I’m attempting to configure an anonymized DNS service using dnscrypt-proxy2, routed through the Tor network. I believe I have everything needed for it to work, but that does not seem to be the case. The DNS resolution is fine, but it’s not being proxied through Tor as desired.

 services.resolved.enable = false;
 services.dnscrypt-proxy2 = {
   enable = true;
   settings = {
     ipv6_servers = config.networking.enableIPv6;
     block_ipv6 = !(config.networking.enableIPv6);
     listen_addresses = ["127.0.0.1:53" "[::1]:53"];
     force_tcp = true;

     use_syslog = false;
     odoh_servers = true;
     require_dnssec = true;
     require_nolog = false;
     require_nofilter = true;

     anonymized_dns = {
       routes = [
         {
           server_name = "*";
           via = ["anon-plan9-dns" "anon-v.dnscrypt.up-ipv4"];
         }
       ];
       skip_incompatible = true;
     };

     sources.public-resolvers = {
       urls = [
         "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
         "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
       ];
       cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
       minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
     };

     block_unqualified = true;
     block_undelegated = true;
     proxy = "socks5://127.0.0.1:9050";
   };
 };

 systemd.services.dnscrypt-proxy2.serviceConfig = {
   StateDirectory = "dnscrypt-proxy";
 };
    useDHCP = false;
    enableIPv6 = true;
    nameservers = [
      "127.0.0.1"
      "::1"
    ];
    networkmanager.enable = true;
    networkmanager.dns = "none";
  services.tor = {
    enable = true;
    enableGeoIP = false;
    torsocks.enable = true;
    client = {
      enable = true;
    };
  };
  • @[email protected]
    link
    fedilink
    English
    -3
    edit-2
    5 months ago
    sequenceDiagram
        Computer->>+Nameserver: Where's wikipedia.org
        Nameserver-->>-Computer: 185.15.59.224
        Computer->>+Wikipedia: GET /
        Wikipedia-->>-Computer: return /
    

    Here is the simplified sequence diagram

    As you can see the request to wikipedia itself does not go through a nameserver, only the DNS request does. It’s the entire reason Firefox has the option to proxy DNS queries over the proxy: to avoid DNS leaks

    Right now, all that should be happening is DNS requests being proxied, not the rest of your traffic.

    There’s a huge difference when I enter https://one.one.one.one/help/ normally with "Use system proxy settings" in my browser and when I enter it with a "Manual proxy configuration" with the SOCKS Host set up and "Proxy DNS when using SOCKS v5" checked on.

    To me that indicates the DNS proxy through TOR isn’t actually working with your dnscrypt setup 🤔 However it’s difficult to debug from here. It’s possible the DNS query is slow, but because the actual HTTP request is going through your standard internet with no proxy it’s fast, and when you do turn on the proxy for HTTP/S requests, you observe actually using TOR for everything and thus the latency.

    Could you run these commands please

    # Find which process is running the local DNS server
    sudo ss -plant | grep ":53 " # alternatively sudo netstat -plant | grep ":53 "
    
    # Check your DNS resolver config
    # You can share it or not, but 127.0.0.1 MUST be in it, otherwise your DNS queries aren't being encrypted/proxied
    cat /etc/resolv.conf
    
    # Measure how long it takes to query a new domain name
    time dig techhub.hpe.com
    time dig bash.org
    time dig element.io
    

    If you feel comfortable with it, you share the logs of dnscrypt (I don’t know what kind of information is in there, so you might have to clean it).

    journalctl -u dnscrypt-proxy2 or just systemctl status dnscrypt-proxy2. Either here or PMed. Here are encrypted pastebin alternatives.

    Anti Commercial-AI license

    • @TeaTasticOP
      link
      English
      25 months ago

      The simplified sequence diagram really helps to picture it. I’ll PM you with the logs.