Checking
Once everything has been set up, if you want to verify that your DNS traffic is actually encrypted and authenticated, here are a couple of things you can try:

On Unix systems, the following command will pause the proxy:

```sh
pkill -STOP dnscrypt-proxy
```

If applications cannot resolve anything now (e.g. no website is reachable), it probably means that all your DNS traffic was going through the proxy, and was therefore encrypted and authenticated.

To resume execution, use the following command:

```sh
pkill -CONT dnscrypt-proxy
```

Alternatively, you can completely stop and restart it (e.g. using the systemd `systemctl(1)` utility, the `service(8)` command, etc.).

On Windows systems, you can stop/start the service.
Add a filter to block a name that is very likely to resolve under normal circumstances. If you can't access it any more, it means that your DNS traffic is using the proxy, and is therefore encrypted. If you still can, make sure to flush your DNS cache and restart the dnscrypt-proxy service.

Enable query logging, use your device normally, and check that the log file gets filled with the queries you just made.
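Reading the query log by hand works for a quick look, but a small script makes the check repeatable: every query should have been answered either locally (cache, block rules) or by one of the servers you configured. The example below is added here and is not part of the dnscrypt-proxy wiki or project; it assumes the `tsv` query log format (one tab-separated line per query: bracketed timestamp, client, name, type, result, duration, server) and that locally answered queries carry `-` in the server column. The log lines and the server names are constructed sample data; adapt `parse_line()` if your log format differs.

```python
"""Summarize a dnscrypt-proxy query log and flag queries served by an unexpected upstream.

Added example, not project code. Assumes the 'tsv' query log layout:
[timestamp]<TAB>client<TAB>qname<TAB>qtype<TAB>result<TAB>duration<TAB>server
"""
from collections import Counter

# Constructed sample log (not a real capture). The server names mirror the
# three resolvers used in the leak-test example further down the page.
SAMPLE_LOG = [
    "[2024-01-01 10:00:01]\t127.0.0.1\texample.com\tA\tPASS\t12ms\tmeganerd",
    "[2024-01-01 10:00:02]\t127.0.0.1\texample.com\tAAAA\tPASS\t0ms\t-",        # assumed: cached answer
    "[2024-01-01 10:00:03]\t127.0.0.1\tads.example\tA\tREJECT\t0ms\t-",         # assumed: blocked locally
    "[2024-01-01 10:00:04]\t127.0.0.1\texample.org\tA\tPASS\t25ms\tscaleway-fr",
    "[2024-01-01 10:00:05]\t127.0.0.1\texample.net\tA\tPASS\t40ms\tsomething-else",
    "this line is malformed and should be skipped",
]

# The server_names you expect to see (constructed to match the page's example).
EXPECTED_SERVERS = {"meganerd", "scaleway-fr", "doh-fi-snopyta"}

LOCAL_MARKER = "-"  # assumption: server column for answers not sent upstream


def parse_line(line):
    """Split one tsv log line into a dict, or return None for lines that do not fit."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 7:
        return None
    return {
        "timestamp": fields[0].strip("[]"),
        "client": fields[1],
        "qname": fields[2],
        "qtype": fields[3],
        "result": fields[4],
        "duration": fields[5],
        "server": fields[6],
    }


def summarize(lines, expected_servers):
    """Return (queries per server, list of 'qname via server' for unexpected upstreams)."""
    per_server = Counter()
    unexpected = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or partial lines
        per_server[rec["server"]] += 1
        if rec["server"] != LOCAL_MARKER and rec["server"] not in expected_servers:
            unexpected.append(f"{rec['qname']} via {rec['server']}")
    return per_server, unexpected


if __name__ == "__main__":
    counts, bad = summarize(SAMPLE_LOG, EXPECTED_SERVERS)
    for server, n in counts.most_common():
        print(f"{server:>16}: {n} queries")
    for entry in bad:
        print(f"unexpected upstream: {entry}")
```

An empty `unexpected` list after a normal browsing session, together with non-zero counts for your configured servers, is the result this check is looking for. A log that stays empty while the device is in use means the queries are not reaching dnscrypt-proxy at all.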
The command-line tool `tcpdump` can be used to see if there is outgoing non-encrypted traffic:

```sh
sudo tcpdump -n dst port 53 and \
  'not dst net (::1 or 10 or 127 or 172.16/12 or 192.168/16)'
```
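The filter above only prints packets that go to port 53 on a host outside the loopback and private ranges, which is where plaintext DNS would show up if something bypasses the proxy. The following added example (not part of the wiki or of dnscrypt-proxy) reproduces that decision in Python, so a list of destinations pulled from a capture can be audited offline and the meaning of the filter is explicit. The flow list is constructed sample data using documentation address ranges.

```python
"""Classify captured destinations the way the tcpdump filter on this page does.

Added example, not project code: a flow is a plaintext-DNS candidate when it
targets port 53 on a host that is not loopback or in a private network.
"""
import ipaddress

# Networks the tcpdump filter excludes with 'not dst net (...)'. The local
# dnscrypt-proxy listener normally lives in one of these, so port-53 traffic
# to them is expected rather than a leak.
LOCAL_NETS = [
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_local(dst_ip: str) -> bool:
    """True if the address falls inside one of the excluded networks."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in LOCAL_NETS)


def is_plaintext_dns_candidate(dst_ip: str, dst_port: int) -> bool:
    """Mirror of the tcpdump expression: destination port 53 and not a local net."""
    return dst_port == 53 and not is_local(dst_ip)


def audit(flows):
    """Return the (dst_ip, dst_port) pairs that the tcpdump filter would display."""
    return [(ip, port) for ip, port in flows if is_plaintext_dns_candidate(ip, port)]


# Constructed sample: (destination IP, destination port) pairs such as one
# might extract from a capture. Not real traffic.
SAMPLE_FLOWS = [
    ("127.0.0.1", 53),      # query to the local proxy: expected
    ("::1", 53),            # same over IPv6 loopback: expected
    ("192.168.1.1", 53),    # LAN router: excluded by the filter
    ("203.0.113.10", 443),  # encrypted resolver on 443: not port 53
    ("203.0.113.20", 53),   # plaintext DNS to a public host: candidate
    ("198.51.100.5", 53),   # another candidate
]

if __name__ == "__main__":
    for ip, port in audit(SAMPLE_FLOWS):
        print(f"possible unencrypted DNS: {ip}:{port}")
```

One caveat the script makes visible: because the filter excludes the private ranges, a machine that still sends plaintext queries to a LAN router on port 53 produces no output, so an empty capture alone does not prove that the proxy is in use; combine it with the pause or block-a-domain checks above.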
Another thing you can do to verify that dnscrypt-proxy works is to perform a simple DNS leak test, for example using the dnsleaktest.com website. The differences between the Standard and Extended tests are described in its "Standard vs Extended" comparison.

Below is an example output of an extended DNS leak test, with three servers configured via the `server_names` option in the `dnscrypt-proxy.toml` file: meganerd (DNSCrypt server by MegaNerd.nl, hosted in Amsterdam), scaleway-fr (DNSCrypt servers donated by Scaleway.com, maintained by Frank Denis) and doh-fi-snopyta (DoH server in Finland, run by Noah Seefried).
```
,-------------------------------------------------------------------------------------------------.
| IP             | Hostname                   | ISP                 | Country                    |
'-------------------------------------------------------------------------------------------------'
| 209.250.241.25 | jarjar.meganerd.nl.        | Choopa, LLC         | Amsterdam, Netherlands     |
| 212.47.228.136 | scaleway-fr.dnscrypt.info. | Scaleway            | France                     |
| 95.216.24.230  | 95.216.24.230.             | Hetzner Online GmbH | Helsinki, Finland          |
`-------------------------------------------------------------------------------------------------'
```
The output should contain information about the server or servers configured by the user (as in the example above), or chosen by dnscrypt-proxy itself based on the filters available in the `dnscrypt-proxy.toml` file, such as the `require_{dnssec,nolog,nofilter}` and `{doh,dnscrypt}_servers` options.

If the DNS leak test points to the configured servers, and the methods mentioned above (blocking a domain, enabling query logging) behave as described and give the expected results, then dnscrypt-proxy is probably running correctly. However, if the DNS leak test shows a different IP address or server, e.g. your ISP's, it probably means that there is a leak and something is wrong.
In some cases, if you want to run dnscrypt-proxy as a non-root user, you will get the error:

```
[FATAL] listen udp 0.0.0.0:53: bind: permission denied
```

To solve this, run the following command to allow dnscrypt-proxy to bind to a privileged (low-numbered) port without running as root:

```sh
sudo setcap cap_net_bind_service=+ep $(which dnscrypt-proxy)
```

The capability is stored on the executable file itself, so it has to be applied again whenever the dnscrypt-proxy binary is replaced by an update.