Acrylic DNS Proxy Frequently Asked Questions


What is the hit log and what is its format?
What is the format of the AcrylicCache.dat file?
What about Acrylic performance with large HOSTS files?
Is there a way to avoid ugly error pages for blocked contents?
Is it possible to use Acrylic as a DNS server for my home network?
Why does the AcrylicCache.dat file not grow/change when I browse the Internet?
Is there any automation support for controlling the Acrylic DNS Proxy service?
My antivirus believes that one of Acrylic's files contains a threat. What should I do?
What are the most appropriate caching parameters for my network in the configuration file?
Why am I getting these ugly "TDnsResolver.Execute: Unexpected packet received from..." messages?
What is the difference between the Windows service version and the console version of Acrylic?
Is Acrylic affected by the DNS cache poisoning vulnerability CVE-2008-1447?
Is Acrylic affected by other DNS cache poisoning vulnerabilities?
Is it possible to use Acrylic together with DNSCrypt?
Is it possible to use Acrylic together with TOR?

What is the hit log and what is its format?


The hit log is a text file into which every incoming DNS request seen by Acrylic can be logged.

It is activated by specifying a value for the HitLogFileName configuration item and contains rows with the following fields separated by the TAB character:

  1. A timestamp in the format YYYY-MM-DD HH:MM:SS.FFF.
  2. The source IP address of the DNS request (the client's IP address, for BHCF treatment field codes) or response (the upstream server's IP address, for RU treatment field codes).
  3. The treatment field code (how Acrylic treated it).
  4. The dissected DNS request (for BHCF treatment field codes) or response (for RU treatment field codes).

A dissected DNS request is similar to the following one:

Q[1]=p.adsymptotic.com;T[1]=A

Q[1]=p.adsymptotic.com means that DNS question 1 refers to the "p.adsymptotic.com" domain name.
T[1]=A means that DNS question 1 is of type A (IPv4).

A dissected DNS response (which happens to be the response to the DNS request seen above) is similar to the following one:

RC=0;QDC=1;ANC=2;Q[1]=p.adsymptotic.com;T[1]=CNAME;A[1]=p.adsymptotic.com>api-lb3-vip0.eu.adsymptotic.com;T[2]=A;A[2]=api-lb3-vip0.eu.adsymptotic.com>187.6.31.94

RC=0 means that the DNS response code (RCODE) is 0.
QDC=1 means that the number of questions (QDCOUNT) contained in the DNS response is 1.
ANC=2 means that the number of answers (ANCOUNT) contained in the DNS response is 2.
Q[1]=p.adsymptotic.com means that the DNS question 1 refers to the "p.adsymptotic.com" domain name.
T[1]=CNAME means that the DNS answer 1 is of type CNAME (canonical name).
A[1]=p.adsymptotic.com>api-lb3-vip0.eu.adsymptotic.com means that the DNS answer 1 (of type CNAME) referring to the "p.adsymptotic.com" domain name is "api-lb3-vip0.eu.adsymptotic.com".
T[2]=A means that the DNS answer 2 is of type A (IPv4).
A[2]=api-lb3-vip0.eu.adsymptotic.com>187.6.31.94 means that the DNS answer 2 (of type A) referring to the "api-lb3-vip0.eu.adsymptotic.com" domain name is "187.6.31.94".

For performance reasons the hit log is flushed to disk only when Acrylic is idle or when its buffer is full, therefore you might experience a delay of a few seconds between when a DNS request is made and when its details get written into the hit log.
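As an added example (not part of the Acrylic project), the following Python script parses hit log rows in the format described above, turns the dissected request and response strings into structured records, checks that the QDC/ANC counters agree with the Q[n]/A[n] fields, and follows a CNAME chain to the final address, which is what a log reviewer usually wants to know. The treatment code letters are taken from the FAQ text; the two sample rows are constructed from the FAQ's own request/response pair with made-up timestamps and addresses.

```python
"""Parser for Acrylic's TAB-separated hit log (added example, not Acrylic's own code)."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# From the FAQ: B/H/C/F rows carry a dissected request, R/U rows a dissected response.
REQUEST_CODES = set("BHCF")
RESPONSE_CODES = set("RU")
_KEY_RE = re.compile(r"^([A-Z]+)(?:\[(\d+)\])?$")


@dataclass
class HitLogEntry:
    timestamp: datetime
    address: str                 # client IP (request rows) or upstream server IP (response rows)
    treatment: str
    is_response: bool
    rcode: Optional[int] = None
    qdcount: Optional[int] = None
    ancount: Optional[int] = None
    questions: List[Tuple[str, Optional[str]]] = field(default_factory=list)  # (name, type or None)
    answers: List[Tuple[str, str, str]] = field(default_factory=list)         # (type, owner, value)
    problems: List[str] = field(default_factory=list)


def parse_dissected(text: str) -> Dict[str, object]:
    """'RC=0;Q[1]=x;T[1]=A' -> {'RC': '0', 'Q': {1: 'x'}, 'T': {1: 'A'}}."""
    out: Dict[str, object] = {}
    for item in filter(None, text.split(";")):
        key, _, value = item.partition("=")
        m = _KEY_RE.match(key)
        if not m:
            raise ValueError(f"unexpected field {key!r}")
        name, idx = m.group(1), m.group(2)
        if idx is None:
            out[name] = value
        else:
            out.setdefault(name, {})[int(idx)] = value
    return out


def parse_line(line: str) -> HitLogEntry:
    ts, addr, code, dissected = line.rstrip("\r\n").split("\t")
    if code not in REQUEST_CODES | RESPONSE_CODES:
        raise ValueError(f"unknown treatment code {code!r}")
    fields = parse_dissected(dissected)
    types = fields.get("T", {})
    entry = HitLogEntry(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"), addr, code, code in RESPONSE_CODES)
    if not entry.is_response:
        # Request rows: T[n] is the type of question n.
        for i, name in sorted(fields.get("Q", {}).items()):
            entry.questions.append((name, types.get(i)))
        return entry
    # Response rows: Q[n] echoes the question, T[n]/A[n] describe answer n as "owner>value".
    entry.rcode, entry.qdcount, entry.ancount = (int(fields[k]) for k in ("RC", "QDC", "ANC"))
    entry.questions = [(name, None) for _, name in sorted(fields.get("Q", {}).items())]
    for i, rr in sorted(fields.get("A", {}).items()):
        owner, _, value = rr.partition(">")
        entry.answers.append((types.get(i, "?"), owner, value))
    if len(entry.questions) != entry.qdcount:
        entry.problems.append(f"QDC={entry.qdcount} but {len(entry.questions)} Q[n] fields")
    if len(entry.answers) != entry.ancount:
        entry.problems.append(f"ANC={entry.ancount} but {len(entry.answers)} A[n] fields")
    return entry


def parse_log(text: str) -> List[HitLogEntry]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def resolved_addresses(entry: HitLogEntry) -> List[str]:
    """Follow CNAME answers from the first question name to the final A/AAAA values."""
    if not entry.is_response or not entry.questions:
        return []
    name, seen = entry.questions[0][0], set()
    while name not in seen:                      # `seen` guards against CNAME loops
        seen.add(name)
        cnames = [v for t, o, v in entry.answers if t == "CNAME" and o == name]
        if not cnames:
            break
        name = cnames[0]
    return [v for t, o, v in entry.answers if t in ("A", "AAAA") and o == name]


# Constructed sample: the FAQ's request/response pair with made-up timestamps and addresses.
SAMPLE_LOG = "\n".join([
    "\t".join(["2024-03-01 10:15:30.123", "192.168.1.20", "F", "Q[1]=p.adsymptotic.com;T[1]=A"]),
    "\t".join(["2024-03-01 10:15:30.165", "8.8.8.8", "R",
               "RC=0;QDC=1;ANC=2;Q[1]=p.adsymptotic.com;T[1]=CNAME;"
               "A[1]=p.adsymptotic.com>api-lb3-vip0.eu.adsymptotic.com;T[2]=A;"
               "A[2]=api-lb3-vip0.eu.adsymptotic.com>187.6.31.94"]),
])

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(e.timestamp, e.address, e.treatment, e.questions, e.answers, resolved_addresses(e), e.problems)
```

Feed it the real file with parse_log(open("AcrylicHits.txt", encoding="utf-8").read()); entries whose problems list is not empty are rows that were cut short, which happens when the file is read while Acrylic is still buffering.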

What is the format of the AcrylicCache.dat file?


The AcrylicCache.dat file is not encrypted. If you are using the latest version it is a series of binary records whose fields are:

  No.  Field                         Size & format
  1    Hash of DNS request           8 bytes (UInt64)
  2    Arrival time of DNS response  4 bytes (UInt32, number of minutes since 1980-01-01 00:00)
  3    Length of DNS response        4 bytes (UInt32)
  4    DNS response bytes            (length of DNS response) bytes
  5    Is negative response          1 byte (Boolean)
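The following Python reader and writer for this record layout is an added example and not Acrylic's own code. The byte order of the integer fields is not stated above and is assumed to be little-endian (the native order of Windows x86 builds); the sample cache file is constructed in memory from two hand-built DNS responses, one positive and one NXDOMAIN, so that the script runs offline.

```python
"""Reader/writer for AcrylicCache.dat records (added example, not Acrylic's own code)."""
import struct
from datetime import datetime, timedelta
from typing import Iterator, NamedTuple

# Record header per the FAQ table; little-endian is an assumption, the page does not state it.
_HEADER = struct.Struct("<QII")          # hash (UInt64), arrival minutes (UInt32), length (UInt32)
_EPOCH = datetime(1980, 1, 1)            # arrival time counts minutes from this instant
_DNS_HEADER = struct.Struct(">HHHHHH")   # DNS wire header: ID, flags, QD, AN, NS, AR counts


class CacheRecord(NamedTuple):
    request_hash: int
    arrival: datetime
    response: bytes
    negative: bool


def pack_record(request_hash: int, arrival: datetime, response: bytes, negative: bool) -> bytes:
    minutes = int((arrival - _EPOCH).total_seconds() // 60)
    return _HEADER.pack(request_hash, minutes, len(response)) + response + bytes([int(negative)])


def iter_records(data: bytes) -> Iterator[CacheRecord]:
    """Walk the file sequentially; truncation is reported with the offending byte offset."""
    off = 0
    while off < len(data):
        if len(data) - off < _HEADER.size:
            raise ValueError(f"truncated record header at offset {off}")
        request_hash, minutes, length = _HEADER.unpack_from(data, off)
        off += _HEADER.size
        if len(data) - off < length + 1:
            raise ValueError(f"truncated response of {length} bytes at offset {off}")
        response = data[off:off + length]
        flag = data[off + length]
        if flag not in (0, 1):
            raise ValueError(f"bad negative-response flag {flag} at offset {off + length}")
        off += length + 1
        yield CacheRecord(request_hash, _EPOCH + timedelta(minutes=minutes), response, bool(flag))


def summarize_response(response: bytes):
    """Return (RCODE, ANCOUNT, question name) from the cached DNS wire message."""
    _, flags, qd, an, _, _ = _DNS_HEADER.unpack_from(response, 0)
    labels, off = [], _DNS_HEADER.size
    while qd and (length := response[off]):          # the question name is never compressed
        labels.append(response[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return flags & 0x000F, an, ".".join(labels)


def age_minutes(record: CacheRecord, now: datetime) -> int:
    return int((now - record.arrival).total_seconds() // 60)


def build_response(name: str, ip: str, rcode: int = 0, ttl: int = 300, txid: int = 0x1234) -> bytes:
    """Minimal A-record answer, or an empty answer carrying `rcode`, for building samples."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    rr = b"" if rcode else b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    header = _DNS_HEADER.pack(txid, 0x8180 | rcode, 1, 0 if rcode else 1, 0, 0)
    return header + qname + struct.pack(">HH", 1, 1) + rr


# Constructed sample file: one positive record and one negative (NXDOMAIN, RCODE 3) record.
SAMPLE_FILE = (
    pack_record(0x0123456789ABCDEF, datetime(2024, 3, 1, 10, 15),
                build_response("www.example.com", "93.184.216.34"), False)
    + pack_record(0xFEDCBA9876543210, datetime(2024, 3, 1, 10, 20),
                  build_response("nx.example.com", "0.0.0.0", rcode=3), True)
)

if __name__ == "__main__":
    for rec in iter_records(SAMPLE_FILE):
        rcode, ancount, qname = summarize_response(rec.response)
        print(f"{rec.request_hash:016x} {rec.arrival:%Y-%m-%d %H:%M} negative={rec.negative} "
              f"rcode={rcode} answers={ancount} {qname}")
```

To inspect a real cache, stop the service first (the file is only written on shutdown, see below) and pass open("AcrylicCache.dat", "rb").read() to iter_records(); if the records come out garbled the byte-order assumption is wrong and "<QII" should be changed to ">QII".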

What about Acrylic performance with large HOSTS files?


I've done some performance tests on Acrylic version 0.9.34 from which these conclusions can be drawn:


All tests have been performed on a computer with Windows 10 Pro x64, an Intel Core i3 540 @ 3.06 GHz CPU and 8 GB of DDR3 RAM @ 1333 MHz. Here are the raw test results:

  Description                                                                                      Average (milliseconds)
  Direct access to Google public DNS servers                                                       56.550 ± 4.650
  Using Acrylic DNS Proxy out of the box (uncached query)                                          42.450 ± 1.950
  Using Acrylic DNS Proxy out of the box (cached query)                                             0.504 ± 0.005
  Using Acrylic with a hosts file containing 750k IPv4 domain names (cached query)                  0.523 ± 0.004
  Using Acrylic with a hosts file containing 750k IPv4 domain names and 50k IPv4 patterns (cached)  5.230 ± 0.010
  Using Acrylic with a hosts file containing 750k IPv4 domain names and 50k IPv4 regexes (cached)  20.641 ± 0.016

Is there a way to avoid ugly error pages for blocked contents?


With the proper configuration Acrylic allows you to "block" websites by redirecting traffic to your computer instead of the intended server. A problem with this approach is that your browser may put an error page in the place of the blocked contents. A way to avoid these ugly error pages is by enabling the Acrylic HTTP server, which is able to provide some default content to your browser when a domain name is resolved through the AcrylicHosts.txt file as localhost.

For more information about enabling the Acrylic HTTP server please refer to the Acrylic Configuration page.

Is it possible to use Acrylic as a DNS server for my home network?


Yes.

You can specify in the AllowedAddressesSection section of the AcrylicConfiguration.ini file a list of IP addresses and ranges whose DNS requests Acrylic is allowed to handle.

For more information please refer to the Acrylic Configuration page.

Why does the AcrylicCache.dat file not grow/change when I browse the Internet?


To minimize disk activity the cache is flushed from memory to disk only when the Acrylic DNS Proxy service is stopped or the system is shut down.

Thus you won't see anything change in the AcrylicCache.dat file until you stop the Acrylic DNS Proxy service or shut down the system.

Is there any automation support for controlling the Acrylic DNS Proxy service?


The AcrylicController.exe console application, which supports the command line parameters shown below, can be useful in some automation scenarios:

AboutAcrylic
Shows Acrylic version and release date.
InstallAcrylicService
Registers the Acrylic DNS Proxy service.
UninstallAcrylicService
Unregisters the Acrylic DNS Proxy service.
PurgeAcrylicCacheData, PurgeAcrylicCacheDataSilently
Purges all Acrylic's cached DNS entries from the system and restarts the Acrylic DNS Proxy service. The silent version does not show any dialog box.
StartAcrylicService, StartAcrylicServiceSilently
Starts (or restarts) the Acrylic DNS Proxy service. The silent version does not show any dialog box.
StopAcrylicService, StopAcrylicServiceSilently
Stops the Acrylic DNS Proxy service. The silent version does not show any dialog box.
EditAcrylicHostsFile
Opens the AcrylicHosts.txt file using the default text editor.
EditAcrylicConfigurationFile
Opens the AcrylicConfiguration.ini file using the default text editor.
ActivateAcrylicDebugLog, ActivateAcrylicDebugLogSilently
Activates the Acrylic debug log for the Acrylic DNS Proxy service. The silent version does not show any dialog box.
DeactivateAcrylicDebugLog, DeactivateAcrylicDebugLogSilently
Deactivates the Acrylic debug log for the Acrylic DNS Proxy service. The silent version does not show any dialog box.
OpenCurrentAcrylicDebugLog
Opens the Acrylic debug log file using the default text editor.

Aside from the command line parameters shown above the Acrylic DNS Proxy service can always be controlled using the net and sc commands.

My antivirus believes that one of Acrylic's files contains a threat. What should I do?


Just before every release Acrylic packages are checked with a series of antivirus engines using the Metadefender online service and in case a threat is found the release is suspended until the problem is solved (either by reporting a false alarm to the antivirus authors or by rebuilding my development machine from scratch).

So if you are getting alarms from your antivirus the possibilities are:


What are the most appropriate caching parameters for my network in the configuration file?


The most appropriate parameters depend on what problem you are trying to solve with Acrylic.

A more detailed description of Acrylic's multiple layers of caching and a few suggestions can be found in the Acrylic Configuration page.

Why am I getting these ugly "TDnsResolver.Execute: Unexpected packet received from..." messages?


Acrylic logs this message when it receives a DNS packet from an address it has not been configured to serve. If you are trying to make Acrylic resolve requests coming from other computers in your LAN you have to list their addresses in the AllowedAddressesSection section of the AcrylicConfiguration.ini file.

For more information please refer to the Acrylic Configuration page.

What is the difference between the Windows service version and the console version of Acrylic?


The console version (AcrylicConsole.exe) and the Windows service version of Acrylic (AcrylicService.exe) are functionally identical, as they share the same code.

You may want to use the console version if you don't want to install anything on your computer (in this case I suppose you chose the portable version of Acrylic, didn't you?) or if you are experimenting with Acrylic and you don't want to restart the Windows service every time you change something in the configuration.

You cannot have both versions running at the same time because they would try to listen on the same UDP or TCP ports, which is not possible. In this case you might see an error message similar to the following one written into the AcrylicDebug.txt file (in the case of the Windows service version) or written to the standard output (in the case of the console version); Windows Sockets error code 10048 is WSAEADDRINUSE, "address already in use":

TDnsResolver.Execute: TDualUdpCommunicationChannel.Bind: Binding to IPv4 address 0.0.0.0 and port 53 failed with Windows Sockets error code 10048.

The console version of Acrylic currently understands the following command line options:

/NoBanner
Avoids writing Acrylic's banner to the standard output
/NoLog
Avoids writing Acrylic's log messages to the standard output

Is Acrylic affected by the DNS cache poisoning vulnerability CVE-2008-1447?


No.

Acrylic is not affected because it is a forwarding proxy rather than a recursive resolver: its cache is keyed by the request and stores each upstream response as a whole (see the AcrylicCache.dat format above), so the records carried in the authority and additional sections of a response for one name are never merged into the cache entry of another name. The Kaminsky attack depends on exactly that merging: a forged response for a throwaway name smuggles records for the target name into the cache, where in affected resolvers they overwrite valid entries. Note that this only rules out the cross-name variant; a forged response for the very name being queried is covered by the next question.

More technical details about the vulnerability and the attack strategy, presented by Dan Kaminsky at Black Hat 2008, can be found on the Black Hat web site.

Is Acrylic affected by other DNS cache poisoning vulnerabilities?


Yes.

The DNS protocol was designed without a strong authentication mechanism and with very little entropy per query (a 16-bit transaction ID, plus the source port if it is randomized), which allows a relatively high rate of success in forging responses. However carefully it has been written, any DNS resolver that does not rely on protocol extensions such as DNSSEC is vulnerable to cache poisoning to an extent that depends on how much entropy it is able to put into each query.
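The following Python model, added here and not part of the Acrylic project, puts numbers on that "certain extent": it estimates the success probability per race and the expected time to poison a cache from the bits of entropy the resolver puts into each query (16-bit transaction ID, optionally a random source port and 0x20 case randomization of the query name). The attacker model (a fixed number of distinct forgeries per race, Kaminsky-style unlimited retries with fresh names, a 50 ms race window) is an assumption for illustration, and the numbers describe any forwarder or resolver, not Acrylic's internals.

```python
"""Spoofing odds versus query entropy (added example; generic model, not Acrylic's internals)."""
import math
from typing import Dict, NamedTuple


class PoisonEstimate(NamedTuple):
    entropy_bits: int
    p_per_race: float        # chance that a single race (one outstanding query) is won
    expected_races: float    # mean number of races until a forgery is accepted
    expected_seconds: float  # expected_races * race_seconds


def case_randomization_bits(qname: str) -> int:
    """0x20 encoding: each ASCII letter of the query name is randomly upper- or lower-cased."""
    return sum(1 for c in qname if c.isalpha())


def poison_estimate(txid_bits: int = 16, port_bits: int = 0, extra_bits: int = 0,
                    guesses_per_race: int = 10_000, race_seconds: float = 0.05) -> PoisonEstimate:
    """Expected effort for an off-path attacker who sends `guesses_per_race` distinct forgeries
    before the genuine answer arrives and, Kaminsky-style, starts a new race for a fresh random
    name every time a race is lost. Unknown fields are assumed uniformly random."""
    bits = txid_bits + port_bits + extra_bits
    p = min(1.0, guesses_per_race / 2.0 ** bits)
    races = 1.0 / p
    return PoisonEstimate(bits, p, races, races * race_seconds)


def guesses_for_confidence(entropy_bits: int, confidence: float) -> int:
    """Distinct forged responses needed to win a single race with the given probability."""
    return math.ceil(confidence * 2 ** entropy_bits)


def compare(qname: str, guesses_per_race: int = 10_000, race_seconds: float = 0.05) -> Dict[str, PoisonEstimate]:
    """Three resolver configurations, from the weakest (fixed source port) to the strongest.
    A randomized source port is counted as a full 16 bits; real implementations that avoid
    the low ports get slightly less."""
    return {
        "txid only (fixed source port)": poison_estimate(16, 0, 0, guesses_per_race, race_seconds),
        "txid + random source port": poison_estimate(16, 16, 0, guesses_per_race, race_seconds),
        "txid + random port + 0x20 case": poison_estimate(
            16, 16, case_randomization_bits(qname), guesses_per_race, race_seconds),
    }


if __name__ == "__main__":
    for label, est in compare("www.example.com").items():
        print(f"{label:34} {est.entropy_bits:2d} bits  p/race={est.p_per_race:.2e}  "
              f"races={est.expected_races:.3g}  ~{est.expected_seconds / 86400:.3g} days")
```

With 10,000 forgeries per 50 ms race a 16-bit resolver falls in well under a second, the 32-bit one in about six hours on average, and adding 0x20 on a 13-letter name pushes the expectation to thousands of years; the point of the FAQ answer is that every one of these is "vulnerable to a certain extent", only the extent differs.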

Is it possible to use Acrylic together with DNSCrypt?


DNSCrypt encrypts and authenticates the DNS traffic between the client and a DNSCrypt-enabled resolver (OpenDNS in the example below), so that it cannot be read, spoofed or tampered with on the path to that resolver. Note that the resolver itself still sees your queries in clear.

With the proper configuration Acrylic can be used together with DNSCrypt to provide both increased security and increased speed.

First the dnscrypt-proxy application for Windows must be instructed to listen on a nonstandard port (port 40 here), like in the example shown below. This command line uses the syntax of dnscrypt-proxy 1.x; version 2.x takes its listening address from the listen_addresses setting of its configuration file instead:

dnscrypt-proxy.exe --resolver-name=opendns --local-address=127.0.0.1:40

Then Acrylic must be configured to forward its DNS requests to the same nonstandard port opened by dnscrypt-proxy, like in the example shown below:

PrimaryServerAddress=127.0.0.1
PrimaryServerPort=40

By properly setting the PrimaryServerDomainNameAffinityMask and PrimaryServerQueryTypeAffinityMask configuration parameters you can also choose to forward to dnscrypt-proxy only a subset of your DNS requests.

For more information about dnscrypt-proxy please refer to the DNSCrypt Project official page.

Is it possible to use Acrylic together with TOR?


TOR is an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.

With the proper configuration Acrylic can be used together with TOR to reap the benefits of the TOR network at the DNS level.

First the TOR Browser, which includes a SOCKS 5 proxy listening on 127.0.0.1 port 9150 (a standalone tor daemon listens on port 9050 instead), must be running; then Acrylic must be configured to channel all its DNS requests through that SOCKS 5 proxy, like in the example shown below. Because TOR's SOCKS proxy carries TCP streams only, the queries reach the configured resolvers over TCP from a TOR exit node; those resolvers (Google's public DNS in this example) still see the query names, only from the exit's address rather than yours:

PrimaryServerAddress=8.8.8.8
PrimaryServerPort=53
PrimaryServerProtocol=SOCKS5
PrimaryServerProxyAddress=127.0.0.1
PrimaryServerProxyPort=9150
SecondaryServerAddress=8.8.4.4
SecondaryServerPort=53
SecondaryServerProtocol=SOCKS5
SecondaryServerProxyAddress=127.0.0.1
SecondaryServerProxyPort=9150

For more information about TOR please refer to the TOR Project official page.
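As an added example (not Acrylic's code), the following Python script does by hand what the SOCKS5 configuration above asks Acrylic to do: open a SOCKS5 CONNECT to the resolver through the proxy at 127.0.0.1:9150 and exchange a length-prefixed DNS-over-TCP query and response over it. It is useful for checking the tunnel independently of Acrylic. The message builders and the response parser run offline against a constructed sample response; only query_via_socks5() touches the network and needs the TOR Browser running. The query name and the sample response bytes are made up for the example.

```python
"""DNS over TCP through a SOCKS5 proxy (RFC 1928, no-auth method); added example, not Acrylic's code."""
import random
import socket
import struct
from typing import List, Optional, Tuple

SOCKS5_GREETING = b"\x05\x01\x00"   # version 5, one auth method offered: 0x00 = no authentication


def socks5_connect_request(host: str, port: int) -> bytes:
    """CONNECT request: ATYP 1 for an IPv4 literal, ATYP 3 (name resolved by the proxy) otherwise."""
    try:
        addr = b"\x01" + socket.inet_aton(host)
    except OSError:
        raw = host.encode("idna")
        addr = b"\x03" + bytes([len(raw)]) + raw
    return b"\x05\x01\x00" + addr + struct.pack(">H", port)


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Standard query with RD set; qtype 1 = A."""
    name = b"".join(bytes([len(l)]) + l.encode("idna") for l in qname.rstrip(".").split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack(">HH", qtype, 1)


def frame_tcp(message: bytes) -> bytes:
    """DNS over TCP prefixes every message with its 16-bit big-endian length."""
    return struct.pack(">H", len(message)) + message


def _skip_name(msg: bytes, off: int) -> int:
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off


def parse_a_records(msg: bytes, expected_txid: int) -> Tuple[int, List[str]]:
    """Return (RCODE, IPv4 addresses); a response for another transaction ID is rejected."""
    txid, flags, qd, an, _, _ = struct.unpack_from(">HHHHHH", msg, 0)
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: response is not for our query")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    addresses = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addresses


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed by peer")
        buf += chunk
    return buf


def query_via_socks5(qname: str, proxy=("127.0.0.1", 9150), resolver=("8.8.8.8", 53),
                     txid: Optional[int] = None) -> Tuple[int, List[str]]:
    """Live lookup through the proxy (needs the TOR Browser running); not exercised offline."""
    txid = random.getrandbits(16) if txid is None else txid
    with socket.create_connection(proxy, timeout=60) as s:
        s.sendall(SOCKS5_GREETING)
        if _recv_exact(s, 2) != b"\x05\x00":
            raise ConnectionError("proxy did not accept the no-authentication method")
        s.sendall(socks5_connect_request(*resolver))
        ver, rep, _, atyp = _recv_exact(s, 4)           # VER REP RSV ATYP, then BND.ADDR BND.PORT
        if ver != 5 or rep != 0:
            raise ConnectionError(f"SOCKS5 CONNECT failed, reply code {rep}")
        bound_len = _recv_exact(s, 1)[0] if atyp == 3 else (16 if atyp == 4 else 4)
        _recv_exact(s, bound_len + 2)                   # discard bound address and port
        s.sendall(frame_tcp(build_query(txid, qname)))
        (length,) = struct.unpack(">H", _recv_exact(s, 2))
        return parse_a_records(_recv_exact(s, length), txid)


# Constructed sample: answer to build_query(0x1234, "www.example.com") with one A record, TTL 300.
SAMPLE_RESPONSE = bytes.fromhex(
    "123481800001000100000000"                     # header: id 0x1234, flags 0x8180, QD=1, AN=1
    "03777777076578616d706c6503636f6d0000010001"   # question: www.example.com, type A, class IN
    "c00c000100010000012c00045db8d822"             # answer: pointer to name, A IN TTL 300, 93.184.216.34
)

if __name__ == "__main__":
    print(parse_a_records(SAMPLE_RESPONSE, 0x1234))
    # print(query_via_socks5("www.example.com"))   # live check; requires the TOR Browser to be running
```

If the live call returns addresses while the TOR Browser is closed, the query did not go through the proxy at all, which is the leak this configuration is meant to prevent.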

Go back to the Acrylic Home page.