Comments

38 comments

  • opendns

    How does one secure IPv6 DNS requests on Windows 7? I have installed the latest DNSCrypt (1.4.3) from Github. I tested then installed it as a service, and confirmed that LocalAddress is set to the localhost address:port (127.0.0.1:53), ResolverName to opendns-ipv6. I set the Windows IPv4 adapter preferred dns setting to the IPv4 address 127.0.0.1, and confirmed that setting with ipconfig /all. So far, so good.

    However, setting the IPv6 adapter preferred dns setting to the IPv6 localhost address of ::1 (as described in various how-to articles on the web) fails. In a command prompt window "nslookup google.com" returns "Server UnKnown  Address ::1".  It won't even fall back to IPv4.

    The only way I can get a result is to set the IPv6 adapter preferred dns setting to "fec0:0:0:ffff::1%1". nslookup then uses 1.0.0.127.in-addr.arpa at 127.0.0.1 rather than a real IPv6 address.

     

  • rotblitz

    Setting the local address to 127.0.0.1:53 for the dnscrypt-proxy and configuring ::1 as the adapter DNS address cannot work.  These must be consistent.

    Therefore as from http://dnscrypt.org/

    dnscrypt-proxy --local-address='[::1]:53'

    Consequently, you must set the local adapter address to [::1] as well then.

    As you run dnscrypt-proxy as service, you must configure the parameters in the registry, as explained at
    https://github.com/jedisct1/dnscrypt-proxy/blob/master/README-WINDOWS.markdown

  • opendns

    So it is not possible to protect both IPv4 and IPv6 simultaneously?

    There are any number of tutorials that direct one to change both IPv4 and IPv6 adapter settings to their respective localhost addresses with no mention of changing the registry to suit, which led me to believe dnscrypt was capable of handling both. E.g.:

    http://thepileof.blogspot.ca/2012/03/using-encrypted-dns-with-windows-via.html

    http://www.maketecheasier.com/encrypt-dns-traffic-windows/

    http://blog.qresolve.com/blog/2014/12/31/all-you-need-to-do-to-encrypt-your-dns-and-enjoy-secure-browsing/

  • rotblitz

    "So it is not possible to protect both IPv4 and IPv6 simultaneously?"

    It is easily possible.  Did I say it was not?  No!

    If you want to use the dnscrypt-proxy for both, IPv4 and IPv6, then you must run two instances of it, one handling IPv4 and one handling IPv6.  For example:

    dnscrypt-proxy --local-address=127.0.0.1:53 --resolver-name=opendns
    dnscrypt-proxy --local-address=[::1]:53 --resolver-name=opendns-ipv6


    "There are any number of tutorials that direct one to change both IPv4 and IPv6 adapter settings to their respective localhost addresses with no mention of changing the registry to suit, which led me to believe dnscrypt was capable of handling both."

    What, the dnscrypt-proxy handling your adapter settings?  In no way!  This would be a bad idea and would take away any flexibility for doing what you want to do.  For example, I use my computer's internal IP address 192.168.2.11 as the local address, not localhost 127.0.0.1.  This allows me to use my computer as the DNS server for the whole network, which in turn allows all devices to use the dnscrypt-proxy via my computer.

    If you run the dnscrypt-proxy as a Windows service, you must specify the command line parameters in the registry instead, because with a Windows service you don't have a command line to specify parameters.  And dnscrypt-proxy cannot handle these parameters automatically, because it cannot know what you want.  So if you don't specify anything, it takes its defaults.

    Also, if you want to cover both, IPv4 and IPv6, and you run two instances of dnscrypt-proxy therefore, only one instance can run as Windows service.  The other instance must be started by other means, e.g. by the Task Scheduler, from the Startup folder, or from a Run registry entry.

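One way to confirm that both loopback listeners from the two-instance setup described above actually answer, so that neither stack silently falls back to the router's resolver. This is an added example, not part of the original thread or of dnscrypt-proxy; the function names, the fixed transaction ID and the test name `example.com` are assumptions chosen for illustration.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction ID (assumption, fine for a local probe)

def build_query(name, qtype=1):
    """Build a minimal DNS query: RD flag set, one question, class IN."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def probe(addr, port=53, name="example.com", timeout=2.0):
    """Send one UDP DNS query to addr:port; return (answered, detail)."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name), (addr, port))
            reply, _ = s.recvfrom(4096)
    except OSError as exc:  # timeout, port closed, or no such IP stack
        return False, "no answer (%s)" % exc.__class__.__name__
    if len(reply) < 12:
        return False, "truncated reply"
    txid, flags = struct.unpack("!HH", reply[:4])
    # A genuine reply echoes our ID and has the QR (response) bit set.
    if txid != TXID or not flags & 0x8000:
        return False, "reply does not match the query"
    return True, "rcode=%d" % (flags & 0x000F)

def check_listeners(targets=(("127.0.0.1", 53), ("::1", 53))):
    """Probe each local listener; a stack with no answer is not proxied."""
    results = {}
    for addr, port in targets:
        label = "[%s]:%d" % (addr, port) if ":" in addr else "%s:%d" % (addr, port)
        results[label] = probe(addr, port)
    return results

if __name__ == "__main__":
    for target, (ok, detail) in check_listeners().items():
        print("%-16s %-12s %s" % (target, "OK" if ok else "NOT COVERED", detail))
```

A "NOT COVERED" line for `[::1]:53` while `127.0.0.1:53` answers means only the IPv4 instance is listening, which matches the mismatch described earlier in the thread.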
  • opendns

    Thanks for the information. Hopefully a future version will be capable of listening to both stacks. For now, I may just leave this laptop configured as it is (which is kludgy but works) and see if I can get 2 instances of dnscrypt running on my router at home.

  • opendns

    I'm still beating myself about the head with this. I did successfully install DNSCrypt on my home router -- but it breaks IPv6 connectivity. I uninstalled it for now and went back to trying to install a second instance on this laptop.

    I created a .bat file in Startup consisting of the line

    C:\Progra~1\DNSCrypt\dnscrypt-proxy --local-address=[::1]:53 --resolver-name=opendns-ipv6

    That fails, the error being that it cannot find the .csv file. However, I can run the command from a command prompt from within the DNSCrypt directory. When I do, it seems to work, in that it generates a new key pair, gets a valid certificate and announces that it is proxying from [::1]:53.

    Ok, time to set the adapter dns settings in properties. However, if I attempt to change the IPv6 DNS setting to [::1]:53, I get an error message that "The network address entered is invalid", and it refuses to accept it. I also tried [::1]#53, 0:0:0:0:0:0:0:0:1:53, ::1#53, and 0:0:0:0:0:0:0:0:1#53. It will accept any variation of [::1], i.e. with no port specified. However, when I do that, Windows ignores the running proxy and uses the router's IP for DNS (according to ipconfig /all).

    Any more suggestions? Apparently you should use small words and short sentences 'cause I'm just not getting this at all! :(

  • rotblitz

    "That fails, the error being that it cannot find the .csv file."

    I do not know what the dnscrypt-proxy default is for searching the .csv file, but it is the program directory and/or the current directory.  You may try it out.

    If the program cannot find this file, you add the parameter

    --resolvers-list=<file>

    where you specify the path to and name of the .csv file, as documented at http://dnscrypt.org/ too.

    "Ok, time to set the adapter dns settings in properties."

    Port settings in the adapter?  Never ever, for nothing!  You do not and cannot specify a port.  Port 53 is default for DNS anyway. 
    And brackets are not to be used here either.
    You simply enter:  ::1

  • opendns

    Ok, I'll try that, thanks!
