
Answered

How do I know DNSCrypt is working?

nicklord
asked this on July 18, 2013, 14:53

I've been using OpenDNS (set up in my wi-fi router) for a while now and have now installed DNSCrypt on my PC. I'm using Linux (openSUSE 12.3 64-bit). After installing the software I called

systemctl enable dnscrypt

and

systemctl start dnscrypt

I set the name server in the Network Settings to 127.0.0.1 and rebooted. How can I tell that DNSCrypt is actually working?


Comments

rotblitz
Check Answer

nslookup -type=txt debug.opendns.com.

- or -

dig debug.opendns.com txt

July 18, 2013, 15:22
nicklord
Thank you very much, rotblitz, for your prompt and helpful reply.
July 19, 2013, 01:36
umcsbi-admin

Where can I download DNSCrypt? Any link please...

August 6, 2013, 19:08
rotblitz
August 6, 2013, 22:54
braddakine
What are some error messages I might get if it is not working? What message should I get if it is?
September 18, 2013, 11:07
braddakine
; <<>> DiG 9.8.3-P1 <<>> debug.opendns.com.txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53868
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com.txt. IN A

;; ANSWER SECTION:
debug.opendns.com.txt. 0 IN A 67.215.65.132

;; Query time: 68 msec
;; SERVER: 127.0.0.54#53(127.0.0.54)
;; WHEN: Wed Sep 18 14:04:57 2013
;; MSG SIZE rcvd: 66
September 18, 2013, 11:08
rotblitz

This was working. ;-)

The domain debug.opendns.com.txt does not exist, therefore you got 67.215.65.132 (hit-nxdomain.opendns.com) returned. Your query went through 127.0.0.54.

The correct command would have been:
dig  debug.opendns.com  txt

September 18, 2013, 15:24
rotblitz

"What message should I get if it is?"

dig  debug.opendns.com  txt

; <<>> DiG 9.3.2 <<>> debug.opendns.com txt
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1603
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com.             IN      TXT

;; ANSWER SECTION:
debug.opendns.com.      0       IN      TXT     "server 5.fra"                          <- Using Frankfurt OpenDNS location
debug.opendns.com.      0       IN      TXT     "flags 20 0 2cc d00d82040001401"        <- The flags associated with my DNS query
debug.opendns.com.      0       IN      TXT     "id 381599"                             <- My OpenDNS network ID
debug.opendns.com.      0       IN      TXT     "source 217.254.45.71:14830"            <- My source IP address and port from where I queried
debug.opendns.com.      0       IN      TXT     "dnscrypt enabled (7136666E76576A42)"   <- That says it all.

;; Query time: 31 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 19 00:32:53 2013
;; MSG SIZE  rcvd: 223

September 18, 2013, 15:37
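The TXT-record check rotblitz describes, as an added example that is not from the original thread: a small Python parser that reads the output of dig debug.opendns.com txt, tells a correct TXT query apart from the A-record mistake seen earlier in this thread, and reports whether the "dnscrypt enabled" record and the expected local resolver are present. The sample dig outputs are constructed from the records quoted above, and the function names (check, GOOD, BAD) are my own.

```python
import re
import subprocess

# Constructed samples modelled on the dig output quoted in this thread (not live captures).
GOOD = """\
;; QUESTION SECTION:
;debug.opendns.com.             IN      TXT
;; ANSWER SECTION:
debug.opendns.com.      0       IN      TXT     "server 5.fra"
debug.opendns.com.      0       IN      TXT     "source 217.254.45.71:14830"
debug.opendns.com.      0       IN      TXT     "dnscrypt enabled (7136666E76576A42)"
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""
# The recurring mistake in the thread: an A query instead of a TXT query.
BAD = """\
;; QUESTION SECTION:
;debug.opendns.com.             IN      A
;; SERVER: 127.0.0.54#53(127.0.0.54)
"""
Q_RE = re.compile(r'^;(\S+)\s+IN\s+(\S+)\s*$', re.M)             # question line
TXT_RE = re.compile(r'^\S+\s+\d+\s+IN\s+TXT\s+"([^"]*)"', re.M)  # TXT answers
SRV_RE = re.compile(r'^;; SERVER: (\S+?)#', re.M)                 # resolver used

def check(dig_output):
    """Interpret `dig debug.opendns.com txt` output; returns a dict of findings."""
    q = Q_RE.search(dig_output)
    qtype = q.group(2) if q else "?"
    if qtype != "TXT":
        return {"encrypted": False,
                "reason": "query type was %s; run: dig debug.opendns.com txt" % qtype}
    info = {"encrypted": False}
    for rec in TXT_RE.findall(dig_output):
        key, _, val = rec.partition(" ")      # "server 5.fra" -> server=5.fra
        info[key] = val
    srv = SRV_RE.search(dig_output)
    info["resolver"] = srv.group(1) if srv else "?"
    if "server" not in info:
        info["reason"] = "no OpenDNS debug records: the answer did not come from OpenDNS"
    elif info.get("dnscrypt", "").startswith("enabled"):
        # Unsigned record (jedisct1's point below): a hint, not proof. The firm
        # test is pausing the proxy and seeing resolution fail.
        info["encrypted"] = True
    else:
        info["reason"] = "reached OpenDNS, but in the clear (no 'dnscrypt enabled')"
    return info

if __name__ == "__main__":            # live check on this machine
    out = subprocess.run(["dig", "debug.opendns.com", "txt"],
                         capture_output=True, text=True).stdout
    print(check(out))
```

Run it on a machine with dig installed to see the verdict for the local resolver; the resolver field should be the loopback address the proxy listens on.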
braddakine
Rotblitz, Thanks! : )
September 18, 2013, 17:35
r226

; <<>> DiG 9.8.3-P1 <<>> debug.opendns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18888
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com. IN A

;; AUTHORITY SECTION:
opendns.com. 1996 IN SOA auth1.opendns.com. hostmaster.opendns.com. 1386897657 16384 2048 1048576 2560

;; Query time: 29 msec
;; SERVER: 127.0.0.54#53(127.0.0.54)
;; WHEN: Sat Dec 14 15:51:29 2013
;; MSG SIZE  rcvd: 121


December 14, 2013, 13:52
r226

Is DNSCrypt set up correctly?

December 14, 2013, 13:53
rotblitz

Once again, the correct command would be:

dig  debug.opendns.com  txt

December 14, 2013, 16:43
stevehendo34

I got it to work with the DNSCrypt.org client and Ubuntu 14.04:
--libsodium4_0.4.5-0~trusty5_amd64.deb
--dnscrypt-proxy-1.4.2
--install them with gdebi-gtk

Neither is in the official PPA yet for Ubuntu 14.04; I had to download them from:
--https://launchpad.net/~shnatsel/+archive/ubuntu/dnscrypt/+files/lib...
--https://launchpad.net/~shnatsel/+archive/ubuntu/dnscrypt/+files/dns...

Set the DNS address to 127.0.0.2 in the KDE network tools.
Start it with sudo: sudo service ddclient restart
sudo service network-manager restart

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

$ dig debug.opendns.com txt

; <<>> DiG 9.9.5-3-Ubuntu <<>> debug.opendns.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57152
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com. IN TXT

;; ANSWER SECTION:
debug.opendns.com. 0 IN TXT "server 5.ash"
debug.opendns.com. 0 IN TXT "flags 20 0 2F6 0"
debug.opendns.com. 0 IN TXT "originid 26933670"
debug.opendns.com. 0 IN TXT "actype 2"
debug.opendns.com. 0 IN TXT "bundle 6932830"
debug.opendns.com. 0 IN TXT "source 66.168.29.120:54722"
debug.opendns.com. 0 IN TXT "dnscrypt enabled (71447764594D3377)"

;; Query time: 58 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Sun Jan 04 12:46:15 CST 2015
;; MSG SIZE rcvd: 265


January 5, 2015, 07:11
jedisct1

What is being described here is a terrible and unreliable way to check that you are actually using DNSCrypt.

A non-signed DNS record that returns "it's secure" is just as good a security indicator as a picture of a padlock on a web page actually served over plain HTTP.

In order to check that your queries are going through the dnscrypt client proxy, stop or pause the proxy. If DNS resolution doesn't work any more, the proxy was actually being used :)

January 6, 2015, 12:33