Anonymized DNS not working for me

[khius]

./dnscrypt-proxy -version
2.1.1

./dnscrypt-proxy -check
[2021-10-27 10:02:01] [NOTICE] dnscrypt-proxy 2.1.1
[2021-10-27 10:02:01] [NOTICE] Source [public-resolvers] loaded
[2021-10-27 10:02:01] [NOTICE] Source [relays] loaded
[2021-10-27 10:02:01] [NOTICE] Anonymized DNS: routing everything via [anon-plan9-ns2 anon-plan9-dns anon-inconnu anon-resolver4.dns.openinternet.io anon-zackptg5-us-il-ipv4 anon-zackptg5-us-il-ipv6 anon-zackptg5-us-pit-ipv4 anon-zackptg5-us-pit-ipv6]
[2021-10-27 10:02:01] [NOTICE] Configuration successfully checked

./dnscrypt-proxy -resolve github.com
Resolving [github.com] using 127.0.0.1 port 53
Resolver : 149.56.14.159 (ca-bhs01.dn42.munsternet.eu.)
Canonical name: github.com.
IPv4 addresses: 140.82.121.4
IPv6 addresses: -
Name servers : ns-1283.awsdns-32.org., ns-1707.awsdns-21.co.uk., ns-421.awsdns-52.com., ns-520.awsdns-01.net., dns1.p08.nsone.net., dns2.p08.nsone.net., dns3.p08.nsone.net., dns4.p08.nsone.net.
DNSSEC signed : no
Mail servers : 5 mail servers found
HTTPS alias : -
HTTPS info : -
Host info : -
TXT records : MS=6BF03E6AF5CB689E315FB6199603BABF2C88D805, MS=ms44452932, MS=ms58704441, adobe-idp-site-verification=b92c9e999aef825edc36e0a3d847d2dbad5b2fc0e05c79ddd7a16139b48ecf4b, atlassian-domain-verification=jjgw98AKv2aeoYFxiL/VFaoyPkn3undEssTRuMg6C/3Fp/iqhkV4HVV7WjYlVeF8, docusign=087098e3-3d46-47b7-9b4e-8a23028154cd, stripe-verification=f88ef17321660a01bab1660454192e014defa29ba7b8de9633c69d6b4912217f, v=spf1 ip4:192.30.252.0/22 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com include:spf.protection.outlook.com include:mail.zendesk.com include:_spf.salesforce.com include:servers.mcsv.net ip4:166.78.69.169 ip4:1 66.78.69.170 ip4:166.78.71.131 ip4:167.89.101.2 ip4:167.89.101.192/28 ip4:192.254.112.60 ip4:192.254.112.98/31 ip4:192.254.113.10 ip4:192.254.113.101 ip4:192.254.114.176 ~all

What is affected by this bug?

To my understanding the Anonymized DNS configuration is not working

How do we replicate the issue?

When doing a DNS Leak Test here does not shows the relays I chose. It shows the servers but not the relays and it is leaking my real IP address.

Expected behavior (i.e. solution)

To my understanding the test must shows the IP address of the relays I chose and must not show my real IP address. Please clarify.

These are enable in my config:

