
#1 2013-06-12 06:10:24

Hurricane
Member
Registered: 2012-10-18
Posts: 77

[SOLVED] Checking if DNSCrypt is working

I successfully installed DNSCrypt.

systemctl enable dnscrypt-proxy.service
systemctl start dnscrypt-proxy.service

When I run

systemctl status dnscrypt-proxy.service

it tells me that it's active.

However, when I go in Firefox to welcome.opendns.com it gives me the page that says
I'm not on OpenDNS yet. I'm assuming that this is because I'm not using their servers directly,
since DNSCrypt uses localhost as the nameserver address.

So how would I go about checking whether or not DNSCrypt is actually working?

Last edited by Hurricane (2013-06-14 01:26:49)


Computers are extra dumb, which is why it takes extra smart people to make them work.

Offline

#2 2013-06-12 09:51:24

Dissident85
Member
From: Sydney, Australia
Registered: 2010-01-15
Posts: 18

Re: [SOLVED] Checking if DNSCrypt is working

Install tcpdump

then run

sudo tcpdump -i eth0 dst host 208.67.222.222 or dst host 208.67.220.220 or src host 208.67.222.222 or src host 208.67.220.220 -n

Visit a website or something and you should see something like this.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:48:45.124397 IP 192.168.1.15.53084 > 208.67.220.220.443: UDP, length 260
10:48:45.125171 IP 192.168.1.15.53084 > 208.67.220.220.443: UDP, length 324
10:48:45.125534 IP 192.168.1.15.53084 > 208.67.220.220.443: UDP, length 324
10:48:45.126483 IP 192.168.1.15.53084 > 208.67.220.220.443: UDP, length 260
10:48:45.150944 IP 208.67.220.220.443 > 192.168.1.15.53084: UDP, length 304
10:48:45.152111 IP 208.67.220.220.443 > 192.168.1.15.53084: UDP, length 422
10:48:45.153479 IP 208.67.220.220.443 > 192.168.1.15.53084: UDP, length 304
10:48:45.154981 IP 208.67.220.220.443 > 192.168.1.15.53084: UDP, length 304

You can also open up another terminal and run

sudo tcpdump -i eth0 dst port 53 or src port 53 -n -x -X -v

That way you can see if any non-encrypted DNS queries are getting through.

Last edited by Dissident85 (2013-06-12 09:53:29)

Offline

#3 2013-06-12 16:01:39

jedisct1
Member
Registered: 2013-06-12
Posts: 2

Re: [SOLVED] Checking if DNSCrypt is working

If you are using dnscrypt to connect to OpenDNS, there is another way:

drill txt debug.opendns.com

or

dig txt debug.opendns.com

You should see a line that says "dnscrypt".

If you're using a different dnscrypt-enabled server or if you're running your own dnscrypt-wrapper instance, tcpdump is indeed the best way to test that the client works as expected.

Offline

#4 2013-06-13 02:42:18

Hurricane
Member
Registered: 2012-10-18
Posts: 77

Re: [SOLVED] Checking if DNSCrypt is working

Dissident, with the small exception of changing the device I was listening on (I'm connected wirelessly), I got pretty much the same output as what you showed.

jedisct1, aren't you the one that is hosting the project on git? Or do you have the ppa under Ubuntu? Your handle is oddly familiar.
If so, can you explain to me why I'm seeing the connection to an OpenDNS server even though my nameserver is set to localhost in resolv.conf?


Computers are extra dumb, which is why it takes extra smart people to make them work.

Offline

#5 2013-06-13 23:02:47

jedisct1
Member
Registered: 2013-06-12
Posts: 2

Re: [SOLVED] Checking if DNSCrypt is working

Hurricane: Yes, I'm the maintainer of the project. I don't have a ppa for Ubuntu (is there any?), but the git repository contains an fpm script to build RPMs and DEBs for it: https://github.com/jedisct1/dnscrypt-pr … ckages/fpm

This is a proxy. It accepts connections to localhost, then forwards the queries to a remote server (OpenDNS by default -for now-, but you can change that with command-line switches).

If you are using something like tcpdump to watch the traffic, make sure you specify the correct interface, either lo for localhost, or (probably) eth0 for the external interface.

Offline
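
The two tcpdump checks from post #2 and the lo/eth0 distinction from post #5, combined as an added example that is not part of the original thread or of the dnscrypt-proxy project. It assumes plain `tcpdump -n` output (one packet per line, no `-v`); the function names and the leak and loopback sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `tcpdump -n` text output (non-verbose, one packet per line).
# The resolver IPs and port 443 are the ones shown in the thread; change for other servers.
RESOLVERS="208.67.222.222 208.67.220.220"

# Reads tcpdump lines on stdin. Prints each cleartext DNS packet that is not
# loopback-only as "LEAK <line>", then a one-line summary.
classify_dns() {
    awk -v resolvers="$RESOLVERS" '
    BEGIN { n = split(resolvers, r, " "); for (i = 1; i <= n; i++) res[r[i]] = 1 }
    # tcpdump -n prints endpoints as "address.port" (destination ends with ":")
    function host(ep) { sub(/\.[0-9]+:?$/, "", ep); return ep }
    function port(ep) { sub(/:$/, "", ep); sub(/^.*\./, "", ep); return ep }
    function isloop(h) { return h ~ /^127\./ || h == "::1" }
    ($2 == "IP" || $2 == "IP6") && $4 == ">" {
        sh = host($3); sp = port($3); dh = host($5); dp = port($5)
        if (((dh in res) && dp == "443") || ((sh in res) && sp == "443"))
            enc++                      # traffic to/from the resolver on port 443
        else if (dp == "53" || sp == "53") {
            if (isloop(sh) && isloop(dh))
                loc++                  # client <-> local proxy on lo: expected
            else {
                leak++                 # cleartext DNS leaving the machine
                print "LEAK " $0
            }
        }
    }
    END { printf "encrypted=%d local=%d leaks=%d\n", enc, loc, leak }'
}

# Constructed sample: two lines from the capture in post #2, plus made-up
# loopback and leak lines (192.0.2.53 is a documentation address).
sample_capture() {
    cat <<'EOF'
10:48:45.124397 IP 192.168.1.15.53084 > 208.67.220.220.443: UDP, length 260
10:48:45.150944 IP 208.67.220.220.443 > 192.168.1.15.53084: UDP, length 304
10:49:02.000101 IP 127.0.0.1.40112 > 127.0.0.1.53: 4242+ A? example.com. (29)
10:49:05.000202 IP 192.168.1.15.41000 > 192.0.2.53.53: 5151+ A? example.com. (29)
EOF
}

sample_capture | classify_dns
```

On a live system, pipe `sudo tcpdump -n -l -i <interface>` into `classify_dns`, or replay a saved capture with `tcpdump -n -r <file>`. A working setup shows port 53 traffic only on lo and a nonzero encrypted count on the external interface.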

#6 2013-06-14 01:26:28

Hurricane
Member
Registered: 2012-10-18
Posts: 77

Re: [SOLVED] Checking if DNSCrypt is working

Thanks for explaining it. I get it now. As for the ppa, I don't know if there is one but I could have sworn there was. But yeah I remember seeing your name on github now.


Computers are extra dumb, which is why it takes extra smart people to make them work.

Offline

#7 2013-11-14 20:48:13

leptserkhan
Member
Registered: 2013-11-14
Posts: 2

Re: [SOLVED] Checking if DNSCrypt is working

I've set up dnscrypt successfully on a local machine, now trying to get it to work on a machine hosting openvpn without much luck. Using tcpdump files created on the server, what would be the best way to verify that it is working on openvpn?

I notice that when my desktop connects to the openvpn server dnsleaks are clean, but when my android phone connects to the openvpn server, dnsleaks are dirty.

Any illumination on this subject would be greatly appreciated.

Offline
