How do I know DNSCrypt is working?


  • rotblitz

    nslookup -type=txt debug.opendns.com.

    - or -

    dig debug.opendns.com txt

  • nicklord
    Thank you very much, rotblitz, for your prompt and helpful reply.
  • umcsbi-admin

    Where can I download DNSCrypt? Any link, please?

  • iamtiam
    What are some error messages I might get if it is not working? What message should I get if it is?
  • iamtiam

    ; <<>> DiG 9.8.3-P1 <<>> debug.opendns.com.txt
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53868
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;debug.opendns.com.txt. IN A

    ;; ANSWER SECTION:
    debug.opendns.com.txt. 0 IN A 67.215.65.132

    ;; Query time: 68 msec
    ;; SERVER: 127.0.0.54#53(127.0.0.54)
    ;; WHEN: Wed Sep 18 14:04:57 2013
    ;; MSG SIZE rcvd: 66

  • rotblitz

    This was working. ;-)

    The domain debug.opendns.com.txt does not exist, therefore you got 67.215.65.132 (hit-nxdomain.opendns.com) returned. Your query went through 127.0.0.54.

    The correct command would have been:
    dig  debug.opendns.com  txt

  • rotblitz

    "What message should I get if it is?"

    dig  debug.opendns.com  txt

    ; <<>> DiG 9.3.2 <<>> debug.opendns.com txt
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1603
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;debug.opendns.com.             IN      TXT

    ;; ANSWER SECTION:
    debug.opendns.com.      0       IN      TXT     "server 5.fra"                                                Using Frankfurt OpenDNS location
    debug.opendns.com.      0       IN      TXT     "flags 20 0 2cc d00d82040001401"       The flags associated with my DNS query
    debug.opendns.com.      0       IN      TXT     "id 381599"                                                  My OpenDNS network ID
    debug.opendns.com.      0       IN      TXT     "source 217.254.45.71:14830"                My source IP address and port from where I queried
    debug.opendns.com.      0       IN      TXT     "dnscrypt enabled (7136666E76576A42)"      That says it all.

    ;; Query time: 31 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Thu Sep 19 00:32:53 2013
    ;; MSG SIZE  rcvd: 223

  • iamtiam
    Rotblitz, Thanks! : )
  • r226

    ; <<>> DiG 9.8.3-P1 <<>> debug.opendns.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18888
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;debug.opendns.com. IN A

    ;; AUTHORITY SECTION:
    opendns.com. 1996 IN SOA auth1.opendns.com. hostmaster.opendns.com. 1386897657 16384 2048 1048576 2560

    ;; Query time: 29 msec
    ;; SERVER: 127.0.0.54#53(127.0.0.54)
    ;; WHEN: Sat Dec 14 15:51:29 2013
    ;; MSG SIZE  rcvd: 121

    [Process completed]

  • r226

    Is DNSCrypt set up correctly?

  • rotblitz

    Once again, the correct command would be:

    dig  debug.opendns.com  txt

  • stevehendo34

    I got it to work with the DNSCrypt.org client and Ubuntu 14.04:
    --libsodium4_0.4.5-0~trusty5_amd64.deb
    --dnscrypt-proxy-1.4.2
    --install them with gdebi-gtk

    Neither is in the official PPA yet for Ubuntu 14.04, so I had to download them from:
    --https://launchpad.net/~shnatsel/+archive/ubuntu/dnscrypt/+files/libsodium4_0.4.5-0~trusty5_amd64.deb
    --https://launchpad.net/~shnatsel/+archive/ubuntu/dnscrypt/+files/dnscrypt-proxy_1.4.0-0~oldconf2%2Bsaucy1_amd64.deb

    Set DNS address 127.0.0.2 network tools KDE
    sudo start it sudo service ddclient restart
    sudo service network-manager restart

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    $ dig debug.opendns.com txt

    ; <<>> DiG 9.9.5-3-Ubuntu <<>> debug.opendns.com txt
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57152
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;debug.opendns.com. IN TXT

    ;; ANSWER SECTION:
    debug.opendns.com. 0 IN TXT "server 5.ash"
    debug.opendns.com. 0 IN TXT "flags 20 0 2F6 0"
    debug.opendns.com. 0 IN TXT "originid 26933670"
    debug.opendns.com. 0 IN TXT "actype 2"
    debug.opendns.com. 0 IN TXT "bundle 6932830"
    debug.opendns.com. 0 IN TXT "source 66.168.29.120:54722"
    debug.opendns.com. 0 IN TXT "dnscrypt enabled (71447764594D3377)"

    ;; Query time: 58 msec
    ;; SERVER: 127.0.1.1#53(127.0.1.1)
    ;; WHEN: Sun Jan 04 12:46:15 CST 2015
    ;; MSG SIZE rcvd: 265

     

  • jedisct1

    What is being described here is a terrible and unreliable way to check that you are actually using DNSCrypt.

    A non-signed DNS record that returns "it's secure" is just as good a security indicator as a picture of a padlock on a web page actually served over plain HTTP.

    In order to check that your queries are going through the dnscrypt client proxy, stop or pause the proxy. If DNS resolution doesn't work any more, the proxy was actually being used :)
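
An added example, not part of any post in this thread: a small Python parser that reads `dig` output the way the replies above do, checking that the question really was `debug.opendns.com. IN TXT`, which resolver answered, and whether a `dnscrypt enabled` record is present. The sample outputs are constructed and the verdict names are this example's own; because the TXT record is unsigned, `reports-enabled` is only a hint, and stopping the proxy remains the confirming test.

```python
import ipaddress
import re

def classify_dig(output: str) -> dict:
    """Summarise what `dig debug.opendns.com txt` output does and does not show."""
    q = re.search(r"^;([^;\s]\S*)\s+IN\s+(\S+)", output, re.M)
    srv = re.search(r"^;; SERVER: ([0-9A-Fa-f.:]+)#\d+", output, re.M)
    status = re.search(r"status: (\w+)", output)
    txt = re.findall(r'\sIN\s+TXT\s+"([^"]*)"', output)
    qname, qtype = (q.group(1).lower(), q.group(2).upper()) if q else (None, None)
    server = srv.group(1) if srv else None
    if (qname, qtype) != ("debug.opendns.com.", "TXT"):
        # e.g. "debug.opendns.com.txt" (wrong name) or a missing "txt" (type A)
        verdict = "wrong-query"
    elif any(t.startswith("dnscrypt enabled") for t in txt):
        verdict = "reports-enabled"  # unsigned claim: a hint, not proof
    else:
        verdict = "not-reported"
    return {
        "verdict": verdict,
        "question": (qname, qtype),
        "status": status.group(1) if status else None,
        "server": server,
        # True when the answering resolver sits on a loopback address
        "via_loopback": bool(server) and ipaddress.ip_address(server).is_loopback,
        "txt": txt,
    }

# Constructed samples modelled on the three kinds of output posted in the thread.
HEAD = ";; ->>HEADER<<- opcode: QUERY, status: {}, id: 1\n;; QUESTION SECTION:\n"
TAIL = "\n;; SERVER: 127.0.0.54#53(127.0.0.54)\n"
GOOD = (HEAD.format("NOERROR") + ";debug.opendns.com. IN TXT\n;; ANSWER SECTION:\n"
        'debug.opendns.com. 0 IN TXT "server 5.fra"\n'
        'debug.opendns.com. 0 IN TXT "source 203.0.113.7:14830"\n'
        'debug.opendns.com. 0 IN TXT "dnscrypt enabled (0000000000000000)"' + TAIL)
WRONG_NAME = (HEAD.format("NOERROR") + ";debug.opendns.com.txt. IN A\n"
              ";; ANSWER SECTION:\ndebug.opendns.com.txt. 0 IN A 192.0.2.1" + TAIL)
NO_TYPE = HEAD.format("NXDOMAIN") + ";debug.opendns.com. IN A" + TAIL

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("wrong name", WRONG_NAME), ("no type", NO_TYPE)]:
        r = classify_dig(sample)
        print(f"{name}: {r['verdict']} question={r['question']} loopback={r['via_loopback']}")
```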

     

     
