Can multiple DNS servers cause any leak? dnscrypt-proxy giving 22

Hi, so by testing out dnscrypt-proxy2, the lb_strategy setting can be used to use only the first 2 DNS servers of the detected and tested servers. But if you set it to 'ph' you get a selection among the list, and when you do a DNS leak test I also got 13 DNS servers total, while some test sites give 22. So regarding security, is it better to have a spread of servers instead of just 1 or 2?

Like if you set it to use unbound with only 2 fixed TLS servers... it could be the same as just fitting a custom list into dnscrypt-proxy2. The latter is far superior, but given the number of DNS servers... 1-3-6... does it make any difference? Or can having many DNS servers present somehow be less secure and prone to a way to get our main IP...?

And no, the ISP is not present in the list; the DNS leak definition is not there.
Thanks.

Can you clarify your sentences?

It seems as if you have a DNS leak...but you failed to explain why you think that.

  • What 13 - 22?
  • Are they servers run by whoever you entered the IP of?

Is another DNS configured somewhere else?


It's with the ph option. By default it's p2 and gives only 2 DNS servers. ph gives 22 DNS results in dnsleaktest. If I set the option to single, I got just 1 DNS server result.
So having 22 servers... what is the impact?

???

:confused:

I'm confused...

If you're referring to the p2 option in dnscrypt, it picks random servers.

## Load-balancing strategy: 'p2' (default), 'ph', 'p<n>', 'first' or 'random'
## Randomly choose 1 of the fastest 2, half, n, 1 or all live servers by latency.
## The response quality still depends on the server itself.

# lb_strategy = 'p2'

## Set to `true` to constantly try to estimate the latency of all the resolvers
## and adjust the load-balancing parameters accordingly, or to `false` to disable.
## Default is `true` that makes 'p2' `lb_strategy` work well.

~ from: https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml

Correct, it seems you're describing the setting's normal behavior.

You tell us, it seems you configured it that way. In other DNS resolver software, the first reply (i.e. the fastest response) is used anyway - I assume it's the same with dnscrypt (per the documentation above). So I ask again:

And what DNS server(s) did you configure? :thinking:

(If I'm misunderstanding, apologies - please clarify using full sentences.)


Collect the diagnostics:

head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*; \
uci show dhcp; \
grep -v -e "^\s*#" -e "^\s*$" /etc/dnscrypt-proxy2/dnscrypt-proxy.toml

Also run a DNS leak test and report which resolvers you want to exclude and why.


So here is the setting, but quite normal and no server added. I got 21 servers reported at dnsleak.com and 6 at perfectprivacy, as their settings are different.
In syslog, dnscrypt detects 68 live servers.

uci show dhcp

dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='0'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].server='127.0.0.53#53'
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].localuse='1'
dhcp.@dnsmasq[0].cachesize='0'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'

----=-=-=-=-

root# head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface lan
nameserver 89.233.43.71
# Interface wan
nameserver 89.233.43.71
head: /tmp/resolv.*/*: No such file or directory

-=-=-=-=-=-=- While resolv.conf.auto shows something, it's also set to be ignored by the dnscrypt setup: Network / DHCP / Resolv and Hosts - Ignore resolve file: checked.

root:~# grep -v -e "^\s*#" -e "^\s*$" /etc/dnscrypt-proxy2/dnscrypt-proxy.toml

listen_addresses = ['127.0.0.53:53']
max_clients = 250
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
doh_servers = true
require_dnssec = true
require_nolog = true
require_nofilter = true
disabled_server_names = ['cloudflare']
force_tcp = false
timeout = 5000
keepalive = 30
cert_refresh_delay = 240
fallback_resolvers = ['89.233.43.71:53', '185.213.26.187:53']
ignore_system_dns = true
netprobe_timeout = 60
netprobe_address = '9.9.9.9:53'
log_files_max_size = 10
log_files_max_age = 2
log_files_max_backups = 1
block_ipv6 = false
block_unqualified = true
block_undelegated = true
reject_ttl = 600
cache = true
cache_size = 4096
cache_min_ttl = 2400
cache_max_ttl = 86400
cache_neg_min_ttl = 60
cache_neg_max_ttl = 600
[local_doh]
[query_log]
  format = 'tsv'
[nx_log]
  format = 'tsv'
[blacklist]
blacklist_file = 'dnscrypt-proxy.blacklist.txt'
[ip_blacklist]
[whitelist]
[schedules]
[sources]
  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucxxxxxxxxxx'
  prefix = ''
  [sources.'relays']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md']
  cache_file = 'relays.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucxxxxxxxxxx'
  refresh_delay = 72
  prefix = ''
[broken_implementations]
fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'quad9-dnscrypt-ip4-filter-alt', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-nofilter-alt', 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-filter-alt', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-dnscrypt-ip6-nofilter-alt', 'quad9-dnscrypt-ip6-nofilter-pri', 'cleanbrowsing-adult', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-security']
[doh_client_x509_auth]
[anonymized_dns]
skip_incompatible = true
[dns64]
[static]
root@OWrtHop:~#

Thanks again.


With noresolv=1 the contents of the resolver files don't matter.

Looks like you have not explicitly configured server_names.
This means you are using different resolvers more or less randomly.

The total number of resolvers may vary depending on your settings.

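A small model of the behaviour described in the quoted lb_strategy comment and in the last reply (no server_names set, so resolvers are chosen more or less randomly), added here as an example; it is not code from this thread or from the dnscrypt-proxy project. It assumes the pool sizes named in the example-config comment ('p2' = fastest 2, 'ph' = fastest half, 'p<n>' = fastest n, 'first' = 1, 'random' = all live servers) and that "half" rounds down for an odd number of live servers; the config extract is constructed from the posted file with a placeholder source URL, and the 68 live servers come from the syslog count posted above.

```python
"""Model of how dnscrypt-proxy's lb_strategy and server_names settings bound the
resolvers a DNS leak test can observe. Added example, not project code; the
rounding of 'half' for odd live-server counts is an assumption of this model."""
import random
import re


def strip_comment(line):
    """Drop a trailing '#' comment, leaving '#' inside quoted strings alone."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == '#':
            return line[:i]
    return line


def parse_top_level(toml_text):
    """Read the top-level `key = value` lines of a dnscrypt-proxy.toml (quoted
    strings, arrays of quoted strings, booleans, integers) and stop at the first
    [table] header. A minimal reader for this file, not a full TOML parser."""
    settings = {}
    for raw in toml_text.splitlines():
        line = strip_comment(raw).strip()
        if not line:
            continue
        if line.startswith('['):
            break
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if value in ('true', 'false'):
            settings[key] = value == 'true'
        elif value.startswith('['):
            settings[key] = re.findall(r"'([^']*)'", value)
        elif value.startswith("'"):
            settings[key] = value.strip("'")
        else:
            settings[key] = int(value)
    return settings


def candidate_pool_size(lb_strategy, live_servers):
    """How many of the live resolvers (sorted by latency) a query can land on."""
    if live_servers <= 0:
        return 0
    if lb_strategy == 'first':
        return 1
    if lb_strategy == 'random':
        return live_servers
    if lb_strategy == 'ph':
        return max(1, live_servers // 2)  # assumption: half rounds down
    match = re.fullmatch(r'p(\d+)', lb_strategy)
    if match:
        return max(1, min(live_servers, int(match.group(1))))
    raise ValueError(f'unknown lb_strategy: {lb_strategy!r}')


def audit_resolver_selection(toml_text, live_servers):
    """Given the config text and the live-server count from syslog, report the
    strategy in force, whether server_names pins the set, and the pool size."""
    cfg = parse_top_level(toml_text)
    strategy = cfg.get('lb_strategy', 'p2')  # documented default
    pinned = cfg.get('server_names', [])
    eligible = len(pinned) if pinned else live_servers
    findings = []
    if not pinned:
        findings.append('server_names not set: every live resolver passing the '
                        'require_* filters is eligible, picked per query')
    return {'lb_strategy': strategy, 'server_names_set': bool(pinned),
            'eligible': eligible,
            'pool_size': candidate_pool_size(strategy, eligible),
            'findings': findings}


def simulate_leak_test(lb_strategy, live_servers, queries, seed=0):
    """Distinct resolvers a leak test sees after `queries` lookups. Each lookup
    picks uniformly from the pool, so the count is a sample bounded by the pool;
    test sites sending different numbers of lookups report different totals."""
    pool = candidate_pool_size(lb_strategy, live_servers)
    rng = random.Random(seed)
    return len({rng.randrange(pool) for _ in range(queries)}) if pool else 0


# Constructed sample: the top of the config posted in the thread, comments
# stripped, with neither lb_strategy nor server_names set so defaults apply.
SAMPLE_TOML = """\
listen_addresses = ['127.0.0.53:53']
max_clients = 250
ipv6_servers = false
require_nolog = true
disabled_server_names = ['cloudflare']
fallback_resolvers = ['89.233.43.71:53', '185.213.26.187:53']
[sources]
  [sources.'public-resolvers']
  urls = ['https://example.invalid/public-resolvers.md']
"""
```

With the posted config and 68 live servers, `audit_resolver_selection(SAMPLE_TOML, 68)` reports the default 'p2' with a pool of 2, while 'ph' gives a pool of 34; a leak test that sends 40 lookups can then show anything up to 34 distinct resolvers, which is why different test sites report 13, 21 or 22. Setting `server_names` to a short list is what shrinks the eligible set to resolvers you have chosen.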