dnscrypt Suddenly Stopped Working

Comments

7 comments

  • rotblitz

    "Why was my question erased?"

    Was it?  Probably because this is not OpenDNS-specific but something to be handled at http://dnscrypt.org/ ?

    "I am suspicioning my ISP has blocked 443/udp.  How can I prove this?"

    Run the dnscrypt-proxy interactively to see the stdout output.

    You may be able to prove it further with:

    nslookup -port=443 -type=txt which.opendns.com. 208.67.220.220

  • quantum7

    # /usr/local/sbin/dnscrypt-proxy --local-address=127.0.0.1:40 --user=unbound --logfile=/var/log/dnscrypt.log --resolver-address=176.56.237.171:443 --provider-name=2.dnscrypt-cert.resolver1.dnscrypt.eu --provider-key=67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66 --edns-payload-size=1252
    Runs just fine and is listening on 40.  Which sure makes it look like Crumcast is blocking 443/udp.


    # nslookup -port=443 -type=txt which.opendns.com. 208.67.220.220
    Server:         208.67.220.220
    Address:        208.67.220.220#443

    Non-authoritative answer:
    which.opendns.com       text = "9.sea"

    Authoritative answers can be found from:

    ... whatever that means ...

  • quantum7

    Changed over to port 5353, and no better.  No firewall errors, as I'd opened 5353/udp out.

    /usr/local/sbin/dnscrypt-proxy --local-address=127.0.0.1:40 --user=unbound --logfile=/var/log/dnscrypt.log --resolver-address=113.20.8.17:5353 --provider-name=2.dnscrypt-cert-2.cloudns.com.au --provider-key=67A4:323E:581F:79B9:BC54:825F:54FE:1025:8B4F:37EB:0D07:0BCE:4010:6195:D94F:E330 --edns-payload-size=1252

    # nslookup -port=5353 -type=txt which.opendns.com. 208.67.220.220
    Server:         208.67.220.220
    Address:        208.67.220.220#5353

    Non-authoritative answer:
    which.opendns.com       text = "11.sea"

    Authoritative answers can be found from:

  • rotblitz

    ".. whatever that means ..."

    It shows that udp/443 and udp/5353 are not being blocked, and that you are served by the OpenDNS Seattle location.  So, forget the theory about being blocked by your ISP.

    Your interactive dnscrypt-proxy output looks a bit poor.  Try with the additional parameter --loglevel=1024 to see if this produces more information, e.g.

    [INFO] Initializing libsodium for optimal performance
    [INFO] Generating a new key pair
    [INFO] Done
    [INFO] Server certificate #1408041567 received
    [INFO] This certificate looks valid
    [INFO] Server key fingerprint is 8201:4577:3D75:3934:FC25:B83C:8369:72DC:98A2:1368:AA0A:2C18:6C17:D7B4:30E8:CD63
    [INFO] Proxying from 127.0.0.1:53 to 208.67.220.220:443

    ...and so forth...

  • rotblitz

    Just seeing that you don't use OpenDNS, but CloudDNS.  So you got the wrong forum anyway, because DNSCrypt is not an OpenDNS product.  Better look for help at http://dnscrypt.org/

  • quantum7

    Turns out the nslookup command above is not recommended to diagnose DNS issues, according to the dnscrypt forum, and it doesn't use DNSCrypt; it just sends an unauthenticated query directly to OpenDNS. I thought this was the dnscrypt forum. Also turns out that Sydney's key has expired.

  • rotblitz

    "the nslookup command above is not recommended to diagnose DNS issues"

    But it has proved that udp/443 and udp/5353 are not blocked by your ISP, and this was the intended purpose, not something with DNSCrypt.

    "according to the dnscrypt forum"

    Ah yes, https://github.com/jedisct1/dnscrypt-proxy/issues/137 - this is jedisct1's personal opinion.  I know the arguments against nslookup, but these do not count in many cases.  And the fact is that nslookup is installed on almost all operating systems, unlike dig, host and the like.  So it is simply handy to use for many purposes.

    "it doesn't use DNSCrypt"

    No, this was not the purpose here.  But it can use DNSCrypt too: nslookup example.com. 127.0.0.1
    But this command would not have revealed whether ports 443 and 5353 were blocked by your ISP.  You simply wouldn't have got a response to your queries.

    "it's just directly sends an unauthenticated query to Open DNS"

    In the given case, yes, but no, it can send queries anywhere, even to DNSCrypt.  You just need to specify.

    "I thought this was the dnscrypt forum."

    Yes, it is, for the OpenDNS server side, not for the client side or other DNS services.  OpenDNS resolvers do support DNSCrypt, but they have nothing to do with the client program.

    "Also turns out that Sydney's key has expired."

    Yes, as I said, this was CloudDNS, not OpenDNS, so it wasn't good for the OpenDNS forum either.  The DNSCrypt forum or the CloudDNS forums would have been the right place.

    No matter, I'm happy to see that your problem is solved.

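The port-reachability check rotblitz suggests in the first comment and defends in the last one (a plain DNS TXT query for which.opendns.com sent to 208.67.220.220 on udp/443 or udp/5353), written out as a small Python probe. This is an added example, not code from the thread or from dnscrypt-proxy: it speaks ordinary, unauthenticated DNS exactly like the nslookup command, so a reply proves only that the UDP port is not blocked and names the serving POP; it says nothing about the DNSCrypt certificate, which is the part that had actually expired here. The reply bytes at the end are constructed to match the "9.sea" answer quoted in the thread.

```python
import socket
import struct

# Added example (not from the thread): a plain-DNS UDP probe equivalent to
# "nslookup -port=443 -type=txt which.opendns.com. 208.67.220.220". It does not
# speak DNSCrypt, so it only shows whether the port is reachable, not cert validity.

def build_query(name, txid=0x1234):
    # Standard 12-byte header with RD set, one question: <name> TXT IN
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")]
    return header + b"".join(labels) + b"\x00" + struct.pack(">HH", 16, 1)

def skip_name(data, off):
    # Advance past a (possibly compressed) domain name; return the new offset
    while data[off] != 0 and data[off] & 0xC0 != 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] & 0xC0 == 0xC0 else 1)

def parse_txt_answers(data):
    # Return the TXT strings of every TXT answer record in a DNS response
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    off, out = 12, []
    for _ in range(qd):
        off = skip_name(data, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        rdata, off = data[off + 10:off + 10 + rdlen], off + 10 + rdlen
        i = 0
        while rtype == 16 and i < len(rdata):   # TXT rdata: <len><chars> repeated
            out.append(rdata[i + 1:i + 1 + rdata[i]].decode())
            i += 1 + rdata[i]
    return out

def probe(server, port, name="which.opendns.com", timeout=3.0):
    # Send one UDP query; None means no reply (port blocked, filtered or server down)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_txt_answers(data)

# Constructed reply matching the thread's output: which.opendns.com text = "9.sea"
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + b"\x05which\x07opendns\x03com\x00" + struct.pack(">HH", 16, 1)
                   + b"\xc0\x0c" + struct.pack(">HHIH", 16, 1, 0, 6) + b"\x059.sea")
```

Running probe("208.67.220.220", 443) and probe("208.67.220.220", 5353) on a live network reproduces the two nslookup checks from the thread; to test the DNSCrypt path itself, point the probe at the local dnscrypt-proxy listener instead (127.0.0.1 and whatever --local-address port it was started with).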
