DNSCrypt / dnscrypt-server-docker

A Docker image for a non-censoring, non-logging, DNSSEC-capable, DNSCrypt-enabled DNS resolver

Home Page:https://dnscrypt.info

Configuring DNSCrypt Server for Anonymized DNS

LJG5000 opened this issue · comments

I apologize if this is not the correct forum to address this question/issue. I recently installed a docker image/DNSCrypt Server. The server is operational and resolving addresses. I want to be able to use this server in conjunction with a DNSCrypt Proxy, configuring both the server and proxy to support anonymized DNS. I am aware of how to configure the dnscrypt proxy to access the new server as well as available relays world-wide.

However, I am unclear on how to configure the server to support anonymized DNS using the docker container. Using the container I am unclear, for example, on how to edit the encrypted-dns.toml file to allow for anonymized DNS, and I am also unclear if using the -A parameter with the init command to create the docker container would render my server a relay and/or allow it to be configured with anonymized DNS capabilities.

Hi,

Adding -A to the docker run command enables support for anonymized DNS. When the container starts, both the stamp of the server and the stamp of the relay will be printed.

There is no need to edit the encrypted-dns.toml file.

Well I put a new container in place using the -A init parameter:

```sh
docker run --name=dnscrypt-server -p 443:443/udp -p 443:443/tcp --net=host \
--ulimit nofile=90000:90000 --restart=unless-stopped \
-v /etc/dnscrypt-server/keys:/opt/encrypted-dns/etc/keys \
jedisct1/dnscrypt-server init -A -N XXXX.net -E XXX.XX.XX.XX:443
```

It did generate the stamp for both the relay and server and the container is running successfully and the server is resolving with a static stamp entry:

```toml
[static]
  # [static.'myserver']
  # stamp = 'sdns://AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'
```

But when I try to enable anonymized DNS by:

Updating the proxy server toml file with the new server/provider name (start of dnscrypt-proxy.toml file):

```toml
server_names= [2.dnscrypt-cert.XXXX.net]
```

And add the provider name to the Anonymized DNS route section:

```toml
routes = [
    { server_name='2.dnscrypt-cert.XXXX.net', via=['anon-example-1', 'anon-example-2'] },
#    { server_name='example-server-2', via=['sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM'] }
 ]
```

And disable the static entry.

Dnscrypt-proxy is unable to start. My first guess is that the server must be on the Dnscrypt public directory, which this one isn't (I am still learning), since I believe the server names section, except when there is a static entry, reads off of the public list. But right now I want to enable anonymized DNS and keep the server private.

I wish I was in Paris now :-)
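Before any name can be routed, the stamp behind it has to describe a reachable server. The decoder below is an added example written for this page, not code from the thread, from dnscrypt-server-docker or from dnscrypt-proxy; it implements the published DNS stamp encoding (`sdns://` plus unpadded base64url, one-byte length prefixes) for DNSCrypt, DNSCrypt-relay and DoH stamps and flags what would make a stamp unusable as a `[static]` server entry. Run on the two stamps quoted in the post, it shows the static entry carries an empty address and an empty provider public key (it is the placeholder line from the config template, not a stamp the container printed), while the commented route entry is a relay stamp, which belongs in a route's `via` list rather than in `server_names`.

```python
"""Decoder for DNS stamps (the sdns://... strings printed by the server
container and consumed by dnscrypt-proxy). Added example, not project code.

Wire format, after "sdns://" and base64url decoding (padding stripped):
  0x01  DNSCrypt : props u64 LE, LP(addr), LP(provider pk), LP(provider name)
  0x81  relay    : LP(addr)
  0x02  DoH      : props u64 LE, LP(addr), VLP(cert hashes), LP(host), LP(path)
LP = one length byte then that many bytes; VLP = a run of LPs where bit 7 of
the length byte is set while more entries follow.
"""
import base64

PROPERTY_BITS = ((1, "DNSSEC"), (2, "NoLog"), (4, "NoFilter"))


def _b64url_decode(s: str) -> bytes:
    # Stamps drop the '=' padding; base64 wants it back.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class _Reader:
    def __init__(self, raw: bytes):
        self.raw, self.pos = raw, 0

    def take(self, n: int) -> bytes:
        chunk = self.raw[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated stamp")
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u64le(self) -> int:
        return int.from_bytes(self.take(8), "little")

    def lp(self) -> bytes:
        return self.take(self.u8())

    def vlp(self) -> list:
        items = []
        while True:
            n = self.u8()
            items.append(self.take(n & 0x7F))
            if not n & 0x80:
                return items


def _props(bits: int) -> list:
    return [name for bit, name in PROPERTY_BITS if bits & bit]


def decode_stamp(stamp: str) -> dict:
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    rd = _Reader(_b64url_decode(stamp[len("sdns://"):]))
    proto = rd.u8()
    if proto == 0x01:
        props = rd.u64le()
        return {"protocol": "DNSCrypt", "properties": _props(props),
                "address": rd.lp().decode(), "public_key": rd.lp().hex(),
                "provider_name": rd.lp().decode()}
    if proto == 0x81:
        return {"protocol": "DNSCryptRelay", "address": rd.lp().decode()}
    if proto == 0x02:
        props = rd.u64le()
        return {"protocol": "DoH", "properties": _props(props),
                "address": rd.lp().decode(),
                "hashes": [h.hex() for h in rd.vlp() if h],
                "hostname": rd.lp().decode(), "path": rd.lp().decode()}
    raise ValueError(f"unsupported stamp protocol 0x{proto:02x}")


def static_entry_problems(stamp: str) -> list:
    """Reasons a stamp would not work as a [static] *server* entry."""
    info = decode_stamp(stamp)
    if info["protocol"] == "DNSCryptRelay":
        return ["relay stamp: usable in a route's via list, not as a server"]
    problems = []
    if not info["address"]:
        problems.append("empty address")
    if info["protocol"] == "DNSCrypt":
        key_len = len(info["public_key"]) // 2   # hex -> bytes
        if key_len != 32:
            problems.append(f"provider public key is {key_len} bytes, expected 32")
    return problems


if __name__ == "__main__":
    for s in ("sdns://AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg",   # static entry quoted above
              "sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM"):           # relay stamp from the route template
        print(decode_stamp(s), static_entry_problems(s))
```

The check to run on a real deployment is `static_entry_problems()` against the server stamp the container prints at startup: it should come back empty, with a non-empty address, a 32-byte provider key and a provider name beginning with `2.dnscrypt-cert.`.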

> ```toml
> server_names= [2.dnscrypt-cert.XXXX.net]
> ```

Server names need to be within quotes, or else the configuration file is invalid.

> And add the provider name to the Anonymized DNS route section:
>
> ```toml
> routes = [
>     { server_name='2.dnscrypt-cert.XXXX.net', via=['anon-example-1', 'anon-example-2'] },
> #    { server_name='example-server-2', via=['sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM'] }
>  ]
> ```

Remove the `,` since this is now the last entry. I don't think TOML accepts trailing commas when there is no content afterwards.

> I wish I was in Paris now :-)

Not me. With COVID cases higher than ever and a new big wave of protests about to start, Paris is not a place to be right now.

> My first guess is that the server must be on the Dnscrypt public directory

I don't think so. If it is in the [static] section, you can use its name in relay routes.
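Putting the two corrections (quoted names, no trailing comma) together with the point that a `[static]` entry can be referenced by name, this is the shape of a `dnscrypt-proxy.toml` for a private server reached through relays. It is an added example written for this page, not the thread's configuration or the project's own; `myserver`, the relay names and the `sdns://...` values are placeholders, to be replaced with the server stamp the container prints at startup and with relay names from the `relays` source.

```toml
# Added example (not the thread's config): the three sections that have to agree.
# Placeholders: 'myserver', 'anon-relay-a', 'anon-relay-b', the stamp value.

# 1. Names only, always quoted. Each name must exist in a loaded source
#    (public-resolvers) or in [static] below.
server_names = ['myserver']

# 2. The private server, keyed by the same name. It does not have to be in
#    the public list as long as it is declared here.
[static]
  [static.'myserver']
  stamp = 'sdns://...'   # server stamp printed by the container at startup

# 3. The route. Relays are named entries from the 'relays' source; a relay
#    stamp string (as in the thread's commented template line) is also
#    accepted in 'via'. No trailing comma after the last table in the array.
[anonymized_dns]
routes = [
    { server_name = 'myserver', via = ['anon-relay-a', 'anon-relay-b'] }
]

# dnscrypt-proxy option not discussed in the thread: when a server is flagged
# "incompatible with anonymization", the default (false) keeps using it with
# no relay at all. Set it so a failed route is dropped rather than silently
# turned into direct queries.
skip_incompatible = true
```

`server_names` has to stay above the first `[table]` header, otherwise TOML files it under that table and dnscrypt-proxy never sees it.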

Well, I actually had the server (provider) name already in quotes. However I used the 2.dnscrypt-cert.XXXX.net provider name in the server name section, set the route as you indicated and commented out the static section. I also removed the unnecessary comma in the route section.

The proxy service did not start

Then I un-commented the static section, and the message `2.dnscrypt-cert.XXXX.net is incompatible with anonymization` came up, but the proxy started and there was a notice for anonymized DNS routing.

Fires are raging in Southern California and the skies are dark.... As for Covid 19- some are taking precautions and others don't seem to care...

```
Sep 09 19:44:52 Atlantis dnscrypt-proxy[3625]: [2020-09-09 19:44:52] [NOTICE] Now listening to [::1]:5350 [UDP]
Sep 09 19:44:52 Atlantis dnscrypt-proxy[3625]: [2020-09-09 19:44:52] [NOTICE] Now listening to [::1]:5350 [TCP]
Sep 09 19:44:52 Atlantis dnscrypt-proxy[3625]: [2020-09-09 19:44:52] [NOTICE] Source [public-resolvers] loaded
Sep 09 19:44:52 Atlantis dnscrypt-proxy[3625]: [2020-09-09 19:44:52] [NOTICE] Source [relays] loaded
Sep 09 19:44:52 Atlantis dnscrypt-proxy[3625]: [2020-09-09 19:44:52] [NOTICE] Anonymized DNS: routing [2.dnscrypt-cert.xxx.net] via [anon-cs-usca anon-cs-usor]
Sep 09 19:44:52 Atlantis dnscrypt-proxy[3625]: [2020-09-09 19:44:52] [NOTICE] Firefox workaround initialized
Sep 09 19:44:57 Atlantis dnscrypt-proxy[3625]: [2020-09-09 19:44:57] [NOTICE] [2.dnscrypt-cert.xxx.net] OK (DNSCrypt) - rtt: 63ms
Sep 09 19:44:57 Atlantis dnscrypt-proxy[3625]: [2020-09-09 19:44:57] [WARNING] [2.dnscrypt-cert.xxx.net] is incompatible with anonymization
Sep 09 19:44:57 Atlantis dnscrypt-proxy[3625]: [2020-09-09 19:44:57] [NOTICE] Server with the lowest initial latency: 2.dnscrypt-cert.xxx.net (rtt: 63ms)
Sep 09 19:44:57 Atlantis dnscrypt-proxy[3625]: [2020-09-09 19:44:57] [NOTICE] dnscrypt-proxy is ready - live servers: 1
```

Probably coincidence, but before I set up my own server I was using Adguard-dns and did not receive the warning regarding anonymized DNS server compatibility; a couple of weeks later I did. Both their server and mine are hosted on vultr.com.

One other thing I thought of. I have my ASUS/Merlin router setup as a VPN client. The device running dnscrypt-proxy is also utilizing the VPN and running Pi Hole. Perhaps the issue with anonymization relates to the DNS requests/relays going over a VPN. I did try to exempt the dnscrypt-proxy/Pi Hole device from using the VPN connection- but the router did not (probably correctly) apply my changes.
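The log excerpt above is worth reading with a tool rather than by eye, because the startup NOTICE that announces a route and the WARNING that withdraws it are five seconds apart and look equally healthy. The parser below is an added example written for this page, not code from the thread or from dnscrypt-proxy; it pairs the two messages per server and reports which configured routes are actually in effect. The rule it applies comes from dnscrypt-proxy's behaviour: once a server is flagged `is incompatible with anonymization`, the relay is dropped for that server and, unless `skip_incompatible` is set in `[anonymized_dns]`, the server is queried directly. The sample input is the journal excerpt quoted in the post, copied verbatim.

```python
"""Added example, not from the thread or from dnscrypt-proxy: reads
dnscrypt-proxy start-up log lines and reports which Anonymized DNS routes
survived. A route NOTICE followed by an 'incompatible' WARNING for the same
server means the proxy talks to that server directly (no relay)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Sample input: the journal lines quoted in the post above, copied verbatim.
SAMPLE_LOG = """\
Sep 09 19:44:52 Atlantis dnscrypt-proxy[3625]: [2020-09-09 19:44:52] [NOTICE] Now listening to [::1]:5350 [UDP]
Sep 09 19:44:52 Atlantis dnscrypt-proxy[3625]: [2020-09-09 19:44:52] [NOTICE] Now listening to [::1]:5350 [TCP]
Sep 09 19:44:52 Atlantis dnscrypt-proxy[3625]: [2020-09-09 19:44:52] [NOTICE] Source [public-resolvers] loaded
Sep 09 19:44:52 Atlantis dnscrypt-proxy[3625]: [2020-09-09 19:44:52] [NOTICE] Source [relays] loaded
Sep 09 19:44:52 Atlantis dnscrypt-proxy[3625]: [2020-09-09 19:44:52] [NOTICE] Anonymized DNS: routing [2.dnscrypt-cert.xxx.net] via [anon-cs-usca anon-cs-usor]
Sep 09 19:44:52 Atlantis dnscrypt-proxy[3625]: [2020-09-09 19:44:52] [NOTICE] Firefox workaround initialized
Sep 09 19:44:57 Atlantis dnscrypt-proxy[3625]: [2020-09-09 19:44:57] [NOTICE] [2.dnscrypt-cert.xxx.net] OK (DNSCrypt) - rtt: 63ms
Sep 09 19:44:57 Atlantis dnscrypt-proxy[3625]: [2020-09-09 19:44:57] [WARNING] [2.dnscrypt-cert.xxx.net] is incompatible with anonymization
Sep 09 19:44:57 Atlantis dnscrypt-proxy[3625]: [2020-09-09 19:44:57] [NOTICE] Server with the lowest initial latency: 2.dnscrypt-cert.xxx.net (rtt: 63ms)
Sep 09 19:44:57 Atlantis dnscrypt-proxy[3625]: [2020-09-09 19:44:57] [NOTICE] dnscrypt-proxy is ready - live servers: 1
"""

# Strip the journald/syslog prefix and the proxy's own timestamp; keep level + message.
LINE_RE = re.compile(r"\[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
ROUTE_RE = re.compile(r"^Anonymized DNS: routing \[(?P<server>[^\]]+)\] via \[(?P<relays>[^\]]*)\]$")
INCOMPAT_RE = re.compile(r"^\[(?P<server>[^\]]+)\] is incompatible with anonymization")
OK_RE = re.compile(r"^\[(?P<server>[^\]]+)\] OK \((?P<proto>[^)]+)\) - rtt: (?P<rtt>\d+)ms$")
READY_RE = re.compile(r"^dnscrypt-proxy is ready - live servers: (?P<n>\d+)$")


@dataclass
class AnonReport:
    routes: Dict[str, List[str]] = field(default_factory=dict)  # server -> relays requested
    incompatible: Set[str] = field(default_factory=set)         # relay dropped for these
    live: Dict[str, str] = field(default_factory=dict)          # server -> protocol
    ready_count: Optional[int] = None


def parse_log(text: str) -> AnonReport:
    rep = AnonReport()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        r = ROUTE_RE.match(msg)
        if r:
            rep.routes[r["server"]] = r["relays"].split()
            continue
        r = INCOMPAT_RE.match(msg)
        if r:
            rep.incompatible.add(r["server"])
            continue
        r = OK_RE.match(msg)
        if r:
            rep.live[r["server"]] = r["proto"]
            continue
        r = READY_RE.match(msg)
        if r:
            rep.ready_count = int(r["n"])
    return rep


def unrelayed_servers(rep: AnonReport) -> List[str]:
    """Routes that were configured but are not in effect: the server was flagged
    incompatible, so queries to it leave the proxy directly and the resolver
    sees the client's address."""
    return sorted(s for s in rep.routes if s in rep.incompatible)


def relayed_servers(rep: AnonReport) -> List[str]:
    """Routes that survived start-up: server live and never flagged."""
    return sorted(s for s in rep.routes if s in rep.live and s not in rep.incompatible)


if __name__ == "__main__":
    rep = parse_log(SAMPLE_LOG)
    for s in unrelayed_servers(rep):
        print(f"{s}: route via {rep.routes[s]} NOT in effect (queried directly)")
    for s in relayed_servers(rep):
        print(f"{s}: relayed via {rep.routes[s]}")
    print(f"live servers reported: {rep.ready_count}")
```

On the excerpt in the post the result is one configured route and zero routes in effect: `live servers: 1` counts the direct connection to `2.dnscrypt-cert.xxx.net`, not a relayed one, which is why the resolver works while the anonymization does not.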