DNScrypt Dnscrypt Proxy Installer For Asuswrt-Merlin(Nov.)

[SomeWhereOverTheRainBow]

I cannot install DNSCrypt from the AMTM menu. After it displays the menu below, it goes back to the AMTM main menu. I am using RT-AC68U. Other scripts installed are: Skynet, Entware packages, conmon (fd and sw).




View attachment 40995

Use the install link then

curl -L -s -k -O https://raw.githubusercontent.com/thuantran/dnscrypt-asuswrt-installer/master/installer && sh installer

Also if you have stubby turned on amtm won't let you use the installer

 

[SomeWhereOverTheRainBow]

I cannot install DNSCrypt from the AMTM menu. After it displays the menu below, it goes back to the AMTM main menu. I am using RT-AC68U. Other scripts installed are: Skynet, Entware packages, conmon (fd and sw).




View attachment 40995

I wonder what could cause this maybe @thelonelycoder might be able to point me to the cause. I had no luck.

Edit:
Nevermind. It was a small fix on my end.

 

[dethknite]

I have been running dnscrypt-proxy installer since maybe December-ish. Mostly no issues... other than dns failing out every once in awhile and having to reboot the router. I will say that the latest update seems to perhaps cause the dns to failout more often, like after about 3 days of running... dns request timeout globally. I have Skynet running with 7 blocked country codes, and Diversion Standard. Not sure if it is the log just getting maxed, or what.

1. Redirect ALL DNS from network (y)
2. Redirect only SOME DNS from network (n)
2a. Do you want to run Dnsmasq as a local caching DNS service which includes sending the routers traffic to Dnscrypt-Proxy? (y)
3. DNS load balancing strategy (1) [p2 default]
4. Use load balancer estimator to adjust based on latency (y)
5. Select DNS servers (2) [manually]
6. Only use ODOH protocol? (n)
7. --- make selections 208, 209, n

8. Choose ODOH servers to enable? (n)
9. Add any static servers? (n)
10. Add relays for quad9-dnscrypt-ip4-nofilter-ecs-pri (anonymized relays)? (y)
11. Use wildcard relays (or select ones)? (n)
12. --- make selections 22, 23, 52, 53, 54, n

13. Add any static relays? (n)
14. Add relays for quad9-dnscrypt-ip4-nofilter-pri (anonymized relays)? (y)
15. Use wildcard relays (or select ones)? (n)
16. --- make selections 22, 23, 52, 53, 54, n
17. Add any static relays? (n)
18. Set DNS server for starting dnscrypt and services at boot (use default quad9/cloudflare)
9.9.9.9
1.1.1.1

19. Set log level (default is 2) [0-6] -- 0 is most verbose, 6 least? (2)

 

[SomeWhereOverTheRainBow]

I have been running dnscrypt-proxy installer since maybe December-ish. Mostly no issues... other than dns failing out every once in awhile and having to reboot the router. I will say that the latest update seems to perhaps cause the dns to failout more often, like after about 3 days of running... dns request timeout globally. I have Skynet running with 7 blocked country codes, and Diversion Standard. Not sure if it is the log just getting maxed, or what.

1. Redirect ALL DNS from network (y)
2. Redirect only SOME DNS from network (n)
2a. Do you want to run Dnsmasq as a local caching DNS service which includes sending the routers traffic to Dnscrypt-Proxy? (y)
3. DNS load balancing strategy (1) [p2 default]
4. Use load balancer estimator to adjust based on latency (y)
5. Select DNS servers (2) [manually]
6. Only use ODOH protocol? (n)
7. --- make selections 208, 209, n

8. Choose ODOH servers to enable? (n)
9. Add any static servers? (n)
10. Add relays for quad9-dnscrypt-ip4-nofilter-ecs-pri (anonymized relays)? (y)
11. Use wildcard relays (or select ones)? (n)
12. --- make selections 22, 23, 52, 53, 54, n

