Dnscrypt from opendns


No. Just reboot and look at the actual timestamps of the logfile. They should be *close* to correct pretty early in the boot process.
 
Thanks so much for the extensive support, helping me to resolve this issue and add another page of discussion to this thread :oops: . AFAICT, my problem stems from the fake-hwclock not working correctly. Once I add the /jffs/configs/dnsmasq.conf.add script and reboot I don't have name resolution and the "date" command spits out the wrong date/time. I'll leave it at this until I figure out a way to fix the hwclock issue. Thanks again.
 
Try this for hwclock. This is the way I have it set up. If we get it working, I'll fix the wiki. This will move hwclock to /jffs and it will set the clock very early in the boot process. It will also save the time to disk once an hour and on shutdown.


Code:
# Copy fake-hwclock to /jffs, pointing its data file at /jffs as well
sed 's~FILE=.*$~FILE=/jffs/fake-hwclock.data~' /opt/bin/fake-hwclock > /jffs/fake-hwclock
chmod +x /jffs/fake-hwclock

# Run the /jffs copy once to initialise it
/jffs/fake-hwclock

# Restore the saved time as early as possible in the boot process
echo "/jffs/fake-hwclock load" >> /jffs/scripts/init-start
chmod +x /jffs/scripts/init-start

# Save the time on shutdown
echo "/jffs/fake-hwclock save" >> /jffs/scripts/services-stop
chmod +x /jffs/scripts/services-stop

# Save the time once the WAN is up, then once an hour via cru
echo "sleep 2;/jffs/fake-hwclock save" >> /jffs/scripts/wan-start
chmod +x /jffs/scripts/wan-start
echo "cru a hwclock \"0 * * * * /jffs/fake-hwclock save\"" >> /jffs/scripts/wan-start

# The Entware package is no longer needed now that the copy lives in /jffs
opkg remove fake-hwclock
 
No luck with that either. It seems that the /opt directory, under which the writeable /jffs directory is mounted, doesn't get mounted until well after booting is completed; none of the partitions on the USB drive do. Therefore, the scripts might not get executed correctly in time; though, I'm just speculating according to my observations of post-boot syslogs/dmesg.

Let's add a test to the script so that we can check if it ran correctly or not. I saw something to that effect on the Wiki somewhere a long time ago, where the script creates a file; therefore, if the file doesn't exist, the script didn't run.
 
NOTE: your example failed to include a "shebang" in the init-start and wan-start scripts.

To test if the scripts started I added some lines taken from the Wiki:

Code:
:/tmp/home/root# cat /jffs/scripts/init-start
#!/bin/sh

touch /tmp/000initstartted

/jffs/fake-hwclock load
and
Code:
:/tmp/home/root# cat /jffs/scripts/wan-start
#!/bin/sh

touch /tmp/001wanscriptstarted

sleep 2; /jffs/fake-hwclock save
cru a hwclock "0 * * * * /jffs/fake-hwclock save"

After I added the missing shebangs to the scripts and rebooted, the scripts executed correctly, creating the respective files in the /tmp directory. Additionally, when I execute
Code:
# cru l
I see the listing of the cron job. Sadly, though, dnscrypt-proxy still doesn't work.
 
I'm rather delinquent with posting here, but the post by ASAT, #249, is spot on. If you're running an ARM-based unit, be sure to get the binaries from lancethepants. With Merlin's .55 build, I have this running with great success and stability, on an AC3200 at home and on an AC68U I brought to my in-laws in Europe (still there for another week, hence my delay in posting).

 
> No luck with that either. It seems that the /opt directory, under which the writeable /jffs directory is mounted, doesn't get mounted until well after booting is completed; none of the partitions on the USB drive do. Therefore, the scripts might not get executed correctly in time; though, I'm just speculating according to my observations of post-boot syslogs/dmesg.
>
> Let's add a test to the script so that we can check if it ran correctly or not. I saw something to that effect on the Wiki somewhere a long time ago, where the script creates a file; therefore, if the file doesn't exist, the script didn't run.

jffs gets mounted very early. I run this setup. Add a "touch /jffs/touched" to /jffs/init-start.
 
> NOTE: your example failed to include a "shebang" in the init-start and wan-start scripts.
>
> Sadly, though, dnscrypt-proxy still doesn't work.

I'll correct them before I put it on the wiki. What error is in your /tmp/syslog.log?

grep dnscrypt /tmp/syslog.log

If there are no entries at all, it sounds like entware is not starting properly (which would also make sense as to why hwclock wasn't starting).
 
If I use
iptables -A OUTPUT -p tcp --dport 53 -j DROP
in
/jffs/scripts/firewall-start
my router can't connect to members.dyndns.org to update dyndns, nor can I ping any site, nor does opkg update work.
All my connected devices do run without any problems, so I am guessing dnscrypt is working fine.
But I would love to disable outgoing dpt 53 and still get my router to connect to the outside.
How to solve?
 
> If I use
> iptables -A OUTPUT -p tcp --dport 53 -j DROP
> in
> /jffs/scripts/firewall-start
> my router can't connect to members.dyndns.org to update dyndns, nor can I ping any site, nor does opkg update work.
> All my connected devices do run without any problems, so I am guessing dnscrypt is working fine.
> But I would love to disable outgoing dpt 53 and still get my router to connect to the outside.
> How to solve?

redirect. Don't block.
Code:
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
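One way to put those two redirect rules into /jffs/scripts/firewall-start so they survive firewall restarts without being appended twice, as an added example that is not from the thread or the Asuswrt-Merlin wiki; it assumes the firewall-start hook, the br0 LAN bridge and an iptables build that supports `-C`:

```shell
#!/bin/sh
# /jffs/scripts/firewall-start (added example, not from the thread).
# Redirects client DNS queries arriving on the LAN bridge to the router's
# own resolver, so a client that hard-codes 8.8.8.8 still gets its answers
# via dnsmasq and dnscrypt-proxy instead of sending plain port 53 upstream.
# firewall-start runs again on every firewall restart, so each rule is
# checked with "iptables -C" before it is appended (assumption: the
# router's iptables supports -C).

LAN_IF=br0   # LAN bridge interface on Asuswrt-Merlin (assumed)

# Build the nat/PREROUTING rule specification for one protocol (udp or tcp)
# and the router's LAN address.
dns_hijack_spec() {
    echo "-i $LAN_IF -p $1 --dport 53 -j DNAT --to $2"
}

# Append a nat/PREROUTING rule only if an identical one is not already there.
add_rule_once() {
    # shellcheck disable=SC2086  # word-splitting of the spec is intended
    iptables -t nat -C PREROUTING $1 2>/dev/null \
        || iptables -t nat -A PREROUTING $1
}

# Install both rules using the router's LAN address from nvram.
apply_dns_hijack() {
    lan_ip=$(nvram get lan_ipaddr)
    for proto in udp tcp; do
        add_rule_once "$(dns_hijack_spec "$proto" "$lan_ip")"
    done
}

# Only touch iptables when actually running as the firewall-start hook.
case "$0" in
    */firewall-start) apply_dns_hijack ;;
esac
```

These rules only catch traffic entering on br0; the router's own lookups are governed by its own DNS setting, which is the point made in the reply further down.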
 
But why does blocking dpt 53 not work? I thought dnscrypt is proxying DNS requests from spt 53 to dpt 443 of the dnscrypt provider?
How may I check (without the need to sniff the network) if DNS requests from clients are really encrypted now?
 
> I'll correct them before I put it on the wiki. What error is in your /tmp/syslog.log?
>
> grep dnscrypt /tmp/syslog.log
>
> If there are no entries at all, it sounds like entware is not starting properly (which would also make sense as to why hwclock wasn't starting).
There are no entries pertaining to dnscrypt at all. Maybe I need to reinstall entware?
 
> But why does blocking dpt 53 not work? I thought dnscrypt is proxying DNS requests from spt 53 to dpt 443 of the dnscrypt provider?
> How may I check (without the need to sniff the network) if DNS requests from clients are really encrypted now?

This has nothing to do with dnscrypt. I'm guessing you have the DNS on whatever device it is failing on set to use some other DNS server, and you've told it to block that. It sounds like your DNS server settings are not set to use your router ON your router.

My commands will simply hijack those calls and direct them to the router rather than drop them.

Same for clients. If someone on your network puts 8.8.8.8 in their DNS, the iptables rules will allow that and just hijack it and send it to the router (through dnscrypt) instead.
 
Code:
:/# cat /opt/etc/init.d/S09dnscrypt-proxy
#!/bin/sh

ENABLED=yes
PROCS=dnscrypt-proxy
ARGS="--local-address=127.0.0.1:65053 --daemonize -R opendns"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func
 
> Code:
> :/# cat /opt/etc/init.d/S09dnscrypt-proxy
> #!/bin/sh
>
> ENABLED=yes
> PROCS=dnscrypt-proxy
> ARGS="--local-address=127.0.0.1:65053 --daemonize -R opendns"
> PREARGS=""
> DESC=$PROCS
> PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
>
> . /opt/etc/init.d/rc.func
Looks right but entware isn't starting stuff. That's your problem... You'd see entries in syslog if it was.
 
Please note, default "opendns" resolver doesn't exist anymore, that's because Cisco bought OpenDNS company. Please update Entware package by:
Code:
opkg update
opkg upgrade
New default resolver is called (surprise! surprise!) "cisco".

> I'll correct them before I put it on the wiki. What error is in your /tmp/syslog.log?
>
> grep dnscrypt /tmp/syslog.log
>
> If there are no entries at all, it sounds like entware is not starting properly (which would also make sense as to why hwclock wasn't starting).
Did I mess up the wiki? Tested twice on a clean installation with no issues.

PS I have to add a postinst script to the fake-hwclock package to save the current time after it is installed.
PPS Wait, I've done that before :) No need to run fake-hwclock right after installation.
 
Thanks for breaking the news, ryzhov_al. Good for OpenDNS. Btw, it's amazing sometimes when ppl need a package, boom, it's in Entware already.

On dnscrypt-proxy, this thread needs an asterisk. OpenDNS resolvers can be used just like Google DNS in the plain old fashion.

Dnscrypt in its current incarnation has little value to users. Are people paranoid enough that they use it to stop the ISP from spying on their port 53 activities? Or am I missing something else?
 