NCSI Windows 10 (Internet probing over dns) does not work, specifically with dnscrypt-proxy

bitlog2 commented 3 years ago

Who is the bug affecting?

Windows 10 users of dnscrypt-proxy

I am running Windows 10 2020H2 update, version "Version 10.0.19042.746" is shown in cmd.exe when it starts up.

What is affected by this bug?

Windows 10 NSCI fails to detect network connectivity. This means that Microsoft store apps, and Microsoft apps such as office cannot connect to the internet and function properly.

When does this occur?

When 1) dnscrypt-proxy is running on 127.0.0.1 and 2) windows dns settings for your network adapter are set to "127.0.0.1" with NO secondary set

Where does it happen?

See above. It happens on Windows 10 computers running dnscrypt-proxy without fallback DNS provider set up.

How do we replicate the issue?

Start following installation instructions for windows here: https://github.com/dnscrypt/dnscrypt-proxy/wiki/Installation-Windows

Download dnscrypt-proxy-win64-*.zip > unzip it
Copy "example-dnscrypt-proxy.toml" to "dnscrypt-proxy.toml"
run .\dnscrypt-proxy from an admin powershell window . You will see DNS queries working
Now go to "network connections" > right click main network adapter > properties > go to IPv4 > go to properties > Set DNS settings to 127.0.0.1 as primary, with NO secondary set
Kill .\dnscrypt-proxy . Then restart it
Disable your network adapter, then re-enable to re-trigger NSCI check. Do this in "network connections" > right click adapter > disable > wait a second > then enable
After network adapter is re-enabled, windows NSCI will show as disabled. Wait another minute, it will stay disabled. THIS is the bug.

Workaround:

Go to "network connections" > right click adapter > IPv4 > properties > add a secondary DNS server, like 1.1.1.1 > hit okay to save
Disable and re-enable network adapter, and NSCI check will work now

Expected behavior (i.e. solution)

dnscrypt-proxy should work with ONLY a primary dns provider set. Having to set a secondary is an extra step, one more thing to get wrong.

Other Comments

It took me months to find the cause of this bug. I had 2 issues actually, one with dnscrypt-proxy and one with another piece of software, DisableWinTracking. DisableWinTracking was blocking msftncsi from dns in the hosts file. After fixing this, I narrowed the last issue down to Simple DNSCrypt, which is built on top of dnscrypt-proxy. Both have the same issue, both require a secondary DNS server to be set on windows 10.

For anyone running DisableWinTracking, make sure you edit C:\Windows\System32\drivers\etc\hosts and add # before "0.0.0.0 msftncsi.com" and "0.0.0.0 www.msftncsi.com" . And then don't forget to add a secondary DNS provider like 1.1.1.1 in your network adapter > IPv4 dns settings if you're running dnscrypt-proxy or SimpleDnsCrypt. Users of SimpleDnsCrypt actually have to go one step further than this and unclick your network adapter in the SimpleDnsCrypt interface to get windows NCSI to work. You're welcome googlers :p.

This bug is very similar to the existing bug below, except I confirmed it specifically affects dnscrypt-proxy. Related bug: NCSI Windows 10 (Internet probing over dns) doses not work #1342 https://github.com/DNSCrypt/dnscrypt-proxy/issues/1342

I also cross-posted this bug to SimpleDnsCrypt, with some additional buggy behaviors on their end. Maybe this thread will help. https://github.com/bitbeans/SimpleDnsCrypt/issues/533

keywords for googlers: nslookup dns.msftncsi.com www.msftncsi.com/ncsi.txt windows 10 no internet connection

lifenjoiner commented 3 years ago

Actualy, dnscrypt-proxy v2.0.45 has solved this problem already. You will find it, if you take more explorations ... https://github.com/DNSCrypt/dnscrypt-proxy/blob/5d6b35213cd6983e98fcb98fba444bf01eb76107/dnscrypt-proxy/example-dnscrypt-proxy.toml#L388-L398

The reason you still have it is: SimpleDnsCrypt hasn't used the latest dnscrypt-proxy backend nor configured this feature. It's still v2.0.42: https://github.com/bitbeans/SimpleDnsCrypt/tree/master/SimpleDnsCrypt/dnscrypt-proxy

There are 2 ways for you to solve this problem:

Wait SimpleDnsCrypt to update it's shipped backend and configuration.
As you have DIY spirit, update the backend and configure it yourself.

ghost commented 3 years ago

That's not a bug but the intentional documented Windows 10 behaviour: NCSI by default restricts DNS lookups to the interface it is currently probing on. However there's a group policy/registry key specifically designed to handle a DNS server running on localhost. The following disables interface binding when doing DNS lookups in NCSI:

Computer Configuration -> Administrative Templates -> Network -> Network Connectivity Status Indicator -> Specify global DNS

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator
Value Name:    UseGlobalDns
Value Type:    REG_DWORD
Default Value:   0
True Value:      1
False Value:     0

jedisct1 commented 3 years ago

It's also documented: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Windows-NCSI

DNSCrypt / dnscrypt-proxy