DNScrypt dnscrypt installer for asuswrt

[Delusion]

Over 6 hours on 2.0.36-beta.1 and seems stable so far

Recommend doing a backup of JFFS in webui before update, For easy rollback if something is not working with a newer version
Administration - Restore/Save/Upload Setting: Backup JFFS partition: Save

Restore JFFS backup if needed and reboot router

Did you find this new option "block_undelegated" in the .toml file? because I looked for it and didn't find the option (maybe I missed it twice when I checked). How do I enable this feature ?

 

[Zastoff]

Did you find this new option "block_undelegated" in the .toml file? because I looked for it and didn't find the option (maybe I missed it twice when I checked). How do I enable this feature ?

Yes you have to start from a new dnscrypt-proxy.toml file (not from the previous .toml)

 

[Twiglets]

Yes you have to start from a new dnscrypt-proxy.toml file (not from the previous .toml)

Or you could simply look at the 'example-dnscrypt-proxy.toml', that is downloaded when you update DNSCrypt-proxy, and copy the appropriate entries to your 'Live' dnscrypt-proxy.toml file.

 

[SomeWhereOverTheRainBow]

Or you could simply look at the 'example-dnscrypt-proxy.toml', that is downloaded when you update DNSCrypt-proxy, and copy the appropriate entries to your 'Live' dnscrypt-proxy.toml file.

Remember this only works for those who know their way around a few cat, echo, and sed commands, or simply know how to copy and paste with SSH terminal (this is the hardest method).

 

[Twiglets]

Remember this only works for those who know their way around a few cat, echo, and sed commands, or simply know how to copy and paste with SSH terminal (this is the hardest method).

Or install WinSCP and you can use an 'Explorer like' interface to navigate the Directory structure and display/edit any files etc etc.

See https://winscp.net/

 

[Zastoff]

Or install WinSCP and you can use an 'Explorer like' interface to navigate the Directory structure and display/edit any files etc etc.

See https://winscp.net/

I use SmarTTY also easy mode

 

[Twiglets]

I use SmarTTY also easy mode

FYI,
I know SomeWhereOverTheRainBow uses WinSCP !!!
Something about 'Devil's Advocate' comes to mind

 

[sbsnb]

Remember this only works for those who know their way around a few cat, echo, and sed commands, or simply know how to copy and paste with SSH terminal (this is the hardest method).

I just diff -u the two .toml files pipe that to grep for lines that don't start with '#" and look for the differences.

 

[SomeWhereOverTheRainBow]

FYI,
I know SomeWhereOverTheRainBow uses WinSCP !!!
Something about 'Devil's Advocate' comes to mind

Something about drag-and-drop seems to escape all permission issues.

 

[Zastoff]

The important part is that we get the right/new options in the dnscrypt-proxy.toml, There is many good ways to do that
The answer i gave Delusion is what can be done from DNSCrypt menu, the drawback on that one is you need to reconfigure servers and so on, But when you do like that dnscrypt makes a backup of the old settings--> "dnscrypt-proxy.toml.bak" where you also can copy/check settings/restore it, Be really sure you haven`t missed anything and the newest file options.

Nice info with some different SSH clients and ideas how it can be done
Anyone tested the local DoH-server/ESNI with Firefox?

 

[Zastoff]

Version 2.0.36 Released
Update/install thru amtm

Recommend doing a backup of JFFS in webui before update, For easy rollback if something is not working with a newer version
Administration - Restore/Save/Upload Setting: Backup JFFS partition: Save

Restore JFFS backup if needed and reboot

 

[sbsnb]

Version 2.0.36 Released

Looks like the only actual config change is the following:

## Immediately respond to queries for local zones instead of leaking them to
## upstream resolvers (always causing errors or timeouts).

block_undelegated = true

There are other clarifications and changes to comments in the config file, but that's the only actual config change I see.

 

[SomeWhereOverTheRainBow]

Looks like the only actual config change is the following:

## Immediately respond to queries for local zones instead of leaking them to
## upstream resolvers (always causing errors or timeouts).

block_undelegated = true

There are other clarifications and changes to comments in the config file, but that's the only actual config change I see.

Don't forget about the corrections to the few misspelled words, for the average user that can be detrimental to usage...

https://github.com/DNSCrypt/dnscryp...495b0ec#diff-f6f04170f3c6b8b556a88fa842de545c

## Certificate file and key - Note that the certificate has to be trusted.
-## See the documentatio (wiki) for more information.
+## See the documentation (wiki) for more information.

# cert_file = "localhost.pem"
# cert_key_file = "localhost.pem"

For the average user, I recommend doing a full history review of the config changes... just in case you are victim of not updating in over a year.

https://github.com/DNSCrypt/dnscrypt-proxy/commits/master/dnscrypt-proxy/example-dnscrypt-proxy.toml

 

[SomeWhereOverTheRainBow]

For those wanting to try out dnscrypt - blacklisting "pattern-blacklisting" using dnscrypts-proxy 2 python
script.

cd /opt
opkg install python
mkdir /opt/dnscrypt-blocked
cd /opt/dnscrypt-blocked

wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-blacklist.conf

wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-blacklist-local-additions.txt

wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-time-restricted.txt

wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-whitelist.txt

wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/generate-domains-blacklist.py

chmod a+x generate-domains-blacklist.py

nano domains-blacklist.conf

#comment or uncomment any list you want or don't want or add your own host file list.

nano domains-blacklist-local-additions.txt


add # comments to
#*.lan
#*.local
#*.localdomain
#*.workgroup
so router will not have issues.

