# dnsCrypt-Proxy returns a supposedly impossible error:



## max21 (Aug 8, 2017)

Hello everyone … Why always me to see the crazy stuff?   I got dnsCrypt-Proxy and unbound working for the more popular dnscrypt.eu-dk and ipredator, but being an FreeBSD enthusiast, it don’t stop there.  So I tried the one that say  yes yes yes in the dnscrypt-resolvers.csv list and here is the server profile:


```
#   Addresses and port:
#   Name: dc1.soltysiak.com
#   IPv4: 178.216.201.222:2053
#   IPv6: [2001:470:70:4ff::2]:2053
#   Environment     Default value
#   LOCAL_IP        0.0.0.0
#   LOCAL_PORT      5353
#   RESOLVER_IP     178.216.201.222
#   RESOLVER_PORT   2053
#   PROVIDER_NAME   2.dnscrypt-cert.soltysiak.com[/SIZE]
#   PROVIDER_KEY 25C4:E188:2915:4697:8F9C:2BBD:B6A7:AFA4:01ED:A051:0508:5D53:03E7:1928:C066:8F21
```
Ok, here’s the problem(s):

This is the suggest way founded in the links below:

```
# ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
# dnscrypt_proxy_enable="YES"
# dnscrypt_proxy_resolver="soltysiak"                     # "dc1.soltysiak.com"
# dnscrypt-proxy --resolver-address=178.216.201.222:2053 --provider-name=2.dnscrypt-cert.soltysiak.com --provider-key=25C4:E188:2915:4697:8F9C:2BBD:B6A7:AFA4:01ED:A051:0508:5D53:03E7:1928:C066:8F21
# local_unbound_enable="YES"
```

And this with more dnscrypt_proxy_flags to lock in the provider DNS just like ipredator does:

```
# ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
# dnscrypt_proxy_enable="YES"
# dnscrypt_proxy_resolver="soltysiak"                     # "dc1.soltysiak.com"
# dnscrypt_proxy_flags="-a 127.0.0.2:2053 --provider-key=25C4:E188:2915:4697:8F9C:2BBD:B6A7:AFA4:01ED:A051:0508:5D53:03E7:1928:C066:8F21 --provider-name=2.dnscrypt-cert.soltysiak.com --resolver-address=178.216.201.222 -T -E -l /dev/null -d"
# local_unbound_enable="YES"
```

]TRUSTED - - LOCK- DOWN  Resolver address forced to [178.216.201.222] … is supposedly working.


```
Aug  8 00:30:30 k9 kernel: Starting dnscrypt_proxy.
Aug  8 00:30:31 k9 kernel: Tue Aug  8 00:30:31 2017 [INFO] + DNS Security Extensions are supported
Aug  8 00:30:31 k9 kernel: Tue Aug  8 00:30:31 2017 [INFO] + Namecoin domains can be resolved
Aug  8 00:30:31 k9 kernel: Tue Aug  8 00:30:31 2017 [INFO] + Provider supposedly doesn't keep logs
Aug  8 00:30:31 k9 kernel: Tue Aug  8 00:30:31 2017 [INFO] Resolver address forced to [178.216.201.222]
```

Both will return this in the dnscrypt-proxy.log:

```
(~) ee /var/log/dnscrypt-proxy.log:
Mon Aug  7 23:11:04 2017 [NOTICE] Starting dnscrypt-proxy 1.9.5
Mon Aug  7 23:11:04 2017 [INFO] Ephemeral keys enabled - generating a new seed
Mon Aug  7 23:11:04 2017 [INFO] Done
Mon Aug  7 23:11:04 2017 [INFO] Server certificate with serial #1502143201 received
Mon Aug  7 23:11:04 2017 [INFO] This certificate is valid
Mon Aug  7 23:11:04 2017 [INFO] Chosen certificate #1502143201 is valid from [2017-08-07] to [2017-08-08]
Mon Aug  7 23:11:04 2017 [INFO] Server key fingerprint is 1756:CF13:75E4:0932:41F3:ADC0:90B7:7E74:E26C:D33C:2251:077B:5960:9A7E:A6C2:BB70
Mon Aug  7 23:11:04 2017 [NOTICE] Proxying from 127.0.0.2:2053 to 178.216.201.222:443
```

