Which dnscrypt resolver (Europe)?

Discussion in 'privacy technology' started by zakazak, Feb 24, 2016.

  1. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I think two additional aspects are worth mentioning here:

    1. The DNSCrypt homepage explicitly says:
    I'm using it with dnsmasq on Linux and it improves the performance considerably. Instructions here.

    2. The DNSCrypt homepage also says:
    Hence, if one resolver is down, the second one is used. Here are instructions on how to do it with unbound. Similarly, you can add
    Code:
    server=127.0.0.1#40
    server=127.0.0.1#41
    to dnsmasq.conf. The precondition is that two dnscrypt-proxy instances are running, in my case dnscrypt-proxy and dnscrypt-proxy-backup (note that I have sandboxed them with firejail):

    and

    And systemctl status dnsmasq is reporting that dnsmasq is
     
  2. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Thanks, I just tested the Polish server, OpenDNS with dnscrypt and also dnscrypt.eu-nl (which is down again). For me the Polish server gives a latency of 100-300ms, whereas OpenDNS is at 30-80.

    Generally speaking, if I want to go with DNSSEC I only have a few options:
    DNSCrypt.eu (which is down very often)
    soltysiak (=located in Poland and very slow for me)
    cloudDNS (=located in Australia, which I believe would be even slower than Poland)

    Thanks for that... I wonder if I should just choose a DNS resolver without DNSSEC then (e.g. OpenDNS).

    Is there any reason not to trust OpenDNS?

    Oh god, thanks.. why didn't I think of using the "automatic" secondary server, lol... I will give it a try now!
     
  3. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    This and this might be helpful.
     
  4. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Thank you, it worked just fine using the arch wiki. I just wonder:

    Is there now a way to quickly test which DNS resolver is being used?
    Also, I wonder why the manjaro link (first post of the linked topic) recommends putting the service files into "/etc/systemd/system/multi-user.target.wants/"?
     
  5. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Well, if you create, e.g., dnscrypt-proxy-backup.service in /etc/systemd/system and enable it, a corresponding symbolic link is created in /etc/systemd/system/multi-user.target.wants/. I guess it doesn't make a difference.
     
  6. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    You can start a test on https://dnsleaktest.com/. I'm sure there is also a command in Linux that will show it but right now I don't know.
     
  7. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Thanks again,
    now I re-did the setup and followed the manjaro link you posted: https://forum.manjaro.org/index.php?topic=20635.msg232702#msg232702

    This will still work; however, there is only one socket running at port 40, but the backup service with port 41 is still working? How? :D Shouldn't there be a service + socket for port 40 and another service + socket for port 41?

    Also I skipped "mask dnscrypt-proxy.socket" as this will make it impossible to start the dnscrypt services?

     
    Last edited: Mar 2, 2016
  8. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Well, that simply means that you didn't follow the steps in that post. The original dnscrypt-proxy.service file in /lib/systemd/system contains

    Code:
    Requires=dnscrypt-proxy.socket
    The
    Code:
    Requires=
    line in /etc/systemd/system/dnscrypt-proxy.service.d/override.conf is needed to clear the command in the original service file. Similarly, both
    are needed as the first ExecStart= line clears the command in the original service file.

    Note also that after editing those files you have to execute sudo systemctl daemon-reload before restarting those services. Actually, everything is explained in that post; it's important to follow the steps meticulously. One additional piece of info: in the override.conf for dnscrypt-proxy-backup I added
    Code:
    [Unit]
    Requires=
    After=dnscrypt-proxy.service
    because without that After= statement I found that the backup service didn't always start reliably (probably because of a race condition during the boot process).
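The drop-in layout described in this post, as an added example that is not from the thread or the linked manjaro post. It is a POSIX shell script that renders override.conf for a primary and a backup dnscrypt-proxy instance, writes them into a staging directory rather than /etc/systemd/system, and lints each file for the two clears (an empty Requires= line, an empty ExecStart= line before the new command) whose absence leaves the stock socket unit and stock command in force. The binary path /usr/bin/dnscrypt-proxy, the assumption that dnscrypt-proxy-backup.service is a copy of the stock unit, and the port/resolver pairs are assumptions; the --local-address and -R flags are the ones shown in chrcol's process listing further down the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the manjaro post): render and sanity-check the
# systemd drop-in override.conf files for a primary and a backup dnscrypt-proxy instance.
# Assumptions: dnscrypt-proxy-backup.service is a copy of the stock dnscrypt-proxy.service,
# the binary lives at /usr/bin/dnscrypt-proxy, and the resolver names are the ones the
# thread mentions. Files go to a staging directory, never to /etc.

render_override() {
  # $1: local port, $2: resolver name, $3: unit to order after ("" for none)
  # A bare Requires= clears the socket dependency inherited from the stock unit;
  # a bare ExecStart= clears the stock command so the next ExecStart= replaces it.
  printf '[Unit]\nRequires=\n'
  if [ -n "$3" ]; then
    printf 'After=%s\n' "$3"
  fi
  printf '\n[Service]\nExecStart=\n'
  printf 'ExecStart=/usr/bin/dnscrypt-proxy --local-address=127.0.0.1:%s -R %s\n' "$1" "$2"
}

write_dropin() {
  # $1: root dir standing in for /etc/systemd/system, $2: unit name (without .service),
  # $3: local port, $4: resolver name, $5: unit to order after ("" for none)
  dir="$1/$2.service.d"
  mkdir -p "$dir"
  render_override "$3" "$4" "$5" > "$dir/override.conf"
  printf '%s\n' "$dir/override.conf"
}

lint_override() {
  # Exit 0 only when the drop-in clears Requires= and clears ExecStart= before setting it.
  # A missing clear is exactly what keeps the stock socket unit (and command) in force.
  awk '
    /^Requires= *$/   { req = 1 }
    /^ExecStart= *$/  { if (!cmd) cleared = 1 }
    /^ExecStart=[^ ]/ { cmd = 1 }
    END { if (req && cleared && cmd) exit 0; exit 1 }
  ' "$1"
}

# Stand-alone run: stage both drop-ins and report whether each passes the lint.
stage=$(mktemp -d)
primary=$(write_dropin "$stage" dnscrypt-proxy 40 dnscrypt.eu-nl "")
backup=$(write_dropin "$stage" dnscrypt-proxy-backup 41 cisco dnscrypt-proxy.service)
for f in "$primary" "$backup"; do
  if lint_override "$f"; then echo "ok:  $f"; else echo "BAD: $f"; fi
done
# To apply for real, write the same two files under /etc/systemd/system, then (as the
# thread says) run: sudo systemctl daemon-reload, mask dnscrypt-proxy.socket, and
# restart dnscrypt-proxy and dnscrypt-proxy-backup.
```

The lint is the part worth keeping around: run it against /etc/systemd/system/dnscrypt-proxy-backup.service.d/override.conf after editing, and a failure points straight at the missing clear rather than at a socket that "mysteriously" keeps running.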
     
  9. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Well:

    sudo systemctl edit dnscrypt-proxy
    sudo systemctl edit dnscrypt-proxy-backup

    sudo nano /lib/systemd/system/dnscrypt-proxy.service


    Then:

    sudo systemctl status dnscrypt*

    So I ran all the commands, mask still fails, and only one .socket is running?
     
  10. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Actually no socket should be running. Try

    Code:
    sudo systemctl stop dnscrypt-proxy.socket
    sudo systemctl disable dnscrypt-proxy.socket
    sudo systemctl mask dnscrypt-proxy.socket
    and see if this helps.
     
  11. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529

    Nope :/
     
  12. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Strange :confused: Perhaps the reason is that you didn't execute sudo systemctl daemon-reload after those changes and before restarting the services ...:doubt:
     
  13. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Nope :(

    Maybe I have some left over files somewhere from previous configurations ? Should I try to completely re-install dnscrypt with pacman?
     
  14. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Perhaps that helps. Sorry, I'm lost here. It works for me without any problems.
     
  15. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    Guys, back to topic: this is not about configuration or copying & pasting the entire dnscrypt page. The initial question was which resolver and why. I guess it doesn't matter much which one you choose; most of them are fine, but some are just more popular and some are a bit slower, maybe because of location or whatever reasons.
     
  16. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    You neglected to mention the fact that quite a lot of them continually go offline, so I'd say it's quite important which one you select.

    The good thing about SimpleDNSCrypt is that it allows you to run a secondary resolver easily, which I'd definitely use if I wasn't using OpenDNS.
     
  17. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Well, I am on Arch Linux so there is no "Simple DNSCrypt".. but for Windows it is an awesome tool!

    I went with:
    Primary: dnscrypt.eu-nl (fastest + most secure but sometimes offline)
    Secondary: cisco (also fast, known, 100% online/reliable)
     
  18. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
  19. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    I am in the UK. I did some testing and made comments in my dnsmasq file which will serve to remind me of why a specific server is being used.

    Here are the comments.

    # fvz london server, slow, no dnssec support
    #server=127.0.0.1#65054
    # dnscrypt france no logging server and dnssec support
    server=127.0.0.1#65055
    # dnscrypt holland no logging server and dnssec support
    server=127.0.0.1#65056
    # opendns, fast but no dnssec support
    #server=127.0.0.1#65053

    I can confirm the Holland server I have now as my primary feels just about as fast as OpenDNS. I did also test latency: it's 15ms to the Holland server and 19ms to the French server. There is also a Danish dnscrypt DNSSEC server, but that's 30ms, hence not in my list. OpenDNS was removed due to my DNSSEC requirements, likewise with the fvz server (which was also very slow).

    Details of the servers are here:

    https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv

    # ps | grep dns
    1151 admin 1520 S ipset-dns Win10tracking Win10tracking 1919 8.8.8.8
    1169 admin 2728 S dnscrypt-proxy --local-address=127.0.0.1:65053 --daemonize -R cisco
    1179 admin 2728 S dnscrypt-proxy1 --local-address=127.0.0.1:65054 --daemonize -R fvz-rec-gb-lon-01
    5648 admin 2728 S dnscrypt-proxy2 --local-address=127.0.0.1:65055 --daemonize -R dnscrypt.org-fr
    5764 admin 2728 S dnscrypt-proxy3 --local-address=127.0.0.1:65056 --daemonize -R dnscrypt.eu-nl
    5785 nobody 4128 S dnsmasq --log-async

    I am not using the --ephemeral-keys flag yet, which I wasn't aware of until today; does that have a performance impact?
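An added example, not from the thread or the dnscrypt-proxy project, that turns the selection criteria this post applies (DNSSEC validation, no logging, a nearby location) into a filter over the resolver list and then emits the dnsmasq server= lines and per-instance dnscrypt-proxy commands for the primary/backup layout summerheat describes in the first post. The column names are assumed to match the header of dnscrypt-resolvers.csv linked above; every row is constructed (example names, reserved 203.0.113.0/24 addresses, placeholder keys), and the small awk parser handles quoted fields with embedded commas and doubled quotes, which a real CSV export may contain. Latency, the other criterion in the post, still has to be measured against each candidate; nothing here replaces that.

```shell
#!/bin/sh
# Added example (not from the thread or the dnscrypt-proxy project): pick resolvers that
# validate DNSSEC and keep no logs in chosen countries, then emit the dnsmasq upstream
# lines and dnscrypt-proxy commands for a primary + backup layout.
# The header is assumed to match dnscrypt-resolvers.csv; all rows are constructed.
RESOLVERS_CSV='Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
example-nl,Example NL,"Fictional resolver, Netherlands (constructed row)",Netherlands,,https://example.invalid/nl,1.0,yes,yes,no,203.0.113.10:443,2.dnscrypt-cert.nl.example.invalid,PLACEHOLDER-KEY,
example-fr,"Example ""FR"" resolver","Fictional resolver, France (constructed row)",France,,https://example.invalid/fr,1.0,yes,yes,no,203.0.113.20:443,2.dnscrypt-cert.fr.example.invalid,PLACEHOLDER-KEY,
example-gb,Example GB,"Fictional resolver, United Kingdom (constructed row)",United Kingdom,,https://example.invalid/gb,1.0,no,yes,no,203.0.113.30:443,2.dnscrypt-cert.gb.example.invalid,PLACEHOLDER-KEY,
example-au,Example AU,"Fictional resolver, Australia (constructed row)",Australia,,https://example.invalid/au,1.0,yes,no,no,203.0.113.40:443,2.dnscrypt-cert.au.example.invalid,PLACEHOLDER-KEY,'

pick_resolvers() {
  # $1: CSV text, $2: comma-separated list of acceptable Location values.
  # Prints the Name of every row with DNSSEC validation=yes, No logs=yes and a
  # matching Location, in file order (put the nearest country first).
  printf '%s\n' "$1" | awk -v want="$2" '
  function parse_csv(line, fields,    n, i, c, inq, f, len) {
    # Minimal RFC 4180-style split: quoted fields may hold commas and "" for a quote.
    split("", fields); n = 1; f = ""; inq = 0; len = length(line)
    for (i = 1; i <= len; i++) {
      c = substr(line, i, 1)
      if (inq) {
        if (c != "\"") f = f c
        else if (substr(line, i + 1, 1) == "\"") { f = f "\""; i++ }
        else inq = 0
      } else if (c == "\"") inq = 1
      else if (c == ",") { fields[n++] = f; f = "" }
      else f = f c
    }
    fields[n] = f
    return n
  }
  { sub(/\r$/, "") }
  NR == 1 { parse_csv($0, hdr); for (i in hdr) col[hdr[i]] = i; nwant = split(want, wl, ","); next }
  $0 == "" { next }
  {
    parse_csv($0, row)
    if (row[col["DNSSEC validation"]] != "yes" || row[col["No logs"]] != "yes") next
    for (k = 1; k <= nwant; k++)
      if (row[col["Location"]] == wl[k]) { print row[col["Name"]]; break }
  }'
}

dnsmasq_upstreams() {
  # $1: resolver names (one per line, primary first), $2: first local port.
  # Each resolver gets its own local dnscrypt-proxy port, as in the thread's configs.
  port=$2
  for name in $1; do
    printf '# dnscrypt-proxy instance for %s\nserver=127.0.0.1#%s\n' "$name" "$port"
    port=$((port + 1))
  done
}

proxy_commands() {
  # $1: resolver names (one per line), $2: first local port.
  # One dnscrypt-proxy per upstream, using the flags visible in the ps listing above.
  port=$2
  for name in $1; do
    printf 'dnscrypt-proxy --local-address=127.0.0.1:%s --daemonize -R %s\n' "$port" "$name"
    port=$((port + 1))
  done
}

# Stand-alone run: Netherlands first (nearest for the poster), France as the backup.
chosen=$(pick_resolvers "$RESOLVERS_CSV" "Netherlands,France")
echo "# dnsmasq.conf upstreams (primary first; dnsmasq moves to the next if one stops answering)"
dnsmasq_upstreams "$chosen" 40
echo "# matching dnscrypt-proxy instances"
proxy_commands "$chosen" 40
```

Against the real file, replace RESOLVERS_CSV with the downloaded contents and pass your own country list; rows that fail either the DNSSEC or the no-logs column never reach the output, which is the same pruning chrcol did by hand (dropping OpenDNS and the fvz server).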
     
  20. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I don't think so, as the certificate is received from the DNS server when dnscrypt-proxy starts and is used during the complete session.
     
  21. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Don't forget there are other consequences to using a DNS server outside of your country. Some CDNs (such as those for YouTube) provide you with download servers based on the country of your DNS server IPs. You may end up downloading from CDN servers in Holland which may be outperformed by servers in your country.
     
  22. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    419
    @chrcol

    from man page:
    CPU load with --ephemeral-keys
    Code:
    https://github.com/jedisct1/dnscrypt-proxy/issues/239
     
  23. yeL

    yeL Registered Member

    Joined:
    Aug 10, 2015
    Posts:
    282
    Hello,

    From all the servers available at dnscrypt here, the one that provides me the fastest response is "DNSCrypt.org France" - ~47/48/49ms.

    Cisco OpenDNS gives me ~68/69/70ms
    Soltysiak gives me ~76/77/78ms

    Then there's Google DNS which gives me ~17/18/19ms but this one is out of the equation as it isn't supported by dnscrypt.

    Should I stick to the one which provides me the fastest response times? It has both DNSSEC and no logs, but I saw someone here on the thread saying DNSSEC is not a good thing.

    Also, I've come across Unbound and BIND. I tried both, but what do those programs do exactly? Can I set them up with Google DNS and not worry about privacy, or is that the same as just writing them down in the Windows DNS settings?
     
  24. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    See this post.
     
  25. yeL

    yeL Registered Member

    Joined:
    Aug 10, 2015
    Posts:
    282
    I did read that, but as my primary language isn't English I tend to confuse those terms. If I understood it right, using a cache server avoids forwarding the request to a specific DNS server (for example, Soltysiak) once we visit a specific site and later go on to visit it again, without the need to query the server, as it's now in our own local server cache; is that it?

    Also, do you guys deem cryptostorm trustworthy?
     