13. Add any static relays? (n)
14. Add relays for quad9-dnscrypt-ip4-nofilter-pri (anonymized relays)? (y)
15. Use wildcard relays (or select ones)? (n)
16. --- make selections 22, 23, 52, 53, 54, n
17. Add any static relays? (n)
18. Set DNS server for starting dnscrypt and services at boot (use default quad9/cloudflare)
9.9.9.9
1.1.1.1

19. Set log level (default is 2) [0-6] -- 0 is most verbose, 6 least? (2)

From what I can tell, it seems to be running fine on my end. The only thing I can do is look at your logs during the time it fails? odd that it should fail since it gets restarted any ways... maybe some logs would help understand what is going on around the time it fails. Particularly since it is a time related incident, meaning it seems to happen every 3 days. What else is occurring on your network connection around every 3 days? Do you get a new DHCP assignment from your ISP then? You also have to be careful when blocking countries with skynet, if a server is geolocated in a country skynet blocks, then you will definitely experience a failure of DNS service in that particular instance. This will extend also to any relays you are using. If they point to countries blocked by skynet, or lead to dns servers that are geolocated in a country skynet blocks, you will experience failures.


Also, what does your setup look like with diversion? are you using diversion standard, or are you using lite. What blocklist are you using? Since the router uses Diversion as a middle man to the dns configuration, maybe the issue could be caused by here. That is a factor that must be considered as well.

what router model are you running?

 

[dethknite]

No, my external IP only changes if I go dark (offline from their network for > 24 hours, so it has been the same for about a year. Business class ISP. I am okay gathering up some logs for review if you have any particular ones that you think might help. Will have to wait for it to happen again. It is weird when it does happen external dns goes out (but internal dns seems to stay fine even though I have everything going through dnscrypt in the installer). Thanks for any insight.. and thanks for all the work you put into dnscrypt-proxy installer.

 

[SomeWhereOverTheRainBow]

No, my external IP only changes if I go dark (offline from their network for > 24 hours, so it has been the same for about a year. Business class ISP. I am okay gathering up some logs for review if you have any particular ones that you think might help. Will have to wait for it to happen again. It is weird when it does happen external dns goes out (but internal dns seems to stay fine even though I have everything going through dnscrypt in the installer). Thanks for any insight.. and thanks for all the work you put into dnscrypt-proxy installer.

My first thought is you use anonymization, and you have countries blocked with skynet. It is hard to say what ramifications this might impose. I would recommend trying different servers with no anonymization for a few days. see if the symptoms change. it might simply be a bad combination of coincident finally catching up with one another at the three day mark. Yes, I don't mind taking a look at logs if you can narrow it down to an hour before, and after the incident, that would be great too. Particularly interested in syslog.

 

[dethknite]

My first thought is you use anonymization, and you have countries blocked with skynet. It is hard to say what ramifications this might impose. I would recommend trying different servers with no anonymization for a few days. see if the symptoms change. it might simply be a bad combination of coincident finally catching up with one another at the three day mark. Yes, I don't mind taking a look at logs if you can narrow it down to an hour before, and after the incident, that would be great too. Particularly interested in syslog.

Alright.. it just occurred again.. and I attempted to connect to a site (zoom) via app and then browser and capture the dnsmasq log entries..

dnsmasq.log
May 13 09:01:27 dnsmasq[15713]: query[A] zoom.us from 192.168.1.2
May 13 09:01:27 dnsmasq[15713]: dnssec retry to 127.0.1.1
May 13 09:01:29 dnsmasq[15713]: query[A] zoom.us from 192.168.1.2
May 13 09:01:29 dnsmasq[15713]: dnssec retry to 127.0.1.1
May 13 09:01:30 dnsmasq[15713]: query[A] www.google.com from 192.168.1.33
May 13 09:01:30 dnsmasq[15713]: cached www.google.com is 142.250.115.104


