<div dir="ltr">Hi Peter,<div><br></div><div>I think you are mixing up how DNSCrypt in unbound works. By using:</div><div>```</div><div>interface: 0.0.0.0@443<br>interface: ::0@443<br><br>######DNSCRYPT############<br>dnscrypt:<br>    dnscrypt-enable:yes<br>    dnscrypt-port:443<br>    dnscrypt-provider:2.dnscrypt-cert.cryptostorm.is.<br>    dnscrypt-secret-key:/usr/local/etc/unbound/1.key<br>    dnscrypt-provider-cert:/usr/local/etc/unbound/1.cert<br><br>###############################</div><div>```</div><div><br></div><div>Unbound will create a DNSCrypt server that will listen on port 443. Its provider name will be 2.dnscrypt-cert.cryptostorm.is. and it will use the cert/key /usr/local/etc/unbound/1.{cert,key}.</div><div><br></div><div>I am under the impression that you think it will connect to `5.101.137.251` over DNSCrypt. This is the role of DNSCrypt proxy instead.<br><br>When you add:</div><div>```</div><div>forward-zone:<br>    name: "."<br>    forward-addr:5.101.137.251</div><div>```</div><div>to the config, unbound will forward requests to 5.101.137.251 and will behave as a caching server. Because 5.101.137.251 also handles clear-text DNS, this is working just fine and that IP is showing through the website you mentioned.</div><div><br></div><div>When you remove the forward-zone, unbound will behave as a recursive resolver and DNS queries will show up as coming from your DNS server to the outside world.</div><div><br></div><div>I think you are misunderstanding what role Unbound has in a DNSCrypt setup. Essentially, the config you are providing is the one that <a href="http://cryptostorm.is">cryptostorm.is</a> would use if they were going to set up a DNSCrypt server (aside from the forward-zone bit).</div><div><br></div><div>TL;DR you want to install DNSCrypt proxy. 
The original author is working on a new version: <a href="https://github.com/jedisct1/dnscrypt-proxy">https://github.com/jedisct1/dnscrypt-proxy</a>.</div><div><br></div><div>Manu</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 23, 2018 at 5:46 AM, peter.newey--- via Unbound-users <span dir="ltr">&lt;<a href="mailto:unbound-users@unbound.net" target="_blank">unbound-users@unbound.net</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:16px"><div>Hello</div><div><br></div><div>I am using unbound from Git, version 1.6.9, and have compiled it with --enable-dnscrypt.</div><div>This is my unbound.conf setup:</div><div><br></div><div># unbound.conf for a local subnet.#<br>server:<br>    interface: 0.0.0.0<br>    interface: ::0<br>    access-control: 192.168.0.0/16 allow<br>    access-control: ::1 allow<br><br>    # DNSCRYPT server: #######<br>    interface: 0.0.0.0@443<br>    interface: ::0@443<br><br>    directory: "/usr/local/etc/unbound"<br>    chroot: ""<br>    username: ""<br>    verbosity:0<br>    num-threads: 1<br>    prefetch:yes<br>    prefetch-key:yes<br>    use-syslog:no<br>    do-ip6: no<br>    so-reuseport: yes<br>    module-config: "validator iterator"<br><br>    do-not-query-localhost: no<br><br>    # file to read root hints from.<br>    #get one from ftp://FTP.INTERNIC.NET/domain/<br>    root-hints: "/usr/local/etc/unbound/named.cache"<br>    ############################################################<br>    include: "/usr/local/etc/unbound/unbound_ad_servers"<br>    #update the above file by using below command as root  :<br>    #curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&amp;showintro=0&amp;mimetype=plaintext" &gt; /usr/local/etc/unbound/unbound_ad_servers<br><br>    logfile: "/usr/local/etc/unbound/unbound.log"<br><br>    log-time-ascii:yes<br><br>    ####################################################<br><br>    #auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"  #root key file, automatically updated##### remove # only for DNSSEC capable dns servers ##########<br>    ####################################################<br><br>    #Remote control config section.<br>    remote-control:<br>    # Enable remote control with unbound-control(8) here.<br>    # set up the keys and certificates with unbound-control-setup.<br>    control-enable:yes<br><br>    ######DNSCRYPT############<br>    dnscrypt:<br>        dnscrypt-enable:yes<br>        dnscrypt-port:443<br>        dnscrypt-provider:2.dnscrypt-cert.cryptostorm.is.<br>        dnscrypt-secret-key:/usr/local/etc/unbound/1.key<br>        dnscrypt-provider-cert:/usr/local/etc/unbound/1.cert<br><br>    forward-zone:<br>        name: "."<br>        forward-addr:5.101.137.251<br><br>    ###############################</div><div><br></div><div>The only lines I see in my unbound.log where dnscrypt is mentioned is this line that is repeated occasionally:</div><div><br></div><div>Jan 23 05:35:12 unbound[32581:0] notice: DNSCrypt: Freeing environment.</div><div><br></div><div>If I use the above unbound.conf and look on the website <a href="https://whoer.net/" target="_blank">https://whoer.net/</a></div><div>it shows my own ISP IP address correctly and DNS 5.101.137.251 correctly, which belongs to dnscrypt-provider:2.dnscrypt-cert.cryptostorm.is.</div><div><br></div><div>If I change it to:</div><div>#forward-zone:<br>    # name: "."<br>    #forward-addr:5.101.137.251</div><div><br></div><div>my DNS address then shows my own ISP DNS, but I presume it should show 5.101.137.251 if dnscrypt was working correctly.</div><div><br></div><div>If I change it to:</div><div><br></div><div>#dnscrypt:<br>    # dnscrypt-enable:yes<br>    #dnscrypt-port:443<br>    #dnscrypt-provider:2.dnscrypt-cert.cryptostorm.is.<br>    #dnscrypt-secret-key:/usr/local/etc/unbound/1.key<br>    #dnscrypt-provider-cert:/usr/local/etc/unbound/1.cert<br><br>forward-zone:<br>    name: "."<br>    forward-addr:</div><div><br></div><div>my DNS address then shows again as 5.101.137.251.</div><div><br></div><div>Can I presume dnscrypt is not working correctly, and are there any suggestions as to how I can get it to work please?</div><div><br></div><div>thanks</div><span class="HOEnZb"><font color="#888888"><div><br></div><div>Peter</div></font></span></div></div></blockquote></div><br></div>
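<div><br></div><div>As an added illustration of the point made in the reply above (example code written for this page, not from the thread, from unbound or from dnscrypt-proxy): a small Python checker that parses the relevant stanzas of an unbound.conf and reports which role they give unbound, so the "DNSCrypt server" versus "plain forwarder" mix-up shows up mechanically. The "as posted" sample is trimmed from Peter's config; the "local proxy" sample, its 127.0.0.1@5353 dnscrypt-proxy listener, and the assumption that no ssl-upstream is configured (so a forward to a non-loopback address goes out as plain DNS) are assumptions of the example, not facts from the thread.</div>

```python
"""Classify what an unbound.conf does with upstream queries (added example).

Parses only the subset of unbound.conf syntax the posted config uses and
reports unbound's role: DNSCrypt *server* (dnscrypt: stanza), forwarder
(forward-zone for "."), or recursive resolver (neither). Assumes no
ssl-upstream, so a forward to a non-loopback address is plain DNS.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Clause names from unbound.conf(5) that this checker recognises.
CLAUSES = {"server", "remote-control", "stub-zone", "forward-zone",
           "view", "python", "dnscrypt", "dnstap", "cachedb", "ipsecmod"}
OPTION_RE = re.compile(r"^([a-z0-9-]+):\s*(.*)$")  # "key: value"; space optional

Section = Tuple[str, Dict[str, List[str]]]


def parse_unbound_conf(text: str) -> List[Section]:
    """Return ordered (clause, {option: [values]}) pairs.

    Handles 'clause:' headers, 'key: value' lines with or without a space
    after the colon (both appear in the posted config), '#' comments,
    repeated options (several 'interface:' lines) and double-quoted values.
    """
    sections: List[Section] = []
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":") and line[:-1] in CLAUSES:
            current = {}
            sections.append((line[:-1], current))
            continue
        m = OPTION_RE.match(line)
        if m and sections:
            key, value = m.group(1), m.group(2).strip().strip('"')
            current.setdefault(key, []).append(value)
    return sections


def _host_of(addr: str) -> str:
    """forward-addr is IP or IP@port; IPv6 contains ':' so split on '@' only."""
    return addr.split("@", 1)[0]


def describe_upstream(conf_text: str) -> dict:
    """Summarise unbound's role and flag cleartext forwarding."""
    dnscrypt: Dict[str, List[str]] = {}
    root_forwards: List[str] = []
    for name, opts in parse_unbound_conf(conf_text):
        if name == "dnscrypt":
            dnscrypt.update(opts)
        elif name == "forward-zone" and opts.get("name", [""])[0] == ".":
            root_forwards.extend(opts.get("forward-addr", []))

    report = {"mode": "recursive", "dnscrypt_server": False, "findings": []}

    if dnscrypt.get("dnscrypt-enable", ["no"])[0] == "yes":
        report["dnscrypt_server"] = True
        report["findings"].append(
            "dnscrypt: stanza makes unbound a DNSCrypt server on port %s for "
            "provider %s; it does not encrypt unbound's own upstream queries"
            % (dnscrypt.get("dnscrypt-port", ["?"])[0],
               dnscrypt.get("dnscrypt-provider", ["?"])[0]))

    if not root_forwards:
        report["findings"].append(
            "no forward-zone for '.': unbound recurses from the root hints itself")
        return report

    report["mode"] = "forwarding"
    for addr in root_forwards:
        try:
            loopback = ipaddress.ip_address(_host_of(addr)).is_loopback
        except ValueError:  # hostname or garbage: treat as off-host
            loopback = False
        if loopback:
            report["findings"].append(
                "forward to %s: a local proxy such as dnscrypt-proxy decides "
                "what goes on the wire" % addr)
        else:
            report["findings"].append(
                "forward to %s is plain DNS: every query leaves this host in "
                "cleartext" % addr)
    return report


# Constructed input: the stanzas of the posted config that matter here.
AS_POSTED = """\
server:
    interface: 0.0.0.0@443
    interface: ::0@443
dnscrypt:
    dnscrypt-enable:yes
    dnscrypt-port:443
    dnscrypt-provider:2.dnscrypt-cert.cryptostorm.is.
    dnscrypt-secret-key:/usr/local/etc/unbound/1.key
    dnscrypt-provider-cert:/usr/local/etc/unbound/1.cert
forward-zone:
    name: "."
    forward-addr:5.101.137.251
"""

# Hypothetical client-side layout (assumption, not from the thread): unbound
# serves the LAN and hands every query to a dnscrypt-proxy on 127.0.0.1:5353.
LOCAL_PROXY = """\
server:
    interface: 0.0.0.0
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353
"""

if __name__ == "__main__":
    for label, conf in (("as posted", AS_POSTED), ("local proxy", LOCAL_PROXY)):
        r = describe_upstream(conf)
        print("%s: mode=%s dnscrypt_server=%s" % (label, r["mode"], r["dnscrypt_server"]))
        for finding in r["findings"]:
            print("  -", finding)
```

<div>Run it as a script to print both reports. On the "as posted" input it reports a DNSCrypt server on 443 for 2.dnscrypt-cert.cryptostorm.is. plus a cleartext forward to 5.101.137.251, which is exactly why whoer.net shows that IP while nothing is encrypted; on the "local proxy" layout the only forward is to loopback, and the proxy, not unbound, is what speaks DNSCrypt upstream.</div>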