
Dnscrypt from opendns

Oh, if somebody could point me to a tutorial on how to build the standalone executables myself using Lance's script I would happily give that a try on my Ubuntu machine.

https://github.com/lancethepants/dnscrypt-mipsel-static

I did give it a try already without help, but got several compiler errors as my Entware toolchain setup is probably not OK (my first attempt at this).
 
Hi guys, looks like there is a new version of Dnscrypt, the 1.5, and some resolvers have changed. My dnscrypt stopped working today on the NT66U, Entware installed. I checked dnscrypt.org and the resolvers of opendns, which are the ones I use, so I get the error dnscrypt-proxy[675]: No useable certificates found. I have not changed to another DNS resolver because I use those opendns ones and have some filters implemented. In the Entware database, is there going to be an update so the people having these issues can have dnscrypt back? Thanks!
 
I reinstalled dnscrypt

------------------ I get this if I leave the no-resolv and server lines in the dnsmasq.conf.add file like this; it does not work... no internet
no-resolv
server=127.0.0.1#65053

ntp: start NTP update
Dec 31 19:40:56 dnscrypt-proxy[655]: Refetching server certificates
Dec 31 19:40:56 dnscrypt-proxy[655]: Server certificate #1435874751 received
Dec 31 19:40:56 dnscrypt-proxy[655]: This certificate has not been activated yet
Dec 31 19:40:56 dnscrypt-proxy[655]: No useable certificates found
Dec 31 19:41:12 watchdog: start ddns.
------------------


If I comment them
#no-resolv
#server=127.0.0.1#65053
it starts getting the certificate and does not work; I have internet but no dnscrypt
Can you help me out? thanks!

6 06:26:35 dnscrypt-proxy[627]: Refetching server certificates
Jul 6 06:26:36 dnscrypt-proxy[627]: Server certificate #1435874751 received
Jul 6 06:26:36 dnscrypt-proxy[627]: This certificate looks valid
Jul 6 06:26:36 dnscrypt-proxy[627]: Chosen certificate #1435874751 is valid from [2015-07-03] to [2016-07-02]
Jul 6 06:26:36 dnscrypt-proxy[627]: Server key fingerprint is ED19:BFBA:FAFC:9257:DFDC:68C7:69BF:AC24:94CD:743F:3C1D:4966:134D:FE2C:4BDC:F315
Jul 6 06:26:36 dnscrypt-proxy[627]: Proxying from 127.0.0.1:65053 to 208.67.220.220:53
 
I did give it a try already without help, but got several compiler errors as my Entware toolchain setup is probably not OK (my first attempt at this).
Turns out I missed one trivial part: putting the Entware toolchain bin folder in (front of) my PATH...

Compiles and runs now!

However, both dnscrypt-proxy and hostip are much larger than those provided by Lance (about twice as large). I'm not sure whether that's because I compare my dnscrypt-proxy 1.5.0 & libsodium 1.0.3 with his 1.4.3/1.0.2 combi, or something else (no time to try yet). The "strip" command does not reduce the size of my binaries.

Would it matter that dns-crypt is 600K now and that I run two instances?
 
Dnscrypt was not working after upgrade from 54 to 55.

It was getting the certificates but was not validating them.

The culprit in my case was NTP servers were not getting started in time, this issue was mentioned in this thread.

Undertook below steps and they are working now

opkg remove dnscrypt-proxy
opkg remove hostip

opkg install dnscrypt-proxy
opkg install hostip

and the rest of the scripts i.e., with a bit of tweaking in wan-start and post-mount to make sure ntp is successfully updated got Dnscrypt up and running again.

It would be nice to get the updated Dnscrypt.
The current version still available in opkg is still 1.4.3-1

As per
http://dnscrypt.org/#dnscrypt-routers the current versions are

Current stable DNSCrypt client version: 1.6.0
Current stable DNSCrypt server version: 0.1.17
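
An added example, not part of the original posts and not the poster's actual scripts: a boot-time gate that holds dnscrypt-proxy back until NTP has set the clock, which is the condition behind the "This certificate has not been activated yet" lines in this thread. The function names, the MIN_YEAR floor and the retry values are assumptions; the dnscrypt-proxy flags in the closing comment are the ones shown in the thread.

```shell
#!/bin/sh
# Added example: start dnscrypt-proxy only once the system clock is plausible.
# A router without a battery-backed clock boots near the epoch, so a resolver
# certificate valid from 2015-07-03 is rejected until NTP has synced.

# Assumption: any year at or past the certificate's start year counts as synced.
MIN_YEAR="${MIN_YEAR:-2015}"

# Year according to the system clock (kept as a function so it can be stubbed).
current_year() { date +%Y; }

# Succeeds once the clock is at or past the floor.
clock_is_sane() {
    [ "$(current_year)" -ge "$MIN_YEAR" ]
}

# wait_for_clock TRIES INTERVAL
# Polls the clock; returns 0 as soon as it is sane, 1 if the budget runs out.
wait_for_clock() {
    tries="$1"; interval="$2"
    while [ "$tries" -gt 0 ]; do
        clock_is_sane && return 0
        tries=$((tries - 1))
        sleep "$interval"
    done
    return 1
}

# start_when_ready TRIES INTERVAL CMD [ARGS...]
# Runs CMD only with a sane clock. On timeout it starts nothing, so with
# no-resolv still in dnsmasq.conf.add DNS stays down rather than silently
# falling back to the ISP's unencrypted resolvers.
start_when_ready() {
    tries="$1"; interval="$2"; shift 2
    if wait_for_clock "$tries" "$interval"; then
        "$@"
    else
        logger -t dnscrypt-gate "clock before $MIN_YEAR, not starting" \
            2>/dev/null || true
        return 1
    fi
}

# Possible call from a boot script (five minutes of polling, values assumed):
# start_when_ready 60 5 dnscrypt-proxy --local-address=127.0.0.1:65053 -R opendns
```
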
 
Entware synced with OpenWrt SVN trunk and I just checked dnscrypt-proxy, it's working:
Code:
admin@RT-N66U:/tmp/home/root# dnscrypt-proxy --local-address=127.0.0.1:99 --loglevel=999 -R opendns
[INFO] - [opendns] does not support DNS Security Extensions
[INFO] - [opendns] does not support Namecoin domains
[WARNING] - [opendns] logs your activity - a different provider might be better a choice if privacy is a concern
[NOTICE] Starting dnscrypt-proxy 1.5.0
[INFO] Initializing libsodium for optimal performance
[INFO] Generating a new key pair
[INFO] Done
[INFO] Server certificate #1435874751 received
[INFO] This certificate looks valid
[INFO] Chosen certificate #1435874751 is valid from [2015-07-03] to [2016-07-02]
[INFO] Server key fingerprint is ED19:BFBA:FAFC:9257:DFDC:68C7:69BF:AC24:94CD:743F:3C1D:4966:134D:FE2C:4BDC:F315
[NOTICE] Proxying from 127.0.0.1:99 to 208.67.220.220:443
 
I tried it again and got a lot of certificate not in use yet errors using opendns before it finally worked, the 2nd resolver script refused to work though. If I used other resolvers the opendns page said I wasn't using it.
 
yep,
it takes a while and multiple attempts in my case about 4 odd before dnscrypt validates the certificates.

The thing holding it back from validating the server certificate earlier was due to NTP not updating.

It might be the case with you too.

It's a quirk of OpenDNS, if you use resolvers other than opendns such as opendns-eu.dk etc., in the resolvers list, it says you are not on opendns.

We do have to note that dnscrypt is not from opendns but from another separate individuals/organization supported by opendns through infrastructure and resolvers hosted by other parties.

2nd resolvers might not be necessary.
I have hardly seen their servers go down and might be an unnecessary activity on the router resources.
 
moderator / ryzhov_al when would the dnscrypt 1.6 be available for Asus routers ?
 
I'm not going to update static builds anymore.
moderator / ryzhov_al when would the dnscrypt 1.6 be available for Asus routers ?
As for Entware, dnscrypt-proxy 1.6 will be available after next sync with OpenWrt trunk in September.
 
ryzhov_al thanks for the update on Dnscrypt 1.6 september sync.

I was hours ahead of you on Tuesday i.e., 20/21 before your entware trunk sync and I got the Dnscrypt 1.4.3-1.

After your post I upgraded & updated entware and now am on Dnscrypt 1.5.

I can also confirm that it is working without any issue so far.
 
I am running dnscrypt and most is working well so far.
But since I activated dnscrypt I got a problem with my office laptop (which uses a vpn to connect to the office network). After some minutes I do lose connection to that vpn. If I shut down dnscrypt all is working fine. So I guess my office's vpn doesn't like the encrypted dns queries in some way, even the vpn is done on layer 2.
Is there a way to exclude a single dhcp ip from running through dnscrypt and using my normal dns by my isp?
How can that be done? By a PREROUTING rule? Or via dnsmasq config? Any thoughts?

log:
Jul 28 11:12:37 dnsmasq[25985]: using nameserver 212.60.63.246#53 for domain local
Jul 28 11:12:37 dnsmasq[25985]: using nameserver 212.60.63.246#53 for domain dyn.cable.fcom.ch
Jul 28 11:12:37 dnsmasq[25985]: using nameserver 212.60.61.246#53 for domain local
Jul 28 11:12:37 dnsmasq[25985]: using nameserver 212.60.61.246#53 for domain dyn.cable.fcom.ch
Jul 28 11:12:37 dnsmasq[25985]: using nameserver 127.0.0.1#65053
 