DNSCrypt / dnscrypt-proxy

dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols.
https://dnscrypt.info
ISC License

[BAD BEHAVIOR] Can't reach domains names anymore #1198

Closed Kylvan-8 closed 4 years ago

Kylvan-8 commented 4 years ago

Subject

Description

After a brutal shutdown of the multiplug my Raspberry Pi was on, and a restart, I can't reach domains anymore with any DNSCrypt server (tried with scaleway-fr, google and cloudflare):

Ex:

pi@Raspberry:~ $ sudo /opt/dnscrypt-proxy/dnscrypt-proxy -resolve github.com
Resolving [github.com]

Domain exists: probably not, or blocked by the proxy
Canonical name: -
IP addresses: -
TXT records: -

This is my pi hole DNS configuration :

[screenshot: Annotation 2020-02-20 191924]

This is my DNS parameter in dnscrypt-proxy.toml :

[screenshot: Annotation 2020-02-20 193505]

All of this is set up on the same local network, and Pi-hole is listening on all interfaces.

Please can you help me fix this asap and give me indications so this doesn't happen again? Best regards

EDIT: This is the guide I followed for the setup: https://www.derekseaman.com/2019/09/how-to-pi-hole-plus-dnscrypt-setup-on-raspberry-pi-4.html

jedisct1 commented 4 years ago

Maybe something is trying to start it twice?

This is a "how to use Linux" question rather than a question about dnscrypt-proxy, so you may have more success on forums about Linux.

Maybe reinstall the service with sudo ./dnscrypt-proxy -service stop followed by sudo ./dnscrypt-proxy -service start?

Please can you help me to fix this asap and give me indications for this to not happen again ?

...

Kylvan-8 commented 4 years ago

No, it doesn't start twice, as the process ID is the same in netstat; stop and start doesn't change anything. But there have already been issues with dnscrypt-proxy

https://github.com/DNSCrypt/dnscrypt-proxy/issues/876

Even if this doesn't help me much.

pi@Raspberry:~ $ sudo /opt/dnscrypt-proxy/dnscrypt-proxy -service stop
[2020-02-19 12:09:42] [NOTICE] Service stopped
pi@Raspberry:~ $ sudo netstat -a -n -o -p | grep 5392
pi@Raspberry:~ $ sudo /opt/dnscrypt-proxy/dnscrypt-proxy -service start
[2020-02-19 12:09:54] [NOTICE] dnscrypt-proxy 2.0.31
[2020-02-19 12:09:54] [NOTICE] Network connectivity detected
[2020-02-19 12:09:54] [NOTICE] Source [public-resolvers.md] loaded
[2020-02-19 12:09:54] [NOTICE] Source [relays.md] loaded
[2020-02-19 12:09:54] [NOTICE] Service started
pi@Raspberry:~ $ sudo netstat -a -n -o -p | grep 5392
tcp        0      0 127.0.0.1:5392          0.0.0.0:*               LISTEN      2818/dnscrypt-proxy  off (0.00/0/0)
udp        0      0 127.0.0.1:5392          0.0.0.0:*                           2818/dnscrypt-proxy  off (0.00/0/0)
pi@Raspberry:~ $ sudo /opt/dnscrypt-proxy/dnscrypt-proxy ?
[2020-02-19 12:10:06] [NOTICE] dnscrypt-proxy 2.0.31
[2020-02-19 12:10:06] [NOTICE] Network connectivity detected
[2020-02-19 12:10:06] [NOTICE] Source [public-resolvers.md] loaded
[2020-02-19 12:10:06] [NOTICE] Source [relays.md] loaded
[2020-02-19 12:10:06] [NOTICE] Firefox workaround initialized
[2020-02-19 12:10:06] [FATAL] listen udp 127.0.0.1:5392: bind: address already in use

EDIT: Can't reach domains [screenshot: Annotation 2020-02-20 201811]

And the service seems to work fine: [screenshot]

I've also tried the solution there by @mibere but it doesn't work, related to: https://github.com/DNSCrypt/dnscrypt-proxy/issues/398

mibere commented 4 years ago

Same here with v2.0.39

[FATAL] listen udp 127.11.11.3:7753: bind: address already in use

But that's not a bug. You run the command

sudo /opt/dnscrypt-proxy/dnscrypt-proxy ?

What's your plan with the question mark at the end of that command? With your command you start dnscrypt-proxy a 2nd time, and that aborts correctly as it's already running (on port 5392)

Kylvan-8 commented 4 years ago

Same here with v2.0.39

[FATAL] listen udp 127.11.11.3:7753: bind: address already in use

But that's not a bug. You run the command

sudo /opt/dnscrypt-proxy/dnscrypt-proxy ?

What's your plan with the question mark at the end of that command? With your command you start dnscrypt-proxy a 2nd time, and that aborts correctly as it's already running (on port 5392)

I can't reach domains as shown above, so I try to get something to work and see where it comes from.

mibere commented 4 years ago
sudo systemctl stop dnscrypt-proxy.service
sudo systemctl start dnscrypt-proxy.service
/opt/dnscrypt-proxy/dnscrypt-proxy -resolve google.com

If resolving doesn't work, did you try to choose a different DNSCrypt server in /opt/dnscrypt-proxy/dnscrypt-proxy.toml?

Kylvan-8 commented 4 years ago
sudo systemctl stop dnscrypt-proxy.service
sudo systemctl start dnscrypt-proxy.service
/opt/dnscrypt-proxy/dnscrypt-proxy -resolve google.com

If resolving doesn't work, did you try to choose a different DNSCrypt server in /opt/dnscrypt-proxy/dnscrypt-proxy.toml?

Yes, I've tried with cloudflare and google; before that I had set it up with scaleway fr, but same issue.

mibere commented 4 years ago

Anything useful in the dnscrypt-proxy log if you set log_level = 0 (very verbose) in dnscrypt-proxy.toml and then restart it?

ibksturm commented 4 years ago

try: ps -aux |grep dnscrypt

then you should get the $prozessid (or pid)

then kill -9 $prozessid

sudo service dnscrypt-proxy restart && tail -f [path-to-logfile]

b) what kind of Linux or BSD do you use? /opt/... sounds like a router or a NAS

ibksturm commented 4 years ago

other question, could you ping 1.1.1.1 or ping 8.8.8.8

what about dig google.com @127.0.0.1 -p 5392

Kylvan-8 commented 4 years ago

Anything useful in the dnscrypt-proxy log if you set log_level = 0 (very verbose) in dnscrypt-proxy.toml and then restart it?

Where can I see the log once activated?

EDIT: Nvm

pi@Raspberry:~ $ sudo cat /var/log/dnscrypt-proxy.log
[2020-02-19 13:19:38] [NOTICE] dnscrypt-proxy 2.0.31
[2020-02-19 13:19:38] [NOTICE] Network connectivity detected
[2020-02-19 13:19:38] [NOTICE] Source [public-resolvers.md] loaded
[2020-02-19 13:19:38] [NOTICE] Source [relays.md] loaded
[2020-02-19 13:19:38] [NOTICE] Firefox workaround initialized
[2020-02-19 13:19:38] [NOTICE] Now listening to 127.0.0.1:5392 [UDP]
[2020-02-19 13:19:38] [NOTICE] Now listening to 127.0.0.1:5392 [TCP]
[2020-02-19 13:19:39] [INFO] [google] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
[2020-02-19 13:19:39] [NOTICE] [google] OK (DoH) - rtt: 204ms
[2020-02-19 13:19:39] [NOTICE] Server with the lowest initial latency: google (rtt: 204ms)
[2020-02-19 13:19:39] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Kylvan-8 commented 4 years ago

try: ps -aux |grep dnscrypt

then you should get the $prozessid (or pid)

then kill -9 $prozessid

sudo service dnscrypt-proxy restart && tail -f [path-to-logfile]

b) what kind of Linux or BSD do you use? /opt/... sounds like a router or a NAS

The command doesn't work

pi@Raspberry:~ $ sudo service dnscrypt-proxy restart && tail -f /home/pi/testlog.txt
tail: impossible d'ouvrir '/home/pi/testlog.txt' en lecture: Aucun fichier ou dossier de ce type
tail: aucun fichier restant

other question, could you ping 1.1.1.1 or ping 8.8.8.8

what about dig google.com @127.0.0.1 -p 5392

Yes, I can ping both IPs.

pi@Raspberry:~ $ dig google.com @127.0.0.1 -p 5392

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> google.com @127.0.0.1 -p 5392
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6826
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             87      IN      A       216.58.201.238

;; Query time: 102 msec
;; SERVER: 127.0.0.1#5392(127.0.0.1)
;; WHEN: mer. févr. 19 13:15:25 CET 2020
;; MSG SIZE  rcvd: 55

ibksturm commented 4 years ago

oke I started the laptop, my wife gonna kill me... but that's another problem, not yours...

oke, let's get the party started

a) Logging try

[screenshot]

where log_file = '/var/log/dnscrypt-proxy-test.log' defines the path to the logfile

then in a second ssh session (in a second window) tail -f [path-to-logfile]

b) dig command: dig and ping run, so your raspi can communicate with the whole world

is the problem still there?

--> dig resolves DNS names into IP addresses via a specific @server -p PORT

ibksturm commented 4 years ago

c) if dig google.com @127.0.0.1 -p 5392 runs, the problem is between pihole <-> dnscrypt and NOT in dnscrypt

Kylvan-8 commented 4 years ago

oke I started the laptop, my wife gonna kill me... but that's another problem, not yours...

oke, let's get the party started

a) Logging try

[screenshot]

where log_file = '/var/log/dnscrypt-proxy-test.log' defines the path to the logfile

then in a second ssh session (in a second window) tail -f [path-to-logfile]

b) dig command: dig and ping run, so your raspi can communicate with the whole world

is the problem still there?

After applying your settings

pi@Raspberry:~ $ sudo cat /var/lo
local/  lock/   log/
pi@Raspberry:~ $ sudo cat /var/log/dnscrypt-proxy.log
[2020-02-19 13:19:38] [NOTICE] dnscrypt-proxy 2.0.31
[2020-02-19 13:19:38] [NOTICE] Network connectivity detected
[2020-02-19 13:19:38] [NOTICE] Source [public-resolvers.md] loaded
[2020-02-19 13:19:38] [NOTICE] Source [relays.md] loaded
[2020-02-19 13:19:38] [NOTICE] Firefox workaround initialized
[2020-02-19 13:19:38] [NOTICE] Now listening to 127.0.0.1:5392 [UDP]
[2020-02-19 13:19:38] [NOTICE] Now listening to 127.0.0.1:5392 [TCP]
[2020-02-19 13:19:39] [INFO] [google] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
[2020-02-19 13:19:39] [NOTICE] [google] OK (DoH) - rtt: 204ms
[2020-02-19 13:19:39] [NOTICE] Server with the lowest initial latency: google (rtt: 204ms)
[2020-02-19 13:19:39] [NOTICE] dnscrypt-proxy is ready - live servers: 1
[2020-02-19 13:28:44] [NOTICE] Stopped.
[2020-02-19 13:28:52] [NOTICE] dnscrypt-proxy 2.0.31
[2020-02-19 13:28:52] [NOTICE] Network connectivity detected
[2020-02-19 13:28:52] [NOTICE] Source [relays.md] loaded
[2020-02-19 13:28:52] [NOTICE] Source [public-resolvers.md] loaded
[2020-02-19 13:28:52] [NOTICE] Firefox workaround initialized
[2020-02-19 13:28:52] [NOTICE] Now listening to 127.0.0.1:5392 [UDP]
[2020-02-19 13:28:52] [NOTICE] Now listening to 127.0.0.1:5392 [TCP]
[2020-02-19 13:28:53] [INFO] [google] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
[2020-02-19 13:28:53] [NOTICE] [google] OK (DoH) - rtt: 91ms
[2020-02-19 13:28:53] [NOTICE] Server with the lowest initial latency: google (rtt: 91ms)
[2020-02-19 13:28:53] [NOTICE] dnscrypt-proxy is ready - live servers: 1

pi@Raspberry:~ $ sudo service dnscrypt-proxy stop
pi@Raspberry:~ $ sudo service dnscrypt-proxy start
pi@Raspberry:~ $ sudo /opt/dnscrypt-proxy/dnscrypt-proxy -resolve github.com
Resolving [github.com]

Domain exists: probably not, or blocked by the proxy
Canonical name: -
IP addresses: -
TXT records: -

c) if dig google.com @127.0.0.1 -p 5392 runs, the problem is between pihole <-> dnscrypt and NOT in dnscrypt

So what should I do? I don't have errors in the pi hole diagnosis with the 'pihole -p' command

oke I started the laptop, my wife gonna kill me... but that's another problem, not yours...

oke, let's get the party started

Thanks for taking risks for helping me out of this mess xD

ibksturm commented 4 years ago

[2020-02-19 13:28:53] [INFO] [google] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
[2020-02-19 13:28:53] [NOTICE] [google] OK (DoH) - rtt: 91ms
[2020-02-19 13:28:53] [NOTICE] Server with the lowest initial latency: google (rtt: 91ms)
[2020-02-19 13:28:53] [NOTICE] dnscrypt-proxy is ready - live servers: 1

--> that means dnscrypt is running, & if you dig google.com @127.0.0.1 -p 5392 too and it works, everything is good

pi@Raspberry:~ $ sudo /opt/dnscrypt-proxy/dnscrypt-proxy -resolve github.com

:) nice nooby failure (sorry about smiling here, I make this mistake also from time to time). explanation short: you should do sudo /opt/dnscrypt-proxy/dnscrypt-proxy -config dnscrypt-proxy.toml -resolve google.com, then it works for TESTING! so you forgot to tell DNSC where the config file is

explanation long: by service dnscrypt-proxy start the init program runs DNSC with your config file. it looks good because 1. there's a logging file that tells me 2. you could dig something. so if you start another instance by sudo /opt/dnscrypt-proxy/dnscrypt-proxy -config dnscrypt-proxy.toml -resolve google.com it HAS to get an error. that's not a bug, that's... so you try to drill a second hole in your still opened beer can. you could do that but it makes no sense :) (better open a second beer later). So when I'm in this situation I just use the dig command.

ibksturm commented 4 years ago

Thanks for taking risks for helping me out of this mess xD

yeah my wife told me........... other words than thank you...

So what should i do ? I don't have error in pi hole diagnosis with 'pihole -p' command

go to the next gasoline store / late night store / liquor store, whatever you want, buy a sixpack and drink one on me

oke, back to business, let us analyse

if point 4 works, than stand up and have fun ^^

Kylvan-8 commented 4 years ago

[2020-02-19 13:28:53] [INFO] [google] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
[2020-02-19 13:28:53] [NOTICE] [google] OK (DoH) - rtt: 91ms
[2020-02-19 13:28:53] [NOTICE] Server with the lowest initial latency: google (rtt: 91ms)
[2020-02-19 13:28:53] [NOTICE] dnscrypt-proxy is ready - live servers: 1

--> that means dnscrypt is running, & if you dig google.com @127.0.0.1 -p 5392 too and it works, everything is good

pi@Raspberry:~ $ sudo /opt/dnscrypt-proxy/dnscrypt-proxy -resolve github.com

:) nice nooby failure (sorry about smiling here, I make this mistake also from time to time). explanation short: you should do sudo /opt/dnscrypt-proxy/dnscrypt-proxy -config dnscrypt-proxy.toml -resolve google.com, then it works for TESTING! so you forgot to tell DNSC where the config file is

explanation long: by service dnscrypt-proxy start the init program runs DNSC with your config file. it looks good because 1. there's a logging file that tells me 2. you could dig something. so if you start another instance by sudo /opt/dnscrypt-proxy/dnscrypt-proxy -config dnscrypt-proxy.toml -resolve google.com it HAS to get an error. that's not a bug, that's... so you try to drill a second hole in your still opened beer can. you could do that but it makes no sense :) (better open a second beer later). So when I'm in this situation I just use the dig command.

pi@Raspberry:~ $ sudo /opt/dnscrypt-proxy/dnscrypt-proxy -config /opt/dnscrypt-proxy/dnscrypt-proxy.toml -resolve google.com
Resolving [google.com]

Domain exists: probably not, or blocked by the proxy
Canonical name: -
IP addresses: -
TXT records: -

Doesn't seem to work ><

Kylvan-8 commented 4 years ago

Thanks for taking risks for helping me out of this mess xD

yeah my wife told me........... other words than thank you...

So what should i do ? I don't have error in pi hole diagnosis with 'pihole -p' command

go to the next gasoline store / late night store / liquor store, whatever you want, buy a sixpack and drink one on me

oke, back to business, let us analyse

* [x]  `service dnscrypt-proxy restart`

* [x]  `sudo cat /var/log/dnscrypt-proxy.log`

* [x]  `dig google.com @127.0.0.1 -p 5392` (dnscrypt port)

* [ ]  `dig google.com @127.0.0.1 -p 53` (DNS standard port -> pihole)

if point 4 works, than stand up and have fun ^^

Last one didn't work

pi@Raspberry:~ $ dig google.com @127.0.0.1 -p 53

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> google.com @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12795
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.                    IN      A

;; Query time: 192 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: mer. févr. 19 13:51:52 CET 2020
;; MSG SIZE  rcvd: 39
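The checklist above (dig straight at dnscrypt-proxy on 5392, then at Pi-hole on 53, and compare) is the reasoning that eventually isolates the fault in this thread. The following POSIX shell script is an added example, not code from the thread nor from the dnscrypt-proxy or Pi-hole projects: it classifies the dig answer per hop, reads the last meaningful state out of a dnscrypt-proxy log (including the "address already in use" case that appears when a second instance is started by hand while the service is running), and checks that Pi-hole's `server=IP#PORT` upstream line matches one of dnscrypt-proxy's `listen_addresses`. The ports, the `/etc/dnsmasq.d/01-pihole.conf` path and the log-line shapes are taken from the thread; every sample input below is constructed, modelled on what was posted.

```shell
#!/bin/sh
# Added example (not from the thread, dnscrypt-proxy or Pi-hole): automate the
# dig-per-hop triage. Ports 5392 (dnscrypt-proxy) and 53 (Pi-hole) follow the
# thread's setup; all sample inputs are constructed.

# Extract the "status:" field from a dig header (NOERROR, SERVFAIL, ...).
# Prints NORESPONSE when no header is present (timeout, nothing listening).
dig_status() {
    s=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    if [ -n "$s" ]; then printf '%s\n' "$s"; else printf 'NORESPONSE\n'; fi
}

# Walk the chain from the far end. If dnscrypt-proxy itself cannot answer, the
# fault is at or beyond the proxy; if it answers but Pi-hole does not, the fault
# is inside Pi-hole or on the Pi-hole -> proxy hop (upstream address, DNSSEC).
#   $1 = dig output from @127.0.0.1 -p 5392, $2 = dig output from @127.0.0.1 -p 53
triage() {
    up=$(dig_status "$1")
    front=$(dig_status "$2")
    if [ "$up" != "NOERROR" ]; then
        printf 'UPSTREAM\n'      # proxy returned $up: check its log and servers
    elif [ "$front" != "NOERROR" ]; then
        printf 'FRONTEND\n'      # proxy fine, Pi-hole returned $front
    else
        printf 'OK\n'
    fi
}

# Last meaningful state in a dnscrypt-proxy log:
#   READY    - "is ready - live servers: N" with N > 0
#   NOLIVE   - ready line but zero live servers (every upstream failed its probe)
#   BINDFAIL - a second instance hit "bind: address already in use"
#   UNKNOWN  - none of the above seen
proxy_log_state() {
    last=$(printf '%s\n' "$1" \
        | grep -E 'is ready - live servers: [0-9]+|\[FATAL\] listen .*address already in use' \
        | tail -n 1)
    case "$last" in
        *"address already in use"*) printf 'BINDFAIL\n' ;;
        *"live servers: 0"*)        printf 'NOLIVE\n' ;;
        *"live servers: "*)         printf 'READY\n' ;;
        *)                          printf 'UNKNOWN\n' ;;
    esac
}

# Pi-hole stores its upstream as server=IP#PORT (dnsmasq syntax, in
# /etc/dnsmasq.d/01-pihole.conf per the thread); dnscrypt-proxy lists its
# listeners as 'IP:PORT' in listen_addresses. Report whether they agree.
#   $1 = Pi-hole dnsmasq config text, $2 = dnscrypt-proxy.toml text
pihole_forwards_to_proxy() {
    upstream=$(printf '%s\n' "$1" | sed -n 's/^server=\([^#]*\)#\([0-9]*\)$/\1:\2/p' | head -n 1)
    listens=$(printf '%s\n' "$2" | sed -n 's/^listen_addresses *= *\[\(.*\)]/\1/p' | tr -d "' ")
    case ",$listens," in
        *",$upstream,"*) printf 'MATCH\n' ;;
        *)               printf 'MISMATCH\n' ;;
    esac
}

# Constructed samples, modelled on the outputs posted in the thread.
DIG_5392_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17955
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
google.com.             54      IN      A       216.58.209.238'
DIG_53_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1915
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
DIG_TIMEOUT=';; connection timed out; no servers could be reached'
PROXY_LOG='[2020-02-19 13:50:02] [NOTICE] dnscrypt-proxy 2.0.31
[2020-02-19 13:50:02] [FATAL] listen udp 127.0.0.1:5392: bind: address already in use
[2020-02-19 13:51:22] [NOTICE] dnscrypt-proxy 2.0.31
[2020-02-19 13:51:23] [NOTICE] [google] OK (DoH) - rtt: 86ms
[2020-02-19 13:51:24] [NOTICE] dnscrypt-proxy is ready - live servers: 1'
PIHOLE_CONF='server=127.0.0.1#5392'
PROXY_TOML="listen_addresses = ['127.0.0.1:5392', '[::1]:5392']"

echo "chain:  $(triage "$DIG_5392_OK" "$DIG_53_SERVFAIL")"                 # FRONTEND
echo "proxy:  $(proxy_log_state "$PROXY_LOG")"                            # READY
echo "wiring: $(pihole_forwards_to_proxy "$PIHOLE_CONF" "$PROXY_TOML")"  # MATCH
```

With the thread's own outputs the verdict is FRONTEND while the wiring check says MATCH, which is exactly why the remaining suspect was Pi-hole's own configuration (its DNSSEC validation) rather than the proxy or the address it forwards to.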

ibksturm commented 4 years ago

don't worry

use the DIG command as I wrote above, forget the sudo /opt/dnscrypt-proxy/dnscrypt-proxy -config /opt/dnscrypt-proxy/dnscrypt-proxy.toml -resolve google.com command ;)

ibksturm commented 4 years ago

could you print me out

sudo cat /var/log/dnscrypt-proxy.log
dig google.com @127.0.0.1 -p 5392
dig google.com @127.0.0.1

b) what happens if you change the DNS server to 9.9.9.9 or 8.8.8.8 in pihole?

I'm thinking there's a problem in the communication path pihole <> dnsc

Kylvan-8 commented 4 years ago

could you print me out

sudo cat /var/log/dnscrypt-proxy.log
dig google.com @127.0.0.1 -p 5392
dig google.com @127.0.0.1

b) what happens if you change the DNS server to 9.9.9.9 or 8.8.8.8 in pihole?

I'm thinking there's a problem in the communication path pihole <> dnsc

pi@Raspberry:~ $ sudo cat /var/log/dnscrypt-proxy.log dig google.com @127.0.0.1 -p 5392 dig google.com @127.0.0.1
[2020-02-19 13:19:38] [NOTICE] dnscrypt-proxy 2.0.31
[2020-02-19 13:19:38] [NOTICE] Network connectivity detected
[2020-02-19 13:19:38] [NOTICE] Source [public-resolvers.md] loaded
[2020-02-19 13:19:38] [NOTICE] Source [relays.md] loaded
[2020-02-19 13:19:38] [NOTICE] Firefox workaround initialized
[2020-02-19 13:19:38] [NOTICE] Now listening to 127.0.0.1:5392 [UDP]
[2020-02-19 13:19:38] [NOTICE] Now listening to 127.0.0.1:5392 [TCP]
[2020-02-19 13:19:39] [INFO] [google] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
[2020-02-19 13:19:39] [NOTICE] [google] OK (DoH) - rtt: 204ms
[2020-02-19 13:19:39] [NOTICE] Server with the lowest initial latency: google (rtt: 204ms)
[2020-02-19 13:19:39] [NOTICE] dnscrypt-proxy is ready - live servers: 1
[2020-02-19 13:28:44] [NOTICE] Stopped.
[2020-02-19 13:28:52] [NOTICE] dnscrypt-proxy 2.0.31
[2020-02-19 13:28:52] [NOTICE] Network connectivity detected
[2020-02-19 13:28:52] [NOTICE] Source [relays.md] loaded
[2020-02-19 13:28:52] [NOTICE] Source [public-resolvers.md] loaded
[2020-02-19 13:28:52] [NOTICE] Firefox workaround initialized
[2020-02-19 13:28:52] [NOTICE] Now listening to 127.0.0.1:5392 [UDP]
[2020-02-19 13:28:52] [NOTICE] Now listening to 127.0.0.1:5392 [TCP]
[2020-02-19 13:28:53] [INFO] [google] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
[2020-02-19 13:28:53] [NOTICE] [google] OK (DoH) - rtt: 91ms
[2020-02-19 13:28:53] [NOTICE] Server with the lowest initial latency: google (rtt: 91ms)
[2020-02-19 13:28:53] [NOTICE] dnscrypt-proxy is ready - live servers: 1
[2020-02-19 13:50:02] [NOTICE] dnscrypt-proxy 2.0.31
[2020-02-19 13:50:02] [NOTICE] Network connectivity detected
[2020-02-19 13:50:02] [NOTICE] Source [public-resolvers.md] loaded
[2020-02-19 13:50:02] [NOTICE] Source [relays.md] loaded
[2020-02-19 13:50:02] [NOTICE] Firefox workaround initialized
[2020-02-19 13:50:02] [FATAL] listen udp 127.0.0.1:5392: bind: address already in use
[2020-02-19 13:51:22] [NOTICE] Stopped.
[2020-02-19 13:51:22] [NOTICE] dnscrypt-proxy 2.0.31
[2020-02-19 13:51:22] [NOTICE] Network connectivity detected
[2020-02-19 13:51:22] [NOTICE] Source [public-resolvers.md] loaded
[2020-02-19 13:51:22] [NOTICE] Source [relays.md] loaded
[2020-02-19 13:51:22] [NOTICE] Firefox workaround initialized
[2020-02-19 13:51:22] [NOTICE] Now listening to 127.0.0.1:5392 [UDP]
[2020-02-19 13:51:22] [NOTICE] Now listening to 127.0.0.1:5392 [TCP]
[2020-02-19 13:51:23] [INFO] [google] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
[2020-02-19 13:51:23] [NOTICE] [google] OK (DoH) - rtt: 86ms
[2020-02-19 13:51:24] [NOTICE] Server with the lowest initial latency: google (rtt: 86ms)
[2020-02-19 13:51:24] [NOTICE] dnscrypt-proxy is ready - live servers: 1
pi@Raspberry:~ $ dig google.com @127.0.0.1 -p 5392

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> google.com @127.0.0.1 -p 5392
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17955
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             54      IN      A       216.58.209.238

;; Query time: 97 msec
;; SERVER: 127.0.0.1#5392(127.0.0.1)
;; WHEN: mer. févr. 19 14:00:32 CET 2020
;; MSG SIZE  rcvd: 55

pi@Raspberry:~ $ dig google.com @127.0.0.1

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> google.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1915
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.                    IN      A

;; Query time: 188 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: mer. févr. 19 14:00:36 CET 2020
;; MSG SIZE  rcvd: 39

My DNS server in pi hole is not 9.9.9.9 or 8.8.8.8, it's 127.0.0.1#5392

ibksturm commented 4 years ago

My DNS server in pi hole is not 9.9.9.9 or 8.8.8.8, it's 127.0.0.1#5392

I understand, but now just for testing please change to 8.8.8.8, so we can figure out where the problem is (DNSC couldn't be, as it does dig)

and please, after all, update to 2.0.39 https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.0.39/dnscrypt-proxy-linux_arm-2.0.39.tar.gz

aaaa and I just forgot, 2 years ago I also ran a raspi as pihole server in my home network, the truth is that the little microSD fucked up (sorry about that word) after 5...6 months because of the 24/7 read/write processes. so at the moment I use, since a year, a Tinker Board S (16GB eMMC storage on board). on it there are all my private DNS services (AdGuardHome, DNS), a BOINC client and a tor relay, running 24/7/365. Just for your information. think about that if you wanna use pihole for a longer time

Kylvan-8 commented 4 years ago

My DNS server in pi hole is not 9.9.9.9 or 8.8.8.8, it's 127.0.0.1#5392

I understand, but now just for testing please change to 8.8.8.8, so we can figure out where the problem is (DNSC couldn't be, as it does dig)

and please, after all, update to 2.0.39 https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.0.39/dnscrypt-proxy-linux_arm-2.0.39.tar.gz

I need to put 8.8.8.8 everywhere on my rasp then? To make the test

ibksturm commented 4 years ago

only where you wrote before 127.0.0.1#5392

other question, is the pihole service still running? what does pihole status say

Kylvan-8 commented 4 years ago

only where you wrote before 127.0.0.1#5392

other question, is the pihole service still running? what does pihole status say

pi@Raspberry:~ $ sudo cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1

Do I touch this one?

pihole

pi@Raspberry:~ $ pihole status
  [✓] DNS service is running
  [✓] Pi-hole blocking is Enabled

EDIT: So I set up the toml with this?

# List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
listen_addresses = ['127.0.0.1:53']

On my pi it's: 8.8.8.8:53 now

ibksturm commented 4 years ago

nope, /etc/resolv.conf looks good, only change it in pihole

ibksturm commented 4 years ago

what about

service pihole-FTL status

Kylvan-8 commented 4 years ago

service pihole-FTL status

pi@Raspberry:~ $ service pihole-FTL status

févr. 19 14:09:52 Raspberry.Pi systemd[1]: Starting LSB: pihole-FTL daemon...
févr. 19 14:09:52 Raspberry.Pi pihole-FTL[307]: Not running
févr. 19 14:10:04 Raspberry.Pi su[519]: (to pihole) root on none
févr. 19 14:10:04 Raspberry.Pi su[519]: pam_unix(su:session): session opened for user pihole by (uid=0)
févr. 19 14:10:07 Raspberry.Pi pihole-FTL[307]: FTL started!
févr. 19 14:10:07 Raspberry.Pi systemd[1]: Started LSB: pihole-FTL daemon.

ibksturm commented 4 years ago

a) nope, don't change everything in your dnscrypt configuration, it's running now and not the problem. please leave it on 127.0.0.1:5392

ibksturm commented 4 years ago

On my pi it's : 8.8.8.8:53 now

good, what does dig say?

Kylvan-8 commented 4 years ago

On my pi it's : 8.8.8.8:53 now

good, what does dig say?

Same thing :'(

pi@Raspberry:~ $ dig google.com @127.0.0.1

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> google.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51451
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.                    IN      A

;; Query time: 165 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: mer. févr. 19 14:26:56 CET 2020
;; MSG SIZE  rcvd: 39

ibksturm commented 4 years ago

only dig google.com

and is dig google.com @127.0.0.1 -p 5392 still working?

Kylvan-8 commented 4 years ago

[screenshot: AAAA]

It's set up like this now (to be sure I'm not messing up somewhere)

Kylvan-8 commented 4 years ago

only dig google.com

and is dig google.com @127.0.0.1 -p 5392 still working?

pi@Raspberry:~ $ dig google.com

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26742
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.                    IN      A

;; Query time: 187 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: mer. févr. 19 14:29:01 CET 2020
;; MSG SIZE  rcvd: 39

It seems it's still working

pi@Raspberry:~ $ dig google.com @127.0.0.1 -p 5392

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> google.com @127.0.0.1 -p 5392
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22198
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             276     IN      A       172.217.19.238

;; Query time: 329 msec
;; SERVER: 127.0.0.1#5392(127.0.0.1)
;; WHEN: mer. févr. 19 14:29:36 CET 2020
;; MSG SIZE  rcvd: 55

ibksturm commented 4 years ago

oke i see the problem...

first of all, don't touch DNSC for now, ok? Dig shows that DNSC is still running

second, on pihole, remove the flag on DNSSEC

Kylvan-8 commented 4 years ago

oke i see the problem...

first of all, don't touch DNSC for now, ok? Dig shows that DNSC is still running

second, on pihole, remove the flag on DNSSEC

Ok done.

It's working now !

Can we now configure it through scaleway fr with relays and make sure this won't happen again even with a restart?

ibksturm commented 4 years ago

oke I see the problem... first of all, don't touch DNSC for now, ok? Dig shows that DNSC is still running. second, on pihole, remove the flag on DNSSEC

Ok done

dig result?

Kylvan-8 commented 4 years ago

oke I see the problem... first of all, don't touch DNSC for now, ok? Dig shows that DNSC is still running. second, on pihole, remove the flag on DNSSEC

Ok done

dig result?

pi@Raspberry:~ $ dig google.com

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8762
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             201     IN      A       216.58.198.206

;; Query time: 86 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: jeu. févr. 20 22:24:38 CET 2020
;; MSG SIZE  rcvd: 55

pi@Raspberry:~ $ sudo /opt/dnscrypt-proxy/dnscrypt-proxy -config /opt/dnscrypt-proxy/dnscrypt-proxy.toml -resolve google.com
Resolving [google.com]

Domain exists: yes, 4 name servers found
Canonical name: google.com.
IP addresses: 216.58.198.206, 2a00:1450:4007:80a::200e
TXT records: docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e
             globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8=
             v=spf1 include:_spf.google.com ~all
             facebook-domain-verification=22rm551cu4k0ab0bxsw536tlds4h95
             docusign=1b0a6754-49b1-4db5-8540-d2c12664b289
Resolver IP: 74.125.47.10

ibksturm commented 4 years ago

oke I see the problem... first of all, don't touch DNSC for now, ok? Dig shows that DNSC is still running. second, on pihole, remove the flag on DNSSEC

Ok done.

It's working now !

Can we now configure it through scaleway fr with relays and make sure this won't happen again even with a restart?

oke boy, the problem is the following (take popcorn, it's a long story)

a) long years ago there was a DNS server called dnsmasq. the people of pihole modified dnsmasq in certain ways (caching and performance boost). so when I'm talking about dnsmasq, that's the same thing at the moment as the pihole backend, oki? it makes things easier to explain. and you find more results on google

b) to check dnssec, dnsmasq has to download the current keys from the iana server. or you have to put them manually in the config files (example /etc/dnsmasq.d/*.conf or /etc/dnsmasq.conf). THAT'S very very important, no key, no dnssec, no resolving

do you understand this? that was the problem you had to fight with

ibksturm commented 4 years ago

Can we now configure it through scaleway fr with relays and make sure this won't happen again even with a restart?

give me 2 minutes, i'll write you a config file

Kylvan-8 commented 4 years ago

oke I see the problem... first of all, don't touch DNSC for now, ok? Dig shows that DNSC is still running. second, on pihole, remove the flag on DNSSEC

Ok done. It's working now! Can we now configure it through scaleway fr with relays and make sure this won't happen again even with a restart?

oke boy, the problem is the following (take popcorn, it's a long story)

a) long years ago there was a DNS server called dnsmasq. the people of pihole modified dnsmasq in certain ways (caching and performance boost). so when I'm talking about dnsmasq, that's the same thing at the moment as the pihole backend, oki? it makes things easier to explain. and you find more results on google

b) to check dnssec, dnsmasq has to download the current keys from the iana server. or you have to put them manually in the config files (example /etc/dnsmasq.d/*.conf or /etc/dnsmasq.conf). THAT'S very very important, no key, no dnssec, no resolving

do you understand this? that was the problem you had to fight with

I didn't see anything about that in their tutorials... Where can I even find this key? When I did the install everything was working well, even with 127.0.0.1#5392 as DNS for pi hole :/

So I can't even check DNSSEC and the other options on pi hole?

ibksturm commented 4 years ago
```toml
# server_names=['scaleway-fr','doh-crypto-sx','scaleway-ams','cloudflare','google']

### my opinion is to leave server_names empty. DNSC should manage itself which resolver it takes. that's way better for privacy

listen_addresses = ['127.0.0.1:5392', '[::1]:5392']
max_clients = 250

ipv4_servers = true
ipv6_servers = true
dnscrypt_servers = true
doh_servers = true

require_dnssec = true
require_nolog = true
require_nofilter = true

lb_strategy = 'ph'
lb_estimator = true

force_tcp = false
timeout = 250
keepalive = 30

log_level = 1
log_file = '/var/log/dnscrypt-proxy.log'

cert_refresh_delay = 60
tls_cipher_suite = [52392, 49199, 4865, 4867]

fallback_resolver = '9.9.9.9:53'
ignore_system_dns = true
netprobe_timeout = 60
netprobe_address = "9.9.9.9:53"

log_files_max_size = 10
log_files_max_age = 7
log_files_max_backups = 1

block_ipv6 = false
cache = true

#cloaking_rules = '/etc/dnscrypt-proxy/cloaking-rules.txt'

[query_log]
format = 'tsv'

[nx_log]
format = 'tsv'

[blacklist]
#blacklist_file='/etc/dnscrypt-proxy/blacklist.txt'

[ip_blacklist]

[whitelist]

[schedules]

[sources]
  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 24
  prefix = ''

[anonymized_dns]

## Define one or more routes, i.e. indirect ways to reach servers.
## A set of possible relay servers is assigned to each DNS resolver.
## A relay can be specified as a DNS Stamp (either a relay stamp, or a
## DNSCrypt stamp), an IP:port, a hostname:port, or a server name, if
## the server is in the servers_list.

 routes = [
    { server_name='*', via=['sdns://gRE1MS4xNTguMTA2LjQyOjQ0Mw','sdns://gRE1MS4xNS4xMDYuMTc2OjQ0Mw','sdns://gRIxMzkuOTkuMjIyLjcyOjg0NDM','sdns://gR5bMmEwMzpiMGMwOjE6ZTA6OjJlMzplMDAxXTo0NDM','sdns://gRI4OS4xNjMuMjE0LjE3NDo0NDM','sdns://gRE>
 ]

[static]
```
ibksturm commented 4 years ago

So i can't even check DNSSEC and the other options on pi hole ?

https://www.supertechcrew.com/dnsmasq-caching-dnssec/

Try sudo nano /etc/dnsmasq.conf

Kylvan-8 commented 4 years ago

sudo nano /etc/dnsmasq.conf

pi@Raspberry:~ $ sudo nano /etc/dnsmasq.d/0 01-pihole.conf 02-lan.conf

I need to set up both of them?

A1

ibksturm commented 4 years ago

Aah OK, good.

Try sudo nano 03-dnssec.conf

So create a third file; if it sucks, you can just delete it without breaking anything.

Kylvan-8 commented 4 years ago

sudo nano 03-dnssec.conf

https://data.iana.org/root-anchors/root-anchors.xml

It's outdated, I think.

From the tutorial, this is my 03-dnssec.conf:

resolv-file=/etc/resolv.dnsmasq.conf
domain-needed
bogus-priv
strict-order
# "nameserver 127.0.0.1" is resolv.conf syntax, not a dnsmasq option; dnsmasq refuses to start on an
# unknown option ("bad option"), so this line belongs in /etc/resolv.dnsmasq.conf (the resolv-file above)
nameserver 127.0.0.1
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
dnssec-check-unsigned

ibksturm commented 4 years ago

sudo nano /etc/dnsmasq.d/03-dnssec.conf

######## file 03-dnssec.conf ########

# DNSSEC setup
dnssec
# DS records of the root KSKs: key tag 19036 is KSK-2010, key tag 20326 is KSK-2017;
# algorithm 8 (RSA/SHA-256), digest type 2 (SHA-256)
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
# also check that unsigned replies come from a zone that is provably unsigned
dnssec-check-unsigned

#proxy-dnssec ## alternative solution

service pihole-FTL restart && service pihole-FTL status

dig sigok.verteiltesysteme.net

dig sigfail.verteiltesysteme.net

or DNSSEC testing: https://dnssec.vs.uni-due.de/
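The two `trust-anchor=` lines above are DS records of the root KSKs, and the check a practitioner wants before pasting such lines into /etc/dnsmasq.d is whether they match what the root DNSKEY actually hashes to, rather than trusting hex copied from a forum (key tag 19036 is the 2010 KSK, which was revoked in January 2019 and is no longer published in the root zone; 20326 is the one that matters, and the Debian package already ships it in /usr/share/dnsmasq/trust-anchors.conf). The following Python is an added example and not code from dnsmasq, Pi-hole or dnscrypt-proxy: it implements the RFC 4034 key-tag calculation and the RFC 4509 SHA-256 DS digest, turns the `FLAGS PROTO ALG BASE64KEY` rows that `dig . DNSKEY +short` prints into dnsmasq `trust-anchor=` lines, and compares a pasted line against them. All function and constant names are my own, and the 4-byte sample key is constructed so the numbers can be checked by hand; it is not the real root key. Compare real output against https://data.iana.org/root-anchors/root-anchors.xml as well.

```python
"""Derive and check dnsmasq trust-anchor lines from DNSKEY records (added example)."""
import base64
import hashlib
import struct

SEP_FLAG = 0x0001      # Secure Entry Point bit: set on a KSK, clear on a ZSK (RFC 4034 2.1.1)
REVOKE_FLAG = 0x0080   # RFC 5011 revoke bit: a revoked key must never be used as an anchor
DS_SHA256 = 2          # DS digest type 2 (RFC 4509), the 4th field of a dnsmasq trust-anchor line


def name_to_wire(zone: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name; "." is just the empty root label."""
    labels = [label for label in zone.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def parse_dnskey(presentation: str) -> tuple[int, int, int, bytes]:
    """Parse one 'FLAGS PROTO ALG BASE64...' row, as printed by `dig <zone> DNSKEY +short`."""
    flags, proto, alg, *key_chunks = presentation.split()
    return int(flags), int(proto), int(alg), base64.b64decode("".join(key_chunks))


def dnskey_rdata(flags: int, proto: int, alg: int, key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit word sum over the RDATA, carry folded back in."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(zone: str, rdata: bytes) -> str:
    """RFC 4509 DS digest: SHA-256(owner name in wire form || DNSKEY RDATA), upper-case hex."""
    return hashlib.sha256(name_to_wire(zone) + rdata).hexdigest().upper()


def trust_anchor_line(presentation: str, zone: str = ".") -> str:
    """Build the dnsmasq line trust-anchor=<zone>,<key-tag>,<alg>,<digest-type>,<digest>."""
    flags, proto, alg, key = parse_dnskey(presentation)
    if proto != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    if not flags & SEP_FLAG:
        raise ValueError("not a KSK (SEP bit clear); ZSKs are not trust anchors")
    if flags & REVOKE_FLAG:
        raise ValueError("key carries the REVOKE bit; do not anchor on it")
    rdata = dnskey_rdata(flags, proto, alg, key)
    return f"trust-anchor={zone},{key_tag(rdata)},{alg},{DS_SHA256},{ds_digest(zone, rdata)}"


def check_trust_anchor(posted_line: str, presentation: str, zone: str = ".") -> bool:
    """True when a pasted trust-anchor line matches the DNSKEY it claims to describe."""
    want = trust_anchor_line(presentation, zone).split("=", 1)[1].split(",")
    got = posted_line.strip().split("=", 1)[1].split(",")
    return [f.upper() for f in got] == [f.upper() for f in want]


def trust_anchors_from_dig(dig_short: str, zone: str = ".") -> list[str]:
    """One line per usable KSK in `dig <zone> DNSKEY +short` output; ZSKs and revoked keys are skipped."""
    lines = []
    for row in dig_short.strip().splitlines():
        flags = int(row.split()[0])
        if flags & SEP_FLAG and not flags & REVOKE_FLAG:
            lines.append(trust_anchor_line(row, zone))
    return lines


if __name__ == "__main__":
    # Constructed sample: flags 257 (ZONE|SEP), protocol 3, algorithm 8, 4-byte "key" 01 02 03 04.
    sample = "257 3 8 AQIDBA=="
    print(trust_anchor_line(sample))
    print(check_trust_anchor("trust-anchor=.,2063,8,2," + "0" * 64, sample))
```

Feed it `dig @127.0.0.1 -p 5392 . DNSKEY +short` to fetch the key set through dnscrypt-proxy itself; if the line it derives for tag 20326 does not match the one in 03-dnssec.conf, the file has a typo and dnsmasq will SERVFAIL everything signed.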

ibksturm commented 4 years ago

sudo nano 03-dnssec.conf

https://data.iana.org/root-anchors/root-anchors.xml

It's outdated, I think.

From the tutorial, this is my 03-dnssec.conf

I already wrote you a conf file ;)

Kylvan-8 commented 4 years ago

sudo nano 03-dnssec.conf

https://data.iana.org/root-anchors/root-anchors.xml It's outdated, I think. From the tutorial, this is my 03-dnssec.conf

I already wrote you a conf file ;)

pi@Raspberry:~ $ sudo nano /etc/dnsmasq.d/03-dnssec.conf
pi@Raspberry:~ $ service pihole-FTL restart && service pihole-FTL status
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authenticating as: root
Password:
pi@Raspberry:~ $ sudo service pihole-F
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...
pi@Raspberry:~ $ sudo service pihole-FTL restart && service pihole-FTL status

● pihole-FTL.service - LSB: pihole-FTL daemon
   Loaded: loaded (/etc/init.d/pihole-FTL; generated)
   Active: active (exited) since Thu 2020-02-20 23:03:47 CET; 164ms ago
     Docs: man:systemd-sysv-generator(8)
  Process: 11143 ExecStart=/etc/init.d/pihole-FTL start (code=exited, status=0/SUCCESS)

Feb 20 23:03:46 Raspberry.Pi systemd[1]: Starting LSB: pihole-FTL daemon...
Feb 20 23:03:46 Raspberry.Pi pihole-FTL[11143]: Not running
Feb 20 23:03:46 Raspberry.Pi su[11187]: (to pihole) root on none
Feb 20 23:03:46 Raspberry.Pi su[11187]: pam_unix(su:session): session opened for user pihole by (uid=0)
Feb 20 23:03:47 Raspberry.Pi pihole-FTL[11143]: FTL started!
Feb 20 23:03:47 Raspberry.Pi su[11187]: pam_unix(su:session): session closed for user pihole
Feb 20 23:03:47 Raspberry.Pi systemd[1]: Started LSB: pihole-FTL daemon.
pi@Raspberry:~ $ dig sigok.verteiltesysteme.net

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> sigok.verteiltesysteme.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64331
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.	IN	A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60	IN	A	134.91.78.139

;; Query time: 1780 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Feb 20 23:04:11 CET 2020
;; MSG SIZE  rcvd: 71

pi@Raspberry:~ $ dig sigfail.verteiltesysteme.net

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> sigfail.verteiltesysteme.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38853
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
;; QUESTION SECTION:
;sigfail.verteiltesysteme.net.	IN	A

;; Query time: 996 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Feb 20 23:04:24 CET 2020
;; MSG SIZE  rcvd: 57
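The pair of dig runs above is the standard DNSSEC self-test, and the outcome is read off two header fields: the RCODE and whether the `ad` (authenticated data) flag is set. The Python below is an added example, not code from the thread or from dnsmasq, Pi-hole or dnscrypt-proxy; it pulls those two fields out of raw dig output and names the four cases a practitioner needs to tell apart (validating, not validating, broken, and "bad data rejected but nothing marks the good answer authentic"). The dig excerpts embedded in it are constructed to resemble the ones above; the function names and the result labels are my own.

```python
"""Classify a resolver's DNSSEC behaviour from the sigok/sigfail dig pair (added example)."""
import re

STATUS_RE = re.compile(r";; ->>HEADER<<-.*?status:\s*([A-Z]+)")
FLAGS_RE = re.compile(r";; flags:\s*([a-z ]*?)\s*;")


def parse_dig(output: str) -> tuple[str, set[str]]:
    """Return (RCODE, header flags) from one dig run; raise if dig never got an answer."""
    status, flags = STATUS_RE.search(output), FLAGS_RE.search(output)
    if not status or not flags:
        raise ValueError("no ;; ->>HEADER<<- line: dig got no answer (timeout or connection refused)")
    return status.group(1), set(flags.group(1).split())


def classify(sigok_output: str, sigfail_output: str) -> str:
    """Name the resolver's behaviour from the good-signature and bad-signature test names."""
    ok_status, ok_flags = parse_dig(sigok_output)
    bad_status, _ = parse_dig(sigfail_output)
    if ok_status == "NOERROR" and "ad" in ok_flags and bad_status == "SERVFAIL":
        return "validating"            # good signature accepted and marked authentic, bad one refused
    if ok_status == "NOERROR" and bad_status == "NOERROR":
        return "not-validating"        # the bogus answer went through: no dnssec, or proxy-dnssec over a non-validating upstream
    if ok_status == "SERVFAIL":
        return "broken"                # even the valid name fails: bad/missing trust anchor, clock far off, or upstream strips RRSIGs
    if ok_status == "NOERROR" and bad_status == "SERVFAIL":
        return "validated-without-ad"  # something upstream rejects bad data, but the local hop does not assert authenticity
    return "inconclusive"


# Constructed samples (header lines only; the rest of dig's output is irrelevant to the check).
SIGOK_VALIDATING = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64331
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60 IN A 134.91.78.139
"""
SIGFAIL_REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38853
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
SIGOK_PLAIN = SIGOK_VALIDATING.replace("qr rd ra ad;", "qr rd ra;")
SIGFAIL_ACCEPTED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
sigfail.verteiltesysteme.net. 60 IN A 134.91.78.139
"""

if __name__ == "__main__":
    print(classify(SIGOK_VALIDATING, SIGFAIL_REFUSED))   # validating
    print(classify(SIGOK_PLAIN, SIGFAIL_ACCEPTED))       # not-validating
```

Run the real commands against each hop separately: `dig @127.0.0.1 sigok.verteiltesysteme.net` tests Pi-hole/dnsmasq, `dig @127.0.0.1 -p 5392 sigok.verteiltesysteme.net` tests dnscrypt-proxy directly, and plain `dig` only tests whatever /etc/resolv.conf points at. A `broken` result on a Raspberry Pi after an abrupt power loss is worth checking against the clock first: the board has no RTC, and signatures are only valid inside their inception/expiration window, so a wrong date makes every signed name SERVFAIL until NTP (which itself needs DNS) catches up.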

Kylvan-8 commented 4 years ago

A2