DNScrypt dnscrypt installer for asuswrt

If you can get around to it, will you please consider adding log rotation to dnscrypt? In two weeks of running with a blacklist, the blocked.log file is up to 160k. My dnscrypt blacklist.txt file includes two wildcard domains:
*.doubleclick.net*
*.imrworldwide.com

There were a number of related addresses that were sneaking past the standard lists, and this looked like a clever way to filter the entire domains.
 
Thanks for the new release! Got a problem with creating the swap file. I have two partitions on my flash drive. One is called swap at 1GB, and sdx2 is for the rest. When creating the swap file it doesn't see sdx1, the swap partition, but only sdx2. Can I have the swap file together with the rest, and only have one partition?
 
Hi all. I just installed dnscrypt and I don't know how to verify whether it's working or not. I have an RT-AC3100. I've decided to stay on 380.68 for now. I installed entware although it's not the latest version. I've installed amtm and then installed dnscrypt from there. It seems to be running. It shows up in the process list (i.e. ps) and pidof displays a pid. The WebUI log shows a bunch of output from dnscrypt. Looks like it's testing response from a bunch of servers to determine which to use. When I try to do an nslookup, it doesn't show the "dnscrypt enabled" as it states on the first post in this thread. One other thing...I connect through a OpenVPN for most of my devices.

How do I confirm dnscrypt is being used by my devices and the router itself?

Is it working for devices that go through the VPN and those that don't? How to check?

I currently have "Accept DNS Configuration" set to exclusive.

Are there any changes required on the router interface to use dnscrypt?
I currently have the router set to use DNS 8.8.8.8 and 8.8.4.4

Should the DNS be pointed to 127.0.0.1?

All help is appreciated.
 
"Should the DNS be pointed to 127.0.0.1?"

No.

Delete all DNS entries in
LAN > DHCP Server > DNS

If the DNS entries are not clear it will use whatever's in the fields and not DNSCrypt.

"Is it working for devices that go through the VPN and those that don't? How to check?"

Set "Accept DNS Configuration" to disabled. This may not work with VPNs, I haven't tested it too much.

"How do I confirm dnscrypt is being used by my devices and the router itself?"

Make sure your client is configured to use DNS settings from the router and visit this website:
https://www.dnsleaktest.com/

If you set your servers manually, you will see a list of the ones you picked. If not you will get a random DNSCrypt server and you can verify the hostname is a DNSCrypt server with a search engine.

DNSCrypt starts a service on port 65053. Clients connect to routerip:65053 for DNS queries so on your clients it will look like your DNS server is your router.
 
Hey
I have updated from version 1 of the dnscrypt Proxy to version 2.06
Question is that I added my VPN ISP DNS servers in version 1 that supports dnscrypt. Now it seems to get servers from a different resolver file. Is it possible to add servers to the new list? And how do I get the SDNS address?

Read in the dnscrypt-proxy.toml that you can add Optional, local, static list of additional servers.
is it possible to add dns server like in the dnscrypt-resolvers.csv file or is sdns: the only way?

Solved it :) working Perfect now with my vpn providers dns servers instead
(https://dnscrypt.info/stamps/)
 
Thanks for the assistance. Both dnsleak.com and ipleak.net show the encrypted DNS servers. I had to clear the DNS entries and set the OpenVPN client setting for "Accept DNS Configuration" to Disabled. Before changing the VPN DNS setting and just clearing the DNS entries, my devices were unable to resolve site addresses.

FYI, I was doing the nslookup on the router and then I re-read how to check if it was working and I should have been doing them in Windows. I then did the nslookup in Windows. FYI, looks like debug.opendns.com no longer exists. Also, when I tried another site, there was no "dnscrypt enabled (717473654A614970)" text. Maybe that's changed and the text no longer displays. Someone may want to update that first post.

In any case, thanks. I'm confident that it's working and the DNS requests are going through the encrypted servers. FYI, for others, all my devices get IP addresses through the router DHCP server defined manually as static IP addresses and the DNS settings are also automatically picked up.

Thanks again!
 
Sorry for my English. I installed the script and it worked great, but when I use a VPN (NordVPN Windows app) it doesn't work. The app's settings have a place where I can set up my own DNS... should I put something there? Thx
 
Sorry for my English. I installed the script and it worked great, but when I use a VPN (NordVPN Windows app) it doesn't work. The app's settings have a place where I can set up my own DNS... should I put something there? Thx

The NordVPN Windows client overrides those settings on the computer, I guess, and has NordVPN settings in it, so it should be just fine.
(The app is creating a tunnel inside your normal connection with the app settings.)
But if you configure NordVPN in the router on the OpenVPN client page, it will use your dnscrypt-proxy settings.
 
So to solve all the problems with installing dnscrypt with entware (or similar) then setting up various scripts to handle dnscrypt-proxy starting up including the ntp issue, I made my own installer for dnscrypt-proxy.

Requirements:
- ARM or MIPSEL based ASUS routers
- asuswrt-merlin firmwares or compatible
- jffs support and script enabled

Incompatibilities:
- No known issue

Current features:
- dnscrypt-proxy version 2 with DoH and DNSCrypt version 2 protocols, multiple resolvers, and other features
- Running as nobody through nonroot binary (using --user requires change to passwd)
- Support ARM and MIPSEL based routers
- Support OpenDNS dynamic IP update by entering your OpenDNS account information
- Handling ntp update at router boot up by starting dnscrypt-proxy with cert_ignore_timestamp option
- Redirect all DNS queries on your network to dnscrypt if user chooses to
- Install haveged/rngd for better speed with dnscrypt and other cryptographic applications
- Support various HW RNG such as TrueRNG (tested with v3), TrueRNGpro, OneRNG, EntropyKey
- Ability to setup a swap file
- Ability to setup timezone file (/etc/localtime) used by dnscrypt-proxy and other apps
- Ability to reconfigure dnscrypt-proxy without reinstalling unlike previous installer for dnscrypt-proxy version 1.x.x

Changelog:
https://github.com/thuantran/dnscrypt-asuswrt-installer/commits/master

Install/Update/Reconfig/Uninstall:
Run this command from an ssh shell and follow the prompts for dnscrypt-proxy version 2:
Code:
curl -L -s -k -O https://raw.githubusercontent.com/thuantran/dnscrypt-asuswrt-installer/master/installer && sh installer ; rm installer
User can safely update from dnscrypt-proxy version 1 to version 2. For dnscrypt-proxy version 1 use:
Code:
curl -L -s -k -O https://raw.githubusercontent.com/thuantran/dnscrypt-asuswrt-installer/dnscrypt-proxy-v1/installer && sh installer dnscrypt-proxy-v1; rm installer

How to check if it works

If you use OpenDNS, run this command on Windows cmd
Code:
nslookup -type=txt debug.opendns.com
You should see something like
Code:
"dnscrypt enabled (717473654A614970)"
in result.
Otherwise running this command:
Code:
pidof dnscrypt-proxy
will return a number.

How to report issue:
I need following directory and files:
Code:
/jffs/dnscrypt
/jffs/scripts/dnsmasq.postconf
/jffs/scripts/firewall-start
/jffs/scripts/wan-start
One can use this command to create a tar archive of these files:
Code:
echo .config > exclude-files; tar -cvf dnscrypt.tar -X exclude-files /jffs/dnscrypt /jffs/scripts/dnsmasq.postconf /jffs/scripts/firewall-start /jffs/scripts/wan-start ; rm exclude-files
in current directory and send me the archive for debug.

I also need the following information:
- Which DNS server you selected during dnscrypt installation
- Which router you're using
- Firmware and its version

How I made this:
- Use dnscrypt-proxy binary packages from https://github.com/jedisct1/dnscrypt-proxy
- Compiling and stripping required binaries using firmware building toolchain from asuswrt-merlin
- Write the installer script with parts inspired by entware-setup.sh from asuswrt-merlin
- You can look at all of it here: https://github.com/thuantran/dnscrypt-asuswrt-installer
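
The install commands in the post above pass `-k` to curl, which turns off TLS certificate validation, and then run whatever was downloaded. An added example (not part of the original post or the installer project) that keeps validation on and checks the script against a SHA-256 digest before executing it; `EXPECTED_SHA256` is a placeholder for the digest of a copy you have reviewed, and the function names are illustrative. It assumes the router's curl has a CA bundle and that `sha256sum` and `mktemp` are available.

```shell
#!/bin/sh
# Added example: fetch, verify, then run. Not the installer project's code.
# EXPECTED_SHA256 is a placeholder; take the digest from a copy of the
# script that you reviewed on a trusted machine.
INSTALLER_URL="https://raw.githubusercontent.com/thuantran/dnscrypt-asuswrt-installer/master/installer"
EXPECTED_SHA256="<sha256-of-the-copy-you-reviewed>"

# Print the lowercase SHA-256 hex digest of a file.
file_sha256() {
    sha256sum "$1" | awk '{print $1}'
}

# Return 0 only if the file exists, is non-empty and matches the digest.
verify_digest() {
    file="$1"; expected="$2"
    [ -s "$file" ] || return 1
    actual=$(file_sha256 "$file") || return 1
    [ "$actual" = "$expected" ]
}

# Download with certificate validation on (no -k) and fail on HTTP errors
# (-f); execute only after the digest matches. The temp file is removed on
# every path. Extra arguments are passed through to the script.
fetch_verify_run() {
    url="$1"; expected="$2"; shift 2
    tmp=$(mktemp) || return 1
    if ! curl -fsSL -o "$tmp" "$url"; then
        echo "download failed (TLS or HTTP error)" >&2
        rm -f "$tmp"; return 2
    fi
    if ! verify_digest "$tmp" "$expected"; then
        echo "digest mismatch: got $(file_sha256 "$tmp")" >&2
        rm -f "$tmp"; return 3
    fi
    sh "$tmp" "$@"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage on the router, after setting EXPECTED_SHA256:
#   fetch_verify_run "$INSTALLER_URL" "$EXPECTED_SHA256"
```

Because the URL tracks the `master` branch, the digest changes whenever the script is updated, so a mismatch means the script needs to be reviewed again rather than the check skipped.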

I've noticed though that whenever I go to DNS leaks test it still shows a DNS leak.
 
I've noticed though that whenever I go to DNS leaks test it still shows a DNS leak.
Did you disable the WAN DNS Setting on the WAN config page?
Connect to DNS Server automatically = No should be set if you use dnscrypt.
AND: empty the fixed DNS values below!
 
Did you disable the WAN DNS Setting on the WAN config page?
Connect to DNS Server automatically = No should be set if you use dnscrypt.
Thanks for the reply. It's set to no. I use DNS 8.8.8.8 and 8.8.4.4.
 
Did you disable the WAN DNS Setting on the WAN config page?
Connect to DNS Server automatically = No should be set if you use dnscrypt.
AND: empty the fixed DNS values below!
Ok I emptied the values, but still leaking through dns leaks test.
Also: when doing a dns leak test I'm getting opendns servers showing up on the test. I need it to say no leaks. Maybe I have it configured wrong. I don't know.
 
Ok I emptied the values, but still leaking through dns leaks test.
Also: when doing a dns leak test I'm getting opendns servers showing up on the test. I need it to say no leaks. Maybe I have it configured wrong. I don't know.
- Check that you have disabled DNS filtering, located at AI Protection.
- Check that your clients do not have their own DNS server set in the LAN/Wi-Fi settings.
- Have you tried using the installer to force all DNS 53 to go through dnscrypt-proxy?
 
First, thanks for the reply.

No dns filtering activated in AI Protection.
I do not have any dns numbers anywhere.
I am redirecting all traffic to go through the dnscrypt proxy.
What is DNS 53? I tried DNS 53 on the list of Servers and this one locked me up.
Also I'm using the default resolver p2. I hope this helps.
 
Omg... it was a April’s fool prank!!!
 
Omg... it was a April’s fool prank!!!
are you referring to the message i posted on this thread earlier then deleted?

hehe sorry it was NO prank it was my password manager not updating password so when i entered it, it was using old one lol.

Edit: doh think you referring to message above yours, i dunno lol
 
