DoT as fallback for dnscrypt-proxy?


sbsnb

Very Senior Member
I'm trying to figure out how to have DoT be a fallback in the event that dnscrypt-proxy stops working, but I can't seem to do it. There's something about how DoT works with dnsmasq that I don't understand.

I have DoT set like this:

[Screenshot: ASUS Wireless Router RT-AX86U, Internet Connection settings page, 2021-07-25]


And dnscrypt-proxy has a line in dnsmasq.conf.add: server=127.0.0.1#65053. DNS filter is set to global 'router.'

I was hoping configuring DoT would add a line in the dnsmasq config somewhere and I could use strict order to make it a failover system, but it doesn't appear to work that way. Enabling or disabling DoT has no effect on /etc/dnsmasq.conf or /tmp/resolv.dnsmasq. While DoT is enabled the system bypasses dnscrypt-proxy.

Is there any way to achieve what I'm trying to do?
 
OK. So it looks like what happens is stubby is configured as a DNS proxy for DoT queries listening on 127.0.1.1:53 and then /tmp/resolv.dnsmasq gets a line added server=127.0.1.1#53. So if I can figure out how to move that line from /tmp/resolv.dnsmasq to /jffs/configs/dnsmasq.conf.add I think I can make it work.

Or, better yet, how can I implement this on my own without using the GUI? I'm not sure how stubby gets started when the GUI is configured for DoT.
 
Might be rather difficult to get Dnsmasq to listen to two loopback sources at the same time. It may be possible to write a script that will switch between dnscrypt and stubby if one fails. But it may be better to dump dnscrypt and use just stubby DoT. If you want, stubby can do DNSSEC instead of Dnsmasq. You can also round robin to a bunch of upstream resolvers for failsafe.
 
I tried to follow your other thread on your dnscrypt issue. I would skip that Entware version of DNSCrypt-proxy.
Back up USB and jffs.
Format the USB and jffs and start over with the dnscrypt installer in amtm; it has been working great for years for me.
Even without USB or swap it has worked for me (on an 87U and now an AX88U).
 
I don't prefer to use DoT. I just want to use it as a backup. I want dnsmasq for local name resolution and to be able to do things like use my ISP's DNS for Netflix domains.

I don't see why having two server directives in dnsmasq.conf should be any problem for dnsmasq. Other than the loopback IP, dnsmasq doesn't know stubby and dnscrypt-proxy from any other DNS servers.

That's what's strange. The same version of the Entware dnscrypt-proxy was working for me, too. Just on the RT-AC88U. I've been using it for years. It's only on the AX86U that it's closing every couple of hours. I entertained the idea of a problem with the USB, but chronyd is running from the USB for almost a week without issue.

I'll try the AMTM version, but I suspect I may have the same issue since the binaries directly from the dnscrypt-proxy2 github do exactly the same thing.
 
Well, you have one big issue: from your picture, you deleted your WAN1 and WAN2 DNS. This may prevent the router from properly setting its time. That can create major problems for stubby and dnscrypt proxy2 and any DNS services that do DNSSEC, or any DNS function that relies on an accurate time stamp. Keep in mind your router is doing all the grunt work between you and the encrypted services; this requires accurate time stamps.
 
Your best option is to create a cronjob that checks the dnscrypt proxy status every 30 minutes or so; if it discovers dnscrypt proxy is dead, then have it run a restart command.
 
The AMTM version is running now. I did edit the manager script to ap
That's why I have a server=/us.pool.ntp.org/8.8.8.8 in my dnsmasq.conf.add :)
 
I still think a cronjob for restarting dnscrypt proxy is your best route.
It looks like that's what the AMTM version does. I'm running it now. It has to run very often, though. When dnscrypt-proxy goes down with no fallback the internet is essentially dead for everything behind the router. It's going to have to be every 5 or 10 seconds. I have services running that require second-to-second access to the internet.
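An added shell example, not from the thread, amtm or any project, that ties together the two ideas discussed above (moving the stubby server line into dnsmasq.conf.add, and a periodic watchdog): it probes dnscrypt-proxy on 127.0.0.1#65053 and, only while it stops answering, rewrites the plain server= line in /jffs/configs/dnsmasq.conf.add to stubby's 127.0.1.1#53 and restarts dnsmasq, switching back as soon as dnscrypt-proxy recovers. It assumes stubby is left listening on 127.0.1.1:53, that dig is available (Entware bind-dig), the probe name example.com, and the Asuswrt-Merlin command service restart_dnsmasq.

```shell
#!/bin/sh
# Added example, not from the thread or any project: keep dnsmasq on dnscrypt-proxy
# (127.0.0.1#65053, from the thread) and swap in stubby's DoT listener (127.0.1.1#53,
# from the thread) only while it stops answering. dig, probe name, service cmd: assumed.
PRIMARY="127.0.0.1#65053"
FALLBACK="127.0.1.1#53"
CONF="${CONF:-/jffs/configs/dnsmasq.conf.add}"
PROBE_NAME="${PROBE_NAME:-example.com}"

# probe_upstream "host#port": succeed only if that resolver answers a query.
probe_upstream() {
  _host=${1%#*}; _port=${1#*#}
  dig @"$_host" -p "$_port" +time=2 +tries=1 "$PROBE_NAME" >/dev/null 2>&1
}

# choose_upstream primary_rc fallback_rc (0 = answered): prefer dnscrypt-proxy, use
# stubby only while it is down, keep the primary if both fail so it is picked up again.
choose_upstream() {
  if [ "$1" -eq 0 ]; then echo "$PRIMARY"
  elif [ "$2" -eq 0 ]; then echo "$FALLBACK"
  else echo "$PRIMARY"
  fi
}

# current_upstream file: the plain server=ip#port line in use; server=/domain/ip lines
# such as server=/us.pool.ntp.org/8.8.8.8 are never matched or touched.
current_upstream() {
  sed -n 's/^server=\([0-9.]*#[0-9]*\)$/\1/p' "$1" | head -n 1
}
# set_upstream file "host#port": rewrite that one line in place, or append it.
set_upstream() {
  if grep -q '^server=[0-9.]*#[0-9]*$' "$1"; then
    sed -i "s|^server=[0-9.]*#[0-9]*$|server=$2|" "$1"
  else
    echo "server=$2" >> "$1"
  fi
}

# One pass: probe both, decide, restart dnsmasq only when the choice changes.
watchdog_pass() {
  if probe_upstream "$PRIMARY"; then p=0; else p=1; fi
  if probe_upstream "$FALLBACK"; then f=0; else f=1; fi
  want=$(choose_upstream "$p" "$f")
  if [ "$(current_upstream "$CONF")" != "$want" ]; then
    set_upstream "$CONF" "$want"
    service restart_dnsmasq
  fi
}
# "sh dns-failover.sh run" from cru does one pass; no argument only defines functions.
case "${1:-}" in run) watchdog_pass ;; esac
```

cru can call it once a minute; a small sleep loop around a run invocation gives the 5 to 10 second interval wanted above.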
 
How is it going with the (amtm) dnscrypt installer for you?
 
Doesn't crash/close so far (the monitoring script never has to restart it). I'm experimenting to see if I can find out where it goes wrong under Entware. So far I've moved the amtm binary to /opt/sbin where Entware installs it and it's still not crashing/closing. I'm going to move the config file there next. If it still doesn't crash I'm going to experiment with using /opt/etc/init.d scripts to start/stop the stock amtm version. Eventually with patience I will hopefully stumble upon the issue running under the Entware environment. I've ruled out binaries and config files so far.
 
