How to check if DNS is encrypted?

Solution 1:

You could check it with Wireshark by listening on your network card; just follow these steps:

  1. sudo apt-get install wireshark (paste it into a terminal)
  2. Start it from a terminal with sudo wireshark (you need sudo to be able to listen on your network card).
  3. Then start listening and filter out everything but your own IP.

Now just check if the DNS protocol is encrypted.

  1. Use the filter to only show DNS.
  2. Stop the scan.
  3. Click on a list item that says DNS and comes from your IP.
  4. Now click on the transmission protocol to see if it's encrypted.

Solution 2:

If you are using OpenDNS as the dnscrypt-supporting DNS server, a way to check whether it's working is to use one of these commands:

 drill txt debug.opendns.com
 dig txt debug.opendns.com

The answer text should contain a line where it says "dnscrypt enabled":

 ;; ANSWER SECTION:
 debug.opendns.com.  0   IN  TXT "server 11"
 debug.opendns.com.  0   IN  TXT "flags 22 2 222 2"
 debug.opendns.com.  0   IN  TXT "id 6666666"
 debug.opendns.com.  0   IN  TXT "source 209.6.69.160:44444"
 debug.opendns.com.  0   IN  TXT "dnscrypt enabled (...)"
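
Turning the dig check above into a small script, as an added example that is not part of the original answer: it parses the TXT records into key/value pairs and reports success only when OpenDNS itself says "dnscrypt enabled". The embedded sample output is constructed from the answer above (placeholder values), and the script runs the real dig command when it is available.

```python
import re
import subprocess
from typing import Dict, Optional

# Constructed sample of `dig txt debug.opendns.com` output, modelled on the
# answer above; the values are placeholders, not a real capture.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
debug.opendns.com.  0   IN  TXT "server 11"
debug.opendns.com.  0   IN  TXT "flags 22 2 222 2"
debug.opendns.com.  0   IN  TXT "id 6666666"
debug.opendns.com.  0   IN  TXT "source 209.6.69.160:44444"
debug.opendns.com.  0   IN  TXT "dnscrypt enabled (...)"
"""

# One TXT record line as dig prints it (tabs or spaces between fields).
TXT_LINE = re.compile(r'^debug\.opendns\.com\.\s+\d+\s+IN\s+TXT\s+"([^"]*)"')

def parse_debug_txt(dig_output: str) -> Dict[str, str]:
    """Map each TXT record's first word (server, flags, id, source, dnscrypt)
    to the rest of the string. Lines that are not TXT answers are ignored."""
    records: Dict[str, str] = {}
    for line in dig_output.splitlines():
        m = TXT_LINE.match(line.strip())
        if not m:
            continue
        key, _, rest = m.group(1).partition(" ")
        records[key] = rest
    return records

def dnscrypt_enabled(dig_output: str) -> bool:
    """True only when the resolver reports 'dnscrypt enabled'. A missing record
    (e.g. the query never reached OpenDNS) counts as not encrypted."""
    return parse_debug_txt(dig_output).get("dnscrypt", "").startswith("enabled")

def query_opendns_debug(timeout: int = 5) -> Optional[str]:
    """Run the dig command from the answer above; None if dig is absent or fails."""
    try:
        out = subprocess.run(["dig", "txt", "debug.opendns.com"],
                             capture_output=True, text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return out.stdout if out.returncode == 0 else None

if __name__ == "__main__":
    live = query_opendns_debug()
    text = live if live is not None else SAMPLE_DIG_OUTPUT
    print("live dig output" if live else "no live answer; using constructed sample")
    print("dnscrypt enabled" if dnscrypt_enabled(text) else "dnscrypt NOT enabled")
```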

Solution 3:

I installed dnscrypt 1.1 on Ubuntu 12.10.

I edited /etc/NetworkManager/NetworkManager.conf to comment out

 dns=dnsmasq

Then I added /etc/init/dnscrypt.conf with the following in it:

 description "dnscrypt startup script"

 start on (local-filesystems and started dbus and stopped udevtrigger)
 stop on runlevel [016]

 script
         exec /usr/sbin/dnscrypt-proxy -a 127.0.0.1 -d
 end script

Next I changed my network settings to use 127.0.0.1 for DNS.

Then I rebooted and made sure dnscrypt was running and that dnsmasq was not:

 ps aux | grep dns
 root      6581  0.0  0.0  16116   720 ?        Ss   04:47   0:00 /usr/sbin/dnscrypt-proxy -a 127.0.0.1 -d

Then I opened Wireshark to verify that DNS was encrypted:

It appears it isn't.

Visiting http://www.opendns.com/welcome/ verifies I am using opendns.
