issue if i set dns 127.0.0.1

[Pina1924]

setting in my network ipv4 options manually as per yr guide dns:
127.0.0.1
9.9.9.9
if i run this control:
https://dnscheck.tools/

i got this..:

this is my proxy log

dnscrypt-proxy.log.txt

thxs in advance
cheers

[jedisct1]

dnscrypt-proxy looks like it is working correctly: it is listening on 127.0.0.1:53 and it can reach upstream resolvers without errors.

The likely problem is your network DNS setup:

• 127.0.0.1
• 9.9.9.9

If 9.9.9.9 is set as a secondary DNS server, your system can sometimes use it directly as a fallback, which bypasses dnscrypt-proxy.

To test properly, set:

• IPv4 DNS: only 127.0.0.1
• IPv6 DNS: only ::1 if IPv6 is enabled
• no public DNS like 9.9.9.9 in the adapter settings

Also check that your browser’s Secure DNS / DoH is disabled, or it may bypass the system DNS too.

So this does not look like a dnscrypt-proxy bug — it looks more like DNS fallback/bypass from the OS or browser.

[Pina1924]

first thxs so much
but i read on the installation guide of dnscrypt to set also the secondary dns...

[jedisct1]

Thanks, you’re right: the guide does mention a secondary DNS as an optional fallback.

The downside is that if a public resolver like 9.9.9.9 is configured there, some queries may bypass dnscrypt-proxy and go there directly.

So:

• use only 127.0.0.1 if you want all DNS traffic to go through dnscrypt-proxy
• use a secondary DNS only if you want fallback behavior, knowing that those fallback queries won’t be protected by the proxy

[concetta41]

@jedisct1 : done...but not solve....:

thxs again
cheers

[Pina1924]

thanks @concetta41 for yr testimony, glad to know i'm not the only one,hoping that this could be solved! Cheers! 👍

[lifenjoiner]

I think a lot of people are freaked out of the term "DNS leak", without correctly understand it. It only occurs with the context that users are using a VPN or encrypted proxy.
Ref: https://en.wikipedia.org/wiki/DNS_leak

The domain host will always know which DNS server resolves the specific subdomain you are connecting to, because it has only provided that information to that server.

Related discussions: https://github.com/DNSCrypt/dnscrypt-proxy/discussions?discussions_q=%22DNS+leak%22

[Pina1924]

@lifenjoiner thanks for yr reply so you say that these results on https://dnscheck.tools/ are not valid?
apologize my hard understanding but i do not have understood if you say that only using a vpn it is possible to pass that test?
so this is way we are not authenticated with dnssec?
apologize for my simply and silly question but i'd like to understand
thanks again for yr attention
cheers

[lifenjoiner]

I mean, if you're not using a VPN, it's no big deal if they detect your DNS servers, it should not be called a leak. The "leak" for Non-VPN scenario is that ISP and/or others in the DNS chain peek your plain DNS queries.
Fundamental factors: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Checking#dns-leak-traps

For DNSSEC:

1. turn on the following
   

   dnscrypt-proxy/dnscrypt-proxy/example-dnscrypt-proxy.toml

   Lines 80 to 81 in 64edfa3

   	# Server must support DNS security extensions (DNSSEC)
   	require_dnssec = false

2. maybe you also need to pick servers carefully, making sure the servers work as they claim
   

   dnscrypt-proxy/dnscrypt-proxy/example-dnscrypt-proxy.toml

   Line 30 in 64edfa3

   # server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']

[Pina1924]

Hi, first thxs so much for yr kind attention:
i've set that line to -true- and i take a look to what servers claim and how they work...but...i still fail the dnssec test...:

why?
thxs again indeed in advance
cheers

[lifenjoiner]

The settings make sure the selected servers support DNSSEC, but dnscrypt-proxy doesn't adopt it automatically. It just forwards its client's requests.
Don't forget to turn on DNSSEC for your OS (Windows).

[Pina1924]

hi and thxs...so it is not enough to have set the 79 parametre from -false- to -true-..??
how to turn on DNSSEC in windows 10 home 64?
thxs again for yr kind attention and helping
cheers

[lifenjoiner]

Unfortunately:
It seems that all Windows do not support DNSSEC and cannot validate DNSSEC themselves.
They use a "security-aware" stub resolver that is able to differentiate between secure and non-secure responses by a recursive name server.
So, Windows can only work together with a trusted DNS server that is using DNSSEC to get DNSSEC capability.
Even Windows Server 2012, it can support DNSSEC only acting as a server, but not a client.
Ref: https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#Tools

Based on my testing, plan9 servers do not use DNSSEC by default, but only when you request. After excluding them, the DNSSEC tests passed. There may be others, which are not valid on my end.

disabled_server_names = ['plan9dns-fl', 'plan9dns-fl-ipv6', 'plan9dns-mx', 'plan9dns-mx-ipv6', 'plan9dns-nj', 'plan9dns-nj.ipv6', 'plan9dns-fl-doh', 'plan9dns-fl-doh-ipv6', 'plan9dns-mx-doh', 'plan9dns-mx-doh-ipv6', 'plan9dns-nj-doh', 'plan9dns-nj-doh-ipv6']

[Pina1924]

