
dnscrypt-proxy's Introduction

dnscrypt-proxy 2


Overview

A flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2, DNS-over-HTTPS, Anonymized DNSCrypt and ODoH (Oblivious DoH).

Available as source code and pre-built binaries for most operating systems and architectures (see below).

Features

  • DNS traffic encryption and authentication. Supports DNS-over-HTTPS (DoH) using TLS 1.3 and QUIC, DNSCrypt, Anonymized DNS and ODoH
  • Client IP addresses can be hidden using Tor, SOCKS proxies or Anonymized DNS relays
  • DNS query monitoring, with separate log files for regular and suspicious queries
  • Filtering: block ads, malware, and other unwanted content. Compatible with all DNS services
  • Time-based filtering, with a flexible weekly schedule
  • Transparent redirection of specific domains to specific resolvers
  • DNS caching, to reduce latency and improve privacy
  • Local IPv6 blocking to reduce latency on IPv4-only networks
  • Load balancing: pick a set of resolvers, dnscrypt-proxy will automatically measure and keep track of their speed, and balance the traffic across the fastest available ones.
  • Cloaking: like a HOSTS file on steroids, that can return preconfigured addresses for specific names, or resolve and return the IP address of other names. This can be used for local development as well as to enforce safe search results on Google, Yahoo, DuckDuckGo and Bing
  • Automatic background updates of resolvers lists
  • Can force outgoing connections to use TCP
  • Compatible with DNSSEC
  • Includes a local DoH server in order to support ECH (ESNI)

Pre-built binaries

Up-to-date, pre-built binaries are available for:

  • Android/arm
  • Android/arm64
  • Android/x86
  • Android/x86_64
  • Dragonfly BSD
  • FreeBSD/arm
  • FreeBSD/x86
  • FreeBSD/x86_64
  • Linux/arm
  • Linux/arm64
  • Linux/mips
  • Linux/mipsle
  • Linux/mips64
  • Linux/mips64le
  • Linux/x86
  • Linux/x86_64
  • macOS/arm64
  • macOS/x86_64
  • NetBSD/x86
  • NetBSD/x86_64
  • OpenBSD/x86
  • OpenBSD/x86_64
  • Windows
  • Windows 64 bit

How to use these files, as well as how to verify their signatures, are documented in the installation instructions.

Contributors

Code Contributors

This project exists thanks to all the people who contribute.

Financial Contributors

Become a financial contributor and help us sustain our community. [Contribute]

Individuals

Organizations

Support this project with your organization. Your logo will show up here with a link to your website. [Contribute]

dnscrypt-proxy's People

Contributors

a1346054, alisonatwork, amitbl, bdossantos, chris-wood, cobratbq, d3cim, dependabot-preview[bot], dependabot[bot], encrypttown, fholzer, gdm85, glitsj16, hugepants, ianbashford, icecodenew, ignoramous, jedisct1, jrnewell, keatonliu, lifenjoiner, lukateras, maage, mibere, miracle091, peterdavehello, publicarray, simonfxr, vbauerster, welwood08


dnscrypt-proxy's Issues

Question regarding certIgnoreTimestamp

Hi dev,

I'm the author of https://github.com/thuantran/dnscrypt-asuswrt-installer dnscrypt-proxy installer for asus routers running asuswrt-merlin.

I wonder from these two commits 6ca2697 and 8bcba92 if these assumptions are correct:

  • Adding 'cert_ignore_timestamp = true' to config file will result in the same effect as -I in dnscrypt-proxy version 1.
  • The flag will be automatically cleared if dnscrypt-proxy v2 connects to a server with correct timestamp.

If they are true, it's more than awesome :).

Best regards,
thuan

[FATAL] Missing stamp

[FATAL] Missing stamp for the static [server-of-my-choice] definition

Can't run beta 9 without this error. No connection.

[sources] settings don't matter - [sources.'legacy resolvers list for dnscrypt-proxy v1'] or [sources.'proxy v1 list from github']
• Lines for the server-of-my-choice are equal in both *.csv files - from the new and from the old URLs.

dnscrypt-proxy-win32-2.0.0beta10

In beta10, change the configuration in dnscrypt-proxy.toml to

server_names = ['cisco']

and

# [servers]
    [servers.'cisco ']
   stamp='sdns://AQMAAAAAAAAAEjIxMi40Ny4yMjguMTM2OjQ0MyDoAbhOpga_sLrAzkNEW7FeumSwL6PEqjGuEGNqB5AyTR8yLmRuc2NyeXB0LWNlcnQuZnIuZG5zY3J5cHQub3Jn'

After that, I still cannot use cisco. What can I do? Thank you!

Help wanted: web component to compute stamps

A convenient thing to have on the website is a simple way to compute a stamp for unencrypted DNS, DNSCrypt and DoH servers.

The format is very simple (it's a base64 encoded sequence of length-prefixed blobs), and this is something I will document shortly.

So, having a Vue or React component that we could have in a corner of the website could be great, especially for people using server software that doesn't print DNS stamps yet.
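
The format described in this post, decoded and re-encoded in Go, as an added example that is not code from the project. The field order (protocol byte 0x01, 8-byte little-endian properties, then address, public key and provider name as length-prefixed blobs) follows the published DNS stamps specification for DNSCrypt servers; the type and function names are illustrative, and the sample input is the stamp quoted in the beta10 report on this page.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// DNSCryptStamp holds the fields of a DNSCrypt stamp (protocol byte 0x01).
type DNSCryptStamp struct {
	Props        uint64 // bit 0: DNSSEC, bit 1: no logs, bit 2: no filter
	Addr         string // IP address, optionally followed by :port
	PublicKey    []byte // provider public key, 32 bytes
	ProviderName string
}

// readLP consumes one length-prefixed blob: one length byte, then the data.
func readLP(b []byte) (blob, rest []byte, err error) {
	if len(b) == 0 || len(b) < 1+int(b[0]) {
		return nil, nil, errors.New("truncated length-prefixed blob")
	}
	n := int(b[0])
	return b[1 : 1+n], b[1+n:], nil
}

// ParseDNSCryptStamp decodes and validates an sdns:// DNSCrypt stamp.
func ParseDNSCryptStamp(stamp string) (*DNSCryptStamp, error) {
	const scheme = "sdns://"
	if !strings.HasPrefix(stamp, scheme) {
		return nil, errors.New("stamp does not start with sdns://")
	}
	// URL-safe alphabet ('-' and '_'), no '=' padding: a standard base64
	// decoder rejects such input, RawURLEncoding accepts it.
	raw, err := base64.RawURLEncoding.DecodeString(stamp[len(scheme):])
	if err != nil {
		return nil, fmt.Errorf("base64url decode: %w", err)
	}
	if len(raw) < 9 {
		return nil, errors.New("stamp too short")
	}
	if raw[0] != 0x01 {
		return nil, fmt.Errorf("protocol 0x%02x is not DNSCrypt", raw[0])
	}
	s := &DNSCryptStamp{Props: binary.LittleEndian.Uint64(raw[1:9])}
	rest := raw[9:]
	fields := make([][]byte, 3) // address, public key, provider name
	for i := range fields {
		if fields[i], rest, err = readLP(rest); err != nil {
			return nil, err
		}
	}
	if len(fields[1]) != 32 {
		return nil, fmt.Errorf("public key is %d bytes, want 32", len(fields[1]))
	}
	if len(rest) != 0 {
		return nil, errors.New("trailing bytes after provider name")
	}
	s.Addr, s.PublicKey, s.ProviderName = string(fields[0]), fields[1], string(fields[2])
	return s, nil
}

// Encode builds the sdns:// string from the fields (the inverse of parsing).
func (s *DNSCryptStamp) Encode() (string, error) {
	var props [8]byte
	binary.LittleEndian.PutUint64(props[:], s.Props)
	buf := append([]byte{0x01}, props[:]...)
	for _, f := range [][]byte{[]byte(s.Addr), s.PublicKey, []byte(s.ProviderName)} {
		if len(f) > 255 {
			return "", errors.New("field longer than 255 bytes")
		}
		buf = append(append(buf, byte(len(f))), f...)
	}
	return "sdns://" + base64.RawURLEncoding.EncodeToString(buf), nil
}

// pageStamp is the stamp quoted in the beta10 report earlier on this page.
const pageStamp = "sdns://AQMAAAAAAAAAEjIxMi40Ny4yMjguMTM2OjQ0MyDoAbhOpga_sLrAzkNEW7FeumSwL6PEqjGuEGNqB5AyTR8yLmRuc2NyeXB0LWNlcnQuZnIuZG5zY3J5cHQub3Jn"

func main() {
	s, err := ParseDNSCryptStamp(pageStamp)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("addr=%s provider=%s props=%#x key=%x\n", s.Addr, s.ProviderName, s.Props, s.PublicKey)
}
```

Decoding a stamp before adding it under [servers] shows which address and provider name it actually carries; the stamp above decodes to 212.47.228.136:443 with provider name 2.dnscrypt-cert.fr.dnscrypt.org.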

Add support for systemd sockets

The previous version of dnscrypt-proxy supported using systemd sockets instead of directly listening to the port. This allows for more versatility and, for example, makes it possible to run the program without root privileges (since it does not have to listen directly to a privileged port).

Help wanted: custom SNI in HTTP2 requests

For DoH, we currently need a working DNS setup in order to resolve the hostname.

The IP is present in the stamp, so we could use it to connect, but the SNI name would be replaced by the IP, so certificate verification would fail.

That can apparently be done, in Go, using a custom dialer, and one Transport per SNI name.

Or maybe even easier/simpler/faster ways exist. I'm still very new to Go, so if you know how to do that and can help, that would be very appreciated.
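
One way to do what this post describes, as an added Go example that is not the project's code: a transport whose dialer always connects to the IP taken from the stamp, while the host name in the URL still drives SNI and certificate verification. NewPinnedClient and Demo are illustrative names; the demo runs against a local httptest server (constructed here), whose built-in certificate lists example.com.

```go
package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// NewPinnedClient returns an HTTPS client that never resolves the URL's host
// name: every connection goes to ipPort (the address carried in the stamp).
// The host name from the URL is still sent as SNI and checked against the
// server certificate, because the transport takes it from the request.
// A nil roots pool means the system trust store.
func NewPinnedClient(ipPort string, roots *x509.CertPool) *http.Client {
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	return &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{
			// Ignore the host:port the transport asks for; dial the pinned address.
			DialContext: func(ctx context.Context, network, _ string) (net.Conn, error) {
				return dialer.DialContext(ctx, network, ipPort)
			},
			TLSClientConfig:   &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12},
			ForceAttemptHTTP2: true, // a custom dialer otherwise disables HTTP/2
		},
	}
}

// Demo runs the client against a local TLS test server. It returns the SNI
// value the server saw, the HTTP status, and whether a request for a name the
// certificate does not list was rejected.
func Demo() (sni string, status int, mismatchRejected bool, err error) {
	sniSeen := make(chan string, 1)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	}))
	// Record the server name from the ClientHello, then continue with the default config.
	srv.TLS = &tls.Config{GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
		select {
		case sniSeen <- h.ServerName:
		default:
		}
		return nil, nil
	}}
	srv.StartTLS()
	defer srv.Close()

	// Trust only the test server's certificate and pin its listening address.
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	client := NewPinnedClient(srv.Listener.Addr().String(), roots)

	resp, err := client.Get("https://example.com/dns-query")
	if err != nil {
		return "", 0, false, err
	}
	resp.Body.Close()
	sni = <-sniSeen

	// Same pinned address, but a name the certificate does not cover:
	// verification must fail even though the TCP connection succeeds.
	_, mismatchErr := client.Get("https://unlisted.example.net/dns-query")
	return sni, resp.StatusCode, mismatchErr != nil, nil
}

func main() {
	sni, status, rejected, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("sni=%s status=%d mismatch_rejected=%v\n", sni, status, rejected)
}
```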

Help wanted: website

A dedicated website would be great.

To explain what DNS is and why encrypted/authenticated DNS is not a bad idea.

And to list available specifications, implementations and public servers.

So, if you're familiar with static websites generators such as Gatsby and Nuxt, and if you can do something that looks great and has fascinating content to read, that would be awesome!

Stamps discussion

Hi,

Thank you for all of your work on this project, it's amazing how fast-paced the development is.

I would like to ask a few questions around the newest change - stamps.

  • What standard are stamps following?

We can see some stamps using the _ character which is invalid as per the original RFC and as a result, base64 will fail to decode the stamps. While there are variants allowing this, it's certainly not the default option.

  • Can we keep the previous format for static server declaration?

The configuration file should be human readable and manually defining provider_name, address and public_key is much simpler and straight-forward compared to stamp. It seems, that the stamp structure is more complex, and generating them manually (from the previously mentioned parameters) is a bit cumbersome.

  • Do we need a uri (sdns://) prefix?

It's unlikely (due to the potential for adding rogue servers without the user knowing) that dnscrypt servers will end up as browser links, which you click, to add them to your static list. And it doesn't seem to serve any purpose during stamp processing either.

Help wanted: Linux installer

Having the ability to download and install the thing using a shell command such as

wget https://...
minisign -op ... | sh

would be convenient. Can you imagine if that even played well with systemd and didn't break your Linux distribution? That would be sweet.

I rarely use Linux, and when I do, the way I configure DNS is not something you want to hear about.

So, your help would be welcome!

Service ISSUES - beta 11

  1. When I launch any *.bat command, firstly I've got the message (translated to English):

There are no items in the list.

Below I see usual [NOTICE] messages as expected, without errors.

  2. I don't have dnscrypt-proxy.exe in the "Task Manager" as background process in Windows any more. At the same time, dnscrypt-proxy has been really installed and existing as Service - DNSCrypt client proxy.

So, beta 11 doesn't work for me (no connection, no resolve).
I don't have errors, except There are no items in the list.
According to the launch messages, service was normally installed and started.
Strange...

P.S. I reconfigured *.toml to have running [static] public servers of my choice, not google (as purposed).

Strange behaviour in beta 5. Unable to see Cisco-ipv6 dns

I am using ipv4 and ipv6 via Cisco and Cisco-ipv6 only.
In beta 4, when I use ipleak.net to check my dns server used, I am able to see all the Cisco dns servers including ipv6 Cisco dns server.

However, now in beta 5, I am unable to see the ipv6 Cisco dns server.
There is no issue with resolving ipv6 domain and I am ipv6 ready, tested in ipv6-test.com and test-ipv6.com.

Small issue but just wanted to know why I can see ipv6 dns of Cisco in ipleak.net which I was previously able to in beta 4 and below.

Blocking ISSUES & Two Requests

Very strange behaviour compared to the DNSCrypt v1.9.5 (same blocking list)

Legend:

[blacklist]
blacklist_file = 'C:\Program Files\dnscrypt-proxy\block\Blacklisted-Domains.txt'
log_file = 'C:\Program Files\dnscrypt-proxy\log\Restricted.log'
[query_log]
file = 'C:\Program Files\dnscrypt-proxy\log\DNS.log'

  1. Blocking works only for the first entry from the list of "Blacklisted-Domains.txt". Seems like all other entries (one per line) don't work. All the same outputs in the "Restricted.log":

tsv format:

[2018-01-18 23:04:03]	127.0.0.1		*my-some-rule-1*
[2018-01-18 23:04:03]	127.0.0.1		*my-some-rule-1*
[2018-01-18 23:04:03]	127.0.0.1		*my-some-rule-1*
[2018-01-18 23:04:03]	127.0.0.1		*my-some-rule-1*
...

ltsv format:

time:1516309968	host:127.0.0.1	qname:	message:*my-some-rule-1*
time:1516309968	host:127.0.0.1	qname:	message:*my-some-rule-1*
time:1516309968	host:127.0.0.1	qname:	message:*my-some-rule-1*
time:1516309968	host:127.0.0.1	qname:	message:*my-some-rule-1*
...

• All the same, only my first rule works, nothing more
• Missed any info about domain names
• What's wrong with time in the ltsv format?

  2. Very strange, weird DNSKEY outputs in the "DNS.log". For Example:

tsv format:

[2018-01-18 23:04:03]	127.0.0.1	github.com	A
...
[2018-01-18 23:04:03]	127.0.0.1		DNSKEY
[2018-01-18 23:04:03]	127.0.0.1		DNSKEY
[2018-01-18 23:04:03]	127.0.0.1		DNSKEY
[2018-01-18 23:04:03]	127.0.0.1		DNSKEY
...

ltsv format:

time:1516309755	host:127.0.0.1	message:www.google.com	type:A
...
time:1516309755	host:127.0.0.1	message:	type:DNSKEY
time:1516309755	host:127.0.0.1	message:	type:DNSKEY
time:1516309755	host:127.0.0.1	message:	type:DNSKEY
time:1516309755	host:127.0.0.1	message:	type:DNSKEY
...

• What are DNSKEY entries? Never seen them before...
• What's wrong with time: in the ltsv format?

  3. Remember our talking about heavy multiple inputs in the DNS.log ?

Dear author

Can you add an option to skip Logs output for selective blocking entries? For example:

example1.com
- SkipLog: example2.com (per 100+ entries at once)
example3.com

Logs for "example2.com" will not be present in the DNS.log , but in the "Restricted.log" only.
(Per 100+ same unstoppable entries in "DNS.log" at once, so many garbage, hard to troubleshoot other entries, heavy Log-files, my eyes can't searching quickly and effectively to shoot the new suspicious links)

About "example2.com" : I'm sure and I'm remember, that this domain will be blocked, and I don't wanna see his multiple entries in my "DNS.log" at all (Leave it in the "Restricted.log" only).
M-m-m... Hope, you understand, what I mean... My liveable English is in my future forever :(

Would implementing this feature with "GO" programming will look a bit easier?
Just asking... No pressure :)

  4. Can you implement Logs auto-cleaning in the *.toml after some defined time, in hours? For example, 24h? Good software often has features like this, as well. Would be nice and useful.

Thanks!

dnscrypt-proxy 2beta11 macos only works from current directory

I just downloaded the newest beta-11. I tested it and it works when started as sudo ./dnscryptproxy, but when started from the path (/usr/local/bin) as sudo dnscrypt-proxy it refuses to work correctly. That was very confusing for me :) Please find logs below

(ins)Kamal-MBP-7:dnscrypt-proxy-v2 kim0$ which dnscrypt-proxy
/usr/local/bin/dnscrypt-proxy
(ins)Kamal-MBP-7:dnscrypt-proxy-v2 kim0$ dnscrypt-proxy -version
2.0.0beta11
(ins)Kamal-MBP-7:dnscrypt-proxy-v2 kim0$ sudo dnscrypt-proxy -config  /usr/local/etc/dnscrypt-proxy-v2/dnscrypt-proxy.toml
[2018-01-28 13:49:57] [CRITICAL] Unable use source [public-resolvers]: [Get http://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md: dial tcp: lookup download.dnscrypt.info on 127.0.0.1:53: read udp 127.0.0.1:54319->127.0.0.1:53: read: connection refused]
[2018-01-28 13:49:57] [NOTICE] Starting dnscrypt-proxy 2.0.0beta11
[2018-01-28 13:49:57] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
[2018-01-28 13:49:57] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
[2018-01-28 13:49:57] [NOTICE] Now listening to [::1]:53 [UDP]
[2018-01-28 13:49:57] [NOTICE] Now listening to [::1]:53 [TCP]
[2018-01-28 13:49:59] [ERROR] Head https://dns.google.com/experimental: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
[2018-01-28 13:49:59] [NOTICE] dnscrypt-proxy is waiting for at least one server to be reachable
^C[2018-01-28 13:50:12] [NOTICE] Stopped.
(ins)Kamal-MBP-7:dnscrypt-proxy-v2 kim0$
(ins)Kamal-MBP-7:dnscrypt-proxy-v2 kim0$
(ins)Kamal-MBP-7:dnscrypt-proxy-v2 kim0$ sudo ./dnscrypt-proxy -config  /usr/local/etc/dnscrypt-proxy-v2/dnscrypt-proxy.toml
[2018-01-28 13:50:16] [NOTICE] Source [http://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md] loaded
[2018-01-28 13:50:16] [NOTICE] Starting dnscrypt-proxy 2.0.0beta11
[2018-01-28 13:50:16] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
[2018-01-28 13:50:16] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
[2018-01-28 13:50:16] [NOTICE] Now listening to [::1]:53 [UDP]
[2018-01-28 13:50:16] [NOTICE] Now listening to [::1]:53 [TCP]
[2018-01-28 13:50:16] [NOTICE] [cs-fr] OK (crypto v1) - rtt: 191ms
[2018-01-28 13:50:17] [NOTICE] [cs-nl] OK (crypto v1) - rtt: 127ms
[2018-01-28 13:50:17] [NOTICE] [dnscrypt.eu-dk] OK (crypto v1) - rtt: 294ms
[2018-01-28 13:50:17] [NOTICE] [dnscrypt.nl-ns0] OK (crypto v1) - rtt: 160ms
[2018-01-28 13:50:17] [NOTICE] [scaleway-fr] OK (crypto v2) - rtt: 199ms
[2018-01-28 13:50:20] [NOTICE] Server with the lowest initial latency: cs-nl (rtt: 127ms)
[2018-01-28 13:50:20] [NOTICE] dnscrypt-proxy is ready - live servers: 5

dnscrypt-proxy-win32-2.0.0beta8


1. Modify server_names = ['cisco'] and [servers.'cisco ']

2. install service sc create dnscrypt-proxy binPath= "C:\Program Files\DNSCrypt\dnscrypt-proxy.exe"

3. Configure the service sc config dnscrypt-proxy start= AUTO

4. Turn on service net start dnscrypt-proxy

5. Use the web page https://www.dnsleaktest.com to detect Hostname Is 136-228-47-212.rev.cloud.scaleway.com

6. Open the web page https://welcome.opendns.com, suggesting You are not using OpenDNS yet. Let's fix that If you have not restarted your computer yet, please do that now.

7. How can I install correctly to use cisco?

Windows Store and some Windows updates doesn't work through dnscrypt-proxy

Hi! First of all, thanks for your work, and sorry for my poor English and my lack of knowledge of what I'm going to try to explain.

I have been using dnscrypt-proxy since 1.x versions, and now I'm testing with the 2.x betas. With both I have the same problem: the Windows Store doesn't load anything at all, and Windows Update only downloads drivers and Windows Defender definitions. I don't know why, but normal updates aren't downloaded. From what I understand, if you want some domains/IPs not to resolve through dnscrypt-proxy, you can use the forwarding rules, right? To resolve to a regular non-dnscrypt server. Well, I have tried that and it doesn't work.

I have a batch script to "install" dnscrypt-proxy, and the only way to make Store and Update work is assigning a regular DNS server to the connection. This is my batch script:

:: Run dnscrypt-proxy in high priority
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dnscrypt-proxy.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "3" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dnscrypt-proxy.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "2" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dnscrypt-proxy.exe\PerfOptions" /v "PagePriority" /t REG_DWORD /d "5" /f

dnscrypt-proxy -service install

dnscrypt-proxy -service start

netsh int ipv4 add dnsserver name="Ethernet" addr=208.67.220.220 index=2
netsh int ipv4 add dnsserver name="Ethernet" addr=127.0.0.1 index=1

:: netsh int ipv4 add dnsserver name="Wi-Fi" addr=208.67.220.220 index=2
:: netsh int ipv4 add dnsserver name="Wi-Fi" addr=127.0.0.1 index=1

This way, the Store and Update dodge the 127.0.0.1, and use 208.67.220.220 instead.

I don't know if all of this have something to be with the program or not, so feel free to delete this message if you think it is appropriate.

Thanks in advance, and keep the good work! :D

Help wanted: macOS client

The venerable dnscrypt-osclient hasn't received any updates for a while, and the interface would not work well for dnscrypt-proxy v2.

A new client for macOS is really needed.

Can anybody help?

Beta 11

1, I add server_names = ['cisco'] below # server_names = ['scaleway-fr', 'google', 'yandex'], unable to install the service, I do not know where is the error?

2, There is no google service in public-resolvers, how to use?

Thank you.

Google ipv6 stamp?

Do we have Google ipv6 stamp?
The stamp is not updated in the v2 list?

Option to rule out slow dns servers

It could be nice with an option to rule out servers slower than x ms in lookups.

The list from where I am, is the following:

[2018-01-25 10:28:50] [NOTICE] [adguard-dns-family] OK (crypto v1) - rtt: 18ms
[2018-01-25 10:28:50] [NOTICE] [adguard-dns] OK (crypto v1) - rtt: 18ms
[2018-01-25 10:28:50] [NOTICE] [bn-fr0] OK (crypto v1) - rtt: 26ms
[2018-01-25 10:28:50] [NOTICE] [bn-nl0] OK (crypto v1) - rtt: 22ms
[2018-01-25 10:28:52] [NOTICE] [captnemo-in] TIMEOUT
[2018-01-25 10:28:52] [NOTICE] [cpunks-ru] OK (crypto v1) - rtt: 49ms
[2018-01-25 10:28:52] [NOTICE] [cs-caeast] OK (crypto v1) - rtt: 105ms
[2018-01-25 10:28:52] [NOTICE] [cs-cawest] OK (crypto v1) - rtt: 262ms
[2018-01-25 10:28:52] [NOTICE] [cs-cfi] OK (crypto v1) - rtt: 29ms
[2018-01-25 10:28:52] [NOTICE] [cs-ch] OK (crypto v1) - rtt: 30ms
[2018-01-25 10:28:52] [NOTICE] [cs-de] OK (crypto v1) - rtt: 18ms
[2018-01-25 10:28:52] [NOTICE] [cs-de3] OK (crypto v1) - rtt: 29ms
[2018-01-25 10:28:52] [NOTICE] [cs-dk2] OK (crypto v1) - rtt: 6ms
[2018-01-25 10:28:52] [NOTICE] [cs-es] OK (crypto v1) - rtt: 63ms
[2018-01-25 10:28:52] [NOTICE] [cs-fi] OK (crypto v1) - rtt: 23ms
[2018-01-25 10:28:52] [NOTICE] [cs-fr] OK (crypto v1) - rtt: 28ms
[2018-01-25 10:28:52] [NOTICE] [cs-fr2] OK (crypto v1) - rtt: 28ms
[2018-01-25 10:28:52] [NOTICE] [cs-lv] OK (crypto v1) - rtt: 26ms
[2018-01-25 10:28:53] [NOTICE] [cs-md] OK (crypto v1) - rtt: 56ms
[2018-01-25 10:28:53] [NOTICE] [cs-nl] OK (crypto v1) - rtt: 20ms
[2018-01-25 10:28:53] [NOTICE] [cs-pl] OK (crypto v1) - rtt: 28ms
[2018-01-25 10:28:53] [NOTICE] [cs-pt] OK (crypto v1) - rtt: 55ms
[2018-01-25 10:28:53] [NOTICE] [cs-ro] OK (crypto v1) - rtt: 46ms
[2018-01-25 10:28:53] [NOTICE] [cs-rome] OK (crypto v1) - rtt: 27ms
[2018-01-25 10:28:53] [NOTICE] [cs-uk] OK (crypto v1) - rtt: 33ms
[2018-01-25 10:28:53] [NOTICE] [cs-useast2] OK (crypto v1) - rtt: 97ms
[2018-01-25 10:28:53] [NOTICE] [cs-usnorth] OK (crypto v1) - rtt: 116ms
[2018-01-25 10:28:53] [NOTICE] [cs-ussouth] OK (crypto v1) - rtt: 141ms
[2018-01-25 10:28:53] [NOTICE] [cs-ussouth2] OK (crypto v1) - rtt: 122ms
[2018-01-25 10:28:53] [NOTICE] [cs-uswest] OK (crypto v1) - rtt: 171ms
[2018-01-25 10:28:54] [NOTICE] [cs-uswest3] OK (crypto v1) - rtt: 180ms
[2018-01-25 10:28:54] [NOTICE] [cs-uswest5] OK (crypto v1) - rtt: 182ms
[2018-01-25 10:28:54] [NOTICE] [d0wn-es-ns1] OK (crypto v1) - rtt: 53ms
[2018-01-25 10:28:54] [NOTICE] [d0wn-fr-ns1] OK (crypto v1) - rtt: 21ms
[2018-01-25 10:28:54] [NOTICE] [d0wn-gr-ns1] OK (crypto v1) - rtt: 21ms
[2018-01-25 10:28:54] [NOTICE] [d0wn-is-ns1] OK (crypto v1) - rtt: 53ms
[2018-01-25 10:28:54] [NOTICE] [d0wn-is-ns2] OK (crypto v1) - rtt: 53ms
[2018-01-25 10:28:54] [NOTICE] [d0wn-lv-ns1] OK (crypto v1) - rtt: 26ms
[2018-01-25 10:28:54] [NOTICE] [d0wn-lv-ns2] OK (crypto v1) - rtt: 26ms
[2018-01-25 10:28:54] [NOTICE] [d0wn-mx-ns1] OK (crypto v1) - rtt: 181ms
[2018-01-25 10:28:54] [NOTICE] [d0wn-nl-ns4] OK (crypto v1) - rtt: 27ms
[2018-01-25 10:28:54] [NOTICE] [d0wn-se-ns1] OK (crypto v1) - rtt: 34ms
[2018-01-25 10:28:54] [NOTICE] [d0wn-se-ns2] OK (crypto v1) - rtt: 23ms
[2018-01-25 10:28:54] [NOTICE] [d0wn-tz-ns1] OK (crypto v1) - rtt: 178ms
[2018-01-25 10:28:55] [NOTICE] [d0wn-us-ns4] OK (crypto v1) - rtt: 177ms
[2018-01-25 10:28:55] [NOTICE] [d0wn-za-ns1] OK (crypto v1) - rtt: 186ms
[2018-01-25 10:28:55] [NOTICE] [dnscrypt.ca-1] OK (crypto v1) - rtt: 103ms
[2018-01-25 10:28:55] [NOTICE] [dnscrypt.ca-2] OK (crypto v1) - rtt: 105ms
[2018-01-25 10:28:55] [NOTICE] [dnscrypt.ca-3] OK (crypto v1) - rtt: 119ms
[2018-01-25 10:28:55] [NOTICE] [dnscrypt.eu-dk] OK (crypto v1) - rtt: 6ms
[2018-01-25 10:28:55] [NOTICE] [dnscrypt.eu-nl] OK (crypto v1) - rtt: 19ms
[2018-01-25 10:28:55] [NOTICE] [dnscrypt.nl-ns0] OK (crypto v1) - rtt: 19ms
[2018-01-25 10:28:55] [NOTICE] [dnscrypt.org-fr] OK (crypto v1) - rtt: 37ms
[2018-01-25 10:28:55] [NOTICE] [dnscrypt.org-fr] OK (crypto v2) - rtt: 37ms
[2018-01-25 10:28:55] [NOTICE] [dns.btr.zone] OK (crypto v1) - rtt: 32ms
[2018-01-25 10:28:55] [NOTICE] [dns.btr.zone] OK (crypto v2) - rtt: 32ms
[2018-01-25 10:28:55] [NOTICE] [freetsa.org] OK (crypto v1) - rtt: 203ms
[2018-01-25 10:28:56] [NOTICE] [fvz-anyone] OK (crypto v1) - rtt: 21ms
[2018-01-25 10:28:56] [NOTICE] [fvz-anytwo] OK (crypto v1) - rtt: 20ms
[2018-01-25 10:28:56] [NOTICE] [ipredator] OK (crypto v1) - rtt: 18ms
[2018-01-25 10:28:56] [NOTICE] [okturtles] OK (crypto v1) - rtt: 175ms
[2018-01-25 10:28:56] [NOTICE] [opennic-famicoman] OK (crypto v1) - rtt: 18ms
[2018-01-25 10:28:56] [NOTICE] [opennic-tumabox] OK (crypto v1) - rtt: 20ms
[2018-01-25 10:28:56] [NOTICE] [securedns] OK (crypto v1) - rtt: 17ms
[2018-01-25 10:28:56] [NOTICE] [soltysiak] OK (crypto v1) - rtt: 20ms
[2018-01-25 10:28:56] [NOTICE] [ventricle.us] OK (crypto v1) - rtt: 98ms
[2018-01-25 10:28:56] [NOTICE] [scaleway-fr] OK (crypto v1) - rtt: 30ms
[2018-01-25 10:28:56] [NOTICE] [scaleway-fr] OK (crypto v2) - rtt: 30ms
[2018-01-25 10:28:56] [NOTICE] Server with the lowest initial latency: cs-dk2 (rtt: 6ms)
[2018-01-25 10:28:56] [NOTICE] dnscrypt-proxy is ready - live servers: 64

Could be nice, if you could set some sort of threshold to rule out servers slower than 50ms etc.

Error in beta9 arm

Encounter this error when load.
[2018-01-24 15:20:28] [CRITICAL] readlink /proc/self/exe: no such file or directory
[2018-01-24 15:20:28] [NOTICE] Source [https://download.dnscrypt.info/resolvers-list/v1/dnscrypt-resolvers.csv] loaded
[2018-01-24 15:20:28] [NOTICE] Starting dnscrypt-proxy 2.0.0beta9

The load was successfully and working just that readlink error.

Enhancement - Launching dnscrypt-proxy.exe

  1. It would be nice to combine some commands of the system service control.
    And make possible combinations:

dnscrypt-proxy -service --install --start
dnscrypt-proxy -service --stop --uninstall

Why?

• Much faster to troubleshoot and test
• Avoid troubles for the new users moving from v1

For example: If I will uninstall the service, it will be still active. Not too clear.
Next experiments may fail if you forgot to stop the service.

  2. Fix unnecessary (unclear) messages during executing dnscrypt-proxy commands

For example:

dnscrypt-proxy -service stop

[NOTICE] Starting dnscrypt-proxy 2.0.0beta4
[NOTICE] Service stopped

instead:

[NOTICE] dnscrypt-proxy 2.0.0 beta 4 : Service stopped

or

dnscrypt-proxy -service install

[NOTICE] Starting dnscrypt-proxy 2.0.0beta4

instead:

[NOTICE] dnscrypt-proxy 2.0.0 beta 4 : Service installed

... and so on

[Thread] Running dnscrypt-proxy on Android

Current status:

  • The proxy compiles without any changes using gomobile
  • It also compiles and runs fine on Termux

This is fantastic, but not enough for most Android users to easily install and use it.

Since my knowledge of Android is fairly limited, help would be welcome!

[CTITICAL] Unable use source [public-resolvers] - beta 10

After service-install.bat :

[CTITICAL] Unable use source [public-resolvers]: [Get http://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md.minisig: dial tcp: lookup download.dnscrypt.info: no such host]
[FATAL] No servers configured

Using your (new) standard [sources] section :


[sources]

  [sources.'public-resolvers']
  url = 'http://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  cache_file = 'public-resolvers.md'
  format = 'v2'
  refresh_delay = 168
  prefix = ''

[Thread] dnscrypt-proxy on iOS

DNSCloak takes advantage of the DNS proxy provider system introduced in iOS 11 to bring the DNSCrypt protocol to Apple devices. Devices don't have to be jailbroken to install this software.

This is great, but it apparently uses code from dnscrypt-proxy v1, it is not opensource and lacks interesting features such as logging and filtering.

A similar, opensource application for iOS would be terrific!

ISSUE - Blocking (beta 5)

Good news:

With new commented option # ignored_qtypes = now I can see the DS type, that was hidden for me before.

Some examples from my main DNS.log :

[2018-01-20 16:44:59]	127.0.0.1	com	DS
[2018-01-20 16:44:59]	127.0.0.1	com	DS
[2018-01-20 16:44:59]	127.0.0.1	com	DS
...
[2018-01-20 16:44:59]	127.0.0.1	greasyfork.org	DS
[2018-01-20 16:44:59]	127.0.0.1	greasyfork.org	DS
[2018-01-20 16:44:59]	127.0.0.1	greasyfork.org	DS
...

Also I see AAAA, A, TLSA, DNSKEY
Then I will choose, what I want to exclude from my main DNS.log. Thanks!

Bad news - almost same ISSUE with Blocking:

Blocking still not working for me as expected.
This time some another one rule was suddenly chosen from the middle of my blocking (300+ rules) list.

After service restart/clearing logs/clearing dns cache/clearing browser cache, exactly only this (one, same, suddenly chosen) rule appears again in logs...

ISSUE - Blocking log empty (beta 4)

My blocking log is completely empty now.
Reinstallation of dnscrypt-proxy or rebooting PC doesn't help. Seems like new option logged_qtypes doesn't matter too.

First time I install beta 4, some info was appeared in the log (one time). But it was very strange lines.
Same like in the previous ISSUE: #7
But this time only the 2-nd entry from my list of "Blacklisted-Domains.txt" was applied.
Same-type outputs in the "Restricted.log" (I dont have this log, but it was smth. like that):

[2018-01-20 03:20:58]	127.0.0.1	.	*my-some-rule-2*
[2018-01-20 03:20:58]	127.0.0.1	.	*my-some-rule-2*
[2018-01-20 03:20:58]	127.0.0.1	.	*my-some-rule-2*
[2018-01-20 03:20:58]	127.0.0.1	.	*my-some-rule-2*
...

And dots. instead of domain names example.com

Then, I can't make blocking to work any more. My log is always empty... :(

Dns over http2 or https?

A quick question, I see dns over https while googling but I don’t see much about dns over http2.

Other than that, I am trying to see which public resolver is supporting dns over http2 / https. I can only see Google. Where can we find the list of resolvers that support that like the one we have in csv.

2.0.0beta8 can't execute (Linux-amd64)

bash: ./dnscrypt-proxy: cannot execute binary file: Exec format error

I don't know what system info will help, so here's my (Fedora) kernel version:

$ uname -r
4.14.13-300.fc27.x86_64

sdns

I can't help but notice there is a sdns:// on the toml file. Where should I look for that for other servers?
Also, is there any update for the resolver list used on the sources?

log and resolver path

It seems that the Windows client (I am using Windows 10 x64) must use / as the path separator. Also, it would be nice if the default path is the same as the executable (just like the toml file).
As for mine, I use D:/Program Files/dnscrypt-proxy-win64-2.0.0beta2/win64/ as the path, and it works fine.

[windows 64] dnscrypt-proxy -version returns wrong version

I tried to use the command dnscrypt-proxy.exe -version on binary version beta 9 and beta 8. While currently running beta 8, it only returns the current exe version, not the currently running (as service) one.

D:\Program Files\dnscrypt-proxy-win64-2.0.0beta8\win64>dnscrypt-proxy.exe -version
2.0.0beta8

D:\Program Files\dnscrypt-proxy-win64-2.0.0beta9\win64>dnscrypt-proxy.exe -version
2.0.0beta9

Changelog?

Not really an issue, and maybe I'm overlooking it, but could you include a minimal changelog in the archive, so I can keep track of the changes? I just posted @ snbforums.com about how well beta 4 runs on my Asuswrt-Merlin powered router (not as a service btw, the installer messes up our folder structure, but running the executable from one of startup scripts works great), only to find out that I'm already 4 releases behind. Keeping up with your pace and keeping track of the changes is a bit of a challenge, so something of a changelog would be much appreciated. Keep up the good work!

[windows 64] service uninstallation doesn't stop the service

I tried (most likely forgot, haha) to uninstall the service without stopping the service first, but the service is still running (must be stopped)

D:\Program Files\dnscrypt-proxy-win64-2.0.0beta9\win64>dnscrypt-proxy.exe -service uninstall
[2018-01-25 16:48:03] [NOTICE] Starting dnscrypt-proxy 2.0.0beta9
[2018-01-25 16:48:03] [NOTICE] Service uninstalled

D:\Program Files\dnscrypt-proxy-win64-2.0.0beta9\win64>dnscrypt-proxy.exe -service install
[2018-01-25 16:48:11] [NOTICE] Source [https://download.dnscrypt.info/resolvers-list/v1/dnscrypt-resolvers.csv] loaded
[2018-01-25 16:48:11] [NOTICE] Starting dnscrypt-proxy 2.0.0beta9
[2018-01-25 16:48:11] [FATAL] Failed to install DNSCrypt client proxy: service dnscrypt-proxy already exists

If possible, maybe when using -service uninstall the service should be stopped first automatically.

[Suggestion] Include "/go-systemd/activation" in vendor

systemd_linux.go:6:2: cannot find package "github.com/coreos/go-systemd/activation" in any of: /tmp/yaourt-tmp-****/aur-dnscrypt-proxy-go-git/src/gopath/src/github.com/jedisct1/dnscrypt-proxy/vendor/github.com/coreos/go-systemd/activation (vendor tree)

I did it in my repo, but not sure how to do pull requests, also my repo is a mess.

Chicken-and-egg problem: fetching a set of resolvers requires a DNS resolver

Changing [sources."proxy v1 list from github"] to [sources."proxy-v1-list-from-github"] and then restarting the service
fixes the problem: [CRITICAL] Unable use source [proxy v1 list from github]: [Get https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v1/dnscrypt-resolvers.csv: dial tcp: lookup raw.githubusercontent.com: no such host]

Blacklist block makes the PC fallback to the secondary DNS

The way the blacklist works now, it makes the client fall back to the secondary DNS.
Instead of blocking, all queries to blacklisted hosts should be answered with a blackhole IP, like 0.0.0.0, or maybe 127.0.0.1 or a user-configured IP.
This way, these queries would actually be blocked, since the client received an answer it can use.
Whois ads.adsite.com? 0.0.0.0! :)

Edit: Ok, I'll keep using dnsmasq for that.

Please do not send feature requests for now

dnscrypt-proxy2 is still very new, and in beta, but the current goal is to release a stable version 2.0.0.

If feature requests keep coming, this cannot happen, and it will remain in beta forever.

So, it's probably better to focus only on bugs and system-specific issues for now.

Thanks!

Double cert refresh. Normal?

At every 30 min cert refresh, it refreshes twice. Is this normal?
I am listening on 2 local sockets instead of one.
When I switch to one socket, the refresh happens one time only.

May I also know if there is any significant advantage to listening on more than one port? What is the purpose?

I am using beta9 linux-arm.

"Dnscrypt-proxy.toml" configuration problem

When I configure "# server_names = ['scaleway-fr']" and "[servers.'scaleway-fr ']" as "server_names = [' cisco ']" and "[servers.'cisco']" respectively, I cannot use the cisco configuration.

I do not know if it is related to the stamp?

If I want to use cisco, how do I configure the stamp?

How can a single dns server be used?

How can a single dns server be used?
Where should I set it?

Very slow or remote servers are set up.
Central Europe is quick to OpenDNS, google dns (or opennic).
I mostly like OpenDNS.
Sorry google translate.
Thx!

ISSUE (beta 6) - Blocking logs are empty

Now I've changed absolutely ALL double quotes " to single quotes ' in my *.toml config, same as in your config file.

Questions:

  1. Didn't change servers of my choice to your example 'scaleway-fr' yet.
    And left my server_names = parameter active as it was for some time.

-- Can I use parameters and syntax, like in previous betas? Or do you recommend changing the [servers] parameters to the new format? How can I use it?
-- I don't understand the parameter stamp =
-- Why don't I see the 'scaleway-fr' server in the dnscrypt-resolvers.csv ?

  2. How can I play with the prefix = '' parameter? What does it mean? How to use it?

ISSUE (beta 6) - Blocking logs are empty (blocking still doesn't work?)

Deleted all logs. After the service was started, all log files were created (except nx.log), and all of them are empty. After a long time I found some new lines in the main DNS.log (Stuck again?)
Then I cleared DNS.log again, but nothing new appeared.

(For the test I am opening different web pages intensively and running software whose access to some domains I want to restrict). My logs are empty.

Only dnscrypt-proxy.log (Connections) always works perfectly...

logged_qtypes - Help Wanted

First of all, good news for beta 4:

• "Chicken-and-egg problem" is gone
• dnscrypt-resolvers.csv.minisig created automatically
• Fast service installation
• dnscrypt-proxy.log (or my Connections.log) with log_level = 1 healthy and nice
(To all: Don't keep this file on the disk for your safety. This one only for troubleshooting)

Problem:

I can't test logged_qtypes deeper, because it works by the "exception principle": if I turn it on and miss some record type, I'll never see this set of domain names in my log.

I mean, everybody must know all possible record types to be able to control them.
'AAAA', 'A', 'MX', 'NS', 'TLSA', 'DNSKEY', ... how about other ones???
And, of course, a clear description for each one.

A better way is to change the logic:

We will write here all the records we want to exclude:

unlogged_qtypes = ['DNSKEY']

This is a clearer and safer way. Yeah? :)
(If I see an unwanted record type - I exclude it)


P.S. Ideally, I want such an option for the blocklist RULES: *my.blocking.rule* to exclude all corresponding inputs from the main DNS.log
Maybe some time, in the future...
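
The allowlist-versus-exclusion argument in the post above, as an added example (not part of the original post and not dnscrypt-proxy's own code). `unlogged_qtypes` is the poster's proposed, hypothetical option; the `filter` and `droppedTypes` helpers and the sample queries are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Query is one candidate log entry: queried name and record type.
type Query struct{ Name, QType string }

// filter models both options: keepListed=true is logged_qtypes (allowlist),
// keepListed=false is the proposed unlogged_qtypes (hypothetical exclusion list).
func filter(qs []Query, list []string, keepListed bool) []Query {
	set, out := map[string]bool{}, []Query{}
	for _, t := range list {
		set[strings.ToUpper(t)] = true
	}
	for _, q := range qs {
		if set[strings.ToUpper(q.QType)] == keepListed {
			out = append(out, q)
		}
	}
	return out
}

// droppedTypes lists, in first-seen order, the record types an allowlist hides.
func droppedTypes(qs []Query, logged []string) (types []string) {
	seen := map[string]bool{}
	for _, q := range filter(qs, logged, false) {
		if t := strings.ToUpper(q.QType); !seen[t] {
			seen[t] = true
			types = append(types, t)
		}
	}
	return types
}

// sample is constructed data, not taken from a real query log.
var sample = []Query{
	{"example.com", "A"}, {"example.com", "AAAA"}, {"example.com", "DNSKEY"},
	{"_443._tcp.example.com", "TLSA"}, {"x1.example.net", "TXT"}, {"example.org", "NULL"},
}

func main() {
	logged := []string{"A", "AAAA", "MX", "NS", "TLSA", "DNSKEY"}
	fmt.Println("logged_qtypes keeps:  ", filter(sample, logged, true))
	fmt.Println("hidden by allowlist:  ", droppedTypes(sample, logged))
	fmt.Println("unlogged_qtypes keeps:", filter(sample, []string{"DNSKEY"}, false))
}
```

With the allowlist, the TXT and NULL queries never reach the log because nobody listed those types; with the exclusion list they stay visible until someone decides to drop them.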
