DNSCrypt (Open DNS)

Discussion in 'privacy technology' started by TomAZ, Nov 12, 2012.

Thread Status:
Not open for further replies.
  1. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    With DNSCrypt installed as a Service, how can you verify that it's doing what it's supposed to do and working properly?
     
  2. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,084
    Location:
    USA
    Good question. You can open a command window and run ipconfig /all to confirm that DNS is set to use OpenDNS servers, but I'm not sure how to check that the encryption is enabled.
     
  3. jedisct1

    jedisct1 Registered Member

    Joined:
    Jul 7, 2012
    Posts:
    39
    Location:
    San Francisco, CA
    Open cmd.exe and type:

    nslookup
    set type=txt
    debug.opendns.com

    It should say dnscrypt.

    You can also fire up a packet logger like Wireshark and check that outgoing DNS queries look like gibberish.
     
  4. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Not exactly sure why I'm asking this because I'm sure a program like Wireshark is WAY over my head. But just out of curiosity, in what column or field of Wireshark would this "gibberish" be found -- and basically, what does it look like?
     
  5. jedisct1

    jedisct1 Registered Member

    Joined:
    Jul 7, 2012
    Posts:
    39
    Location:
    San Francisco, CA
    Record a capture, then filter for "domain". Wireshark shouldn't display what your queries were, only something it's not able to parse.

    Or just do the nslookup thing. nslookup showing a "dnscrypt" line only works if you are using dnscrypt with OpenDNS, though.
     
  6. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    I am using OpenDNS and just tried this. It came back showing "dnscrypt" so I guess it's working -- right?

    By the way, thanks for all your help.
     
  7. joedoe

    joedoe Registered Member

    Joined:
    Nov 24, 2012
    Posts:
    5
    Hi,
    please can someone clarify for me the following since there are lots of technical info around but I'am still not sure how things work:

    1. If I search for ex. in google for word "Moon" and I use plain http - this can be seen by my ISP and google (I mean the word/phrase I searched for) and all websites I visited (things I downloaded) will be in logs of my ISP's?

    2. If I search/visit/download with help of https everywhere - what is the
    situation in that case?
    What traffic is encrypted and who can see and what?

    3. If I search/visit/download with help of https everywhere and DNSCrypt -
    what is the situation in this case?

    I think that download will be always visible and in case of using ssl it still be noticed but it will be encrypted and my ISP will not be able to find out what I downloaded but it will know from what site I downloaded files?

    If I use DNSCrypt with router on which I don't have admin rights changing DNS severs in Windows networking will cause what exactly? I can't change DNS data in my router.

    I know that using VPN is answer for my questions but I would know this basic things above.

    Thanks
     
  8. Snowden

    Snowden Registered Member

    Joined:
    May 2, 2012
    Posts:
    68
    I've noticed since using DNSCrypt as a service my VPN DNS takes precedence w/ dnscrypt as the secondary.

    Two questions: That's because I haven't set my TAP DNS as 127.0.0.1 correct? I've also read that using both is redundant but I'd rather any type of leak go to opendns than my ISP

    Would you recommend my current setup?
     
  9. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,273
    Location:
    Hollow Earth - Telos
    My DNSCrypt Status is Protected only if i Disable my Comodo Firewall. With the Firewall Enabled it does not protect. i have ATT with a HW FW..So should i use Crypt but not the CFW or Use the CFW and not the Crypt..
     
  10. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Anyone know why the downloads page from GitHub has disappeared?
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It still exists -https://github.com/opendns/dnscrypt-proxy/downloads, but if one checks the main page closer -https://github.com/opendns/dnscrypt-proxy, then you'll see that where it says Download the latest version and extract it:, it will point to -http://dnscrypt.org/ instead of the downloads page. It used to point to it.

    So, I'll take it any future upgrades will have to be checked on -http://dnscrypt.org/ instead? :doubt:

    -edit-

    On the other hand, if one goes to -http://dnscrypt.org, and hits the download link, we'll be taken to the Github download page -https://github.com/opendns/dnscrypt-proxy/downloads.

    Confusing... :argh:
     
    Last edited: Dec 16, 2012
  12. jedisct1

    jedisct1 Registered Member

    Joined:
    Jul 7, 2012
    Posts:
    39
    Location:
    San Francisco, CA
    Yes, Github are going to remove the Downloads section for all projects in a couple weeks.
    That really plenty sucks.

    The files are likely to be moved to dnscrypt.org. I will update the download button here to reflect the new location no matter what.

    So, well, just go to dnscrypt.org, this will always have the most up to date links.
     
  13. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Thanks for the links! The "new" service install feature is great, makes things a lot easier.
     
