DNS name resolution failure

The system is unable to resolve various hosts. I have dnscrypt-proxy2 configured and running, but name resolution is failing. I can resolve names with Cloudflare DNS. How do I fix this?

[Mon Feb 18 20:02:15 root@flux /home/flux] 
# host smtp.gmail.com
;; connection timed out; no servers could be reached

[Mon Feb 18 20:02:30 root@flux /home/flux] 
# host smtp.gmail.com 1.1.1.1
Using domain server:
Name: 1.1.1.1
Address: 1.1.1.1#53
Aliases: 

smtp.gmail.com is an alias for gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com has address 74.125.200.108
gmail-smtp-msa.l.google.com has address 74.125.200.109
gmail-smtp-msa.l.google.com has IPv6 address 2404:6800:4003:c03::6d

resolv.conf -

nameserver 127.0.0.1
options edns0 single-request-reopen

dnscrypt-proxy status

# systemctl status dnscrypt-proxy
● dnscrypt-proxy.service - DNSCrypt-proxy client
   Loaded: loaded (/usr/lib/systemd/system/dnscrypt-proxy.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2019-02-18 18:46:07 PST; 1h 20min ago
     Docs: https://github.com/jedisct1/dnscrypt-proxy/wiki/systemd
 Main PID: 1472 (dnscrypt-proxy)
    Tasks: 12 (limit: 4915)
   Memory: 47.8M
   CGroup: /system.slice/dnscrypt-proxy.service
           └─1472 /usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Feb 18 18:46:17 flux dnscrypt-proxy[1472]: [2019-02-18 18:46:17] [NOTICE] Loading the set of whitelisting rules from [/etc/dnscrypt-proxy/whitelist.txt]
Feb 18 18:46:17 flux dnscrypt-proxy[1472]: [2019-02-18 18:46:17] [NOTICE] Loading the set of blocking rules from [/etc/dnscrypt-proxy/dnscrypt-blacklist-domains.txt]
Feb 18 18:46:18 flux dnscrypt-proxy[1472]: [2019-02-18 18:46:18] [NOTICE] Now listening to 127.0.0.1:53535 [UDP]
Feb 18 18:46:18 flux dnscrypt-proxy[1472]: [2019-02-18 18:46:18] [NOTICE] Now listening to 127.0.0.1:53535 [TCP]
Feb 18 18:46:18 flux dnscrypt-proxy[1472]: [2019-02-18 18:46:18] [NOTICE] Wiring systemd TCP socket #0, dnscrypt-proxy.socket, 127.0.0.1:5335
Feb 18 18:46:18 flux dnscrypt-proxy[1472]: [2019-02-18 18:46:18] [NOTICE] Wiring systemd UDP socket #1, dnscrypt-proxy.socket, 127.0.0.1:5335
Feb 18 18:46:18 flux dnscrypt-proxy[1472]: [2019-02-18 18:46:18] [NOTICE] [adguard-dns] OK (crypto v1) - rtt: 280ms
Feb 18 18:46:18 flux dnscrypt-proxy[1472]: [2019-02-18 18:46:18] [NOTICE] [cisco] OK (crypto v1) - rtt: 61ms
Feb 18 18:46:18 flux dnscrypt-proxy[1472]: [2019-02-18 18:46:18] [NOTICE] Server with the lowest initial latency: cisco (rtt: 61ms)
Feb 18 18:46:18 flux dnscrypt-proxy[1472]: [2019-02-18 18:46:18] [NOTICE] dnscrypt-proxy is ready - live servers: 2

I’ve disabled IPv6 and wish to disable IPv6 name resolution as well, please let me know how to do that.

Have you configured specific DNS resolvers, or is dnscrypt-proxy automatically selecting these?

https://wiki.archlinux.org/index.php/Dnscrypt-proxy#Select_resolver

I notice most are available as foo-dns and foo-dns-ipv6…
https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md

I’ve configured cloudflare, cisco, opennic, adguard, etc. There is a resolver.md file and the ones in use are picked from there.

Curious where you installed your dnscrypt-proxy service from…

Note that your service isn’t listening on port 53 (see the red in the above).
You should re-configure your proxy service to listen on 53 or configure your resolv.conf DNS server for 127.0.0.1 53535.

The following is the documentation for configuring dnscrypt proxy 2 using systemd.

TSU

Some additional info regarding dnsmasq and dnscrypt-proxy2

# systemctl status dnsmasq                                           
● dnsmasq.service - DNS caching server.
   Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: disabled)
  Drop-In: /run/systemd/generator/dnsmasq.service.d
           └─50-insserv.conf-$named.conf
   Active: active (running) since Tue 2019-02-19 02:05:10 PST; 4s ago
  Process: 6519 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUCCESS)
 Main PID: 6520 (dnsmasq)
    Tasks: 1 (limit: 4915)
   Memory: 1.0M
   CGroup: /system.slice/dnsmasq.service
           └─6520 /usr/sbin/dnsmasq --log-async --enable-dbus --keep-in-foreground

Feb 19 02:05:10 flux dnsmasq[6520]: compile time options: IPv6 GNU-getopt DBus i18n IDN2 DHCP DHCPv6 Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify dumpfile
Feb 19 02:05:10 flux dnsmasq[6519]: dnsmasq: syntax check OK.
Feb 19 02:05:10 flux systemd[1]: Started DNS caching server..
Feb 19 02:05:10 flux dnsmasq[6520]: DBus support enabled: connected to system bus
Feb 19 02:05:10 flux dnsmasq[6520]: DNSSEC validation enabled
Feb 19 02:05:10 flux dnsmasq[6520]: configured with trust anchor for <root> keytag 20326
Feb 19 02:05:10 flux dnsmasq[6520]: configured with trust anchor for <root> keytag 19036
Feb 19 02:05:10 flux dnsmasq[6520]: asynchronous logging enabled, queue limit is 5 messages
Feb 19 02:05:10 flux dnsmasq[6520]: using nameserver 127.0.0.1#5335
Feb 19 02:05:10 flux dnsmasq[6520]: read /etc/hosts - 6 addresses

# systemctl status dnscrypt-proxy               
● dnscrypt-proxy.service - DNSCrypt-proxy client
   Loaded: loaded (/usr/lib/systemd/system/dnscrypt-proxy.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-02-19 02:18:40 PST; 2s ago
     Docs: https://github.com/jedisct1/dnscrypt-proxy/wiki/systemd
 Main PID: 7611 (dnscrypt-proxy)
    Tasks: 12 (limit: 4915)
   Memory: 42.9M
   CGroup: /system.slice/dnscrypt-proxy.service
           └─7611 /usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Feb 19 02:18:40 flux systemd[1]: Started DNSCrypt-proxy client.
Feb 19 02:18:40 flux dnscrypt-proxy[7611]: [2019-02-19 02:18:40] [NOTICE] Source [/var/lib/dnscrypt-proxy/public-resolvers.md] loaded
Feb 19 02:18:40 flux dnscrypt-proxy[7611]: [2019-02-19 02:18:40] [NOTICE] dnscrypt-proxy 2.0.19
Feb 19 02:18:40 flux dnscrypt-proxy[7611]: [2019-02-19 02:18:40] [NOTICE] Loading the set of whitelisting rules from [/etc/dnscrypt-proxy/whitelist.txt]
Feb 19 02:18:40 flux dnscrypt-proxy[7611]: [2019-02-19 02:18:40] [NOTICE] Loading the set of blocking rules from [/etc/dnscrypt-proxy/dnscrypt-blacklist-domains.txt]
Feb 19 02:18:40 flux dnscrypt-proxy[7611]: [2019-02-19 02:18:40] [NOTICE] Wiring systemd TCP socket #0, dnscrypt-proxy.socket, 127.0.0.1:5335
Feb 19 02:18:40 flux dnscrypt-proxy[7611]: [2019-02-19 02:18:40] [NOTICE] Wiring systemd UDP socket #1, dnscrypt-proxy.socket, 127.0.0.1:5335
Feb 19 02:18:41 flux dnscrypt-proxy[7611]: [2019-02-19 02:18:41] [NOTICE] [adguard-dns] OK (crypto v1) - rtt: 275ms
Feb 19 02:18:41 flux dnscrypt-proxy[7611]: [2019-02-19 02:18:41] [NOTICE] [cisco] OK (crypto v1) - rtt: 64ms

Configuration files are as such -

cat /etc/dnsmasq.conf
port=5353
domain-needed
bogus-priv
conf-file=/etc/dnsmasq.d/trust-anchors.conf
dnssec
dnssec-check-unsigned
no-resolv
listen-address=127.0.0.1

# cat /etc/dnscrypt-proxy/dnscrypt-proxy.toml
server_names = ['cloudflare', 'cisco', 'adguard-dns', 'fv-anyone', 'fvz-anytwo']
listen_addresses = []
max_clients = 250
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
doh_servers = true
require_dnssec = false
require_nolog = true
require_nofilter = true
force_tcp = true
 proxy = "socks5://127.0.0.1:9050"
timeout = 2500
keepalive = 30
 log_level = 2
 log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log'
cert_refresh_delay = 240
fallback_resolver = '9.9.9.9:53'
ignore_system_dns = false
netprobe_timeout = 60
log_files_max_size = 10
log_files_max_age = 7
log_files_max_backups = 1
block_ipv6 = true
cache = true
cache_size = 512
cache_min_ttl = 600
cache_max_ttl = 86400
cache_neg_min_ttl = 60
cache_neg_max_ttl = 600
[query_log]
   file = '/var/log/dnscrypt-proxy/query.log'
  format = 'tsv'
  ignored_qtypes = ['DNSKEY', 'NS']
[nx_log]
  format = 'tsv'
[blacklist]
    blacklist_file = '/etc/dnscrypt-proxy/dnscrypt-blacklist-domains.txt'
[ip_blacklist]
[whitelist]
  whitelist_file = '/etc/dnscrypt-proxy/whitelist.txt'
  log_file = '/var/log/dnscrypt-proxy/whitelisted.log'
  log_format = 'tsv'
[schedules]
[sources]
  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
  cache_file = '/var/lib/dnscrypt-proxy/public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''
[static]
   [static.'google']
   stamp = 'sdns://AgUAAAAAAAAAAAAOZG5zLmdvb2dsZS5jb20NL2V4cGVyaW1lbnRhbA'

This is driving me crazy, I spent 4 days building the workstation but don’t understand why this doesn’t work.

There is a socket file under systemd and the contents of it are logical.

# cat /etc/systemd/system/multi-user.target.wants/dnscrypt-proxy.service
[Unit]
Description=DNSCrypt-proxy client
Documentation=https://github.com/jedisct1/dnscrypt-proxy/wiki/systemd

## adapted for openSUSE Leap 42.2 with systemd 228

Requires=dnscrypt-proxy.socket
Before=nss-lookup.target
Wants=nss-lookup.target

[Service]
ExecStart=/usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
RuntimeDirectory=dnscrypt-proxy
WorkingDirectory=~
Group=dnscrypt-proxy
User=dnscrypt-proxy

[Install]
Also=dnscrypt-proxy.socket
WantedBy=multi-user.target


# systemctl status dnscrypt-proxy.socket
● dnscrypt-proxy.socket - DNSCrypt-proxy socket
   Loaded: loaded (/usr/lib/systemd/system/dnscrypt-proxy.socket; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-02-19 01:04:31 PST; 1h 26min ago
     Docs: https://github.com/jedisct1/dnscrypt-proxy/wiki/systemd
   Listen: 127.0.0.1:5335 (Stream)
           127.0.0.1:5335 (Datagram)
    Tasks: 0 (limit: 4915)
   Memory: 12.0K
   CGroup: /system.slice/dnscrypt-proxy.socket

Feb 19 01:04:31 flux systemd[1]: Listening on DNSCrypt-proxy socket.

Some additional detail - dnscrypt-proxy can’t resolve addresses

dnscrypt-proxy -resolve opensuse.org 
Resolving [opensuse.org]

Domain exists:  probably not, or blocked by the proxy
Canonical name: -
IP addresses:   -
TXT records:    -

I’ve fixed this issue. Configured wildcard address in dnsmasq as bind-interfaces
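The port mismatch discussed in this thread can be checked mechanically by walking the chain resolv.conf -> dnsmasq -> dnscrypt-proxy and confirming each hop points at an endpoint that something listens on. The following is an added example, not code from any post in the thread; the inputs are constructed from the values posted above, and the `server=` line is an assumption inferred from dnsmasq's "using nameserver 127.0.0.1#5335" log line.

```python
import re

# Constructed inputs: values are the ones posted in this thread; the server=
# line is an assumption inferred from dnsmasq's "using nameserver" log entry.
RESOLV_CONF = "nameserver 127.0.0.1\noptions edns0 single-request-reopen\n"
DNSMASQ_CONF = "port=5353\nno-resolv\nlisten-address=127.0.0.1\nserver=127.0.0.1#5335\n"
JOURNAL = """\
[NOTICE] Wiring systemd TCP socket #0, dnscrypt-proxy.socket, 127.0.0.1:5335
[NOTICE] Wiring systemd UDP socket #1, dnscrypt-proxy.socket, 127.0.0.1:5335
"""

def stub_targets(resolv_conf):
    """resolv.conf has no port field: the libc stub resolver always queries port 53."""
    return [(m.group(1), 53) for m in re.finditer(r"^nameserver\s+(\S+)", resolv_conf, re.M)]

def dnsmasq_hop(conf):
    """Return (listen endpoints, upstream endpoints) parsed from dnsmasq.conf text."""
    opts = [l.split("=", 1) for l in conf.splitlines() if "=" in l and not l.startswith("#")]
    port = next((int(v) for k, v in opts if k.strip() == "port"), 53)  # dnsmasq default is 53
    listen = [(v.strip(), port) for k, v in opts if k.strip() == "listen-address"]
    upstream = []
    for k, v in opts:
        if k.strip() == "server":
            host, _, p = v.strip().partition("#")  # dnsmasq writes host#port
            upstream.append((host, int(p or 53)))
    return listen, upstream

def proxy_listeners(journal):
    """Endpoints dnscrypt-proxy reports in its startup log."""
    pat = r"(?:Now listening to|Wiring systemd \w+ socket #\d+, \S+) (\d+\.\d+\.\d+\.\d+):(\d+)"
    return {(h, int(p)) for h, p in re.findall(pat, journal)}

def check_chain(resolv_conf, dnsmasq_conf, journal):
    """Walk stub -> dnsmasq -> dnscrypt-proxy and return a list of broken hops."""
    listen, upstream = dnsmasq_hop(dnsmasq_conf)
    proxy = proxy_listeners(journal)
    problems = []
    for ep in stub_targets(resolv_conf):
        if ep not in listen and ep not in proxy:
            problems.append("resolv.conf -> %s:%d has no listener" % ep)
    for ep in upstream:
        if ep not in proxy:
            problems.append("dnsmasq -> %s:%d has no listener" % ep)
    return problems

if __name__ == "__main__":
    for line in check_chain(RESOLV_CONF, DNSMASQ_CONF, JOURNAL) or ["chain is consistent"]:
        print(line)
```

The check only compares explicit `listen-address` entries; a dnsmasq configuration without one listens on all interfaces and would need that case added. On a live host, compare the result with the sockets reported by `ss -lntu`.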