DNScrypt dnscrypt installer for asuswrt

New to this stuff, so maybe this is a noob question. Tried Google and search but found nothing.

I have an ASUS RT-AC68U with Asuswrt-Merlin 384.7_2 firmware running. Also installed Diversion and Skynet. All is running smoothly.
I have installed DNSCrypt without problems but now one small problem has started. Chromecast is not working anymore. Chromecast is showing on the devices but streaming does not start. As soon as I uninstall DNSCrypt, Chromecast is working again. Is there a solution for this?

Thx!!
 
I have 2 chromecasts, one v2 and one v1 and they work fine for me
 
Hi,

I'm running a script to check the status of a number of things running on the USB stick (Diversion, Skynet, dnscrypt, router temperatures, uptime, memory etc.). The question is related to the aesthetic output (in the script context) of the command:

Code:
/jffs/dnscrypt/dnscrypt-proxy -check

Is there any way of removing the information contained between the square brackets (date and NOTICE)?

Code:
[2018-11-26 11:23:23] [NOTICE] Source [public-resolvers.md] loaded
[2018-11-26 11:23:23] [NOTICE] Configuration successfully checked
 
I've searched this thread, but couldn't find a clear answer:
How can I chain diversion (ab-solution) and dnscrypt-proxy?
I have both installed, but with

Code:
server=127.0.0.1#65053
server=::1#65053
server=/pool.ntp.org/1.1.1.1
server=/raw.githubusercontent.com/1.1.1.1

all DNS requests reach dnscrypt-proxy directly; without this drop-in they never reach dnscrypt-proxy.
Am I missing a setting here?
 
Hi..

This might have been answered already, but could not find it here.

I currently use a smartdns proxy and was wondering if I install dnscrypt, will my smartdns proxy continue to work or do I need to do something during config?

thanks
On setup dnscrypt asks if you want all devices to resolve through it. You could elect other options. I haven't done this but you can check it out.
 
I would let dnscrypt-proxy resolve all DNS requests, and if you want to use the smartdns proxy DNS servers (for some special reason), try putting them as a custom DNS server under /Lan/dnsfilter for specific devices and see if that works for you.
Or try as Mr Skeal suggested, but I haven't tried that either so don't know how that works.
 
I've been using dnscrypt-proxy v2 and it has been rock solid on my AC3200 for months and is very much in active development.

https://github.com/jedisct1/dnscrypt-proxy

Please do not confuse with v1 which was abandoned. Latest dnscrypt-proxy version is 2.0.19 which came out just last month. And updates happen every month or so.

It does not support DNSOverTLS (DOT) yet but will in future. Does DNS-over-HTTP (DoH) as well as Dnscrypt.

Stubby may well be the future given that the getdns team is behind it. But the latest release for Stubby is v0.2.3 which was released May 2018 - nine months ago.


 
Hi all,

I tried this too today. I have some services installed already and I think I am doing something wrong.
So I have active HackerPorts, Samba, default LAN IP 172.16.x.x, VPN on bind IP address, custom redirect dns for blocking ads (0.0.0.0 ads.example.com).

All installed on an AC88U powered by Merlin firmware 380.70.
Using these details (or you can ask me for other info), could you please provide some hint why dnscrypt-proxy put me offline? The WAN connection is UP, I have the IP, but without internet. Even the Samba folder is not mounted any more.

If I find the reason I will post here what I have found.

Edit1: it worked after apply, not working any more after restart. Tried many restarts.
Edit2: I see this line in dnsmasq.conf. Should I change it to 172? Because this is my DHCP class
Code:
server=127.0.0.1#65053
Edit3: Happens with Stubby the same
Edit4: Following the community feedback I solved this by entering the following in /jffs/configs/dnsmasq.conf.add, because I was losing access to the NTP server:

Code:
server=/pool.ntp.org/1.1.1.1
server=/ntp.alsysdata.net/1.1.1.1


Thank you in advance for any hint.
Best regards!
 
server=127.0.0.1#65053

is ok - if dnscrypt-proxy.toml config file contains,

listen_addresses = ['127.0.0.1:65053']

My router has firewall rules to ensure all dns requests from all clients on the LAN have UDP/TCP 53 requests always redirected to 127.0.0.1:53 (i.e. dnsmasq). Dnsmasq then uses 127.0.0.1:65053 (i.e. dnscrypt-proxy).

The benefits are added client lockdown and you leverage dnsmasq dns lookup caching capabilities.

I have pseudo-script like below in my /jffs/scripts/firewall-start:

Code:
iptables -t nat -C PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr) > /dev/null 2>&1
[ $? -ne 0 ] && iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -C PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr) > /dev/null 2>&1
[ $? -ne 0 ] && iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)


 
How to report issue:
I need the following directory and files:
Code:
/jffs/dnscrypt
/jffs/scripts/dnsmasq.postconf
/jffs/scripts/firewall-start
/jffs/scripts/wan-start
One can use this command to create a tar archive of these files:
Code:
echo .config > exclude-files; tar -cvf dnscrypt.tar -X exclude-files /jffs/dnscrypt /jffs/scripts/dnsmasq.postconf /jffs/scripts/firewall-start /jffs/scripts/wan-start ; rm exclude-files
in current directory and send me the archive for debug.

I also need the following information:
- Which dns server you selected during dnscrypt installation
- Which router you're using
- Firmware and its version

Hi @bigeyes0x0 and all

Could you please help me?
I tried many approaches with the same outcome: after restart I lose internet, even though WAN PPPoE has an IP allocated. SAMBA from the external HDD connected to the router is not accessible either after restart. The only error I saw in syslog was:
Code:
Aug  1 00:00:45 dnscrypt-proxy[633]: Get https://dns.cloudflare.com/dns-query?ct=&dns=yv4BAAABAAAAAAABAAACAAEAACkQAAAAgAAAAA: x509: certificate has expired or is not yet valid
Aug  1 00:00:45 dnscrypt-proxy[633]: dnscrypt-proxy is waiting for at least one server to be reachable

Please find jffs dnscrypt mentioned files here.

- Which dns server you selected during dnscrypt installation: I selected Cloudflare, ipv4
- Which router you're using: I am using Asus AC88U
- Firmware and its version, Firmware: Merlin 380.70

I should mention I have also tried Stubby with the same behavior: after restart it stopped working.
Other customisation I have:
1. custom DHCP LAN IP 172.x.x.1
2. custom dnsmasq.conf.add with this line: addn-hosts=/tmp/hosts.blocked.xfr.autoimpot
The head of this file is:
Code:
0.0.0.0 a.company-target.com
0.0.0.0 a.completeinstallstyle.net
0.0.0.0 a.consumer.net...
2, bind address 172.x.x.10 routed through VPN Client
3. transmission on port 9091
4. webserver
5. nzbget
6. HackerPorts
7. VPN Client
8. VPN Server


Please let me know what other info may be required.

Thank you in advance,
amplatfus
 
Looks like you don't get the NTP-server update.
Guess dnscrypt-proxy or stubby can't start without the time update.
Make sure in your VPN client, if you use policy rules and block routed clients, that you put your router IP to WAN (172.x.x.1).
You can also try to use fake-hwclock, which can be installed through Entware.
(I would uninstall dnscrypt-proxy first, then install fake-hwclock, then reboot, and after that reinstall dnscrypt-proxy.)
 
An easy fix for the time issue is to set dnsmasq to use a different resolver for your NTP server. On mine I have my NTP server set as us.pool.ntp.org, so I set the following line in dnsmasq.conf.add:

server=/us.pool.ntp.org/8.8.8.8

Seems to work without having to fudge with anything else.
 
This will work without the "us" prefix. NTP in our area of the world is resolved from the basic server=/pool.ntp.org/1.1.1.1 or 8.8.8.8 or whatever dns provider.
 
ntp.org has region-specific pools. The closer, the better in terms of accuracy. Being overly paranoid I just wanted to be as specific as possible with the hole I was punching through the DNSCrypt veil.
 
"Do you want to use DNS server over IPv6 (yes only if your connection has IPv6)? [y/n]:"

If my VPN changes my IP address to an IPv6 one, but without my VPN I browse with an IPv4 address, should I enable this or not?
 
Thank you dear community. You were right. I was losing access to NTP.
I solved this by entering the following in /jffs/configs/dnsmasq.conf.add, because I was losing access to the NTP server:

Code:
server=/pool.ntp.org/1.1.1.1
server=/ntp.alsysdata.net/1.1.1.1
Thank you so much for the help.
I updated initial post with Edit 4 and Stubby post too.
Great community!
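
The setup this thread converges on (dnsmasq forwarding to dnscrypt-proxy on a loopback port, plus a plaintext resolver exception for the NTP host so the clock can be set before certificates are validated) can be checked with a short script. This is an added example, not part of any post above or of the installer; the function names are hypothetical and the config file paths are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the thread or the dnscrypt installer.
# All function names are hypothetical; config paths are passed in by the caller.

# upstream_port CONF: print the port dnsmasq forwards to on 127.0.0.1 (empty if none).
upstream_port() {
    sed -n 's/^server=127\.0\.0\.1#\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# proxy_listens TOML PORT: succeed if listen_addresses contains 127.0.0.1:PORT.
proxy_listens() {
    grep -E '^[[:space:]]*listen_addresses[[:space:]]*=' "$1" |
        grep -q "['\"]127\.0\.0\.1:$2['\"]"
}

# ntp_bypassed CONF HOST: succeed if a "server=/domain/ip" line covers HOST.
# dnsmasq applies such a line to the domain itself and to every subdomain.
ntp_bypassed() {
    host=$2
    for dom in $(sed -n 's|^server=/\([^/]*\)/[0-9a-fA-F.:]\{1,\}.*$|\1|p' "$1"); do
        case "$host" in
            "$dom" | *".$dom") return 0 ;;
        esac
    done
    return 1
}

# check_dns_chain CONF TOML NTP_HOST
# 0 = consistent, 1 = dnsmasq has no loopback upstream,
# 2 = dnscrypt-proxy does not listen on that port,
# 3 = NTP host resolves only through dnscrypt-proxy (no plaintext bypass)
check_dns_chain() {
    port=$(upstream_port "$1")
    [ -n "$port" ] || return 1
    proxy_listens "$2" "$port" || return 2
    ntp_bypassed "$1" "$3" || return 3
    return 0
}
```

On the router, the first argument would be the dnsmasq config in effect and the second the dnscrypt-proxy.toml under /jffs/dnscrypt; both locations are assumptions about the install.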
 
Hi again,

In the meantime I discovered that the OpenVPN server is not responding on the default port (normally, I would say). Could you please suggest what I should change? Is it possible to have dns-proxy and OpenVPN server at the same time?
I have Googled it until now without any working fix.

Thanks!
 
