Posted: Mon Aug 14, 2017 20:29 Post subject: DNSCrypt results so far.
Playing with the different settings for DNSCrypt, I have noticed a few things and I am just reporting what I have found so far. I am located in the Caribbean and using a wzr1750dhp/d, so your results may vary.
Adguard DNS Family Protection 2 seems to work fine without any real issues. Some of the DNSCrypt choices introduce more latency than others, which is to be expected as they are in different locations and configurations. Some seem to be blocking online services like Netflix.
In the SYSLOG I find these that stand out because of the highlighted color.
These are for Yandex's DNSCrypter:-
in yellow = user.info : - [yandex] does not support DNS Security Extensions
For SecureDNS Uncensored, No logging Amsterdam Netherlands:-
in red = user.warn : - [yandex] logs your activity - a different provider might be better a choice if privacy is a concern
in red = daemon.err dnscrypt-proxy[1857]: Unable to create a socket to the resolver
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Tue Aug 15, 2017 6:31 Post subject:
These are normal, some providers support DNSSEC, some not,
all are different, as well as their quality and speed...
Personally I use only those that support DNSSEC...
you have to find out for yourself...
Joined: 03 Jan 2017 Posts: 49 Location: Lindau, Germany
Posted: Tue Aug 15, 2017 7:06 Post subject: Re: DNSCrypt results so far.
Brimmy wrote:
In the SYSLOG I find these that stand out because of the highlighted color.
These are for Yandex's DNSCrypter:-
in yellow = user.info : - [yandex] does not support DNS Security Extensions
For SecureDNS Uncensored, No logging Amsterdam Netherlands:-
in red = user.warn : - [yandex] logs your activity - a different provider might be better a choice if privacy is a concern
These two messages are warnings due to the properties of the chosen dnscrypt resolvers. If you take a look in the dnscrypt-resolvers.csv file (DD-WRT location is: /etc/dnscrypt/dnscrypt-resolv.csv, a comma separated text file) you will find the following information (attached picture): Yandex and adguard do not support DNSSEC validation, Yandex keeps logs.
If logging or DNSSEC are a concern for you, you should try other dnscrypt resolvers. The dnscrypt-resolv.csv may help to find the appropriate one for you (e.g. location Anycast) out of 111 possible resolvers. It might be faster than "trial and error".
Quote:
in red = daemon.err dnscrypt-proxy[1857]: Unable to create a socket to the resolver
The chosen resolver seems not to work (temporarily?), you should try another one. Or there is another issue?
In my setup (KONG build 33010) securedns works and gives the following complete syslog (key and serial deleted):
Aug 15 08:37:32 R6300v2 user.info : + DNS Security Extensions are supported
Aug 15 08:37:32 R6300v2 user.info : + Provider supposedly doesn't keep logs
Aug 15 08:37:32 R6300v2 daemon.notice dnscrypt-proxy[23198]: Starting dnscrypt-proxy 1.9.5
Aug 15 08:37:32 R6300v2 daemon.info dnscrypt-proxy[23198]: Generating a new session key pair
Aug 15 08:37:32 R6300v2 daemon.info dnscrypt-proxy[23198]: Done
Aug 15 08:37:32 R6300v2 daemon.info dnscrypt-proxy[23198]: Server certificate with serial #1...3 received
Aug 15 08:37:32 R6300v2 daemon.info dnscrypt-proxy[23198]: This certificate is valid
Aug 15 08:37:32 R6300v2 daemon.info dnscrypt-proxy[23198]: Chosen certificate #1...3 is valid from [2017-06-29] to [2018-06-29]
Aug 15 08:37:32 R6300v2 daemon.info dnscrypt-proxy[23198]: The key rotation period for this server may exceed the recommended value. This is bad for forward secrecy.
Aug 15 08:37:32 R6300v2 daemon.info dnscrypt-proxy[23198]: Server key fingerprint is xxx:xxx:xxx:....
Aug 15 08:37:32 R6300v2 daemon.notice dnscrypt-proxy[23198]: Proxying from 127.0.0.11:30 to 146.185.167.43:5353
Maybe I will give securedns a try regarding DNSSEC.
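Added example (not part of the original post, and not DD-WRT or dnscrypt-proxy code): one way to shortlist resolvers from the CSV mentioned above instead of testing them one by one. The column names are an assumption about the dnscrypt-proxy 1.x resolver list layout, and the sample rows are constructed; only the Yandex and securedns flags and the securedns address come from this thread.

```python
import csv
import io

# Constructed sample. Column names are the layout assumed for the
# dnscrypt-proxy 1.x resolver list; yandex/securedns flags follow the thread,
# everything else (adguard "No logs", 192.0.2.x addresses, keys) is placeholder.
SAMPLE_CSV = """Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
yandex,Yandex,"Yandex public DNS server","Anycast",,,1,no,no,no,192.0.2.10:15353,2.dnscrypt-cert.example,PLACEHOLDER,
adguard-dns-family-ns2,"Adguard DNS Family Protection 2","Blocks ads, trackers and adult sites","Anycast",,,1,no,yes,no,192.0.2.20:5443,2.dnscrypt-cert.example,PLACEHOLDER,
securedns,SecureDNS,"Uncensored, no logging","Amsterdam, Netherlands",,,1,yes,yes,no,146.185.167.43:5353,2.dnscrypt-cert.example,PLACEHOLDER,
"""

def load_resolvers(text):
    """Parse resolver-list CSV text into dict rows (handles quoted commas)."""
    return list(csv.DictReader(io.StringIO(text)))

def shortcomings(row):
    """Return the properties a resolver lacks, mirroring the syslog warnings."""
    missing = []
    if (row.get("DNSSEC validation") or "").strip().lower() != "yes":
        missing.append("no DNSSEC validation")
    if (row.get("No logs") or "").strip().lower() != "yes":
        missing.append("keeps logs")
    return missing

def select_resolvers(rows, need_dnssec=True, need_no_logs=True, location=None):
    """Names of resolvers meeting the requested properties, in file order."""
    picked = []
    for row in rows:
        lacks = shortcomings(row)
        if need_dnssec and "no DNSSEC validation" in lacks:
            continue
        if need_no_logs and "keeps logs" in lacks:
            continue
        if location and location.lower() not in (row.get("Location") or "").lower():
            continue
        picked.append(row["Name"])
    return picked

if __name__ == "__main__":
    # Against the real list, load the file's text instead, e.g.
    # open("/etc/dnscrypt/dnscrypt-resolv.csv", newline="").read()
    rows = load_resolvers(SAMPLE_CSV)
    print("DNSSEC + no logs:", select_resolvers(rows))
    for r in rows:
        print(r["Name"], "->", shortcomings(r) or "ok")
```

The "No logs" column is the provider's own claim, which is why the proxy logs it as "supposedly doesn't keep logs"; the filter narrows the list but cannot verify that claim.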
Posted: Wed Aug 16, 2017 12:10 Post subject: Re: DNSCrypt results so far.
Thanks for the information. If you plan to use securedns, try both and see if the non-ipv6 one has more latency and blocks or times out Netflix, because it does for me. I am now using the ipv6 securedns and I have Netflix loading with no issue and I have my normal internet speed.