Web content filtering lost with DNSCrypt enabled
With DNSCrypt enabled, I lose my personally selected web filtering categories through OpenDNS. When I disable it, the web filtering returns. This leads me to believe that the OpenDNS resolvers can't see my IP address through DNSCrypt. Does anyone know this answer? I would like to have BOTH web filtering and DNSCrypt enabled. I would hate to have to choose one or the other.
I have already done the dnsleaktests, opendns welcome pages, and others and I am only pointing to OpenDNS resolvers.
** I would love to see the word spread on DNSCrypt especially with all of these MITM DNS vulnerabilities appearing everywhere now, especially on routers.
-
What does a visit at http://welcome.opendns.com/ show up with?
Post the complete plain text output of the following diagnostic command here:
nslookup -type=txt debug.opendns.com.
In case of Windows, post also the following command output:
netsh interface ip show dns
-
Rotblitz,
I get the "welcome to opendns" on the test page.
Here are the results:
1.0.0.127.in-addr.arpa
primary name server = localhost
responsible mail addr = nobody.invalid
serial = 1
refresh = 600 (10 mins)
retry = 1200 (20 mins)
expire = 604800 (7 days)
default TTL = 10800 (3 hours)
(root) ??? unknown type 41 ???
Server: UnKnown
Address: 127.0.0.1
Non-authoritative answer:
debug.opendns.com text ="server 11.ash"
debug.opendns.com text ="flags 20 0 70 5950800000000000000"
debug.opendns.com text ="originid 0"
debug.opendns.com text ="actype 0"
debug.opendns.com text ="source <my ip address>:62817"
debug.opendns.com text ="dnscrypt enabled (71447764594D3377)"
(root) ??? unknown type 41 ???
and...
Configuration for interface "Tripwire Tunnel Connection"
Statically Configured DNS Servers: None
Register with which suffix: Primary only
Configuration for interface "Local Area Connection 8"
DNS servers configured through DHCP: None
Register with which suffix: Primary only
Configuration for interface "Local Area Connection"
Statically Configured DNS Servers: 127.0.0.1
Register with which suffix: Primary only
Configuration for interface "Loopback Pseudo-Interface 1"
Statically Configured DNS Servers: None
Register with which suffix: Primary only
-
This looks all fine as should be with one exception.
Your local network DNS configuration points to 127.0.0.1 as should be. This is where the dnscrypt-proxy is listening to catch your DNS queries. You're using the OpenDNS Ashburn/Virginia data center ("server 11.ash"). You have successfully "dnscrypt enabled".
The problem is that your IP address <my ip address> is not registered with your dashboard network at https://dashboard.opendns.com/settings/ ("originid 0").
Update it manually there, and run an Updater going forward. Else OpenDNS cannot associate your DNS queries with your settings, and you'll face the standard behavior of OpenDNS.
-
First, thank you. I added my IP address as an additional network and it works.
What's odd is that I have OpenDNS already set through the router with DDNS done through it so now I basically have 2 networks in my OpenDNS account and they both have the same IP address. I guess using the DNSCrypt resolver can't associate with the regular open ones even though it's the same IP address and the same network.
I guess we just uncovered a bug??
-
That's true. Normally it is not possible to register an IP address more than once, across all OpenDNS. Having "2 networks in my OpenDNS account and they both have the same IP address" therefore looks like a big bug! Let's see what staff have to answer. You may want to raise a support ticket in addition with a link to this thread.
"I guess using the DNSCrypt resolver can't associate with the regular open ones"
There is no "DNSCrypt resolver". These are the standard OpenDNS resolver IP addresses via ports 53, 443 and 5353 which can be used with or without DNSCrypt.
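
The reading of the debug.opendns.com TXT output used in the answers above, as an added Python example that is not part of the original thread. The function names and the non-zero `originid` sample are constructed, and treating any non-zero `originid` as a registered network is an assumption.

```python
import re

# nslookup prints each TXT string in double quotes; the layout around it varies
# by platform, so only the quoted strings are parsed.
TXT_RE = re.compile(r'"([^"]*)"')

# Output posted in the thread (source address left as the poster redacted it).
THREAD_OUTPUT = '''
Server: UnKnown
Address: 127.0.0.1
Non-authoritative answer:
debug.opendns.com text ="server 11.ash"
debug.opendns.com text ="flags 20 0 70 5950800000000000000"
debug.opendns.com text ="originid 0"
debug.opendns.com text ="actype 0"
debug.opendns.com text ="source <my ip address>:62817"
debug.opendns.com text ="dnscrypt enabled (71447764594D3377)"
'''

# Constructed sample: same answer with a made-up non-zero originid.
REGISTERED_OUTPUT = THREAD_OUTPUT.replace('"originid 0"', '"originid 12345678"')


def parse_debug_txt(nslookup_output):
    """Map the first word of each TXT string to the rest, e.g. 'originid' -> '0'."""
    records = {}
    for txt in TXT_RE.findall(nslookup_output):
        key, _, value = txt.partition(" ")
        records[key] = value
    return records


def diagnose(nslookup_output):
    """Summarise the three fields the answer in the thread relies on."""
    rec = parse_debug_txt(nslookup_output)
    originid = rec.get("originid")
    return {
        # Absent when no debug records came back at all.
        "server": rec.get("server"),
        "dnscrypt": rec.get("dnscrypt", "").startswith("enabled"),
        # "originid 0" is what the thread ties to an unregistered source IP;
        # treating any other value as "registered" is an assumption.
        "network_registered": None if originid is None else originid != "0",
    }


if __name__ == "__main__":
    for name, text in (("thread", THREAD_OUTPUT), ("constructed", REGISTERED_OUTPUT)):
        print(name, diagnose(text))
```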