Bypass ISP's 3rd-party DNS service (e.g., level3.net) with DNSCrypt

4 comments

  • rotblitz

    It seems you didn't understand the concept of a proxy.

    The proxy listens on an IP address on your local machine for DNS queries on port 53 and forwards those encrypted to the DNS service of your choice (e.g. OpenDNS).  As you also want your router to go this path, this listener address cannot be the localhost IP address (127.0.0.1) but must be the IP address of your computer (192.168.0.100).  Also, your local DNS server address must be 192.168.0.100, so that DNS queries reach the listener entry of the dnscrypt-proxy.

    That said...

    • Set preferred DNS server in router as local machine internal IP (192.168.0.100)
    • Set preferred DNS server under local machine TCP/IPv4 properties to router (192.168.0.1)

    This would cause a loopback between the router and the local machine, with your DNS queries going nowhere...
    As said, you'll set the local machine also to 192.168.0.100 as DNS server, where the dnscrypt-proxy is listening.

    • --resolver-name=dnscrypt.eu-nl
    • I'd then see: [NOTICE] Proxying from 192.168.0.100:53 to 176.56.237.171:443

    Sure, you will see this.  If you want to use OpenDNS, you must not select "dnscrypt.eu-nl" [176.56.237.171], but "opendns" [208.67.220.220], of course.  What else?

    • Ran the following in cmd as admin: dnscrypt-proxy.exe --resolver-name=dnscrypt.eu-nl --resolvers-list="C:\Program Files\DNSCrypt\bin\dnscrypt-resolvers.csv" --local-address=192.168.0.1 --install

    What is this good for?  Wanted to just install dnscrypt-proxy as a service?  Then the command is just:
    dnscrypt-proxy.exe -R "name" -L "<full path to the dnscrypt-resolvers.csv file>" --install

    • Verified setting at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\dnscrypt-proxy\Parameters\LocalAddress as 192.168.0.1

    Yes, as I said, this is wrong.  Must be 192.168.0.100.  The dnscrypt-proxy cannot listen on the router, just on the machine where it's installed.  And 192.168.0.1 is not on the local machine, but on the router.

    • Ran the following in cmd as admin: ipconfig /flushdns 
    • Cleared browser DNS cache and restarted

    These are useless activities in this context.  Where did you find the related instructions?

    • Deselected Block internal IP addresses under my network's security settings at https://dashboard.opendns.com/settings

    This is an irrelevant activity in this context.

    (No dice: "Oops. You're not using OpenDNS yet.")

    • nslookup -port=443 -type=txt debug.opendns.com
      ... times out.

    You know now why this is...
    And you forgot the trailing dot after the domain name.
    And sending to port 443 makes no sense in this context.  Your local machine and your router send everything DNS related to port 53.

    After you have set up dnscrypt-proxy correctly, you can verify it by using this command:
    nslookup -type=txt debug.opendns.com.

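    Added example, not from this thread and not part of dnscrypt-proxy: a small Python script that does at packet level what the nslookup verification above does. It builds a TXT query for debug.opendns.com., sends it over UDP to the dnscrypt-proxy listener (assumed to be 192.168.0.100:53, the layout used in this thread), and reports whether the answer carries the "dnscrypt enabled" marker. The response bytes at the end are constructed so the parser can be exercised offline; only `check_live()` touches the network.

```python
import socket
import struct
from typing import List, Tuple

# Listener of dnscrypt-proxy as set up in this thread (assumption: same LAN layout).
PROXY_LISTENER = ("192.168.0.100", 53)
QTYPE_TXT, QCLASS_IN = 16, 1


def build_txt_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard DNS query, RD=1, QTYPE=TXT. The wire format is always absolute,
    so 'debug.opendns.com' and 'debug.opendns.com.' encode identically; the
    trailing dot only matters to a stub resolver like nslookup, which would
    otherwise append the connection-specific DNS suffix and look up the wrong name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)


def _read_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Read a possibly compressed owner name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_txt_answers(data: bytes) -> List[str]:
    """Return every character-string found in TXT records of the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                                 # skip the echoed question
        _, off = _read_name(data, off)
        off += 4
    txts: List[str] = []
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT:
            pos = 0
            while pos < len(rdata):                     # TXT RDATA = <len><chars>...
                slen = rdata[pos]
                txts.append(rdata[pos + 1:pos + 1 + slen].decode("ascii", "replace"))
                pos += 1 + slen
    return txts


def dnscrypt_active(txts: List[str]) -> bool:
    """True when the OpenDNS debug record reports that the query arrived via DNSCrypt."""
    return any(t.startswith("dnscrypt enabled") for t in txts)


def check_live(server=PROXY_LISTENER, timeout: float = 3.0) -> bool:
    """Send the query to the proxy listener on port 53 (never 443; that is the
    proxy's own upstream port) and evaluate the answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query("debug.opendns.com."), server)
        data, _ = s.recvfrom(4096)
    return dnscrypt_active(parse_txt_answers(data))


def constructed_response() -> bytes:
    """A hand-built answer (constructed sample, not captured from OpenDNS) in the
    shape a real debug.opendns.com TXT reply has: one compressed-name TXT record."""
    query = build_txt_query("debug.opendns.com.")
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    txt = b"dnscrypt enabled (constructed sample)"
    rdata = bytes([len(txt)]) + txt
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 0, len(rdata)) + rdata
    return header + query[12:] + answer


if __name__ == "__main__":
    print("offline parse:", dnscrypt_active(parse_txt_answers(constructed_response())))
    try:
        print("live check via %s:%d:" % PROXY_LISTENER, check_live())
    except (OSError, ValueError) as exc:
        print("live check failed:", exc)
```

    A timeout from `check_live()` means no listener answered on 192.168.0.100:53, which is exactly the symptom of pointing the machine at the router while the router points back at the machine; a reply without the marker means the proxy answered but is forwarding to a resolver other than OpenDNS.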
  • 500

    • Verified preferred DNS server setting in router as local machine internal IP (192.168.0.100)
    • Changed preferred DNS server under local machine TCP/IPv4 properties to proxy service at local machine (192.168.0.100)
    • Ran dnscrypt-proxy.exe --uninstall
    • Ran dnscrypt-proxy.exe -R opendns -L "C:\Program Files\DNSCrypt\bin\dnscrypt-resolvers.csv" --local-address=192.168.0.100 --install
    • Ran nslookup -type=txt debug.opendns.com.
        debug.opendns.com text= "dnscrypt enabled ... "
        Success! OpenDNS Updater and https://store.opendns.com/settings indicate OpenDNS enabled.

    Uninstalling and reinstalling the service as indicated corrected the registry value at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\dnscrypt-proxy\Parameters\LocalAddress to 192.168.0.100. Prior to that, with manual adjustment of registry without restarting the service, I had been getting:

        [NOTICE] Proxying from 192.168.0.100:53 to 208.67.220.220:443
        [WARNING] recvfrom<client>: [Connection reset by peer [WSAECONNRESET ]]

    An aside for user reference, how to copy/paste in cmd: http://blogs.msdn.com/b/adioltean/archive/2004/12/27/332974.aspx

    This issue is now fixed.
    Sincere thanks for taking the time to correct my mistakes and for sharing your expertise, rotblitz.

  • rotblitz

    Excellent!  Thanks for the feedback.

  • ym25

    Thank you very much to @500 and @rotblitz for this tutorial. You're fantastic!
