Acrylic DNS Proxy Frequently Asked Questions


Is it possible to use Acrylic with TOR?
Is it possible to use Acrylic with DNSCrypt?
What about Acrylic performance with large HOSTS files?
Is it possible to use Acrylic as a DNS server for my home network?
Why doesn't AcrylicCache.dat grow or change while I browse the Internet?
What is the difference between the Windows service version and the console version of Acrylic?
Why am I getting these ugly "TDnsResolver.Execute: Unexpected packet received from..." messages?
Is Acrylic affected by the DNS cache poisoning vulnerability CVE-2008-1447?
Is Acrylic affected by other DNS cache poisoning vulnerabilities?

Is it possible to use Acrylic with TOR?


TOR is an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.

With the proper configuration Acrylic can be used together with TOR to reap the benefits of the TOR network at the DNS level.

First the TOR Browser, which includes a SOCKS5 proxy listening on 127.0.0.1 port 9150, must be running; then Acrylic must be configured to channel all its DNS requests through that proxy, like in the example shown below. Keep in mind that Tor's SOCKS interface carries TCP only, so the queries travel as DNS over TCP to the upstream server and leave the Tor network in clear text at the exit relay, which can observe them: what Tor hides is your own address from the upstream server, not the content of the lookups.

PrimaryServerAddress=8.8.8.8
PrimaryServerPort=53
PrimaryServerProtocol=SOCKS5
PrimaryServerProxyAddress=127.0.0.1
PrimaryServerProxyPort=9150
SecondaryServerAddress=8.8.4.4
SecondaryServerPort=53
SecondaryServerProtocol=SOCKS5
SecondaryServerProxyAddress=127.0.0.1
SecondaryServerProxyPort=9150
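To make concrete what the SOCKS5 setting above implies on the wire, here is an added illustration (not Acrylic's own code, and not taken from the Tor project) of the exchange a forwarder in this configuration has to perform: a SOCKS5 greeting and CONNECT to the upstream resolver's TCP port 53, followed by a length-prefixed DNS-over-TCP query. The transaction ID, query name and the sample reply bytes are constructed for the example.

```python
"""Added illustration (not Acrylic's code) of the wire-level exchange that a
PrimaryServerProtocol=SOCKS5 setting implies: a DNS query carried over TCP
inside a SOCKS5 CONNECT tunnel to the upstream resolver."""
import struct

# SOCKS5 reply codes from RFC 1928, section 6.
SOCKS5_REPLY = {
    0: "succeeded", 1: "general SOCKS server failure",
    2: "connection not allowed by ruleset", 3: "network unreachable",
    4: "host unreachable", 5: "connection refused", 6: "TTL expired",
    7: "command not supported", 8: "address type not supported",
}


def build_dns_query(txid, qname, qtype=1):
    """Wire-format DNS query: 12-byte header with RD set and one question
    (qtype 1 = A, class 1 = IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_tcp(message):
    """DNS over TCP (RFC 1035, 4.2.2) prefixes each message with its 16-bit length."""
    return struct.pack("!H", len(message)) + message


def unframe_tcp(data):
    """Strip and check the 2-byte length prefix of a DNS-over-TCP response."""
    (length,) = struct.unpack("!H", data[:2])
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated DNS-over-TCP message")
    return body


def socks5_greeting():
    """Version 5, one offered auth method: 0x00 (no authentication),
    which the Tor Browser SOCKS port accepts."""
    return b"\x05\x01\x00"


def socks5_connect(ipv4, port):
    """CONNECT request (CMD 0x01) with an IPv4 destination (ATYP 0x01)."""
    addr = bytes(int(octet) for octet in ipv4.split("."))
    return b"\x05\x01\x00\x01" + addr + struct.pack("!H", port)


def parse_socks5_reply(data):
    """Return (ok, reason) for the server's reply to CONNECT."""
    if len(data) < 2 or data[0] != 5:
        return False, "not a SOCKS5 reply"
    return data[1] == 0, SOCKS5_REPLY.get(data[1], "unassigned reply code")


def client_messages(txid, qname, upstream_ip, upstream_port=53):
    """Client-side messages, in order, for one lookup through the tunnel:
    greeting, CONNECT to the upstream resolver, then the framed DNS query."""
    return [socks5_greeting(),
            socks5_connect(upstream_ip, upstream_port),
            frame_tcp(build_dns_query(txid, qname))]


def response_matches(query, response):
    """Minimal sanity check before trusting a reply: same transaction id,
    QR bit set, and the question section echoed back unchanged."""
    return bool(len(response) >= 12
                and response[:2] == query[:2]
                and response[2] & 0x80
                and response[12:].startswith(query[12:]))
```

The first two client messages are what Tor sees; only after a successful CONNECT reply does the DNS query flow, and it reaches the upstream server as ordinary DNS over TCP from the exit relay's address.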

For more information about TOR please refer to the TOR Project official page.

Is it possible to use Acrylic with DNSCrypt?


DNSCrypt encrypts and authenticates all DNS traffic between the user and OpenDNS, preventing eavesdropping, spoofing and man-in-the-middle attacks on that path.

With the proper configuration Acrylic can be used together with DNSCrypt to provide both increased security and increased speed.

First the dnscrypt-proxy application for Windows must be instructed to listen on a nonstandard port (Acrylic itself occupies port 53), like in the example shown below:

dnscrypt-proxy.exe --resolver-name=opendns --local-address=127.0.0.1:40

Then Acrylic must be configured to forward its DNS requests to the nonstandard port opened by dnscrypt-proxy, like in the example shown below:

PrimaryServerAddress=127.0.0.1
PrimaryServerPort=40

By properly setting the PrimaryServerDomainNameAffinityMask and PrimaryServerQueryTypeAffinityMask configuration parameters you can also choose to forward to dnscrypt-proxy only a subset of your DNS requests.

For more information about dnscrypt-proxy please refer to the DNSCrypt Project official page.

What about Acrylic performance with large HOSTS files?


I've done some performance tests on Acrylic from which these conclusions can be drawn:


All tests have been performed on a computer with Windows 10 Pro x64, an Intel Core i3 540 @ 3.06 GHz CPU and 8 GB of DDR3 RAM @ 1333 MHz. Here are the raw test results:

Description                                                                                                                        Average (milliseconds)
Direct access to Google public DNS servers                                                                                         56.550 ± 4.650
Using Acrylic DNS Proxy out of the box (uncached query)                                                                            42.450 ± 1.950
Using Acrylic DNS Proxy out of the box (cached query)                                                                               0.504 ± 0.005
Using Acrylic DNS Proxy out of the box with a hosts file containing 750k IPv4 domain names (cached query)                           0.523 ± 0.004
Using Acrylic DNS Proxy out of the box with a hosts file containing 750k IPv4 domain names and 50k IPv4 patterns (cached query)     5.230 ± 0.010
Using Acrylic DNS Proxy out of the box with a hosts file containing 750k IPv4 domain names and 50k IPv4 regexes (cached query)     20.641 ± 0.016

Is it possible to use Acrylic as a DNS server for my home network?


Yes, you can specify in the AllowedAddressesSection section of the AcrylicConfiguration.ini file the list of IP addresses and ranges whose DNS requests Acrylic is allowed to handle; requests from any other address are dropped.

For more information please refer to the Acrylic Configuration page.

Why doesn't AcrylicCache.dat grow or change while I browse the Internet?


To minimize disk activity the cache is flushed from memory to disk only when the Acrylic DNS Proxy service is stopped or the system is shut down.

Thus you won't see anything change in the AcrylicCache.dat file until you stop the Acrylic DNS Proxy service or shut down the system.

What is the difference between the Windows service version and the console version of Acrylic?


The console version (AcrylicConsole.exe) and the Windows service version of Acrylic (AcrylicService.exe) are functionally identical, as they share the same code.

You may want to use the console version if you don't want to install anything on your computer (in this case I suppose you chose the portable version of Acrylic, didn't you?) or if you are experimenting with Acrylic and you don't want to restart the Windows service every time you change something in the configuration.

You cannot have both versions running at the same time, because they would try to listen on the same UDP and TCP ports. In that case you will see an error message similar to the following one, written to the AcrylicDebug.txt file (Windows service version) or to the standard output (console version); Windows Sockets error code 10048 is WSAEADDRINUSE, meaning the address and port are already in use:

TDnsResolver.Execute: TDualUdpCommunicationChannel.Bind: Binding to IPv4 address 0.0.0.0 and port 53 failed with Windows Sockets error code 10048.

Why am I getting these ugly "TDnsResolver.Execute: Unexpected packet received from..." messages?


These messages mean that a request arrived from an address Acrylic is not allowed to serve. If you are trying to make Acrylic resolve requests coming from other computers in your LAN you have to configure the AllowedAddressesSection section of the AcrylicConfiguration.ini file properly.

For more information please refer to the Acrylic Configuration page.

Is Acrylic affected by the DNS cache poisoning vulnerability CVE-2008-1447?


No. Acrylic is a forwarding proxy and does not perform recursive resolution, so it ignores the records in the authority and additional sections of a response (the NS and glue records a recursive resolver follows and caches). The Kaminsky attack relies precisely on those sections: the attacker makes the resolver look up many random names and floods it with forged responses whose authority/additional records carry a poisoned entry for a valuable name. In an affected resolver that entry would overwrite the valid cached one; Acrylic never uses it.

More technical details about the vulnerability and the attack strategy, presented by Dan Kaminsky at Black Hat 2008, can be found on the Black Hat web site.

Is Acrylic affected by other DNS cache poisoning vulnerabilities?


Yes. The DNS protocol as designed has no strong authentication mechanism and gives a client very little to check in a response (essentially the 16-bit transaction ID and the UDP source port), so an off-path attacker who guesses those values has a relatively high chance of getting a forged response accepted. No matter how carefully it is written, any DNS resolver that does not rely on protocol extensions such as DNSSEC (and only if validation happens in the resolver whose cache is at risk) is vulnerable to cache poisoning to some extent, depending on how much entropy it manages to put into each query. Encrypting and authenticating the path to the upstream resolver, for example with DNSCrypt as described above, removes this forged-response race on that hop.
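The two answers above (the CVE-2008-1447 question and the general cache-poisoning question) can be made concrete with a small model. The following is an added example, not Acrylic's code and not a description of its internals: it contrasts a recursive resolver that trusts authority/additional records with a forwarding proxy that caches only answer records for the question it asked, runs a Kaminsky-style glue-injection attack against both, and states the entropy arithmetic behind off-path spoofing. The domain names, addresses and transaction IDs are constructed for the example.

```python
"""Added model (not Acrylic's code) contrasting a recursive resolver that
trusts authority/additional records with a forwarding proxy that caches
only answer records for the question it asked, plus the entropy arithmetic
behind off-path spoofing. All traffic below is constructed."""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class RR:
    """One resource record; rdata is kept as a plain string for readability."""
    name: str
    rtype: str
    rdata: str


@dataclass
class Message:
    """The parts of a DNS message that matter here: 16-bit transaction id,
    question, and the three record sections. Wire encoding is omitted."""
    txid: int
    qname: str
    qtype: str
    answer: tuple = ()
    authority: tuple = ()
    additional: tuple = ()


class Cache:
    def __init__(self):
        self.entries = {}

    def put(self, rr):
        self.entries[(rr.name.lower(), rr.rtype)] = rr.rdata

    def get(self, name, rtype):
        return self.entries.get((name.lower(), rtype))


def accept_recursive(cache, query, resp):
    """Pre-CVE-2008-1447 recursive behaviour: if the txid matches, store every
    section, letting authority/additional records overwrite cached ones."""
    if resp.txid != query.txid:
        return False
    for rr in resp.answer + resp.authority + resp.additional:
        cache.put(rr)
    return True


def accept_forwarder(cache, query, resp):
    """Forwarding-proxy behaviour (the property the FAQ attributes to Acrylic):
    no recursion, so authority/additional records are never used or cached;
    only answer records for the exact question asked are stored."""
    if resp.txid != query.txid:
        return False
    if (resp.qname.lower(), resp.qtype) != (query.qname.lower(), query.qtype):
        return False
    for rr in resp.answer:
        if rr.name.lower() == query.qname.lower():
            cache.put(rr)
    return True


def kaminsky_attack(policy, victim="www.example.com", rounds=50, seed=1):
    """Run a Kaminsky-style attack against `policy`: the cache already holds a
    legitimate A record for `victim`; the attacker then triggers lookups for
    random sibling names and answers each with forged glue claiming `victim`
    lives at the attacker's address. Returns the address finally cached for
    `victim`. The attacker is assumed to win every txid race, to isolate the
    effect of the caching policy from the guessing problem."""
    rng = random.Random(seed)
    cache = Cache()
    cache.put(RR(victim, "A", "192.0.2.10"))            # legitimate entry
    for _ in range(rounds):
        name = f"x{rng.randrange(10 ** 6)}.example.com"
        query = Message(txid=rng.randrange(1 << 16), qname=name, qtype="A")
        forged = Message(
            txid=query.txid, qname=name, qtype="A",
            answer=(RR(name, "A", "198.51.100.66"),),
            authority=(RR("example.com", "NS", victim),),
            additional=(RR(victim, "A", "198.51.100.66"),),  # poisoned glue
        )
        policy(cache, query, forged)
    return cache.get(victim, "A")


def expected_forged_packets(txid_bits=16, port_bits=0):
    """Expected number of forged responses an off-path attacker must send to
    match one (txid, source port) pair, i.e. 2 ** (bits of entropy). With a
    fixed source port only the 16-bit txid has to be guessed."""
    return 2 ** (txid_bits + port_bits)
```

Even though the attacker wins every transaction-ID race in this model, the forwarding policy keeps the legitimate address because the poisoned glue never enters its cache; the entropy function shows why the race itself still matters for any resolver on an unauthenticated UDP path.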

Go back to the Acrylic Home page.