DNScrypt dnscrypt installer for asuswrt

No, any time your WAN address changes.
It's great to have you here. As a firmware dev, I have some questions for you regarding this. Do you think we can put these binaries I made into asuswrt forked firmwares like yours and merlin's? Personally I like to have these in firmware with a nice UI instead of having to tinker around with scripts. The binaries alone are only 0.5MB or so and I can help with scripting for options as I plan to do that here anyway.
 
I would love to see this added to the GUI, but if not, even something that looks like what AB solution currently does would be fine. Thanks for all the work so far. I'm going to wait until it's out of BETA status before I jump in but will be watching this thread.
 
Seems like there is some renewed interest in dnscrypt....so I started playing a bit. I've got the build for the dnscrypt-proxy and libsodium libraries integrated into my fork. Then looked a bit further, and decided I'd give it a try to add it to the firmware/gui. A couple of hurdles I need to figure out, so it may take a little while before I have something to try (sequencing to make sure I have a valid time set, new routine to parse the csv file and populate the gui...and some more I'm sure I haven't thought of yet :) )

EDIT: Next one....cross referencing with dnssec servers if dnssec is enabled....
 
Hello @bigeyes0x0 does this solution work with ab solution and an openvpn connection configured on a router?

Can there be dns leak?
There's no such thing as privacy even with a vpn connection. It's like you're walking outside with a mask on, people will still see you one way or another. I made this mainly to set up a more reliable DNS without censorship for my use. Still, to answer your questions, it does work with ab solution according to its dev. For dns leak, as configuring dnscrypt requires correct time on the router, there's a small window at the start of router booting up when dnscrypt hasn't started, albeit very short. 1 or 2 sec after ntp updates the router time, dnscrypt will start.
 
Seems like there is some renewed interest in dnscrypt....so I started playing a bit. I've got the build for the dnscrypt-proxy and libsodium libraries integrated into my fork. Then looked a bit further, and decided I'd give it a try to add it to the firmware/gui. A couple of hurdles I need to figure out, so it may take a little while before I have something to try (sequencing to make sure I have a valid time set, new routine to parse the csv file and populate the gui...and some more I'm sure I haven't thought of yet :) )

EDIT: Next one....cross referencing with dnssec servers if dnssec is enabled....
Looks like I'll be out of business soon then. I've already started working on ability to select DNS server during installation so I hope that'll be of some use for you.
 
Hello @bigeyes0x0 and thanks for your reply. Yes, I worry about privacy because today we should take this care; technological evolution has been surprising for good and bad, as has what some companies do or can still do with the data they collect from our navigation on the network. What I really wanted was to get the best of 3 things that ensured me more privacy on the internet: VPN, Adblocking and dnscrypt. I am not a great specialist in networks or in routers; I have some computer and network skills, but I like to take some time after work to learn how these things work.

From what I realized then, it is possible to have vpn and Adblock working along with dnscrypt, but it needs a configuration on the router during the initialization, in a short time, is that right?

What kind of configuration is it?
 
As I said, for privacy, VPN services only give you a false sense of ataraxia. Still, to answer your question, there's nothing to configure for you in this case. What I meant is even if you use this, there's still a very short window of 1 or 2 secs at boot up just after your internet connection has been established and dnscrypt got started, because it has to be started after your router has correct time from the internet.

EDIT: just as I read some news about VPN http://www.tomshardware.com/news/amd-radeon-crimson-relive-driver,33155.html

@john9527 Maybe I can do something if I know all the IPs the router accesses at boot. I only know the ntp server and all the dynamic ip stuff to add to dnsmasq.conf, but that's not enough. With this config it still takes around 1 more minute to boot. I think it's stuck on some other domains but it's hard for me to hunt this stuff down.
 
I'm trying to get my head around why folks are so interested in dnscrypt...

dnssec is pretty much the same, and... it's a lot less work - here's why

  • DNSSEC allows a resolver to verify the records received from authoritative servers. It ensures that these records are identical to what whoever controls the zone actually configured.
  • DNSCrypt allows a client to verify the records received from a resolver. It ensures that these records are identical to what the resolver sent.
DNSCrypt doesn't actually encrypt the request/response, it just signs it for a server/client pair that support that protocol - things are still in the clear - and dnssec is now supported by many public DNS providers...

I suppose the edge case would be the client workstation getting hijacked perhaps - and there, dnscrypt might help - one could do both.. belt and suspenders so to speak...

Both kind of do the same job, but these days, dnssec is good enough...
 
I thought DNSCrypt actually does encrypt the traffic.....
http://askubuntu.com/questions/105366/how-to-check-if-dns-is-encrypted

It signs it - at least in my experience tinkering about...and signing is good...

In any event - if one is trying to avoid NSA/GCHQ or other lettered agencies - encryption at this level is a folly if one is trying to hide - dnssec/dnscrypt do afford a level of trust however with requests/responses... which is good.

And this is based on years of dealing with SMTP and SPF/DKIM/DMARC - which impacts DNS... in a good way in that a lifting tide lifts all boats there..
 
And there - dnssec is more than good enough...

As the lead engineer working on a carrier grade infra supporting 7M users - I'm ok with dnssec - it scales...
 
Just curious. Will this install survive a firmware update or will a reinstall be needed ?

 
Well, DNSCrypt is now fully integrated into my fork (someone remind me not to do something like this again :) ....it took about 500 lines of new code excluding the dnscrypt code....and I had to debug a problem in dnscrypt).

Look for a beta refresh in the next few days.
Code:
Dec 10 11:53:14 syslog: dnscrypt-proxy-ipv4: - [cisco] does not support DNS Security Extensions
Dec 10 11:53:14 syslog: dnscrypt-proxy-ipv4: - [cisco] logs your activity - a different provider might be better a choice if privacy is a concern
Dec 10 11:53:14 dnscrypt-proxy[12617]: dnscrypt-proxy-ipv4: Starting dnscrypt-proxy 1.7.0
Dec 10 11:53:14 dnscrypt-proxy[12617]: dnscrypt-proxy-ipv4: Generating a new session key pair
Dec 10 11:53:14 dnscrypt-proxy[12617]: dnscrypt-proxy-ipv4: Done
Dec 10 11:53:14 dnscrypt-proxy[12617]: dnscrypt-proxy-ipv4: Server certificate with serial #1463092899 received
Dec 10 11:53:14 dnscrypt-proxy[12617]: dnscrypt-proxy-ipv4: This certificate is valid
Dec 10 11:53:14 dnscrypt-proxy[12617]: dnscrypt-proxy-ipv4: Chosen certificate #1463092899 is valid from [2016-05-12] to [2017-05-12]
Dec 10 11:53:14 dnscrypt-proxy[12617]: dnscrypt-proxy-ipv4: Server key fingerprint is ABA1:F000:D394:8045:672D:73E0:EAE6:F181:19D0:2A62:3791:EFAD:B04E:40B7:B6F9:C40B
Dec 10 11:53:14 dnscrypt-proxy[12617]: dnscrypt-proxy-ipv4: Proxying from 127.0.0.1:65053 to 208.67.220.220:443
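The startup log above records the resolver certificate's validity window, which is why the thread keeps coming back to the router needing correct time before dnscrypt starts. The following is an added example (not from the thread or from the fork's code) that parses those log lines and checks the window against a router clock; the year 2016 for the undated syslog stamp and the 1970 date standing in for an unsynced clock are assumptions.

```python
import re
from datetime import date

# Lines copied from the dnscrypt-proxy 1.7.0 startup log in the post above.
LOG = """\
Dec 10 11:53:14 syslog: dnscrypt-proxy-ipv4: - [cisco] does not support DNS Security Extensions
Dec 10 11:53:14 syslog: dnscrypt-proxy-ipv4: - [cisco] logs your activity - a different provider might be better a choice if privacy is a concern
Dec 10 11:53:14 dnscrypt-proxy[12617]: dnscrypt-proxy-ipv4: Chosen certificate #1463092899 is valid from [2016-05-12] to [2017-05-12]
Dec 10 11:53:14 dnscrypt-proxy[12617]: dnscrypt-proxy-ipv4: Proxying from 127.0.0.1:65053 to 208.67.220.220:443
"""

CERT_RE = re.compile(r"Chosen certificate #(\d+) is valid from "
                     r"\[(\d{4}-\d{2}-\d{2})\] to \[(\d{4}-\d{2}-\d{2})\]")
WARN_RE = re.compile(r": - \[([^\]]+)\] "
                     r"(does not support DNS Security Extensions|logs your activity)")
PROXY_RE = re.compile(r"Proxying from (\S+) to (\S+)")

def summarize(log_text):
    """Extract resolver warnings, certificate window and upstream from startup lines."""
    info = {"warnings": [], "cert": None, "listen": None, "upstream": None}
    for line in log_text.splitlines():
        if m := WARN_RE.search(line):
            info["warnings"].append((m.group(1), m.group(2)))
        elif m := CERT_RE.search(line):
            info["cert"] = {"serial": int(m.group(1)),
                            "not_before": date.fromisoformat(m.group(2)),
                            "not_after": date.fromisoformat(m.group(3))}
        elif m := PROXY_RE.search(line):
            info["listen"], info["upstream"] = m.groups()
    return info

def clock_verdict(cert, router_date):
    """Classify a router clock date against the certificate validity window."""
    if router_date < cert["not_before"]:
        return "clock-behind"  # e.g. clock not yet set by NTP: cert looks not yet valid
    if router_date > cert["not_after"]:
        return "expired"
    return "ok"

if __name__ == "__main__":
    s = summarize(LOG)
    print(s["warnings"], s["listen"], "->", s["upstream"])
    # Assumed dates: log day in 2016, an unsynced clock, and a date past expiry.
    for d in (date(2016, 12, 10), date(1970, 1, 1), date(2017, 6, 1)):
        print(d, clock_verdict(s["cert"], d))
```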
 
Don't do that again...... nah just kidding....excellent work! Are you nocturnal or something like that?...where do you find the time?

How does the DNScrypt option work in the advanced VPN config?..... the DNS request go through the tunnel but to the DNScrypt resolver and ignore the VPN provider DNS?
 
Don't do that again...... nah just kidding....excellent work! Are you nocturnal or something like that?...where do you find the time?
Damned if I know. This became sort of a 'quest' to see if I could get it running. :)

How does the DNScrypt option work in the advanced VPN config?..... the DNS request go through the tunnel but to the DNScrypt resolver and ignore the VPN provider DNS?
Good question....I THINK
-Bypasses the tunnel and goes direct to the DNSCrypt resolver if you exclude the router from the VPN
- Goes thru the tunnel to the DNSCrypt resolver if the router is part of the VPN

Maybe someone can help test it and figure it out. I do know that the DNSLeak test only shows the DNScrypt resolver in either case.
 
I just found something interesting in my testing.....if you use OpenDNS for your DNSCrypt DNS over your VPN, it blocks AAAA DNS records. So it also closes IPv6 leaks over the VPN in a dual stack setup. (I had thought I needed to load a dnscrypt plugin to do this)
 

How are they treating the AAAA requests from clients?

NXDOMAIN?

I'm feeling some vague discomfort here - can't quite put my finger on what it is at the moment (it's early in the day, and I'm still working on my first cup of coffee)
 
Well, DNSCrypt is now fully integrated into my fork (someone remind me not to do something like this again :) ....it took about 500 lines of new code excluding the dnscrypt code....and I had to debug a problem in dnscrypt).

Look for a beta refresh in the next few days.
Is this in the latest BETA, no, right?
 
