DNScrypt stopped working

Discussion in 'privacy technology' started by ComputerSaysNo, Mar 10, 2013.

Thread Status:
Not open for further replies.
  1. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,412
    DNScrypt version 0.06 stopped working suddenly. It only shows red and is unable to connect.

    Anyone else experiencing the same o_O
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Check maybe even viewer logs for errors/warnings and check security software rules/logs in case it is blocked somehown
     
  3. pajenn

    pajenn Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    930
    I just tried DNScrypt today (windows version) and had the following problems:
    • momentary lapses in protection status
    • high cpu use by OpenDNSInterface.exe (around 5-7% normally with very high spikes when I open a web browser or other network program)
    I only observed the breaks in protection while I had utorrent running (VPN and peerblock were on too).

    If anyone knows a fix for these issues please let me know.
     
  4. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,804
    I know this kind of stray's away from the topic at hand, but...

    Do they update this thing anymore?

    It's been awhile since I've heard of an update.
     
  5. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
  6. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,804
  7. tlu

    tlu Guest

  8. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    I'm aware of the standalone proxy, I use it myself. It is not simple enough for normal users to understand, and this topic is about the GUI version.
     
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    You mean because it hasn't been updated in ages or is it officially declared dead? Btw, the latest version of the unofficial GUI is only a month younger than OpenDNS's version.
     
  10. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    The author of DNSCrypt removed references to the OpenDNS GUI version in a recent change, I'd say that makes it officially MIA.

    The thing about the unofficial GUI is that it doesn't matter how old it is because it doesn't bundle the proxy. It's just a GUI for the proxy that you download separately. However the "official" OpenDNS GUI DOES bundle the proxy, an ancient version of it.
     
  11. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Ah thanks. While it may not be bundled it seems compatibility is still needed, the comments on the binaries in your link state: Binaries compatible with DNSCrypt 1.1.0, do you know if it also works with newer versions of the proxy?
     
  12. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    Nope, but there are no complaints about it not working and you know what they say, people only comment when something is broken :p
     
  13. pajenn

    pajenn Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    930
    ok, so i uninstalled DNScrypt GUI version and downloaded and installed dnscrypt-proxy.exe using the command:
    Code:
    dnscrypt-proxy.exe --install
    I then went to OpenDNS welcome page and it says my connection is faster and safer because I'm using OpenDNS... I can also see dnscrypt-proxy.exe in task manager, and it has a tiny footprint; no more CPU issues.

    BUT --- there's no tray icon to indicate that it really is working, so how can I check that (1) my DNS really is encrypted now, and (2) there are no lapses in protection (status) like with the GUI version of DNScrypt?
     
  14. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    I tried the official client the other day after seeing it mentioned somewhere and it is really buggy and wipes the NIC DNS settings on reboot, so that there's no internet connectivity. It's meant to set it to 127.0.0.1 and then the client either uses the OpenDNS server or the previous NIC settings if protection is disabled but as I say, it doesn't work properly.

    I've just tried the dnscrypt-proxy and unofficial WinClient but that's not really practical because a) as pajenn says, without a tray app it's not easy to see if it's working/protected or not and the WinClient doesn't have the same options (fallback, etc) to select and b) it opens an intrusive cmdline window which one has to be careful not to close. It also has a similar fault to the official client, in that when stopping the DNSCrypt, it breaks connectivity by leaving the NIC DNS setting on 127.0.0.1 but apparently not copying the previous settings from there to fallback to when disabled. It has now restored the previous settings strangely after I restarted DNSCrypt and now it won't change back to using 127.0.0.1 after starting/stopping it a couple of times, so even though it says DNSCrypt is enabled, it's not using it!

    So hopefully a better client will be available one day but for now I don't really see it as a viable option for the average user.
     
  15. pajenn

    pajenn Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    930
    fwiw, dnscrypt-winclient.exe refused to run on my system because I'm using 64-bit windows and apparently it's for 32-bit systems.

    as for dnscrypt-proxy.exe, I followed the quickstart quide here, and it worked fine, no reboot or loss of connection issues. also, it runs happily in the background when I boot windows, no command prompt windows or anything like that necessary. my problem still is that I just don't know if it's really working.

    note: for step 4 in quickstart (Change your DNS settings to 127.0.0.1), I opened Network and sharing center, clicked on my active wireless connection -> properties -> TCP/IPv4 settings, and changed the DNS there from automatic to 127.0.0.1. I assume that's enough, I don't think anything uses IPv6.
     
