What are the best DNS Servers for privacy use?

Started by opnsenseuser, November 12, 2018, 01:41:36 PM

November 23, 2018, 12:16:42 PM #30 Last Edit: November 23, 2018, 02:29:28 PM by noname12123
@mimugmail where can I set the DNS servers I want to use? In the forwarders tab of dnscrypt?
see (forwarders screenshot)

Is the setting I made in the NAT forwarding right? I want all LAN1 clients to use this plugin.
see my screenshot

And do I need this if I want to use Unbound for local DNS resolution? Or can I enter my local DNS server in the forwarder tab to use my local DNS server for local resolution on my LAN?

Quote: Fixed Unbound Config

When you think your setup runs stable and you still need your Unbound because of local overrides, you can set BIND as your forwarder in Unbound. Just add this to your custom options field:

do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@53530

Are these settings correct? See the result of the DNS leak test in the screenshot.

regards
rené
Supermicro A2SDi-4C-HLN4F
Team Rebellion Member (sidebar / themes: tukan, cicada & vicuna)

The DNS servers are chosen randomly from this list:
https://dnscrypt.info/public-servers

If you set "don't use servers which are logging", then those from this list won't be used; same for ad blocking and DNSSEC. That's why you will always fail these tests ...

Just do a tcpdump on your WAN and port 53 .. you wont see any traffic ..

With forwards you can set your internal domain and a DNS server, yes.


November 23, 2018, 03:35:44 PM #32 Last Edit: November 23, 2018, 04:08:44 PM by noname12123
Quote from: mimugmail on November 23, 2018, 02:42:17 PM
The DNS servers are chosen randomly from this list:
https://dnscrypt.info/public-servers

If you set dont use server which are logging then the one from this list wont be used, same for ad blocking and dnssec. That's why you will always fail for these tests ...

Just do a tcpdump on your WAN and port 53 .. you wont see any traffic ..

With forwards you can set your internal domain and a DNS server, yes.

Thanks very much for your support! :-)
igb0 = WAN interface

If I use
tcpdump -i igb0 port 53

sorry, there is traffic!


16:07:08.136458 IP ns-614.awsdns-12.net.domain > router.athome.net.30111: 54844*- 6/4/1 A 54.201.6.28, A 54.187.176.55, A 52.35.215.194, A 34.212.119.231, A 52.35.21.241, A 52.88.72.192 (284)
16:07:08.139108 IP router.athome.net.59771 > arin.authdns.ripe.net.domain: 17769% [1au] A? 35.52.in-addr.arpa. (47)
16:07:08.144573 IP ns-620.awsdns-13.net.domain > router.athome.net.62110: 42129*- 1/4/1 PTR ns-614.awsdns-12.net. (228)
16:07:08.190337 IP arin.authdns.ripe.net.domain > router.athome.net.59771: 17769- 0/7/1 (388)
16:07:08.190731 IP router.athome.net.46171 > pdns1.ultradns.net.domain: 27101% [1au] A? 215.35.52.in-addr.arpa. (51)
16:07:08.217986 IP pdns1.ultradns.net.domain > router.athome.net.46171: 27101*- 0/1/1 (122)
16:07:08.218357 IP router.athome.net.43279 > pdns1.ultradns.net.domain: 36089% [1au] A? 194.215.35.52.in-addr.arpa. (55)
16:07:08.244808 IP pdns1.ultradns.net.domain > router.athome.net.43279: 36089*- 0/1/1 (126)
16:07:08.245180 IP router.athome.net.11939 > pdns1.ultradns.net.domain: 28605% [1au] PTR? 194.215.35.52.in-addr.arpa. (55)
16:07:08.272499 IP pdns1.ultradns.net.domain > router.athome.net.11939: 28605*- 1/5/1 PTR ec2-52-35-215-194.us-west-2.compute.amazonaws.com. (231)
16:07:08.875087 IP router.athome.net.57795 > ns-1986.awsdns-56.co.uk.domain: 1369% [1au] A? shavar.prod.mozaws.net. (51)
16:07:08.876142 IP router.athome.net.13163 > ns-101.awsdns-12.com.domain: 19146% [1au] A? 194.199.251.205.in-addr.arpa. (57)
16:07:08.894535 IP ns-1986.awsdns-56.co.uk.domain > router.athome.net.57795: 1369*- 6/4/1 A 34.211.202.13, A 54.187.144.104, A 52.34.90.23, A 52.89.170.53, A 52.33.113.226, A 54.200.76.177 (284)
16:07:08.895002 IP router.athome.net.11432 > ns-614.awsdns-12.net.domain: 8910% [1au] AAAA? shavar.prod.mozaws.net. (51)
16:07:08.909744 IP ns-101.awsdns-12.com.domain > router.athome.net.13163: 19146*- 0/1/1 (138)
16:07:08.910122 IP router.athome.net.6396 > ns-1372.awsdns-43.org.domain: 37693% [1au] PTR? 194.199.251.205.in-addr.arpa. (57)
16:07:08.917137 IP ns-614.awsdns-12.net.domain > router.athome.net.11432: 8910*- 0/1/1 (136)
16:07:08.919158 IP ns-1372.awsdns-43.org.domain > router.athome.net.6396: 37693*- 1/4/1 PTR ns-1986.awsdns-56.co.uk. (229)
16:07:08.919453 IP router.athome.net.58240 > ns-1372.awsdns-43.org.domain: 43454% [1au] PTR? 194.199.251.205.in-addr.arpa. (57)
16:07:08.929974 IP ns-1372.awsdns-43.org.domain > router.athome.net.58240: 43454*- 1/4/1 PTR ns-1986.awsdns-56.co.uk. (229)



2. I'm using Squid as a transparent proxy. Is it correct to use the dnscrypt-proxy field "Proxy"?
I set this to 127.0.0.1:3130
This is the ICP port.
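The tcpdump lines in this post show queries leaving router.athome.net for authoritative name servers (awsdns, ripe, ultradns) on port 53, which is the resolver itself recursing in the clear rather than handing every lookup to the DNSCrypt forwarder. The script below is an added example and not part of the thread or the plugin: it parses lines in that tcpdump format, keeps only queries the resolver host sends to port 53, and reports the names and upstreams involved. The sample capture is constructed from a few of the quoted records; the resolver host name is a parameter.

```python
import re
from collections import Counter

# Constructed sample in the shape of the tcpdump lines quoted in the post
# (a handful of the same records, kept short).
SAMPLE_CAPTURE = """\
16:07:08.139108 IP router.athome.net.59771 > arin.authdns.ripe.net.domain: 17769% [1au] A? 35.52.in-addr.arpa. (47)
16:07:08.190337 IP arin.authdns.ripe.net.domain > router.athome.net.59771: 17769- 0/7/1 (388)
16:07:08.875087 IP router.athome.net.57795 > ns-1986.awsdns-56.co.uk.domain: 1369% [1au] A? shavar.prod.mozaws.net. (51)
16:07:08.895002 IP router.athome.net.11432 > ns-614.awsdns-12.net.domain: 8910% [1au] AAAA? shavar.prod.mozaws.net. (51)
16:07:08.917137 IP ns-614.awsdns-12.net.domain > router.athome.net.11432: 8910*- 0/1/1 (136)
"""

# One tcpdump DNS line: "<time> IP <src>.<sport> > <dst>.<dport>: <dns summary>"
# Lazy matching on src/dst peels the last dotted label off as the port.
PACKET_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>\w+) > (?P<dst>\S+?)\.(?P<dport>\w+): (?P<dns>.*)$"
)
# In the summary a question looks like "A? name." or "PTR? name."; responses have no "?".
QUERY_RE = re.compile(r"\b(?P<qtype>[A-Z]+)\? (?P<qname>\S+)")


def parse_packet(line):
    """Return a dict for one tcpdump line, or None if it is not a DNS packet summary."""
    m = PACKET_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    q = QUERY_RE.search(rec["dns"])
    rec["qtype"] = q.group("qtype") if q else None
    rec["qname"] = q.group("qname").rstrip(".") if q else None
    return rec


def plaintext_queries_from(capture, resolver_host):
    """Queries that the resolver host itself sends to port 53 on the WAN.

    With a working DNSCrypt forward the resolver should send nothing to
    port 53 upstream, so every hit here is a name resolved in the clear.
    Returns a list of (qtype, qname, upstream server) tuples.
    """
    hits = []
    for line in capture.splitlines():
        rec = parse_packet(line)
        if rec is None or rec["qname"] is None:
            continue  # responses and non-DNS lines carry no question
        if rec["src"] == resolver_host and rec["dport"] == "domain":
            hits.append((rec["qtype"], rec["qname"], rec["dst"]))
    return hits


def upstreams_contacted(capture, resolver_host):
    """Count how many plaintext queries went to each upstream server."""
    return Counter(dst for _, _, dst in plaintext_queries_from(capture, resolver_host))


if __name__ == "__main__":
    leaks = plaintext_queries_from(SAMPLE_CAPTURE, "router.athome.net")
    for qtype, qname, dst in leaks:
        print(f"{qtype:5} {qname:40} -> {dst}")
    print(upstreams_contacted(SAMPLE_CAPTURE, "router.athome.net"))
```

Feed it the output of `tcpdump -i igb0 -n -l port 53` (or a saved text dump) and pass the router's own name or address as the resolver host; an empty result is the state the post above expects, and a non-empty one lists exactly which names bypassed the encrypted path.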


Quote from: mimugmail on November 23, 2018, 04:21:53 PM
I have to think about transparent proxy ... sorry :(

I made a feature request on GitHub!
https://github.com/opnsense/plugins/issues/1014

Regards rene

November 23, 2018, 07:50:50 PM #35 Last Edit: November 23, 2018, 08:00:50 PM by noname12123
Quote from: mimugmail on November 23, 2018, 04:21:53 PM
I have to think about transparent proxy ... sorry :(

one last question!

Before I installed dnscrypt, I created a rule on each of my LAN nets that explicitly allows DNS port 53 to my router (192.168.1.1).
Can I leave the rule like this for dnscrypt? (see my screenshot)



November 23, 2018, 11:37:46 PM #37 Last Edit: November 23, 2018, 11:42:14 PM by noname12123
Quote from: mimugmail on November 23, 2018, 10:01:39 PM
When you do port forward it's not needed

The only problem is, if I disable the rule I'm no longer able to do an nslookup of my router.athome.net address.
It says unknown. If I enable the rule, everything is fine again!

regards, rené


November 24, 2018, 12:01:12 AM #39 Last Edit: November 24, 2018, 12:03:24 AM by noname12123
Quote from: mimugmail on November 23, 2018, 11:48:13 PM
Check the logs in etc folder of dnscrypt

query.log

[2018-11-23 23:59:28] 192.168.1.6 1.1.168.192.in-addr.arpa PTR NXDOMAIN
[2018-11-23 23:59:28] 192.168.1.6 1.1.168.192.in-addr.arpa PTR NXDOMAIN


dnscrypt-proxy.log
nothing relevant


nslookup in the Windows cmd (German):

C:\>nslookup 192.168.1.1
Server:  UnKnown
Address:  192.168.1.1

*** 192.168.1.1 wurde von UnKnown nicht gefunden: Non-existent domain.

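The query.log lines in this post show a PTR lookup for 192.168.1.1 (1.1.168.192.in-addr.arpa) going out through dnscrypt-proxy and coming back NXDOMAIN, which is what a public resolver will always say about a private address; that is why nslookup reports the server as UnKnown. As an added example, not part of the thread or of dnscrypt-proxy, the script below scans query.log lines of that shape and flags reverse lookups for private (RFC 1918 or IPv6 ULA) addresses, i.e. the queries that should have been answered by the local resolver instead. It also goes slightly beyond the post by decoding ip6.arpa names. The sample log is constructed from the quoted lines plus two ordinary queries; the PASS result code is assumed here as the non-error outcome.

```python
import ipaddress
import re

# Constructed sample in the shape of the dnscrypt-proxy query.log lines quoted
# above, plus a public PTR and a plain A query that the filter must skip.
SAMPLE_LOG = """\
[2018-11-23 23:59:28] 192.168.1.6 1.1.168.192.in-addr.arpa PTR NXDOMAIN
[2018-11-23 23:59:28] 192.168.1.6 1.1.168.192.in-addr.arpa PTR NXDOMAIN
[2018-11-23 23:59:30] 192.168.1.6 8.8.8.8.in-addr.arpa PTR PASS
[2018-11-23 23:59:31] 192.168.1.6 example.com A PASS
"""

# "[timestamp] client qname qtype result" -- no trailing anchor, so extra
# fields appended by other versions of the log format are tolerated.
LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<result>\S+)")


def reverse_arpa_to_ip(qname):
    """Return the address a reverse-lookup name asks about, or None if it is not one."""
    labels = qname.lower().rstrip(".").split(".")
    try:
        # IPv4: four octets in reverse order under in-addr.arpa
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            return ipaddress.ip_address(".".join(reversed(labels[:4])))
        # IPv6: 32 nibbles in reverse order under ip6.arpa
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            nibbles = "".join(reversed(labels[:32]))
            return ipaddress.ip_address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4)))
    except ValueError:
        return None  # malformed octet or nibble, not a usable reverse name
    return None


def misrouted_local_ptr(log_text):
    """PTR queries for private addresses that went out through dnscrypt-proxy.

    A public resolver cannot answer these, so each hit is a reverse lookup
    the local resolver should have handled. Returns (client, ip, result).
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("qtype") != "PTR":
            continue
        ip = reverse_arpa_to_ip(m.group("qname"))
        if ip is not None and ip.is_private:
            findings.append((m.group("client"), str(ip), m.group("result")))
    return findings


if __name__ == "__main__":
    for client, ip, result in misrouted_local_ptr(SAMPLE_LOG):
        print(f"{client} asked upstream for PTR of private address {ip}: {result}")
```

Run it over the real query.log; any line it prints is a local reverse zone that the forwarding chain (client, NAT redirect, dnscrypt-proxy, Unbound) is sending upstream instead of resolving locally, which is the symptom described in this post.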

November 24, 2018, 12:22:06 AM #40 Last Edit: November 24, 2018, 12:29:43 AM by noname12123
I figured out that even if I enable the LAN to 192.168.1.1 port 53 DNS rule, it's not working.

It only works if I disable the NAT rule from dnscrypt.

This is the NAT rule (screenshot)