As you see, the Server key fingerprint does not match the server key posted at these sites belows:

The real provider key: 25C4:E188:2915:4697:8F9C:2BBD:B6A7:AFA4:01ED:A051:0508:5D53:03E7:1928:C066:8F21

https://dnscrypt.pl/
https://hub.docker.com/r/gists/dnscrypt-proxy/
https://notepad.patheticcockroach.com/4050/how-to-install-dnscrypt-dnscrypt-proxy-on-opensuse/

I tried both pkg and ports installs and ensured that all dependences were up-to-date especially doing my first and final port-version installation; for both dnscrypt-proxy and unbound.  This is what I end-up with for each installation, using the same original profile for soltysiak ….

```
The correct Holland key found.
Holland ........  using pkg install dnscrypt-proxy-1.8.1
67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66
UNKNOWN ....  using pkg  install dnscrypt-proxy-1.9.1_2
1756:CF13:75E4:0932:41F3:ADC0:90B7:7E74:E26C:D33C:2251:077B:5960:9A7E:A6C2:BB70
UNKNOWN ....  using port version /usr/ports/dns/dnscrypt-proxy-1.9.1_2
C161:0452:61E6:0A65:A9DD:1014:42E3:AF5D:87F7:49A8:8283:41B3:C589:40E8:B487:0D0B
```
All keys do not match, but the IP does???

If you see a big gin it must be some kind of automactic code flaw for the D or some kind of easter-egg sequence created by the owner of the key or program.  It was not inserted by me.  Here are the real numbers that seem to want to hide . . . E 2 6 C  |  D 3 3 C
I’ll post the unbound result latter because unbound has absolutely nothing to do with this.

1) Could anyone explain what’s going on here and how to get it to work?
2) Is this the way it's suppose to work?
3) How are we suppose to know?
4) Are these keys somehow ok?
5) Is Holland in Poland?  The other 2 are not even in the cvs list or found by google.
I hope I'm not the only one to have tried yes yes yes.  But then again there's only one.


----------



## max21 (Aug 9, 2017)

Nervermind.  I read we are suppose to receive a server fingerprint based of the provider server key.  They would and should be difference, if valid.   And the key may rotate .  But in my experience with ipredator it say


> The key rotation period for this server may exceed the recommended value


... however, I always receive the exact same fingerprint, each and everyday; it never rotated ... so what am I'm to expect form others?   Then soltysiak or a man-in-the-middle actually does rotate the keys. .. And I do receive difference fingerprints.  WoW!

If I have a valid connection, it’s on and popping  Mr. Maciej Soltysiak, and speed will not be an issue.  For now, I don’t know what to believe.  I can only guest or trust what I read… maybe that is why I received difference keys for difference versions of installs I done.  The first one I checked against

https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv

and it matched up with Holland.  It came as the provider key inside my dnscrypt-proxy.log as a server fingerprint.  I did not type in any freaking body else but  soltysiak.  I had no reason to.  I live in the USA, but I know that Poland has the the greatest c and asm coders in the world, and I don't like wooden shoes. just kidding about the shoes. ha ha

I might be slow at times but I don’t make them kind of mistakes, and I’m not going to waste anyone time trying to prove it.  Maybe that's what a real leak is for the dns providers.  Maybe I had remote-control and did not know it.  Well, sorry it’s gone now.  But I’ll never ever forget it.  Maybe I peeped some cracker or provider hole-card.  Maybe that’s all it was, unless it was a dream, but I don't dream. Anyway, I seen it all.  Now I'll know to use max-security, to gain sercurity.


----------

