DNScrypt dnscrypt installer for asuswrt

@bigeyes0x0 , @Adamm , @thelonelycoder

Hey guys, just want to confirm there's no issue installing this script on an RT-AC68u with Skynet and AB-Solution currently running 380.68?

Nope, no issues whatsoever. Just remember: as long as you keep DNS Filtering off, all of the above will run smooth like butter! :) ( :oops: said the guy who turned DNS Filtering on starting with 380.68 and spent the last 3 days to figure out why AB-Solution was bypassed and therefore unable to do its magic :D) Just use the DNS-settings on the WAN page.

The only question that remains unanswered to me (or I missed it, which could very well be possible too, sorry in that case):

If using @bigeyes0x0's installer for DNSCrypt, it will ask you to choose 1 or 2 DNS servers and whether you want to route all your traffic through dnscrypt. If answering that last question with yes, do the DNS-servers on the WAN pages even matter, or will they simply be ignored and will the DNS-server(s) specified in the dnscrypt setup be the only one(s) used for resolving DNS-queries?
 
Why DNS-leaks?
Can anyone here tell me or help me understand why I see in DNS-leak tests the IPs of my ISP? I assumed that everything is redirected via dnscrypt to port 443. In the installation process of the dnscrypt installer I gave securedns.eu (Netherlands).
AB-Solution, Skynet and dnscrypt (from this thread) are installed on my AC87U.
 
@eclp Did you also enter Yes when the installer script asked you whether all queries should be routed through dnscrypt? Although I have an RT-AC68U, I basically have the same software installed and I have no leaks whatsoever.
 
Did you say "No" to "Connect to DNS Server automatically" under WAN DNS settings? And there are no manual setting in DNS Server1 and DNS Server2 (empty fields)?

Also check your config manually via Telnet:
Code:
chief@RT-AC87U:/tmp/home/root# cat /jffs/configs/dnsmasq.conf.add
### Dnscrypt
no-resolv
# DNScrypt server 1
server=127.0.0.1#65053
# DNScrypt server 2
server=127.0.0.1#65054
# DNScrypt server 3
server=127.0.0.1#65055
You might have only one server listed - and verify if the settings have been activated during restart via: cat /etc/dnsmasq.conf

Check if the resolver config files are empty: cat /tmp/resolv.conf and cat /tmp/resolv.dnsmasq

With these settings and verification you should be safe from DNS leaks! To be checked via ipleak.net!
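
The checklist in the post above can be scripted. This is an added example, not part of the original post or of the installer: `audit_dnsmasq` and `make_samples` are hypothetical names, and the sample configs are constructed, not real router output.

```shell
#!/bin/sh
# Added example (not from the thread): audit a generated dnsmasq.conf for DNS leak paths.
# Returns 0 when every upstream is a loopback dnscrypt-proxy listener, 1 otherwise.
audit_dnsmasq() {
    conf=$1; rc=0
    # Without no-resolv, dnsmasq also takes upstreams from the resolv-file (ISP servers).
    grep -qx 'no-resolv' "$conf" || { echo "LEAK: no-resolv missing"; rc=1; }
    # Every server= entry must point at loopback (127.x or ::1), where dnscrypt-proxy listens.
    upstreams=$(sed -n 's/^server=//p' "$conf")
    [ -n "$upstreams" ] || { echo "LEAK: no server= upstream configured"; rc=1; }
    for s in $upstreams; do
        addr=${s##*/}            # drop an optional /domain/ prefix
        case $addr in
            ''|127.*|::1|::1#*) ;;
            *) echo "LEAK: non-loopback upstream $addr"; rc=1 ;;
        esac
    done
    # The files named by resolv-file= and servers-file= should be empty, as the post checks.
    for f in $(sed -n -e 's/^resolv-file=//p' -e 's/^servers-file=//p' "$conf"); do
        if [ -s "$f" ]; then echo "LEAK: $f is not empty"; rc=1; fi
    done
    return $rc
}

# Constructed sample configs (not real router output), written under directory $1.
make_samples() {
    : > "$1/resolv.empty"
    echo 'server=2001:db8::53' > "$1/resolv.stale"   # constructed non-loopback entry
    printf '%s\n' "servers-file=$1/resolv.empty" no-resolv \
        'server=127.0.0.1#65053' 'server=127.0.0.1#65054' > "$1/good.conf"
    printf '%s\n' "servers-file=$1/resolv.stale" no-resolv \
        'server=127.0.0.1#65053' > "$1/stale.conf"
    printf '%s\n' 'server=127.0.0.1#65053' 'server=192.0.2.1' > "$1/bad.conf"
}

# With a path argument, audit that file (e.g. /etc/dnsmasq.conf on the router).
if [ $# -gt 0 ]; then audit_dnsmasq "$1"; fi
```

Run it against the active `/etc/dnsmasq.conf` rather than `dnsmasq.conf.add`, since the active file is what dnsmasq actually loaded after the restart.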
 
@joegreat Thanks for the additional info.

I went through your guide, emptied the DNS-server fields at the WAN-page (even though I have had no prior DNS-leaks, better safe than sorry).

Next, entering:
Code:
cat /jffs/configs/dnsmasq.conf.add
results in
Code:
cat: can't open '/jffs/configs/dnsmasq.conf.add': No such file or directory
File is not found in /jffs/configs/. Is that a typo or intended? Only fstab is in /jffs/config/

Next up:
Code:
cat /*/dnsmasq.conf
*=etc (to prevent autoblocking by forum software)

shows
Code:
pid-file=/var/run/dnsmasq.pid

user=nobody
bind-dynamic
interface=br0
interface=ppp1*
no-dhcp-interface=ppp1*
resolv-file=/tmp/resolv.conf
servers-file=/tmp/resolv.dnsmasq
no-poll
no-negcache
cache-size=1500
min-port=4096
domain=lan
expand-hosts
bogus-priv
local=/lan/
dhcp-range=lan,192.168.1.200,192.168.1.254,255.255.255.0,86400s
dhcp-option=lan,3,192.168.1.1
dhcp-option=lan,15,lan
dhcp-option=lan,252,"\n"
dhcp-authoritative
read-ethers
addn-hosts=/*/hosts.dnsmasq
## begin of AB-Solution entries ##
addn-hosts=/tmp/mnt/usb/adblocking/blocking_file
addn-hosts=/tmp/mnt/usb/adblocking/blacklist.txt
log-facility=/tmp/mnt/usb/adblocking/logs/dnsmasq.log
log-async
log-queries
## end of AB-Solution entries ##
no-resolv
server=127.0.0.1#65053
server=127.0.0.1#65054
*=etc (to prevent autoblocking by forum software)

and
Code:
cat /*/resolv.conf
*=etc (to prevent autoblocking by forum software)

shows
Code:
nameserver 127.0.0.1

Check if the resolver config files are empty: cat /tmp/resolv.conf and cat /tmp/resolv.dnsmasq

Both files are empty.

IPLeak.net shows only the IP address of the third party DNS-server using dnscrypt (like it did prior to deleting the DNS-servers on the WAN-page, but that might be because I chose 'Yes' when @bigeyes0x0's installer script asked whether I wanted to route all dns queries through dnscrypt. I think that bypasses the DNS-servers on the WAN-page anyway. But then again, what isn't there, can't be leaked either.)
 
Thank you both for the helpful answers. The IPv6-DNS settings were to blame. No more leaks.

Glad to hear you solved it. Thanks to @joegreat for his additional settings to check, wasn't aware of those. However, I'm still curious about the missing file Joe (/jffs/configs/dnsmasq.conf.add), so if you have some time, please let me know whether I'm missing something, or was looking in the wrong place?
 
Can someone help with a strange issue?
RT N66U, dnscrypt installed with this script, everything seems fine, except a strange issue:
Code:
admin@RT-N66U-4F40:/tmp/home/root# nslookup avito.ru
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      avito.ru
Address 1: 185.89.12.132
On the computer I can't get the IP address of this site:
Code:
dig @192.168.77.1 avito.ru
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.9.7-P3 <<>> @192.168.77.1 avito.ru
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41399
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;avito.ru.            IN    A

;; Query time: 116 msec
;; SERVER: 192.168.77.1#53(192.168.77.1)
;; WHEN: Fri Sep 29 00:26:40 MSK 2017
;; MSG SIZE  rcvd: 37
But with another DNS all is OK:
Code:
 ~ dig @8.8.8.8 avito.ru

; <<>> DiG 9.9.7-P3 <<>> @8.8.8.8 avito.ru
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18385
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;avito.ru.            IN    A

;; ANSWER SECTION:
avito.ru.        6    IN    A    185.89.12.132

;; AUTHORITY SECTION:
avito.ru.        1214    IN    NS    grace.ns.cloudflare.com.
avito.ru.        1214    IN    NS    micah.ns.cloudflare.com.

;; ADDITIONAL SECTION:
grace.ns.cloudflare.com. 947    IN    A    173.245.58.159
grace.ns.cloudflare.com. 1370    IN    AAAA    2400:cb00:2049:1::adf5:3a9f
micah.ns.cloudflare.com. 1050    IN    A    173.245.59.206
micah.ns.cloudflare.com. 3913    IN    AAAA    2400:cb00:2049:1::adf5:3bce

;; Query time: 2 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Sep 29 00:32:46 MSK 2017
;; MSG SIZE  rcvd: 198
Maybe router DNS doesn't work?:
Code:
dig @192.168.77.1 yandex.ru

; <<>> DiG 9.9.7-P3 <<>> @192.168.77.1 yandex.ru
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43873
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;yandex.ru.            IN    A

;; ANSWER SECTION:
yandex.ru.        72    IN    A    77.88.55.88
yandex.ru.        72    IN    A    77.88.55.55
yandex.ru.        72    IN    A    5.255.255.55
yandex.ru.        72    IN    A    5.255.255.5

;; Query time: 46 msec
;; SERVER: 192.168.77.1#53(192.168.77.1)
;; WHEN: Fri Sep 29 00:34:33 MSK 2017
;; MSG SIZE  rcvd: 102
No, it's OK. Firewall disabled on this PC, but all devices on my network can't resolve avito.ru if the DNS server in network config is the router with dnscrypt...
 
Works like a charm in my case (on PC and router). Which DNS settings are used on the PC side?
 
On the PC there is only one DNS server address: 192.168.77.1 - the Asus router.
The router can resolve avito.ru to an IP, but other devices on my network can't if the DNS server is the router. If I change it to any other DNS, 8.8.8.8 or 77.88.8.8, all works like a charm.
 
Found how to change DNS server without re-installing: edit /jffs/dnscrypt/.config

Now anyone know why I keep getting "Unable to retrieve server certificates" for OpenNic?
Well, thanks to you I found this message since it was getting the same message "Unable to retrieve server certificates". I edited the .config file as you stated, changed the two DNS servers, rebooted and that fixed it. One DNS server was not being found.

My clue to what was wrong was found in using ipleak.net and it only showed one DNS server so I changed both in the .config file and now both show in ipleak and no more unable to retrieve errors.
 
I updated my DNS servers and when I run pidof dnscrypt-proxy i get a couple numbers (1093 1085). Does this mean the DNS is encrypted? When I run dig debug.opendns.com txt I don't see "dnscrypt enabled (717473654A614970)".

DNS tests do reflect the chosen servers. I know sometime before I saw "dnscrypt enabled" on a different server.
 
@MarCoMLXXV

I'm not using John's fork, I'm using asuswrt-merlin 380.68 (latest version) which does not have it integrated.

Will start from the beginning when I have time next week, all works otherwise, ipleak and dnsleaktest both show opendns.

AB-Solution still works, when I do nslookup -type=txt debug.opendns.com in terminal it shows dnscrypt enabled so all seems OK except for that niggle, but a fresh install might be the solution.

Cheers.

Very late update,

Had time the other day to do a full factory reset on my rtac68u and clear nvram, still same issue: when I reboot the router I can access blocked websites that have been blocked via the opendns website (in my account) for the first few minutes after bootup. I can only assume that every time I reboot the router I do usually get a new IP address. I see in the logs opendns IP updated etc., so I am thinking it takes a few minutes for opendns to update my IP through its network, and until it does it allows access for the first few minutes while the new IP is updated and associated with my account. I don't think it's an issue with the router/scripts seeing as I did a full reset (did it twice), held down the WPS button whilst turning on the router and cleared nvram via telnet, and configured everything manually. I can't think of anything else.

Cheers.
 
Just a quick question...will dnscrypt be install-able on am382.x?
 
Hi,

It does not work on RT-AC86U Merlin 382.1_beta2
I get "This is unsupported platform, sorry."

/Tom
The RT-AC86U has a new processor type identifier that needs to be enabled first in the script.
 
@bigeyes0x0 I just updated from 380.68_4 to the official 382.1 I did not do anything other than update my scripts before updating the router. Everything went great. No problems and no errors. All scripts running without reinstall. You are awesome!
 