listen_addresses = ['127.0.0.1:53', '[::1]:53']
max_clients = 250
ipv4_servers = true
ipv6_servers = true
dnscrypt_servers = true
doh_servers = false
odoh_servers = false
require_dnssec = true
require_nolog = true
require_nofilter = true
disabled_server_names = ['plan9-ns2', 'plan9-ns1', 'resolver4.dns.openinternet.io', 'zackptg5-us-il-ipv4', 'zackptg5-us-il-ipv6', 'zackptg5-us-pit-ipv4', 'zackptg5-us-pit-ipv6']
force_tcp = false
timeout = 5000
keepalive = 30
lb_strategy = 'p2'
lb_estimator = true
cert_refresh_delay = 240
bootstrap_resolvers = ['9.9.9.9:53', '8.8.8.8:53']
ignore_system_dns = true
netprobe_timeout = 60
netprobe_address = '9.9.9.9:53'
log_files_max_size = 10
log_files_max_age = 7
log_files_max_backups = 1
block_ipv6 = false
block_unqualified = true
block_undelegated = true
reject_ttl = 10
cache = true
cache_size = 4096
cache_min_ttl = 2400
cache_max_ttl = 86400
cache_neg_min_ttl = 60
cache_neg_max_ttl = 600
listen_addresses = ['127.0.0.1:3000']
path = '/dns-query'
cert_file = '/Applications/dnscrypt-proxy-macos_x86_64-2.1.0/localhost.pem'
cert_key_file = '/Applications/dnscrypt-proxy-macos_x86_64-2.1.0/localhost.pem'
file = '/Applications/dnscrypt-proxy-macos_x86_64-2.1.0/query.log'
format = 'tsv'
ignored_qtypes = ['DNSKEY', 'NS']
file = '/Applications/dnscrypt-proxy-macos_x86_64-2.1.0/nx.log'
format = 'tsv'
log_file = '/Applications/dnscrypt-proxy-macos_x86_64-2.1.0/blocked-names.log'
log_file = '/Applications/dnscrypt-proxy-macos_x86_64-2.1.0/blocked-ips.log'
log_file = '/Applications/dnscrypt-proxy-macos_x86_64-2.1.0/allowed-names.log'
log_file = '/Applications/dnscrypt-proxy-macos_x86_64-2.1.0/allowed-ips.log'
[sources.'public-resolvers']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://download.dnscrypt.net/resolvers-list/v3/public-resolvers.md']
cache_file = 'public-resolvers.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 72
prefix = ''
[sources.'relays']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/relays.md']
cache_file = 'relays.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 72
prefix = ''
fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'cleanbrowsing-adult', 'cleanbrowsing-adult-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-security', 'cleanbrowsing-security-ipv6']
[anonymized_dns]
routes = [
{ server_name='*', via=['anon-plan9-ns2', 'anon-plan9-dns', 'anon-inconnu', 'anon-resolver4.dns.openinternet.io', 'anon-zackptg5-us-il-ipv4', 'anon-zackptg5-us-il-ipv6', 'anon-zackptg5-us-pit-ipv4', 'anon-zackptg5-us-pit-ipv6'] }
]
skip_incompatible = true

Am I doing something wrong?

I am not sure if this is related to the issue

[jedisct1]

Anonymized DNS works that way:

(you) <-> (relay) <-> (DNS resolver) <-> (website's DNS servers)

The relay knows your IP, but not your DNS query.
The DNS resolver gets the query from the relay, so it only knows the relay IP address, not yours.
The website's DNS servers get the query from the resolver. So they know the resolver IP, not what happened before.

That DNS leak test website is a regular website that works that way. The only reliable information it can display is the address of DNS servers.

Try using scaleway-fr or scaleway-ams as a resolver, and resolve my.ip. This is a special query that these resolvers support, that return the IP address they get. When not using a relay, it's your real IP. When using a relay, it's the relay IP.

[khius]

and resolve my.ip.

I am new to this and I am not sure how to run this my.ip command. Please provide me with instructions. Thank you for your help

[jedisct1]

dnscrypt-proxy -resolve my.ip

or

dig my.ip

[khius]

dnscrypt-proxy -resolve my.ip

I run the command without actually changing my config file to see what happens and this was the outcome:

Resolving [my.ip] using 127.0.0.1 port 53
Resolver : 51.15.122.250 (scaleway-ams.dnscrypt.info.)
Canonical name: my.ip.
IPv4 addresses: 173.199.126.35
IPv6 addresses: -
Name servers : name does not exist
DNSSEC signed : yes
Mail servers : no mail servers found
HTTPS alias : -
HTTPS info : -
Host info : -
TXT records : -

This 'IPv4 addresses: 173.199.126.35' is not my real IP address, I think it is the IP address of one of the relays I set 'anon-plan9-dns' in the config file. It seems that Anonymized DNS is actually working, right?

[jedisct1]

Yes!

[khius]

Awesome! Thank you!

[Kncuk]

I have the same problem, where the site is able to know my (roughly) IP location despite using the relay
I ran the my.ip test using the scaleway resolver, and it did return the address of the relays I chose.
I wonder if it's because my network is tether through my cellular, hence the dnsleak site located the ISP's location (it's a bit off from my actual location).
I don't think my browser (edge) is leaking the info because the correct dns resolver does show up.

If it is through my cellular then I find it weird that it located my ISP because I set my phone's DNS to Quad9 and they don't have location in that city.