DNSCrypt / dnscrypt-proxy

dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols.
https://dnscrypt.info
ISC License

Can't set my preferred server_names #857

Closed ghost closed 5 years ago

ghost commented 5 years ago

Hello, thank you for this awesome tool!

I figured out how to use this on Void Linux, which has Runit and other peculiarities. However, it seems that dnscrypt-proxy uses all available servers, and I don't understand why.

In the .toml file I have set this: server_names = ['quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-filter-alt']. No effect.

Thanks for your help.

jedisct1 commented 5 years ago

Double check that it is loading the configuration file you edited.

Put some random garbage in the configuration file. If the proxy still starts, this is not the right file :)

TraderStf commented 5 years ago

You are perhaps having the same problem as mine. Stop/Start/Restart sometimes works without problem. Sometimes not.

-deleted, was my fault sorry-

TraderStf commented 5 years ago

I just noticed that there is a difference between a start and a restart...

/d -service start
/d -service stop
[NOTICE] dnscrypt-proxy 2.0.25
[NOTICE] Service stopped

/d -service restart
/d -service stop
[NOTICE] dnscrypt-proxy 2.0.25
[FATAL] Failed to stop DNSCrypt client proxy: "launchctl" failed with stderr: /Library/LaunchDaemons/dnscrypt-proxy.plist: Could not find specified service

ghost commented 5 years ago

@jedisct1 It's ok, the Runit service is executed with exec dnscrypt-proxy -config /etc/dnscrypt-proxy.toml. I tried to write random stuff inside and when I do this the service doesn't launch so the config file is correctly read.

@TraderStf Thanks, but no, I don't have any issue with starting/stopping the service; everything works but it doesn't pick the custom servers.

I tried to disable my firewall too (UFW), nothing changed.

EDIT: if I put "google" or "cloudflare" it works! But according to this page TLS isn't enabled... And then why doesn't quad9 work?

jedisct1 commented 5 years ago

What does dnscrypt-proxy -list show?

If you stop the proxy, does DNS resolution stop?

What does your /etc/resolv.conf file look like?

ghost commented 5 years ago

If I stop the proxy (its runit service), DNS resolution stops and I can't load web pages anymore.

$ dnscrypt-proxy -config /etc/dnscrypt-proxy.toml -list
[2019-06-16 14:08:50] [NOTICE] Network connectivity detected
[2019-06-16 14:08:50] [NOTICE] Source [public-resolvers.md] loaded
quad9-dnscrypt-ip4-filter-pri
quad9-dnscrypt-ip4-filter-alt

/etc/resolvconf.conf:

# Configuration for resolvconf(8)
# See resolvconf.conf(5) for details
resolv_conf=/etc/resolv.conf

# If you run a local name server, you should uncomment the below line and
# configure your subscribers configuration files below.
name_servers=127.0.0.1
resolv_conf_options=edns0

- - -

/etc/resolv.conf:

# Generated by resolvconf
nameserver 127.0.0.1
options edns0

- - -

Source of the Void package:
https://github.com/void-linux/void-packages/tree/master/srcpkgs/dnscrypt-proxy

jedisct1 commented 5 years ago

> $ dnscrypt-proxy -config /etc/dnscrypt-proxy.toml -list
> [2019-06-16 14:08:50] [NOTICE] Network connectivity detected
> [2019-06-16 14:08:50] [NOTICE] Source [public-resolvers.md] loaded
> quad9-dnscrypt-ip4-filter-pri
> quad9-dnscrypt-ip4-filter-alt

Looking good. Only these two are being used.

What makes you think that all other resolvers are being used?

Does dnscrypt-proxy -resolve example.com return IP addresses that are not quad9's?
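The cross-checks jedisct1 asks for in this thread (configured server_names versus what `-list` reports, and whether /etc/resolv.conf really points at the local proxy), as an added example that is not part of the thread or of dnscrypt-proxy itself. The TOML, `-list` and resolv.conf samples are constructed from what the reporter posted, and the one-key TOML parser is a deliberate simplification (real code would use tomllib).

```python
"""Cross-check dnscrypt-proxy's configured server_names against the names it
actually loaded (`dnscrypt-proxy -list` output) and check /etc/resolv.conf.
All inputs below are constructed samples modelled on the issue thread."""
import re

# Constructed excerpt of /etc/dnscrypt-proxy.toml (not the project's default file).
SAMPLE_TOML = """
listen_addresses = ['127.0.0.1:53']
server_names = ['quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-filter-alt']
ipv4_servers = true
"""

# Constructed `dnscrypt-proxy -list` output: log lines first, then one name per line.
SAMPLE_LIST = """[2019-06-16 14:08:50] [NOTICE] Network connectivity detected
[2019-06-16 14:08:50] [NOTICE] Source [public-resolvers.md] loaded
quad9-dnscrypt-ip4-filter-pri
quad9-dnscrypt-ip4-filter-alt
"""

# Constructed /etc/resolv.conf as written by resolvconf for a local proxy.
SAMPLE_RESOLV_CONF = "# Generated by resolvconf\nnameserver 127.0.0.1\noptions edns0\n"


def configured_server_names(toml_text):
    """Return the server_names array from the TOML text.
    Minimal single-key parser: one-line array of quoted strings only; a
    commented-out line (leading '#') is ignored. Assumption: tomllib in real code."""
    for line in toml_text.splitlines():
        m = re.match(r"\s*server_names\s*=\s*\[(.*)\]", line)
        if m:
            return re.findall(r"['\"]([^'\"]+)['\"]", m.group(1))
    return []  # key absent: dnscrypt-proxy would then use every listed server


def listed_server_names(list_output):
    """Names reported by `-list`, with the bracketed [NOTICE] log lines dropped."""
    return [l.strip() for l in list_output.splitlines() if l.strip() and not l.startswith("[")]


def check_selection(toml_text, list_output):
    """Compare what was configured with what the proxy actually selected."""
    want, got = set(configured_server_names(toml_text)), set(listed_server_names(list_output))
    return {"ok": bool(want) and want == got,
            "unexpected": sorted(got - want),  # the symptom reported in this issue
            "missing": sorted(want - got)}     # e.g. a typo in a server name


def resolv_conf_points_to_proxy(resolv_conf, proxy_ip="127.0.0.1"):
    """True only if every nameserver line is the local proxy: a stray upstream
    nameserver would let the system resolve around dnscrypt-proxy."""
    ns = [l.split()[1] for l in resolv_conf.splitlines()
          if l.strip().startswith("nameserver") and len(l.split()) > 1]
    return bool(ns) and all(ip == proxy_ip for ip in ns)
```

Feed the real files and the real `-list` output into these functions; a non-empty "unexpected" list is the situation the reporter describes, and "missing" points at a name the proxy could not find in its sources.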

ghost commented 5 years ago

If I set the 'quad9-xxx' names other random resolvers are used instead. If I put 'cloudflare' or 'google' then those ones are correctly used. I see it with the -resolve command and by checking with https://tenta.com/test/.

Btw, I've added myself to the dnscrypt_proxy group created by the package, but nothing changed (after logout/login of course).

jedisct1 commented 5 years ago

What resolvers does the -resolve command return?

ghost commented 5 years ago

Ok, I don't know why, but I rebooted again and now Quad9 works (WoodyNet UK).

Now, I still have the problem that TLS seems disabled.

Please can you tell me if you see "TLS Enabled" on "true" here with your own config? Maybe it's just their website that doesn't work.

EDIT: or I misunderstood something and DNScrypt doesn't enable DoT? I found your project because it was recommended in a documentation to have DoT, maybe it was misleading...

jedisct1 commented 5 years ago

A reboot fixes everything :)

Don't trust that Tenta page too much, especially when it comes to DNS. TLS usage cannot be detected that way. I guess they print "TLS enabled" only if you use their product.

There are different protocols to make DNS queries. DoT is a terrible fit to secure traffic between stub resolvers and resolvers. It was intentionally not implemented in dnscrypt-proxy, especially since DoH now exists as a more serious alternative.

dnscrypt-proxy only implements the DNSCrypt protocol which is faster and more secure, as well as the DoH protocol that works when port 443 only allows HTTPS traffic.

Anyway, glad to see that you finally got it working!

ghost commented 5 years ago

Ok, sorry :) Yeah, a reboot fixes everything, but I had already tried that; I don't know why it took so long to work... And sorry for not understanding what DNSCrypt was for, but I'm keeping it of course!

Do you recommend that I use the Quad9-DoH or standard is ok?

jedisct1 commented 5 years ago

Your current configuration is totally fine :)