
I have installed DNSCrypt; it's OpenDNS's encrypted DNS patch for Ubuntu & other Linux users, & it's working fine.

How do I know if my DNS is encrypted? I have googled but didn't find anything.

Status

one@onezero:~$ status dnscrypt 
dnscrypt start/running, process 1013
one@onezero:~$ sudo netstat -atnlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.2:53            0.0.0.0:*               LISTEN      1013/dnscrypt-proxy

Updated

Wireshark

@Alvar

[Wireshark screenshots taken with DNSCrypt running]

without DNSCrypt

[Wireshark screenshot taken without DNSCrypt]

One Zero

6 Answers


You could check it with Wireshark by listening on your network card; just follow these steps:

  1. sudo apt-get install wireshark (paste it into a terminal)
  2. Start it from a terminal with sudo wireshark (you need sudo to be able to listen on your network card).
  3. Then start listening and filter out everything but your own IP.

Now just check if the DNS protocols are encrypted.

  1. Use the filter to only show DNS.
  2. Stop the scan.
  3. Click on a list item that says DNS and comes from your IP.
  4. Now click on the transmission protocol to see if it's encrypted.
Alvar
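The Wireshark inspection above, reduced to a script, as an added example that is not part of Alvar's answer or of the dnscrypt project: it labels each UDP payload on the resolver port as plaintext DNS (a well-formed header and question section) or not, and can read a libpcap file captured with tcpdump. The resolver magic is the fixed value from the DNSCrypt protocol specification; the sample capture, the addresses, the client magic and the ciphertext bytes are constructed. If your dnscrypt-proxy is configured to reach the resolver on a port other than 53 (the OpenDNS DNSCrypt endpoint used 443 at the time; check the proxy's own configuration rather than assuming), capture and report on that port instead.

```python
"""Added example, not from the original page: classify the UDP payloads on the
resolver port as plaintext DNS or DNSCrypt, offline, from raw bytes or a pcap."""
import struct

# DNSCrypt v2 resolver-to-client responses begin with this fixed 8-byte magic
# (from the DNSCrypt protocol specification). Client queries begin with an
# 8-byte client magic copied from the resolver certificate, then the 32-byte
# client public key and a 12-byte nonce, so they never parse as a DNS header.
RESOLVER_MAGIC = b"r6fnvWj8"


def build_query(name, qtype=1, txid=0x1234):
    """Plaintext DNS query (one question, class IN, RD set), as a stub resolver sends it."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def _read_qname(payload, off):
    """Read an uncompressed name from the question section; None if malformed."""
    labels = []
    while off < len(payload):
        n = payload[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0 or off + n > len(payload) or len(labels) > 127:
            return None
        labels.append(payload[off:off + n].decode("ascii", "replace"))
        off += n
    return None


def classify(payload):
    """'plaintext-query'/'plaintext-response' = unencrypted DNS (the leak DNSCrypt should
    prevent); 'dnscrypt-response' = resolver magic present; 'opaque' = anything else,
    which is what a DNSCrypt client query looks like (it is indistinguishable from noise)."""
    if payload.startswith(RESOLVER_MAGIC):
        return "dnscrypt-response"
    if len(payload) < 12:
        return "opaque"
    _, flags, qdcount, _, _, _ = struct.unpack("!6H", payload[:12])
    if qdcount != 1 or (flags >> 11) & 0xF != 0:     # one question, opcode QUERY
        return "opaque"
    parsed = _read_qname(payload, 12)
    if parsed is None or parsed[1] + 4 > len(payload):
        return "opaque"
    qtype, qclass = struct.unpack("!HH", payload[parsed[1]:parsed[1] + 4])
    if qclass != 1 or qtype == 0:
        return "opaque"
    return "plaintext-response" if flags & 0x8000 else "plaintext-query"


def ipv4_udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Wrap a payload in Ethernet/IPv4/UDP headers (checksums zero; enough for offline parsing)."""
    udp = struct.pack("!4H", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp


def pcap_file(frames):
    """Little-endian libpcap file (link type 1 = Ethernet) holding the given frames."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<4I", 0, 0, len(f), len(f)) + f for f in frames)


def udp_payloads(pcap, port):
    """Yield (src_ip, dst_ip, payload) for every IPv4/UDP packet with `port` on either end."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled (capture with -i <nic>, not -i any)")
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 17:   # not IPv4, or not UDP
            continue
        udp = frame[14 + (frame[14] & 0xF) * 4:]
        sport, dport = struct.unpack("!HH", udp[:4])
        if port in (sport, dport):
            yield ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])), udp[8:]


def report(pcap, port=53):
    """[(src, dst, label)] for the capture; any 'plaintext-*' towards the resolver is a leak."""
    return [(s, d, classify(p)) for s, d, p in udp_payloads(pcap, port)]


# Constructed sample capture: a plaintext TXT query to OpenDNS, a DNSCrypt client
# query (made-up client magic and ciphertext) and a DNSCrypt reply.
SAMPLE_QUERY = build_query("debug.opendns.com", qtype=16)
SAMPLE_DNSCRYPT_QUERY = b"\x8a\x99\x2c\xd1\x6f\x01\x4a\xe0" + bytes(range(44)) + bytes(range(64))
SAMPLE_DNSCRYPT_REPLY = RESOLVER_MAGIC + bytes(range(12)) + bytes(range(32, 96))
SAMPLE_PCAP = pcap_file([
    ipv4_udp_frame("192.168.1.10", "208.67.222.222", 40000, 53, SAMPLE_QUERY),
    ipv4_udp_frame("192.168.1.10", "208.67.220.220", 40001, 53, SAMPLE_DNSCRYPT_QUERY),
    ipv4_udp_frame("208.67.220.220", "192.168.1.10", 53, 40001, SAMPLE_DNSCRYPT_REPLY),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for src, dst, label in report(data):
        print(f"{src} -> {dst}: {label}")
```

Capture on the real interface with `sudo tcpdump -i eth0 -w dns.pcap udp port 53` (substitute your NIC; `-i any` writes the Linux cooked format, which this reader deliberately rejects) while you browse, then run the script on the file. With DNSCrypt working, the only packets towards the resolver should come out as opaque or dnscrypt-response; a plaintext-query to anything other than 127.0.0.1/127.0.0.2 means some application or the system resolver is bypassing the proxy. In Wireshark the same test is `udp.port == 53 && !dns`, which shows what the DNS dissector could not parse.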

If you are using OpenDNS as the DNSCrypt-supporting DNS server, one way to check that it's working is to use one of these commands:

drill txt debug.opendns.com

dig txt debug.opendns.com

The answer text should contain a line where it says "dnscrypt enabled":

;; ANSWER SECTION:
debug.opendns.com.  0   IN  TXT "server 11"
debug.opendns.com.  0   IN  TXT "flags 22 2 222 2"
debug.opendns.com.  0   IN  TXT "id 6666666"
debug.opendns.com.  0   IN  TXT "source 209.6.69.160:44444"
debug.opendns.com.  0   IN  TXT "dnscrypt enabled (...)"
sanilunlu

I installed dnscrypt 1.1 on Ubuntu 12.10.

I edited /etc/NetworkManager/NetworkManager.conf to comment out

dns=dnsmasq

Then I added /etc/init/dnscrypt.conf and put the following in it:

 description "dnscrypt startup script"

 start on (local-filesystems and started dbus and stopped udevtrigger)
 stop on runlevel [016]

 script
         exec /usr/sbin/dnscrypt-proxy -a 127.0.0.1 -d
 end script

Next I changed my network settings to use 127.0.0.1 for DNS.

Then I rebooted and made sure dnscrypt was running and that dnsmasq was not:

 ps aux | grep dns
 root      6581  0.0  0.0  16116   720 ?        Ss   04:47   0:00 /usr/sbin/dnscrypt-proxy -a 127.0.0.1 -d

Then I opened Wireshark to verify that DNS was encrypted:

It appears it isn't.

Visiting http://www.opendns.com/welcome/ verifies I am using OpenDNS.

Zanna
echosyp

You go to the OpenDNS Welcome page and you should see something like "Welcome to OpenDNS! Your Internet is safer, faster, and smarter because you're using OpenDNS." This means you're using OpenDNS as your DNS provider, and if you haven't configured OpenDNS without dnscrypt, your DNS requests should be encrypted.

Another way would be to snoop the DNS traffic using Wireshark, tcpdump, etc. and see if it's indeed encrypted, but that's more convoluted and requires some in-depth knowledge.

Li Lo

OK, I've got it!

Run dnscrypt-proxy --daemonize (it should already be running)

  1. Go to the Network icon at the top and go down to Network Settings.
  2. Go to your current connection and click Configure...
  3. Go to IPv4 Settings tab.
  4. Under DNS Servers and Search Domains fields enter: 127.0.0.1
  5. Head to http://opendns.com/welcome

If you get redirected to http://opendns.com/welcome/oops then it's not setup properly.

Sorry about that. I didn't want to go to the pain to set it all up, but it was remarkably easy! Well, hope you learned something. I sure did!

Chuck R

dnscrypt-proxy accepts DNS requests, encrypts and signs them using dnscrypt and forwards them to a remote dnscrypt-enabled resolver.

Replies from the resolver are expected also to be encrypted and signed.

The proxy verifies the signature of replies, decrypts them, and transparently forwards them to the local stub resolver.

dnscrypt-proxy listens on 127.0.0.1 / port 53 by default.

One Zero