How do I know DNSCrypt is working?
I've been using OpenDNS (set up in my wi-fi router) for a while now and have now installed DNSCrypt on my PC. I'm using Linux (openSUSE 12.3 64-bit). After installing the software I called
systemctl enable dnscrypt
and
systemctl start dnscrypt
I set the name server in the Network Settings to 127.0.0.1 and rebooted. How can I tell that DNSCrypt is actually working?
; <<>> DiG 9.8.3-P1 <<>> debug.opendns.com.txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53868
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com.txt. IN A
;; ANSWER SECTION:
debug.opendns.com.txt. 0 IN A 67.215.65.132
;; Query time: 68 msec
;; SERVER: 127.0.0.54#53(127.0.0.54)
;; WHEN: Wed Sep 18 14:04:57 2013
;; MSG SIZE rcvd: 66
"What message should I get if it is?"
dig debug.opendns.com txt
; <<>> DiG 9.3.2 <<>> debug.opendns.com txt
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1603
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com. IN TXT
;; ANSWER SECTION:
debug.opendns.com. 0 IN TXT "server 5.fra" Using Frankfurt OpenDNS location
debug.opendns.com. 0 IN TXT "flags 20 0 2cc d00d82040001401" The flags associated with my DNS query
debug.opendns.com. 0 IN TXT "id 381599" My OpenDNS network ID
debug.opendns.com. 0 IN TXT "source 217.254.45.71:14830" My source IP address and port from where I queried
debug.opendns.com. 0 IN TXT "dnscrypt enabled (7136666E76576A42)" That says it all.
;; Query time: 31 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 19 00:32:53 2013
;; MSG SIZE rcvd: 223
; <<>> DiG 9.8.3-P1 <<>> debug.opendns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18888
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com. IN A
;; AUTHORITY SECTION:
opendns.com. 1996 IN SOA auth1.opendns.com. hostmaster.opendns.com. 1386897657 16384 2048 1048576 2560
;; Query time: 29 msec
;; SERVER: 127.0.0.54#53(127.0.0.54)
;; WHEN: Sat Dec 14 15:51:29 2013
;; MSG SIZE rcvd: 121
I got it to work with the DNSCrypt.org client and Ubuntu 14.04:
-- libsodium4_0.4.5-0~trusty5_amd64.deb
-- dnscrypt-proxy-1.4.2
-- install them with gdebi-gtk. Not in an official PPA yet for Ubuntu 14.04; had to download them from:
-- https://launchpad.net/~shnatsel/+archive/ubuntu/dnscrypt/+files/libsodium4_0.4.5-0~trusty5_amd64.deb
-- https://launchpad.net/~shnatsel/+archive/ubuntu/dnscrypt/+files/dnscrypt-proxy_1.4.0-0~oldconf2%2Bsaucy1_amd64.deb
Set the DNS address to 127.0.0.2 in the KDE network tools.
sudo start it: sudo service ddclient restart
sudo service network-manager restart
$ dig debug.opendns.com txt
; <<>> DiG 9.9.5-3-Ubuntu <<>> debug.opendns.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57152
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com. IN TXT
;; ANSWER SECTION:
debug.opendns.com. 0 IN TXT "server 5.ash"
debug.opendns.com. 0 IN TXT "flags 20 0 2F6 0"
debug.opendns.com. 0 IN TXT "originid 26933670"
debug.opendns.com. 0 IN TXT "actype 2"
debug.opendns.com. 0 IN TXT "bundle 6932830"
debug.opendns.com. 0 IN TXT "source 66.168.29.120:54722"
debug.opendns.com. 0 IN TXT "dnscrypt enabled (71447764594D3377)"
;; Query time: 58 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Sun Jan 04 12:46:15 CST 2015
;; MSG SIZE rcvd: 265
What is being described here is a terrible and unreliable way to check that you are actually using DNSCrypt.
A non-signed DNS record that returns "it's secure" is just as good a security indicator as a picture of a padlock on a web page actually served over plain HTTP.
In order to check that your queries are going through the dnscrypt client proxy, stop or pause the proxy. If DNS resolution doesn't work any more, the proxy was actually being used :)
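As an added example (not code from any poster in this thread), the following Python script parses the `dig debug.opendns.com txt` output shown in the answers above and reports what it tells you: which resolver dig actually talked to, and whether the OpenDNS debug record claims DNSCrypt was used. It also encodes the point of the last answer: the TXT record is an unsigned claim, so the script labels it as such rather than treating it as proof. The two sample outputs are constructed for this example (the `source` address is a documentation-range placeholder).

```python
"""Parse `dig debug.opendns.com txt` output and summarise what it shows.

Added example for this thread, not code from any of the posters. The sample
dig outputs below are constructed; the TXT values mirror the format seen in
the answers, and 203.0.113.10 is a documentation-range placeholder.
"""
import re
from typing import Dict, Optional

# One debug TXT answer line. Tolerates a trailing annotation or a fused
# ";; Query time" field after the closing quote, as in the pasted outputs:
#   debug.opendns.com.  0  IN  TXT  "dnscrypt enabled (7136666E76576A42)"
TXT_RE = re.compile(r'^debug\.opendns\.com\.\s+\d+\s+IN\s+TXT\s+"(?P<text>[^"]*)"')
# The server dig sent the query to, e.g. ";; SERVER: 127.0.0.1#53(127.0.0.1)"
SERVER_RE = re.compile(r';; SERVER: (?P<addr>[0-9A-Fa-f.:]+)#(?P<port>\d+)')


def parse_debug_txt(dig_output: str) -> Dict[str, str]:
    """Map the first word of each debug TXT string to the rest of it,
    e.g. {"server": "5.fra", "dnscrypt": "enabled (7136666E76576A42)"}."""
    records: Dict[str, str] = {}
    for line in dig_output.splitlines():
        m = TXT_RE.match(line.strip())
        if not m:
            continue  # headers, the QUESTION line, timing lines, etc.
        key, _, value = m.group("text").partition(" ")
        records[key] = value
    return records


def resolver_address(dig_output: str) -> Optional[str]:
    """Address dig queried; 127.x or ::1 means the local proxy was in the path."""
    m = SERVER_RE.search(dig_output)
    return m.group("addr") if m else None


def dnscrypt_claimed(dig_output: str) -> bool:
    """True if OpenDNS's debug record says the query arrived over DNSCrypt.
    This is a claim carried in an unsigned answer, not proof that the
    path was encrypted."""
    return parse_debug_txt(dig_output).get("dnscrypt", "").startswith("enabled")


def explain(dig_output: str) -> str:
    """One-line verdict combining the resolver check and the TXT claim."""
    addr = resolver_address(dig_output)
    if addr is None:
        return "no SERVER line: dig got no answer at all"
    if not (addr.startswith("127.") or addr == "::1"):
        return f"dig asked {addr} directly, so the local proxy was bypassed"
    if dnscrypt_claimed(dig_output):
        return f"proxy at {addr} answered; OpenDNS reports dnscrypt enabled (unsigned claim)"
    return f"proxy at {addr} answered but OpenDNS did not report dnscrypt"


# Constructed sample: query went through a local dnscrypt-proxy on 127.0.0.1.
SAMPLE_DNSCRYPT = """\
; <<>> DiG 9.9.5 <<>> debug.opendns.com txt
;; QUESTION SECTION:
;debug.opendns.com. IN TXT
;; ANSWER SECTION:
debug.opendns.com. 0 IN TXT "server 5.fra"
debug.opendns.com. 0 IN TXT "flags 20 0 2cc d00d82040001401"
debug.opendns.com. 0 IN TXT "source 203.0.113.10:14830"
debug.opendns.com. 0 IN TXT "dnscrypt enabled (7136666E76576A42)";; Query time: 31 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

# Constructed sample: dig sent straight to OpenDNS's public resolver, no proxy.
SAMPLE_PLAIN = """\
; <<>> DiG 9.9.5 <<>> debug.opendns.com txt
;; ANSWER SECTION:
debug.opendns.com. 0 IN TXT "server 5.fra"
debug.opendns.com. 0 IN TXT "source 203.0.113.10:41022"
;; Query time: 29 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
"""

if __name__ == "__main__":
    for name, sample in (("dnscrypt", SAMPLE_DNSCRYPT), ("plain", SAMPLE_PLAIN)):
        print(f"{name}: {explain(sample)}")
```

Feed it real output with `dig debug.opendns.com txt | python3 check_dnscrypt.py`-style piping if you wire `sys.stdin.read()` into `explain`; the stop-the-proxy test from the answer above remains the stronger check, because it does not rely on anything the remote resolver says.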