#you can also add your own domains to whitelist

nano domains-whitelist.txt

/opt/bin/python2.7 generate-domains-blacklist.py > dnscrypt-blacklist-domains.txt

#copy domains to /jffs/dnscrypt

cp -a /opt/dnscrypt-blocked/dnscrypt-blacklist-domains.txt /jffs/dnscrypt/blocklist.txt

#make sure to uncomment # blacklist and whitelist inside your dncrypt config file.
you can also choose a place for additional logging if you like.

#restart dnscrypt.


#For making this run while entware is mounted only.

opkg install cron


cd /opt/etc/cron.weekly


nano blacklist.gen

#!/bin/sh

#!/bin/sh
INSTALL_DIR="/jffs/dnscrypt"
PY_DIR="/opt/dnscrypt-blocked"
PY_PATH="/opt/bin/python2.7"
GEN="generate-domains-blacklist.py"
BLACKLIST_GEN="dnscrypt-blacklist-domains.txt"
BLACKLIST_FIN="blacklist.txt"
WHITELIST_GEN="domains-whitelist.txt"
WHITELIST_FIN="whitelist.txt"
if [ -f "${PY_DIR}/${GEN}" ]; then
   cd "$PY_DIR" &&
   "${PY_PATH}" "${GEN}" > "${BLACKLIST_GEN}" &&
   cat "${BLACKLIST_GEN}" > "${INSTALL_DIR}/${BLACKLIST_FIN}" &&
   cat "${WHITELIST_GEN}" > "${INSTALL_DIR}/${WHITELIST_FIN}" &&
   cd "$INSTALL_DIR" &&
   "$INSTALL_DIR"/manager dnscrypt-start
fi


chmod 755 blacklist.gen

/opt/etc/init.d/S10cron start

EDIT *adjusted the cron script due to lack of python path logic*

 

[SomeWhereOverTheRainBow]

**Long Overdo Updates ~~ Dnscrypt Installer For Asuswrt **
Added changes to installer include:

• Menu support for Wildcard(server_name"*") Dnscrypt Server and Anonymized Relay Match

• Menu option to define NextDNS Custom using account SDNS stamp when NextDNS Server is chosen under Manual Selection.

More to come.... Stay Tuned!

https://github.com/thuantran/dnscry...mmit/fc798c309e6edb3fabd4b1d9b0b75315531d870d

Want to Thank @Zastoff for long hours and several days of testing and suggestions.
Want to Thank @thelonelycoder && @Martineau for their time and suggestions.
Want to Thank @bigeyes0x0 the original maker
Want to Thank @RMerlin for Asuswrt-Merlin

 

[Zastoff]

**Long Overdo Updates ~~ Dnscrypt Installer For Asuswrt **
Added changes to installer include:

• Menu support for Wildcard(server_name"*") Dnscrypt Server and Anonymized Relay Match

• Menu option to define NextDNS Custom using account SDNS stamp when NextDNS Server is chosen under Manual Selection.

More to come.... Stay Tuned!

https://github.com/thuantran/dnscry...mmit/fc798c309e6edb3fabd4b1d9b0b75315531d870d

Want to Thank @Zastoff for long hours and several days of testing and suggestions.
Want to Thank @thelonelycoder && @Martineau for their time and suggestions.
Want to Thank @bigeyes0x0 the original maker
Want to Thank @RMerlin for Asuswrt-Merlin

A really big Thanks to @SomeWhereOverTheRainBow for making this happen
I also want to Thank @dave14305 & @ColinTaylor for putting up with me and helping me in some of the suggestions

 

[L&LD]

@SomeWhereOverTheRainBow now, the next question is, is this amtm ready?

When I read 'installer', I went looking for an amtm update.

 

[Zastoff]

@SomeWhereOverTheRainBow now, the next question is, is this amtm ready?

When I read 'installer', I went looking for an amtm update.

Did a quick test with amtm
Removed installer

/jffs/dnscrypt/rm installer

Then started amtm and di It gets the new updated version of the installer

 

[JaimeZX]

So, I thought the new "DNS over TLS" made this obsolete? I'm always happy to see a script get updated, but what am I missing here?

 

[SomeWhereOverTheRainBow]

So, I thought the new "DNS over TLS" made this obsolete? I'm always happy to see a script get updated, but what am I missing here?

dnscrypt proxy supports anonymized dns traffic so your traffic when it reaches its final destination only reveals the ip the middle man (the relay server). Also this proxy has Doh as well with esni support for Firefox browser. You only have one side of the equation (dot).