syslog (in that time window with ext ip replaced x.x.x.x)
46:c4:bf:cc:4c:71:d2:41:a8:52:bf:d3:80:ff:d8:36:65:7e:ed:5a from 192.168.1.2:63607
May 13 09:01:12 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=30:9c:23:2a:04:c1:f8:a7:3a:f0:18:19:08:00 SRC=192.241.202.59 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=44912 DPT=27017 SEQ=1804932432 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
May 13 09:01:25 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=30:9c:23:2a:04:c1:f8:a7:3a:f0:18:19:08:00 SRC=78.128.113.250 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54422 PROTO=TCP SPT=57380 DPT=6085 SEQ=379285569 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
May 13 09:01:58 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=30:9c:23:2a:04:c1:f8:a7:3a:f0:18:19:08:00 SRC=92.118.160.25 DST=x.x.x.x LEN=44 TOS=0x00 PREC=0x00 TTL=248 ID=8563 PROTO=TCP SPT=50955 DPT=37777 SEQ=1054015984 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 OPT (020405B4)
May 13 09:01:59 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=30:9c:23:2a:04:c1:f8:a7:3a:f0:18:19:08:00 SRC=162.142.125.253 DST=x.x.x.x LEN=44 TOS=0x00 PREC=0x00 TTL=42 ID=59166 PROTO=TCP SPT=36743 DPT=52200 SEQ=1009283121 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 OPT (020405B4)

I was able to run "service restart_dnscrypt-proxy", and then it began working after that...

 

[SomeWhereOverTheRainBow]

Alright.. it just occurred again.. and I attempted to connect to a site (zoom) via app and then browser and capture the dnsmasq log entries..

dnsmasq.log
May 13 09:01:27 dnsmasq[15713]: query[A] zoom.us from 192.168.1.2
May 13 09:01:27 dnsmasq[15713]: dnssec retry to 127.0.1.1
May 13 09:01:29 dnsmasq[15713]: query[A] zoom.us from 192.168.1.2
May 13 09:01:29 dnsmasq[15713]: dnssec retry to 127.0.1.1
May 13 09:01:30 dnsmasq[15713]: query[A] www.google.com from 192.168.1.33
May 13 09:01:30 dnsmasq[15713]: cached www.google.com is 142.250.115.104


syslog (in that time window with ext ip replaced x.x.x.x)
46:c4:bf:cc:4c:71:d2:41:a8:52:bf:d3:80:ff:d8:36:65:7e:ed:5a from 192.168.1.2:63607
May 13 09:01:12 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=30:9c:23:2a:04:c1:f8:a7:3a:f0:18:19:08:00 SRC=192.241.202.59 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=44912 DPT=27017 SEQ=1804932432 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
May 13 09:01:25 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=30:9c:23:2a:04:c1:f8:a7:3a:f0:18:19:08:00 SRC=78.128.113.250 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54422 PROTO=TCP SPT=57380 DPT=6085 SEQ=379285569 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
May 13 09:01:58 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=30:9c:23:2a:04:c1:f8:a7:3a:f0:18:19:08:00 SRC=92.118.160.25 DST=x.x.x.x LEN=44 TOS=0x00 PREC=0x00 TTL=248 ID=8563 PROTO=TCP SPT=50955 DPT=37777 SEQ=1054015984 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 OPT (020405B4)
May 13 09:01:59 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=30:9c:23:2a:04:c1:f8:a7:3a:f0:18:19:08:00 SRC=162.142.125.253 DST=x.x.x.x LEN=44 TOS=0x00 PREC=0x00 TTL=42 ID=59166 PROTO=TCP SPT=36743 DPT=52200 SEQ=1009283121 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 OPT (020405B4)

I was able to run "service restart_dnscrypt-proxy", and then it began working after that...

Yea you shouldn't have to run a service restart though because once the manager realizes there is no functioning dns (which should be almost instant.) It should be restarting itself.

One thing I am curious about is does dnssec failure at this point cause dnscrypt proxy to fail? Try disabling the guis dnssec. See if the issue goes away. It may be a problem with the queries being resolved over dnssec validation.

Also if you are country blocking ".us" that could also be causing your dns failure.

To me it looks like it is either dns failure for dnssec validation, or a skynet block. Maybe both.

