DNSCrypt-Proxy version 2 and STUBBY add-ons for R7800/R9000

Voxel

Part of the Furniture
!!! WARNING: Thread is obsolete, DNSCrypt-Proxy 2 and Stubby are included in my latest firmware !!!

DNSCrypt-Proxy 2


About:

This is DNSCrypt-proxy version 2 add-on for Netgear R7800 X4S running Voxel firmware.
More detailed info re: DNSCrypt:
https://dnscrypt.info/

Installation:
1. Enable telnet:
http://routerlogin.net/debug.htm

2. Login to the router using telnet:
Code:
telnet routerlogin.net

3. Download the two installation packages:
Code:
wget --no-check-certificate https://www.voxel-firmware.com/Downloads/Voxel/R7800-Voxel-firmware/DNSCrypt-Proxy-2/ca-certificates_20180409_all.ipk
wget --no-check-certificate https://www.voxel-firmware.com/Downloads/Voxel/R7800-Voxel-firmware/DNSCrypt-Proxy-2/dnscrypt-proxy-2_2.0.16-1_ipq806x.ipk

4. Install both of them:
Code:
/bin/opkg install ca-certificates_20180409_all.ipk
/bin/opkg install dnscrypt-proxy-2_2.0.16-1_ipq806x.ipk

5. Enable dnscrypt-proxy-2 init script (to start it automatically after reboot):
Code:
/etc/init.d/dnscrypt-proxy-2 enable

6. Reboot your router:
Code:
reboot

or start the daemon manually:
Code:
/etc/init.d/dnscrypt-proxy-2 start

Log file is /var/log/dnscrypt-proxy-2.log. Check it if something is wrong.

Configuration (optional):
You may customize your config file of DNSCrypt-proxy-2 (/etc/dnscrypt-proxy-2.toml). It contains very detailed comments inside re: what to do. Probably most interesting is to choose concrete public servers from this list:

https://dnscrypt.info/public-servers

i.e. line in the file:
Code:
# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']

Uninstall:
Code:
/etc/init.d/dnscrypt-proxy-2 stop
/etc/init.d/dnscrypt-proxy-2 disable
/bin/opkg remove dnscrypt-proxy-2

NOTE: it is recommended to disable dnscrypt-proxy version 1 if it is already used. I.e. to remove /etc/dnscrypt.conf file if it exists.

STUBBY

About

Stubby is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver increasing end user privacy.

Installation:

R7800
https://www.voxel-firmware.com/Downloads/Voxel/R7800-Voxel-firmware/Stubby/readme.txt

R9000
https://www.voxel-firmware.com/Downloads/Voxel/R9000-Voxel-firmware/Stubby/readme.txt

Voxel.
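
Added example, not part of the original post or of the Voxel firmware: the install steps above fetch both packages with `wget --no-check-certificate`, so the TLS connection does not authenticate the server, and one way to compensate is to compare each file against a SHA-256 digest obtained out of band before running opkg. The function names, the manifest file and the `OPKG` override are hypothetical; it assumes a `sha256sum` applet is available on the router.

```sh
#!/bin/sh
# Added example: verify packages fetched with --no-check-certificate
# before handing them to opkg.
# Assumption: the expected digests come from a trusted channel, e.g. the same
# files downloaded on a PC with certificate checking enabled.

# sha256_of FILE -> prints the hex SHA-256 digest of FILE
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_manifest MANIFEST DIR
# MANIFEST lines: "<sha256>  <filename>" (the layout sha256sum prints).
# Returns 0 only if every listed file exists in DIR and matches its digest.
verify_manifest() {
    manifest=$1 dir=$2 rc=0
    while read -r want name; do
        case "$want" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2; rc=1; continue
        fi
        got=$(sha256_of "$dir/$name")
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (got $got)" >&2; rc=1
        fi
    done < "$manifest"
    return $rc
}

# install_verified MANIFEST DIR
# Installs the listed packages in manifest order, but only if all of them
# verify. OPKG may be overridden for a dry run (hypothetical knob); the
# default is the opkg path used in the post.
install_verified() {
    verify_manifest "$1" "$2" || { echo "refusing to install" >&2; return 1; }
    while read -r want name; do
        case "$want" in ''|'#'*) continue ;; esac
        "${OPKG:-/bin/opkg}" install "$2/$name" || return 1
    done < "$1"
}
```

List `ca-certificates` before `dnscrypt-proxy-2` in the manifest so the install order matches step 4.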
 
OMG thanks for this, been wanting forever! Hopefully you can update to 2.0.16 soon as .14 had some issues :)

So got an odd issue I got following your guide.

It works for a few minutes and stop after that.
It's using the correct DNS provider and dns leak test shows that however few minutes later it stops serving DNS to clients flat out and i have to restart the service to work again which repeats and only last a few min.

Thoughts?
 
It works for a few minutes and stop after that.
It's using the correct DNS provider and dns leak test shows that however few minutes later it stops serving DNS to clients flat out and i have to restart the service to work again which repeats and only last a few min.

Thoughts?
Hard to say. Maybe just a bug in this version 2.0.14. It works for me second day, no issues. OK, maybe it has a sense to try 2.0.16. But not right now.

dnscrypt-proxy 2 is written using "Go" language vs first version using "C". I am not expert in "Go". And to say true I like version 1 :). "Go" produces huge binary and eats resources.

Voxel.
 
So few more findings.

For starts I decided to factory reset router since I'd been through a few upgrades on your firmware anyway and like to start clean.
Doing so I learned that doesn't undo stuff like this. For example the config had remained intact, the add-on etc. same for the debug one... Beyond uninstalling them how would one do a true clean factory reset to revert to ONLY what the firmware has? would just be a re-flash?

On the DNSCrypt part it seems to be related to cloudflare-ipv6 or ipv6 itself.
I enabled it in the config file, my provider has native ipv6 and it works using only that on the old dnscrypt with opendns (that one doesn't support cloudflare)

On this one it starts off working and within 30-60 seconds stops. restarting the service repeats this cycle.
I disabled ipv6 in config and left the normal cloudflare and it seems to be working.

Do you have a way to test v6 with? Not sure if it's a dnscrypt bug or some integration issue when using v6.

I also found if I put cloudflare and cisco as the two it seems to bounce between when doing dnsleak test. Which is odd because I thought only the best one was grabbed. This is prob more dnscrypt related though. It even has the require no logging flag on yet let cisco work despite they are flagged as logging lol.

Anyway I'm more interested in the v6 part though if we can figure that sucker out

Thanks again for all your efforts!

FWIW I'd say rip V1 out of your next release fw (if you plan to keep separate) also or replace with v2 since v1 is EOL/no longer maintained and doesn't work with any of the newer providers/methods.
 
Beyond uninstalling them how would one do a true clean factory reset to revert to ONLY what the firmware has? would just be a re-flash?
Flashing the same version will not erase your data. So there should be some manual actions such as format overlay partition: "mtd erase overlay_volume" from telnet login. And hard reset.

ipv6. Well, unfortunately I do not have the possibility to test it. OK, let's check later with latest version (.16?).

FWIW I'd say rip V1 out of your next release fw (if you plan to keep separate) also or replace with v2 since v1 is EOL/no longer maintained and doesn't work with any of the newer providers/methods.
V2 has significant disadvantage: it requires to use "Go" compiler and

(a) It is additional headache to put it into toolchain (compilation tools).
(b) Resulting binary is very huge (file size). 6.7MB vs 140KB (v2 vs v1). It is too big to include it into FW when most of people just do not use dnscrypt at all. I have to drop some other package including it into FW. So I plan to keep it as an add-on. (Until v3 will be released :)).

BTW as you can see OpenWRT/LEDE are using v1 still.

Voxel.
 
Thanks for the newer ver.
Seems to not fix it sadly :(

It is definitely an IPv6 issue, I tried all the providers and fail yet all v4 work.
The only thing in the log is it fails to communicate with them/time out.

So I did some more testing.

While telnet on router I can NOT ping ipv6 address, however clients can access IPv6 addresses.
I can ping IPv4 on router though. So something is blocking v6 on the router itself I suspect is the issue?
 
Apologies in advance for my novice questions... Completely understand the concept of DNScrypt and vaguely when I looked at enabling this cloudflare (1.1.1.1, 1.0.0.1) didn't support it.

Does this version support it?
Is it easy to enable if it does?
Lastly any downsides (latency overhead e.g.)
 
Apologies in advance for my novice questions...
No problem gobble. We all were novices starting with this. And IMO I am still a novice with v.2 ;-)

cloudflare:
Does this version support it?
Is it easy to enable if it does?
Lastly any downsides (latency overhead e.g.)

It is easy. You should just edit a bit /etc/dnscrypt-proxy-2.toml file. Find the string:

Code:
# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']

and add your cloudflare here, i.e. change to:

Code:
server_names = ['cloudflare']

NOTE: "#" symbol is removed.

After this just reboot your router.

Voxel.
 
No problem gobble. We all were novices starting with this. And IMO I am still a novice with v.2 ;-)

cloudflare:


It is easy. You should just edit a bit /etc/dnscrypt-proxy-2.toml file. Find the string:

Code:
# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']

and add your cloudflare here, i.e. change to:

Code:
server_names = ['cloudflare']

NOTE: "#" symbol is removed.

After this just reboot your router.

Voxel.

Do I need to be on version 2 to enable it for cloudflare?
 
What’s the difference between the dnscrypt that u post and dnscrypt 2.0.14-1 in ur entware repository?
This version is prepared especially as an add-on for my firmware and it does not require Entware installation (standalone). E.g. could be installed even w/o USB disk. Entware version need in some re-configuration in conjunction with say dnsmasq. And Entware version works only if minimal Entware is installed.

Voxel.
 
Hello,

I saw that this package is also in the R9000 folder on your firmware page. Can we use DNScrypt2 also on r9000 using the same procedure as above, but with the package in the R9000 folder?

It seems to miss the certificates though....
 
Hello,

I saw that this package is also in the R9000 folder on your firmware page. Can we use DNScrypt2 also on r9000 using the same procedure as above, but with the package in the R9000 folder?

It seems to miss the certificates though....
You can use it, sure. Certificates are already included into firmware. Similar installation.

Voxel.
 
@Voxel If you still doubt the implementation of DNSCrypt v2, why do not you use Unbound/Stubby DoT o_O on the router? and you can configure it through the GUI. like this firmware:
[Attached image: dot-final.png]
 
sorry is that both have the same name.

Voxel meaning of the term:

https://en.wikipedia.org/wiki/Voxel

(X)Vortex meaning of the term:

https://en.wikipedia.org/wiki/Mister_X_(Vortex)

or

https://en.wikipedia.org/wiki/Vortex

I do not see any similarity. These three identical characters V O and X? I do use my nick since 1992 as a remembrance of my first login to Unix SGI workstation using this name. And as a remembrance of my sensei and friend who is passed away. Well, no details.

You know, I do make the custom firmware builds for NETGEAR routers. Using GPL source codes published by NETGEAR according to GPL license requirement. It is absolutely legal stuff to use these codes for own version of firmware with own changes if the last (changes of source codes) are published. My changes are there:

https://github.com/SVoxel

Other thing if somebody uses the job done by third party and modifies theirs pre-built binaries (hacking) instead of changes in codes violating many proprietary licenses and laws. So for me such a mess in naming sounds offending.

Now, your question. I have no doubts in DNSCrypt 2 advantages. It is good, I do use it myself. Preferring vs other alternatives and as a test. I have doubts only in the way of concrete implementation used by author (respect to him of course). For me C/C++ is preferable way. But not Go for embedded devices.

Voxel.
 