safing / portmaster

🏔 Love Freedom - ❌ Block Mass Surveillance
https://safing.io
GNU General Public License v3.0

Using Portmaster along with Dnscrypt #364

Closed AlbusPercivalDumbledore closed 3 years ago

AlbusPercivalDumbledore commented 3 years ago

When using Anonymized DNS with Dnscrypt, Portmaster displays generic identifiers like 'Internet Peer to Peer', 'LAN Peer to Peer', 'LAN incoming', etc, instead of domain name, for any network connection.

Can Portmaster be made to show actual domains, instead of these generic identifiers, when used alongside Dnscrypt?

ppacher commented 3 years ago

Hi @AlbusPercivalDumbledore ,

thanks for reaching out to us!

If dnscrypt is the first one receiving the DNS queries, there is no way for the Portmaster to know the requested domains. Which operating system do you run? It would be great if you could attach the debug data from the settings page in the Portmaster UI, as I suspect something went wrong when starting the DNS resolver. The Portmaster should actually complain about dnscrypt running and listening on the same ports.

However, using dnscrypt together with the Portmaster is redundant because the Portmaster already uses encrypted communication with the configured dot:// resolvers. Thus, as far as I understand, dnscrypt does not add much additional security here.

AlbusPercivalDumbledore commented 3 years ago

@ppacher I'm on Windows 10 LTSC 2019. I've uploaded the debug log here: http://controlc.com/483504f3. Indeed, portmaster throws up errors when the dnscrypt service is started.

I've been using DNSCrypt-proxy, since it can be configured to use Anonymized DNS (https://github.com/dnscrypt/dnscrypt-proxy/wiki/Anonymized-DNS), which to my limited understanding, adds an extra layer of security.

ppacher commented 3 years ago

Hi @AlbusPercivalDumbledore,

thanks for your answer! I'll check the debug log as soon as I find time.

I wasn't aware of the Anonymized DNS feature of DNSCrypt. That's a really cool thing! Compared to the Portmaster this actually adds an additional layer of security as the Portmaster alone only does encrypted DNS but it does not do anonymized routing. This is what our other product, the SPN is capable of doing with all outgoing connections.

Maybe @dhaavi would like to chime in here as well.

If you want to run both in parallel, the order in which they should receive the DNS queries is: client → Portmaster → DNSCrypt.

You should be able to get this to run by configuring DNSCrypt to listen on a different port (like using `listen_addresses = ['127.0.0.1:53000', '[::1]:53000']` in your DNSCrypt configuration) and then configuring the Portmaster to use DNSCrypt as the upstream server by adding `dns://127.0.0.1:53000` to the DNS Server configuration. The Portmaster will fall back to the other DNS server entries if the first one fails, so you might want to delete all other entries to make sure you're not leaking DNS queries in case DNSCrypt goes down.
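
As an added example (not code from this thread or from Safing), a small Python checker for the two failure modes discussed in this comment: a dnscrypt-proxy listener colliding with the Portmaster on port 53, and extra Portmaster DNS Server entries that act as fallbacks and bypass DNSCrypt when it is down. The dnscrypt-proxy.toml fragment, the Portmaster upstream list and the ad-hoc parser are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inputs (not taken from the thread): a dnscrypt-proxy.toml
# fragment with the listener moved off port 53, and the Portmaster "DNS Server" list.
DNSCRYPT_TOML = """
server_names = ['example-anon-resolver']
listen_addresses = ['127.0.0.1:53000', '[::1]:53000']
"""
PORTMASTER_DNS_SERVERS = ["dns://127.0.0.1:53000"]


def parse_listen_addresses(toml_text: str) -> List[str]:
    """Extract the host:port strings from the listen_addresses line (ad-hoc, no TOML library)."""
    m = re.search(r"^\s*listen_addresses\s*=\s*\[(.*)\]", toml_text, re.M)
    if not m:
        return []
    return [a.strip().strip("'\"") for a in m.group(1).split(",") if a.strip()]


def split_host_port(addr: str) -> Tuple[str, int]:
    """Split '127.0.0.1:53000' or '[::1]:53000' into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def check_chain(toml_text: str, upstreams: List[str]) -> Dict[str, List[str]]:
    """Return findings: 'errors' (the chain cannot work) and 'warnings' (works, but may leak)."""
    findings: Dict[str, List[str]] = {"errors": [], "warnings": []}
    listeners = [split_host_port(a) for a in parse_listen_addresses(toml_text)]
    if not listeners:
        findings["errors"].append("dnscrypt-proxy has no listen_addresses configured")
        return findings
    # The Portmaster itself serves port 53; a second listener there is the collision described above.
    for host, port in listeners:
        if port == 53:
            findings["errors"].append(f"dnscrypt-proxy listens on {host}:{port}, colliding with the Portmaster resolver")
    if not upstreams:
        findings["errors"].append("Portmaster has no DNS Server entries")
        return findings
    # The first upstream must be a plain dns:// entry pointing at one of the DNSCrypt listeners.
    first = upstreams[0]
    if not first.startswith("dns://"):
        findings["errors"].append(f"first upstream {first!r} is not a dns:// entry")
    elif split_host_port(first[len("dns://"):]) not in listeners:
        findings["errors"].append(f"first upstream {first!r} does not match any dnscrypt-proxy listener")
    # Further entries are fallbacks the Portmaster uses when DNSCrypt is down: queries would bypass it.
    for extra in upstreams[1:]:
        findings["warnings"].append(f"fallback entry {extra!r} bypasses DNSCrypt if it goes down")
    return findings
```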

AlbusPercivalDumbledore commented 3 years ago

@ppacher Configuring Portmaster to use DNSCrypt worked wonderfully. Thanks a lot!

I hadn't looked into SPN as yet; would surely give it a shot.

ppacher commented 3 years ago

Nice to hear! I guess the issue is resolved now so I'm closing it. Feel free to re-open this one or create a new one if something else doesn't work.

@davegson : maybe we should add DNScrypt to the compatibility list with a reference to this issue. Adding docs-pending for that.

jonsnow231 commented 2 months ago

Will Portmaster implement anonymized relays in the future? As an example, YogaDNS does it, so you don't have to set it up yourself.