During the next time this happens, you need to run the command

"pidof dnscrypt-proxy"

Inside the terminal. If it returns a number then your dnscrypt proxy is still active, thus it is either dnssec from dnsmasq failing to validate, or it is skynet blocking.( or both like your logs indicate.)

 

[SomeWhereOverTheRainBow]

Alright.. it just occurred again.. and I attempted to connect to a site (zoom) via app and then browser and capture the dnsmasq log entries..

dnsmasq.log
May 13 09:01:27 dnsmasq[15713]: query[A] zoom.us from 192.168.1.2
May 13 09:01:27 dnsmasq[15713]: dnssec retry to 127.0.1.1
May 13 09:01:29 dnsmasq[15713]: query[A] zoom.us from 192.168.1.2
May 13 09:01:29 dnsmasq[15713]: dnssec retry to 127.0.1.1
May 13 09:01:30 dnsmasq[15713]: query[A] www.google.com from 192.168.1.33
May 13 09:01:30 dnsmasq[15713]: cached www.google.com is 142.250.115.104


syslog (in that time window with ext ip replaced x.x.x.x)
46:c4:bf:cc:4c:71:d2:41:a8:52:bf:d3:80:ff:d8:36:65:7e:ed:5a from 192.168.1.2:63607
May 13 09:01:12 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=30:9c:23:2a:04:c1:f8:a7:3a:f0:18:19:08:00 SRC=192.241.202.59 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=44912 DPT=27017 SEQ=1804932432 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
May 13 09:01:25 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=30:9c:23:2a:04:c1:f8:a7:3a:f0:18:19:08:00 SRC=78.128.113.250 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54422 PROTO=TCP SPT=57380 DPT=6085 SEQ=379285569 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
May 13 09:01:58 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=30:9c:23:2a:04:c1:f8:a7:3a:f0:18:19:08:00 SRC=92.118.160.25 DST=x.x.x.x LEN=44 TOS=0x00 PREC=0x00 TTL=248 ID=8563 PROTO=TCP SPT=50955 DPT=37777 SEQ=1054015984 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 OPT (020405B4)
May 13 09:01:59 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=30:9c:23:2a:04:c1:f8:a7:3a:f0:18:19:08:00 SRC=162.142.125.253 DST=x.x.x.x LEN=44 TOS=0x00 PREC=0x00 TTL=42 ID=59166 PROTO=TCP SPT=36743 DPT=52200 SEQ=1009283121 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 OPT (020405B4)

I was able to run "service restart_dnscrypt-proxy", and then it began working after that...

Notice after it fails to resolve zoom.us, it still shows dnscrypt-proxy is working , it has no problem resolving www.google.com one second after the dnssec failure. this tells me dnscrypt proxy was running fine. Notice during the same instance zoom.us fails to load, skynet blocks traffic from an IP coming from the same client source. This means that either skynet blocked it, or the dnssec failure in the log caused the issue. Either way your internet traffic to that client is either hindered by skynet block and dnsmasq dnssec failures, and not dnscrypt proxy (at least not from what the logs suggest).

 

[dethknite]

Notice after it fails to resolve zoom.us, it still shows dnscrypt-proxy is working , it has no problem resolving www.google.com one second after the dnssec failure. this tells me dnscrypt proxy was running fine. Notice during the same instance zoom.us fails to load, skynet blocks traffic from an IP coming from the same client source. This means that either skynet blocked it, or the dnssec failure in the log caused the issue. Either way your internet traffic to that client is either hindered by skynet block and dnsmasq dnssec failures, and not dnscrypt proxy (at least not from what the logs suggest).

I will try running the command if it occurs again. It said it resolved google from the cache in the log.. not sure if that matters though.

The country code blocks are: #vn ir th id eg kp sa pk af

 

[SomeWhereOverTheRainBow]

I will try running the command if it occurs again. It said it resolved google from the cache in the log.. not sure if that matters though.

