Dnscrypt from opendns

Hello everyone and many thanks for such a magnificent thread!

I have set up my RT-87U router to run three instances of dnscrypt-proxy with the all-servers flag in the dnsmasq.conf.add file. First I installed Entware and then copied dnscrypt-proxy from /opt/sbin/ into /jffs/bin in order not to be dependent on the USB stick.

In my syslog I see the following:

Nov 13 19:14:01 dnscrypt-proxy[804]: Starting dnscrypt-proxy 1.7.0
Nov 13 19:14:01 dnscrypt-proxy[806]: Starting dnscrypt-proxy 1.7.0
Nov 13 19:14:01 dnscrypt-proxy[808]: Starting dnscrypt-proxy 1.7.0
Nov 13 19:14:01 dnscrypt-proxy[804]: Proxying from 127.0.0.1:60053 to 176.56.237.171:443
Nov 13 19:14:01 dnscrypt-proxy[806]: Proxying from 127.0.0.1:60055 to 178.216.201.222:2053
Nov 13 19:14:01 rc_service: udhcpc 681:notify_rc start_upnp
Nov 13 19:14:01 rc_service: waitting "stop_upnp" via udhcpc ...
Nov 13 19:14:01 miniupnpd[527]: shutting down MiniUPnPd
Nov 13 19:14:01 dnscrypt-proxy[808]: Proxying from 127.0.0.1:60057 to 113.20.8.17:443

It seems OK; however, I do not see any certificates, etc. Another issue is that after I tested it on two different machines on dnsleaktest.com and ipleak.net, on both machines I got an OpenDNS result... wait, I did not set up OpenDNS on my router. Any ideas why OpenDNS is popping up?
 
I assume you picked the Cisco dnscrypt option which is OpenDNS. If not, which dnscrypt servers did you pick?
 
Here is what I did. I installed dnscrypt via Entware and during the selection I opted for dnscrypt.eu-nl, then I removed the script from /opt/etc/init.d and in wan-start I wrote the following:

[Image attachment: 12200909.jpg]


So, as you can see, I use three servers: dnscrypt.eu-nl, soltysiak and cloudns-syd. In my dnsmasq.conf.add I have the following:

no-resolv
server=127.0.0.1#60053
server=127.0.0.1#60055
server=127.0.0.1#60057
all-servers
 
Oh my goodness! I found the reason! It turned out that in the AiProtection section there was DNS filtering, which used OpenDNS; this is why I was constantly getting this in the results. Hope it will be useful for anyone in the same boat.
 
With the new UK snooping bill very close to being law, dnscrypt is about to get very popular in the UK.
 
Do not forget that a DNS leak is only one possible leak and there are other methods to collect information. Plus, dnscrypt is not intended to hide your identity or even your IP address.
 
Guys, another interesting question. I have been playing with OpenVPN and noticed that once I connect my router through any VPN, I lose my internet connection. The configuration is correct; I set it up using an ovpn file.

Could this be caused by the dnscrypt script?
 
Hi,

I run OpenVPN and DNScrypt in parallel: OpenVPN traffic is routed to one of the guest WLANs and DNScrypt is used for all internet traffic - works like a charm in parallel. :)

Maybe you need to make
- "policy routing" in the VPN config and/or
- dnsmasq.conf settings
your friend...? :rolleyes:
 
Hi there,

I got the following in the logs - openvpn-routing: Skipping, client 2 not in routing policy mode, so I guess the problem is routing policy. How do I enable it in the VPN config?
 
It's under the Advanced Settings->Redirect Internet Traffic option.
 
Guys, another question from me. I am constantly getting [ERROR] Unable to retrieve server certificates... it seems to still work but I am a bit confused by this. On Android I am also getting it. Is there any fix for it?

P.S. The fix is simple - you need to update dnscrypt-resolvers.csv
 
OK, after I updated dnscrypt-resolvers.csv, my Internet connection started to play around... it was very, very slow, and some websites were unavailable. Also, dnscrypt on my laptop was triggering a kernel panic every time the laptop was connected to the router, so I removed dnscrypt from the laptop (I had it in case of travelling somewhere with the laptop). At the moment my connection is still slow and nothing works at all unless I manually change DNS to one of the dnscrypt servers.

So, I decided to erase jffs and start from scratch following this manual - https://github.com/RMerl/asuswrt-merlin/wiki/Secure-DNS-queries-using-DNSCrypt

Now, it works fine again but I am constantly getting the following:

dnscrypt-proxy[804]: No useable certificates found

Any idea what may cause it?
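
Added example (not part of the thread, and not code from dnscrypt-proxy or Asuswrt-Merlin): a triage of the syslog messages quoted in the posts above, printing one line per dnscrypt-proxy PID and flagging an instance that logged a certificate failure or never reported a listener. The sample log is constructed from those quoted lines; the function name and the status labels are assumptions made for this example.

```shell
#!/bin/sh
# Summarise dnscrypt-proxy instances from syslog text on stdin.
# Output: one line per PID in the form "pid listener upstream status".
dnscrypt_triage() {
    awk '
    # Assumed layout: "Mon DD HH:MM:SS dnscrypt-proxy[PID]: message"
    match($0, /dnscrypt-proxy\[[0-9]+\]: /) {
        pid = substr($0, RSTART + 15, RLENGTH - 18)
        msg = substr($0, RSTART + RLENGTH)
        if (!(pid in seen)) { seen[pid] = 1; order[++n] = pid }
        if (msg ~ /^Proxying from /) {
            split(msg, w, " ")      # Proxying from <listener> to <upstream>
            listen[pid] = w[3]; upstream[pid] = w[5]
        }
        # Only the two certificate messages quoted in the thread are matched.
        if (msg ~ /No useable certificates found/ ||
            msg ~ /Unable to retrieve server certificates/) bad[pid] = 1
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            if (bad[p])            s = "CERT_FAIL"
            else if (p in listen)  s = "PROXYING"
            else                   s = "NO_LISTENER"
            l = (p in listen)   ? listen[p]   : "-"
            u = (p in upstream) ? upstream[p] : "-"
            printf "%s %s %s %s\n", p, l, u, s
        }
    }'
}

# Constructed sample: message texts are the ones quoted in the thread; the
# last timestamp and the missing listener line for PID 808 are made up.
SAMPLE_LOG=$(cat <<'EOF'
Nov 13 19:14:01 dnscrypt-proxy[804]: Starting dnscrypt-proxy 1.7.0
Nov 13 19:14:01 dnscrypt-proxy[806]: Starting dnscrypt-proxy 1.7.0
Nov 13 19:14:01 dnscrypt-proxy[808]: Starting dnscrypt-proxy 1.7.0
Nov 13 19:14:01 dnscrypt-proxy[804]: Proxying from 127.0.0.1:60053 to 176.56.237.171:443
Nov 13 19:14:01 dnscrypt-proxy[806]: Proxying from 127.0.0.1:60055 to 178.216.201.222:2053
Nov 13 19:14:01 rc_service: udhcpc 681:notify_rc start_upnp
Nov 13 19:14:16 dnscrypt-proxy[804]: No useable certificates found
EOF
)

printf '%s\n' "$SAMPLE_LOG" | dnscrypt_triage
```

On a router, the same function can read the live log instead of the sample, for example by piping the syslog file into it.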
 
Hi,

ASUS RT-AC87U Merlin 380.64

Total noob. Sorry.

I followed the instruction found here: https://github.com/RMerl/asuswrt-merlin/wiki/Secure-DNS-queries-using-DNSCrypt

I have installed everything correctly.

During setup I selected the OpenDNS Family DNS server.

I also turned off DNS filtering on the ASUS RT-AC87U.

Now when I type in sex.com into the URL in Firefox I receive an OpenDNS message telling me the site has been blocked; this is good, it's what I wanted.

However, when I turn on one of my OpenVPN Clients and connect I can view any pornographic site, so OpenVPN disables DNScrypt? Is it possible for both DNScrypt and OpenVPN to work together?

Also, do Entware and DNScrypt update automatically? If not, how do I update them?

And how do I change DNScrypt servers if I want to?

Any reply is appreciated, cheers. :)
 
I also have this problem.

How do I make a "policy routing" in the VPN config and/or dnsmasq.conf settings?

I have a RT-AC87U Merlin 380.64 Firmware.
 
A couple of questions:

1. What happens when the DNS server specified in DNScrypt goes down? Is there a "kill switch" built in or will it go back to my ISP's DNS server?
Assuming that you've configured it to route only data through DNScrypt, your DNS requests won't resolve.
One option for you is to add in a second DNScrypt server.

2. How would one "uninstall" DNScrypt after following this guide? Asking just in case I decide it's not worth it. https://github.com/RMerl/asuswrt-merlin/wiki/Secure-DNS-queries-using-DNSCrypt

Just removing dnscrypt won't reset things for you, as you'll also need to remove the dnsmasq.conf.add entries. The command to remove dnscrypt is:
Code:
opkg remove dnscrypt-proxy
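
Added example (not part of the thread, and not the firmware's own code): a check of a dnsmasq.conf.add fragment that ties together the three-listener configuration posted earlier and the "kill switch" answer above, reporting whether DNS fails closed when the local dnscrypt-proxy listeners stop and whether there is more than one of them. The function names, verdict labels and the 192.0.2.53 resolver are assumptions; the check reads only dnsmasq directives, so a separate router feature such as the DNS filtering mentioned in the thread is outside what it sees.

```shell
#!/bin/sh
# Classify a dnsmasq config fragment read from stdin.
# IPv4 loopback upstreams only (127.x.x.x, optional #port).
check_dnsmasq_upstreams() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comment and blank lines
    { gsub(/[ \t\r]/, "") }                  # tolerate stray whitespace
    $0 == "no-resolv"   { noresolv = 1 }
    $0 == "all-servers" { allservers = 1 }
    /^server=/ {
        addr = substr($0, 8)                 # text after "server="
        sub(/^\/.*\//, "", addr)             # drop a /domain/ selector
        if (addr ~ /^127\.[0-9.]+(#[0-9]+)?$/) nlocal++
        else { nremote++; print "non-loopback upstream: " addr }
    }
    END {
        if (!noresolv)
            print "no-resolv missing: servers from resolv.conf are also used"
        if (nlocal > 1 && !allservers)
            print "note: all-servers not set, listeners are not queried in parallel"
        if (!noresolv || nremote) print "VERDICT LEAK_POSSIBLE"
        else if (nlocal == 0)     print "VERDICT NO_UPSTREAM"
        else if (nlocal == 1)     print "VERDICT FAIL_CLOSED_SINGLE"
        else                      print "VERDICT FAIL_CLOSED_REDUNDANT"
    }'
}

# Print only the verdict word.
dnsmasq_verdict() { check_dnsmasq_upstreams | sed -n 's/^VERDICT //p'; }

# The fragment posted in the thread.
THREAD_CONF='no-resolv
server=127.0.0.1#60053
server=127.0.0.1#60055
server=127.0.0.1#60057
all-servers'

# Constructed weak fragment: no-resolv is absent and a plain resolver
# (documentation address, made up) sits beside the local listener.
WEAK_CONF='server=127.0.0.1#60053
server=192.0.2.53'

printf '%s\n' "$THREAD_CONF" | check_dnsmasq_upstreams
printf '%s\n' "$WEAK_CONF"   | check_dnsmasq_upstreams
```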
 
hi,

I'm using dnscrypt on an Asus RT-68U with the following config:

#!/bin/sh

ENABLED=yes
PROCS=dnscrypt-proxy
#ARGS="/jffs/configs/dnscrypt-proxy.conf"
#ARGS="--local-address=127.0.0.1:65053 --daemonize -R dnscrypt.eu-dk"
ARGS="--local-address=127.0.0.1:65053 --ephemeral-keys --daemonize -R cisco-familyshield"
#ARGS="--local-address=127.0.0.1:65053 --daemonize -R ipredator"
PREARGS=""
DESC=
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/u

. /opt/etc/init.d/rc.func

As you can see, I've played about with different providers, but I'm also trying to get the proxy to work with a configuration file. Does the config file not work? I get the following error when I try to start the proxy manually with the conf file located in /jffs/configs:

/opt/etc/init.d/S09dnscrypt-proxy start

[ERROR] Support for plugins hasn't been compiled in

If it's not possible to use a conf file, how do I pass the arguments "BlockIPV6 yes" and "BlackList domains:"/jffs/configs/dnscrypt-blacklist-domains.txt" on the ARGS command line? My goal is to get the blacklist function working, because the router's ability to blacklist very large lists of domains does not work with dnsmasq.conf.add, and Cisco's familyshield doesn't have nologging, and I want the best of both worlds (child-friendly blacklists and nologging).
 
@finite9

- config files will work as long as you are at version 1.8.0 or newer (definitely recommend a newer version)
- BlockIPV6 requires a plugin (a separately compiled program). The version you are using was compiled without plugin support.
- AFAIK, all the Cisco dnscrypt servers are logging servers (they are marked as such in the resolvers csv)
 