Netgate Discussion Forum

DNSCrypt Dig Output Confusion

DHCP and DNS
4 Posts 2 Posters 1.5k Views
    kars85
    last edited by Jan 22, 2015, 2:47 AM

    So I "think" I have DNSCrypt successfully implemented, but I'm not sure it's really working. At least, based on the guide here, I should have output saying "dnscrypt enabled" when running just the -t option:
    https://docs.google.com/document/d/1BgvDY8haswQd2BgBP8ctEriy9QRX1CikdbaFqr7yaOQ/edit#heading=h.k73hwctbjm3k

    The problem is, when I run:

    dig -p 40 -t txt debug.opendns.com @127.0.0.1
    

    I get the intended output of:

    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7426
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;debug.opendns.com.		IN	TXT
    
    ;; ANSWER SECTION:
    debug.opendns.com.	0	IN	TXT	"server 9.chi"
    debug.opendns.com.	0	IN	TXT	"flags 20 0 2F6 0"
    debug.opendns.com.	0	IN	TXT	"originid 2122843"
    debug.opendns.com.	0	IN	TXT	"actype 2"
    debug.opendns.com.	0	IN	TXT	"bundle 1347128"
    debug.opendns.com.	0	IN	TXT	"source X.X.X.X:22227"
    debug.opendns.com.	0	IN	TXT	"dnscrypt enabled (71447764594D3377)"
    
    ;; Query time: 18 msec
    ;; SERVER: 127.0.0.1#40(127.0.0.1)
    ;; WHEN: Wed Jan 21 20:39:00 2015
    ;; MSG SIZE  rcvd: 264
    
    

    The confusion begins when I run the final step in the guide I posted.  I simply don't get the same return saying "dnscrypt enabled".

    
    [2.1.5-RELEASE][admin@pfsense.localdomain]/usr/local/etc/rc.d(19): dig -t txt debug.opendns.com @192.168.1.1
    
    ; <<>> DiG 9.6.-ESV-R5-P1 <<>> -t txt debug.opendns.com @192.168.1.1
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62639
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;debug.opendns.com.		IN	TXT
    
    ;; ANSWER SECTION:
    debug.opendns.com.	0	IN	TXT	"server 9.chi"
    debug.opendns.com.	0	IN	TXT	"flags 20 0 2F6 0"
    debug.opendns.com.	0	IN	TXT	"originid 2122843"
    debug.opendns.com.	0	IN	TXT	"actype 2"
    debug.opendns.com.	0	IN	TXT	"bundle 1347128"
    debug.opendns.com.	0	IN	TXT	"source X.X.X.X:42321"
    
    ;; Query time: 22 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Wed Jan 21 20:44:54 2015
    ;; MSG SIZE  rcvd: 205
    
    

    I also found it important to load the amd64 build of dnscrypt instead of the referenced x86 arch linked in the tutorial.  DAMHIK.  The URL I used is:
    http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-8.4-release/dns/dnscrypt-proxy-1.2.1.tbz

      fsansfil
      last edited by Jan 22, 2015, 12:23 PM

      The safest way to check if its working is to start packet capture on WAN. Sniff some traffic and see if your DNS Queries are in plain text or not…

      Cheers.

      F.

        kars85
        last edited by Jan 22, 2015, 3:25 PM

        @fsansfil:

        The safest way to check if its working is to start packet capture on WAN. Sniff some traffic and see if your DNS Queries are in plain text or not…

        Cheers.

        F.

        OK, thanks for the confirmation :) - I had run a tcpdump on my WAN interface, specifically on port 53 in/out, and they were absolutely readable. Every webpage I loaded returned cleartext DNS lookups. I've since deleted the package and reverted to normal means - just wasn't comfortable with how it worked/was implemented and the overall lack of buzz on here about it to reference.

          fsansfil
          last edited by Jan 22, 2015, 6:01 PM

          Well, it's not an official pfSense package, so you won't get much support.

          When using dnscrypt, you should create a quick block (floating rule) on WAN for inbound and outbound UDP/TCP port 53. The main reason to use dnscrypt is to reduce the DNS poisoning/sniffing risk. So after that, with packet capture on WAN, you should see no DNS traffic on 53 and only encrypted DNS traffic on UDP 443.

          F.

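As an added example (not code from the thread, from pfSense, or from dnscrypt-proxy), the script below makes the two checks discussed in this thread offline: it scans `dig -t txt debug.opendns.com` output for the "dnscrypt enabled" TXT record that the first post was looking for, and it decodes UDP payloads from a WAN capture as DNS wire format to show exactly what a sniffer reads on port 53, which is the test fsansfil proposed. The dig samples are the thread's own answer sections, trimmed; the capture is constructed, and the port-443 payload is an opaque stand-in, not real DNSCrypt framing. The WAN interface name and the tcpdump command line in the usage note are assumptions.

```python
"""Offline checks for a dnscrypt-proxy setup, mirroring the two tests in the
thread: (1) does dig show the 'dnscrypt enabled' TXT record, and (2) is there
plaintext DNS in the WAN capture?  Added example; sample inputs are
constructed, and the interface name in the usage note is an assumption."""
import struct


def dig_reports_dnscrypt(dig_output):
    """True if a TXT answer line in dig output says 'dnscrypt enabled'."""
    for line in dig_output.splitlines():
        if line.startswith(";"):          # dig comment / section headers
            continue
        parts = line.split(None, 4)       # owner, ttl, class, type, rdata
        if len(parts) == 5 and parts[2:4] == ["IN", "TXT"]:
            if "dnscrypt enabled" in parts[4]:
                return True
    return False


def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal plaintext DNS query (used only to construct samples)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + qname + struct.pack("!HH", qtype, 1)


def decode_dns_query(payload):
    """Parse a UDP payload as a DNS query and return (qname, qtype).
    Raises ValueError if it is not a well-formed single-question query."""
    if len(payload) < 12:
        raise ValueError("too short for a DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000:
        raise ValueError("QR bit set: a response, not a query")
    if qdcount != 1:
        raise ValueError("expected one question, got %d" % qdcount)
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in a query QNAME")
        if length > 63 or pos + length > len(payload):
            raise ValueError("bad label length")
        # UnicodeDecodeError is a subclass of ValueError, so non-ASCII fails too
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated question section")
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    if qclass != 1:
        raise ValueError("unexpected QCLASS %d" % qclass)
    return ".".join(labels) + ".", qtype


def audit_capture(packets):
    """packets: iterable of (dst_port, udp_payload) taken from a WAN capture.
    Returns what a sniffer can read from port-53 traffic as a list of
    (qname, qtype); (None, None) marks a port-53 payload that does not parse.
    Anything at all on port 53 means queries are bypassing dnscrypt-proxy.
    Other ports (e.g. UDP 443 carrying DNSCrypt) are deliberately not decoded."""
    leaks = []
    for dst_port, payload in packets:
        if dst_port != 53:
            continue
        try:
            leaks.append(decode_dns_query(payload))
        except ValueError:
            leaks.append((None, None))
    return leaks


# Constructed samples: the two dig answer sections from the thread, trimmed,
# plus a fake capture whose port-443 payload is an opaque stand-in.
DIG_VIA_DNSCRYPT = (
    ";; ANSWER SECTION:\n"
    'debug.opendns.com.\t0\tIN\tTXT\t"server 9.chi"\n'
    'debug.opendns.com.\t0\tIN\tTXT\t"dnscrypt enabled (71447764594D3377)"\n'
)
DIG_VIA_FORWARDER = (
    ";; ANSWER SECTION:\n"
    'debug.opendns.com.\t0\tIN\tTXT\t"server 9.chi"\n'
    'debug.opendns.com.\t0\tIN\tTXT\t"source X.X.X.X:42321"\n'
)
CAPTURE = [
    (53, build_query("www.example.com.")),             # leaks the name
    (443, bytes(range(8, 72))),                        # stand-in, not decoded
    (53, build_query("mail.example.net.", qtype=15)),  # leaks name and type (MX)
]

if __name__ == "__main__":
    print("dig via dnscrypt :", dig_reports_dnscrypt(DIG_VIA_DNSCRYPT))
    print("dig via forwarder:", dig_reports_dnscrypt(DIG_VIA_FORWARDER))
    print("plaintext on WAN :", audit_capture(CAPTURE))
```

To feed it real traffic, capture on the WAN side of pfSense (assuming the interface is `em0`) with something like `tcpdump -ni em0 -s 0 'port 53'`, or Diagnostics > Packet Capture in the GUI filtered on port 53, and pull the UDP payloads out of the pcap with whatever pcap reader you have at hand. In the healthy state the port-53 list is empty and `dig` through the LAN resolver shows the "dnscrypt enabled" record; the thread's second dig output lacking that record while tcpdump showed readable lookups is the signature of the resolver on 192.168.1.1 still forwarding directly instead of through dnscrypt-proxy. The script is only the check; the floating block rule on port 53 that fsansfil describes is what actually enforces it.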
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.