DNSCrypt on an AD DNS server

Comments

17 comments

  • midrash_shmuel

    I just updated to v1.4 and followed the directions on https://github.com/jedisct1/dnscrypt-proxy/blob/master/README-WINDOWS.markdown.  When I run the test, it fails every time it tries to "fetch the server certificate"

  • rotblitz

    Can you run the dnscrypt-proxy interactively to see its output?  It may produce error messages which you cannot see when running as service:
    dnscrypt-proxy --local-address=127.0.0.7 
    (Stop the service before you run it interactively!)

    What DNS server address(es) are you using in your IPv4 properties?  I.e. what "Server" is displayed in the nslookup output or with "ipconfig /all"?

    The dnscrypt-proxy forwards DNS traffic to 208.67.220.220:443 by default.  Did you ensure that this UDP and TCP traffic is not blocked outbound or inbound?
    Prove it for TCP:   telnet 208.67.220.220 443    or    nslookup -port=443 -tcp example.com. 208.67.220.220
    Prove it for UDP:  nslookup -port=443 example.com. 208.67.220.220
    You must do this on your Windows server, not on a connected workstation.

  • rotblitz

    Oops, sorry, the command for TCP above:  nslookup -port=443 -tcp example.com. 208.67.220.220 
    should read:  nslookup -port=443 -vc example.com. 208.67.220.220

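The two "prove it" commands above (nslookup on port 443 over UDP, and over TCP with -vc) can be reproduced in code so that a failure shows up as a concrete timeout or socket error instead of a vague nslookup message. The following is an added example and not code from the thread or from dnscrypt-proxy: it builds a plain DNS query on the wire, sends it to 208.67.220.220:443 (the default dnscrypt-proxy resolver named above) over either transport, and parses the A records from the reply. The embedded sample reply, including the address 198.51.100.7, is constructed for offline testing only.

```python
"""Send a plain DNS query to a resolver on a non-standard port over UDP or TCP.

Added example (not from the thread): a Python equivalent of
    nslookup -port=443 example.com. 208.67.220.220          (UDP)
    nslookup -port=443 -vc example.com. 208.67.220.220      (TCP)
"""
import secrets
import socket
import struct


def build_query(name, qid):
    """Build a standard DNS query (RD=1) for the A record of `name` with transaction id `qid`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(data, offset):
    """Read a (possibly compressed) domain name; return (name, offset just after it)."""
    labels = []
    end = None
    for _ in range(128):  # bounded walk: a crafted pointer loop must not hang the parser
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_a_records(data, expected_id):
    """Return the IPv4 addresses in the answer section; raise on id mismatch or a non-zero RCODE."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", data, 0)
    if qid != expected_id:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qdcount):
        _, offset = _read_name(data, offset)
        offset += 4  # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        _, offset = _read_name(data, offset)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", data, offset)
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(rdata))
    return addresses


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-reply")
        buf += chunk
    return buf


def probe_resolver(server, port, name, tcp=False, timeout=3.0):
    """Query `name` at server:port; TCP mode adds the 2-byte length framing that nslookup -vc uses."""
    qid = secrets.randbelow(65536)
    query = build_query(name, qid)
    if tcp:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            reply = _recv_exact(s, length)
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, port))
            reply, _ = s.recvfrom(4096)
    return parse_a_records(reply, qid)


# Constructed reply for offline testing: id 0x1234, answer "example.com. A 198.51.100.7"
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([198, 51, 100, 7])
)

if __name__ == "__main__":
    for use_tcp in (False, True):
        label = "TCP" if use_tcp else "UDP"
        try:
            print(label, probe_resolver("208.67.220.220", 443, "example.com.", tcp=use_tcp))
        except OSError as exc:
            print(label, "failed:", exc)
```

As with the nslookup form, run it on the server itself rather than on a workstation: a UDP timeout here points at a filter between the server and port 443, while a TCP connection refusal or reset points at a TCP-only block.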
  • midrash_shmuel

    The nslookup test succeeded: nslookup -port=443 -vc internetbadguys.com 208.67.220.220

    Returns: 67.215.65.133


    When I try to run dnscrypt-proxy locally with: dnscrypt-proxy.exe --local-address=127.0.0.7 -R opendns -L dnscrypt-resolvers.csv

    I get
    [NOTICE] Starting dnscrypt-proxy 1.4.0
    [INFO] Initializing libsodium for optimal performance
    [INFO] Generating a new key pair
    [INFO] Done
    [ERROR] Unable to bind (TCP)

  • rotblitz

    "The nslookup test succeeded"

    And the other test for UDP?

    "[ERROR] Unable to bind (TCP)"

    Something seems to prevent binding to 127.0.0.7.  Is another process possibly using this already?  Did you stop the dnscrypt-proxy before as I said?

    Execute on the server
        netstat -nao | findstr /i "foreign 127.0.0.7"
    to see already existing bindings.

  • midrash_shmuel

    I ran netstat -nao | findstr /i "foreign 127.0.0.7", and it shows no results.

    The nslookup test for both TCP and UDP passed.

  • midrash_shmuel

    I also tried using a different local address 127.0.0.70 and the same error message came up.

  • rotblitz

    "I ran netstat -nao | findstr /i "foreign 127.0.0.7" it shows no results."

    Then this address 127.0.0.7 is not explicitly being used, but may be implicitly used as e.g. 0.0.0.0 which would include the localhost IP address range as a whole, see below.

    "The nslookup test for both TCP and UDP passed."

    Then there are no issues with the DNS connection to OpenDNS. 

    What happens if you use your localhost address for DNS queries?

    nslookup example.com. 127.0.0.XX 

    Your DNS server may be listening there as 0.0.0.0:53, and you cannot use it again for listening by the dnscrypt-proxy and as forwarders in the DNS server.  The first results in a binding error, and the second leads to an endless loop with no DNS responses.  To test this, you would have to temporarily change the DNS server forwarders to something different again, e.g. the OpenDNS resolver addresses.

    "I also tried using a different local address 127.0.0.70 and the same error message came up."

    You may also try dnscrypt-proxy with local address 127.0.0.1, the normal "localhost" loopback address.  There is no reason not to do it unless this address is one of the DNS servers defined in the active network connection's IPv4 properties.

    In case your DNS server is listening on 0.0.0.0:53, you would have to try limiting this to a specific IP address, the one of your server, e.g. 192.168.1.15:53.  Else you cannot have a second listener (like dnscrypt-proxy) on port 53 at all within this system, because 0.0.0.0:53 catches all port 53 traffic from everywhere.

  • midrash_shmuel

    I disabled my DNS server temporarily to test, and I found I can bind to 127.0.0.7, but it will not route the DNS query properly.  Here's the output:

    C:\Program Files\dnscrypt-proxy-win32\bin> dnscrypt-proxy.exe -R opendns -L dnscrypt-resolvers.csv --local-address 127.0.0.7

    [NOTICE] Starting dnscrypt-proxy 1.4.0
    [INFO] Initializing libsodium for optimal performance
    [INFO] Generating a new key pair
    [INFO] Done
    [INFO] Server certificate #1380734687 received
    [INFO] This certificate looks valid
    [INFO] Server key fingerprint is 227C:86C7:7574:81AB:6AE2:402B:4627:6E18:CFBB:60FA:DF92:652F:D694:01E8:EBF2:B007
    [NOTICE] Proxying from 127.0.0.7:53 to 208.67.220.220:443
    [WARNING] sendto: [No route to host [WSAEHOSTUNREACH ]]
    [WARNING] sendto: [No route to host [WSAEHOSTUNREACH ]]
    [WARNING] sendto: [No route to host [WSAEHOSTUNREACH ]]
    [WARNING] sendto: [No route to host [WSAEHOSTUNREACH ]]
    [WARNING] sendto: [No route to host [WSAEHOSTUNREACH ]]
    [WARNING] sendto: [No route to host [WSAEHOSTUNREACH ]]
    [WARNING] sendto: [No route to host [WSAEHOSTUNREACH ]]

    If I do not specify a local address, it defaults to 127.0.0.1 and it works fine.

    C:\Program Files\dnscrypt-proxy-win32\bin> dnscrypt-proxy.exe -R opendns -L dnscrypt-resolvers.csv --local-address 127.0.0.7

    [NOTICE] Starting dnscrypt-proxy 1.4.0
    [INFO] Initializing libsodium for optimal performance
    [INFO] Generating a new key pair
    [INFO] Done
    [INFO] Server certificate #1380734687 received
    [INFO] This certificate looks valid
    [INFO] Server key fingerprint is 227C:86C7:7574:81AB:6AE2:402B:4627:6E18:CFBB:60FA:DF92:652F:D694:01E8:EBF2:B007
    [NOTICE] Proxying from 127.0.0.1:53 to 208.67.220.220:443

    And the nslookup:

    1.0.0.127.in-addr.arpa
    primary name server = localhost
    responsible mail addr = nobody.invalid
    serial = 1
    refresh = 600 (10 mins)
    retry = 1200 (20 mins)
    expire = 604800 (7 days)
    default TTL = 10800 (3 hours)
    (root) ??? unknown type 41 ???
    Server: UnKnown
    Address: 127.0.0.1

    Name: opensdns.com


  • midrash_shmuel

    As an additional test, I tried to assign the local address to an address on my WAN subnet:

    C:\Program Files\dnscrypt-proxy-win32\bin> dnscrypt-proxy.exe -R opendns -L dnscrypt-resolvers.csv --local-address 192.168.2.100

    [NOTICE] Starting dnscrypt-proxy 1.4.0
    [INFO] Initializing libsodium for optimal performance
    [INFO] Generating a new key pair
    [INFO] Done
    [ERROR] Unable to bind (UDP) [Cannot assign requested address [WSAEADDRNOTAVAIL ]]

    I checked w/ netstat -aon | find "192.168.2.100" and it showed no results.  I do not know why the address is unavailable.


    My server has 2 physical NICs in it (one connected to the internet, one connected to the local network).  It also has a virtual NIC attached to the company VPN.  They are all configured on different subnets.

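The two bind failures in this thread have different causes that look alike from the dnscrypt-proxy log: "Unable to bind (TCP)" on 127.0.0.7 while the DNS server holds 0.0.0.0:53 (the wildcard listener rotblitz describes), and "Cannot assign requested address [WSAEADDRNOTAVAIL]" on 192.168.2.100, which means no interface currently carries that address at all, regardless of what netstat shows. The following added example, not code from the thread or from dnscrypt-proxy, probes a list of candidate local addresses on both transports and names the cause for each; it uses the Python socket and errno modules, which map the Winsock codes (WSAEADDRINUSE, WSAEADDRNOTAVAIL) to the same errno names on Windows.

```python
"""Classify why a listener cannot bind to a given local address and port.

Added example (not from the thread): tells a port held by another socket,
including a wildcard 0.0.0.0 listener on that port, apart from an address
that is not configured on any local interface.
"""
import errno
import socket


def probe_bind(address, port, proto="tcp"):
    """Try to bind one socket to (address, port); the socket is closed again immediately.

    Returns "ok", "in-use" (another socket, possibly a 0.0.0.0 wildcard, holds the port),
    "not-available" (no local interface carries this address), "permission"
    (privileged port without the required rights) or "error:<errno>".
    """
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind((address, port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return "in-use"
            if exc.errno == errno.EADDRNOTAVAIL:
                return "not-available"
            if exc.errno in (errno.EACCES, errno.EPERM):
                return "permission"
            return f"error:{exc.errno}"
        return "ok"


def hold_listener(address, port, proto="tcp"):
    """Open a socket that stays bound, standing in for a service such as the DNS server.

    On Windows, SO_EXCLUSIVEADDRUSE is set so that a later bind to a more specific address
    on the same port is refused, which is the behaviour the "Unable to bind" error shows
    (assumption: the DNS service holds its port exclusively). On Linux a plain bind without
    SO_REUSEADDR already conflicts with a wildcard listener. The caller closes the socket.
    """
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    s = socket.socket(socket.AF_INET, kind)
    if hasattr(socket, "SO_EXCLUSIVEADDRUSE"):
        s.setsockopt(socket.SOL_SOCKET, socket.SO_EXCLUSIVEADDRUSE, 1)
    s.bind((address, port))
    if proto == "tcp":
        s.listen(5)
    return s


def diagnose(port=53, candidates=("127.0.0.1", "127.0.0.7", "0.0.0.0")):
    """Probe each candidate local address on TCP and UDP, the two sockets dnscrypt-proxy opens."""
    return {
        addr: {proto: probe_bind(addr, port, proto) for proto in ("tcp", "udp")}
        for addr in candidates
    }


if __name__ == "__main__":
    # Candidate addresses taken from the thread; 192.168.2.100 is the one that was not available.
    for addr, result in diagnose(53, ("127.0.0.1", "127.0.0.7", "192.168.2.100", "0.0.0.0")).items():
        print(f"{addr:>15}  tcp={result['tcp']:<14} udp={result['udp']}")
```

A "not-available" result is the WSAEADDRNOTAVAIL case: netstat cannot show a binding for an address the stack does not own, so the fix is on the interface configuration, not on other listeners. An "in-use" result for every specific loopback address while nothing explicit shows in netstat is the 0.0.0.0:53 case, and the remedy is to restrict the DNS server's listening addresses as described above.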
  • rotblitz

    "If I do not specify a local address, it defaults to 127.0.0.1 and it works fine.
    C:\Program Files\dnscrypt-proxy-win32\bin> dnscrypt-proxy.exe -R opendns -L dnscrypt-resolvers.csv --local-address 127.0.0.7"

    ...but you did specify the local address.  Or did you copy&paste the wrong command for the output?

    "And the nslookup:"

    What was the exact nslookup command here?  Was it "nslookup opendns.com. 127.0.0.1"?  Then it should have returned an IP address, not just the name.  Whatever, the output shows that the address 127.0.0.1 is being served by a DNS service and responded to.

    "No route to host"
    "My server has 2 physical NICs in it (one connected to the internet, one connected to the local network).  It also has a virtual NIC attached to the company VPN.  They are all configured on different subnets."

    Ah yes, this is new information and most likely the key to your issues.  This scenario may confuse your routes, and you may need to configure certain persistent routes with the "route" command to make it work.
    route print 
    tracert 208.67.220.220
    See if 208.67.220.220 would take the right route and gateway, the one to the internet, not the one to the LAN or VPN.

  • midrash_shmuel

    It was a copy/paste error w/ the wrong command for the output.

    Here is my route print output


    IPv4 Route Table
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x2 ...4c 00 10 53 0c 4c ...... Realtek RTL8139 Family PCI Fast Ethernet NIC - Kerio WinRoute Firewall
    0x3 ...00 16 76 c8 8c cc ...... Intel(R) 82566DC Gigabit Network Connection - Kerio WinRoute Firewall
    0x10005 ...44 45 53 54 4f 53 ...... Kerio Virtual Network Adapter - Kerio WinRoute Firewall
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination          Netmask        Gateway       Interface  Metric
                0.0.0.0          0.0.0.0    192.168.2.1     192.168.2.2       1
              127.0.0.0        255.0.0.0      127.0.0.1       127.0.0.1       1
            192.168.1.0    255.255.255.0    192.168.1.2     192.168.1.2      20
            192.168.1.2  255.255.255.255      127.0.0.1       127.0.0.1      20
          192.168.1.255  255.255.255.255    192.168.1.2     192.168.1.2      20
            192.168.2.0    255.255.255.0    192.168.2.2     192.168.2.2      20
            192.168.2.2  255.255.255.255      127.0.0.1       127.0.0.1      20
          192.168.2.255  255.255.255.255    192.168.2.2     192.168.2.2      20
            192.168.3.0    255.255.255.0    192.168.3.1     192.168.3.1      20
            192.168.3.1  255.255.255.255      127.0.0.1       127.0.0.1      20
          192.168.3.255  255.255.255.255    192.168.3.1     192.168.3.1      20
              224.0.0.0        240.0.0.0    192.168.1.2     192.168.1.2      20
              224.0.0.0        240.0.0.0    192.168.2.2     192.168.2.2      20
              224.0.0.0        240.0.0.0    192.168.3.1     192.168.3.1      20
        255.255.255.255  255.255.255.255    192.168.1.2     192.168.1.2       1
        255.255.255.255  255.255.255.255    192.168.2.2     192.168.2.2       1
        255.255.255.255  255.255.255.255    192.168.3.1     192.168.3.1       1
    Default Gateway: 192.168.2.1
    ===========================================================================
    Persistent Routes:
    None

    192.168.1.x is the LAN, 192.168.2.x is internet, 192.168.3.x is VPN.

    I did tracert 208.67.220.220 and it goes through 192.168.2.1 as expected.

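The question rotblitz asked, whether 208.67.220.220 leaves through the internet gateway 192.168.2.1 rather than the LAN or VPN interface, can be answered from the route table alone, without a tracert. The following added example, not code from the thread, embeds the Active Routes section posted above as constructed sample text and applies the selection rule Windows uses: the longest matching prefix wins, and the lowest metric breaks ties. It also shows why a 127.0.0.x source address is served by the loopback route, and why the server's own addresses (the /32 entries) are routed to 127.0.0.1.

```python
"""Decide which route Windows would pick for a destination from `route print` output.

Added example (not from the thread): parses the Active Routes table and applies
longest-prefix-match with metric as the tie-breaker.
"""
import ipaddress

# Sample input constructed from the route table posted in this thread.
ACTIVE_ROUTES = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1     192.168.2.2       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.2     192.168.1.2      20
      192.168.1.2  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.1.255  255.255.255.255      192.168.1.2     192.168.1.2      20
      192.168.2.0    255.255.255.0      192.168.2.2     192.168.2.2      20
      192.168.2.2  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.2.255  255.255.255.255      192.168.2.2     192.168.2.2      20
      192.168.3.0    255.255.255.0      192.168.3.1     192.168.3.1      20
      192.168.3.1  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.3.255  255.255.255.255      192.168.3.1     192.168.3.1      20
        224.0.0.0        240.0.0.0      192.168.1.2     192.168.1.2      20
        224.0.0.0        240.0.0.0      192.168.2.2     192.168.2.2      20
        224.0.0.0        240.0.0.0      192.168.3.1     192.168.3.1      20
  255.255.255.255  255.255.255.255      192.168.1.2     192.168.1.2       1
  255.255.255.255  255.255.255.255      192.168.2.2     192.168.2.2       1
  255.255.255.255  255.255.255.255      192.168.3.1     192.168.3.1       1
Default Gateway:       192.168.2.1
"""


def parse_active_routes(text):
    """Turn the 'Active Routes' lines into a list of dicts; header and other lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        dest, mask, gateway, interface, metric = fields
        try:
            routes.append({
                "network": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
                "gateway": ipaddress.ip_address(gateway),
                "interface": ipaddress.ip_address(interface),
                "metric": int(metric),
            })
        except ValueError:
            continue  # not a route line
    return routes


def select_route(routes, destination):
    """Longest matching prefix first, then lowest metric; None when nothing matches."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["network"].prefixlen, r["metric"]))


def describe_path(routes, destination):
    """Human-readable summary of the chosen route for a destination."""
    r = select_route(routes, destination)
    if r is None:
        return f"{destination}: no route"
    via = "on-link" if r["gateway"] == r["interface"] else f"via gateway {r['gateway']}"
    return f"{destination}: {r['network']} {via} out of interface {r['interface']} (metric {r['metric']})"


if __name__ == "__main__":
    table = parse_active_routes(ACTIVE_ROUTES)
    for dst in ("208.67.220.220", "192.168.1.50", "192.168.3.20", "127.0.0.7"):
        print(describe_path(table, dst))
```

For this table the resolver is reached via 192.168.2.1 out of 192.168.2.2, which matches the tracert result reported above, so the "No route to host" errors do not come from the default route; that is what narrows the remaining suspects to the firewall product bound to every interface in the Interface List and the non-default source address the proxy was told to use.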
  • rotblitz

    "0.0.0.0   0.0.0.0   192.168.2.1   192.168.2.2   1"

    Yes, it should go out the right way.  Honestly, I ran a bit out of ideas.  Let's see what others have to say, or try to reach the owner of dnscrypt.org.

  • Zack Gilman

    Hello,

    It sounds like the issues being experienced here are mostly unique to your network setup and not necessarily to DNSCrypt.

    We have written a detailed article on having DNSCrypt play nicely with Windows Server and Windows DNS here: https://support.opendns.com/entries/69002720-Encrypting-DNS-in-Windows-Server-with-DNSCrypt

    Hope this helps!

  • aneoimsl

    Apologies for the gravedig, but the article you've linked to, Zack, gives a "You're not authorized to access this page" error with no explanation. I'd really love to take a look at what you've outlined for getting the service to play nicely lol. Any suggestions?

  • mattwilson9090

    Go to DNSCrypt.org 

    That is the official "home" for DNSCrypt, and will have the information you need for configuring DNSCrypt on a Windows server. It will not be specific to OpenDNS, but rather will work with all DNS providers that support DNSCrypt.

  • rotblitz (Edited)

    "the article you've linked to, Zack, gives a "You're not authorized to access this page" error with no explanation"

    This is the explanation.  It's an outdated link.  More current links are:
    https://support.opendns.com/hc/en-us/articles/227989107
    https://support.opendns.com/hc/en-us/articles/227989147
    These are easy to find by searching the forum for DNSCrypt.

    For configuring it on an AD server, you follow the OpenDNS instructions for configuring OpenDNS on a server, but you use 127.0.0.1 as the only DNS forwarder address instead.
