DNSCrypt-proxy acting weird with OPNSense

[Giant850]

I've been running DNSCrypt-proxy on a RPi for 2+ years without issue, and is working great. However, I'm trying to migrate that functionality into OPNSense. My configured upstream resolver is NextDNS.io, and I have a SDNS stamp from them. I also disabled unbound on OPNSense, and have dnscrypt-proxy listing on port 53.

I setup OPNSense dnscrypt-proxy with my NextDNS stamp, and put that server in the server list. However, what is NOT working well are NextDNS blocks, which should return 0.0.0.0. If I login to my OPNSense instance and run:

dnscrypt-proxy -resolve app-measurement.com

I get a valid IP:

Code: [Select]

Resolving [app-measurement.com] using 10.13.2.1 port 53

Resolver      : 45.32.79.76 (dns.nextdns.io.)
Lying         : no
DNSSEC        : yes, the resolver supports DNSSEC

Canonical name: app-measurement.com.

IPv4 addresses: 172.217.14.110
IPv6 addresses: 2607:f8b0:4007:80e::200e

Name servers  : ns4.google.com., ns2.google.com., ns1.google.com., ns3.google.com.
DNSSEC signed : no
Mail servers  : no mail servers found

HTTPS alias   : -
HTTPS info    : -

Host info     : -
TXT records   : v=spf1 -all
As you can see, it appears to first hit the dns.nextdns.io server, but somehow it appears to also be using Google name servers and thus gets back a valid ip. However, when I run the EXACT same dnscrypt-proxy resolve command on my RPi, I see:

Code: [Select]

pi@raspberrypi1:/opt/dnscrypt-proxy $ ./dnscrypt-proxy -resolve app-measurement.com
Resolving [app-measurement.com]

Domain exists:  probably not, or blocked by the proxy
Canonical name: app-measurement.com.
IP addresses:   0.0.0.0, ::
TXT records:    -
Resolver IP:    45.32.79.76 (dns.nextdns.io.)
Which obvious IS working, since I got back 0.0.0.0.

I'm baffled why the OPNSense dnscrypt-proxy instance is resolving the hostname and apparently hitting google servers as well. Any ideas?

[mimugmail]

dig you try with dig and your local instance and check the dnscrypt logs?

[Giant850]

I used Drill on OPNSense and got this:

Code: [Select]

root@OPNsense:/usr/local/etc/dnscrypt-proxy # drill c.bing.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 40401
;; flags: qr rd ra ; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; c.bing.com. IN A

;; ANSWER SECTION:
c.bing.com. 21598 IN CNAME c-bing-com.a-0001.a-msedge.net.
c-bing-com.a-0001.a-msedge.net. 58 IN CNAME dual-a-0001.a-msedge.net.
dual-a-0001.a-msedge.net. 58 IN A 13.107.21.200
dual-a-0001.a-msedge.net. 58 IN A 204.79.197.200

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 9 msec
;; SERVER: 1.1.1.1
;; WHEN: Tue Apr 13 08:42:17 2021
;; MSG SIZE  rcvd: 130
What is interesting is that the server response is from 1.1.1.1. DNSCrypt-Proxy isn't configured to use 1.1.1.1, however I DO have 1.1.1.1 configured in OPNSense under System/Setting/General. I did this, because if I left all those DNS server entries empty then wireguard would not properly start on reboot as it was trying to resolve my external WG hostname and fail. DNSCrypt-proxy starts AFTER Wireguard tries to initialize, when you reboot.

Any ideas on how I can best configure DNS/WireGuard/DNSCrypt-proxy so that all name resolution goes through DNSCrypt-proxy?

[Giant850]

I ran Dig from my laptop, which is pointed to OPNSense for DNS. It is querying 10.13.2.1 (where DNSCrypt-proxy is listening), but I still get back real IPs vs. 0.0.0.0 that NextDNS and my RPis correctly return.

Code: [Select]

dig c.bing.com       

; <<>> DiG 9.10.6 <<>> c.bing.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16634
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;c.bing.com. IN A

;; ANSWER SECTION:
c.bing.com. 394 IN CNAME c-bing-com.a-0001.a-msedge.net.
c-bing-com.a-0001.a-msedge.net. 394 IN CNAME dual-a-0001.a-msedge.net.
dual-a-0001.a-msedge.net. 394 IN A 204.79.197.200
dual-a-0001.a-msedge.net. 394 IN A 13.107.21.200

;; Query time: 55 msec
;; SERVER: 10.13.2.1#53(10.13.2.1)
;; WHEN: Tue Apr 13 09:25:57 PDT 2021
;; MSG SIZE  rcvd: 141


[Giant850]

Any ideas here? I'm kind of at a loss on what's going on with DNScrypt.

[mimugmail]

You need to tell the tool to explicitly ask dnscrypt. Also we need logs

[Giant850]

Since I was using DNSCrypt to forward queries to NextDNS, I fixed this problem via a config change. I directly installed NextDNS CLI on OPNsense and have it listening on port 53. Clients then point to OPNsense for DNS, and all queries are directed to NextDNS, bypassing the need for DNSCrypt.