szemley edited this page Mar 25, 2021 · 40 revisions

Checking that your DNS traffic is encrypted and authenticated

Once everything has been set up, if you want to verify that your DNS traffic is actually encrypted and authenticated, here are a couple of things you can try:

Stop or pause the proxy

On Unix systems the following command pauses the proxy:

pkill -STOP dnscrypt-proxy

If applications cannot resolve anything now (e.g. no website is reachable), it probably means that all your DNS traffic was going through the proxy, and was therefore encrypted and authenticated.

To resume execution, use the following command:

pkill -CONT dnscrypt-proxy

Alternatively, on Linux, you can stop the service completely (dnscrypt-proxy should then not resolve anything) and start it again, e.g. with the systemctl(1) utility (the service manager on distributions that have switched to systemd) or with the service(8) command (which still works on distributions that have migrated to systemd). Here are examples:

sudo systemctl stop dnscrypt-proxy
sudo systemctl start dnscrypt-proxy

sudo service dnscrypt-proxy stop
sudo service dnscrypt-proxy start

On Windows, you can achieve the same result simply by closing the application and starting it again. One way is Task Manager (press Ctrl+Shift+Esc, or press Ctrl+Alt+Delete and choose "Task Manager"), where you can end the dnscrypt-proxy process and then start it again.

Block a domain

Add a filter to block a name that is very likely to resolve under normal circumstances.

If you can't access it any more, it means that your DNS traffic is going through the proxy, and is therefore encrypted. If you still can, flush your DNS cache and restart the dnscrypt-proxy service.

Enable query logging

Enable query logging, use your device normally, and check that the log file fills up with the queries you just made.
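As an added example (not part of this wiki page or of dnscrypt-proxy itself), the script below reads a query log and summarises which upstream server answered each query and which names were rejected, so that the "Block a domain" and "Enable query logging" checks above can be confirmed from the log rather than by eye. The sample lines are constructed, and the layout is assumed to be the tab-separated format written by the query_log option: [timestamp], client address, name, query type, return code, duration and server name, with REJECT as the return code for a name blocked by a filter.

```python
from collections import Counter

# Constructed sample of a dnscrypt-proxy query log (assumed tab-separated
# layout: [timestamp] client qname qtype return_code duration server).
# REJECT is assumed to mark a name blocked by a filter, with "-" as server.
SAMPLE_QUERY_LOG = "\n".join([
    "[2021-03-25 10:00:01]\t127.0.0.1\texample.com\tA\tPASS\t23ms\tmeganerd",
    "[2021-03-25 10:00:01]\t127.0.0.1\texample.com\tAAAA\tPASS\t25ms\tmeganerd",
    "[2021-03-25 10:00:04]\t127.0.0.1\tupdates.example.net\tA\tPASS\t41ms\tscaleway-fr",
    "[2021-03-25 10:00:09]\t127.0.0.1\tnosuchname.example.org\tA\tNXDOMAIN\t30ms\tdnscrypt.one",
    "[2021-03-25 10:00:15]\t127.0.0.1\tblocked-test.example\tA\tREJECT\t0ms\t-",
])


def parse_query_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 7 or not fields[0].startswith("["):
            continue
        yield {
            "time": fields[0].strip("[]"),
            "client": fields[1],
            "qname": fields[2],
            "qtype": fields[3],
            "rcode": fields[4],
            "server": fields[6],
        }


def summarize_query_log(text):
    """Count queries per upstream server and per return code, and list blocked names.

    Rejected queries never reach an upstream server, so they are not counted
    against one; everything else is attributed to the server column.
    """
    per_server = Counter()
    per_rcode = Counter()
    blocked = []
    total = 0
    for entry in parse_query_log(text):
        total += 1
        per_rcode[entry["rcode"]] += 1
        if entry["rcode"] == "REJECT":
            blocked.append(entry["qname"])
        else:
            per_server[entry["server"]] += 1
    return {
        "total": total,
        "per_server": dict(per_server),
        "per_rcode": dict(per_rcode),
        "blocked": blocked,
    }


if __name__ == "__main__":
    report = summarize_query_log(SAMPLE_QUERY_LOG)
    print(f"{report['total']} queries logged")
    for server, n in sorted(report["per_server"].items()):
        print(f"  {server:<14} {n} queries")
    print("blocked names:", ", ".join(report["blocked"]) or "none")
```

Run it against your own log by replacing SAMPLE_QUERY_LOG with the file's contents; if the server names in the report are the ones from server_names in dnscrypt-proxy.toml and the name you blocked shows up under "blocked names", both checks pass.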

Use third-party tools

The command-line tool tcpdump can be used to check whether there is outgoing unencrypted DNS traffic:

sudo tcpdump -n dst port 53 and \
  'not dst net (::1 or 10 or 127 or 172.16/12 or 192.168/16)'
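The filter above reports every packet sent in the clear to port 53, except to loopback and private ranges, where dnscrypt-proxy itself or a local forwarder may legitimately receive plaintext queries. As an added example (not from this page or from dnscrypt-proxy), the script below applies the same classification to saved "tcpdump -n" output, which is useful when you want to review a capture file afterwards rather than watch the live output. The capture lines are constructed, use documentation address ranges, and assume tcpdump's usual "src.port > dst.port:" header layout.

```python
import ipaddress
import re

# The destinations excluded by the tcpdump filter on this page: loopback and
# private ranges. Anything else reached on port 53 is plaintext DNS leaving
# the machine without going through the proxy.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "::1/128", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Packet header as printed by "tcpdump -n" for IPv4 ("IP") and IPv6 ("IP6"):
# timestamp, protocol, src.port > dst.port: ...  (assumed layout)
HEADER_RE = re.compile(
    r"^\S+\s+IP6?\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):")
# Question section as tcpdump prints it for a DNS query, e.g. "A? example.com."
QUESTION_RE = re.compile(r"\s(?P<qtype>[A-Z]+)\?\s+(?P<qname>\S+)")

# Constructed lines in tcpdump -n style (not a real capture).
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP 127.0.0.1.51234 > 127.0.0.1.53: 1001+ A? example.com. (29)",
    "12:00:01.000002 IP 127.0.0.1.53 > 127.0.0.1.51234: 1001 1/0/0 A 203.0.113.5 (45)",
    "12:00:02.000003 IP 192.168.1.10.41010 > 198.51.100.7.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:03.000004 IP 192.168.1.10.55555 > 192.168.1.1.53: 1002+ A? intranet.local. (32)",
    "12:00:04.000005 IP 192.168.1.10.60000 > 198.51.100.53.53: 1003+ AAAA? leaked.example. (33)",
    "12:00:05.000006 IP6 fd00::10.60001 > 2001:db8::53.53: 1004+ A? leaked6.example. (34)",
]


def is_local_destination(addr):
    """True if addr falls in one of the excluded loopback/private networks."""
    ip = ipaddress.ip_address(addr)
    # Membership tests across IP versions simply return False.
    return any(ip in net for net in LOCAL_NETS)


def plaintext_dns_leaks(lines):
    """Return (destination, qtype, qname) for each query sent in clear to port 53
    outside LOCAL_NETS.

    Traffic to other ports (e.g. 443, used by DoH and most DNSCrypt servers) is
    ignored: this check only finds plaintext port-53 traffic, it does not prove
    that what goes elsewhere is encrypted.
    """
    leaks = []
    for line in lines:
        m = HEADER_RE.match(line)
        if not m or m.group("dport") != "53":
            continue
        if is_local_destination(m.group("dst")):
            continue
        q = QUESTION_RE.search(line)
        qtype, qname = (q.group("qtype"), q.group("qname")) if q else ("?", "?")
        leaks.append((m.group("dst"), qtype, qname))
    return leaks


if __name__ == "__main__":
    for dst, qtype, qname in plaintext_dns_leaks(SAMPLE_CAPTURE):
        print(f"plaintext DNS to {dst}: {qtype} {qname}")
```

With the proxy running and all resolvers pointed at it, the list should be empty; every entry names a destination that received a query without going through dnscrypt-proxy.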

Verify DNS provider via DNS Leak test

Another way to verify that dnscrypt-proxy works is to perform a simple DNS leak test, for example using the dnsleaktest.com website. The differences between the Standard and Extended tests are described here: Standard vs Extended.

Below is an example of an extended test with three servers configured via the server_names option in the dnscrypt-proxy.toml file: meganerd (DNSCrypt server by MegaNerd.nl, hosted in Amsterdam), scaleway-fr (DNSCrypt servers donated by Scaleway.com, maintained by Frank Denis, in Paris) and dnscrypt.one (DNSCrypt resolver hosted in Nuremberg, Germany).

,-------------------------------------------------------------------------------------.
| IP             | Hostname                   | ISP          | Country                |
|----------------+----------------------------+--------------+------------------------|
| 209.250.241.25 | jarjar.meganerd.nl.        | Choopa, LLC  | Amsterdam, Netherlands |
| 212.47.228.136 | scaleway-fr.dnscrypt.info. | Scaleway     | France                 |
| 144.91.106.227 | dnscrypt.one.              | Contabo GmbH | Nuremberg, Germany     |
`-------------------------------------------------------------------------------------'

The output should list the server or servers you configured (as in the example above), or the ones dnscrypt-proxy chose itself based on the filters in dnscrypt-proxy.toml (such as the require_{dnssec,nolog,nofilter} and {doh,dnscrypt}_servers options). In the example above everything is fine: the result matches the configuration.

If the DNS leak test shows the configured servers, and the other methods above ("Block a domain", "Enable query logging") behave as described and give the expected results, dnscrypt-proxy is probably working correctly. If, however, the DNS leak test shows a different IP address or server (e.g. your ISP's), it probably means that there is a leak and something is wrong.

NOTE: It is a good idea to redo the DNS leak test, especially after software updates (e.g. of networking-related software), system updates or web browser updates. The absence of a DNS leak today is no guarantee that there won't be one tomorrow.