  14. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,286
    Location:
    EU
    I installed DNSCrypt yesterday, but this morning I had to uninstall it. At the start-up my PC went confused...I have got weird error message and some strange locking of McAfee Viruscan (I could not modify any setting).
    Maybe I'll give it a try again later.
     
  15. Now it has a Android application for DNScrypt. Very happy!
     
  16. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    Currently just installed the dnscrypt proxy as service. Should I turn off DNS Client or should I just leave it alone? Any more things I need to do? Aside from changing the DNS server to 127.0.0.1.
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I always have it (DNS Client) disabled. The only thing I did, was to create a very restricted standard user account from where I run DNSCrypt.

    Besides that, I also applied an explicit medium integrity level to dnscrypt-proxy process. It wouldn't work with a low integrity level... :D

    I did this, because it's advised on the Github page:

    Having a dedicated system user, with no privileges and with an empty home directory, is highly recommended. For extra security, DNSCrypt will chroot() to this user's home directory and drop root privileges for this user's uid as soon as possible.

    That's for the Unix based systems, though. So, I followed a similar approach for Windows.

    I'm wondering if DNSCrypt would ever be developed to have its own sandbox under Windows, though. Like Chromium... :D
     
  18. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    Any tips in how to do that? :D
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    There's been a while since I took this approach. (Since dnscrypt first came out.) I don't recall all the steps from memory now, so it will take sometime to note them down, in case I forget something.

    I thought about creating a thread about it, but when I thought about it it was already too late, because I had done all the steps already, so it would be impossible to have screenshot step-by-step thread, which is always better to show. :(

    But, basically what I did was to first create a new standard user account, and then take ownership (as administrator) of both the user profiler folder and the HCKU portion of the registry. Then, I took away write and execution permissions from the profile folder as well, through ACLs (access control lists). I'm not sure, but I believe I also took away permissions to write/modify to the HKCU.

    Then, I created a scheduled task, running as batch, that runs under the credentials of this very restricted account. I have more than a couple user accounts, which is why I needed to start the task as batch. One needs to add this account to the security policy (sepol.msc) that allows it. I don't recall the exact name of the policy now, though.

    Otherwise, dnscrypt works quite well under Sandboxie as well. So, this would be another approach, somewhat faster as well. :D
     
  20. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    No you should not turn it off. The DNS Client service will prevent the need to transmit unnecessary DNS requests which would otherwise have been cached. It theoretically improves your security because you're transmitting less data overall.
     
    Last edited: Dec 21, 2012
  21. talapantas

    talapantas Registered Member

    Joined:
    Jul 3, 2012
    Posts:
    3
    Location:
    Ph
    i already had dnscrypt installed as a service (though later did i find out i have to literally set its compatibility to run as administrator in windows 7-x64 since it's not installing by this means) :rolleyes:

    i ran nslookup and followed jedisct1 test method and here's what i got

    *** UnKnown can't find debug.opendns.com: Non-existent domain

    sure enough it does not work from what it says...

    so i felt the need to utilize the advance settings from the above link in hopes it would work but as stupid as it may seem, i dont know what exactly should i be putting in the values of registry entries as opposed to the instruction saying it should be self-explanatory

    heres my full debug log

    ###########start###############
    C:\Windows\system32>nslookup
    1.0.0.127.in-addr.arpa
    primary name server = localhost
    responsible mail addr = nobody.invalid
    serial = 1
    refresh = 600 (10 mins)
    retry = 1200 (20 mins)
    expire = 604800 (7 days)
    default TTL = 10800 (3 hours)
    (root) o_O unknown type 41 o_O
    Default Server: UnKnown
    Address: 127.0.0.1

    > set type=txt
    > debug.opendns.com
    Server: UnKnown
    Address: 127.0.0.1

    Non-authoritative answer:
    debug.opendns.com text =

    "server 5.sin"
    debug.opendns.com text =

    "flags 20 0 2f4 0"
    debug.opendns.com text =

    "id 0"
    debug.opendns.com text =

    "source 112.198.82.26:25773"
    debug.opendns.com text =

    "dnscrypt enabled (7136666E76576A39)"

    (root) o_O unknown type 41 o_O
    >
    ############end################

    and i got six dns resolvers from test conducted by dnsleaktest.com, thats kind of weird since i am seeing that dnscrypt was enabled from logs :eek:
    dnsleaktest result

    apparently it does not route me to nearby opendns server

    note: i got it already working together with dnscrypt-winclient prior to this post but this time i would like it to run as a service for convenience

    any help will be greatly appreciated, and :thumb: for maintaining this project!

    ~tala
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.