
Comments (17)

Ainatar commented on August 23, 2024

I have good news, the problem is solved. It seems that with the v2 it's no longer necessary to specify the DNS server in the network adapter. Leaving it in automatic works. With the v1 that didn't work, I was forced to configure it manually. Now the tests work as expected, and the Store and the Update work too:

C:\dnscrypt-proxy-win64>dnscrypt-proxy -resolve update.microsoft.com
Resolving [update.microsoft.com]
Domain exists: probably not, or blocked by the proxy
Canonical name: update.microsoft.com.nsatc.net.
IP addresses: 65.55.50.190, 65.55.50.157
TXT records:
Resolver IP: 77.66.84.233 (resolver2.dnscrypt.eu.)

C:\dnscrypt-proxy-win64>dnscrypt-proxy -resolve download.windowsupdate.com
Resolving [download.windowsupdate.com]
Domain exists: probably not, or blocked by the proxy
Canonical name: 2-01-3cf7-0009.cdx.cedexis.net.
IP addresses: 93.184.221.240
TXT records:
Resolver IP: 77.66.84.233 (resolver2.dnscrypt.eu.)

C:\dnscrypt-proxy-win64>dnscrypt-proxy -resolve windowsupdate.microsoft.com
Resolving [windowsupdate.microsoft.com]
Domain exists: probably not, or blocked by the proxy
Canonical name: windowsupdate.redir.update.microsoft.com.nsatc.net.
IP addresses: 157.56.77.153
TXT records:
Resolver IP: 77.66.84.233 (resolver2.dnscrypt.eu.)

C:\dnscrypt-proxy-win64>dnscrypt-proxy -resolve windowsupdate.com
Resolving [windowsupdate.com]
Domain exists: yes, 5 name servers found
Canonical name: windowsupdate.com.
IP addresses: -
TXT records: -
Resolver IP: 77.66.84.233 (resolver2.dnscrypt.eu.)

C:\dnscrypt-proxy-win64>dnscrypt-proxy -resolve wustat.windows.com
Resolving [wustat.windows.com]
Domain exists: probably not, or blocked by the proxy
Canonical name: -
IP addresses: -
TXT records: -
Resolver IP: 77.66.84.233 (resolver2.dnscrypt.eu.)

C:\dnscrypt-proxy-win64>dnscrypt-proxy -resolve ntservicepack.microsoft.com
Resolving [ntservicepack.microsoft.com]
Domain exists: probably not, or blocked by the proxy
Canonical name: ntservicepack.microsoft.nsatc.net.
IP addresses: 207.46.22.245
TXT records:
Resolver IP: 77.66.84.233 (resolver2.dnscrypt.eu.)

C:\dnscrypt-proxy-win64>dnscrypt-proxy -resolve office.microsoft.com
Resolving [office.microsoft.com]
Domain exists: probably not, or blocked by the proxy
Canonical name: prod.ocsa.live.com.akadns.net.
IP addresses: 168.62.43.8
TXT records:
Resolver IP: 77.66.84.233 (resolver2.dnscrypt.eu.)

So, with the new .bats you have added in the last beta, it's enough to deploy it correctly. It was my fault to assume that I could simply reuse my previous script from the v1 to make the v2 work.

I think you can close the thread now, and thanks everyone for the help! :D

from dnscrypt-proxy.

jedisct1 commented on August 23, 2024

Looking at the commands you pasted, you have far more Windows expertise than I do, so I can hardly help you, that would rather be the other way round.

Is 208.67.220.220 your ISP DNS?

jedisct1 commented on August 23, 2024

Maybe what you can do is to enable logging and see what queries are being made when you run Windows Update.

What resolver are you using besides your ISP's?

Ainatar commented on August 23, 2024

208.67.220.220 is the IP of OpenDNS.

I have a list of some of the IPs and domains that the Store and the Update try to connect to, but adding them to the forwarding rules list doesn't seem to work. The only way is adding the secondary DNS server to the Ethernet connection config.

iWARR commented on August 23, 2024

@Ainatar

  1. Windows updates does work through dnscrypt-proxy. And worked always.

  2. You have no need to set any other special priority for the dnscrypt-proxy. Never.

  3. If you set regular OpenDNS as "Alternative DNS server", you set your alternative DNS "as usual DNS", without encryption. This is wrong. This is not relative to DNSCrypt technology.

  4. Set your Primary and Alternative DNS settings as :

127.0.0.1
127.0.0.2

or better to:

127.0.XX1
127.0.XX2
  5. Fill all your Network Adapter settings with known static values, if you don't need dynamic (automatic DNS). This is a faster, more secure way than using unsafe automatic/empty values.

  6. Change the settings in the dnscrypt-proxy.toml config file correspondingly. Set the alternative dnscrypt-proxy server also.

server_names = ['server-of-your-choice-1', 'server-of-your-choice-2']
listen_addresses = ['127.0.0.XX1:53', '127.0.0.XX2:53']
  7. Check that your Firewall/Brandmauer doesn't block dnscrypt-proxy.exe + Port: 53.

  8. Your Wi-Fi must be in another subnetwork. It haven't to use DNSCrypt inside your Workgroup.
    This is your mistake also.

Set your Wi-Fi adapter with such regular settings:

Wi-Fi (Server)

192.168.137.1		(For clients set IPs as 192.168.137.2 /3/4 and so on)
255.255.255.0
    .   .   .		(Leave it empty on server, for all clients set 192.168.137.1)

192.168.137.1

D1n0Bot commented on August 23, 2024

Windows, like Linux, will choose the fastest DNS server as priority. The idea is to route the queries via localhost:53 via dnscrypt-proxy.


 avatar commented on August 23, 2024

@Ainatar try this, remove 208.67.220.220, keep 127.0.0.1

Then create:

wu.txt:

update.microsoft.com
download.windowsupdate.com
windowsupdate.microsoft.com
windowsupdate.com
wustat.windows.com
ntservicepack.microsoft.com
office.microsoft.com

wu_test.bat:

@echo off
set OUTPUTFILE=output.txt
set lookup=wu.txt
FOR /F %%i in (%lookup%) do ( 
 FOR /F "skip=3 delims=: tokens=2" %%j in ('echo off(^|nslookup %%i') do @echo %%i %%j >> %OUTPUTFILE%
)

run in cmd prompt:

wu_test.bat >nul 2>&1

Then post output.txt here.

thuantran commented on August 23, 2024

I'm testing dnscrypt-proxy version 2 as well, but running it on my router with linux-arm binary. There's no problem with Windows Update, so I think the problem is with either the Windows binary and/or configuration on Windows.

Tallefer commented on August 23, 2024

Just a wild guess — it may or may not have something to do with Windows' ability to circumvent "normal" ways of network control to "phone home". It was a thing a couple of years back, maybe it is still a thing. On the other hand, it could be the opposite of that — a tweak, which was supposed just to block Windows telemetry services.
Anyway, it certainly looks too specific to be random. :)

Ainatar commented on August 23, 2024

@iWARR I have tested your sections 4, 5 and 6, no luck. With respect to section 7, I always had dnscrypt allowed through the firewall. With respect to section 8, I don't have a Wi-Fi adapter.

@MASTAD0N This is what I get:
update.microsoft.com www.update.microsoft.com.nsatc.net
update.microsoft.com 134.170.58.221
update.microsoft.com update.microsoft.com
download.windowsupdate.com a767.dspw65.akamai.net
download.windowsupdate.com 2a00
download.windowsupdate.com 801
download.windowsupdate.com download.windowsupdate.com
windowsupdate.microsoft.com redir.update.microsoft.com.nsatc.net
windowsupdate.microsoft.com 157.56.77.153
windowsupdate.microsoft.com windowsupdate.microsoft.com
windowsupdate.com windowsupdate.com
ntservicepack.microsoft.com ntservicepack.microsoft.nsatc.net
ntservicepack.microsoft.com 207.46.22.245
ntservicepack.microsoft.com ntservicepack.microsoft.com
office.microsoft.com osi-prod-weu01-ocsa.cloudapp.net
office.microsoft.com 2a01
office.microsoft.com office.microsoft.com

Thanks all for the indications, I don't want to cause headaches to anyone, promise!

r13s commented on August 23, 2024

@Ainatar
My output.txt is different (by the way, Windows update works):

update.microsoft.com      www.update.microsoft.com.nsatc.net 
update.microsoft.com   65.55.50.157 
update.microsoft.com   update.microsoft.com 
download.windowsupdate.com      cs11.wpc.v0cdn.net 
download.windowsupdate.com   72.21.81.240 
download.windowsupdate.com   download.windowsupdate.com 
windowsupdate.microsoft.com      redir.update.microsoft.com.nsatc.net 
windowsupdate.microsoft.com   157.56.77.153 
windowsupdate.microsoft.com   windowsupdate.microsoft.com 
windowsupdate.com      windowsupdate.com 
ntservicepack.microsoft.com      ntservicepack.microsoft.nsatc.net 
ntservicepack.microsoft.com   207.46.22.245 
ntservicepack.microsoft.com   ntservicepack.microsoft.com 
office.microsoft.com      osi-prod-eus01-ocsa.cloudapp.net 
office.microsoft.com   168.62.43.8 
office.microsoft.com   office.microsoft.com

Check the hosts file in the C:\Windows\System32\drivers\etc folder.
It should not contain any extra lines, just something like these:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost

jedisct1 commented on August 23, 2024

I don't know if nslookup resolves names the same way as the rest of the system. It's also known to be completely broken and unreliable on all platforms, and even its authors don't want you to use it any more.

Maybe you can use dnscrypt-proxy -resolve instead?


 avatar commented on August 23, 2024

@Ainatar you are not causing headaches! 😃

Yes I think @jedisct1 has a good idea.

Maybe try these:

dnscrypt-proxy -resolve update.microsoft.com
dnscrypt-proxy -resolve download.windowsupdate.com
dnscrypt-proxy -resolve windowsupdate.microsoft.com
dnscrypt-proxy -resolve windowsupdate.com
dnscrypt-proxy -resolve wustat.windows.com
dnscrypt-proxy -resolve ntservicepack.microsoft.com
dnscrypt-proxy -resolve office.microsoft.com

@bezdupel Thank you, I wonder why yours are different. Maybe @Ainatar is resolving ipv6 in some of them? Strange.

Ainatar commented on August 23, 2024

@iWARR @bezdupel Test with hosts file empty:

c:\dnscrypt-proxy-win64>dnscrypt-proxy -resolve update.microsoft.com
Resolving [update.microsoft.com]
Domain exists: probably not, or blocked by the proxy
Canonical name: update.microsoft.com.nsatc.net.
IP addresses: 65.55.50.157, 65.55.50.158
TXT records:
Resolver IP: 94.130.67.138 (deka.btr.zone.)

c:\dnscrypt-proxy-win64>dnscrypt-proxy -resolve download.windowsupdate.com
Resolving [download.windowsupdate.com]
Domain exists: probably not, or blocked by the proxy
Canonical name: 2-01-3cf7-0009.cdx.cedexis.net.
IP addresses: 2.22.48.48, 2.22.48.33
TXT records:
Resolver IP: 74.125.80.81

c:\dnscrypt-proxy-win64>dnscrypt-proxy -resolve windowsupdate.microsoft.com
Resolving [windowsupdate.microsoft.com]
Domain exists: probably not, or blocked by the proxy
Canonical name: windowsupdate.redir.update.microsoft.com.nsatc.net.
IP addresses: 157.56.77.153
TXT records:
Resolver IP: 74.125.80.81

c:\dnscrypt-proxy-win64>dnscrypt-proxy -resolve windowsupdate.com
Resolving [windowsupdate.com]
Domain exists: yes, 5 name servers found
Canonical name: windowsupdate.com.
IP addresses: -
TXT records: -
Resolver IP: 74.125.80.81

c:\dnscrypt-proxy-win64>dnscrypt-proxy -resolve wustat.windows.com
Resolving [wustat.windows.com]
Domain exists: probably not, or blocked by the proxy
Canonical name: -
IP addresses: -
TXT records: -
Resolver IP: 74.125.80.81

c:\dnscrypt-proxy-win64>dnscrypt-proxy -resolve ntservicepack.microsoft.com
Resolving [ntservicepack.microsoft.com]
Domain exists: probably not, or blocked by the proxy
Canonical name: ntservicepack.microsoft.nsatc.net.
IP addresses: 207.46.22.245
TXT records:
Resolver IP: 74.125.80.81

c:\dnscrypt-proxy-win64>dnscrypt-proxy -resolve office.microsoft.com
Resolving [office.microsoft.com]
Domain exists: probably not, or blocked by the proxy
Canonical name: prod.ocsa.live.com.akadns.net.
IP addresses: 168.62.43.8
TXT records:
Resolver IP: 74.125.80.81

r13s commented on August 23, 2024

@Ainatar Were there any other lines in the hosts file? And now the update is working?

My test results:

Resolving [update.microsoft.com]

Domain exists:  probably not, or blocked by the proxy
Canonical name: update.microsoft.com.nsatc.net.
IP addresses:   65.55.50.158, 157.55.240.94
TXT records:    
Resolver IP:    176.56.237.171 (resolver1.dnscrypt.eu.)

Resolving [download.windowsupdate.com]

Domain exists:  probably not, or blocked by the proxy
Canonical name: 2-01-3cf7-0009.cdx.cedexis.net.
IP addresses:   2.21.69.42, 2.21.69.40
TXT records:    
Resolver IP:    176.56.237.171 (resolver1.dnscrypt.eu.)

Resolving [windowsupdate.microsoft.com]

Domain exists:  probably not, or blocked by the proxy
Canonical name: windowsupdate.redir.update.microsoft.com.nsatc.net.
IP addresses:   157.56.77.153
TXT records:    
Resolver IP:    176.56.237.171 (resolver1.dnscrypt.eu.)

Resolving [windowsupdate.com]

Domain exists:  yes, 4 name servers found
Canonical name: windowsupdate.com.
IP addresses:   -
TXT records:    -
Resolver IP:    176.56.237.171 (resolver1.dnscrypt.eu.)

Resolving [wustat.windows.com]

Domain exists:  probably not, or blocked by the proxy
Canonical name: -
IP addresses:   -
TXT records:    -
Resolver IP:    176.56.237.171 (resolver1.dnscrypt.eu.)

Resolving [ntservicepack.microsoft.com]

Domain exists:  probably not, or blocked by the proxy
Canonical name: ntservicepack.microsoft.nsatc.net.
IP addresses:   207.46.22.245
TXT records:    
Resolver IP:    176.56.237.171 (resolver1.dnscrypt.eu.)

Resolving [office.microsoft.com]

Domain exists:  probably not, or blocked by the proxy
Canonical name: prod.ocsa.live.com.akadns.net.
IP addresses:   168.63.29.74
TXT records:    
Resolver IP:    176.56.237.171 (resolver1.dnscrypt.eu.)

jedisct1 commented on August 23, 2024

@Ainatar 74.125.80.81 is Google DNS, not a DNSCrypt server.

There is something funny going on with your configuration... your queries are going to Google, not to the DNS proxy...

D1n0Bot commented on August 23, 2024

From what I see, it could be due to the router having some DNS filtering or being preset with Google DNS. Asus routers have such DNS filtering.
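
The check made by eye in this thread (reading the Resolver IP line of each `dnscrypt-proxy -resolve` result and spotting an address that is not a DNSCrypt server) can be scripted. This is an added example, not code from the thread or from the dnscrypt-proxy project; the function names and the expected-resolver list are assumptions, and the sample is trimmed from output posted above.

```python
import ipaddress
import re

# Sample trimmed from the `dnscrypt-proxy -resolve` output posted in this thread.
SAMPLE = r"""c:\dnscrypt-proxy-win64>dnscrypt-proxy -resolve update.microsoft.com
Resolving [update.microsoft.com]
Domain exists: probably not, or blocked by the proxy
Canonical name: update.microsoft.com.nsatc.net.
IP addresses: 65.55.50.157, 65.55.50.158
TXT records:
Resolver IP: 94.130.67.138 (deka.btr.zone.)

c:\dnscrypt-proxy-win64>dnscrypt-proxy -resolve windowsupdate.com
Resolving [windowsupdate.com]
Domain exists: yes, 5 name servers found
IP addresses: -
Resolver IP: 74.125.80.81
"""
FIELDS = {"Domain exists", "Canonical name", "IP addresses", "TXT records", "Resolver IP"}

def parse_resolve_output(text):
    """Split pasted -resolve output into one dict per queried name."""
    records, cur = [], None
    for line in text.splitlines():
        start = re.match(r"Resolving \[(.+)\]\s*$", line.strip())
        key, _, value = line.partition(":")
        if start:
            cur = {"name": start.group(1)}
            records.append(cur)
        elif cur is not None and key.strip() in FIELDS:
            cur[key.strip()] = value.strip()
    return records

def resolver_ip(record):
    """Return the resolver address as an ipaddress object, or None if absent/invalid."""
    token = record.get("Resolver IP", "").split(" ")[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None

def unexpected_resolvers(text, expected_ips):
    """(name, resolver) pairs answered from outside expected_ips; a missing resolver counts."""
    expected = {ipaddress.ip_address(ip) for ip in expected_ips}
    return [(r["name"], str(resolver_ip(r))) for r in parse_resolve_output(text)
            if resolver_ip(r) not in expected]

if __name__ == "__main__":  # 94.130.67.138 is assumed to be the configured DNSCrypt server
    for name, ip in unexpected_resolvers(SAMPLE, ["94.130.67.138"]):
        print(f"{name}: answered via {ip}, outside the expected resolver set")
```

Feed it the addresses of the servers listed in `server_names`; any name it reports was resolved through something other than those servers.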
