Acrylic DNS Proxy FAQ


Is it possible to use Acrylic with TOR?
Is it possible to use Acrylic with DNSCrypt?
Is it possible to use Acrylic with DNS-over-HTTPS?
What about Acrylic performance with large HOSTS files?
Is it possible to use Acrylic as a DNS server for my home network?
Why doesn't AcrylicCache.dat grow or change when I browse the Internet?
What is the difference between the Windows service version and the console version of Acrylic?
Why am I getting "Binding to ... failed with Windows Sockets error code 10048" messages from Acrylic?
Why am I getting "Unexpected packet received from..." messages from Acrylic?
Is Acrylic affected by the DNS cache poisoning vulnerability CVE-2008-1447?
Is Acrylic affected by other DNS cache poisoning vulnerabilities?

Is it possible to use Acrylic with TOR?


TOR is an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.

With the proper configuration Acrylic can be used together with TOR to reap the benefits of the TOR network at the DNS level.

You should start by adding the following line to your "torrc" file, which enables TOR's built-in DNS resolver:

DNSPort 127.0.0.1:40

Then Acrylic must be configured to use TOR's built-in DNS resolver, as in the example shown below:

PrimaryServerAddress=127.0.0.1
PrimaryServerPort=40
PrimaryServerProtocol=UDP
PrimaryServerQueryTypeAffinityMask=A;AAAA;PTR

Do not configure other DNS servers in Acrylic (secondary, tertiary, etc.), otherwise you risk leaking information to them.

For more information about TOR please refer to the TOR Project official page.

Is it possible to use Acrylic with DNSCrypt?


DNSCrypt encrypts all DNS traffic between the user and OpenDNS, preventing any spying, spoofing or man-in-the-middle attacks.

With the proper configuration Acrylic can be used together with DNSCrypt to provide both increased security and increased speed.

First the dnscrypt-proxy application for Windows must be instructed to listen on a nonstandard port, as in the example shown below:

dnscrypt-proxy.exe --resolver-name=opendns --local-address=127.0.0.1:40

Then Acrylic must be configured to forward its DNS requests to the same nonstandard port opened by dnscrypt-proxy, as in the example shown below:

PrimaryServerAddress=127.0.0.1
PrimaryServerPort=40
PrimaryServerProtocol=UDP
PrimaryServerQueryTypeAffinityMask=A;AAAA;PTR

Do not configure other DNS servers in Acrylic (secondary, tertiary, etc.), otherwise you risk leaking information to them.

For more information about dnscrypt-proxy please refer to the DNSCrypt Project official page.
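The warning in both the TOR and the DNSCrypt answers is that any additional upstream configured in Acrylic is a path around the local forwarder. Here is an added check (not part of Acrylic) that reads an AcrylicConfiguration.ini text and flags a primary that is not a loopback forwarder or any other *ServerAddress key that is set; the sample ini is constructed, and its section name and the SecondaryServerAddress key are assumptions about the file layout.

```python
import configparser
from io import StringIO

LOCAL_FORWARDERS = {"127.0.0.1", "::1"}  # where TOR's DNSPort or dnscrypt-proxy listens

def upstream_servers(ini_text):
    """Collect every *ServerAddress key, in any section, that has a non-empty value."""
    cfg = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cfg.optionxform = str  # keep Acrylic's CamelCase key names as written
    cfg.read_file(StringIO(ini_text))
    return [(sec, key, val.strip()) for sec in cfg.sections()
            for key, val in cfg.items(sec)
            if key.endswith("ServerAddress") and val and val.strip()]

def audit_forwarder_only(ini_text):
    """Return findings for a config meant to send every query through a local forwarder:
    the primary must be loopback and no other upstream server may be configured."""
    servers = upstream_servers(ini_text)
    primary = [val for _, key, val in servers if key == "PrimaryServerAddress"]
    findings = []
    if not primary or primary[0] not in LOCAL_FORWARDERS:
        findings.append("PrimaryServerAddress is %s, not a loopback forwarder"
                        % (primary[0] if primary else "unset"))
    for sec, key, val in servers:
        if key != "PrimaryServerAddress":  # secondary, tertiary, ... would bypass the forwarder
            findings.append("[%s] %s=%s would receive queries that bypass the local forwarder"
                            % (sec, key, val))
    return findings

# Constructed sample, not a real AcrylicConfiguration.ini: the [GlobalSection] name and the
# SecondaryServerAddress key are assumptions; the values mirror the FAQ's TOR/DNSCrypt setup
# plus one fallback resolver that the audit should catch.
LEAKY_INI = """[GlobalSection]
PrimaryServerAddress=127.0.0.1
PrimaryServerPort=40
PrimaryServerProtocol=UDP
PrimaryServerQueryTypeAffinityMask=A;AAAA;PTR
SecondaryServerAddress=8.8.8.8
SecondaryServerPort=53
"""
CLEAN_INI = "\n".join(l for l in LEAKY_INI.splitlines() if not l.startswith("Secondary")) + "\n"
```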

Is it possible to use Acrylic with DNS-over-HTTPS?


DNS-over-HTTPS (DoH) is a protocol for performing DNS resolution via the HTTPS protocol, with the goal to increase user privacy and security by preventing eavesdropping and man-in-the-middle attacks.

With the proper configuration Acrylic can be used together with DNS-over-HTTPS resolvers to provide both increased security and increased speed.

Here is a known-good DNS-over-HTTPS configuration for the Google Public DNS server:

PrimaryServerAddress=8.8.8.8
PrimaryServerPort=443
PrimaryServerProtocol=DOH
PrimaryServerDoHProtocolPath=dns-query
PrimaryServerDoHProtocolHost=dns.google

Here is a known-good DNS-over-HTTPS configuration for the Cloudflare Public DNS server:

PrimaryServerAddress=1.1.1.1
PrimaryServerPort=443
PrimaryServerProtocol=DOH
PrimaryServerDoHProtocolPath=dns-query
PrimaryServerDoHProtocolHost=cloudflare-dns.com

Here is a known-good DNS-over-HTTPS configuration for the Quad9 Public DNS server:

PrimaryServerAddress=9.9.9.9
PrimaryServerPort=443
PrimaryServerProtocol=DOH
PrimaryServerDoHProtocolPath=dns-query
PrimaryServerDoHProtocolHost=dns.quad9.net

For more information about the DNS-over-HTTPS protocol please refer to its Wikipedia page.
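To show what the five PrimaryServer* keys above translate to on the wire, here is an added example (not Acrylic's code) that builds the RFC 8484 GET and POST forms of a DoH request from the Google configuration; it assumes that Acrylic opens its TLS connection to PrimaryServerAddress:PrimaryServerPort and sends PrimaryServerDoHProtocolHost as the TLS server name and HTTP Host header, with PrimaryServerDoHProtocolPath as the URL path.

```python
import base64
import struct

QTYPE = {"A": 1, "AAAA": 28, "PTR": 12}  # the record types named in the affinity masks above

def encode_name(name):
    """DNS wire-format name: length-prefixed labels terminated by the empty root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype="A", txid=0):
    """Single-question query with RD=1. RFC 8484 suggests ID 0 so that identical questions
    give identical bytes (cache friendly); the TLS session, not the ID, ties reply to request."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # class IN

def doh_get_request(host, path, query):
    """GET form: the query travels base64url-encoded, padding stripped, in the dns= parameter."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return ("GET /%s?dns=%s HTTP/1.1\r\nHost: %s\r\n" % (path, dns, host)
            + "Accept: application/dns-message\r\n\r\n").encode("ascii")

def doh_post_request(host, path, query):
    """POST form: the raw wire-format query is the body, typed application/dns-message."""
    head = ("POST /%s HTTP/1.1\r\nHost: %s\r\nAccept: application/dns-message\r\n"
            "Content-Type: application/dns-message\r\nContent-Length: %d\r\n\r\n"
            % (path, host, len(query)))
    return head.encode("ascii") + query

def plan_from_acrylic_settings(settings, name, qtype="A"):
    """Assumed mapping of the ini keys onto one exchange: TLS endpoint, SNI/Host name, URL path."""
    host = settings["PrimaryServerDoHProtocolHost"]
    path = settings["PrimaryServerDoHProtocolPath"]
    query = build_query(name, qtype)
    return {"connect": (settings["PrimaryServerAddress"], int(settings["PrimaryServerPort"])),
            "sni": host,
            "get": doh_get_request(host, path, query),
            "post": doh_post_request(host, path, query)}

# The Google configuration from the FAQ, as key/value pairs.
GOOGLE = {"PrimaryServerAddress": "8.8.8.8", "PrimaryServerPort": "443",
          "PrimaryServerProtocol": "DOH", "PrimaryServerDoHProtocolPath": "dns-query",
          "PrimaryServerDoHProtocolHost": "dns.google"}
```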

What about Acrylic performance with large HOSTS files?


I've done some performance tests on Acrylic from which these conclusions can be drawn:

  1. Because it forwards DNS requests in parallel, Acrylic allows a 25% reduction (your mileage may vary) on the time it takes to resolve a domain name.
  2. On an average computer Acrylic takes about half a millisecond to resolve a cached domain name, even when using a custom HOSTS file with a very large number of domain names in it.
  3. Putting a large number of patterns or regular expressions inside the AcrylicHosts.txt file may cause Acrylic to slow down significantly. From a purely performance perspective it is better to use a large list of domain names rather than a lot of patterns and regexes. Patterns and regexes should be used to ease the manual maintenance of the AcrylicHosts.txt file when the full list of domain names is either unknown or too variable. A domain name is free, a pattern is relatively cheap and a regular expression is rather expensive.

All tests have been performed on a computer with Windows 10 Pro x64, an Intel Core i3 CPU and 8 GB of DDR3 RAM. Here are the raw test results:

Description                                                                               Average (ms)
Direct access to Google public DNS servers                                                56.550 ± 4.650
Using Acrylic DNS Proxy (uncached query)                                                  42.450 ± 1.950
Using Acrylic DNS Proxy (cached query)                                                     0.504 ± 0.005
Using Acrylic DNS Proxy with 750k IPv4 domain names (cached query)                         0.523 ± 0.004
Using Acrylic DNS Proxy with 750k IPv4 domain names and 50k IPv4 patterns (cached query)   5.230 ± 0.010
Using Acrylic DNS Proxy with 750k IPv4 domain names and 50k IPv4 regexes (cached query)   20.641 ± 0.016

Is it possible to use Acrylic as a DNS server for my home network?


Yes, you can specify in the AllowedAddressesSection section of the AcrylicConfiguration.ini file a list of IP addresses and ranges whose DNS requests Acrylic is allowed to handle.

You must also create a firewall rule to allow incoming traffic directed to the two Acrylic executables: AcrylicService.exe and AcrylicConsole.exe.

For more information please refer to the comments contained in the AcrylicConfiguration.ini file.

Why doesn't AcrylicCache.dat grow or change when I browse the Internet?


To minimize disk activity the cache is flushed from memory to disk only when the Acrylic DNS Proxy service is stopped or the system is shut down.

What is the difference between the Windows service version and the console version of Acrylic?


The console version (AcrylicConsole.exe) and the Windows service version of Acrylic (AcrylicService.exe) are functionally identical, as they share the same code.

You may want to use the console version if you don't want to install anything on your computer (in this case I suppose you chose the portable version of Acrylic, didn't you?) or if you are experimenting with Acrylic and you don't want to restart the Windows service every time you change something in the configuration.

You cannot have both versions running at the same time because they would try to listen on the same UDP port. If this happens you may see an error message like the following in the debug log (for the Windows service version) or on the console (for the console version):

Binding to IPv4 address 0.0.0.0 and port 53 failed with Windows Sockets error code 10048.

Note: It is best to terminate the console version of Acrylic by pressing ENTER at the Command Prompt, rather than by closing its associated window.

Why am I getting "Binding to ... failed with Windows Sockets error code 10048" messages from Acrylic?


This typically occurs when another DNS server on your computer is listening on the same UDP port as Acrylic, like one of these:


Why am I getting "Unexpected packet received from..." messages from Acrylic?


If you are trying to use Acrylic as a DNS server for your home network you have to configure the AllowedAddressesSection section of the AcrylicConfiguration.ini file properly.

You must also create a firewall rule to allow incoming traffic directed to the two Acrylic executables: AcrylicService.exe and AcrylicConsole.exe.

For more information please refer to the comments contained in the AcrylicConfiguration.ini file.

Is Acrylic affected by the DNS cache poisoning vulnerability CVE-2008-1447?


No, Acrylic is not affected because it does not support recursive queries, so it ignores any authoritative resource record contained in responses forged by an attacker (on affected systems those records would overwrite valid entries).

More technical details about the vulnerability and the attack strategy, presented by Dan Kaminsky at Black Hat 2008, can be found on the Black Hat website.

Is Acrylic affected by other DNS cache poisoning vulnerabilities?


Yes. There are flaws in the way the DNS protocol was designed: it does not enforce a strong authentication mechanism and carries very little entropy (which allows a relatively high rate of success in forging responses). No matter how carefully it has been written, any DNS resolver that does not rely on custom protocol extensions (like DNSSEC) or on alternative transport mechanisms (like DNS-over-HTTPS) is vulnerable to cache poisoning to a certain extent, depending on how much entropy it is able to shove into the protocol.
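As an added illustration (not Acrylic's code) of the forwarder-side defence the two answers above describe: a reply is accepted only if it echoes the outstanding query's transaction ID and question, and only answer-section records owned by the queried name are kept, while authority and additional records (the glue a forged response would use to overwrite valid entries) are counted and discarded. The sample reply is constructed, and the name-compression parser is bounded so a hostile pointer loop cannot hang it; note that this narrows what a forged reply can achieve but adds no entropy, so the blind-forgery window described in the last answer remains.

```python
import struct

def encode_name(name):  # wire-format name; used only to build the constructed sample
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def parse_name(msg, off):
    """Decode a possibly compressed name; return (lowercase name, offset past the field)."""
    labels, end = [], None
    for _ in range(128):  # bounded so a hostile pointer loop cannot hang the parser
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer: the field ends after these 2 bytes
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + n].decode("ascii").lower())
        off += n
    raise ValueError("name too long or compression pointer loop")

def validate_response(txid, qname, qtype, resp):
    """Forwarder-style acceptance: the reply must echo our ID and question; only answer-section
    records owned by the queried name are kept, authority/additional (glue) records are dropped."""
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000 or qd != 1:
        return False, [], "transaction ID, QR flag or question count mismatch"
    name, off = parse_name(resp, 12)
    if (name,) + struct.unpack("!HH", resp[off:off + 4]) != (qname.lower(), qtype, 1):
        return False, [], "question section does not echo our query"
    off, kept, dropped = off + 4, [], 0
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = parse_name(resp, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
            rdata, off = resp[off + 10:off + 10 + rdlen], off + 10 + rdlen
            if section == "answer" and owner == qname.lower() and rclass == 1:
                kept.append((owner, rtype, ttl, rdata))
            else:
                dropped += 1
    return True, kept, "dropped %d record(s) outside the answer for %s" % (dropped, qname)

# Constructed sample reply (not captured traffic): one A answer, then an NS record and its glue
# in the authority/additional sections; 0xC00C/0xC010 are pointers back into the question name.
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 1, 1)
          + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
          + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
          + b"\xC0\x10" + struct.pack("!HHIH", 2, 1, 300, 16) + encode_name("ns.example.net")
          + encode_name("ns.example.net") + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 53]))
```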