DNS leak test shows IP of my ISP DNS?

bayern1975

Very Senior Member
Hello, I have tested about 10 different dnscrypt-proxy servers today, but all of them show the IP of my DNS provider. I tested at dnsleaktest.com.
What could be wrong? I have no errors in the syslog of my Asus RT-AC68U... Is it possible the dnsleaktest site does not show it properly? Is there another way to test whether dnscrypt-proxy is working or not?

Here is my syslog; maybe someone can tell me if something is missing there?
Code:
Feb 21 13:06:21 pppd[511]: System time change detected.
Feb 21 13:06:21 dnscrypt-proxy: + DNS Security Extensions are supported
Feb 21 13:06:21 dnscrypt-proxy: + Namecoin domains can be resolved
Feb 21 13:06:21 dnscrypt-proxy: + Provider supposedly doesn't keep logs
Feb 21 13:06:21 dnscrypt-proxy[783]: Starting dnscrypt-proxy 1.6.0
Feb 21 13:06:21 dnscrypt-proxy[783]: Generating a new session key pair
Feb 21 13:06:21 dnscrypt-proxy[783]: Done
Feb 21 13:06:21 admin: Started  from .
Feb 21 13:06:21 rc_service: hotplug 669:notify_rc restart_nasapps
Feb 21 13:06:21 kernel: Adding 523940k swap on /opt/swap.  Priority:-1 extents:86 across:706552k
Feb 21 13:06:22 rc_service: service 770:notify_rc restart_ntpc
Feb 21 13:06:22 rc_service: waitting "restart_nasapps" via hotplug ...
Feb 21 13:06:22 iTunes: daemon is stopped
Feb 21 13:06:22 FTP Server: daemon is stopped
Feb 21 13:06:23 Samba Server: smb daemon is stopped
Feb 21 13:06:23 kernel: gro disabled
Feb 21 13:06:23 Timemachine: daemon is stopped
Feb 21 13:06:23 kernel: gro enabled with interval 2
Feb 21 13:06:24 Samba Server: daemon is started
Feb 21 13:06:25 rc_service: zcip 809:notify_rc start_firewall
Feb 21 13:06:25 rc_service: waitting "restart_nasapps" via hotplug ...
Feb 21 13:06:26 rc_service: zcip 809:notify_rc stop_dnsmasq
Feb 21 13:06:26 rc_service: waitting "start_firewall" via zcip ...
Feb 21 13:06:27 start_nat_rules: apply the nat_rules(/tmp/nat_rules_ppp0_eth0)!
Feb 21 13:06:28 dnsmasq[440]: exiting on receipt of SIGTERM
Feb 21 13:06:29 rc_service: zcip 809:notify_rc start_dnsmasq
Feb 21 13:06:29 custom script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
Feb 21 13:06:30 zcip client: configured 169.254.175.49
Feb 21 13:06:30 udpxy[841]: udpxy 1.0-Chipmunk (build 19) standard is starting
Feb 21 13:06:30 admin: AB-Solution added entries via dnsmasq.postconf
Feb 21 13:06:31 dnsmasq[853]: started, version 2.76-g41a8d9e cachesize 1500
Feb 21 13:06:31 dnsmasq[853]: DNSSEC validation enabled
Feb 21 13:06:31 dnsmasq[853]: DNSSEC signature timestamps not checked until first cache reload
Feb 21 13:06:31 dnsmasq[853]: warning: interface tun21 does not currently exist
Feb 21 13:06:31 dnsmasq[853]: warning: interface ppp1* does not currently exist
Feb 21 13:06:31 dnsmasq[853]: asynchronous logging enabled, queue limit is 5 messages
Feb 21 13:06:31 dnsmasq-dhcp[853]: DHCP, IP range 192.168.200.2 -- 192.168.200.254, lease time 1d
Feb 21 13:06:31 dnsmasq[853]: read /etc/hosts - 5 addresses
Feb 21 13:06:32 dnsmasq[853]: read /tmp/mnt/sda1/adblocking/blacklist.txt - 2 addresses
Feb 21 13:06:32 rc_service: ip-up 674:notify_rc start_dnsmasq
Feb 21 13:06:32 rc_service: waitting "stop_dnsmasq" via ip-up ...
Feb 21 13:06:33 custom script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
Feb 21 13:06:34 admin: AB-Solution added entries via dnsmasq.postconf
Feb 21 13:06:34 wan: finish adding multi routes
Feb 21 13:06:34 rc_service: ip-up 674:notify_rc stop_upnp
Feb 21 13:06:34 rc_service: waitting "start_dnsmasq" via ip-up ...
Feb 21 13:06:34 ntp: start NTP update
Feb 21 13:06:34 dnsmasq[878]: started, version 2.76-g41a8d9e cachesize 1500
Feb 21 13:06:34 dnsmasq[878]: DNSSEC validation enabled
Feb 21 13:06:34 dnsmasq[878]: DNSSEC signature timestamps not checked until first cache reload
Feb 21 13:06:34 dnsmasq[878]: warning: interface tun21 does not currently exist
Feb 21 13:06:34 dnsmasq[878]: warning: interface ppp1* does not currently exist
Feb 21 13:06:34 dnsmasq[878]: asynchronous logging enabled, queue limit is 5 messages
Feb 21 13:06:34 dnsmasq-dhcp[878]: DHCP, IP range 192.168.200.2 -- 192.168.200.254, lease time 1d
Feb 21 13:06:34 dnsmasq[878]: read /etc/hosts - 5 addresses
Feb 21 13:06:34 dnsmasq[878]: read /tmp/mnt/sda1/adblocking/blacklist.txt - 2 addresses
Feb 21 13:06:35 WAN Connection: WAN was restored.
Feb 21 13:06:35 rc_service: ip-up 674:notify_rc start_upnp
Feb 21 13:06:35 rc_service: waitting "stop_upnp" via ip-up ...
Feb 21 13:06:36 dnscrypt-proxy[783]: Unable to retrieve server certificates
Feb 21 13:06:36 ddns update: ez-ipupdate: starting...
Feb 21 13:06:37 dnscrypt-proxy[783]: Refetching server certificates
Feb 21 13:06:37 dnscrypt-proxy[783]: Server certificate #808464433 received
Feb 21 13:06:37 dnscrypt-proxy[783]: This certificate looks valid
Feb 21 13:06:37 dnscrypt-proxy[783]: Chosen certificate #808464433 is valid from [2016-02-22] to [2016-02-23]
Feb 21 13:06:37 dnscrypt-proxy[783]: Server key fingerprint is B572:F662:407C:4B19:A0E1:36DC:CACC:E17D:C88E:EB33:C857:E5A6:C7EC:94DC:92EE:FE68
Feb 21 13:06:37 dnscrypt-proxy[783]: Proxying from 127.0.0.1:65053 to 212.47.228.136:443
Feb 21 13:06:39 dnsmasq[878]: read /tmp/mnt/sda1/adblocking/hosts-adblock - 385307 addresses
Feb 21 13:06:40 dnsmasq[878]: using nameserver 95.176.233.13#53
Feb 21 13:06:40 dnsmasq[878]: using nameserver 193.189.160.13#53
Feb 21 13:08:27 ddns update: connected to dynupdate.no-ip.com (8.23.224.120) on port 80.
Feb 21 13:08:28 rc_service: ntp 835:notify_rc restart_upnp
Feb 21 13:08:28 ddns update: request successful
Feb 21 13:08:28 ddns update: asusddns_update: 0
Feb 21 13:08:29 udpxy[841]: udpxy 1.0-Chipmunk (build 19) standard is exiting with rc=[0]
Feb 21 13:08:29 rc_service: ntp 835:notify_rc restart_diskmon
Feb 21 13:08:29 dnsmasq[878]: now checking DNSSEC signature timestamps
Feb 21 13:08:29 disk_monitor: Finish
Feb 21 13:08:29 udpxy[892]: udpxy 1.0-Chipmunk (build 19) standard is starting
Feb 21 13:08:29 dnsmasq[878]: read /etc/hosts - 5 addresses
Feb 21 13:08:29 dnsmasq[878]: read /tmp/mnt/sda1/adblocking/blacklist.txt - 2 addresses
Feb 21 13:08:30 hour monitor: daemon is starting
Feb 21 13:08:30 ddns: ddns update ok
Feb 21 13:08:30 rc_service: ip-up 674:notify_rc start_vpnserver1
Feb 21 13:08:32 openvpn-routing: Refreshing policy rules for client 1
Feb 21 13:08:32 kernel: tun: Universal TUN/TAP device driver, 1.6
Feb 21 13:08:32 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Feb 21 13:08:32 openvpn-routing: Allow WAN access to all VPN clients
Feb 21 13:08:32 disk monitor: be idle
Feb 21 13:08:32 openvpn-routing: Refreshing policy rules for client 2
Feb 21 13:08:32 openvpn-routing: Allow WAN access to all VPN clients
Feb 21 13:08:32 openvpn-routing: Refreshing policy rules for client 3
Feb 21 13:08:32 openvpn-routing: Allow WAN access to all VPN clients
Feb 21 13:08:33 pppd[511]: System time change detected.
Feb 21 13:08:33 openvpn-routing: Refreshing policy rules for client 4
Feb 21 13:08:33 openvpn-routing: Allow WAN access to all VPN clients
Feb 21 13:08:33 openvpn-routing: Refreshing policy rules for client 5
Feb 21 13:08:33 openvpn-routing: Allow WAN access to all VPN clients
Feb 21 13:08:33 kernel: ADDRCONF(NETDEV_UP): tun21: link is not ready
Feb 21 13:08:33 kernel: device tun21 entered promiscuous mode
Feb 21 13:08:34 rc_service: service 1023:notify_rc restart_dnsmasq
Feb 21 13:08:34 rc_service: waitting "start_vpnserver1" via  ...
Feb 21 13:08:34 dnsmasq[878]: read /tmp/mnt/sda1/adblocking/hosts-adblock - 385307 addresses
Feb 21 13:08:34 dnsmasq[878]: using nameserver 95.176.233.13#53
Feb 21 13:08:34 dnsmasq[878]: using nameserver 193.189.160.13#53
 
From the README-merlin file:
** DNSFilter **
Under Parental Control there is a tab called DNSFilter. On this
page you can force the use of a DNS service that provides
security/parental filtering. This can be done globally, or on a
per device basis. Each of them can have a different type of filtering
applied. For example, you can have your LAN use OpenDNS's server to
provide basic filtering, but force your children's devices to use
Yandex's family DNS server that filters out malicious and adult
content.

If using a global filter, then specific devices can be told to
bypass the global filter, by creating a client rule for these,
and setting it to "No Filtering".

DNSFilter also lets you define up to three custom nameservers, for
use in filtering rules. This will let you use any unsupported
filtering nameserver.

You can configure a filter rule to force your clients to
use whichever DNS is provided by the router's DHCP server (if
you changed it from the default value, otherwise it will be
the router's IP). Set the filtering rule to "Router" for this.

Note that DNSFilter will interfere with resolution of local
hostnames. This is a side effect of having devices forced to use
a specific external nameserver. If this is an issue for you, then set
the default filter to "None", and only filter out specific devices.
 
Do you see dnscrypt in your log like this every once in a while? Or check if it is running using top?
I have 4 dnscrypt instances running, no leaks here whether using VPN or ISP.
So if it is running, what does your file /jffs/config/dnsmasq.conf.add say?
Also, do you have:
Code:
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
Somewhere in a script, like /jffs/scripts/firewall-start? (intercepting DNS queries on port 53)

Here is an example in my log that it's running:
Code:
Feb 21 11:41:40 dnscrypt-proxy[1601]: Chosen certificate #808464433 is valid from [2015-10-11] to [2016-10-10]
Feb 21 11:41:40 dnscrypt-proxy[1601]: Server key fingerprint is 339F:30E5:1E00:0F3E:566F:84B9:236E:A0A7:04EF:D47C:8A6D:B983:09A7:F318:2089:EB79
Feb 21 11:42:09 dnscrypt-proxy[1572]: Refetching server certificates
Feb 21 11:42:09 dnscrypt-proxy[1572]: Server certificate #808464433 received
Feb 21 11:42:09 dnscrypt-proxy[1572]: This certificate looks valid
Feb 21 11:42:09 dnscrypt-proxy[1572]: Chosen certificate #808464433 is valid from [2016-01-24] to [2017-01-23]
Feb 21 11:42:09 dnscrypt-proxy[1572]: Server key fingerprint is CB51:0B61:7A1F:FCEB:27CE:26B5:8934:978A:04FF:D9E7:42A4:6A6B:0960:0F0F:F084:595C
Feb 21 11:42:11 dnscrypt-proxy[1559]: Refetching server certificates
Feb 21 11:42:11 dnscrypt-proxy[1559]: Server certificate #808464433 received
Feb 21 11:42:11 dnscrypt-proxy[1559]: This certificate looks valid
Feb 21 11:42:11 dnscrypt-proxy[1559]: Chosen certificate #808464433
 
Do you see dnscrypt in your log like this every once in a while? Or check if it is running using top?
I have 4 dnscrypt instances running, no leaks here whether using VPN or ISP.
So if it is running, what does your file /jffs/config/dnsmasq.conf.add say?
Also, do you have:
Code:
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

Yes, this is missing... dnsmasq.conf.add... I forgot what I should insert there. I think I found it; it should be like this?
Code:
echo "no-resolv" > /jffs/configs/dnsmasq.conf.add
echo "server=127.0.0.1#65053" >> /jffs/configs/dnsmasq.conf.add
Can I insert one more dnscrypt-proxy, so that if the first one goes down the second one goes up? Is that possible?

How do I configure this version?
Code:
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
What must I add here if I use this via firewall-start?
 
Copy and paste those lines one at a time at the shell prompt. It will create the file and paste the relevant parts of each line into the file automatically.

If you don't have a firewall-start file you need to make one. Can you use the vi editor to make one? Put a shebang at the top, paste those 2 lines in, then type chmod a+x /jffs/scripts/firewall-start in the terminal.
You can run more than one instance, but I had to change some stuff on the SD card. I can help you with that tomorrow if nobody else does before then, if you want.
 
OK, now I solved it by inserting these lines over PuTTY, and now dnsleaktest shows that I am using dnscrypt-proxy...
Code:
echo "no-resolv" > /jffs/configs/dnsmasq.conf.add
echo "server=127.0.0.1#65053" >> /jffs/configs/dnsmasq.conf.add

@Cake, OK, I will wait until you can teach me the second version with iptables... I do not know how to do it, so I will wait...
 
OK, now I solved it by inserting these lines over PuTTY, and now dnsleaktest shows that I am using dnscrypt-proxy...
Code:
echo "no-resolv" > /jffs/configs/dnsmasq.conf.add
echo "server=127.0.0.1#65053" >> /jffs/configs/dnsmasq.conf.add

@Cake, OK, I will wait until you can teach me the second version with iptables... I do not know how to do it, so I will wait...
My skills are mostly copy, cut, paste.
If your Linux kung fu skills are better, just ignore my explanations. :)
I got most of my setup from this thread and tutorial. Big thanks to Ryzhov and RMerlin.
This is to run multiple instances of dnscrypt (in case 1 or more dnscrypt servers go down). I might be overdoing it a bit with 4.
Here is my firewall-start, located in /jffs/scripts/:
Code:
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
I believe that intercepts DNS requests from devices on your network and forces them to use what you specified in a file named dnsmasq.conf.add, located in /jffs/configs/.
Here is what mine looks like:
Code:
no-resolv
server=127.0.0.1#65053
server=127.0.0.1#65054
server=127.0.0.1#65055
server=127.0.0.1#65056
It was mentioned in the referenced thread about using an IP address for NTP; unless you have something running inside your network as an NTP server 24/7, you can use one from this list. Put the IP in your router's GUI or use the nvram method. Otherwise, after you reboot the router it will try to query the NTP server for the time and fail, because dnscrypt will not work with the wrong time set.
Here are the changes I had to make to Entware on the SD card.
Make multiple copies of dnscrypt-proxy in /tmp/mnt/sda1/entware/sbin/
Navigate to that folder and try this:
cp dnscrypt-proxy dnscrypt-proxy1
cp dnscrypt-proxy dnscrypt-proxy2
cp dnscrypt-proxy dnscrypt-proxy3
etc..
Navigate to the folder:
# cd /tmp/mnt/sda1/entware/etc/init.d
Edit S09dnscrypt-proxy:
# vi S09dnscrypt-proxy
Here is what mine looks like:
Code:
#!/bin/sh

ENABLED=yes
PROCS=dnscrypt-proxy
ARGS="--local-address=127.0.0.1:65053 --daemonize -R ipredator"
PREARGS=""
DESC=
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func
Then make 3 more copies of that file and edit them after that.
#cp S09dnscrypt-proxy S09dnscrypt-proxy1
#cp S09dnscrypt-proxy S09dnscrypt-proxy2
#cp S09dnscrypt-proxy S09dnscrypt-proxy3
#vi S09dnscrypt-proxy1
Code:
#!/bin/sh

ENABLED=yes
PROCS=dnscrypt-proxy1
ARGS="--local-address=127.0.0.1:65054 --daemonize -R okturtles"
PREARGS=""
DESC=
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func
You can see the pattern: just change PROCS=, the port number and the name of the dnscrypt provider.
Make sure to chmod a+x all your newly created files.
Cross your fingers and reboot.
If you can't get back on the internet, try removing those 2 lines in firewall-start, reboot, and set DNS to 8.8.8.8 in your computer's network interface, just to quickly get to the internet to troubleshoot.
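A defender-side check for the three pieces of configuration the post above walks through (dnsmasq.conf.add, firewall-start and the S09dnscrypt-proxy* init scripts), added here as an example and not code from any post in the thread. It takes the file paths as arguments and ships with constructed sample files, so it runs offline; the router paths it mentions are the ones named in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit the three config pieces the posts
# describe for the gaps that leave queries going to the ISP resolvers. Paths
# are arguments; on a Merlin router they would be /jffs/configs/dnsmasq.conf.add,
# /jffs/scripts/firewall-start and /opt/etc/init.d (as named in the thread).

# dnsmasq.conf.add: needs no-resolv and only loopback server= entries.
audit_dnsmasq_add() {
    rc=0
    grep -qx 'no-resolv' "$1" || { echo "missing no-resolv"; rc=1; }
    grep -q '^server=127\.0\.0\.1#' "$1" || { echo "no server=127.0.0.1#PORT"; rc=1; }
    if grep '^server=' "$1" | grep -qv '^server=127\.0\.0\.1#'; then
        echo "upstream bypassing dnscrypt-proxy: $(grep '^server=' "$1" | grep -v '^server=127\.0\.0\.1#')"
        rc=1
    fi
    return $rc
}

# firewall-start: both port-53 DNAT rules (udp and tcp) on br0 must exist.
audit_firewall_start() {
    rc=0
    for proto in udp tcp; do
        grep -q -- "-i br0 -p $proto --dport 53 -j DNAT" "$1" \
            || { echo "missing $proto port-53 DNAT rule"; rc=1; }
    done
    return $rc
}

# Every loopback port dnsmasq forwards to needs an init script binding it.
audit_listeners() {
    rc=0
    for port in $(sed -n 's/^server=127\.0\.0\.1#\([0-9]*\)$/\1/p' "$1"); do
        grep -qs -- "--local-address=127\.0\.0\.1:$port[^0-9]" "$2"/S09dnscrypt-proxy* \
            || { echo "no dnscrypt-proxy init script on 127.0.0.1:$port"; rc=1; }
    done
    return $rc
}

# Constructed sample set (not real router files) with two deliberate gaps:
# no tcp DNAT rule, and no init script for port 65054.
make_samples() {
    d=$(mktemp -d); mkdir "$d/init.d"
    printf 'no-resolv\nserver=127.0.0.1#65053\nserver=127.0.0.1#65054\n' > "$d/dnsmasq.conf.add"
    printf '#!/bin/sh\niptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)\n' > "$d/firewall-start"
    printf 'ARGS="--local-address=127.0.0.1:65053 --daemonize -R ipredator"\n' > "$d/init.d/S09dnscrypt-proxy"
    echo "$d"
}

# Demo on the samples: run with --demo to see the two gaps reported.
if [ "${1:-}" = "--demo" ]; then d=$(make_samples); audit_dnsmasq_add "$d/dnsmasq.conf.add"; audit_firewall_start "$d/firewall-start"; audit_listeners "$d/dnsmasq.conf.add" "$d/init.d"; fi
```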
 
OK, I've done something... This is what I put in /jffs/config/dnsmasq.conf.add:

[screenshot]


Here is what I put in /jffs/scripts/firewall-start:

[screenshot]


And here is what I put in /mnt/sda1/entware-ng.arm/etc/init.d:

[screenshot]


Here is a fresh syslog after reboot... The internet is working, but I do not know if this is all correct or not? :)

Code:
http://pastebin.com/0vHQdNbx
 
Oh nice
Check this website out to test:
https://ipleak.net/
You may or may not need to clear your browser cache.
If I go to this site, then DNS address detection shows the IP of the dnscrypt-proxy which I am using and connected to right now... I think that is OK and working well... If yes, then I solved my problem... Thank you.

sent from Kodi 17 Krypton
 
Today the first provider went down and then the second provider didn't connect automatically? So I still have to manually change the ranking over SSH to get the internet back...
 