Based on my testing, plan9 servers do not use DNSSEC by default, but only when you request. After excluding them, the DNSSEC tests passed. There may be others, which are not valid on my end.

disabled_server_names = ['plan9dns-fl', 'plan9dns-fl-ipv6', 'plan9dns-mx', 'plan9dns-mx-ipv6', 'plan9dns-nj', 'plan9dns-nj.ipv6', 'plan9dns-fl-doh', 'plan9dns-fl-doh-ipv6', 'plan9dns-mx-doh', 'plan9dns-mx-doh-ipv6', 'plan9dns-nj-doh', 'plan9dns-nj-doh-ipv6']

hi and thxs so much again!
where should i have to put yr code:
disabled_server_names = ['plan9dns-fl', 'plan9dns-fl-ipv6', 'plan9dns-mx', 'plan9dns-mx-ipv6', 'plan9dns-nj', 'plan9dns-nj.ipv6', 'plan9dns-fl-doh', 'plan9dns-fl-doh-ipv6', 'plan9dns-mx-doh', 'plan9dns-mx-doh-ipv6', 'plan9dns-nj-doh', 'plan9dns-nj-doh-ipv6']

in which part of the .toml file?

thxs so much again indeed for yr kind attn.
cheers

[lifenjoiner]

I've organized them into a wiki page: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Windows-DNSSEC

[Pina1924]

I've organized them into a wiki page: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Windows-DNSSEC

Hi @lifenjoiner first thxs so much for having created the wiki page
i've followed it from beginning to:
server_names = ['quad9-doh-ip4-port443-filter-pri', 'cloudflare', 'cloudflare-security', 'meganerd-doh-ipv4', 'uncensoreddns-ipv4']

disabled_server_names = ['plan9dns-fl', 'plan9dns-fl-ipv6', 'plan9dns-mx', 'plan9dns-mx-ipv6', 'plan9dns-nj', 'plan9dns-nj.ipv6', 'plan9dns-fl-doh', 'plan9dns-fl-doh-ipv6', 'plan9dns-mx-doh', 'plan9dns-mx-doh-ipv6', 'plan9dns-nj-doh', 'plan9dns-nj-doh-ipv6']

and i've the query log turned on:

Log client queries to a file

[query_log]

Path to the query log file (absolute, or relative to the same directory as the config file)

Can be set to /dev/stdout in order to log to the standard output.

file = 'query.log'

Query log format (currently supported: tsv and ltsv)

format = 'tsv'

Do not log these query types, to reduce verbosity. Keep empty to log everything.

ignored_qtypes = ['DNSKEY', 'NS']

but here i stopped...i've no idea of which way i could go on...
you say:
"then check the logs, to make sure:

Queries for the first row passes. There must be 1 query passes for each column.
And other rows all fails. Disable those servers passed but should fail."

i'v e checked the query log but i'm not able to identify what you indicate
could you pls help me
thxs so much in adv
cheers

[Pina1924]

i create a discussion:
#3168 (comment)
@lifenjoiner pls show a .toml file for example to be able to pass dnssec check
thxs so much
cheers

[lifenjoiner]

server_names = ['quad9-doh-ip4-port443-filter-pri', 'cloudflare', 'cloudflare-security', 'meganerd-doh-ipv4', 'uncensoreddns-ipv4']

Only uncensoreddns-ipv4 is available on my end. And it works.

Check your query.log file to ensure it meets the test requirements. For example:

[]   ::1     12345678.test-alg13.dnscheck.tools      A       PASS    263ms   uncensoreddns-ipv4       -
[]   ::1     badsig-12345678.test-alg13.dnscheck.tools       A       SERVFAIL        262ms   uncensoreddns-ipv4      -

PASS means the query passed, while other statuses mean the query failed.

[BrigsLabs]

@Pina1924 , i'm agree with last comment @lifenjoiner above. the problem is your windows. you need more advance tool to proxying secure dns queries. I'm using SDC tool in bridge for my windows client and you can find tool here :

https://github.com/msasanmh/DNSveil

[Pina1924]

hi @BrigsLabs :
unable to navigate if in te section Share+bypassDPI i start proxy and set proxy to system...
pratically the only way i can navigate is to go to youtube site
the problem is that very very few sites are compatible in my personal experience...
so everytime i enter a site and i'm not able to navigate it
how do you do...?
is there a trick?
which?
thxs so much in adv
cheers

[lifenjoiner]

DNSSEC just ensures the response is not modified. But the record can still be plaintext. It is designed for plaintext DNS, I think.

dnscrypt-proxy encrypts the whole request and response records.

[Pina1924]

hi @lifenjoiner : first thxs so much again
i found the point to add yr code:
'plan9dns-fl', 'plan9dns-fl-ipv6', 'plan9dns-mx', 'plan9dns-mx-ipv6', 'plan9dns-nj', 'plan9dns-nj.ipv6', 'plan9dns-fl-doh', 'plan9dns-fl-doh-ipv6', 'plan9dns-mx-doh', 'plan9dns-mx-doh-ipv6', 'plan9dns-nj-doh', 'plan9dns-nj-doh-ipv6'
is where there is:
`Server names to avoid even if they match all criteria
disabled_server_names = []
i changed that field as per yr instructions
but the test still fails...
we am i wrong?
where is my fault?
apologize my few skills
thxs so much again
cheers