Checking
Once everything has been set up, if you want to verify that your DNS traffic is actually encrypted and authenticated, here are a few things you can try:
On Unix systems the following commands will pause the proxy:
pkill -STOP dnscrypt-proxy
If applications cannot resolve anything now (e.g. no website is available and/or reachable), it probably means that all your DNS traffic was going through the proxy, and was therefore encrypted and authenticated.
To resume execution, use the following command:
pkill -CONT dnscrypt-proxy
Alternatively, on Linux, you can completely stop the service (dnscrypt-proxy shouldn't resolve anything while it is stopped) and start it again using e.g. the systemd systemctl(1) utility (the service manager on distributions that have switched to systemd) or the service(8) command (which also works on distributions that have migrated to systemd). Here are examples:
sudo systemctl stop dnscrypt-proxy
sudo systemctl start dnscrypt-proxy
sudo service dnscrypt-proxy stop
sudo service dnscrypt-proxy start
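The pause/resolve/resume check above is easy to leave half-done (a forgotten pkill -CONT means no DNS at all), and a locally cached answer can make a paused proxy look like a leak. The script below is an added example, not part of the dnscrypt-proxy project, that runs the check with the proxy guaranteed to be resumed and probes through the system resolver, the way applications do. It assumes Linux (pkill and getent available), a process named dnscrypt-proxy, a system resolver that points at the proxy, and two constructed test names (example.com, example.net); run it as root or via sudo so it may signal the proxy.

```shell
#!/bin/sh
# Added example, not part of the dnscrypt-proxy project: scripts the
# pause / resolve / resume check so the proxy is always resumed, even if
# you hit Ctrl-C while it is stopped.
# Assumptions: Linux with pkill(1) and getent(1); the proxy process is
# named "dnscrypt-proxy"; the system resolver points at the proxy.
NAME="${NAME:-example.com}"     # constructed: a name that normally resolves
FRESH="${FRESH:-example.net}"   # constructed: a name NOT looked up recently,
                                # so no local cache can answer it during the pause

# Resolve a name through the *system* resolver, exactly as applications do.
# Prints "ok" when an address comes back, "fail" on timeout or error.
# With the proxy paused this waits for the stub resolver's own timeout.
probe() {
    if getent hosts "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Turn the probe results (before, during and after the pause) into a verdict.
verdict() {
    before="$1"; during="$2"; after="$3"
    if [ "$before" = fail ]; then
        echo "INCONCLUSIVE: resolution fails even with the proxy running; fix the setup first"
    elif [ "$during" = ok ]; then
        echo "LEAK: a name still resolves while the proxy is paused; a cache or another resolver answered (flush the DNS cache, check /etc/resolv.conf, retry)"
    elif [ "$after" = fail ]; then
        echo "INCONCLUSIVE: resolution did not come back after SIGCONT; check the service"
    else
        echo "PASS: resolution stops while the proxy is paused, so DNS traffic goes through dnscrypt-proxy"
    fi
}

run_check() {
    before=$(probe "$NAME")
    # Whatever happens from here on, resume the proxy on exit.
    trap 'pkill -CONT dnscrypt-proxy' EXIT INT TERM
    pkill -STOP dnscrypt-proxy || { echo "dnscrypt-proxy is not running"; return 2; }
    during=$(probe "$FRESH")
    pkill -CONT dnscrypt-proxy
    trap - EXIT INT TERM
    after=$(probe "$FRESH")
    verdict "$before" "$during" "$after"
}

# Usage: sudo sh check-proxy.sh run
if [ "${1:-}" = run ]; then
    run_check
fi
```

The "during" probe uses a name that was not queried just before the pause on purpose: a local cache (nscd, systemd-resolved) would otherwise serve the answer cached by the "before" probe and the check would wrongly report a leak.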
On Windows systems, you can achieve similar results simply by closing the application and starting it again. One way is the "Task Manager" (press Ctrl+Alt+Delete and click "Task Manager" on the screen, or just press Ctrl+Shift+Esc), where you can end the process and then start it again.
Add a filter to block a name that is very likely to resolve under normal circumstances.
If you can't access it any more, it means that your DNS traffic is going through the proxy and is therefore encrypted. If you still can, flush your DNS cache, restart the dnscrypt-proxy service and try again.
Enable query logging, use your device normally, and check that the log file gets filled by queries you just made.
The command-line tool tcpdump can be used to see if there is outgoing non-encrypted traffic:
sudo tcpdump -n dst port 53 and \
'not dst net (::1 or 10 or 127 or 172.16/12 or 192.168/16)'
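A raw tcpdump stream is hard to read at a glance when something does leak. The script below is an added example, not part of the dnscrypt-proxy project, that summarises the default tcpdump -n text output of the filter above into one line per destination resolver (address, number of plaintext queries, distinct names), plus a CLEAN/LEAK verdict. It assumes the standard tcpdump line layout (timestamp, IP/IP6, src.port > dst.port: id flags TYPE? name (len)) and ships with a constructed sample capture so it can be tried offline; the tcpdump invocation in the live mode is the page's own filter.

```shell
#!/bin/sh
# Added example, not part of the dnscrypt-proxy project: summarise the
# plaintext DNS queries reported by `tcpdump -n dst port 53`, so you can
# see which resolvers were contacted in the clear and for which names.
# Assumes the default tcpdump -n text layout, e.g.
#   12:00:01.000001 IP 192.168.1.23.51000 > 8.8.8.8.53: 12345+ A? example.com. (29)

# Constructed sample output (not a real capture): three queries to two
# public IPv4 resolvers and one over IPv6.
SAMPLE='12:00:01.000001 IP 192.168.1.23.51000 > 8.8.8.8.53: 12345+ A? example.com. (29)
12:00:01.000002 IP 192.168.1.23.51001 > 8.8.8.8.53: 12346+ AAAA? example.com. (29)
12:00:02.000003 IP 192.168.1.23.51002 > 1.1.1.1.53: 12347+ A? update.example.net. (36)
12:00:03.000004 IP6 2001:db8::10.51003 > 2001:db8::53.53: 12348+ A? example.org. (29)'

# Read tcpdump lines on stdin; print one line per destination resolver:
#   <dst ip> <query count> <comma-separated distinct names>
summarize_plaintext_dns() {
    awk '
    # Client queries look like "... > <dst>.53: <id><flags> <TYPE>? <name> (<len>)"
    / > [^ ]+\.53: / {
        dst = $5; sub(/:$/, "", dst); sub(/\.53$/, "", dst)   # strip ":" and port
        name = ""
        for (i = 6; i <= NF; i++) if ($i ~ /\?$/) { name = $(i + 1); break }
        if (name == "") next
        count[dst]++
        key = dst SUBSEP name
        if (!(key in seen)) {
            seen[key] = 1
            names[dst] = (names[dst] == "" ? name : names[dst] "," name)
        }
    }
    END { for (d in count) printf "%s %d %s\n", d, count[d], names[d] }
    ' | LC_ALL=C sort
}

# One-line verdict for a capture on stdin: CLEAN when nothing matched, LEAK otherwise.
assess_capture() {
    summary=$(summarize_plaintext_dns)
    if [ -z "$summary" ]; then
        echo "CLEAN: no plaintext DNS queries left the host"
    else
        resolvers=$(printf '%s\n' "$summary" | wc -l | tr -d ' ')
        queries=$(printf '%s\n' "$summary" | awk '{ s += $2 } END { print s + 0 }')
        echo "LEAK: $queries plaintext queries to $resolvers resolver(s)"
    fi
}

# Usage:
#   sh dns-leak-summary.sh sample   (runs on the constructed sample above)
#   sh dns-leak-summary.sh live     (captures 50 packets; needs root)
if [ "${1:-}" = live ]; then
    sudo tcpdump -l -n -c 50 dst port 53 and \
        'not dst net (::1 or 10 or 127 or 172.16/12 or 192.168/16)' | assess_capture
elif [ "${1:-}" = sample ]; then
    printf '%s\n' "$SAMPLE" | summarize_plaintext_dns
    printf '%s\n' "$SAMPLE" | assess_capture
fi
```

Only queries (lines with a TYPE? field) are counted, so the -l flag matters in live mode: without line buffering the summary only appears once tcpdump exits.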
Another way to check that dnscrypt-proxy works correctly is to perform a simple DNS leak test, for example on the dnsleaktest.com website. The differences between the Standard and Extended tests are, in short, the number of rounds and queries. Additional information that should help you decide which test suits you better can be found here: Standard vs Extended.
Below is an example of the Extended test with two resolvers configured via the server_names option (cf. the dnscrypt-proxy.toml configuration file). Resolvers used: scaleway-fr (a DNSCrypt server donated by Scaleway.com, hosted in Paris, France) and switch (a public DoH service provided by SWITCH, Switzerland).
,----------------------------------------------------------------------------------------------------------.
| IP             | Hostname                   | ISP                                  | Country             |
'----------------------------------------------------------------------------------------------------------'
| 212.47.228.136 | scaleway-fr.dnscrypt.info. | Scaleway                             | France              |
| 130.59.118.147 | kirby.switch.ch.           | Swiss Education and Research Network | Zurich, Switzerland |
`----------------------------------------------------------------------------------------------------------'
The result should contain information about the server or servers configured by the user (as in the example above) or chosen by dnscrypt-proxy itself (based on the filters and other options available in the dnscrypt-proxy.toml configuration file). As we can see above, everything is okay: the result matches the configuration.
If the DNS leak test and the other methods described above (blocking a domain, enabling query logging, etc.) work and show the expected results, then dnscrypt-proxy is probably working correctly. However, if the DNS leak test shows a different IP address (e.g. your ISP's resolver), there is a high probability that DNS data is leaking to your Internet Service Provider. In short: a DNS leak is a privacy/security vulnerability.
NOTE: It is a good idea to redo the DNS leak test, especially after software updates (e.g. networking-related ones), system updates or web browser updates. The absence of a DNS leak today does not guarantee there won't be one tomorrow.
In some cases, if you run dnscrypt-proxy as a non-root user, you'll get the error "[FATAL] listen udp 0.0.0.0:53: bind: permission denied". To solve this, run the following command, which grants the dnscrypt-proxy binary the capability to bind to a privileged port (below 1024) without running as root:
sudo setcap cap_net_bind_service=+ep $(which dnscrypt-proxy)