DNScrypt + Merlin?

DNScrypt-Entware with other servers Opendns

Hello,

I use DNScrypt with OpenDNS, since ryzhov_al gave us a great tutorial!
With the revelations of Snowden, I would like to use a European server.
I saw that other DNS servers now accept dnscrypt, e.g. https://dnscrypt.eu/

I tried to launch dnscrypt with the parameters of this tutorial: http://www.linksysinfo.org/index.php?threads/dnscrypt-preview.37031/
but the Entware version seems old and pre-configured for "OpenDNS", and some parameters are not accepted.

Is there a plan for dnscrypt-entware to work with the new servers?

Thanks
 
but the Entware version seems old and pre-configured for "OpenDNS", and some parameters are not accepted.

Is there a plan for dnscrypt-entware to work with the new servers?
Which parameters are not accepted? I've tried to run dnscrypt-proxy with the default (OpenDNS) remote server:
Code:
May 29 15:00:26 dnscrypt-proxy[5969]: Initializing libsodium for optimal performance
May 29 15:00:26 dnscrypt-proxy[5969]: Generating a new key pair
May 29 15:00:26 admin: Started dnscrypt-proxy from .
May 29 15:00:26 dnscrypt-proxy[5969]: Done
May 29 15:00:26 dnscrypt-proxy[5969]: Server certificate #808464433 received
May 29 15:00:26 dnscrypt-proxy[5969]: This certificate looks valid
May 29 15:00:26 dnscrypt-proxy[5969]: Chosen certificate #808464433 is valid from [2014-01-12] to [2015-01-12]
May 29 15:00:26 dnscrypt-proxy[5969]: Server key fingerprint is C863:1F2D:C621:3FE8:CD02:C65A:6DB6:DDD6:08BA:49EA:5962:AF4C:B063:6568:5A4C:9925
May 29 15:00:26 dnscrypt-proxy[5969]: Proxying from 127.0.0.1:65053 to 77.66.84.233:443
and with dnscrypt.eu:
Code:
May 29 15:02:34 dnscrypt-proxy[6221]: Initializing libsodium for optimal performance
May 29 15:02:34 dnscrypt-proxy[6221]: Generating a new key pair
May 29 15:02:34 dnscrypt-proxy[6221]: Done
May 29 15:02:34 admin: Started dnscrypt-proxy from .
May 29 15:02:34 dnscrypt-proxy[6221]: Server certificate #1380734687 received
May 29 15:02:34 dnscrypt-proxy[6221]: This certificate looks valid
May 29 15:02:34 dnscrypt-proxy[6221]: Chosen certificate #1380734687 is valid from [2013-10-03] to [2014-10-03]
May 29 15:02:34 dnscrypt-proxy[6221]: Server key fingerprint is 227C:86C7:7574:81AB:6AE2:402B:4627:6E18:CFBB:60FA:DF92:652F:D694:01E8:EBF2:B007
May 29 15:02:34 dnscrypt-proxy[6221]: Proxying from 127.0.0.1:65053 to 208.67.220.220:443

Both work well. What am I doing wrong? :)
 
Hello,

Is there a plan for dnscrypt-entware to work with the new servers?

Thanks

Check out the dnscrypt-github page
usage

I'm using the two dnscrypt servers in case one goes down for maintenance on dnscrypt.eu.

Here's mine
You probably want to remove the "--user=dnscrypt" part from it, or use the user and group config scripts (https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files) to create one and change permissions.

If the owner module extension gets added to Merlin's firmware, then you can limit dnscrypt-proxy outbound access to e.g. port 443 UDP (or compile it yourself :) if you want this).

Code:
iptables -A OUTPUT -m owner --uid-owner dnscrypt -p udp  --dport 443 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner dnscrypt -j DROP

So for the first dnscrypt.eu server change to this one:

# cat S09dnscrypt-proxy

Code:
#!/bin/sh

ENABLED=yes
PROCS=dnscrypt-proxy
# --user=dnscrypt is optional; drop it if no dnscrypt user exists on the router
ARGS="--daemonize --user=dnscrypt --local-address=127.0.0.1:65053 --resolver-address=176.56.237.171:443 --provider-name=2.dnscrypt-cert.resolver1.dnscrypt.eu --provider-key=67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66"
PREARGS=""
DESC="$PROCS(1)"
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

(Everything below this is optional)
The second one: you must create this one if you want to run a failover instance.

# cat S10dnscrypt-proxy

Code:
#!/bin/sh

ENABLED=yes
PROCS=dnscrypt-proxy
# --user=dnscrypt is optional; drop it if no dnscrypt user exists on the router
ARGS="--daemonize --user=dnscrypt --local-address=127.0.0.1:65054 --resolver-address=77.66.84.233:443 --provider-name=2.dnscrypt-cert.resolver2.dnscrypt.eu --provider-key=3748:5585:E3B9:D088:FD25:AD36:B037:01F5:520C:D648:9E9A:DD52:1457:4955:9F0A:9955"
PREARGS=""
DESC="$PROCS(2)"
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

Change also line 21 in /opt/etc/init.d/rc.func

Code:
- if [ -n "`pidof $PROC`" ]; then
+ if [ -n "`pidof $PROC`" -a "$PROC" != "dnscrypt-proxy" ]; then
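Review bot: on the `+` line, the added `"$PROC" != "dnscrypt-proxy"` test switches off the running-process guard for every dnscrypt-proxy start, not only for the second instance, so running start again for a script whose instance is already up will launch another copy against the same --local-address. Consider keeping the guard per instance (for example a per-script PID file) instead of exempting one process name in a file shared by all services. If the test stays, note that `-a` inside `[ ]` is marked obsolescent in POSIX; `[ -n "$(pidof "$PROC")" ] && [ "$PROC" != "dnscrypt-proxy" ]` is the unambiguous form.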

So in case of dnscrypt-proxy, let entware start two or more as it's not limited anymore.

Also add the second nameserver in /jffs/configs/dnsmasq.conf.add

Code:
dhcp-option=252,"\n"
no-resolv
server=127.0.0.1#65053
server=127.0.0.1#65054
# Optional per-domain upstream; remove if not wanted
server=/pandora.com/50.116.28.138

That's it :)
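
A check one could run after setting up the two instances above, as an added example that is not part of the original posts: it reads dnscrypt-proxy syslog lines in the format shown earlier in the thread and reports any listener that is missing, proxies to a resolver other than the one pinned in its init script, or chose a certificate outside its validity window. The sample log, the `audit_dnscrypt` function name and the date passed in are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The log lines below are constructed in
# the syslog format shown above; addresses come from the two init scripts.
SAMPLE_LOG='May 29 15:02:34 dnscrypt-proxy[6221]: Chosen certificate #1 is valid from [2013-10-03] to [2014-10-03]
May 29 15:02:34 dnscrypt-proxy[6221]: Proxying from 127.0.0.1:65053 to 176.56.237.171:443
May 29 15:02:35 dnscrypt-proxy[6230]: Chosen certificate #2 is valid from [2014-01-12] to [2015-01-12]
May 29 15:02:35 dnscrypt-proxy[6230]: Proxying from 127.0.0.1:65054 to 208.67.220.220:443'

# Expected "listener resolver" pairs, one per line (from the S09/S10 ARGS).
EXPECTED='127.0.0.1:65053 176.56.237.171:443
127.0.0.1:65054 77.66.84.233:443'

# audit_dnscrypt LOG EXPECTED TODAY   (TODAY as YYYY-MM-DD)
# Prints one finding per line; prints nothing when everything matches.
audit_dnscrypt() {
    printf '%s\n---\n%s\n' "$2" "$1" | awk -v today="$3" '
        !inlog && $0 == "---" { inlog = 1; next }   # end of expected pairs
        !inlog { want[$1] = $2; next }
        { pid = $4; gsub(/[^0-9]/, "", pid) }       # "dnscrypt-proxy[6221]:" -> 6221
        /Chosen certificate/ {
            nb = $(NF-2); na = $NF                  # "[2013-10-03]" and "[2014-10-03]"
            gsub(/[^0-9-]/, "", nb); gsub(/[^0-9-]/, "", na)
            # ISO dates order correctly under string comparison
            if (today < nb || today > na)
                printf "CERT_OUT_OF_WINDOW pid=%s %s..%s\n", pid, nb, na
        }
        /Proxying from/ {
            lsn = $(NF-2); rsv = $NF
            seen[lsn] = 1
            if (!(lsn in want))
                printf "UNEXPECTED_LISTENER pid=%s %s\n", pid, lsn
            else if (want[lsn] != rsv)
                printf "RESOLVER_MISMATCH pid=%s %s -> %s (want %s)\n", pid, lsn, rsv, want[lsn]
        }
        END { for (l in want) if (!(l in seen)) printf "NOT_RUNNING %s\n", l }
    '
}

audit_dnscrypt "$SAMPLE_LOG" "$EXPECTED" 2014-05-29
```

On the router, the first argument would be the real log text, for example the output of `grep dnscrypt-proxy` over the syslog file.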
 
@krabs: Thank you for your explanations; they will surely help me and others. The second use of DNS is very interesting.
@ryzhov_al: Thank you for taking the time to try. (I confess that I am not a Linux guru.) I'll try following the step-by-step explanations from krabs.
 
I've written a simple script to switch between DNSCrypt servers.

A suggestion:

Could it be an option to allow (add) two dnscrypt processes at the same time in your script? For example, when the ramnode server from dnscrypt.eu goes down in the Netherlands, you don't have to switch the $(ARGS1) line; you don't have to do anything, as the second resolver, which is also running, takes over automatically.
 
Change also line 21 in /opt/etc/init.d/rc.func
If it is possible, it's better to avoid changing system-wide files. You can make a symlink for the dnscrypt-proxy daemon binary.

Could it be an option to allow (add) two dnscrypt processes at the same time in your script? For example, when the ramnode server from dnscrypt.eu goes down in the Netherlands, you don't have to switch the $(ARGS1) line; you don't have to do anything, as the second resolver, which is also running, takes over automatically.
Done.
 
Is it possible to also modify this for use with IPv6 as well as v4? A little bit back, I tried modifying it with some sample scripts I saw online, as dnscrypt does support IPv6, but it wouldn't launch correctly for me.
 
