Nam Nguyen writes:

> The main addition in 2.0.29 is anonymized DNS. "Routes are indirect ways
> to reach DNSCrypt servers. A route maps a server name ("server_name") to
> one or more relays that will be used to connect to that server."
>
> /var/dnscrypt-proxy/relays.md is now added to the port and is
> populated after an initial run of dnscrypt-proxy.
>
> In /etc/dnscrypt-proxy.toml, I have the following:
>
> server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
>
> routes = [
>     { server_name='google', via=['anon-kama', 'anon-scaleway'] },
>     { server_name='cloudflare', via=['anon-kama', 'anon-scaleway'] },
> ]
>
> However, I am not sure how to actually confirm that the anonymous DNS
> relays are used. If I enable query logging:
>
> [query_log]
> file = '/var/dnscrypt-proxy/query.log'
>
> $ touch /var/dnscrypt-proxy/query.log
> $ chown _dnscrypt-proxy /var/dnscrypt-proxy/query.log
>
> I see logged queries of the form:
>
> [2019-10-30 17:57:02] 127.0.0.1 openbsd.org A PASS 59ms cloudflare
>
> with no mention of the anonymous DNS relay used. It seems that logging
> the relay used is not yet implemented. Overall, I tested 2.0.30 on amd64
> and it works, unbreaking 2.0.29.
Correction: logging with the relay used is actually implemented. After
someone told me I could use tcpdump, I was able to investigate this
further.

/var/dnscrypt-proxy/query.log:

[2019-10-30 18:57:03] 127.0.0.1 104.238.153.46.vultr.com A PASS 225ms scaleway-fr
[2019-10-30 18:57:03] 127.0.0.1 104.238.153.46.vultr.com.my.domain A NXDOMAIN 180ms scaleway-fr

/etc/dnscrypt-proxy.toml:

server_names = ['scaleway-fr']

routes = [
    { server_name='scaleway-fr', via=['anon-inconnu'] },
]

scaleway-fr is in France. anon-inconnu, the relay, is in Seattle, WA.

With routes turned off, I was using scaleway-fr.

# tcpdump -i re0
18:43:36.615199 192.168.1.5.18818 > scaleway-fr.dnscrypt.info.443: udp 512

With routes turned on, I was instead using anon-inconnu.

# tcpdump -i re0
18:59:00.926864 192.168.1.5.10477 > 104.238.153.46.vultr.com.443: udp 540
18:59:01.096732 104.238.153.46.vultr.com.443 > 192.168.1.5.10477: udp 304 [tos 0x20]

Finally, there is no DNS over HTTPS (DoH) relay yet
(https://github.com/DNSCrypt/dnscrypt-proxy/issues/993). This explains
the behavior in my original e-mail. Google and Cloudflare are DoH
servers, and tcpdump revealed that queries were sent directly to them.

# Use servers implementing the DNSCrypt protocol
dnscrypt_servers = true

# Use servers implementing the DNS-over-HTTPS protocol
doh_servers = false

Anonymized DNS does not work with DoH servers and works with DNSCrypt
servers.
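The thread's point is that query.log names the upstream server a query was answered by but not the relay, so the only way to see whether a route was honoured was tcpdump. A cheap first check that needs no packet capture is to cross-reference the server column of query.log against the routes block of dnscrypt-proxy.toml: any query answered by a server that has no route entry was necessarily sent directly, which is exactly how the google/cloudflare DoH case would have shown up. The script below is an added example, not part of the thread or of dnscrypt-proxy itself; the config and log samples in it are constructed in the shapes quoted above, and its TOML handling is a deliberately small regex parser for just those keys (real deployments would use tomllib on Python 3.11+).

```python
import re
from collections import Counter

# Constructed sample of /etc/dnscrypt-proxy.toml in the shape quoted in the
# thread (doh_servers left enabled so the DoH case shows up in the audit).
SAMPLE_CONFIG = """
server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']

routes = [
    { server_name='google', via=['anon-kama', 'anon-scaleway'] },
    { server_name='cloudflare', via=['anon-kama', 'anon-scaleway'] },
]

dnscrypt_servers = true
doh_servers = true
"""

# Constructed query.log lines in the format the thread shows.
SAMPLE_LOG = """
[2019-10-30 17:57:02] 127.0.0.1 openbsd.org A PASS 59ms cloudflare
[2019-10-30 17:57:05] 127.0.0.1 example.net AAAA PASS 71ms yandex
[2019-10-30 17:57:09] 127.0.0.1 example.org A NXDOMAIN 180ms scaleway-fr
[2019-10-30 17:57:11] 127.0.0.1 openbsd.org A PASS 44ms google
"""

_STR_LIST = r"\[(?P<items>[^\]]*)\]"          # a TOML array of strings
_ROUTE = re.compile(r"\{\s*server_name\s*=\s*['\"]([^'\"]+)['\"]\s*,\s*via\s*=\s*"
                    + _STR_LIST + r"\s*\}")
LOG_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)"
    r"\s+(?P<rcode>\S+)\s+(?P<latency_ms>\d+)ms\s+(?P<server>\S+)\s*$")


def _strings(array_body):
    """Quoted strings inside a TOML array body such as 'a', 'b'."""
    return re.findall(r"['\"]([^'\"]+)['\"]", array_body)


def parse_config(text):
    """Parse only the keys this audit needs: server_names, routes (inline
    tables) and the two protocol switches. Not a general TOML parser."""
    cfg = {"server_names": [], "routes": {}, "dnscrypt_servers": None, "doh_servers": None}
    m = re.search(r"^\s*server_names\s*=\s*" + _STR_LIST, text, re.M)
    if m:
        cfg["server_names"] = _strings(m.group("items"))
    m = re.search(r"^\s*routes\s*=\s*\[(?P<body>.*?)^\s*\]", text, re.M | re.S)
    if m:
        for r in _ROUTE.finditer(m.group("body")):
            cfg["routes"][r.group(1)] = _strings(r.group("items"))
    for key in ("dnscrypt_servers", "doh_servers"):
        m = re.search(r"^\s*" + key + r"\s*=\s*(true|false)\b", text, re.M)
        if m:
            cfg[key] = m.group(1) == "true"
    return cfg


def parse_log_line(line):
    """One query.log record -> dict, or None for a line in another format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["latency_ms"] = int(rec["latency_ms"])
    return rec


def audit(config_text, log_text):
    """Count queries per upstream server, split by whether a route (relay
    list) is configured for that server. 'direct' servers saw the client's
    own address; 'routed' ones have a relay configured, though the log
    alone does not prove the relay was used (confirm with tcpdump)."""
    cfg = parse_config(config_text)
    routed, direct, unparsed = Counter(), Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_log_line(line)
        if rec is None:
            unparsed += 1
            continue
        bucket = routed if rec["server"] in cfg["routes"] else direct
        bucket[rec["server"]] += 1
    return {"routed": dict(routed), "direct": dict(direct), "unparsed": unparsed,
            "routes": cfg["routes"], "doh_servers": cfg["doh_servers"]}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG, SAMPLE_LOG)
    for server, n in sorted(result["direct"].items()):
        print(f"DIRECT  {server:<12} {n} queries, no route configured")
    for server, n in sorted(result["routed"].items()):
        print(f"ROUTED  {server:<12} {n} queries via {result['routes'][server]}")
    if result["doh_servers"]:
        print("note: doh_servers = true; anonymized DNS does not apply to DoH "
              "servers, so their queries go direct even with a route (issue 993)")
```

Run it against the real files with audit(open('/etc/dnscrypt-proxy.toml').read(), open('/var/dnscrypt-proxy/query.log').read()). A server showing up under DIRECT while it has a route in the config is the signal to go to tcpdump, as the thread did; the ROUTED bucket only says a relay is configured, not that the packets went through it.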