
cs dnscrypt-proxy server TIMEOUT


Topic Author
cryptomon
Posts: 28
Joined: Fri Feb 23, 2018 7:32 am

cs dnscrypt-proxy server TIMEOUT

Post by cryptomon » Mon Nov 04, 2019 8:52 am

Been trying to work through an issue of dnscrypt-proxy not connecting to the cs resolver servers. I keep getting TIMEOUT on all servers.
Previously it was telling me "No useable certificate found", but this doesn't seem to be showing up now - only the TIMEOUT errors.

[...] dnscrypt-proxy[149367]: Source [/var/cache/dnscrypt-proxy/public-resolvers.md] loaded
[...] dnscrypt-proxy[149367]: Firefox workaround initialized
[...] dnscrypt-proxy[149367]: Now listening to 127.0.0.1:53 [UDP]
[...] dnscrypt-proxy[149367]: Now listening to 127.0.0.1:53 [TCP]
[...] dnscrypt-proxy[149367]: No useable certificate found
[...] dnscrypt-proxy[149367]: dnscrypt-proxy is waiting for at least one server to be reachable
[...] dnscrypt-proxy[149367]: [cs-fi] TIMEOUT
[...] dnscrypt-proxy[149367]: [cs-nl2] TIMEOUT
[...] dnscrypt-proxy[149367]: [cs-ca] TIMEOUT

Are there any known issues with these servers? Changing to some other servers that are not CS based seems to work okay. Maybe the anonymous relay servers offered now are a better/equivalent option?

UPDATE: I just found this article
https://cryptostorm.is/blog/anondns
and
https://github.com/DNSCrypt/dnscrypt-pr ... ymized-DNS
https://twitter.com/cryptostorm_is
which seems to imply these servers are no longer available with the anon servers preferred?

So if anonymous servers are the future how should one configure the .toml file? i.e.
Before I had the list of "cs- " type servers listed after "server_names". Now this should remain commented?
Are the cs- resolvers still accessible from an anon-cs relay?



Re: cs dnscrypt-proxy server TIMEOUT

Post by cryptomon » Mon Nov 04, 2019 10:36 am

I guess one has to now manually provide a list of routes for each resolver used or listed in the "server_names" list?

df
Site Admin
Posts: 421
Joined: Thu Jan 01, 1970 5:00 am

Re: cs dnscrypt-proxy server TIMEOUT

Post by df » Mon Nov 04, 2019 6:34 pm

The new setup is backwards compatible with the old setup, so no changes need to be made to the .toml file client-side.
Looks like the problem is that keys aren't rotating correctly, or maybe they're not rotating often enough like with the old setup.
I'll go through the code and see what the problem is, but everything should work correctly now, no more "No useable certificate found" or TIMEOUT errors.

EDIT:
Ah, there it is. The dnscrypt-proxy.toml that comes with our widget and the one on our GitHub does:
cert_refresh_delay = 240
which would refresh the cert every 4 hours (240 minutes), but the new encrypted-dns thing on the server does:
pub const DNSCRYPT_CERTS_RENEWAL: u32 = 28800;
which would refresh the cert every 8 hours (28800 seconds).
So we could change that server-side 28800 to 14400 seconds (4 hours), but I think instead we'll do a cron job that restarts the instance every 20 minutes (causing a certificate renewal too), since lower is better with that.


Re: cs dnscrypt-proxy server TIMEOUT

Post by df » Tue Nov 05, 2019 4:39 am

There was another problem with the cron job we made earlier: it was trying to restart encrypted-dns before the last instance cleanly exited, which caused it to sometimes not run.
Should be good now.

EDIT:
https://github.com/jedisct1/encrypted-d ... er/pull/13
submitted a pull request so encrypted-dns-server's cert refresh is the same as dnscrypt-proxy's default of 4 hours.
our cron script seems to be doing the trick though.



Re: cs dnscrypt-proxy server TIMEOUT

Post by cryptomon » Tue Nov 05, 2019 7:30 am

I seem to be having more success now.

So I have a full list of "cs- " type servers listed after "server_names", as before.
It seems that to actually make each of these DNS servers accessible only via an anon relay, I have to manually create the "route" list for each item under server_names. One is okay, but for a long list it becomes more tedious. I might have to automate that in some way myself, with some criterion such as the anon relay's country differing from the DNS server's country.
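
Added example, not part of the original posts and not cryptostorm's or dnscrypt-proxy's own code: one way to automate the route list discussed above, producing the `[anonymized_dns]` section of dnscrypt-proxy.toml with every resolver reached only through relays in a different country. The `cs-*` names come from the log earlier in the thread; the `anon-cs-*` relay names and the rule that the last name token is a country code are assumptions.

```python
import re

# Constructed sample names. The cs-* resolvers appear in the thread's log;
# the anon-cs-* relay names are hypothetical placeholders.
RESOLVERS = ["cs-fi", "cs-nl2", "cs-ca"]
RELAYS = ["anon-cs-fi", "anon-cs-nl", "anon-cs-ca", "anon-cs-de"]


def country(name):
    """Assumed naming rule: the last dash-separated token is a two-letter
    country code, optionally followed by digits (cs-nl2 -> nl)."""
    m = re.fullmatch(r"([a-z]{2})\d*", name.rsplit("-", 1)[-1])
    if m is None:
        raise ValueError(f"cannot derive a country from {name!r}")
    return m.group(1)


def build_routes(resolvers, relays, per_server=2):
    """Map each resolver to relays located in a different country."""
    routes = {}
    for offset, server in enumerate(resolvers):
        candidates = [r for r in relays if country(r) != country(server)]
        if not candidates:
            raise ValueError(f"no relay outside {country(server)} for {server}")
        # Rotate the start position so the same relay is not first everywhere.
        start = offset % len(candidates)
        rotated = candidates[start:] + candidates[:start]
        routes[server] = rotated[:per_server]
    return routes


def render_toml(routes):
    """Render the [anonymized_dns] section of dnscrypt-proxy.toml."""
    lines = ["[anonymized_dns]", "routes = ["]
    for server, via in routes.items():
        via_list = ", ".join(f"'{r}'" for r in via)
        lines.append(f"    {{ server_name='{server}', via=[{via_list}] }},")
    lines.append("]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_toml(build_routes(RESOLVERS, RELAYS)))
```

A name that does not fit the assumed pattern raises an error instead of silently getting a same-country or missing route, so a resolver is never left without a relay by accident.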



Re: cs dnscrypt-proxy server TIMEOUT

Post by cryptomon » Tue Nov 05, 2019 9:14 am

Strangely, at the same time I am having trouble resolving the Balancer VPN option. No issue if I change to Switzerland, for example.


Re: cs dnscrypt-proxy server TIMEOUT

Post by df » Wed Nov 06, 2019 5:53 am

works for me

[root@b ~]# host switzerland.cstorm.is
switzerland.cstorm.is has address 81.17.31.49
switzerland.cstorm.is has address 81.17.31.51
switzerland.cstorm.is has address 81.17.31.39
switzerland.cstorm.is has address 81.17.31.58
switzerland.cstorm.is has address 81.17.31.52
switzerland.cstorm.is has address 81.17.31.42
switzerland.cstorm.is has address 81.17.31.40
switzerland.cstorm.is has address 81.17.31.50
switzerland.cstorm.is has address 81.17.31.44
switzerland.cstorm.is has address 81.17.31.55
switzerland.cstorm.is has address 81.17.31.43
switzerland.cstorm.is has address 81.17.31.62
switzerland.cstorm.is has address 81.17.31.36
switzerland.cstorm.is has address 81.17.31.47
switzerland.cstorm.is has address 81.17.31.54
switzerland.cstorm.is has address 81.17.31.59
switzerland.cstorm.is has address 81.17.31.61
switzerland.cstorm.is has address 81.17.31.48
switzerland.cstorm.is has address 81.17.31.60
switzerland.cstorm.is has address 81.17.31.53
switzerland.cstorm.is has address 81.17.31.56
switzerland.cstorm.is has address 81.17.31.41
switzerland.cstorm.is has address 81.17.31.57
switzerland.cstorm.is has address 81.17.31.46
switzerland.cstorm.is has address 81.17.31.45
[root@b ~]# host balancer.cstorm.is
balancer.cstorm.is has address 5.104.108.10
balancer.cstorm.is has address 185.117.118.23
balancer.cstorm.is has address 64.42.181.228
balancer.cstorm.is has address 109.71.42.231
balancer.cstorm.is has address 192.158.232.98
balancer.cstorm.is has address 5.133.8.131
balancer.cstorm.is has address 213.163.64.200
balancer.cstorm.is has address 185.94.193.237
balancer.cstorm.is has address 108.62.5.173
balancer.cstorm.is has address 167.114.84.135
balancer.cstorm.is has address 142.234.200.148
balancer.cstorm.is has address 162.221.207.74
balancer.cstorm.is has address 128.127.104.109
balancer.cstorm.is has address 178.175.139.213
balancer.cstorm.is has address 82.163.72.124
balancer.cstorm.is has address 104.152.222.6
balancer.cstorm.is has address 174.34.157.65
balancer.cstorm.is has address 109.248.149.131
balancer.cstorm.is has address 185.107.80.85
balancer.cstorm.is has address 173.208.77.65
balancer.cstorm.is has address 5.254.96.226
balancer.cstorm.is has address 212.83.189.89
balancer.cstorm.is has address 162.210.192.210
balancer.cstorm.is has address 185.212.169.142
balancer.cstorm.is has address 209.58.147.37
balancer.cstorm.is has address 84.16.240.40
balancer.cstorm.is has address 81.17.31.35
balancer.cstorm.is has address 37.120.147.4
