Ξ welcome to cryptostorm's member forums ~ you don't have to be a cryptostorm member to post here Ξ

DNS configuration / usage


Topic Author
cryptomon
Posts: 20
Joined: Fri Feb 23, 2018 7:32 am

DNS configuration / usage

Postby cryptomon » Fri Feb 23, 2018 11:46 am

DNS settings - I have questions (sorry for the length and basic context).

I use Linux with openVPN that is configured with systemd and firewall UFW.

1. Does it matter whether one uses openDNS (e.g. 208.67.222.222, 208.67.220.220) or the VPN entry IP address? (I use the openDNS IPs because they seemed on occasion to be more reliable i.e. when VPN drops at least I still have DNS resolution)

2. Entry point IPs are listed here
https://github.com/cryptostorm/cstorm_d ... olvers.csv
which gives a "Resolver Address" for example as: Vilnius, Lithuania 93.115.30.154

Are these forever fixed for the life of the list?

3. However, when one does, say, from the command line:
$ nslookup linux-lithuania.cryptostorm.net
Non-authoritative answer:
Name: linux-lithuania.cryptostorm.net
Address: 93.115.30.155

Should I always use the Resolver Address of 93.115.30.154?

4. Is there a way to get this Resolver Address of linux-lithuania.cryptostorm.net without the need to look up the Resolver List, i.e. using some command-line query like nslookup?

5. Should my firewall UFW in this example allow outbound access to both 93.115.30.154 and 93.115.30.155?

6. If I run nslookup on the IP addresses listed in

$ nslookup linux-balancer.cryptostorm.net

In my lithuania example this gives:

$ nslookup 93.115.30.155

155.30.115.93.in-addr.arpa name = hst-93-115-30-155.balticservers.eu.
Authoritative answers can be found from:

but in some cases one sees e.g.:
** server can't find 76.95.208.173.in-addr.arpa: NXDOMAIN

Does this mean the server is down? If so, how does the balancer compensate? (e.g. does it just move on to the next?)

7. Should I be using DNScrypt? I assume it is a different setup to what I discussed above? (Haven't quite worked it out or found a good resource to explain its benefits or usage)


parityboy
Site Admin
Posts: 1256
Joined: Wed Feb 05, 2014 3:47 am

Re: DNS configuration / usage

Postby parityboy » Fri Feb 23, 2018 6:24 pm

@OP

1. For DNS resolution of public Internet addresses, you can use whichever DNS server you wish, including any of the ones in Cryptostorm's dnscrypt-resolvers.csv file. However, for transparent access to the Tor and I2P networks - i.e. not having to install extra software - you will need to use the DNS server of the exit node you are connected to.

2. The addresses are fairly stable, but if a node has to be taken out of service the chances are that a new set of IPs will be issued for it. This doesn't happen very often though.

3. See point 1.

4. I'm not sure. I tried dnstracer and dig, but I think the issue is that none of the DNS resolvers sitting on the exit nodes are authoritative for their own fully qualified domain name, i.e. there is an authority server for the cryptostorm.net domain but not for the domain names of individual exit nodes. I think the resolvers sitting on the exit nodes are simply forwarders.

5. Yes. The addresses in dnscrypt-resolvers.csv are publicly contactable outside of the VPN tunnel, so using one to resolve the domain name of an exit node is a sensible idea.

6. No. Most of the DNS entries on the Internet are forward entries i.e. domain->IP mappings. What you're seeing there is the effect of a missing reverse entry, i.e. IP->domain mapping.

7. If you're concerned about your ISP knowing that you are using Cryptostorm (which they can find out anyway if they can be bothered) or your setup has some things going outside of the VPN tunnel then yes, other than that it's not an issue either way.

Hope this helps. :)


Topic Author
cryptomon
Posts: 20
Joined: Fri Feb 23, 2018 7:32 am

Re: DNS configuration / usage

Postby cryptomon » Mon Feb 26, 2018 9:09 am

That does help, thank you. It seems as long as I look at this stuff I never seem to fully conquer it, but I think I'm getting there. I do find it all very intriguing despite the learning curve. I created bash scripts to automate the install and configuration and corresponding UFW settings, so life is easier. I also created a systemd service notification to tell me if a connection is down with where the issue might lie. Not seamless yet but it helps.

On item 7, I have now looked into DNSCrypt and now better understand its benefit (inc. caching); it looks like something relatively straightforward to set up using dnscrypt-proxy v2
https://github.com/jedisct1/dnscrypt-proxy
also mentioned here: viewtopic.php?f=51&t=9515

I note that the new v2 setup is a bit different to v1 and manual modification of the resolv.conf file is not required. It is automatically updated with
nameserver 127.0.0.1

I modified the configuration file /etc/dnscrypt-proxy/dnscrypt-proxy.toml
to only have Cryptostorm Names e.g. cs-pt from the resolver list under setting: server_names = [cs-pt,....etc.]
https://github.com/cryptostorm/cstorm_d ... olvers.csv
Couldn't work out how it scrapes this data in the background, whether directly from the CS GitHub site or otherwise, with the interest of knowing whether the latest resolver IP update had filtered through yet. Can anyone enlighten?


Topic Author
cryptomon
Posts: 20
Joined: Fri Feb 23, 2018 7:32 am

Re: DNS configuration / usage

Postby cryptomon » Fri Mar 02, 2018 11:18 am

cryptomon wrote:I note that the new v2 setup is a bit different to v1 and manual modification of the resolv.conf file is not required. It is automatically updated with
nameserver 127.0.0.1


Sorry my mistake, this is not correct. I use dhcpcd service so to make the DNS (127.0.0.1) listed in resolv.conf file persistent I chose to add 127.0.0.1 as the first DNS server in my dhcpcd.conf file.


Topic Author
cryptomon
Posts: 20
Joined: Fri Feb 23, 2018 7:32 am

Re: DNS configuration / usage

Postby cryptomon » Tue Mar 27, 2018 8:45 am

parityboy wrote:5. Yes. The addresses in dnscrypt-resolvers.csv are publicly contactable outside of the VPN tunnel, so using one to resolve the domain name of an exit node is a sensible idea.


Not sure you mean one only ever, or one of the many to choose from in a random sense...

So having set up dnscrypt2 (https://github.com/jedisct1/dnscrypt-proxy), I have set my list of "server_names =" inside dnscrypt-proxy.toml to be the list provided by (https://github.com/cryptostorm/cstorm_deepDNS) dnscrypt-resolvers.csv, i.e.:
server_names = [
'cs-fr',
'cs-fr2',
'cs-cfi',
'cs-de',
'cs-pt',
'cs-uk',
'cs-ch',
'cs-cawest',
'cs-caeast',
'cs-rome',
'cs-dk',
'cs-ro',
'cs-lv',
'cs-nl',
'cs-es',
'cs-pl',
'cs-fi',
'cs-lt',
'cs-de3',
'cs-nl',
'cs-uswest',
'cs-uswest3',
'cs-uswest5',
'cs-useast',
'cs-useast2',
'cs-ussouth',
'cs-ussouth2',
'cs-usnorth'
]
and I've set
fallback_resolver = '109.71.42.228:53'

Is that an acceptable approach given I may be using only one exit node? i.e. it doesn't matter which resolver/s is/are used? (I've read elsewhere others saying you should use only one resolver from the exit node location, but the lists are not always 1-1 matching e.g. Denmark or Netherlands each have 2 server locations)

Thinking aloud here, if one was using the balancer exit node there are no specific resolvers for that so it seems that any should do, without leakage being an issue? After all if I understand this, the resolver merely finds the exit node's IP address after which your DNS requests then go through the tunnel, correct?


parityboy
Site Admin
Posts: 1256
Joined: Wed Feb 05, 2014 3:47 am

Re: DNS configuration / usage

Postby parityboy » Wed Mar 28, 2018 8:12 pm

Is that an acceptable approach given I may be using only one exit node?


It is. However, names such as 'cs-caeast' are resolved where? Is dnscrypt-proxy given a local copy of the resolvers.csv file so that it can pull the actual IP addresses of the DNS servers? I've not installed DNScrypt on my router yet so I'm not familiar with it.

EDIT:
I just saw this, so I have a better understanding of where it gets the DNS server IP addresses from (I think, lol).

After all if I understand this, the resolver merely finds the exit node's IP address after which your DNS requests then go through the tunnel, correct?


This is correct. Once you are connected to the exit node, the exit node will push its associated DNS server's IP address down the tunnel to the client. This allows it to resolve not only clearnet addresses, but also altnet addresses such as Tor and I2P.


Topic Author
cryptomon
Posts: 20
Joined: Fri Feb 23, 2018 7:32 am

Re: DNS configuration / usage

Postby cryptomon » Thu Mar 29, 2018 7:34 am

parityboy wrote:EDIT:
I just saw this, so I have a better understanding of where it gets the DNS server IP addresses from (I think, lol).


Yeah, so I noticed that the list of resolvers from that web page you gave contain the same list as provided by CS dnscrypt-resolvers.csv. By entering this list into the dnscrypt-proxy.toml config file it limits the lookup addresses to one of those CS addresses, so as not to use one of the other available resolvers that might want to log the requests.

It seems a nicely written 'go' program. I've been able to script some things, such as stripping out these names (like the ones in the list I gave above) from the first column of the dnscrypt-resolvers.csv file, inserting them into the dnscrypt-proxy.toml config file and placing it into the required directory (/etc/dnscrypt-proxy), along with an IP blacklist file. Then I've automated the setup of the UFW firewall with the resolver and exit node IP addresses created from the hostnames stripped from the CS config files. I then monitor my connection to check whether the VPN is still active and connected and the firewall is up. When things go down on occasion it is nice to see what my options are at a glance.
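The two posts above (the `server_names` list from Mar 27 and the scripting described on Mar 29) amount to one small pipeline: pull the short names and resolver addresses out of dnscrypt-resolvers.csv, write them into dnscrypt-proxy.toml, and derive the outbound UFW rules from the same addresses. The Python below is an added example, not code from either poster or from the cryptostorm or dnscrypt-proxy projects. It assumes only that the CSV has a `Name` column and a `Resolver address` column in `host[:port]` form (the sample rows and addresses are constructed); the real file's full column set is not reproduced here. It also drops duplicate names, which the Mar 27 list has (`cs-nl` appears twice), and skips rows whose address is not an IP literal so a malformed row never becomes a firewall rule.

```python
import csv
import io
import ipaddress
import re
from typing import Iterable, List, NamedTuple


class Resolver(NamedTuple):
    name: str
    ip: str
    port: int


# Constructed sample in the shape of a dnscrypt-resolvers.csv: short name in the
# first column, "Resolver address" as host[:port]. Rows, names beyond the cs-
# prefix convention, and addresses are made up for this example.
SAMPLE_CSV = """Name,Full name,Location,Resolver address
cs-lt,cryptostorm Lithuania,Vilnius,192.0.2.10:443
cs-nl,cryptostorm Netherlands,Amsterdam,192.0.2.20:443
cs-nl,cryptostorm Netherlands 2,Amsterdam,192.0.2.21
other-resolver,Not cryptostorm,Elsewhere,198.51.100.5:443
bad-row,Broken address,Nowhere,not-an-ip:443
"""

# host[:port]; IPv6 must be bracketed ("[2001:db8::1]:443") to be parsed.
_ADDR_RE = re.compile(r"\[?([^\[\]]+?)\]?(?::(\d+))?")
_SERVER_NAMES_RE = re.compile(r"^[ \t]*server_names\s*=\s*\[[^\]]*\]", re.MULTILINE)


def parse_resolvers(csv_text: str, prefix: str = "cs-", default_port: int = 443) -> List[Resolver]:
    """Keep only rows whose short name starts with `prefix` (the cryptostorm
    resolvers) and whose address is a valid IP literal."""
    out: List[Resolver] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("Name") or "").strip()
        if not name.startswith(prefix):
            continue
        m = _ADDR_RE.fullmatch((row.get("Resolver address") or "").strip())
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # not an IP literal: refuse rather than guess
        port = int(m.group(2)) if m.group(2) else default_port
        out.append(Resolver(name, ip, port))
    return out


def unique_names(resolvers: Iterable[Resolver]) -> List[str]:
    """Short names in first-seen order, without duplicates."""
    seen = set()
    names: List[str] = []
    for r in resolvers:
        if r.name not in seen:
            seen.add(r.name)
            names.append(r.name)
    return names


def render_server_names(names: Iterable[str]) -> str:
    """TOML array in the multi-line layout used in the thread."""
    body = ",\n".join(f"    '{n}'" for n in names)
    return f"server_names = [\n{body}\n]"


def set_server_names(toml_text: str, names: Iterable[str]) -> str:
    """Replace an existing (uncommented) server_names array, or append one."""
    block = render_server_names(names)
    if _SERVER_NAMES_RE.search(toml_text):
        return _SERVER_NAMES_RE.sub(lambda _m: block, toml_text, count=1)
    return toml_text.rstrip("\n") + "\n" + block + "\n"


def ufw_rules(resolvers: Iterable[Resolver]) -> List[str]:
    """One outbound allow per distinct address/port, for UDP and TCP, since
    dnscrypt-proxy can use either transport to reach a DNSCrypt resolver."""
    rules: List[str] = []
    for ip, port in sorted({(r.ip, r.port) for r in resolvers}):
        for proto in ("udp", "tcp"):
            rules.append(f"ufw allow out to {ip} port {port} proto {proto}")
    return rules


if __name__ == "__main__":
    resolvers = parse_resolvers(SAMPLE_CSV)
    print(set_server_names("server_names = ['scaleway-fr', 'google']\n", unique_names(resolvers)))
    print("\n".join(ufw_rules(resolvers)))
```

Run against the real file, `parse_resolvers(open("dnscrypt-resolvers.csv").read())` produces the list to feed `set_server_names` on the contents of /etc/dnscrypt-proxy/dnscrypt-proxy.toml; the rule strings are meant to be reviewed before being run, not piped straight into `sh`.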

