
DNScrypt dnscrypt installer for asuswrt


Yes, Set DNS privacy protocol=none
Install DNSCrypt-proxy thru amtm
List of servers (they are in the installer also)
When installed and you have your servers set, also set the timezone and install RNG (haveged) from the dnscrypt-proxy menu
If you want to use Anonymized dns look at this post
List of Relay servers (not in the installer and need to be manually set)
I apologize for the noob question but, what are the pros/cons of using DoT vs DNSCrypt, and will the list of relay servers be automated in future updates or will they always have to be set manually?
 
Here is some info: https://dnscrypt.info/faq (DNSCrypt, DoH, DoT and so on). But keep in mind the info comes from the DNSCrypt homepage, so maybe it promotes DoH and DNSCrypt more since that's what is supported.
And some talk about what is a standard (IETF), and that DoH/DoT provide more information than regular DNS to resolver operators in order to fingerprint clients.
Practical considerations
All the solutions above offer the same practical security level. Compatibility with existing tools and infrastructure is what makes an actual difference.
It comes down to what servers you want to use.
DoT included in Asuswrt-Merlin is a good option; an SSH client and editing files should not be needed (more set and forget).
I use DNSCrypt-proxy. It gives good info in syslog, has many servers and also has a lot of options built in for users (wiki & features).
For the new DoH server/Firefox ESNI & Anonymized DNS (using relays) the installer needs to be updated/forked if we should be able to set these options from the DNSCrypt menu.
So until then it needs to be manually set in dnscrypt-proxy.toml at least once ;) and relay randomization and failover will be implemented in future versions of DNSCrypt-proxy.
 
Noob question, can I use dnscrypt with Asus stock firmware? Or maybe there are other similar tools for stock Asus?
Don't think stock firmware supports scripts as with Merlin firmware
Requirements:
- ARM or MIPSEL based ASUS routers
- asuswrt-merlin firmwares or compatible
- jffs support and script enabled
Here you have some options for different platforms
 
Version 2.0.35 Released
Update/install thru amtm

Recommend doing a backup of JFFS in the webui before updating, for easy rollback if something is not working with a newer version
Administration - Restore/Save/Upload Setting: Backup JFFS partition: Save

Restore JFFS backup if needed and reboot router
 


This too is an interesting read.......

https://tenta.com/blog/post/2017/12/dns-over-tls-vs-dnscrypt
 
Something more recent, some interesting comments from Bill Woodcock of Quad9.....

https://www.reddit.com/r/privacy/comments/89pr15/dnsoverhttps_vs_dns_overtls_vs_dnscrypt/
Interesting :) Some good replies also from jedisct1 (Frank Denis)
edit:
I really like DoT in Merlin firmware, tried it for a while and think it's good.
Main reason for me using DNSCrypt is that my VPN provider's DNS servers use/support dnscrypt v2. Also more fun to fiddle with and feels like I learn more about this stuff ;)
It's great that we can use DoT in Merlin and also have the option to run DNSCrypt/DoH with this script if needed
 
Yea I really like dnscrypt-proxy and what it has to offer in the works. I would be more inclined to adapting to DoH once HTTPS becomes the full internet standard. I just can't find myself traversing HTTP with my DNS exposed; if I am relying on encryption, I prefer to have my DNS encrypted, which is why I stick with DoT for the time being. I must admit anonymized DNSCrypt does sound nice.
 

I think both DoT and DoH have the DNS query encrypted.
The advantage of current dnscrypt-proxy over stubby is Anonymized DNS relays and ESNI (for Firefox).
Not sure how effective the ESNI is, but it is definitely good to have since it does not need to use Firefox's DoH and can work with DNSCrypt over anonymized DNS relays.
 
From my understanding, the encryption of DoH involves the HTTPS traffic; if you are traversing HTTP the encryption is absent. You may be right though, but who would want to risk it. I do think anonymized DNSCrypt is a good way to go if the relays chosen are reliable.
 

