Gentoo Forums
Is dnscrypt-proxy working?
Gentoo Forums Forum Index :: Networking & Security
n05ph3r42
Tux's lil' helper
Joined: 11 Jul 2016
Posts: 98

PostPosted: Sat Jan 27, 2018 9:18 am    Post subject: Is dnscrypt-proxy working?

Hi there.
I set up pdnsd + dnscrypt-proxy.
rc-status is OK for all.
Configs are adjusted.

To check that dnscrypt-proxy works, I run
Code:
# dig debug.opendns.com TXT

; <<>> DiG 9.11.2-P1 <<>> debug.opendns.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53407
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1024
;; QUESTION SECTION:
;debug.opendns.com.      IN   TXT

;; AUTHORITY SECTION:
opendns.com.      3266   IN   SOA   auth1.opendns.com. noc.opendns.com. 1517037688 16384 2048 1048576 2560

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jan 27 09:05:23 -00 2018
;; MSG SIZE  rcvd: 92


but it should return something like
Code:
dig  debug.opendns.com  txt

; <<>> DiG 9.3.2 <<>> debug.opendns.com txt
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1603
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com.             IN      TXT

;; ANSWER SECTION:
debug.opendns.com.      0       IN      TXT     "server 5.fra"                                                Using Frankfurt OpenDNS location
debug.opendns.com.      0       IN      TXT     "flags 20 0 2cc d00d82040001401"       The flags associated with my DNS query
debug.opendns.com.      0       IN      TXT     "id 381599"                                                  My OpenDNS network ID
debug.opendns.com.      0       IN      TXT     "source 217.254.45.71:14830"                My source IP address and port from where I queried
debug.opendns.com.      0       IN      TXT     "dnscrypt enabled (7136666E76576A42)"      That says it all.

;; Query time: 31 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 19 00:32:53 2013
;; MSG SIZE  rcvd: 223


I cannot understand what is wrong; I see no line with
Code:
 debug.opendns.com.      0       IN      TXT     "dnscrypt enabled (7136666E76576A42)"



/etc/pdnsd/pdnsd.conf
Code:
global {
    perm_cache   = 9600;
    cache_dir    = "/var/cache/pdnsd";
    run_as       = "pdnsd";
    server_ip    = 127.0.0.1;
    status_ctl   = on;
    query_method = udp_tcp;
   
    par_queries  = 4;

    neg_ttl = 2m;        # negative answer cache time   
    min_ttl = 15m;       # Retain cached entries at least 15 minutes.
    max_ttl = 1w;        # One week.
    timeout = 10;        # Global timeout option (10 seconds).

    neg_domain_pol = on;
    udpbufsize = 1024;   # Upper limit on the size of UDP messages.
}

server {
    label      = "dnscrypt-proxy";
    ip         = 127.0.0.1;
    port       = 5353;
    timeout    = 4;
    proxy_only = on;

    uptest     = if;     # Test if the network interface is active.
    interface  = enp2s0; # The name of the interface to check.
    interval   = 10m;    # Check every 10 minutes.
    purge_cache= off;    # Keep stale cache entries in case the ISP's
                         # DNS servers go offline.
    edns_query = yes;    # Use EDNS for outgoing queries to allow UDP messages
                           # larger than 512 bytes. May cause trouble with some
}

source {
    owner = localhost;
    file = "/etc/hosts";
}


dnscrypt-proxy.conf
Code:
ResolverName random
ResolversList /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv
Daemonize yes
PidFile /run/dnscrypt-proxy.pid
User dnscrypt
LocalAddress 127.0.0.1:5353
LocalCache on
EphemeralKeys off
EDNSPayloadSize 4096


/etc/resolv.conf
Code:
nameserver 127.0.0.1
options edns0


Last edited by n05ph3r42 on Mon Jan 29, 2018 6:21 pm; edited 1 time in total
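The check this post relies on, written out as an added example (not code from the original posts, nor from dnscrypt-proxy or pdnsd): a small Python script that parses the text output of dig debug.opendns.com TXT and reports which of three situations applies. Either the answer never came from OpenDNS (NXDOMAIN with no debug TXT records, as in the first output above), or OpenDNS answered but without the "dnscrypt enabled" record (a plain DNS query reached OpenDNS), or DNSCrypt is in use. The three SAMPLE_* strings are constructed, trimmed copies of the dig output posted in this thread with placeholder ids and addresses; the parser assumes the "status:" header line and the ";; SERVER:" line that dig 9.x prints.

```python
"""Classify the output of 'dig debug.opendns.com TXT'.

Added example for this thread; not code from the original posts, dnscrypt-proxy
or pdnsd.  The SAMPLE_* strings are constructed, trimmed copies of the dig
output posted in the thread, with placeholder ids and addresses.
"""
import re
import sys
from dataclasses import dataclass

STATUS_RE = re.compile(r"status: ([A-Z]+)")
SERVER_RE = re.compile(r";; SERVER: (\S+)")
# One TXT record of the OpenDNS debug zone, e.g.
#   debug.opendns.com.   900   IN   TXT   "dnscrypt enabled (713156774457306E)"
TXT_RE = re.compile(r'^debug\.opendns\.com\.\s+\d+\s+IN\s+TXT\s+"([^"]*)"', re.M)


@dataclass
class DigResult:
    status: str   # rcode as dig prints it: NOERROR, NXDOMAIN, SERVFAIL, ...
    server: str   # resolver dig talked to, e.g. 127.0.0.1#53(127.0.0.1)
    txt: dict     # debug TXT records keyed by their first word

    @property
    def reached_opendns(self) -> bool:
        # Only OpenDNS's own resolvers populate the debug zone; a query that
        # ended up anywhere else comes back NXDOMAIN with no TXT data.
        return self.status == "NOERROR" and "server" in self.txt

    @property
    def dnscrypt_enabled(self) -> bool:
        # "dnscrypt enabled (<hex>)" is only present when the query reached
        # OpenDNS over DNSCrypt; a plain UDP/TCP query to OpenDNS omits it.
        return self.txt.get("dnscrypt", "").startswith("enabled")


def parse_dig(output: str) -> DigResult:
    """Extract rcode, SERVER line and debug TXT records from dig's text output."""
    status = STATUS_RE.search(output)
    server = SERVER_RE.search(output)
    txt = {}
    for value in TXT_RE.findall(output):
        key, _, rest = value.partition(" ")   # "server m2.wrw" -> ("server", "m2.wrw")
        txt[key] = rest
    return DigResult(status=status.group(1) if status else "UNKNOWN",
                     server=server.group(1) if server else "",
                     txt=txt)


def verdict(result: DigResult) -> str:
    """One-line verdict; the token before the colon is stable for scripting."""
    if not result.reached_opendns:
        return ("NOT_OPENDNS: answer did not come from OpenDNS, so the debug zone "
                "says nothing; check which upstream the local resolver forwards to")
    if not result.dnscrypt_enabled:
        return "PLAIN_DNS: OpenDNS answered, but the query was not DNSCrypt-protected"
    return "DNSCRYPT_OK: dnscrypt enabled, answered by OpenDNS node " + result.txt["server"]


# Constructed samples (placeholder ids/addresses), trimmed to the lines that matter.
SAMPLE_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
opendns.com.\t3266\tIN\tSOA\tauth1.opendns.com. noc.opendns.com. 1 16384 2048 1048576 2560
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""
DNSCRYPT_LINE = 'debug.opendns.com.\t900\tIN\tTXT\t"dnscrypt enabled (0000000000000000)"\n'
SAMPLE_DNSCRYPT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22222
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
debug.opendns.com.\t900\tIN\tTXT\t"actype 0"
debug.opendns.com.\t900\tIN\tTXT\t"source 192.0.2.1:42807"
""" + DNSCRYPT_LINE + """\
debug.opendns.com.\t900\tIN\tTXT\t"server m2.wrw"
debug.opendns.com.\t900\tIN\tTXT\t"flags 20 0 70 0"
debug.opendns.com.\t900\tIN\tTXT\t"originid 0"
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""
# Same answer without the dnscrypt record: what a plain query to OpenDNS returns.
SAMPLE_PLAIN = SAMPLE_DNSCRYPT.replace(DNSCRYPT_LINE, "")

if __name__ == "__main__":
    # Usage: dig debug.opendns.com TXT | python3 check_dnscrypt.py
    # Without piped input, classify the three embedded samples instead.
    if not sys.stdin.isatty():
        print(verdict(parse_dig(sys.stdin.read())))
    else:
        for name, sample in (("NXDOMAIN", SAMPLE_NXDOMAIN),
                             ("DNSCRYPT", SAMPLE_DNSCRYPT),
                             ("PLAIN", SAMPLE_PLAIN)):
            print(name, "->", verdict(parse_dig(sample)))
```

The distinction the script draws is the one that matters for the question: an NXDOMAIN from the local 127.0.0.1 resolver does not prove that encryption failed, only that the query never reached an OpenDNS node, so the thing to inspect is which upstream pdnsd and dnscrypt-proxy actually forwarded to.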
massimo
Veteran
Joined: 22 Jun 2003
Posts: 1226

PostPosted: Mon Jan 29, 2018 12:12 pm    Post subject:

Try setting a ResolverName for dnscrypt, e.g.,
Code:

Daemonize yes
PidFile /run/dnscrypt-proxy.pid
User dnscrypt
LocalAddress 127.0.0.1:5353
LocalCache on
EphemeralKeys off
EDNSPayloadSize 4096
ResolverName cisco

_________________
Hello 911? How are you?
n05ph3r42
Tux's lil' helper
Joined: 11 Jul 2016
Posts: 98

PostPosted: Mon Jan 29, 2018 6:19 pm    Post subject:

Quote:
Try setting a ResolverName for dnscrypt, e.g.,

Ah, I forgot to put these lines into my original message:
Code:

ResolverName random
ResolversList /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv

so my full dnscrypt-proxy conf is in fact
Code:
ResolverName random
ResolversList /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv
Daemonize yes
PidFile /run/dnscrypt-proxy.pid
User dnscrypt
LocalAddress 127.0.0.1:5353
LocalCache on
EphemeralKeys off
EDNSPayloadSize 4096
massimo
Veteran
Joined: 22 Jun 2003
Posts: 1226

PostPosted: Tue Jan 30, 2018 7:36 am    Post subject:

As I said, give it a shot with cisco.
_________________
Hello 911? How are you?
n05ph3r42
Tux's lil' helper
Joined: 11 Jul 2016
Posts: 98

PostPosted: Tue Jan 30, 2018 6:17 pm    Post subject:

massimo wrote:
As I said give it a shot with cisco.

w00t!
Code:
 # dig debug.opendns.com TXT

; <<>> DiG 9.11.2-P1 <<>> debug.opendns.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9229
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1024
;; QUESTION SECTION:
;debug.opendns.com.      IN   TXT

;; ANSWER SECTION:
debug.opendns.com.   900   IN   TXT   "actype 0"
debug.opendns.com.   900   IN   TXT   "source 217.*.*.*:42807"
debug.opendns.com.   900   IN   TXT   "dnscrypt enabled (713156774457306E)"
debug.opendns.com.   900   IN   TXT   "server m2.wrw"
debug.opendns.com.   900   IN   TXT   "flags 20 0 70 7950800000000000000"
debug.opendns.com.   900   IN   TXT   "originid 0"

;; Query time: 16 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 30 18:13:25 -00 2018
;; MSG SIZE  rcvd: 248


But why does dig debug.opendns.com with another resolver give an authoritative answer? Does it mean that, in fact, that resolver doesn't work as an encrypting one?
Also I get the following message:
Code:
Tue Jan 30 18:12:56 2018 [INFO] - [cisco] does not support DNS Security Extensions
massimo
Veteran
Joined: 22 Jun 2003
Posts: 1226

PostPosted: Wed Jan 31, 2018 9:37 am    Post subject:

I do not understand your last question/note.

The last piece of information tells you that DNSSEC is not supported by this particular resolver.
_________________
Hello 911? How are you?
n05ph3r42
Tux's lil' helper
Joined: 11 Jul 2016
Posts: 98

PostPosted: Wed Jan 31, 2018 6:25 pm    Post subject:

massimo wrote:
I do not understand your last question/note.

I mean, why might some other resolvers from the file not act as encrypting DNS and give an authoritative answer? I checked this on names that are blocked in my local area.

massimo wrote:
The last piece of information tells you that DNSSEC is not supported by this particular resolver.

That was clear to me, thank you; I just wondered why cisco cannot support this spec.
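The two points raised in this exchange, the "[cisco] does not support DNS Security Extensions" log line and the question of why a resolver chosen by ResolverName random may not behave as expected, both come down to what the resolver list advertises per entry. As an added example (not code from dnscrypt-proxy), the Python below reads a resolver list in the layout of the v1 dnscrypt-resolvers.csv that dnscrypt-proxy 1.x ships (the column names in HEADER are an assumption about that file), rejects entries that do not meet the properties you require, and picks only among the survivors. The rows in SAMPLE_CSV are constructed: addresses, keys, descriptions and the No logs column are placeholders, and the cisco row only carries the one fact this thread reports, that it does no DNSSEC validation.

```python
"""Filter dnscrypt-resolvers.csv instead of letting ResolverName random pick blindly.

Added example for this thread, not code from dnscrypt-proxy.  HEADER assumes the
column layout of the v1 dnscrypt-resolvers.csv used by dnscrypt-proxy 1.x; the
rows in SAMPLE_CSV are constructed (addresses, keys, descriptions and the
"No logs" values are placeholders).  The cisco row only carries what the
thread's log line reports: no DNSSEC validation.
"""
import csv
import io
import random
import re

HEADER = ("Name,Full name,Description,Location,Coordinates,URL,Version,"
          "DNSSEC validation,No logs,Namecoin,Resolver address,"
          "Provider name,Provider public key,Provider public key TXT record")

# A provider public key is 32 bytes, printed as 16 colon-separated groups of
# 4 uppercase hex digits.  The client uses it to verify the resolver's signed
# certificate, so an entry with a malformed key cannot be trusted at all.
KEY_RE = re.compile(r"^(?:[0-9A-F]{4}:){15}[0-9A-F]{4}$")
FAKE_KEY = ":".join(["0123"] * 16)     # placeholder, not a real provider key

SAMPLE_CSV = "\n".join([
    HEADER,
    "cisco,Cisco OpenDNS,placeholder,Anycast,,https://example.invalid,1,no,no,no,"
    "192.0.2.1:443,2.dnscrypt-cert.example.invalid," + FAKE_KEY + ",",
    "example-validating,Example A,placeholder,Europe,,https://example.invalid,1,yes,yes,no,"
    "192.0.2.2:443,2.dnscrypt-cert.example.invalid," + FAKE_KEY + ",",
    "example-badkey,Example B,placeholder,Europe,,https://example.invalid,1,yes,yes,no,"
    "192.0.2.3:443,2.dnscrypt-cert.example.invalid,not-a-key,",
])


def load_resolvers(text: str) -> list:
    """Parse the CSV into one dict per resolver, keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def problems(row: dict, require_dnssec: bool = True, require_no_logs: bool = True) -> list:
    """Reasons this entry should not be used; an empty list means acceptable."""
    out = []
    if row["Version"] != "1":
        out.append("unsupported protocol version " + row["Version"])
    if not KEY_RE.match(row["Provider public key"]):
        out.append("malformed provider public key")
    if require_dnssec and row["DNSSEC validation"].strip().lower() != "yes":
        out.append("does not support DNS Security Extensions")
    if require_no_logs and row["No logs"].strip().lower() != "yes":
        out.append("keeps query logs")
    return out


def candidates(text: str, **requirements) -> list:
    """Names of all entries that pass problems() under the given requirements."""
    return [r["Name"] for r in load_resolvers(text) if not problems(r, **requirements)]


def pick(text: str, seed=None, **requirements) -> str:
    """Random choice restricted to acceptable entries, unlike ResolverName random."""
    names = candidates(text, **requirements)
    if not names:
        raise LookupError("no resolver in the list meets the requirements")
    return random.Random(seed).choice(names)


if __name__ == "__main__":
    # With the real file: python3 pick_resolver.py < /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CSV
    for row in load_resolvers(text):
        print(row["Name"], "->", "; ".join(problems(row)) or "ok")
    print("pick:", pick(text, seed=0))
```

The point of the filter is that "random" in the config means random over the whole list, including entries whose advertised properties you would never choose by hand; putting the name the filter returns into ResolverName gives a resolver whose DNSSEC and logging claims you have at least read, though the CSV only records what each provider advertises, not anything verified.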
All times are GMT