DNScrypt dnscrypt installer for asuswrt

Well that just sucks.
The only right thing to do is abandon dnscrypt myself. It is now uninstalled on both of my routers. I don't enjoy unsupported software.
 
Ah, my lurking on this thread has been spotted! If I had the knowhow I'd put something together for the router's busybox environment.

The only right thing to do is abandon dnscrypt myself. It is now uninstalled on both of my routers. I don't enjoy unsupported software.
It might not be being maintained but the resolvers still work, so it's not a reason to suddenly open yourself up to DNS MITM attacks again....unless you're using a VPN for all your traffic.
 
I don't think it's necessary to totally abandon it just yet.....from the new site
While this sounds all very new and exciting to us, at Dyne.org we already rely on DNSCrypt-proxy for our project Dowse.eu and are intentioned to maintain this software unless a viable and mature alternative arises, supporting our application of it in Dowse.

We intend to maintain the DNSCrypt-proxy codebase without the intention of adding any new features, just patch bugs.

In fact, the resolvers csv was updated just yesterday.
 
I don't think it's necessary to totally abandon it just yet.....from the new site


In fact, the resolvers csv was updated just yesterday.
Nah.. not really updated, just mitigation over... but as the new owner says, they are not improving the program but they are willing to do bug/security patching if any. And as of now, I am using DNSCrypt together with DNSSEC. I feel safer.. lol...
 
Wow a lot of discussions here, as usual with many, I have been busy with stuff thus the silence. Putting that aside, there are some tidbits about dnscrypt-proxy v2 from me:
- version 2 has gone to beta phase and I have been using it on my router, an AC56U, for a while and working well, simply as a proxy. I'm gonna test it as a recursive caching dns server soon to see how it performs.
- For now beta 1 version 2 does not have the -i option, so it's a problem to start it early in the process of the router boot. I will try to contact the author on this, this also causes problem with downloading the resolver list file. The author said he's working on a solution for this, so the whole thing needs to wait.
- It does use a lot more RAM than my static compiled version 1, around nearly 5MB, but for all the benefits and as the old one is abandoned, going with it seems to be a good choice.

The other stuff I need to consider is how the v2 precompiles work for MIPS and ARMv8 routers such as the AC66U, AC86U, AC88U... Interested in your experiences, please do share as I intend to support the exact architecture binaries as well.
 
It would seem this is broken on the latest merlin 382.2_beta2 as reinstalling still returns

Code:
nslookup -type=txt debug.opendns.com
Server:  Router
Address:  192.168.1.1

*** Router can't find debug.opendns.com: Non-existent domain

C:\Windows\system32>
 
We are so close!
 
One could also take note that shabby coming into entware-Ng soon.. I hope... hahaha
https://github.com/Entware-ng/Entware-ng/issues/841

Also note that @bigeyes0x0 will be looking into an upgrade of the installer.. https://www.snbforums.com/threads/dnscrypt-is-reborn.43869/page-4#post-374230

Another exciting info is about the new dnscrypt-proxy v2 is in near future we will see it coming along with DOH supposedly a successor of dns over tls?
https://github.com/jedisct1/dnscrypt-proxy

True privacy coming... haha
 
Wow a lot of discussions here, as usual with many, I have been busy with stuff thus the silence. Putting that aside, there are some tidbits about dnscrypt-proxy v2 from me: (...)
Thanks, that's good news.
Let me know when you are ready so I can include it in amtm. Preferably the installer URL stays the same, even for future updates.
 
- For now beta 1 version 2 does not have the -i option, so it's a problem to start it early in the process of the router boot. I will try to contact the author on this, this also causes problem with downloading the resolver list file. The author said he's working on a solution for this, so the whole thing needs to wait.

Even though this is not as it is meant to work, as a workaround, it can easily be solved by adding:

Code:
no-resolv
server=127.0.0.1#65053
server=/pool.ntp.org/208.67.220.220
server=/raw.githubusercontent.com/208.67.220.220

to /jffs/configs/dnsmasq.conf.add

This way dnscrypt-proxy is always able to download its list of resolvers, although it's using an unencrypted query to do so.

The pool.ntp.org entry is because I'm starting dnscrypt-proxy from the end of firewall-start and SkyNet needs an accurately synced time as well as dnscrypt-proxy for validating certificates. Otherwise startup will stall or fail completely. You can use any dns server you like to resolve these addresses (these are OpenDNS/Cisco) and add more lines if there are other addresses you need to have resolved prior to dnscrypt-proxy started successfully.

With the current beta I have installed (v4, I believe) no additional parameters need to be given anymore when launched as all options are configurable in dnscrypt-proxy.toml (config file), like logging to syslog, loglevel etcetera. It is recommended though to edit the full path to the cache file. I don't run it in daemon mode until a start, restart, stop function has been implemented (which doesn't destroy folder hierarchy on our devices, as it currently does with the folder structure on our routers, as reported by another user).

I've found out that it works best to have the 'server_names' line at the beginning of the config file hashed out on first run. After that you can remove the hash and specify the servers you want to use like this:

Code:
##################################
#         Global settings        #
##################################

## List of servers to use
## If this line is commented, all registered servers will be used

server_names = ['cisco','cisco-familyshield']

If you keep the hash in place it will periodically check (at the frequency you've set to re-check the keys, 30 minutes by default) for the dns-server with the lowest latency. It will do so anyway, but the hash makes the difference between 64 dnscrypt supporting servers in the resource list, or just the ones you specified.

Edit: I just saw on github Beta 8 has been released so the info above might have changed in the mean time. This project evolves so rapidly, so I'll need to do some catching up to see what has changed. Since yesterday, that is.
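
The workaround in the post above deliberately leaves two names on plaintext DNS. As an added example (not from the thread or any poster), this shell function audits a dnsmasq fragment such as /jffs/configs/dnsmasq.conf.add and lists which lookups bypass the encrypted proxy; the name `audit_dnsmasq_conf` is hypothetical, and treating any loopback upstream as the dnscrypt-proxy listener is an assumption.

```shell
#!/bin/sh
# Added example: report which dnsmasq upstreams are local (the encrypted
# proxy) and which domains are forwarded in plaintext to a remote server.

audit_dnsmasq_conf() {
    # $1 = path to a dnsmasq config fragment
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blanks
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") } # trim the line
    $0 == "no-resolv" { noresolv = 1; next }
    /^server=/ {
        val = substr($0, 8)                      # text after "server="
        if (val ~ /^\//) {
            # server=/domain[/domain...]/upstream : per-domain override
            n = split(val, part, "/")
            up = part[n]
            for (i = 2; i < n; i++)
                if (part[i] != "")
                    print kind(up) "-exception " part[i] " " up
        } else {
            print kind(val) "-default " val
            if (kind(val) == "local") local_default = 1
        }
    }
    function kind(addr) {
        # Assumption: a loopback upstream is the local dnscrypt-proxy listener
        return (addr ~ /^127\./ || addr ~ /^::1/) ? "local" : "plaintext"
    }
    END {
        if (!noresolv)
            print "warning no-resolv missing: resolv-file upstreams may also be used"
        if (!local_default)
            print "warning no loopback default upstream"
    }' "$1"
}

# Demo input: the fragment posted in the thread, written to a temp file.
conf=$(mktemp)
printf '%s\n' 'no-resolv' 'server=127.0.0.1#65053' \
    'server=/pool.ntp.org/208.67.220.220' \
    'server=/raw.githubusercontent.com/208.67.220.220' > "$conf"
audit_dnsmasq_conf "$conf"
rm -f "$conf"
```

Every `plaintext-exception` line is a name an on-path observer can still see or spoof, so the list is worth keeping as short as the boot sequence allows.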
 
syslog was implemented in beta 4.
Option is -syslog
Can see dnscrypt-proxy -h

However my timestamp is having problem. Router time and system time seem different.
 
ignore timestamp has been implemented in beta8, so it's nearly enough for all the stuff we need. I am starting to work on it. I will be supporting ARMv7 router first as that's the only router I use. Also I'm gonna work on this in my free time, please don't ask for an ETA.

P.S. I checked the commits and the new ignore timestamp feature might even be more awesome than thought https://github.com/jedisct1/dnscrypt-proxy/issues/20
 