
DNSCrypt Necessary or not?

Discussion in 'Asuswrt-Merlin' started by let me question, May 28, 2018.

  1. let me question

    let me question New Around Here

    Joined:
    May 25, 2018
    Messages:
    6
    Is it necessary to install DNSCrypt if I have already configured the router in this way:

    1. LAN -> DHCP Server -> Enable DNSSEC support: Yes
    2. WAN -> Internet Connection -> Connect to DNS Server automatically: No
       DNS Server1: 1.1.1.1
       DNS Server2: 1.0.0.1

    Or do I always have to install DNSCrypt because it encrypts the DNS?
     
    Last edited: May 28, 2018
  3. Twiglets

    Twiglets Regular Contributor

    Joined:
    Aug 15, 2014
    Messages:
    149
    See https://dnscrypt.info/faq/

    It explains the difference between DNSSEC & DNSCrypt!!!
    It is worth reading all the information on the site, not just the FAQ.
    It is your choice what you implement to match your privacy needs :)

    If not sure try implementing (Entware/AB-Solution/dnscrypt/dnsmasq/pixelserv/Skynet) as per the instructions and see how it performs for you. (All available via amtm script/menu)
    You can switch off the bits you do not need BUT understand WHY you are doing it and the consequences.
    i.e. read up on them all and understand what you are doing. :)
     
  4. pattiri

    pattiri Senior Member

    Joined:
    Dec 27, 2016
    Messages:
    233
    Location:
    Istanbul, Turkey
    I don't know if any of you know, but Wikipedia is blocked in my country; wikipedia.com is blocked at both the DNS level and the IP level.

    Here is my comparison:

    When DNSSEC is enabled:

    When I send DNS requests asking for wikipedia.com to 1.1.1.1 or any public DNS server, I can't get any answer; my ISP can see my DNS queries and blocks them.

    When I use DNSCrypt:

    And send DNS requests asking for wikipedia.com to 1.1.1.1 or any public DNS server, I get an answer.

    So: DNSCrypt >>> DNSSEC :)
     
  5. reerden

    reerden Regular Contributor

    Joined:
    Nov 10, 2014
    Messages:
    88
    Depends on what you need. DNSSEC makes sure that DNSSEC-signed domain requests have not been tampered with. DNSCrypt encrypts all DNS traffic only between your PC and the DNS server you use, meaning nobody can eavesdrop on your requests.

    The primary reason for DNSCrypt is privacy. The primary reason for DNSSEC is security against manipulation.

    Some things to consider:
    • The owner of the DNS server can still see what you request. So you'd have to trust them when you're concerned about privacy. DNScrypt or not. Preferably, you select a server that does no logging.
    • DNSCrypt does not guarantee the record hasn't been tampered with; it only encrypts the traffic between you and the DNS server. The DNS server gets its information from other DNS servers. That connection might be unencrypted and thus susceptible to manipulation anyway. It does of course decrease the chance of manipulation.
    • Keep in mind that DNSSEC only works if the website has DNSSEC configured, which is almost nobody. Not even the largest corporations and sites. It is therefore still fairly useless.
    • The servers you have selected, owned by Cloudflare, do not support DNSCrypt. However, the latest version of the DNSCrypt software supports DNS-over-HTTPS, which also provides DNS traffic encryption and is supported by the Cloudflare servers. Make sure the latest version is compatible with your router. It does not work on the older MIPS routers (N66U, AC66U).
     
  6. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    28,266
    Location:
    Canada
    DNSSEC and DNSCrypt are complementary, not competing. They address different security aspects.
     
    Zastoff, Makaveli and let me question like this.
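To make the "complementary" point from the two posts above concrete, here is an added example dnsmasq configuration. It is not from this thread and not Asuswrt-Merlin's own generated config; it has the router validate DNSSEC signatures itself while forwarding every query over an encrypted hop to a local dnscrypt-proxy or Stubby instance. It assumes that proxy listens on 127.0.0.1 port 65053 (the port is an assumption; use whatever your installer configured) and that the drop-in file is /jffs/configs/dnsmasq.conf.add (also an assumption about the Asuswrt-Merlin layout). The trust-anchor line is the IANA root KSK-2017 DS record as published; compare it against IANA's current value before relying on it.

```conf
# Added example dnsmasq drop-in (assumed path: /jffs/configs/dnsmasq.conf.add).
# Not the firmware's generated config; adjust the port to your installer's.

# Ignore /etc/resolv.conf and the WAN DNS fields: every query goes to the local
# encrypting proxy (dnscrypt-proxy or Stubby), which owns the upstream choice.
no-resolv
server=127.0.0.1#65053

# DNSCrypt/DoH/DoT only protect the hop from the router to the resolver.
# Validating here catches a forged or altered record no matter which resolver
# (or which hop behind it) produced the answer.
dnssec
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

# Reject unsigned answers from zones that are supposed to be signed instead
# of passing them through as if they were fine.
dnssec-check-unsigned

# Routers with no battery-backed clock may fail every signature check until
# NTP has synced; dnsmasq has an option for that window, disabled here:
# dnssec-no-timecheck
```

With "Enable DNSSEC support" set to Yes in the GUI, the firmware already emits the `dnssec` and `trust-anchor` lines, so in that case only the `no-resolv` and `server=` lines are new. Check the result with a query for a deliberately broken test domain (dnssec-failed.org is commonly used for this): a validating setup returns SERVFAIL for it, while a non-validating one happily returns an address.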
  7. Marin

    Marin Senior Member

    Joined:
    Sep 15, 2015
    Messages:
    236
    I have Diversion and Skynet installed (Thank you @lonelycoder and @Adamm for these great programs) and planning to install DNSCrypt from the AMTM menu. I have done some reading about this program and tried to install it last night but I am not very clear with some of the installation steps.

    I use NordVPN and have its servers IP addresses entered under the WAN tab of the GUI (Automatically connect to DNS servers=No).

    I am also using “Strict” access configurations for both the VPN server settings and Policy rules and have added a few extra DHCP commands under the Custom Configuration window of the VPN setup page to get Diversion to work (per @Xentrk's recommendations, https://x3mtek.com/torguard-openvpn-2-4-client-setup-for-asuswrt-merlin-firmware/ . Thank you!).

    During the DNSCrypt installation from AMTM:

    1. When I choose the Manual method for picking a server (say a DOH over HTTPS one) how many choices do I get to pick? More than one? The command question simply asks to “pick another one” or “quit”.

    2. Could I manually enter both of my NordVPN DNS servers instead of the other servers displayed there?

    If YES, then do I need to make any adjustments to the WAN section of the router’s GUI (see above) or leave everything as is?

    If NO, and I pick a different server (or more than one), how will this affect my NordVPN server setup under the WAN tab of the GUI?


    3. Lastly, I apologize if I missed this from the links provided by others on this thread and Diversion’s website, but... does anyone have a good guide that describes each DNSCrypt installation step from the AMTM menu, to make it easier for everyone to understand what each option/sub-option does?


    Thank you!


     
  8. bbunge

    bbunge Very Senior Member

    Joined:
    Aug 11, 2014
    Messages:
    601
    Location:
    Pennsylvania USA
    You can use Stubby in lieu of DNSCrypt. Stubby provides DoT, which encrypts the request, and if you add DNSSEC either with Stubby or in Merlin the requests will be verified. This is a very simple explanation of a complex process that works! I use Stubby on my RT-AC66U_B1 and on two RT-AC68Us running John's fork, which has built-in Stubby.
     
  9. Zastoff

    Zastoff Regular Contributor

    Joined:
    Nov 21, 2017
    Messages:
    126
    Location:
    Sweden
    I use my VPN provider's DNS servers in dnscrypt-proxy; I added them myself at the bottom of the .toml file and manually set them at the beginning of the same file.
    There is an example with a Google DNS server at the bottom of that file, if I remember correctly.
    https://dnscrypt.info/stamps
    There you can create the sdns.
    The info needed (IP address, provider public key and provider name) you can get from your VPN/DNS provider's support.
    Make sure the DNS servers support DNSCrypt v1/v2 or DoH.
    dnscrypt-proxy will ignore/override the GUI DNS settings.
    Additional information ;)
    https://www.snbforums.com/threads/release-dnscrypt-installer-for-asuswrt.36071/
     
    Last edited: Nov 10, 2018
    Marin likes this.
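The "sdns" that Zastoff builds on the stamps page is a DNS Stamp: one base64url string carrying the server's address, its claimed properties (DNSSEC, no logs, no filter) and, for DNSCrypt, the provider name and public key that dnscrypt-proxy later uses to authenticate the resolver's certificate. The following is an added example, not code from this thread or from the dnscrypt-proxy project: a small Python encoder/decoder for the DNSCrypt and DoH stamp types, written to the public DNS Stamps specification. All addresses, key bytes and provider names in it are constructed; the Cloudflare DoH stamp constant is quoted from memory of dnscrypt-proxy's public resolver list and should be treated as an assumption (decoding it shows exactly what it claims).

```python
"""Encode and decode DNS stamps ("sdns://" URIs) for DNSCrypt and DoH servers.

Added example, not code from the thread or from dnscrypt-proxy. It follows the
public DNS Stamps specification (https://dnscrypt.info/stamps-specifications)
for the two stamp types used in a dnscrypt-proxy .toml server list.
Sample values (addresses, key bytes, provider names) are constructed.
"""
import base64
import struct
from typing import Dict, List, Sequence

# Property flags, stored as a little-endian 64-bit integer after the protocol byte.
FLAG_DNSSEC = 0x01     # resolver validates DNSSEC
FLAG_NO_LOGS = 0x02    # resolver claims not to log queries
FLAG_NO_FILTER = 0x04  # resolver claims not to filter/censor answers

PROTO_DNSCRYPT = 0x01
PROTO_DOH = 0x02

# Stamp for Cloudflare's 1.0.0.1 DoH resolver as quoted from memory of
# dnscrypt-proxy's public-resolvers list (assumption; decode it to check).
CLOUDFLARE_DOH_STAMP = "sdns://AgcAAAAAAAAABzEuMC4wLjEAEmRucy5jbG91ZGZsYXJlLmNvbQovZG5zLXF1ZXJ5"


def _lp(data: bytes) -> bytes:
    """Length-prefixed field: one length byte followed by the bytes."""
    if len(data) > 255:
        raise ValueError("field too long for a one-byte length prefix")
    return bytes([len(data)]) + data


def _vlp(items: Sequence[bytes]) -> bytes:
    """Set of length-prefixed fields; bit 7 of a length byte means 'more follow'.
    An empty set is a single zero byte."""
    if not items:
        return b"\x00"
    out = bytearray()
    for i, item in enumerate(items):
        if len(item) > 127:
            raise ValueError("VLP item too long")
        out.append(len(item) | (0x80 if i < len(items) - 1 else 0))
        out += item
    return bytes(out)


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_dnscrypt_stamp(addr: str, provider_pk: bytes, provider_name: str, props: int) -> str:
    """DNSCrypt stamp: 0x01 || props || LP(addr) || LP(pk) || LP(providerName)."""
    if len(provider_pk) != 32:
        raise ValueError("provider public key must be 32 raw bytes")
    raw = (bytes([PROTO_DNSCRYPT]) + struct.pack("<Q", props)
           + _lp(addr.encode()) + _lp(provider_pk) + _lp(provider_name.encode()))
    return "sdns://" + _b64url(raw)


def encode_doh_stamp(addr: str, hostname: str, path: str, props: int,
                     hashes: Sequence[bytes] = (), bootstrap_ips: Sequence[str] = ()) -> str:
    """DoH stamp: 0x02 || props || LP(addr) || VLP(hashes) || LP(host) || LP(path) [|| VLP(bootstrap)]."""
    raw = (bytes([PROTO_DOH]) + struct.pack("<Q", props) + _lp(addr.encode())
           + _vlp(list(hashes)) + _lp(hostname.encode()) + _lp(path.encode()))
    if bootstrap_ips:
        raw += _vlp([ip.encode() for ip in bootstrap_ips])
    return "sdns://" + _b64url(raw)


class _Reader:
    """Bounds-checked cursor over the decoded stamp bytes."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("stamp truncated")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def lp(self) -> bytes:
        return self.take(self.u8())

    def vlp(self) -> List[bytes]:
        items: List[bytes] = []
        while True:
            vlen = self.u8()
            item = self.take(vlen & 0x7F)
            if item:
                items.append(item)
            if not vlen & 0x80:
                return items

    def remaining(self) -> int:
        return len(self.buf) - self.pos


def decode_stamp(stamp: str) -> Dict[str, object]:
    """Parse an sdns:// stamp into its fields; raises ValueError on malformed input."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not an sdns:// stamp")
    r = _Reader(_unb64url(stamp[len("sdns://"):]))
    proto = r.u8()
    props = struct.unpack("<Q", r.take(8))[0]
    info: Dict[str, object] = {
        "proto": {PROTO_DNSCRYPT: "DNSCrypt", PROTO_DOH: "DoH"}.get(proto, "unknown"),
        "dnssec": bool(props & FLAG_DNSSEC),
        "no_logs": bool(props & FLAG_NO_LOGS),
        "no_filter": bool(props & FLAG_NO_FILTER),
        "addr": r.lp().decode(),
    }
    if proto == PROTO_DNSCRYPT:
        info["provider_pk"] = r.lp()          # raw Ed25519 key, used to check the cert
        info["provider_name"] = r.lp().decode()
    elif proto == PROTO_DOH:
        info["hashes"] = r.vlp()              # optional TBS-certificate SHA-256 pins
        info["hostname"] = r.lp().decode()
        info["path"] = r.lp().decode()
        info["bootstrap_ips"] = [ip.decode() for ip in r.vlp()] if r.remaining() else []
    else:
        raise ValueError(f"unsupported stamp protocol id {proto:#x}")
    if r.remaining():
        raise ValueError("unexpected trailing bytes in stamp")
    return info


if __name__ == "__main__":
    print(decode_stamp(CLOUDFLARE_DOH_STAMP))
```

The flags in a stamp are what the server operator claims, not something the client can verify, which is the same trust question reerden raises about logging; what a DNSCrypt stamp does pin is the provider's public key, so a wrong key from your VPN provider's support yields a certificate-verification failure in dnscrypt-proxy rather than a silently different resolver.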
  10. Marin

    Marin Senior Member

    Joined:
    Sep 15, 2015
    Messages:
    236
    Thank you!!
     
  11. Marin

    Marin Senior Member

    Joined:
    Sep 15, 2015
    Messages:
    236
    I don't think I can use Stubby... I am using an RT-AC86U router... I think I may have read somewhere that there is no support for it yet, but I may be wrong.
     
  12. Zonkd

    Zonkd Regular Contributor

    Joined:
    Oct 19, 2014
    Messages:
    134
    TL;DR: use DoH at home.

    I would say that if you’re just a typical family guy on a home LAN it’s fine to stick with DNSCrypt to use its DoH (DNS over HTTPS). It can’t be blocked by the ISP in future. Cloudflare likes DoH because it uses the same port as standard web traffic, so it’s difficult for an ISP or network administrator to monitor/block/censor without outright blocking all web traffic for the user. On the other hand, DoT is favored by ISPs or anyone managing large networks because it uses a dedicated port, which makes it easy to identify when a person is encrypting their DNS, to which server it’s being sent, and to block it. Bad luck for the user, and they can be forced to use the network admin's logged, censored DNS.

    May as well go for DoH at home, but ultimately it doesn’t matter.
     
  13. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    28,266
    Location:
    Canada
    You can also identify to which DoH server you are connecting, and these could be blocked.
     
  14. Zonkd

    Zonkd Regular Contributor

    Joined:
    Oct 19, 2014
    Messages:
    134
    That is also true. Net admins could simply block the ip addresses of known DNS servers. Good luck to cloudflare solving that problem. With their growing influence I’m sure they could make it impractical and undesirable to block their IPs without the admin crippling other internet services for the user.
     
  15. Marin

    Marin Senior Member

    Joined:
    Sep 15, 2015
    Messages:
    236
    Any thoughts on how to pick the best/closest servers via manual DNSCrypt setup (from the AMTM menu)? Looking at the list of servers, I am not always able to tell whether some of them are in the US or not. Or, do you think the “automatic” server setup would be better?


     
  16. slobodan

    slobodan Regular Contributor

    Joined:
    Jul 30, 2015
    Messages:
    125
    OpenDNS is a good choice if you want to keep your own DNS logs (last 14 days logs are at no cost, for more you have to pay). It is customizable, it can block adware websites or act as child protection. It also blocks malware/phishing, though it is not the best in doing that.

    For malware/phishing protection, the choice is between CleanBrowsing (gold) and Quad9 (silver).

    Against ads there is AdGuard. It also blocks malware/phishing, though it is not the best in doing that.

    OpenDNS and Quad9 have geographically diverse servers, so they are best for optimized content delivery (CDN).
     
    Zonkd likes this.
  17. Zonkd

    Zonkd Regular Contributor

    Joined:
    Oct 19, 2014
    Messages:
    134
    My vote is for cloudflare. Speediest overall and secure.
     
    SMS786 likes this.
  18. Zastoff

    Zastoff Regular Contributor

    Joined:
    Nov 21, 2017
    Messages:
    126
    Location:
    Sweden
    At the moment I use only DNSCrypt v2 + DNSSEC servers (no logging) since that's what my VPN provider supports, but I am trying to follow the Stubby installer thread for some info on DoT and maybe change servers in the future ;)
    Tried Cloudflare once with DoH, but the online test failed, so I removed it.
    [Release] dnscrypt installer for asuswrt
     
    Last edited: Nov 13, 2018 at 12:26 PM
  19. Xentrk

    Xentrk Very Senior Member

    Joined:
    Jul 21, 2016
    Messages:
    1,679
    Location:
    The Land of Smiles
    DNSCrypt was never approved as a standard. I recommend reading the history of securing dns queries and latest developments at https://dnsprivacy.org.

    If interested in Stubby, see the post
    https://www.snbforums.com/threads/stubby-installer-asuswrt-merlin.49469/
     
  20. Marin

    Marin Senior Member

    Joined:
    Sep 15, 2015
    Messages:
    236
    Thank you @Xentrk

    I was under the impression that Stubby has no support for RT-AC86U unless that has recently changed.
     
  21. Xentrk

    Xentrk Very Senior Member

    Joined:
    Jul 21, 2016
    Messages:
    1,679
    Location:
    The Land of Smiles
    You are correct. I spaced out on that. Not enough coffee! A few people also reported issues with DNSCrypt not working on the 86U.
     