The country code blocks are: #vn ir th id eg kp sa pk af

The problem I am having right here is

May 13 09:01:27 dnsmasq[15713]: query[A] zoom.us from 192.168.1.2
May 13 09:01:27 dnsmasq[15713]: dnssec retry to 127.0.1.1
May 13 09:01:29 dnsmasq[15713]: query[A] zoom.us from 192.168.1.2
May 13 09:01:29 dnsmasq[15713]: dnssec retry to 127.0.1.1

this is clearly indicating dnssec is failing. Also, try disabling dnssec on the GUI and see if the issue just goes away. Here is an old reported bug on such instances with dnsmasq maybe it will help you understand what is actually going on here.

[Dnsmasq-discuss] DNSSEC Retry causes SEGFAULT

Dethknite, what is happening with your client 192.168.1.2 is that dnsmasq is not satisfied with the dnssec response and continues to retry. Subsequently, it will keep doing this until it no longer recieves the request for zoom.us. You may have to look at dnsmasq manpage to either mark this domain to always be insecure meaning it doesnt attempt dnssec on it, or you need to disable dnssec in general as it is creating this conflict. It is no wonder why your issue goes away once you restart dnscrypt-proxy which breaks the chain of request.

 

[dethknite]

Well, I wanted to give things time to settle before responding with updates. I disabled dnssec in the GUI, and that seemed better for the most part. Had an issue occur that could still be related, but I never got through a deep dive of the logs. I have updated the Dnscrypt Proxy Installer twice in this time, and reconfigured it all again about two weeks ago. Haven't had a single occurance since. Hard to say what was at play... but likely it was the dnssec. Thanks for all your help.

 

[SomeWhereOverTheRainBow]

Well, I wanted to give things time to settle before responding with updates. I disabled dnssec in the GUI, and that seemed better for the most part. Had an issue occur that could still be related, but I never got through a deep dive of the logs. I have updated the Dnscrypt Proxy Installer twice in this time, and reconfigured it all again about two weeks ago. Haven't had a single occurance since. Hard to say what was at play... but likely it was the dnssec. Thanks for all your help.

dnscrypt proxy already does the dnssec part from servers that support it, if you still want dnsmasq to pick up the message you can proxy-dnssec to dnsmasq.conf.add in /jffs/configs. However it is completely a cosmetic option. (or you could enable dnssec option inside the GUI, but leave check unsigned replies unchecked.)

Both options will allow dnsmasq to only observe the already varified replies from dnscrypt-proxy without having to try to double verify.

 

[dethknite]

Aww snap! That explains a lot. Thank you so much for clarifying all this. I was under the belief that to use a dnssec-enabled server in dnscrypt, I had to also enable dnssec in the gui (all or nothing kind of deal). Much easier to configure understanding this.

 

[SomeWhereOverTheRainBow]

Aww snap! That explains a lot. Thank you so much for clarifying all this. I was under the belief that to use a dnssec-enabled server in dnscrypt, I had to also enable dnssec in the gui (all or nothing kind of deal). Much easier to configure understanding this.

It is only specifically when using dnscrypt proxy. The routers stubby is different since the built in stubby dnssec is not enabled by default, it only passes unverified replies to dnsmasq.

 

[rgnldo]

Both options will allow dnsmasq to only observe the already varified replies from dnscrypt-proxy without having to try to double verify.

I prefer not to use DNSSEC and disable in DNSCrypt-proxy the option to require DNSSEC servers, there will be more availability of upstream servers
The DNSCrypt-proxy solution is very robust in terms of certificates.


I am liking Frank Denis' doh-proxy project written with Rust

https://crates.io/crates/rust-doh-proxy

 

[SomeWhereOverTheRainBow]

I prefer not to use DNSSEC and disable in DNSCrypt-proxy the option to require DNSSEC servers, there will be more availability of upstream servers
The DNSCrypt-proxy solution is very robust in terms of certificates.


I am liking Frank Denis' doh-proxy project written with Rust

https://crates.io/crates/rust-doh-proxy

I agree if you don't need the extra dnssec latency. It is just one more layer of latency to worry about. I also like the rust-doh-proxy. I am already running it from two rpi with nginx serving as front end.

 

[rgnldo]

I also like the rust-doh-proxy. I am already running it from two rpi with nginx serving as front end.

