DNSCrypt from OpenDNS

Is it really using dnscrypt?

I've installed the pkg on my Asus router and followed the steps; dnscrypt is running and the log shows it proxying, see log:

http://pastebin.com/raw.php?i=a6t7qn0p

However, I've used tcpdump to capture all the traffic for a little bit and opened some sites like Google and welcome.opendns.com (btw this one shows I'm not using it, but I'm not sure if it should work while using the dnscrypt.eu-nl server).
In Wireshark all I see are standard DNS queries, so it seems that the router is not using dnscrypt?

dnsmasq seems to be doing the job right (I think):
Jul 18 15:37:41 dnsmasq[963]: using nameserver 127.0.0.1#65053
Jul 18 15:37:41 dnsmasq[963]: read /etc/hosts - 6 addresses
Jul 18 15:37:41 dnsmasq[963]: read /etc/hosts.dnsmasq - 4 addresses
Jul 18 15:37:41 dnsmasq-dhcp[963]: read /etc/ethers - 4 addresses

What could I be doing wrong?

Thanks

[EDIT - UPDATE] Actually I confirmed on one of my laptops running FreeBSD with a local dnscrypt-proxy + local unbound, and welcome.opendns.com + www.internetbadguys.com show the desired result, and I am using dnscrypt.eu too!

Also, looking closer, I do see the HTTPS packets before the DNS query; I was forgetting this server uses port 443. Still, shouldn't I then get a successful result on welcome.opendns.com just like I get on the laptop running dnscrypt?
 
Hello,

I have been trying to get this to work for a couple of hours now with no luck.

I am following the guide on GitHub.

Code:
https://github.com/RMerl/asuswrt-merlin/wiki/Secure-DNS-queries-using-DNSCrypt

I am using RT-AC66U with 376.44 firmware.

It seems that DNSCrypt is installed and working.

But I cannot resolve any hosts.

My log file on the router shows the following:

Code:
Aug  6 14:12:32 dnscrypt-proxy[509]: Refetching server certificates
Aug  6 14:12:32 dnscrypt-proxy[509]: Unable to retrieve server certificates
Aug  6 15:12:39 crond[389]: time disparity of 1891571 minutes detected
Aug  6 14:12:53 dnscrypt-proxy[509]: Refetching server certificates
Aug  6 14:12:53 dnscrypt-proxy[509]: Unable to retrieve server certificates

What am I doing wrong?

Thanks :)
 
Forgot to add that I selected the server numbered 30 when a list of servers was shown in the terminal window.
 

DNSCrypt is failing because NTP is not running properly.

Do the following:

1. Create a file named hosts.add on your attached USB storage and then create a symlink to that file in /jffs/configs, i.e.
Code:
ln -s /path/to/your/usbstorage/hosts.add hosts.add

2. Edit wan-start in /jffs/scripts/ and replace the contents of that file with the code below, making sure to replace the placeholder /path/to/your/usbstorage/hosts.add with the correct path
Code:
#!/bin/sh

# Wait up to 15 seconds to make sure /opt partition is mounted
i=0
while [ $i -le 15 ]
do
    if [ -d /opt/tmp ]
    then
        break
    fi
    sleep 1
    i=`expr $i + 1`
done

# Now resolve DNS name for NTP server
ntp_name=$(nvram get ntp_server0)
grep "$ntp_name" /path/to/your/usbstorage/hosts.add > /dev/null 2>&1 || \
for ip in $(/opt/sbin/dnscrypt-proxy-hostip "$ntp_name")
do
    echo "$ip $ntp_name" >> /path/to/your/usbstorage/hosts.add
done

service restart_dnsmasq && sleep 3

# NTP Reload
killall ntp && sleep 1
service restart_ntpc

3. Make the script executable (just in case you forgot)
Code:
chmod +x /jffs/scripts/wan-start

4. Reboot your router and visit https://dnsleaktest.com/ or http://ipleak.net/ to test for any DNS leaks (you should be seeing the ip address of opennic-ca-ns4-ipv6 which you selected when setting up dnscrypt).

I recommend https://dnscrypt.eu/ as it provides DNSSEC validation with servers in the EU (DK, NL). You will need to reconfigure dnsmasq to enable DNSSEC validation.
 
Can you provide the changes which I need in dnsmasq to enable dnssec? Thank you
 
Hi,

I've been trying to get DNSCrypt to work on my Asus RT-N66U running Merlin firmware v3.0.0.4_376.44_0. I chose DNSCrypt.eu (14) when prompted after installing everything following the guide on GitHub. When I test with DNSleak I see that it correctly shows DNSCrypt.eu.

Code:
176.56.237.171 	resolver1.dnscrypt.eu 	RouteLabel V.O.F.

However, when I make a tcpdump on my Asus router while I visit multiple sites on my main PC and then analyze the dump with Wireshark, I don't see encrypted DNS messages but plain-text URLs. I should be seeing something like malformed packets to confirm it's encrypted. So it does seem to be using the DNSCrypt DNS, but it does not encrypt. I made a dump of the eth0 device as this one is holding the external IP.

Code:
tcpdump -i eth0 -n -s 0 -vvv -w dump.pcap

So I went and checked whether dnscrypt-proxy is started correctly and whether it is actually able to exchange certs. This seems to be going OK, yet encryption doesn't work.

Code:
Jan  1 01:00:12 rc_service: hotplug 420:notify_rc restart_nasapps
Aug 10 12:10:55 dnscrypt-proxy[668]: Starting dnscrypt-proxy 1.4.0
Aug 10 12:10:55 dnscrypt-proxy[668]: Initializing libsodium for optimal performance
Aug 10 12:10:55 dnscrypt-proxy[668]: Generating a new key pair
Aug 10 12:10:55 dnscrypt-proxy[668]: Done
Aug 10 12:10:55 dnscrypt-proxy[668]: Server certificate #808464433 received
Aug 10 12:10:55 dnscrypt-proxy[668]: This certificate looks valid
Aug 10 12:10:55 dnscrypt-proxy[668]: Chosen certificate #808464433 is valid from [2013-12-27] to [2014-12-27]
Aug 10 12:10:55 dnscrypt-proxy[668]: Server key fingerprint is 6231:4AFE:4AA3:7E6F:9B8C:DAA6:6F6E:E8A5:F84B:10A8:6DB1:C5CB:D264:77CA:7F03:0D5C
Aug 10 12:10:55 dnscrypt-proxy[668]: Proxying from 127.0.0.1:65053 to 176.56.237.171:443

Any clues as to what I can do to get this working?

P.S. @AtAM1
I too would like to know what you did to enable DNSSEC, as that is interesting; combining encryption with validation would be even better.
 
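The captures in the two posts above show plaintext DNS and that is mostly expected: clients talk to dnsmasq in the clear, dnsmasq talks to the proxy on 127.0.0.1:65053 in the clear, and only what leaves the WAN interface should be UDP to the resolver's port 443. This added script (not code from the thread or the Merlin wiki) labels `tcpdump -nn` lines accordingly, so a real leak stands out; the router addresses and the sample capture are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: label tcpdump -nn lines so the plaintext
# DNS that belongs in a DNSCrypt setup is told apart from an actual leak.
# The addresses below are constructed assumptions; set them to your router's.
WAN_IP=203.0.113.5          # router's public (WAN) address, constructed
ROUTER_LAN_IP=192.168.1.1
LAN_PREFIX=192.168.1.
PROXY_PORT=65053            # dnsmasq forwards here, as in the thread's logs

# Print one label for a single tcpdump line.
classify_dns_line() {
    case "$1" in
        *" IP $LAN_PREFIX"*" > $ROUTER_LAN_IP.53: "*)    echo lan-query ;;     # client -> dnsmasq, expected
        *" IP $LAN_PREFIX"*" > "*".53: "*)               echo client-bypass ;; # client skips dnsmasq entirely
        *" IP 127.0.0.1."*" > 127.0.0.1.$PROXY_PORT: "*) echo loopback-hop ;;  # dnsmasq -> proxy, expected
        *" IP $WAN_IP."*" > "*".443: UDP"*)              echo dnscrypt ;;      # proxy -> resolver, encrypted
        *" IP $WAN_IP."*" > "*".53: "*)                  echo leak ;;          # plaintext query left the WAN
        *)                                               echo other ;;
    esac
}

# Count the lines on stdin that carry the label given as $1.
count_label() {
    n=0
    while IFS= read -r line; do
        if [ "$(classify_dns_line "$line")" = "$1" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed sample capture in tcpdump -nn format (not the thread's dump).
SAMPLE='12:10:55.000001 IP 192.168.1.10.51234 > 192.168.1.1.53: 1+ A? www.google.com. (32)
12:10:55.000002 IP 127.0.0.1.40001 > 127.0.0.1.65053: 2+ A? www.google.com. (32)
12:10:55.000003 IP 203.0.113.5.40002 > 176.56.237.171.443: UDP, length 512
12:10:55.000004 IP 203.0.113.5.40003 > 208.67.222.222.53: 3+ A? forums.smallnetbuilder.com. (44)
12:10:55.000005 IP 192.168.1.20.51235 > 8.8.8.8.53: 4+ A? example.com. (29)'

# Number of plaintext queries that left the WAN in the sample (1 here).
sample_leaks() { printf '%s\n' "$SAMPLE" | count_label leak; }
```

On a real router, feed it `tcpdump -i eth0 -nn 'udp port 53 or udp port 443' | while IFS= read -r l; do classify_dns_line "$l"; done`; any `leak` line means a query bypassed the proxy.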
Can this be done on the Asus RT-AC68W wireless router?

I would like to use dnscrypt and privoxy on a USB drive and then plug it into my router. I know nothing of Linux, so how hard is this and can it be done? I know I have to use Optware but that is the extent of it. Will an open source widget written in Perl for Windows work on a USB stick for VPN? I like it because it allows me to choose from the various servers quickly. I also like the idea that it is portable. I would need to learn to be able to access the USB to activate, deactivate or change things. Like I said, I know nothing of programming, but I will talk your ear off about plumbing.
Anything is helpful,

Thanks!
hultech
 
I think you should boot your computer into tails
 

Installed drill from opkg and doing:
drill txt debug.opendns.com @127.0.0.1 -p 65053

It doesn't seem to be using dnscrypt!
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 54315
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; debug.opendns.com. IN TXT

;; ANSWER SECTION:

;; AUTHORITY SECTION:
opendns.com. 8153 IN SOA auth1.opendns.com. hostmaster.opendns.com. 1409158342 16384 2048 1048576 2560

;; ADDITIONAL SECTION:

;; Query time: 45 msec
;; EDNS: version 0; flags: ; udp: 4096
;; SERVER: 127.0.0.1
;; WHEN: Wed Aug 27 18:57:31 2014
;; MSG SIZE rcvd: 99

I've removed dnscrypt-proxy and reinstalled, made sure dnscrypt.eu-nl was selected, and still no joy!

Also, should I change the WAN DNS in the web GUI? Although I don't think we can use 127.0.0.1 there, much less specify the port!
 
I have Optware installed on my RT-AC68U (ARM) via the external USB drive and wanted to install DNSCrypt the correct way, so I tried the following:

ipkg update
ipkg install dnscrypt
ipkg install dnscrypt-proxy

Both give a "package not found" error.

I then tried

ipkg list | grep dnscrypt

Again nothing

Is it possible to install it via ipkg?

Thanks
 
Today DNSCrypt.eu Resolver 1 was down most of the day. As a result I had "no internet" on all my devices until I changed the DNS server.

1) Is there a way to use more than 1 resolver? (2nd as fallback)

I also noticed that now that the resolver is back up, dnsleaktest.com reports resolver1.dnscrypt.eu on all devices (as I expect). However, when I log into the router and perform a nslookup, it seems that OpenDNS (without DNSCrypt) instead of DNSCrypt.eu is used:

Code:
> nslookup forums.smallnetbuilder.com
Server:    208.67.222.222
Address 1: 208.67.222.222 resolver1.opendns.com

Name:      forums.smallnetbuilder.com
Address 1: 216.14.113.203

2) Is this correct?
 
For anyone interested, the "dnscrypt-proxy-hostip" package was renamed "hostip" when using opkg.

Thanks for the heads up.

If you remove the old package and replace it with the new package, you will have to modify your wan-start script to use /opt/bin/hostip to get the NTP addresses. Failure to do this left me wondering why my NTP would not work (and thus no DNS connectivity), but this change fixed it.
 
Of course,
New opkg install:
Code:
opkg install dnscrypt-proxy hostip


New "/jffs/scripts/wan-start" script:
Code:
#!/bin/sh

# Wait up to 15 seconds to make sure /opt partition is mounted
i=0
while [ $i -le 15 ]
do
    if [ -d /opt/tmp ]
    then
        break
    fi
    sleep 1
    i=`expr $i + 1`
done

# Now resolve DNS name for NTP server
ntp_name=$(nvram get ntp_server0)
grep "$ntp_name" /etc/hosts > /dev/null 2>&1 || \
for ip in $(/opt/bin/hostip $ntp_name)
do
    echo $ip $ntp_name >>  /etc/hosts
done

# and restart NTP client to eliminate 4-5 mins delay
killall ntp && sleep 1
service restart_ntpc
/opt/etc/init.d/rc.unslung start
 
I would also like to know if there is any way to configure a second resolver as a fallback???
 
You may run a second dnscrypt-proxy instance with different settings.
Can you give an example of what settings need to be changed?

(I would guess something like the local port address and resolver address in a second dnscrypt-proxy entry in wan-start and an extra server entry in dnsmasq.conf.add?)
 
I just updated first post to reflect new changes in dnscrypt package. And added an example with two resolvers.

I am using the entware version. I tried to use two resolvers as in your post, but the second instance of dnscrypt-proxy does not seem to be starting on reboot. Do I need to call this in a script?
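The fallback question above (a second resolver so one dead dnscrypt.eu instance does not take the LAN offline, and a second instance that survives a reboot) can be handled from wan-start itself. This is an added example, not the first post's or the Merlin wiki's script; it assumes dnscrypt-proxy 1.x command-line flags (--local-address, --resolvers-list, --resolver-name; check `dnscrypt-proxy --help` on your build), the Entware paths shown, and that the resolver names exist in the shipped CSV list.

```shell
#!/bin/sh
# Added example, not the thread's or the Merlin wiki's own script: a wan-start
# fragment that starts two dnscrypt-proxy instances on separate loopback ports
# and lists both as dnsmasq upstreams. Starting both here (rather than relying
# on an init script) is what makes the second instance come back after reboot.
# Assumptions: dnscrypt-proxy 1.x flags, the Entware paths below, and resolver
# names taken from the resolvers CSV (dnscrypt.eu-dk is an assumed name).
DNSCRYPT=/opt/sbin/dnscrypt-proxy
RESOLVERS_CSV=/opt/share/dnscrypt-proxy/dnscrypt-resolvers.csv   # assumed path
PRIMARY_PORT=65053;  PRIMARY_NAME=dnscrypt.eu-nl
FALLBACK_PORT=65054; FALLBACK_NAME=dnscrypt.eu-dk
DNSMASQ_ADD=/jffs/configs/dnsmasq.conf.add

# Start one daemonized proxy on 127.0.0.1:$1 using resolver $2 from the CSV.
start_instance() {
    "$DNSCRYPT" --daemonize --pidfile="/var/run/dnscrypt-proxy-$1.pid" \
        --local-address="127.0.0.1:$1" \
        --resolvers-list="$RESOLVERS_CSV" --resolver-name="$2"
}

# Emit the dnsmasq.conf.add lines for every loopback port given.
# no-resolv:   ignore the WAN/ISP servers from resolv.conf (no plaintext fallback).
# all-servers: ask every upstream at once and take the first answer, so a hung
#              resolver only costs the time the other one needs. Make sure the
#              generated dnsmasq.conf has no other server= lines, or all-servers
#              will query those (plaintext) servers too.
dnsmasq_fallback_conf() {
    printf 'no-resolv\nall-servers\n'
    for port in "$@"; do
        printf 'server=127.0.0.1#%s\n' "$port"
    done
}

# Only act on a router that actually has the proxy installed.
if [ -x "$DNSCRYPT" ]; then
    start_instance "$PRIMARY_PORT"  "$PRIMARY_NAME"
    start_instance "$FALLBACK_PORT" "$FALLBACK_NAME"
    dnsmasq_fallback_conf "$PRIMARY_PORT" "$FALLBACK_PORT" > "$DNSMASQ_ADD"
    service restart_dnsmasq
fi
```

After a reboot, `ps | grep dnscrypt-proxy` should show two processes and the log should show one "Proxying from 127.0.0.1:65053" and one "Proxying from 127.0.0.1:65054" line.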
 