Dnscrypt from opendns

Hello all,

I am interested in learning about setting up DNSCrypt on my ASUS router, but I must say, I am not as well versed in wget or telnet commands. I'm not one to simply begin messing with hardware/software before learning a little more about the hows and whats, and was wondering if there are any recommended links you might suggest to get started.

For instance, I went to the Entware GitHub page and clicked on "preparing the USB", and although the steps seem easy enough, I'm not sure exactly where to "begin". Is there perhaps an in-depth tutorial or a visual step-by-step guide available online?

Any info is greatly appreciated! Thank you very much
 
First you need to flash your ASUS router with Merlin firmware and then format the USB stick to EXT2, EXT3 or EXT4. I use Partition Wizard Professional Edition 9.0 Portable to format my USB stick to EXT4.
The Merlin firmware is located here:
Code:
http://asuswrt.lostrealm.ca/download
Then go here for a great tutorial on how to install Entware-ng on your formatted USB:
Code:
https://www.hqt.ro/how-to-install-new-generation-entware/
Here is a tutorial on how to install dnscrypt-proxy:
Code:
https://github.com/RMerl/asuswrt-merlin/wiki/Secure-DNS-queries-using-DNSCrypt
Those are all the important things. Here is also a thread about installing dnscrypt-proxy; try to read it:
http://www.snbforums.com/threads/dnscrypt-from-opendns.11645/
 
So the problem I'm having is this:

I chose the Cisco OpenDNS IPv6 server from the list when I set up dnscrypt-proxy, but after a reboot my router doesn't get an IPv6 address anymore. I assume that because there's no IPv6 address it can't resolve DNS, hence nothing has internet...
 

DNS isn't needed to bring up the IPv6 interface on the router. It all depends on your ISP's implementation, which is advertised to your router. I would work backwards in your case. Disable dnscrypt-proxy and do a couple of reboots to see if your router is getting IPv6 reliably. If not, then you need to resolve it through the ISP.

I have had issues with OpenDNS/Cisco IPv6 using dnscrypt. Sometimes it took over 10 minutes before the certs would be delivered to me, and during all that time DNS queries were timing out. I had to write a script to use unencrypted DNS until dnscrypt came up, which was just as buggy. Eventually I just went back to using IPv4 dnscrypt.
 
As soon as I remove

/jffs/configs/dnsmasq.conf.add

then the internet at least starts working. After removing dnscrypt-proxy and then rebooting, I get my IPv6 address again. I get an IPv6 address every time on reboot until I have dnscrypt on...

I'll try with the IPv4 version though...

Can I have both IPv4 and IPv6 enabled?


Sent from my iPhone using Tapatalk
 
I have the same problem. If I enable both versions then only IPv4 is encrypted; IPv6 is still using DNS from my ISP. I think we need different scripts and dnsmasq to work properly with both protocols at the same time. Today I disabled the IPv6 protocol because it does not use the dnscrypt resolver.
 
After reading over the excellent tutorial I have a few questions.

1. What advantages does running DNSCrypt through the router have, say, over running it as a service such as DNSCrypt-proxy?
2. If DNSCrypt is set up via the router, then I assume one should leave the DNS settings in Windows (preferred and alternate, found under the IPv4 settings) alone?
3. The same question as above, but in regards to the DNS settings on the router after setting up DNSCrypt as a service within Windows?
4. As for the USB drive, is there a preferred size? Is USB3 preferred, or will any drive do?

Thanks for the information thus far!
 
Do go through this thread.

It will give you more information regarding dnscrypt protocol and its implementation dnscrypt-proxy for the router.

All your questions and some more were discussed prior and
it will help you in understanding the concept, steps and trouble-shooting.
 
I did initially have a non-OpenDNS server configured, but DNS lookups were noticeably slow, so that's now the backup DNS and OpenDNS is primary again. OpenDNS dnscrypt vs. OpenDNS plain has virtually no performance impact.
 
Little update: it seems the dnscrypt.org fr and nl servers cache negative DNS, which is pretty annoying.

So seems the only way to get

fast
no logging
dnssec
no neg dns caching

is via my own server, well I just have got it working now.

Also with cert rotation.

I may possibly allow some others to use it if anyone is interested in a UK dnscrypt, DNSSEC, no-negative-cache server; it will be no logging also once I am sure everything is 100%.

The Dutch server I had to stop using, lots of outages.
 
Negative caching time is part of a zone's SOA, as defined by RFC2308. For a DNS to ignore that field would probably be a break in compliance.
 
Hi everyone.
Managed to install Entware and dnscrypt without problems, but on the dnscrypt install I didn't choose any DNS servers, since my default ones (manually entered into the router config) are from OpenNIC and dnscrypt capable.
I thought that if I didn't choose a DNS server from 1-53 in the install script, it would default to my "default" DNS. But it didn't, and I was left without internet.

So my question is, how do I use servers that aren't on the 1 to 53 list during installation?
 
Negative caching time is part of a zone's SOA, as defined by RFC2308. For a DNS to ignore that field would probably be a break in compliance.

Correct, but that's the decision I have made.

Incidentally, I have configured a reverse DNS TTL limit, but it's just very low.
As it turns out my dnscrypt-wrapper went down yesterday due to an error in my cert generation script, but hopefully this issue is now resolved and I am good going forward. During the time the French server took over, things were slower and I was routed to a YouTube server 300 ms away instead of one in the UK.

The Dutch dnscrypt.org server is pretty fast, but I had repeated outages. Also it seems the French server is IPv4 only (not sure about the Dutch one).

So my server
15 sec negative dns ttl limit
ipv4/ipv6
recommended google optimisations applied for performance
dnssec activated
uk based, with no cdn routing issues
rfc1035 compliant
no outages as of yet other than when my cert cycling failed
no logging
only open to my static ip and local requests for recursive queries (may add more on request if people request to use)

I am only hosting this on a cheap VPS, but that's enough since a DNS server is not particularly CPU or I/O dependent. It just needs a good quality network connection.

--edit--

Also, don't be concerned about my negative caching policy; you did the same thing in your dnsmasq.conf template, you prevent all negative DNS caching :)
no-negcache
 
So my question is, how do I use server that aren't on 1 to 53 list during installation?

Since no one helped, I had to go through all the Entware folders until I understood how to make it work.

1. Install script as said in Merlin wiki and choose any server offered.
2. Go to
Code:
vi /opt/share/dnscrypt-proxy/dnscrypt-resolvers.csv

Go to last line, last character, and type *o to edit in new line mode
Enter everything needed for the server to work, in the same order as the servers above. My guess is that the only important fields are field 1 (name), field 11 (resolver address), field 12 (provider name) and field 12 (provider public key).
It should look something like this:
Code:
name,"Full name","Description","Location","Coordinates","URL",Version,"DNSSEC validation","No logs","Namecoin",IPaddress,provider_name,public_key,public_key_txt_records
You can probably skip some entries, like this:
Code:
open.nic.server,"Any long name",,,,,1,no,yes,yes,123.456.789.123,something.some.thing.com,PU12:BL34:IC56:KE78,^M

Press ESC, then exit vi with :x to save changes.
Then go to
Code:
vi /opt/etc/init.d/S09dnscrypt-proxy

and edit line that starts with ARGS= to look something like this
Code:
ARGS="--local-address=127.0.0.1:65053 --daemonize -R open.nic.server"

Where open.nic.server = name you gave to your server.

Stop and start dnscrypt and everything should work.

And now for the dnscrypt pros.
Question 1: How do I set a first and second dnscrypt resolver, so it has a backup if the first one fails?
Here are some instructions, but I really don't understand them.

Question 2: Where to change DNS port?
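As an added example (not from the post above or from dnscrypt-proxy itself), a small Python checker for a hand-written dnscrypt-resolvers.csv record, using the 14-column order shown in the post: the record must have 14 fields, a parseable resolver IP (with optional port), and a provider public key written as 16 colon-separated groups of 4 hex digits, as in the real keys quoted later in this thread. The sample records, the 192.0.2.10 address and the key value are constructed; the "2.dnscrypt-cert." prefix check follows the naming convention visible in this thread and is my assumption, not something the post states.

```python
import csv
import io
import ipaddress
import re

# Column order from the header line quoted in the post (14 fields).
FIELDS = ["name", "full_name", "description", "location", "coordinates", "url",
          "version", "dnssec", "no_logs", "namecoin", "address",
          "provider_name", "public_key", "public_key_txt"]

# A v1 provider key is a 32-byte key fingerprint written as 16 groups of 4 hex digits.
KEY_RE = re.compile(r"^([0-9A-Fa-f]{4}:){15}[0-9A-Fa-f]{4}$")

def host_of(address):
    """Strip an optional port: '1.2.3.4:443' -> '1.2.3.4', '[::1]:443' -> '::1'."""
    if address.startswith("[") and "]" in address:
        return address[1:address.index("]")]
    host, sep, port = address.rpartition(":")
    return host if sep and port.isdigit() and ":" not in host else address

def check_record(fields):
    """Return the problems found in one record; an empty list means it looks usable."""
    if len(fields) != len(FIELDS):
        return ["expected %d fields, got %d" % (len(FIELDS), len(fields))]
    rec = dict(zip(FIELDS, fields))
    problems = []
    try:
        ipaddress.ip_address(host_of(rec["address"]))
    except ValueError:
        problems.append("resolver address is not a valid IP: %r" % rec["address"])
    if not rec["provider_name"].startswith("2.dnscrypt-cert."):  # convention, assumed
        problems.append("provider name does not start with '2.dnscrypt-cert.'")
    if not KEY_RE.match(rec["public_key"]):
        problems.append("public key must be 16 colon-separated groups of 4 hex digits")
    return problems

def check_csv(text):
    """Check every record after the header; returns {name: [problems]}."""
    rows = list(csv.reader(io.StringIO(text)))
    return {row[0]: check_record(row) for row in rows[1:] if row}

# Constructed sample: the post's header, one plausible record and the post's placeholder line.
SAMPLE_CSV = (
    'name,"Full name","Description","Location","Coordinates","URL",Version,'
    '"DNSSEC validation","No logs","Namecoin",IPaddress,provider_name,public_key,public_key_txt_records\n'
    'good-example,"Constructed example",,,,,1,yes,yes,no,192.0.2.10:443,2.dnscrypt-cert.example.net,'
    '0123:4567:89AB:CDEF:0123:4567:89AB:CDEF:0123:4567:89AB:CDEF:0123:4567:89AB:CDEF,\n'
    'open.nic.server,"Any long name",,,,,1,no,yes,yes,123.456.789.123,something.some.thing.com,PU12:BL34:IC56:KE78,\n'
)
```

Running `check_csv(SAMPLE_CSV)` reports no problems for the constructed record and three for the placeholder line (invalid IP, provider name, key format), which is the kind of mistake that leaves the router without DNS after a restart.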
 
Hello,

I'm using DNSCrypt with 2 resolvers. I hoped it would use the first one only until it is down, but it's toggling between both all the time (checked with www.dnsleaktest.com and www.whoer.net).
I'm getting latency peaks because of that (some packets are getting lost via ping while the resolver is changed).

My config is following:

/jffs/scripts/wan-start
Code:
/jffs/bin/dnscrypt-proxy --local-address=127.0.0.1:60053 --resolver-address=185.115.241.3:443 --resolver-name=2.dnscrypt-cert.fvz-rec-fr-par-01.dnsrec.meo.ws --resolver-key=B645:DC89:0C1D:2A2F:CB03:4EB4:F432:1F90:7A78:6D15:074E:72E4:8216:BC47:9E0A:4B7C --daemonize
/jffs/bin/dnscrypt-proxy --local-address=127.0.0.1:60054 --resolver-address=51.254.68.187:443 --resolver-name=2.dnscrypt-cert.fvz-rec-fr-sxb-01.dnsrec.meo.ws --resolver-key=53E7:3A2C:7EB2:C574:0C2B:8826:56EF:13CF:FA3F:1B3F:A902:7773:E0F1:A9D2:0CD7:E037 --daemonize

/jffs/configs/dnsmasq.conf.add
Code:
no-resolv
server=127.0.0.1#60053 # dnscrypt
server=127.0.0.1#60054 # dnscrypt

How can I make my router use only the first resolver #60053 until it goes down, and then change to #60054?
 
How can I make my router use only the first resolver #60053 until it goes down, and then change to #60054?
--strict-order
By default, dnsmasq will send queries to any of the upstream servers it knows about and tries to favour servers that are known to be up. Setting this flag forces dnsmasq to try each query with each server strictly in the order they appear in /etc/resolv.conf
 
Thanks, changed it to:
Code:
no-resolv
strict-order
server=127.0.0.1#60053 # dnscrypt
server=127.0.0.1#60054 # dnscrypt

But it's only using the second resolver #60054 now, not the first one.

Any idea?
 
I've been trying to get simultaneous IPv4/IPv6 working, and I see in the logs that the default IPv6 DNS servers are still used, in addition to DNSCrypt. Any idea how to fix this?

Code:
Apr 12 21:36:30 dnsmasq[891]: using nameserver 2620:0:ccd::2#53
Apr 12 21:36:30 dnsmasq[891]: using nameserver 2620:0:ccc::2#53
Apr 12 21:36:30 dnsmasq[891]: using nameserver ::1#65054
Apr 12 21:36:30 dnsmasq[891]: using nameserver 127.0.0.1#65053

Configs below:

/jffs/configs/dnsmasq.conf.add:
Code:
no-resolv
server=127.0.0.1#65053
server=::1#65054

/opt/etc/init.d/S08dnscrypt-proxy:
Code:
#!/bin/sh

ENABLED=yes
PROCS=dnscrypt-proxy
ARGS="--ephemeral-keys --local-address='[::1]:65054' --daemonize -R cisco-ipv6"
PREARGS=""
DESC=
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

/opt/etc/init.d/S09dnscrypt-proxy:
Code:
#!/bin/sh

ENABLED=yes
PROCS=dnscrypt-proxy
ARGS="--ephemeral-keys --local-address=127.0.0.1:65053 --daemonize -R cisco"
PREARGS=""
DESC=
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func
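As an added example (not from this thread or from dnsmasq), a Python check of the dnsmasq.conf.add above against what dnsmasq logs at startup: any "using nameserver" entry that is not a loopback listener means queries are bypassing dnscrypt-proxy, which is exactly what the two 2620:0:cc*::2 lines in the post show. The config and log lines are copied from the post; the function names are my own.

```python
import ipaddress
import re

# dnsmasq.conf.add lines such as "server=127.0.0.1#65053" (trailing comments allowed)
SERVER_RE = re.compile(r"^\s*server=(\S+?)#(\d+)")
# syslog lines such as "dnsmasq[891]: using nameserver 2620:0:ccd::2#53"
USING_RE = re.compile(r"dnsmasq\[\d+\]: using nameserver (\S+)#(\d+)")

def configured_servers(conf_text):
    """(address, port) pairs from server= lines, in file order."""
    return [(m.group(1), int(m.group(2)))
            for m in map(SERVER_RE.match, conf_text.splitlines()) if m]

def upstreams_from_log(lines):
    """(address, port) pairs in the order dnsmasq announced them."""
    return [(m.group(1), int(m.group(2)))
            for m in map(USING_RE.search, lines) if m]

def leaked_upstreams(lines):
    """Logged upstreams that are not loopback, i.e. queries bypassing dnscrypt-proxy."""
    return [(a, p) for a, p in upstreams_from_log(lines)
            if not ipaddress.ip_address(a).is_loopback]

def audit(conf_text, lines):
    """Config versus runtime: listeners configured but absent, and upstreams never configured."""
    want, have = set(configured_servers(conf_text)), set(upstreams_from_log(lines))
    return {"missing": sorted(want - have), "unexpected": sorted(have - want)}

# Inputs copied from the post above: dnsmasq.conf.add and the four syslog lines.
CONF = """no-resolv
server=127.0.0.1#65053
server=::1#65054
"""
LOG = [
    "Apr 12 21:36:30 dnsmasq[891]: using nameserver 2620:0:ccd::2#53",
    "Apr 12 21:36:30 dnsmasq[891]: using nameserver 2620:0:ccc::2#53",
    "Apr 12 21:36:30 dnsmasq[891]: using nameserver ::1#65054",
    "Apr 12 21:36:30 dnsmasq[891]: using nameserver 127.0.0.1#65053",
]

if __name__ == "__main__":
    print(audit(CONF, LOG))
```

On a router, feed it the live config and `logread | grep "using nameserver"`; anything under "unexpected" is an upstream that dnsmasq learned from elsewhere (here the ISP's IPv6 servers via the WAN) rather than from dnsmasq.conf.add.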
 
Thanks, changed it to:
Code:
no-resolv
strict-order
server=127.0.0.1#60053 # dnscrypt
server=127.0.0.1#60054 # dnscrypt

But it's only using the second resolver #60054 now, not the first one.

Any idea?

The order is reversed, so the last one in the config is the first server used.
 