DNSCrypt: necessary or not?

let me question

Is it necessary to install DNSCrypt if I have already configured the router this way:

1. LAN -> DHCP Server -> Enable DNSSEC support: Yes
2. WAN -> Internet Connection -> Connect to DNS Server automatically: No
DNS Server1: 1.1.1.1
DNS Server2: 1.0.0.1

Or do I always have to install DNSCrypt because it encrypts the DNS?
 
See https://dnscrypt.info/faq/

It explains the difference between DNSSEC and DNSCrypt!
It is worth reading all the information on the site, not just the FAQ.
It is your choice what you implement to match your privacy needs :)

If not sure, try implementing (Entware/AB-Solution/dnscrypt/dnsmasq/pixelserv/Skynet) as per the instructions and see how it performs for you. (All available via the amtm script/menu.)
You can switch off the bits you do not need, BUT understand WHY you are doing it and the consequences.
i.e., read up on them all and understand what you are doing. :)
 
I don't know if any of you know, but Wikipedia is blocked in my country; wikipedia.com is blocked at both the DNS level and the IP level.

Here is my comparison;

When DNSSEC is enabled:

When I send DNS requests asking for wikipedia.com to 1.1.1.1 or any public DNS server, I can't get any answer; my ISP can see my DNS queries and blocks them.

When I use DNSCrypt:

And send DNS requests asking for wikipedia.com to 1.1.1.1 or any public DNS server, I can get an answer.

So; DNSCrypt >>> DNSSEC :)
 

Depends on what you need. DNSSEC makes sure that requests for DNSSEC-signed domains have not been tampered with. DNSCrypt encrypts all DNS traffic, but only between your PC and the DNS server you use, meaning nobody can eavesdrop on your requests.

The primary reason for DNSCrypt is privacy. The primary reason for DNSSEC is security against manipulation.

Some things to consider:
  • The owner of the DNS server can still see what you request. So you'd have to trust them when you're concerned about privacy, DNSCrypt or not. Preferably, you select a server that does no logging.
  • DNSCrypt does not guarantee the record hasn't been tampered with; it only encrypts the traffic between you and the DNS server. The DNS server gets its information from other DNS servers. That connection might be unencrypted and thus susceptible to manipulation anyway. It does of course decrease the chance of manipulation.
  • Keep in mind that DNSSEC only works if the website has DNSSEC configured, which is almost nobody. Not even the largest corporations and sites. It is therefore still fairly useless.
  • The servers you have selected, owned by Cloudflare, do not support DNSCrypt. However, the latest version of the DNSCrypt software supports DNS-over-HTTPS, which also provides DNS traffic encryption and is supported by the Cloudflare servers. Make sure the latest version is compatible with your router. It does not work on the older MIPS routers (N66U, AC66U).
 
I have Diversion and Skynet installed (Thank you @lonelycoder and @Adamm for these great programs) and planning to install DNSCrypt from the AMTM menu. I have done some reading about this program and tried to install it last night but I am not very clear with some of the installation steps.

I use NordVPN and have its servers IP addresses entered under the WAN tab of the GUI (Automatically connect to DNS servers=No).

I am also using “Strict” access configurations for both the VPN server settings and Policy rules, and have added a few extra DHCP commands under the Custom Configuration window of the VPN setup page to get Diversion to work (per @Xentrk's recommendations—Thank you!

https://x3mtek.com/torguard-openvpn-2-4-client-setup-for-asuswrt-merlin-firmware/ ).

During the DNSCrypt installation from AMTM:

1. When I choose the Manual method for picking a server (say a DNS-over-HTTPS one), how many choices do I get to pick? More than one? The prompt simply asks to “pick another one” or “quit”.

2. Could I manually enter both of my NordVPN DNS servers instead of the other servers displayed there?

If YES, then do I need to make any adjustments to the WAN section of the router’s GUI (see above) or leave everything as is?

If NO, and I pick a different server (or more than one), how will this affect my NordVPN server setup under the WAN tab of the GUI?


3. Lastly, I apologize if I missed this from the links provided by others on this thread and Diversion’s website but.....does anyone have a good guide that describes each DNSCrypt installation step from the AMTM menu to make it easier for everyone to understand what each option/sub option does?


Thank you!


 
You can use Stubby in lieu of DNSCrypt. Stubby provides DoT, which encrypts the request, and if you add DNSSEC either with Stubby or in Merlin the requests will be verified. This is a very simple explanation of a complex process that works! I use Stubby on my RT-AC66U_B1 and on two RT-AC68Us running John's fork, which has built-in Stubby.
 
I use my VPN provider's DNS servers in dnscrypt-proxy; I added them myself at the bottom of the .toml file and set them manually at the beginning of the same file.
There is an example with a Google DNS server, if I remember correctly, at the bottom of that file.
https://dnscrypt.info/stamps
There you can create the sdns stamp.
The info needed (IP address, provider public key and provider name) you can get from your VPN/DNS provider's support.
Make sure the DNS servers support DNSCrypt v1/v2 or DoH.
dnscrypt-proxy will ignore/override the GUI DNS settings.
Additional information ;)
https://www.snbforums.com/threads/release-dnscrypt-installer-for-asuswrt.36071/
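Added example, not from any of the posts above and not dnscrypt-proxy's own code: a small Python implementation of the sdns:// stamp format that https://dnscrypt.info/stamps generates, so you can see what a stamp actually carries (protocol, the operator's DNSSEC / no-logs / no-filter claims, the address, and then the provider public key and name for DNSCrypt or the hostname and path for DoH, as the earlier reply about Cloudflare's DoH endpoint describes) and turn it into the `[static]` entry the post above adds to the .toml. The VPN resolvers (203.0.113.x, dns.example.net, the 0..31 byte key) are constructed placeholders; the Cloudflare constant is built from the 1.0.0.1 / dns.cloudflare.com / /dns-query parameters, not copied from the site, so compare it against the site's stamp before relying on it.

```python
"""Encode/decode dnscrypt-proxy "DNS stamps" (sdns://...) per https://dnscrypt.info/stamps and
render the matching dnscrypt-proxy.toml [static] entry. Servers marked 'constructed' are not real."""
import base64
import struct
from dataclasses import dataclass, field
from typing import List

PLAIN, DNSCRYPT, DOH, DOT = 0x00, 0x01, 0x02, 0x03   # protocol byte that opens every stamp
PROP_DNSSEC, PROP_NO_LOGS, PROP_NO_FILTER = 1, 2, 4   # operator claims in the 64-bit props field

@dataclass
class Stamp:
    proto: int
    props: int
    addr: str                      # "IP" or "IP:port"
    pk: bytes = b""                # DNSCrypt: provider public key, 32 bytes
    provider_name: str = ""        # DNSCrypt: e.g. 2.dnscrypt-cert.example.net
    hashes: List[bytes] = field(default_factory=list)  # DoH/DoT: pinned cert hashes (may be empty)
    hostname: str = ""             # DoH/DoT
    path: str = ""                 # DoH only

def _lp(b: bytes) -> bytes:
    """Length-prefixed field: one length byte, then the bytes."""
    if len(b) > 255:
        raise ValueError("stamp field longer than 255 bytes")
    return bytes([len(b)]) + b

def _vlp(items: List[bytes]) -> bytes:
    """Vector of length-prefixed fields; bit 0x80 of a length byte means 'more items follow'."""
    if not items:
        return b"\x00"
    return b"".join(bytes([len(it) | (0x80 if i < len(items) - 1 else 0)]) + it
                    for i, it in enumerate(items))

def encode(s: Stamp) -> str:
    body = bytes([s.proto]) + struct.pack("<Q", s.props) + _lp(s.addr.encode())
    if s.proto == DNSCRYPT:
        body += _lp(s.pk) + _lp(s.provider_name.encode())
    elif s.proto in (DOH, DOT):
        body += _vlp(s.hashes) + _lp(s.hostname.encode())
        if s.proto == DOH:
            body += _lp(s.path.encode())
    elif s.proto != PLAIN:
        raise ValueError(f"unsupported protocol 0x{s.proto:02x}")
    return "sdns://" + base64.urlsafe_b64encode(body).rstrip(b"=").decode()

class _Reader:
    """Bounds-checked cursor over the decoded stamp body."""
    def __init__(self, data: bytes):
        self.d, self.i = data, 0
    def take(self, n: int) -> bytes:
        if self.i + n > len(self.d):
            raise ValueError("truncated stamp")
        self.i += n
        return self.d[self.i - n:self.i]
    def lp(self) -> bytes:
        return self.take(self.take(1)[0])
    def vlp(self) -> List[bytes]:
        items = []
        while True:
            n = self.take(1)[0]
            items.append(self.take(n & 0x7F))
            if not n & 0x80:
                return [it for it in items if it]

def decode(stamp: str) -> Stamp:
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    r = _Reader(base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4)))
    proto = r.take(1)[0]
    props = struct.unpack("<Q", r.take(8))[0]
    s = Stamp(proto, props, r.lp().decode())
    if proto == DNSCRYPT:
        s.pk = r.lp()
        if len(s.pk) != 32:
            raise ValueError("DNSCrypt provider key must be 32 bytes")
        s.provider_name = r.lp().decode()
    elif proto in (DOH, DOT):
        s.hashes = r.vlp()
        s.hostname = r.lp().decode()
        if proto == DOH:
            s.path = r.lp().decode()
    elif proto != PLAIN:
        raise ValueError(f"unsupported protocol 0x{proto:02x}")
    return s   # an optional trailing bootstrap-IP list is ignored here

def static_entry(name: str, s: Stamp) -> str:
    """[static] block for dnscrypt-proxy.toml; add `name` to server_names to select it."""
    return f"[static.'{name}']\nstamp = '{encode(s)}'\n"

# Constructed: a hypothetical VPN provider's resolvers in documentation address space.
VPN_DOH = Stamp(DOH, PROP_DNSSEC | PROP_NO_LOGS, "203.0.113.53",
                hostname="dns.example.net", path="/dns-query")
VPN_DNSCRYPT = Stamp(DNSCRYPT, PROP_DNSSEC | PROP_NO_LOGS | PROP_NO_FILTER, "203.0.113.54:443",
                     pk=bytes(range(32)), provider_name="2.dnscrypt-cert.example.net")
# Built from Cloudflare's published DoH parameters: all three flags set, no pinned hashes.
CLOUDFLARE_DOH = Stamp(DOH, 7, "1.0.0.1", hostname="dns.cloudflare.com", path="/dns-query")
```

Print `static_entry("vpn-doh", VPN_DOH)` and paste the block into the .toml, then add `vpn-doh` to `server_names`; as the post says, the GUI WAN DNS fields are bypassed once dnscrypt-proxy is the upstream. Two things worth noticing when you decode a stamp you were handed: the three property bits are whatever the operator chose to advertise, not something the client verifies, and a provider key that is not exactly 32 bytes is rejected by `decode()`, which catches a mistyped key before dnscrypt-proxy fails to start.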
 
Thank you!!
 
I don't think I can use Stubby.....I am using an RT-AC86U router....I think I may have read somewhere that there is no support for it yet but I may be wrong.
 

TL;DR: use DoH at home.

I would say that if you're just a typical family guy on a home LAN, it's fine to stick with DNSCrypt and use its DoH (DNS over HTTPS). It can't be blocked by the ISP in future. Cloudflare likes DoH because it uses the same port as standard web traffic, so it's difficult for an ISP or network administrator to monitor/block/censor it without outright blocking all web traffic for the user. On the other hand, DoT is favored by ISPs or anyone managing large networks because it uses a dedicated port, which makes it easy to identify when a person is encrypting their DNS and to which server it's being sent, and to block it. Bad luck for the user, who can be forced to use the network admin's logged, censored DNS.

May as well go for DoH at home, but ultimately it doesn't matter.
 
You can also identify to which DoH server you are connecting, and these could be blocked.
 
That is also true. Net admins could simply block the IP addresses of known DNS servers. Good luck to Cloudflare solving that problem. With their growing influence I'm sure they could make it impractical and undesirable to block their IPs without the admin crippling other internet services for the user.
 
Any thoughts on how to pick the best/closest servers via the manual DNSCrypt setup (from the amtm menu)? Looking at the list of servers, I am not always able to tell whether some of them are in the US or not. Or do you think the “automatic” server setup would be better?


 
OpenDNS is a good choice if you want to keep your own DNS logs (last 14 days logs are at no cost, for more you have to pay). It is customizable, it can block adware websites or act as child protection. It also blocks malware/phishing, though it is not the best in doing that.

For malware/phishing protection, the choice is between CleanBrowsing (gold) and Quad9 (silver).

Against ads there is AdGuard. It also blocks malware/phishing, though it is not the best in doing that.

OpenDNS and Quad9 have geographically diverse servers, so they are best for optimized content delivery (CDN).
 
DNSCrypt was never approved as a standard. I recommend reading the history of securing dns queries and latest developments at https://dnsprivacy.org.

If interested in Stubby, see the post
https://www.snbforums.com/threads/stubby-installer-asuswrt-merlin.49469/
 
Thank you @Xentrk

I was under the impression that Stubby has no support for RT-AC86U unless that has recently changed.
 
You are correct. I spaced out on that. Not enough coffee! A few people also reported issues with DNSCrypt not working on the 86U.
 