I’m attempting to configure an anonymized DNS service using dnscrypt-proxy2, routed through the Tor network. I believe I have everything needed for it to work, but that does not seem to be the case. The DNS resolution is fine, but it’s not being proxied through Tor as desired.
```nix
services.resolved.enable = false;

services.dnscrypt-proxy2 = {
  enable = true;
  settings = {
    ipv6_servers = config.networking.enableIPv6;
    block_ipv6 = !(config.networking.enableIPv6);
    listen_addresses = [ "127.0.0.1:53" "[::1]:53" ];
    force_tcp = true;
    use_syslog = false;
    odoh_servers = true;
    require_dnssec = true;
    require_nolog = false;
    require_nofilter = true;
    anonymized_dns = {
      routes = [
        {
          server_name = "*";
          via = [ "anon-plan9-dns" "anon-v.dnscrypt.up-ipv4" ];
        }
      ];
      skip_incompatible = true;
    };
    sources.public-resolvers = {
      urls = [
        "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
        "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
      ];
      cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
      minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
    };
    block_unqualified = true;
    block_undelegated = true;
    proxy = "socks5://127.0.0.1:9050";
  };
};

systemd.services.dnscrypt-proxy2.serviceConfig = {
  StateDirectory = "dnscrypt-proxy";
};

# The enclosing "networking = {" was lost in the post; useDHCP, enableIPv6,
# nameservers and networkmanager are all networking.* options.
networking = {
  useDHCP = false;
  enableIPv6 = true;
  nameservers = [
    "127.0.0.1"
    "::1"
  ];
  networkmanager.enable = true;
  networkmanager.dns = "none";
};

services.tor = {
  enable = true;
  enableGeoIP = false;
  torsocks.enable = true;
  client = {
    enable = true;
  };
};
```
Here is the simplified sequence diagram:

```mermaid
sequenceDiagram
    Computer->>+Nameserver: Where's wikipedia.org
    Nameserver-->>-Computer: 185.15.59.224
    Computer->>+Wikipedia: GET /
    Wikipedia-->>-Computer: return /
```
As you can see, the request to Wikipedia itself does not go through a nameserver; only the DNS request does. It’s the entire reason Firefox has the option to proxy DNS queries over the proxy: to avoid DNS leaks.
Right now, all that should be happening is DNS requests being proxied, not the rest of your traffic.
To me that indicates the DNS proxy through TOR isn’t actually working with your dnscrypt setup 🤔 However it’s difficult to debug from here. It’s possible the DNS query is slow, but because the actual HTTP request is going through your standard internet with no proxy it’s fast, and when you do turn on the proxy for HTTP/S requests, you observe actually using TOR for everything and thus the latency.
Could you run these commands please?

```sh
# Find which process is running the local DNS server
sudo ss -plant | grep ":53 "
# alternatively
sudo netstat -plant | grep ":53 "

# Check your DNS resolver config
# You can share it or not, but 127.0.0.1 MUST be in it, otherwise your DNS queries aren't being encrypted/proxied
cat /etc/resolv.conf

# Measure how long it takes to query a new domain name
time dig techhub.hpe.com
time dig bash.org
time dig element.io
```
If you feel comfortable with it, you can share the logs of dnscrypt (I don’t know what kind of information is in there, so you might have to clean it):

```sh
journalctl -u dnscrypt-proxy2
```

or just `systemctl status dnscrypt-proxy2`. Either here or PMed. Here are encrypted pastebin alternatives.
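As an added illustration of the three checks in the reply above (not code from either poster), the script below runs the same reasoning offline over constructed sample output: resolv.conf must name the local listener, port 53 must be bound by dnscrypt-proxy rather than another resolver, and the dnscrypt-proxy settings must combine a `socks5://` proxy with `force_tcp`, since Tor's SOCKS port carries TCP only. The sample resolv.conf, `ss -plant` lines and settings dictionary are constructed examples mirroring the config in the original post.

```python
import re

# Constructed sample inputs standing in for the real command output
# (example data, not taken from the thread).
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
nameserver 127.0.0.1
nameserver ::1
options edns0
"""

SAMPLE_SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096       127.0.0.1:53         0.0.0.0:*     users:(("dnscrypt-proxy",pid=812,fd=8))
LISTEN 0      4096           [::1]:53            [::]:*     users:(("dnscrypt-proxy",pid=812,fd=9))
LISTEN 0      4096       127.0.0.1:9050       0.0.0.0:*     users:(("tor",pid=640,fd=6))
"""

# The dnscrypt-proxy settings that matter for routing over Tor
# (same values as the NixOS config in the original post).
SAMPLE_SETTINGS = {"proxy": "socks5://127.0.0.1:9050", "force_tcp": True,
                   "listen_addresses": ["127.0.0.1:53", "[::1]:53"]}


def resolvers_from_resolv_conf(text):
    """Return the nameserver addresses listed in a resolv.conf."""
    return [m.group(1) for m in re.finditer(r"^\s*nameserver\s+(\S+)", text, re.M)]


def listeners_on_port_53(ss_text):
    """Map each local address in LISTEN state on :53 to the process bound to it."""
    found = {}
    for line in ss_text.splitlines():
        m = re.search(r'(\S+):53\s+\S+\s+users:\(\("([^"]+)"', line)
        if m and line.startswith("LISTEN"):
            found[m.group(1)] = m.group(2)
    return found


def check_tor_dns_setup(resolv_conf, ss_text, settings):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not any(r in ("127.0.0.1", "::1") for r in resolvers_from_resolv_conf(resolv_conf)):
        findings.append("resolv.conf does not point at the local dnscrypt-proxy listener")
    if not any(p.startswith("dnscrypt-proxy") for p in listeners_on_port_53(ss_text).values()):
        findings.append("port 53 is not served by dnscrypt-proxy (another resolver may be bound)")
    proxy = settings.get("proxy", "")
    if not proxy.startswith("socks5://"):
        findings.append("no SOCKS5 proxy configured, so queries go out directly")
    elif not settings.get("force_tcp"):
        findings.append("force_tcp is false; Tor's SOCKS port carries TCP only")
    return findings
```

Feed it the real `cat /etc/resolv.conf` and `sudo ss -plant` output and the settings block from your config to get the same three answers the reply asks for.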
The simplified sequence diagram really helps to picture it. I’ll PM you with the logs.