Nice! You do a good job with DNSCrypt-proxy for AMTM and Asus routers. I noticed that the ephemeral key and TTL´s options are fine-tuned for Odoh relays.

I agree if you don't need the extra dnssec latency.

I don't really understand DNSSEC being necessary in applications such as Stubby and DNSCrypt-proxy.

 

[SomeWhereOverTheRainBow]

Nice! You do a good job with DNSCrypt-proxy for AMTM and Asus routers. I noticed that the ephemeral key and TTL´s options are fine-tuned for Odoh relays.

I don't really understand DNSSEC being necessary in applications such as Stubby and DNSCrypt-proxy.

The only time I see it necessary is if we are talking about the traffic reaching a point of unencrytion (i.e. not within someone's local network.) and there is a point where we want to establish some sort of chain of trust. But in all honesty for a home network, this is just unecessary latency.

 

[Zastoff]

DNSCrypt-proxy version 2.1.2 is now available
Tested it and recommend to wait to update until installer is updated for this new version, IMPORTANT---> Suggest to use the dnscrypt installer backup function or from router gui backup JFFS before/if updating anyway.
Changelog:

Spoiler: New in 2.1.2

• Support for DoH over HTTP/3 (DoH3, HTTP over QUIC) has been added. Compatible servers will automatically use it. Note that QUIC uses UDP (usually over port 443, like DNSCrypt) instead of TCP.
• In previous versions, memory usage kept growing due to channels not being properly closed, causing goroutines to pile up. This was fixed,
  resulting in an important reduction of memory usage. Thanks to @lifenjoiner for investigating and fixing this!
• DNS64: CNAME records are now translated like other responses. Thanks to @ignoramous for this!
• A relay whose name has been configured, but doesn't exist in the list of available relays is now a hard error. Thanks to @lifenjoiner!
• Mutexes/locking: bug fixes and improvements, by @ignoramous - Official packages now include linux/riscv64 builds.
• dnscrypt-proxy -resolve now reports if ECS (EDNS-clientsubnet) is supported by the server.
• dnscrypt-proxy -list now includes ODoH (Oblivious DoH) servers.
• Local DoH: queries made using the GET method are now handled.
• The service can now be installed on OpenRC-based systems.
• PTR queries are now supported for cloaked domains. Contributed by Ian Bashford, thanks!

Edit:
Installed and testing with settings from 2.1.1

Spoiler: from syslog

Aug 2 08:02:36 RT-AX88U dnscrypt-proxy[1727260]: dnscrypt-proxy 2.1.2
Aug 2 08:02:36 RT-AX88U dnscrypt-proxy[1727260]: Network connectivity detected
Aug 2 08:02:36 RT-AX88U dnscrypt-proxy[1727260]: Dropping privileges
Aug 2 08:02:36 RT-AX88U dnscrypt-proxy[1727260]: Network connectivity detected
Aug 2 08:02:36 RT-AX88U dnscrypt-proxy[1727260]: Now listening to 127.0.1.1:53 [UDP]
Aug 2 08:02:36 RT-AX88U dnscrypt-proxy[1727260]: Now listening to 127.0.1.1:53 [TCP]
Aug 2 08:02:36 RT-AX88U dnscrypt-proxy[1727260]: Source [public-resolvers] loaded
Aug 2 08:02:36 RT-AX88U dnscrypt-proxy[1727260]: Source [relays] loaded
Aug 2 08:02:36 RT-AX88U dnscrypt-proxy[1727260]: Source [odoh-servers] loaded
Aug 2 08:02:36 RT-AX88U dnscrypt-proxy[1727260]: Source [odoh-relays] loaded
...
Aug 2 08:02:47 RT-AX88U dnscrypt-proxy[1727260]: Sorted latencies:
Aug 2 08:02:47 RT-AX88U dnscrypt-proxy[1727260]: - 17ms odoh-koki-se
Aug 2 08:02:47 RT-AX88U dnscrypt-proxy[1727260]: - 17ms odoh-cloudflare
Aug 2 08:02:47 RT-AX88U dnscrypt-proxy[1727260]: - 22ms meganerd
Aug 2 08:02:47 RT-AX88U dnscrypt-proxy[1727260]: - 23ms quad9-dnscrypt-ip4-filter-ecs-pri
Aug 2 08:02:47 RT-AX88U dnscrypt-proxy[1727260]: - 26ms sth-dnscrypt-se
Aug 2 08:02:47 RT-AX88U dnscrypt-proxy[1727260]: - 27ms cs-swe
Aug 2 08:02:47 RT-AX88U dnscrypt-proxy[1727260]: - 27ms quad9-dnscrypt-ip4-filter-pri
Aug 2 08:02:47 RT-AX88U dnscrypt-proxy[1727260]: - 45ms odoh-koki-noads-se
Aug 2 08:02:47 RT-AX88U dnscrypt-proxy[1727260]: Server with the lowest initial latency: odoh-koki-se (rtt: 17ms)
Aug 2 08:02:47 RT-AX88U dnscrypt-proxy[1727260]: dnscrypt-proxy is ready - live servers: 8

