OPNsense Forum
Archive => 22.1 Legacy Series => Topic started by: tiermutter on January 14, 2022, 07:43:45 pm
-
Hi everyone,
on a freshly installed system DNScryptProxy is not working.
The service is starting fine but is not responding to DNS requests. All service logs in GUI are empty, even if all severities are selected.
Log via CLI looks fine so far:
# vi /var/log/dnscrypt-proxy/dnscrypt-proxy.log
[2022-01-14 19:10:24] [NOTICE] dnscrypt-proxy 2.0.45
[2022-01-14 19:10:24] [NOTICE] Network connectivity detected
[2022-01-14 19:10:24] [NOTICE] Now listening to 127.0.0.1:5353 [UDP]
[2022-01-14 19:10:24] [NOTICE] Now listening to 127.0.0.1:5353 [TCP]
[2022-01-14 19:10:24] [NOTICE] Now listening to [::1]:5353 [UDP]
[2022-01-14 19:10:24] [NOTICE] Now listening to [::1]:5353 [TCP]
[2022-01-14 19:10:24] [NOTICE] Now listening to :53 [UDP]
[2022-01-14 19:10:24] [NOTICE] Now listening to :53 [TCP]
[2022-01-14 19:10:24] [NOTICE] Source [public-resolvers] loaded
[2022-01-14 19:10:24] [NOTICE] Loading the set of whitelisting rules from [whitelist.txt]
[2022-01-14 19:10:24] [NOTICE] Firefox workaround initialized
[2022-01-14 19:10:24] [NOTICE] Loading the set of blocking rules from [blacklist.txt]
[2022-01-14 19:10:24] [NOTICE] Loading the set of cloaking rules from [cloaking-rules.txt]
[2022-01-14 19:10:24] [NOTICE] Loading the set of forwarding rules from [forwarding-rules.txt]
[2022-01-14 19:10:27] [NOTICE] [dnscrypt.be] OK (DNSCrypt) - rtt: 21ms
[2022-01-14 19:10:29] [NOTICE] [dnscrypt.eu-nl] OK (DNSCrypt) - rtt: 17ms
[2022-01-14 19:10:29] [NOTICE] [quad9-doh-ip6-port443-filter-pri] OK (DoH) - rtt: 10ms
[2022-01-14 19:10:29] [NOTICE] [quad9-dnscrypt-ip4-filter-pri] OK (DNSCrypt) - rtt: 8ms
[2022-01-14 19:10:29] [NOTICE] [quad9-dnscrypt-ip4-filter-pri] OK (DNSCrypt) - rtt: 8ms - additional certificate
[2022-01-14 19:10:29] [NOTICE] [quad9-doh-ip4-port443-filter-ecs-pri] OK (DoH) - rtt: 13ms
[2022-01-14 19:10:32] [NOTICE] [quad9-doh-ip6-port5053-filter-pri] OK (DoH) - rtt: 17ms
[2022-01-14 19:10:32] [NOTICE] [dns.digitale-gesellschaft.ch] OK (DoH) - rtt: 19ms
[2022-01-14 19:10:32] [NOTICE] [dns.digitale-gesellschaft.ch-2] OK (DoH) - rtt: 19ms
[2022-01-14 19:10:32] [NOTICE] [dnscrypt.eu-nl-ipv6] TIMEOUT
[2022-01-14 19:10:32] [NOTICE] Sorted latencies:
[2022-01-14 19:10:32] [NOTICE] - 8ms quad9-dnscrypt-ip4-filter-pri
[2022-01-14 19:10:32] [NOTICE] - 10ms quad9-doh-ip6-port443-filter-pri
[2022-01-14 19:10:32] [NOTICE] - 13ms quad9-doh-ip4-port443-filter-ecs-pri
[2022-01-14 19:10:32] [NOTICE] - 17ms dnscrypt.eu-nl
[2022-01-14 19:10:32] [NOTICE] - 17ms quad9-doh-ip6-port5053-filter-pri
[2022-01-14 19:10:32] [NOTICE] - 19ms dns.digitale-gesellschaft.ch
[2022-01-14 19:10:32] [NOTICE] - 19ms dns.digitale-gesellschaft.ch-2
[2022-01-14 19:10:32] [NOTICE] - 21ms dnscrypt.be
[2022-01-14 19:10:32] [NOTICE] Server with the lowest initial latency: quad9-dnscrypt-ip4-filter-pri (rtt: 8ms)
[2022-01-14 19:10:32] [NOTICE] dnscrypt-proxy is ready - live servers: 8
Reinstalled service without success and tried again where I deleted all obviously related service-files via CLI; after reinstalling the service, all previous configs were restored.
=> how to completely remove all related service files?
May this be a config-fault? (Did the same config as on my 21.7 system; same hardware)
I'll be happy to send you any additional information you need...
-
You're probably going to need to provide more details. Did you test from the terminal on opnsense itself?
root@opnsense:~ # dig example.com @127.0.0.1
Any messages in the other dnscrypt-proxy logs? Timeouts? Or it's not even getting the request?
-
dig is not available, used drill instead:
# drill wetter.de @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 59500
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; wetter.de. IN A
;; ANSWER SECTION:
wetter.de. 599 IN A 194.36.43.54
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 10048 msec
;; SERVER: 127.0.0.1
;; WHEN: Sat Jan 15 12:05:33 2022
;; MSG SIZE rcvd: 43
Now I realized that resolving is working, but very slow until the IP is cached.
/var/log/dnscryptproxy/dnscrypt-proxy.log looks pretty fine and shows regular checks for best servers as described above.
/var/log/dnscryptproxy/query.log is largely empty and shows only about one minute (yesterday) where it seems to have worked correctly.
Logs in /var/log/dnscrypt-proxy shows the same.
Sorry I didn't mention it, it looked like it wasn't responsible for the problem:
I'm using AdguardHome (installed on the sense) for DNS filtering which uses the DNScryptProxy as resolver. Disabling Adguard, DNS resolution works fine but still no logs at DNScryptProxy.
Disabling DNScryptProxy, no resolution is possible, so the service seems generally to be working, but without logs.
I'll start digging at Adguard which is not working correctly / very slow, even when using other DNS servers.
-
Good...about logging...there's an option to disable logs on the config tab (template), toward the bottom "enable query logs", maybe you have that unchecked.
In the event you feel adventurous, a couple of us manually upgraded to dnscrypt-proxy 2.1.1. I documented how to do this, but wouldn't recommend unless you're comfortable with the terminal and CLI. You can find the discussion here:
https://forum.opnsense.org/index.php?topic=24297.0
This requires manually setting the options in the toml (config file) since the template is not updated to support 2.1.1. The change log is here: https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/ChangeLog . According to franco, that plugin is on hold pending larger changes...no ETA I'm aware of. I particularly like this utility because the cache (min TTL) can be set to whatever you want and I prefer 24 hours minimizing dns traffic and removing a bit of latency. Cheers.
-
Follow-up: Just migrated to RC1 and yep...logs are not displayed in the UI but are in the directory I noted above.
-
Can you please tell me which directory/ file you mean?
I couldn't find other logs than those stored in /var/log/dnscrypt-proxy and /var/log/dnscryptproxy, but as mentioned they are empty (apart from the fact that a minute was logged yesterday).
Query logging is still enabled.
-
Hmm, you looked in the right place, maybe logging is disabled. The only way to be sure is to look at the toml/config file. If no log file is specified in the config for each of nx, query, etc, that by default would disable them. If there is a location specified, that's where they should be. The default is /var/log/dnscrypt-proxy/query.log.
That file is located at /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml.
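The check described above, as an added example that is not part of the original post: a POSIX shell function that lists each [*_log] table in the config and the file it writes to, or DISABLED when no file is set. The [query_log] and [nx_log] table names follow dnscrypt-proxy's stock config; the function names and the sample config are constructed here.

```shell
#!/bin/sh
# Added example: report which dnscrypt-proxy log sections have a 'file' set.

# Print "<section> <path|DISABLED>" for every [*_log] table in a TOML file.
log_targets() {
    awk -v sq="'" '
        # A [section] header starts a new table.
        /^[ \t]*\[/ {
            section = $0
            sub(/^[ \t]*\[/, "", section)
            sub(/\].*$/, "", section)
            if (section ~ /_log$/) { order[++n] = section; file[section] = "DISABLED" }
            next
        }
        # A commented-out "# file = ..." line leaves the log unset.
        /^[ \t]*#/ { next }
        # file = <path> inside a *_log table enables that log.
        section ~ /_log$/ && /^[ \t]*file[ \t]*=/ {
            value = $0
            sub(/^[^=]*=[ \t]*/, "", value)   # drop "file = "
            sub(/[ \t]*#.*$/, "", value)      # drop trailing comment
            sub(/[ \t]+$/, "", value)         # drop trailing blanks
            first = substr(value, 1, 1)
            if (first == "\"" || first == sq) value = substr(value, 2, length(value) - 2)
            if (value != "") file[section] = value
        }
        END { for (i = 1; i <= n; i++) print order[i], file[order[i]] }
    ' "$1"
}

# Constructed sample config (not taken from the thread): query log enabled,
# NX log commented out.
sample_config() {
    cat <<'EOF'
listen_addresses = ['127.0.0.1:5353']

[query_log]
  file = '/var/log/dnscrypt-proxy/query.log'
  format = 'tsv'

[nx_log]
  # file = '/var/log/dnscrypt-proxy/nx.log'
  format = 'tsv'
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
log_targets "$tmp"
rm -f "$tmp"
```

On the firewall itself, call log_targets /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml and compare the reported paths with the files that are actually growing under /var/log.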
-
Shame about me :-\
Logfiles look pretty good, I dumbass didn't scroll (Page_Down) ::)
I am probably not used to it because I usually don't look at multipaged files... you see... I am not very comfortable with CLI ;)
Thanks for helping in this confusing situation!
-
I just upgraded from 19.7.7 to 22.1 and encountered the same error. When I check the logs in the CLI, it seems dnscrypt-proxy is working perfectly fine, is resolving names and does what it's supposed to do. Also the logs are populated in the related logfiles. The only problem is that nothing, no logs, are showing in the GUI for dnscrypt-proxy.
Btw, I followed this howto to get dnscrypt-proxy working with unbound:
https://forum.opnsense.org/index.php?topic=10670.msg118634#msg118634
Can this be fixed?
-
Same issue here: no logs in GUI after update to 22.1. Any ideas / plans to fix this? :-[
-
With 22.1 there are severity filters in the logs (upper right). Did you select "multiselect" and select all severities?
I no longer use DNScryptProxy (not due to this little issue), so I don't know if this will work now as it does in some other logs where the problem existed too in RC1.
-
Thanks, it works for unbound, but not for DNScryptProxy :-\ The status remains as "No results found".
-
Thanks, it works for unbound, but not for DNScryptProxy :-\ The status remains as "No results found".
Same exact issue here. Logs appear in unbound after altering the severity level, but not in dnscrypt-proxy.
-
Same for me. No Dnscryptproxy in GUI.
Actual logging in files is working fine (tested by tail -f /var/log/dnscrypt-proxy/query.log)
-
Blacklist and Logs in GUI currently not working, I'm on it
-
Blacklist and Logs in GUI currently not working, I'm on it
Great, thank you! :D
FreeRADIUS logs in the GUI appear to be broken as well :-\
-
You have to deselect all severities, then they should work again
-
Confirming for DnsCryptProxy logs.
Enabled "Multiselect" for "Severity", unselected all levels. Logs are visible.
Thanks for a quick workaround.
-
"Disabled Servers List" works only if it has a single item only.
The fix: https://github.com/opnsense/plugins/pull/2788
-
You have to deselect all severities, then they should work again
Thanks :D This workaround also does the trick for FreeRadius.
-
You have to deselect all severities, then they should work again
This works for me too. Should be nice if this isn't necessary on the next release. Can this be fixed?
-
Yep, next version
-
Yep, next version
Thank you! As your profile states, you're actually a "hero" :D
-
What's the latest news with the new DNSCrypt plugin please?
Holding off installing 22.1 until this plugin is fully supported in the GUI, i.e. nothing is wiped every time OPNsense is upgraded, such as anonymization settings, which IMHO is the main feature of DNSCrypt over using others.
-
I wonder what the random posts at the end of a solved thread are supposed to achieve.
Cheers,
Franco
-
Meow, it's supposed to be a genuine question probably not worthy of its own thread and I didn't see owt that said it was 'fixed' so to speak!
Further, I don't want to commit changes every time OPNsense gets an update that breaks things. Simples. If I did that in SQL Server I'd be shot :o :)
So get off ur high horse, don't like comments then don't do it, we all have taken the decision to be in I.T. That's me done here
-
Well this escalated quickly.
The following post, "Re: DNScryptProxy not working? (Logs in GUI not working) " by franco has been reported by pugs on a board you moderate:
The reporter has made the following comment:
Being a dick
Just trying to moderate as a moderator... What I can suggest is when seeing people have had issues with a particular release wait for the next (21.1.1), take a deep breath and look at the release notes if your issues are addressed. If yes update, if not kindly ask for clarification on the release notes or a particular issue.
I get that not everyone can follow GitHub commits, but then again you really don't have to when you wait for the next best thing which is a release. :)
Cheers,
Franco
-
"Disabled Servers List" works only if it has a single item only.
The fix: https://github.com/opnsense/plugins/pull/2788
Many thanks, I was facing the same question, now I can see logs :-)