More old info on DNSCrypt protocol link
In the same way the SSL turns HTTP web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks
Relay server info link
All well and working fine here with Anonymized DNSCrypt/DNSSEC/dnscrypt_ephemeral_keys = true (unique key for every single DNS query)
 
From my understanding, the encryption of DoH involves the HTTPS traffic; if you are traversing HTTP the encryption is absent. You may be right though, but who would want to risk it. I do think anonymized DNSCrypt is a good way to go if the relays chosen are reliable.

Think you got it all wrong.
DNS encryption has nothing to do with whether you are surfing under HTTP or HTTPS.

DoT/DoH/DNSCrypt are DNS encryption protocols that encrypt your DNS queries to prevent MITM hacking/sniffing. But this encryption doesn't really prevent the ISP from knowing what site you go to, as they may still get it from SNI if they want.

Anonymized DNS relay is more to prevent fingerprinting and getting your surfing habits with your IP address.

Also according to the DNSCrypt-proxy owner, when using dnscrypt-proxy with an anonymized relay, your DNS queries are encrypted from point A to B to C. So the relay (B) will not be able to see your DNS queries (encrypted), but it will be able to see your IP address. After that it will forward the queries to the DNS provider (C) (e.g. Cloudflare), and Cloudflare will only see the relay's (B) IP address. This will prevent the DNS provider from collecting data about you (purpose of the anonymized relay).
 
DoT/DoH/DNSCrypt are DNS encryption protocols that encrypt your DNS queries to prevent MITM hacking/sniffing. But this encryption doesn't really prevent the ISP from knowing what site you go to, as they may still get it from SNI if they want.
I understand this part --- obviously the ISP gets to see more than we fully know, unless one is to use a VPN.
or like you propose

Anonymized DNS relay is more to prevent fingerprinting and getting your surfing habits with your IP address.
Also according to the DNSCrypt-proxy owner, when using dnscrypt-proxy with an anonymized relay, your DNS queries are encrypted from point A to B to C. So the relay (B) will not be able to see your DNS queries (encrypted), but it will be able to see your IP address. After that it will forward the queries to the DNS provider (C) (e.g. Cloudflare), and Cloudflare will only see the relay's (B) IP address. This will prevent the DNS provider from collecting data about you (purpose of the anonymized relay).

Where I get lost is the line of thought that DoH is supposed to encrypt your traffic within HTTPS traffic. If you are not using HTTPS traffic, how does this encryption actually occur then?
 
SomeWhereOverTheRainBow,
Your confusion is because you are misunderstanding the fact that DoH is meant to 'look like HTTPS traffic' and is not part of the normal HTTPS data flow.
The DNS lookup is separate (and prior to) accessing a site via HTTP or HTTPS.


 
2.0.36-beta.1
jedisct1 released this 5 hours ago

  • New option: block_undelegated. When enabled, dnscrypt-proxy will directly respond to queries for locally-served zones (https://sk.tl/2QqB971U) and nonexistent zones that should have been kept local, but are frequently leaked. This reduces latency and improves privacy.
  • Conformance: the DO bit is now set in synthetic responses if it was set in a question, and the AD bit is cleared.
  • The miekg/dns module was updated to version 1.1.25, which fixes a security issue affecting non-encrypted/non-authenticated DNS traffic. In dnscrypt-proxy, this only affects the forwarding feature.
There have also been quite a bit of internal changes, so please report any possible regression!
 
Okay, so what is the benefit of the "max_clients" option in the .toml file? The example has it set at 250, which would seem reasonable, so why does the installer set it to max_clients = 1024?
 
Over 6 hours on 2.0.36-beta.1 and seems stable so far ;)

Recommend doing a backup of JFFS in webui before update, For easy rollback if something is not working with a newer version
Administration - Restore/Save/Upload Setting: Backup JFFS partition: Save

Restore JFFS backup if needed and reboot router
 