Edit1:
We seem to get a toml error when configuring or doing new install from the default settings file(trying to locate what err we get so it hopefully can be solved with the installer),
IMPORTANT to do a backup before trying this version!

Edit2:
Found the issue with some testing and it is in dnscrypt-proxy.toml Servers and sources section.
I manually edited the dnscrypt-proxy.toml.err
so this section now looks like this:

Spoiler: Server section in dnscrypt-proxy.toml

[sources]

### An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers

[sources.public-resolvers]
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
cache_file = 'public-resolvers.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 72
prefix = ''

### Anonymized DNS relays

[sources.relays]
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md']
cache_file = 'relays.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 72
prefix = ''

### ODoH (Oblivious DoH) servers and relays

[sources.odoh-servers]
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-servers.md']
cache_file = 'odoh-servers.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 24
prefix = ''
[sources.odoh-relays]
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-relays.md']
cache_file = 'odoh-relays.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 24
prefix = ''

### Quad9

# [sources.quad9-resolvers]
# urls = ['https://www.quad9.net/quad9-resolvers.md']
# minisign_key = 'RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN'
# cache_file = 'quad9-resolvers.md'
# prefix = 'quad9-'

### Another example source, with resolvers censoring some websites not appropriate for children
### This is a subset of the `public-resolvers` list, so enabling both is useless.

# [sources.parental-control]
# urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/parental-control.md']
# cache_file = 'parental-control.md'
# minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'

Note had to remove some -->#<-- in ODoH sources and add one -->#<-- in quad9 sources and save the file.
Then:

izzt@RT-AX88U:/tmp/home/root# cd ..
izzt@RT-AX88U:/tmp/home# cd ..
izzt@RT-AX88U:/tmp# cd ..
izzt@RT-AX88U:/# cd jffs
izzt@RT-AX88U:/jffs# cd dnscrypt
izzt@RT-AX88U:/jffs/dnscrypt# mv dnscrypt-proxy.toml.err dnscrypt-proxy.toml
izzt@RT-AX88U:/jffs/dnscrypt# service restart_dnscrypt-proxy

Also tested some different DoH server to see if they support the new http/3 (quic)
Again edited the dnscrypt-proxy.toml

Spoiler: http/3 setting in toml

## Enable support for HTTP/3 (DoH3, HTTP over QUIC)
## Note that, like DNSCrypt but unlike other HTTP versions, this uses
## UDP and (usually) port 443 instead of TCP.

http3 = true

and another:

service restart_dnscrypt-proxy

Spoiler: DoH servers

[adguard-dns-doh] TLS version: 304 - Protocol: h2 - Cipher suite: 4865
[quad9-doh-ip4-port443-filter-pri] TLS version: 304 - Protocol: h2 - Cipher suite: 4866
[google] TLS version: 304 - Protocol: h3 - Cipher suite: 4865
[cloudflare] TLS version: 304 - Protocol: h2 - Cipher suite: 4865

From those servers it looks like only Google support http/3 atm