DNS request timed out. time out was 2 seconds.

Comments

10 comments

  • mattwilson9090

    If your government is indeed going for that level of control over the internet, it's likely that in addition to the "DNS Hijacking / Redirection" they may be blocking all traffic to known DNS providers, such as OpenDNS or Google. See if you can at least ping 208.67.220.220. It is pingable, but in your case I wouldn't be surprised if you get no response.

    But back to your initial concern, government control of the internet. DNSCrypt is only going to encrypt your DNS traffic, it's not a proxy or VPN service that is going to encrypt or obscure all of your internet traffic. If they are indeed setting up a national proxy server much of your internet traffic may be monitored, filtered, modified, or blocked. DNSCrypt won't be able to do anything to protect against that. You'd need some sort of VPN or perhaps anonymizer to deal with that, but in that case they may just block the traffic entirely. Unfortunately that kind of solution and discussion is well beyond the scope of this forum, but we can help you to get DNSCrypt working, if it's possible to get it working at all.

  • nv.zs.aa

    I can ping OpenDNS and Google, no problem. Here is the explanation:

    1. My machine was trying to access reddit.com, requesting the address from OpenDNS.

    2. My machine was trying to ask OpenDNS to resolve the address, but our gov intercepts it before it actually reaches OpenDNS and redirects my packet to the gov DNS.

    3. My gov DNS acknowledges reddit.com as a forbidden site, so the gov DNS sends a modified address for reddit.com to my machine.

    4. My machine will never reach reddit.com since my machine never gets the right address in the first place.

  • nv.zs.aa

    I've found an alternative solution for this (without DNSCrypt), by manipulating firewall NAT on my router (Mikrotik).

    1. Redirecting all client DNS requests that use port 53 to 208.67.220.220:443 (secure OpenDNS)

    2. Redirecting all port 80 connections to port 443 (forcing them to use https)

    Result:

    1. nslookup -> resolving IP address correctly.

    2. ping -> no problem.

    3. internet browsing -> a little bit slower than usual, but, hey! Everything is locked and loaded!

    It works like a charm.

    It solves the main concern of internet censoring, but doesn't solve the DNSCrypt problem. But I'll stay here for a while if somehow you guys figure it out.

  • rotblitz

    "DNS request timed out.
        timeout was 2 seconds."

    Did you also configure your local DNS server as 127.0.0.1? It's not sufficient to just start the dnscrypt-proxy, you must also change the active network DNS settings to transmit to the address the dnscrypt-proxy is listening to!

    "1. Redirecting all client DNS requests that use port 53 to 208.67.220.220:443 (secure OpenDNS)
     2. Redirecting all port 80 connections to port 443"

    Yeah, this is also what the dnscrypt-proxy does if you configured it correctly.

    "(forcing them to use https)"

    Never ever!  DNS cannot use HTTPS, no way!  These are totally different protocols.

  • rotblitz

    "(secure OpenDNS)"

    Also wrong. The DNS over port 443 has the same security as over port 53 or 5353. With DNSCrypt it is a bit more secure, no matter which of the three ports you use.

  • nv.zs.aa

    @rotblitz:

    DNS cannot use HTTPS, I knew it, it's the basics of networking knowledge. Just in case you misread my post, here's my explanation:

    "redirecting all client DNS request (port 53) to OpenDNS (port 443)" -> the router will only redirect packets that contain DNS requests, so any other packet will never be redirected to OpenDNS.

    "redirecting port 80 to 443" -> all http:// requests made by clients are redirected to the https:// port. No single IP from source (client) to destination (target site) is redirected, only the port. It means that the router is forcing them to use https while the clients never realise it. They are browsing with no problem at all, just a little bit slower than usual.

    "Secure OpenDNS" -> the word "secure", don't take it as a technical word, but take it as a literal word. My gov has been redirecting all packets that contain DNS requests via port 53 to my gov's DNS, so I tried to conceal all clients' DNS requests by redirecting them to OpenDNS on port 443, hoping that all of them will go through my gov filtering safely.

  • rotblitz

    No matter, this looks like a wrong understanding or at least bad and confusing terminology.

    For example, "redirecting port 80 to 443" is totally unrelated to DNS, but purely related to HTTP/HTTPS. And if you're doing so, you will break all web surfing where a website doesn't support HTTPS but HTTP only.

    "I tried to conceal all clients' DNS requests by redirecting them to OpenDNS on port 443, hoping that all of them will go through my gov filtering safely."

    If they did a good job with e.g. DPI, you will not be able to trick them out this way, because they will catch all ports you're trying to use for DNS.  You may still be able to trick them out with DNSCrypt, because they may not recognize the traffic being DNS related.

  • nv.zs.aa

    I'm doing that for anonymity, and to avoid getting spied on.

    So far, nothing bad has happened. As I said earlier, everything is fine, just a little bit slower when loading a web page.

    Thanks for the warning, though.

    About the DNSCrypt, yeah, I already changed the DNS to 127.0.0.1 when the error was encountered, I just forgot to put that detail in the first post, sorry.

  • rotblitz

    "I'm doing that for anonymity, and to avoid getting spied on."

    Then you're lost.  The measures you have described are in no way eligible for your anonymity, security or safety.  You got the wrong approaches.

    Also, you first said that your intention was to circumvent ISP restrictions like DNS Hijacking / Redirection introduced by your government.  Circumvention and anonymity are almost not the same thing but two different ones.  You may be able to cover both and more by using a VPN service if you find some you trust.

  • nv.zs.aa

    At least in the current condition, I can get away safely without being noticed by my gov.

    I'll use a VPN when somehow my gov really goes that far (national proxy server). As for now, I'm pretty content with what I've done so far (no redirection, no gov intervention, total freedom). I guess my gov will never go that far, just like China did for their people.
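
rotblitz's point above, that plaintext DNS moved to port 443 is as recognisable as on port 53 or 5353, shown as an added example that is not part of the thread: a structural check of the kind a DNS-aware inspector could apply to a UDP payload without looking at the port. The function names and sample payloads are constructed for illustration, and the masked payload only stands in for traffic without DNS structure; it is not a DNSCrypt packet.

```python
import struct

def build_query(name, txid=0x1A2B):
    """Build a plaintext DNS A query in RFC 1035 wire format."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_plain_dns_query(payload):
    """Return the queried name if payload is a well-formed plaintext DNS
    query, else None. The destination port is deliberately not an input."""
    if len(payload) < 17:                      # 12-byte header + smallest question
        return None
    _txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    # A query has QR=0, opcode 0, reserved bit clear, one question, no answers.
    if flags & 0xF840 or qd != 1 or an or ns or ar > 1:   # ar == 1 allows EDNS
        return None
    labels, pos = [], 12
    while pos < len(payload) and payload[pos] != 0:
        n = payload[pos]
        label = payload[pos + 1:pos + 1 + n]
        if n > 63 or len(label) != n or not all(0x21 <= b <= 0x7E for b in label):
            return None                        # pointer, truncation or non-printable
        labels.append(label.decode("ascii"))
        pos += 1 + n
    tail = payload[pos + 1:pos + 5]            # QTYPE and QCLASS after the 0 byte
    if len(tail) != 4:
        return None
    _qtype, qclass = struct.unpack("!2H", tail)
    if qclass != 1 or (ar == 0 and pos + 5 != len(payload)):
        return None
    return ".".join(labels)

def flag_dns(packets):
    """packets: iterable of (dst_port, udp_payload); returns (port, name) hits."""
    parsed = ((port, parse_plain_dns_query(data)) for port, data in packets)
    return [(port, name) for port, name in parsed if name is not None]

# Constructed samples: the same query sent to three ports, plus a masked copy
# standing in for an opaque payload (XOR is NOT encryption and NOT DNSCrypt).
QUERY = build_query("reddit.com")
MASKED = bytes(b ^ 0xA5 for b in QUERY)
SAMPLES = [(53, QUERY), (443, QUERY), (5353, QUERY), (443, MASKED)]

if __name__ == "__main__":
    for port, name in flag_dns(SAMPLES):
        print(f"plaintext DNS query for {name} seen on UDP port {port}")
```

The query is flagged on all three ports because the check never consults the port; only the payload whose bytes no longer parse as DNS goes unflagged.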
