Hi Peter,

I think you are mixing up how DNSCrypt in unbound works. By using:

```
interface: 0.0.0.0@443
interface: ::0@443

######DNSCRYPT############
dnscrypt:
dnscrypt-enable:yes
dnscrypt-port:443
dnscrypt-provider:2.dnscrypt-cert.cryptostorm.is.
dnscrypt-secret-key:/usr/local/etc/unbound/1.key
dnscrypt-provider-cert:/usr/local/etc/unbound/1.cert
###############################
```

Unbound will create a DNSCrypt server that will listen on port 443. Its provider name will be 2.dnscrypt-cert.cryptostorm.is. and it will use cert/key /usr/local/etc/unbound/1.{cert,key}.

I am under the impression that you think it will connect to `5.101.137.251` over DNSCrypt. This is the role of DNSCrypt proxy instead. When you add:

```
forward-zone:
name: "."
forward-addr:5.101.137.251
```

to the config, unbound will forward requests to 5.101.137.251 and will behave as a caching server. Because 5.101.137.251 also handles clear text DNS, this is working just fine and that IP is showing through the website you mentioned. When you remove the forward-zone, unbound will behave as a recursive resolver and DNS queries will show up as coming from your DNS server to the outside world.

I think you are misunderstanding what role Unbound has in a DNSCrypt setup. Essentially, the config you are providing is the one that cryptostorm.is would use if they were going to set up a DNSCrypt server (aside from the forward-zone bit).

TL;DR you want to install DNSCrypt proxy. The original author is working on a new version: https://github.com/jedisct1/dnscrypt-proxy .

Manu

On Tue, Jan 23, 2018 at 5:46 AM, peter.newey--- via Unbound-users <unbound-users@unbound.net> wrote:
> Hello
>
> I am using unbound from Git version: 1.6.9 and have compiled it with
> --enable-dnscrypt .
> This is my unbound.conf setup;
>
> # unbound.conf for a local subnet.#
> server:
> interface: 0.0.0.0
> interface: ::0
> access-control: 192.168.0.0/16 allow
> access-control: ::1 allow
>
> # DNSCRYPT server: #######
> interface: 0.0.0.0@443
> interface: ::0@443
>
> directory: "/usr/local/etc/unbound"
> chroot: ""
> username: ""
> verbosity:0
> num-threads: 1
> prefetch:yes
> prefetch-key:yes
> use-syslog:no
> do-ip6: no
> so-reuseport: yes
> module-config: "validator iterator"
>
> do-not-query-localhost: no
>
> # file to read root hints from.
> #get one from ftp://FTP.INTERNIC.NET/domain/
> root-hints: "/usr/local/etc/unbound/named.cache"
> ############################################################
> include: "/usr/local/etc/unbound/unbound_ad_servers"
> #update the above file by using below command as root :
> #curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext" > /usr/local/etc/unbound/unbound_ad_servers
>
> logfile: "/usr/local/etc/unbound/unbound.log"
>
> log-time-ascii:yes
>
> ####################################################
>
> #auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
> #root key file, automatically updated##### remove # only for DNSSEC capable dns servers ##########
> ####################################################
>
> #Remote control config section.
> remote-control:
> # Enable remote control with unbound-control(8) here.
> # set up the keys and certificates with unbound-control-setup.
> control-enable:yes
>
> ######DNSCRYPT############
> dnscrypt:
> dnscrypt-enable:yes
> dnscrypt-port:443
> dnscrypt-provider:2.dnscrypt-cert.cryptostorm.is.
> dnscrypt-secret-key:/usr/local/etc/unbound/1.key
> dnscrypt-provider-cert:/usr/local/etc/unbound/1.cert
>
> forward-zone:
> name: "."
> forward-addr:5.101.137.251
>
> ###############################
>
> The only lines I see in my unbound.log where dnscrypt is mentioned is
> this line that is repeated occasionally:
>
> Jan 23 05:35:12 unbound[32581:0] notice: DNSCrypt: Freeing environment.
>
> If I use the above unbound.conf and look on website https://whoer.net/
> it shows my own ISP i.p address correctly and DNS 5.101.137.251
> correctly, which belongs to dnscrypt-provider:2.dnscrypt-cert.cryptostorm.is.
>
> If I change it to:
> #forward-zone:
> # name: "."
> #forward-addr:5.101.137.251
>
> my DNS address then shows my own ISP DNS, but I presume it should show
> 5.101.137.251 if dnscrypt was working correctly.
>
> If I change it to:
>
> #dnscrypt:
> # dnscrypt-enable:yes
> #dnscrypt-port:443
> #dnscrypt-provider:2.dnscrypt-cert.cryptostorm.is.
> #dnscrypt-secret-key:/usr/local/etc/unbound/1.key
> #dnscrypt-provider-cert:/usr/local/etc/unbound/1.cert
>
> forward-zone:
> name: "."
> forward-addr: my DNS address then shows
>
> my DNS address then shows again as 5.101.137.251 .
>
> Can I presume dnscrypt is not working correctly and is there any
> suggestions as to how I can get it to work please?
>
> thanks
>
> Peter
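As an added check (not from this thread or from the Unbound project), the Python script below parses the flat unbound.conf layout quoted above and reports the two roles Manu separates: whether the dnscrypt: block makes Unbound a DNSCrypt server for its clients, and whether the forward-zone: block sends upstream queries in clear text or leaves Unbound recursing on its own. The embedded config is a constructed subset of Peter's file; the function names are assumptions of this example.

```python
# Constructed excerpt of the unbound.conf quoted in the thread (not the full file).
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0@443
dnscrypt:
    dnscrypt-enable:yes
    dnscrypt-port:443
    dnscrypt-provider:2.dnscrypt-cert.cryptostorm.is.
forward-zone:
    name: "."
    forward-addr:5.101.137.251
"""


def parse_unbound_conf(text):
    """Return {section: {key: [values]}}; a line with an empty value
    (e.g. 'server:' or 'forward-zone:') opens a new section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value == "":
            current = key
            sections.setdefault(current, {})
        else:
            sections.setdefault(current, {}).setdefault(key, []).append(value)
    return sections


def describe_roles(conf):
    """Server role comes from the dnscrypt: block, upstream role from the
    forward-zone: block; the two are independent of each other."""
    roles = {}
    dc = conf.get("dnscrypt", {})
    roles["serves_dnscrypt_clients"] = dc.get("dnscrypt-enable", [""])[0] == "yes"
    if roles["serves_dnscrypt_clients"]:
        roles["dnscrypt_port"] = int(dc["dnscrypt-port"][0])
        roles["provider_name"] = dc["dnscrypt-provider"][0]
    fz = conf.get("forward-zone", {})
    addrs = fz.get("forward-addr", [])
    if addrs and fz.get("name", [""])[0].strip('"') == ".":
        # forward-addr speaks plain DNS to the upstream; the dnscrypt: block
        # never encrypts Unbound's own outbound queries.
        roles["upstream"] = "forward-cleartext"
        roles["upstream_addrs"] = addrs
    else:
        roles["upstream"] = "recursive"
    return roles
```

Running `describe_roles(parse_unbound_conf(SAMPLE_CONF))` on Peter's layout yields a DNSCrypt server on port 443 plus clear-text forwarding to 5.101.137.251, which is exactly the split Manu describes.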