DoT as fallback for dnscrypt-proxy?

sbsnb

Very Senior Member
I'm trying to figure out how to have DoT be a fallback in the event that dnscrypt-proxy stops working, but I can't seem to do it. There's something about how DoT works with dnsmasq that I don't understand.

I have DoT set like this:

[Screenshot: ASUS Wireless Router RT-AX86U, Internet Connection page showing the DoT settings, 2021-07-25]


And dnscrypt-proxy has a line in dnsmasq.conf.add server=127.0.0.1#65053. DNS filter is set to global 'router.'

I was hoping configuring DoT would add a line to the dnsmasq config somewhere and I could use strict-order to make it a failover system, but it doesn't appear to work that way. Enabling or disabling DoT has no effect on /etc/dnsmasq.conf or /tmp/resolv.dnsmasq. While DoT is enabled the system bypasses dnscrypt-proxy.

Is there any way to achieve what I'm trying to do?
 

sbsnb

Very Senior Member
OK. So it looks like what happens is stubby is configured as a DNS proxy for DoT queries listening on 127.0.1.1:53 and then /tmp/resolv.dnsmasq gets a line added server=127.0.1.1#53. So if I can figure out how to move that line from /tmp/resolv.dnsmasq to /jffs/configs/dnsmasq.conf.add I think I can make it work.

Or, better yet, how can I implement this on my own without using the GUI? I'm not sure how stubby gets started when the GUI is configured for DoT.
 

bbunge

Part of the Furniture
Might be rather difficult to get Dnsmasq to listen to two loopback sources at the same time. It may be possible to write a script that will switch between dnscrypt and stubby if one fails. But it may be better to dump dnscrypt and use just stubby DoT. If you want stubby can do DNSSEC instead of Dnsmasq. You can also round robin to a bunch of upstream resolvers for failsafe.
 

Zastoff

Very Senior Member
I'm trying to figure out how to have DoT be a fallback in the event that dnscrypt-proxy stops working, but I can't seem to do it. There's something about how DoT works with dnsmasq that I don't understand.

I have DoT set like this:

[Attachment 35228: screenshot of the DoT settings]

And dnscrypt-proxy has a line in dnsmasq.conf.add server=127.0.0.1#65053. DNS filter is set to global 'router.'

I was hoping configuring DoT would add a line to the dnsmasq config somewhere and I could use strict-order to make it a failover system, but it doesn't appear to work that way. Enabling or disabling DoT has no effect on /etc/dnsmasq.conf or /tmp/resolv.dnsmasq. While DoT is enabled the system bypasses dnscrypt-proxy.

Is there any way to achieve what I'm trying to do?
I tried to follow your other thread on your dnscrypt issue. I would skip that Entware version of DNSCrypt-proxy.
Back up USB and jffs.
Format the USB and jffs and start over with the dnscrypt installer in amtm; it has been working great for years for me.
Even without USB or swap it has worked for me (on an 87u and now an ax88u).
 

sbsnb

Very Senior Member
Might be rather difficult to get Dnsmasq to listen to two loopback sources at the same time. It may be possible to write a script that will switch between dnscrypt and stubby if one fails. But it may be better to dump dnscrypt and use just stubby DoT. If you want stubby can do DNSSEC instead of Dnsmasq. You can also round robin to a bunch of upstream resolvers for failsafe.
I don't prefer to use DoT. I just want to use it as a backup. I want dnsmasq for local name resolution and to be able to do things like use my ISP's DNS for Netflix domains.

I don't see why having two server directives in dnsmasq.conf should be any problem for dnsmasq. Other than the loopback IP dnsmasq doesn't know stubby and dnscrypt-proxy from any other DNS servers.

I tried to follow your other thread on your dnscrypt issue. I would skip that Entware version of DNSCrypt-proxy.
Back up USB and jffs.
Format the USB and jffs and start over with the dnscrypt installer in amtm; it has been working great for years for me.
Even without USB or swap it has worked for me (on an 87u and now an ax88u).
That's what's strange. The same version of the Entware dnscrypt-proxy was working for me, too. Just on the RT-AC88U. I've been using it for years. It's only on the AX86U that it's closing every couple of hours. I entertained the idea of a problem with the USB, but chronyd is running from the USB for almost a week without issue.

I'll try the AMTM version, but I suspect I may have the same issue since the binaries directly from the dnscrypt-proxy2 github do exactly the same thing.
 

SomeWhereOverTheRainBow

Part of the Furniture
I don't prefer to use DoT. I just want to use it as a backup. I want dnsmasq for local name resolution and to be able to do things like use my ISP's DNS for Netflix domains.

I don't see why having two server directives in dnsmasq.conf should be any problem for dnsmasq. Other than the loopback IP dnsmasq doesn't know stubby and dnscrypt-proxy from any other DNS servers.


That's what's strange. The same version of the Entware dnscrypt-proxy was working for me, too. Just on the RT-AC88U. I've been using it for years. It's only on the AX86U that it's closing every couple of hours. I entertained the idea of a problem with the USB, but chronyd is running from the USB for almost a week without issue.

I'll try the AMTM version, but I suspect I may have the same issue since the binaries directly from the dnscrypt-proxy2 github do exactly the same thing.
Well, you have one big issue: from your picture, you deleted your WAN1 and WAN2 DNS. This may prevent the router from properly setting its time. That can create major problems for stubby and dnscrypt-proxy2 and any DNS service that does DNSSEC, or any DNS function that relies on an accurate timestamp. Keep in mind your router is doing all the grunt work between you and the encrypted services; this requires accurate timestamps.
 

SomeWhereOverTheRainBow

Part of the Furniture
Your best option is to create a cron job that checks dnscrypt-proxy's status every 30 minutes or so; if it discovers dnscrypt-proxy is dead, then have it run a restart command.
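Putting the two ideas in this thread together, the strict-order fallback ordering sbsnb was after (dnscrypt-proxy on 127.0.0.1#65053 first, the stubby DoT listener on 127.0.1.1#53 second) and the restart cron job suggested in this post, as an added example that is not code from the thread, from amtm or from the Entware package. The listener addresses are the ones given in the thread; the Entware init-script path in RESTART_CMD, the probe name and the use of dig for the liveness probe are assumptions and are marked as such in the script.

```shell
#!/bin/sh
# dnscrypt-watchdog.sh: make stubby (DoT) a fallback for dnscrypt-proxy on an
# Asuswrt-Merlin router, and restart dnscrypt-proxy when it stops answering.
# Added example, not code from the thread. The listener addresses come from
# the thread; RESTART_CMD, PROBE_NAME and the use of dig are assumptions.

DNSCRYPT="${DNSCRYPT:-127.0.0.1#65053}"   # dnscrypt-proxy listener (from the thread)
STUBBY="${STUBBY:-127.0.1.1#53}"          # stubby DoT listener (from the thread)
PROBE_NAME="${PROBE_NAME:-example.com}"   # assumed: any name the upstream resolves
# Assumed Entware init script name; check /opt/etc/init.d on your router.
RESTART_CMD="${RESTART_CMD:-/opt/etc/init.d/S09dnscrypt-proxy2 restart}"
PROBE_CMD="${PROBE_CMD:-default_probe}"   # hook so a test can stub the probe
RESTART_GRACE="${RESTART_GRACE:-2}"       # seconds to wait after a restart

log() {
    if command -v logger >/dev/null 2>&1; then
        logger -t dnscrypt-watchdog "$*"
    else
        echo "dnscrypt-watchdog: $*" >&2
    fi
}

# Lines to append to /jffs/configs/dnsmasq.conf.add. With strict-order dnsmasq
# tries upstreams in the order they are listed; a query moves on to the next
# one only when the earlier one gives no answer. The marker comments make the
# install idempotent.
failover_fragment() {
    cat <<EOF
# dnscrypt-fallback begin
strict-order
server=$DNSCRYPT
server=$STUBBY
# Uncomment to ignore /tmp/resolv.dnsmasq, which the firmware also fills
# with the stubby entry while DoT is enabled, so only these lines set the order.
#no-resolv
# dnscrypt-fallback end
EOF
}

# install_fragment [FILE]: append the fragment once; restart dnsmasq afterwards
# ("service restart_dnsmasq" on Merlin).
install_fragment() {
    target="${1:-/jffs/configs/dnsmasq.conf.add}"
    if [ -f "$target" ] && grep -q '^# dnscrypt-fallback begin' "$target"; then
        return 0
    fi
    failover_fragment >>"$target"
}

# default_probe HOST PORT: true when the resolver returns NOERROR for PROBE_NAME.
# Assumes dig (Entware bind-dig); swap in drill or busybox nslookup if preferred.
default_probe() {
    dig +time=2 +tries=1 -p "$2" "@$1" "$PROBE_NAME" 2>/dev/null |
        grep -q 'status: NOERROR'
}

# dnscrypt_watchdog: 0 = dnscrypt-proxy healthy, 1 = it was dead and came back
# after a restart, 2 = still dead but stubby answers (fallback in use),
# 3 = neither answers (DNS is down for the LAN).
dnscrypt_watchdog() {
    if $PROBE_CMD "${DNSCRYPT%#*}" "${DNSCRYPT#*#}"; then
        return 0
    fi
    log "dnscrypt-proxy at $DNSCRYPT not answering; restarting"
    $RESTART_CMD >/dev/null 2>&1 || log "restart command failed: $RESTART_CMD"
    sleep "$RESTART_GRACE"
    if $PROBE_CMD "${DNSCRYPT%#*}" "${DNSCRYPT#*#}"; then
        log "dnscrypt-proxy recovered"
        return 1
    fi
    if $PROBE_CMD "${STUBBY%#*}" "${STUBBY#*#}"; then
        log "dnscrypt-proxy still down; stubby fallback is answering"
        return 2
    fi
    log "dnscrypt-proxy and stubby both down"
    return 3
}

# Entry point: "install" appends the dnsmasq fragment, "check" runs one probe.
case "${1:-}" in
    install) install_fragment && service restart_dnsmasq ;;
    check)   dnscrypt_watchdog ;;
esac
```

Run `sh dnscrypt-watchdog.sh install` once (DoT must stay enabled in the GUI so that stubby is actually running on 127.0.1.1), then schedule the probe with Merlin's cron helper, for example `cru a dnscrypt_wd "* * * * * /jffs/scripts/dnscrypt-watchdog.sh check"`. Cron's floor is one minute; for a check every few seconds, run `dnscrypt_watchdog` in a `while :; do ...; sleep 10; done` loop started from a services-start script instead. The two halves complement each other: strict-order keeps the LAN resolving while dnscrypt-proxy is down, but a query that hits the dead primary only moves on to stubby on retry, so the watchdog still matters for latency.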
 

sbsnb

Very Senior Member
The AMTM version is running now. I did edit the manager script to ap
Well, you have one big issue: from your picture, you deleted your WAN1 and WAN2 DNS. This may prevent the router from properly setting its time. That can create major problems for stubby and dnscrypt-proxy2 and any DNS service that does DNSSEC, or any DNS function that relies on an accurate timestamp. Keep in mind your router is doing all the grunt work between you and the encrypted services; this requires accurate timestamps.
That's why I have a server=/us.pool.ntp.org/8.8.8.8 in my dnsmasq.conf.add :)
 

sbsnb

Very Senior Member
I still think a cron job for restarting dnscrypt-proxy is your best route.
It looks like that's what the AMTM version does. I'm running it now. It has to run very often, though. When dnscrypt-proxy goes down with no fallback the internet is essentially dead for everything behind the router. It's going to have to be every 5 or 10 seconds. I have services running that require second-to-second access to the internet.
 

Zastoff

Very Senior Member
It looks like that's what the AMTM version does. I'm running it now. It has to run very often, though. When dnscrypt-proxy goes down with no fallback the internet is essentially dead for everything behind the router. It's going to have to be every 5 or 10 seconds. I have services running that require second-to-second access to the internet.
How is it going with the (amtm) dnscrypt installer for you?
 

sbsnb

Very Senior Member
Doesn't crash/close so far (the monitoring script never has to restart it). I'm experimenting to see if I can find out where it goes wrong under Entware. So far I've moved the amtm binary to /opt/sbin where Entware installs it and it's still not crashing/closing. I'm going to move the config file there next. If it still doesn't crash I'm going to experiment with using /opt/etc/init.d scripts to start/stop the stock amtm version. Eventually with patience I will hopefully stumble upon the issue running under the Entware environment. I've ruled out binaries and config files so far.
 
