.*:42807"
debug.opendns.com. 900 IN TXT "dnscrypt enabled (713156774457306E)"
debug.opendns.com. 900 IN TXT "server m2.wrw"
debug.opendns.com. 900 IN TXT "flags 20 0 70 7950800000000000000"
debug.opendns.com. 900 IN TXT "originid 0"
;; Query time: 16 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 30 18:13:25 -00 2018
;; MSG SIZE rcvd: 248
|
But why does dig debug.opendns.com with another resolver give an authoritative answer? Does it mean that, in fact, that resolver doesn't work as an encrypting one?
Also I get the following message
Code: | Tue Jan 30 18:12:56 2018 [INFO] - [cisco] does not support DNS Security Extensions |
massimo Veteran
Posted: Wed Jan 31, 2018 9:37 am Post subject: |
I do not understand your last question/note.
The last piece of information tells you that DNSSEC is not supported by this particular resolver.
n05ph3r42 Tux's lil' helper
Posted: Wed Jan 31, 2018 6:25 pm Post subject: |
massimo wrote: | I do not understand your last question/note. |
I mean, why might some other resolvers from the file not act as encrypting DNS, and give an authoritative answer instead? I checked this on names blocked in my local area.
massimo wrote: | The last piece of information tells you that DNSSEC is not supported by this particular resolver. |
That was clear to me, thank you; I just wondered why cisco cannot support this spec.
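The check the whole thread hinges on, `dig debug.opendns.com TXT`, is answered with those TXT records only when the query actually reaches an OpenDNS (cisco) resolver. Any other resolver forwards the query to the authoritative opendns.com servers, which have no such name and return NXDOMAIN, exactly what the first post shows with `ResolverName random`. NXDOMAIN from that check therefore means "not OpenDNS", not "not encrypted"; for a non-OpenDNS resolver the proof has to come from elsewhere, for instance dnscrypt-proxy's own log or a packet capture of the traffic to the resolver address listed in the CSV. The script below is an added example, not code from the thread or from the dnscrypt-proxy project: it reads dig's text output on stdin and sorts it into those cases so the distinction is not missed. The sample captures are constructed, trimmed from the outputs posted above with a TEST-NET source address, and the "plaintext" sample assumes the dnscrypt record is simply absent when the query arrived in the clear.

```shell
#!/bin/sh
# Added example (not from the thread): read the text output of
#   dig debug.opendns.com TXT
# on stdin and classify it the way the posts above do by hand.
# Prints one word:
#   dnscrypt     NOERROR from OpenDNS with the "dnscrypt enabled" TXT record
#   plaintext    NOERROR from OpenDNS but no "dnscrypt enabled" record
#   not-opendns  NXDOMAIN: the query was not answered by OpenDNS, so this
#                particular check says nothing about encryption (the
#                "ResolverName random" case in the thread)
#   error        anything else (SERVFAIL, timeout, no header line)
classify_opendns_debug() {
    out=$(cat)
    # pull the RCODE out of the ";; ->>HEADER<<- ... status: X," line
    status=$(printf '%s\n' "$out" \
        | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR)
            if printf '%s\n' "$out" \
                | grep -q '^debug\.opendns\.com\..*IN[[:space:]]*TXT[[:space:]]*"dnscrypt enabled'; then
                echo dnscrypt
            else
                echo plaintext
            fi
            ;;
        NXDOMAIN) echo not-opendns ;;
        *) echo error ;;
    esac
}

# Constructed samples, trimmed from the outputs posted in this thread.
SAMPLE_RANDOM_RESOLVER=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53407
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
opendns.com. 3266 IN SOA auth1.opendns.com. noc.opendns.com. 1517037688 16384 2048 1048576 2560'

SAMPLE_CISCO_DNSCRYPT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9229
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
debug.opendns.com. 900 IN TXT "source 192.0.2.10:42807"
debug.opendns.com. 900 IN TXT "dnscrypt enabled (713156774457306E)"
debug.opendns.com. 900 IN TXT "server m2.wrw"'

# Constructed (assumption): an OpenDNS answer for a query that arrived in
# the clear, i.e. the same records minus the dnscrypt line.
SAMPLE_CISCO_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
debug.opendns.com. 900 IN TXT "source 192.0.2.10:53001"
debug.opendns.com. 900 IN TXT "server m2.wrw"'

# Constructed: what dig prints when the local proxy is down.
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

case "${1:-}" in
    --demo)
        for s in "$SAMPLE_RANDOM_RESOLVER" "$SAMPLE_CISCO_DNSCRYPT" \
                 "$SAMPLE_CISCO_PLAIN" "$SAMPLE_TIMEOUT"; do
            printf '%s\n' "$s" | classify_opendns_debug
        done
        ;;
    --check)
        # live use: dig debug.opendns.com TXT | sh opendns_check.sh --check
        classify_opendns_debug
        ;;
esac
```

`sh opendns_check.sh --demo` walks the four constructed captures and prints `not-opendns`, `dnscrypt`, `plaintext`, `error` in that order; piping a real `dig debug.opendns.com TXT` into `--check` classifies the live answer. Only `dnscrypt` is a positive result, and only for the cisco resolver; treat `not-opendns` as "run a different check", not as a failure.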