Checking
Once everything has been set up, here are a couple of options to verify that your DNS traffic is actually encrypted and authenticated.

For these tests to be relevant, dnscrypt-proxy (usually listening on 127.0.0.1) should be the only resolver configured on your system.
On Unix systems, the following command pauses the proxy:

```
pkill -STOP dnscrypt-proxy
```

If applications, including web browsers, can no longer resolve DNS names, it probably means that all your DNS traffic was going through the proxy, and was therefore encrypted and authenticated.

To resume execution, use the following command:

```
pkill -CONT dnscrypt-proxy
```
On Windows systems, the service can be stopped and restarted with the service-uninstall.bat and service-start.bat scripts, or by using the Task Manager.
Add a filter to block a name that is very likely to resolve under normal circumstances. If you can't access it any more, your DNS traffic is going through the proxy, and is therefore encrypted. If you still can, flush your DNS caches and restart the dnscrypt-proxy service before trying again.
Enable query logging, use your device normally, and check that the log file gets filled by queries you just made.
The command-line tool tcpdump can be used to see if there is outgoing non-encrypted DNS traffic, that is, packets to port 53 whose destination is outside the loopback and private ranges. Any packet it prints left the machine in plaintext:

```
sudo tcpdump -n dst port 53 and \
  'not dst net (::1 or 10 or 127 or 172.16/12 or 192.168/16)'
```
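As an added example (not the dnscrypt-proxy project's own code), the following POSIX shell functions automate two of the checks above: that only loopback resolvers are configured, and that no port-53 packet in `tcpdump -n` text output goes to a destination outside the ranges the filter above excludes. The resolv.conf lines, capture lines and addresses at the bottom are constructed sample data.

```shell
# Added example (not dnscrypt-proxy's own code); the sample data below is constructed.

# Succeed when an address is in a range the tcpdump filter above treats as
# local (not a leak): ::1, 10/8, 127/8, 172.16/12, 192.168/16.
is_local_dst() {
    case "$1" in
        ::1|127.*|10.*|192.168.*) return 0 ;;
        172.*) b=${1#172.}; b=${b%%.*}
               [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0 ;;
    esac
    return 1
}

# Read resolv.conf text on stdin; print every nameserver that is not loopback
# and return 1 if there was one (dnscrypt-proxy should be the only resolver).
check_resolv_conf() {
    rc=0
    while read -r key value _; do
        [ "$key" = nameserver ] || continue
        case "$value" in
            127.*|::1) ;;
            *) echo "non-local resolver configured: $value"; rc=1 ;;
        esac
    done
    return $rc
}

# Read `tcpdump -n` text output on stdin; print each DNS (port 53) packet
# sent to a non-local destination and return 1 if any was found.
find_plaintext_dns() {
    rc=0
    while read -r line; do
        case "$line" in *" > "*.53:*) ;; *) continue ;; esac
        # destination is the token after " > ", minus the trailing ":" and ".53"
        dst=${line#*" > "}; dst=${dst%% *}; dst=${dst%:}; dst=${dst%.53}
        is_local_dst "$dst" || { echo "plaintext DNS to $dst"; rc=1; }
    done
    return $rc
}

# Constructed samples: a resolv.conf with a stray upstream resolver, and three
# captured queries of which two leave the host unencrypted.
SAMPLE_RESOLV_CONF='nameserver 127.0.0.1
nameserver 203.0.113.1'
SAMPLE_TCPDUMP='13:37:00.000001 IP 192.168.1.5.51234 > 127.0.0.1.53: 1+ A? example.com. (29)
13:37:00.000002 IP 192.168.1.5.51235 > 203.0.113.7.53: 2+ A? example.org. (29)
13:37:00.000003 IP6 fe80::1.51236 > 2001:db8::53.53: 3+ AAAA? example.net. (29)'

printf '%s\n' "$SAMPLE_RESOLV_CONF" | check_resolv_conf || echo "resolv.conf needs fixing"
printf '%s\n' "$SAMPLE_TCPDUMP" | find_plaintext_dns || echo "unencrypted DNS detected"
```

For real use, feed `/etc/resolv.conf` to check_resolv_conf and pipe `sudo tcpdump -n -l dst port 53` into find_plaintext_dns.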
dnsleaktest.com is a popular website to check which DNS resolvers you may be using.

Note that it only checks the configuration of your web browser; other software may be using a different DNS configuration. An HTTP proxy can also cause this test to return incorrect results.
Below, there is an example of the Extended test, with two configured resolvers:
IP | Hostname | ISP | Country |
---|---|---|---|
212.47.228.136 | scaleway-fr.dnscrypt.info. | Scaleway | France |
130.59.118.147 | kirby.switch.ch. | Swiss Education and Research Network | Zurich, Switzerland |
"DNS leak" is a misleading phrase that makes people nervous, especially those who are using a proxy/VPN. Read https://en.wikipedia.org/wiki/DNS_leak first.

For proxy/VPN users, the first thing to note is that you are, obviously, using a proxy/VPN to visit websites.

In this process:

- there will always be a DNS resolver that knows who (IP) is querying what (server name),
- you would expect it to provide you with a quick/nearby IP,
- the website always knows who (IP) is querying what (target IP, host name and resources), and it can check whether the IP you connect to is the expected one based on your (proxy) IP.

So, what's important is who this DNS resolver is. Keeping DNS queries on the same exit node as the proxy that directly connects to the target website makes it most likely that you are seen as that exit node. This is critical when you are using a proxy/VPN!

Do not use side-loaded DNS for proxies unless you know what you are doing!
In some cases, if you want to run dnscrypt-proxy as a non-root user, you'll get the error `[FATAL] listen udp 0.0.0.0:53: bind: permission denied`. To solve this problem, you can run the following command to allow dnscrypt-proxy to bind a privileged (low-numbered) port:

```
sudo setcap cap_net_bind_service=+ep $(which dnscrypt-proxy)
```

Note that file capabilities are attached to the binary itself, so the command has to be run again whenever the dnscrypt-proxy binary is replaced by an update.