  16. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    Ah I see thanks, so you install it as a service. That seems better.

    If your DNS settings are set to 127.0.0.1 then obviously it has to redirect the DNS queries through dnscrypt-proxy. I'd still like a GUI though, that shows me the current DNS server address and gives me some options for fallback or disable, because if it goes down temporarily I don't want to have to go and edit my DNS settings to restore connectivity.
     
  17. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    I've installed it as a service and it seems to be working fine.

    dnscrypt-winclient.exe doesn't seem to recognise the service is running though and says "DNSCrypt is NOT running" so we can't use that as GUI/indication of whether the service is running unfortunately.
     
  18. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Not as convenient as a GUI or tray icon, but you can check if it's working:
    https://www.wilderssecurity.com/showpost.php?p=2146019&postcount=28
     
  19. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    dns-crypt proxy service has been failing a lot for me lately, so that when I go to a page it shows "http://bthomehub.home/?org_url=http://" and then the rest of the link.

    I obviously need something more reliable (I'm setting this PC up for someone else, so need something that will just work) so I'm going to try https://cloudns.com.au/
     
  20. syrog

    syrog Registered Member

    Joined:
    Jul 13, 2013
    Posts:
    30
    1) Don't use DNScrypt GUI versions (Windows is assumed. e.g. DNSCrypt WinClient & DNSCryptWin-v0.0.6.exe) because they use a lot of resources just for the sake of the intended component (which is dnscrypt-proxy.exe) to run. The goal and purpose of DNScrypt is achieved through dnscrypt-proxy.exe only. DNSCryptWin-v0.0.6.exe is the official program by OpenDNS. It is installed with 3 processes and a service. Its processes use a lot of CPU and very very high I/O Total Rate. In my opinion worst of all is that 2 of the 3 processes are elevated and running with administrative tights and without a "workaround" you are going to click "Yes" in the UAC prompt dialog each time you boot your computer to allow DNScrypt to start. These processes with administrative rights (apart from affecting the performance) are increasing your surface attack and the purpose of using DNScrypt (which is for privacy and security) is going to be defeated. Last but not least, DNSCryptWin-v0.0.6.exe contains a very outdated version of dnscrypt-proxy.exe in terms of security and reliability (it is back to 2012 and it does not support installation like a windows service).

    2) Uninstall DNScrypt GUI version you have.

    3) Download the latest dnscrypt-proxy.exe (which is version 1.3.2) from this official link:
    -http://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-win32-1.3.2.zip-

    4) Unzip it. Then go to Program Files (x86) folder (I assume you have a x64 bit OS) and make a new folder renaming it to "DNScrypt".

    5) Copy "dnscrypt-proxy.exe" inside the unzipped folder and paste it into "C:\Program Files (x86)\DNScrypt".

    6) Open cmd.exe elevated.

    7) Inside cmd's window type "c:\program files (x86)\dnscrypt\dnscrypt-proxy.exe --install", OR just copy what is inside the quotation marks and inside cmd's window right click to pate it.

    :cool: Press Enter. Waite a moment until dnscrypt-proxy service is installed and then exit cmd.

    9) Now open Network and Sharing Center> Click on your primary connection or Local Area Connection under 'Active Networks'> Click the Properties button> Select 'Internet Protocol Version 4 (TCP/IPv4)' and click Properties> Click the radio button 'Use the following DNS server addresses:' and type "127.0.0.1" address in the Preferred DNS server.

    10) Congratulations, now you are using DNScrypt with OpenDNS!

    11) To verify if you are using OpenDNS with DNScrypt and to know if DNScrypt is really encrypting DNS requests (apart from the fact that dnscrypt-proxy.exe process and dnscrypt-proxy service are running through a task manager) follow the instructions below:

    * Open cmd.exe
    * Type "nslookup -type=txt debug.opendns.com."
    * Press Enter
    * You should get some information with "dnscrypt enabled " at the end bottom of the output message.

