Bypass ISP's 3rd-party DNS service (e.g., level3.net) with DNSCrypt
Been working on this for a few hours. Please know that I am not networking savvy. Any help is sincerely appreciated.
My ISP uses Level 3 as their DNS service. To bypass this I understand I need to use DNSCrypt. I've used posts toward the middle and bottom of this thread for reference: https://support.opendns.com/entries/21786854-OpenDNS-Not-Working-Again-Help-
My goal is simply to get OpenDNS to work by hiding DNS requests from my ISP's DNS service via DNSCrypt. Took me a while to sort out what to try, but at this point here's what I've done.
• Set preferred DNS server in router as local machine internal IP (192.168.0.100)
• Set preferred DNS server under local machine TCP/IPv4 properties to router (192.168.0.1)
• Ran the following in cmd as admin: cd "C:\Program Files\DNSCrypt\bin"
• Ran the following in cmd as admin: dnscrypt-proxy.exe --resolver-name=dnscrypt.eu-nl --resolvers-list="C:\Program Files\DNSCrypt\bin\dnscrypt-resolvers.csv" --local-address=192.168.0.1 --install
• Ran the following in cmd as admin: dnscrypt-proxy.exe --resolver-name=dnscrypt.eu-nl --resolvers-list="C:\Program Files\DNSCrypt\bin\dnscrypt-resolvers.csv" --local-address=192.168.0.100
(I inferred the local machine internal IP above, it seems to work, hope I got that part right.)
• I'd then see: [NOTICE] Proxying from 192.168.0.100:53 to 176.56.237.171:443
(Tried with several hosts. With each, this hangs for several minutes and does not seem to complete.)
• Ran the following in cmd as admin: ipconfig /flushdns
• Verified setting at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\dnscrypt-proxy\Parameters\LocalAddress as 192.168.0.1
• Cleared browser DNS cache and restarted
• Deselected Block internal IP addresses under my network's security settings at https://dashboard.opendns.com/settings
• Tested at: https://store.opendns.com/settings
(No dice: "Oops. You're not using OpenDNS yet.")
nslookup -port=443 -type=txt debug.opendns.com
.. times out.
I'm using my own router and modem.
I'm lost at this point. Please let me know what other information I should provide, and thanks again for any help.
-
It seems you didn't understand the concept of a proxy.
The proxy listens on an IP address on your local machine for DNS queries on port 53 and forwards them, encrypted, to the DNS service of your choice (e.g. OpenDNS). As you also want your router to go this path, this listener address cannot be the localhost IP address (127.0.0.1) but must be the IP address of your computer (192.168.0.100). Also your local DNS server address must be 192.168.0.100, so that DNS queries reach the listener entry of the dnscrypt-proxy.
That said...
• Set preferred DNS server in router as local machine internal IP (192.168.0.100)
• Set preferred DNS server under local machine TCP/IPv4 properties to router (192.168.0.1)
This would cause a loopback between the router and the local machine with your DNS queries going nowhere...
As said, you'll set the local machine also to 192.168.0.100 as DNS server, where the dnscrypt-proxy is listening.
--resolver-name=dnscrypt.eu-nl
• I'd then see: [NOTICE] Proxying from 192.168.0.100:53 to 176.56.237.171:443
Sure, you will see this. If you want to use OpenDNS, you must not select "dnscrypt.eu-nl" [176.56.237.171], but "opendns" [208.67.220.220], of course. What else?
• Ran the following in cmd as admin: dnscrypt-proxy.exe --resolver-name=dnscrypt.eu-nl --resolvers-list="C:\Program Files\DNSCrypt\bin\dnscrypt-resolvers.csv" --local-address=192.168.0.1 --install
What is this good for? Wanted to just install dnscrypt-proxy as a service? Then the command is just:
dnscrypt-proxy.exe -R "name" -L "<full path to the dnscrypt-resolvers.csv file>" --install
• Verified setting at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\dnscrypt-proxy\Parameters\LocalAddress as 192.168.0.1
Yes, as I said, this is wrong. Must be 192.168.0.100. The dnscrypt-proxy cannot listen on the router, just on the machine where it's installed. And 192.168.0.1 is not on the local machine, but on the router.
• Ran the following in cmd as admin: ipconfig /flushdns
• Cleared browser DNS cache and restarted
These are useless activities in this context. Where did you find the related instructions?
• Deselected Block internal IP addresses under my network's security settings at https://dashboard.opendns.com/settings
This is an irrelevant activity in this context.
(No dice: "Oops. You're not using OpenDNS yet.")
nslookup -port=443 -type=txt debug.opendns.com
.. times out.
You know now why this is...
And you forgot the trailing dot after the domain name.
And sending to port 443 is of no sense in this context. Your local machine and your router send everything DNS related to port 53.
After you have set up dnscrypt-proxy correctly, you can verify it by using this command:
nslookup -type=txt debug.opendns.com.
-
• Verified preferred DNS server setting in router as local machine internal IP (192.168.0.100)
• Changed preferred DNS server under local machine TCP/IPv4 properties to proxy service at local machine (192.168.0.100)
• Ran dnscrypt-proxy.exe --uninstall
• Ran dnscrypt-proxy.exe -R opendns -L "C:\Program Files\DNSCrypt\bin\dnscrypt-resolvers.csv" --local-address=192.168.0.100 --install
• Ran nslookup -type=txt debug.opendns.com.
debug.opendns.com text= "dnscrypt enabled ... "
Success! OpenDNS Updater and https://store.opendns.com/settings indicate OpenDNS enabled.
Uninstalling and reinstalling the service as indicated corrected the registry value at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\dnscrypt-proxy\Parameters\LocalAddress to 192.168.0.100. Prior to that, with manual adjustment of registry without restarting the service, I had been getting:
[NOTICE] Proxying from 192.168.0.100:53 to 208.67.220.220:443
[WARNING] recvfrom<client>: [Connection reset by peer [WSAECONNRESET ]]
An aside for user reference, how to copy/paste in cmd: http://blogs.msdn.com/b/adioltean/archive/2004/12/27/332974.aspx
This issue is now fixed.
Sincere thanks for taking the time to correct my mistakes and for sharing your expertise, rotblitz.
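The check both posts above end on (a TXT query for debug.opendns.com. answered with "dnscrypt enabled") can be scripted so it runs without nslookup and without the search-suffix and port mistakes discussed in the thread. The following is an added example; it is not code from the thread or from dnscrypt-proxy. It assumes the listener address used in the thread (192.168.0.100:53), builds the DNS query by hand, sends it straight at that listener, and parses the TXT answer. The sample response used for the offline test is constructed, not a real capture; the live check needs the proxy running.

```python
"""Scriptable version of the thread's final check: a TXT query for
debug.opendns.com. sent straight at the dnscrypt-proxy listener.
Added example, not part of the thread or of dnscrypt-proxy."""
import socket
import struct

PROXY_LISTENER = ("192.168.0.100", 53)  # listener address from the thread (assumption)
DEBUG_NAME = "debug.opendns.com."       # trailing dot: fully qualified, no suffix appended
QTYPE_TXT = 16
QCLASS_IN = 1


def encode_name(name):
    """'debug.opendns.com.' -> b'\\x05debug\\x07opendns\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_txt_query(name, txid=0x1234):
    """Plain DNS/UDP query with RD set; the proxy encrypts it on the way out."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE_TXT, QCLASS_IN)


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_txt_answers(msg, expected_txid=0x1234):
    """Return the TXT strings in the answer section; raise on a failed lookup."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if flags & 0x000F:
        raise ValueError("resolver returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                        # skip the question section
        _, off = read_name(msg, off)
        off += 4
    texts = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT:                 # rdata is a run of <len><chars> strings
            pos = 0
            while pos < len(rdata):
                slen = rdata[pos]
                texts.append(rdata[pos + 1:pos + 1 + slen].decode("ascii", "replace"))
                pos += 1 + slen
    return texts


def dnscrypt_enabled(texts):
    """The thread's success criterion: a TXT string starting 'dnscrypt enabled'."""
    return any(t.startswith("dnscrypt enabled") for t in texts)


def check_proxy(listener=PROXY_LISTENER, timeout=3.0):
    """Live check against the proxy listener (needs the network; not run offline).
    A timeout here is the thread's symptom: nothing is listening at that address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_txt_query(DEBUG_NAME), listener)
        data, _ = sock.recvfrom(4096)
    return dnscrypt_enabled(parse_txt_answers(data))


def sample_response(txid=0x1234, rcode=0):
    """Constructed reply (not a real capture) for offline testing: one TXT answer
    whose owner name is a compression pointer back to the question name."""
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, 0 if rcode else 1, 0, 0)
    question = encode_name(DEBUG_NAME) + struct.pack(">HH", QTYPE_TXT, QCLASS_IN)
    if rcode:
        return header + question
    strings = (b"dnscrypt enabled", b"constructed sample")
    rdata = b"".join(struct.pack("B", len(s)) + s for s in strings)
    answer = b"\xC0\x0C" + struct.pack(">HHIH", QTYPE_TXT, QCLASS_IN, 0, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    print("offline sample:", dnscrypt_enabled(parse_txt_answers(sample_response())))
    try:
        print("live proxy:", check_proxy())
    except (socket.timeout, OSError, ValueError) as exc:
        print("live proxy check failed:", exc)
```

Run it on the machine that hosts the proxy (or any LAN host pointed at it): a `True` from the live check means the same thing as the nslookup output in the post above, while a timeout means no listener at 192.168.0.100:53, which is the state the thread started in. Checking the transaction id and RCODE before trusting the TXT text is what nslookup does silently; here it is explicit so a stray or failed reply is not mistaken for success.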