# Is dnscrypt-proxy working?

## n05ph3r42

Hi there.

I set up pdnsd + dnscrypt-proxy.

rc-status is ok for all.

configs adjusted

To check that dnscrypt-proxy works, I run

```
# dig debug.opendns.com TXT

; <<>> DiG 9.11.2-P1 <<>> debug.opendns.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53407
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1024
;; QUESTION SECTION:
;debug.opendns.com.      IN   TXT

;; AUTHORITY SECTION:
opendns.com.      3266   IN   SOA   auth1.opendns.com. noc.opendns.com. 1517037688 16384 2048 1048576 2560

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jan 27 09:05:23 -00 2018
;; MSG SIZE  rcvd: 92
```

but it should return something like

```
dig  debug.opendns.com  txt

; <<>> DiG 9.3.2 <<>> debug.opendns.com txt
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1603
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com.             IN      TXT

;; ANSWER SECTION:
debug.opendns.com.      0       IN      TXT     "server 5.fra"                           Using Frankfurt OpenDNS location
debug.opendns.com.      0       IN      TXT     "flags 20 0 2cc d00d82040001401"         The flags associated with my DNS query
debug.opendns.com.      0       IN      TXT     "id 381599"                              My OpenDNS network ID
debug.opendns.com.      0       IN      TXT     "source 217.254.45.71:14830"             My source IP address and port from where I queried
debug.opendns.com.      0       IN      TXT     "dnscrypt enabled (7136666E76576A42)"    That says it all.

;; Query time: 31 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 19 00:32:53 2013
;; MSG SIZE  rcvd: 223
```

I cannot understand what is wrong; I see no line with

```
 debug.opendns.com.      0       IN      TXT     "dnscrypt enabled (7136666E76576A42)"
```

/etc/pdnsd/pdnsd.conf

```
global {
    perm_cache   = 9600;
    cache_dir    = "/var/cache/pdnsd";
    run_as       = "pdnsd";
    server_ip    = 127.0.0.1;
    status_ctl   = on;
    query_method = udp_tcp;

    par_queries  = 4;
    neg_ttl = 2m;        # negative answer cache time
    min_ttl = 15m;       # Retain cached entries at least 15 minutes.
    max_ttl = 1w;        # One week.
    timeout = 10;        # Global timeout option (10 seconds).
    neg_domain_pol = on;
    udpbufsize = 1024;   # Upper limit on the size of UDP messages.
}

server {
    label      = "dnscrypt-proxy";
    ip         = 127.0.0.1;
    port       = 5353;
    timeout    = 4;
    proxy_only = on;
    uptest     = if;     # Test if the network interface is active.
    interface  = enp2s0; # The name of the interface to check.
    interval   = 10m;    # Check every 10 minutes.
    purge_cache= off;    # Keep stale cache entries in case the ISP's
                         # DNS servers go offline.
    edns_query = yes;    # Use EDNS for outgoing queries to allow UDP messages
                         # larger than 512 bytes. May cause trouble with some
}

source {
    owner = localhost;
    file = "/etc/hosts";
}
```

dnscrypt-proxy.conf

```
ResolverName random
ResolversList /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv
Daemonize yes
PidFile /run/dnscrypt-proxy.pid
User dnscrypt
LocalAddress 127.0.0.1:5353
LocalCache on
EphemeralKeys off
EDNSPayloadSize 4096
```

/etc/resolv.conf

```
nameserver 127.0.0.1
options edns0
```

Last edited by n05ph3r42 on Mon Jan 29, 2018 6:21 pm; edited 1 time in total
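To turn the comparison above into a repeatable check, here is an added Python example (not part of the thread) that parses a saved `dig debug.opendns.com TXT` transcript and separates three cases: no OpenDNS debug data at all (the NXDOMAIN seen with a random resolver, where the check is simply inconclusive), OpenDNS answering without the dnscrypt marker, and the marker present. The sample transcripts are constructed from the outputs posted here; the function and class names are mine.

```python
import re
from dataclasses import dataclass, field

# rcode from the header, e.g. ";; ->>HEADER<<- ... status: NOERROR, id: 9229"
STATUS_RE = re.compile(r"^;; ->>HEADER<<-.*status:\s*([A-Z]+)")
# one TXT answer, e.g. 'debug.opendns.com.   900   IN   TXT   "server m2.wrw"'
TXT_RE = re.compile(r'^debug\.opendns\.com\.\s+\d+\s+IN\s+TXT\s+"([^"]*)"')

# Constructed samples, trimmed from the two transcripts posted in the thread.
NXDOMAIN_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53407
;debug.opendns.com.      IN   TXT
opendns.com.  3266  IN  SOA  auth1.opendns.com. noc.opendns.com. 1517037688 16384 2048 1048576 2560
"""
OK_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9229
debug.opendns.com.   900   IN   TXT   "source 217.*.*.*:42807"
debug.opendns.com.   900   IN   TXT   "dnscrypt enabled (713156774457306E)"
debug.opendns.com.   900   IN   TXT   "server m2.wrw"
"""

@dataclass
class DebugResult:
    status: str                                  # rcode reported by dig
    records: list = field(default_factory=list)  # TXT strings, in answer order

    @property
    def dnscrypt_enabled(self) -> bool:
        return any(r.startswith("dnscrypt enabled") for r in self.records)

    @property
    def server(self):  # OpenDNS node that answered, e.g. "m2.wrw", or None
        return next((r[7:] for r in self.records if r.startswith("server ")), None)

def parse_dig(output: str) -> DebugResult:
    result = DebugResult("UNKNOWN")
    for line in output.splitlines():
        line = line.strip()
        if m := STATUS_RE.match(line):
            result.status = m.group(1)
        elif m := TXT_RE.match(line):
            result.records.append(m.group(1))
    return result

def verdict(result: DebugResult) -> str:
    if result.status != "NOERROR":
        return f"no OpenDNS debug data (rcode {result.status}): answering resolver is not OpenDNS, check inconclusive"
    if not result.dnscrypt_enabled:
        return "OpenDNS answered in the clear: DNSCrypt is not in the path"
    return f"DNSCrypt active via OpenDNS node {result.server}"
```

Feed it the output of `dig debug.opendns.com TXT` from the machine under test; only an upstream OpenDNS/Cisco resolver synthesizes these TXT records, so other resolvers in the CSV cannot be validated this way.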

----------

## massimo

Try setting a ResolverName for dnscrypt, e.g., 

```
Daemonize yes
PidFile /run/dnscrypt-proxy.pid
User dnscrypt
LocalAddress 127.0.0.1:5353
LocalCache on
EphemeralKeys off
EDNSPayloadSize 4096
ResolverName cisco
```

----------

## n05ph3r42

*Quote:*

> Try setting a ResolverName for dnscrypt, e.g.,

Ah, I forgot to put these lines into my original message:

```
ResolverName random
ResolversList /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv
```

so my full dnscrypt conf in fact is

```
ResolverName random
ResolversList /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv
Daemonize yes
PidFile /run/dnscrypt-proxy.pid
User dnscrypt
LocalAddress 127.0.0.1:5353
LocalCache on
EphemeralKeys off
EDNSPayloadSize 4096
```

----------

## massimo

As I said, give it a shot with cisco.

----------

## n05ph3r42

*massimo wrote:*

> As I said, give it a shot with cisco.

w00t!

```
# dig debug.opendns.com TXT

; <<>> DiG 9.11.2-P1 <<>> debug.opendns.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9229
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1024
;; QUESTION SECTION:
;debug.opendns.com.      IN   TXT

;; ANSWER SECTION:
debug.opendns.com.   900   IN   TXT   "actype 0"
debug.opendns.com.   900   IN   TXT   "source 217.*.*.*:42807"
debug.opendns.com.   900   IN   TXT   "dnscrypt enabled (713156774457306E)"
debug.opendns.com.   900   IN   TXT   "server m2.wrw"
debug.opendns.com.   900   IN   TXT   "flags 20 0 70 7950800000000000000"
debug.opendns.com.   900   IN   TXT   "originid 0"

;; Query time: 16 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 30 18:13:25 -00 2018
;; MSG SIZE  rcvd: 248
```

But why does dig debug.opendns.com with another resolver give an authoritative answer? Does it mean that, in fact, that resolver doesn't work as an encrypting one?

Also I get the following message:

```
Tue Jan 30 18:12:56 2018 [INFO] - [cisco] does not support DNS Security Extensions
```

----------

## massimo

I do not understand your last question/note.

The last piece of information tells you that DNSSEC is not supported by this particular resolver.

----------

## n05ph3r42

*massimo wrote:*

> I do not understand your last question/note.

I mean, why may some other resolvers from the file not act as encrypting DNS and give an authoritative answer instead? I checked this on names blocked in my local area.

*massimo wrote:*

> The last piece of information tells you that DNSSEC is not supported by this particular resolver.

That was clear to me, thank you; I just wondered why cisco cannot support this spec.

----------