    12) The green tray bar icon is not such a big deal. It is just a matter of time and psychological adaptation. Now you are encrypting your DNS requests with OpenDNS servers with minimum surface attack and unnoticeable performance impact.

    13) To furthermore harden "dnscrypt-proxy.exe" process run it under EMET with all mitigation techniques enabled.

    For more information you may follow the following links:
    - Official DNScrypt forum:
    https://support.opendns.com/forums/21313132-DNSCrypt

    - Official directory on GitHub:
    https://github.com/opendns/dnscrypt-proxy

    - DNScrypt Home Page:
    http://dnscrypt.org/

    - Download directory:
    http://download.dnscrypt.org/dnscrypt-proxy/
     
    Last edited by a moderator: Aug 25, 2013
  21. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    Already doing all that but it still only works intermittently.

    Apparently I have v1.3.0 but as there's no automatic way to keep it up to date, it's impractical to have to keep checking websites manually to see if there might be an update available, so until something more automated comes along I think I'll just have to use unencrypted but reliable DNS.
     
  22. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    Nicely done. :thumb:
     
  23. syrog

    syrog Registered Member

    Joined:
    Jul 13, 2013
    Posts:
    30
    What do you mean by "works intermittently"? How do you know that?

    As of the version, you already know the newer the version of any program the better is security and reliability, so give v1.3.2 a try. Furthermore, please notice (from the download directory link I provided above) that the time gap between v1.3.0 and v.1.3.2 is only 1 day! v1.3.0 is released on 19 Jul 2013 and v1.3.2 on 20 Jul 2013. It seems to me that there was something wrong with v1.3.0. Interestingly, VirusTotal's report of v1.3.0 gives detection rate of 3/46:
    ~ VirusTotal Results Removed per Policy ~
    whilst that of v1.3.2 gives 1/46:
    ~ VirusTotal Results Removed per Policy ~
    nevertheless, the code of dnscrypt is public on GitHub and an expert can investigate it.

    I do not know if there is going to be a mechanism of implementing automatic updates into dnscrypt or not. Either ways it is not an excuse for me not to use DNScrypt.
    I personally use Page Monitor (which is a Google Chrome extension used to monitor a webpage for changes) to notify me about updates of dnscrypt-proxy.exe and updates of any other programs!!! In my opinion this small extention (which could be obtained from Web Store of Google Chrome) has the potential to be the best way of notifying of updates. Just install it within Google Chrome and browse to the webpage that shows the version of a program you are interested (in this case browse to http://download.dnscrypt.org/dnscrypt-proxy/ and click on Page Monitor extension icon, then click "Monitor This Page".
     
    Last edited by a moderator: Aug 25, 2013
  24. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    Because I've been using it for a while and recently had a lot of trouble and couldn't connect to any webpages until I disabled it and set my DNS servers to something unencrypted (I used google's 8.8.8.8 just because it's easy to remember).

    It's very much an excuse for other people though. I can't setup DNScrypt for someone and then tell them they have to check a website every day to see if there's a new version.

    I see there's already a 1.3.3 (although not for Windows yet) and it says using older clients with this version will make resolving names very slow, so it's obviously vital to keep it updated.

    Thanks for the tip. I use Iron myself so can use that but some people still prefer IE or Opera and I can't tell them they have to use Chrome instead so that they keep on top of dnscrypt-proxy updates.

    EDIT: Hmm, when I go to install Page Monitor it says it can

    "Access your data on all websites"
    "Access your tabs and browsing activity"

    I don't know exactly what that means or what it might do with that data but it seems a bit daft to use DNSCrypt to encrypt my DNS lookups and then allow some random plugin author access to all my browsing data.
     
  25. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    I noticed that there are now 2 downloads for Windows:
    dnscrypt-proxy-win32-1.3.2.zip
    dnscrypt-proxy-win32-full-1.3.2.zip

    The full zip contains quite a few files, but I'm not sure what they are all for.
     
Loading...
Thread Status:
Not open for further replies.