
[Release] dnscrypt installer for asuswrt

SomeWhereOverTheRainBow

Very Senior Member
Okay thanks! It works. I had previously encountered the problem that I had no internet for the clients due to the defect of the "dnscrypt".
lg.
Yea I have been following their releases but these past few they have changed things that appear not listed in their change log, so it is hard to figure out what is wrong until someone reports something.
 

Zastoff

Very Senior Member
Can confirm that reconfigure now works fine with the latest installer
Thanks @SomeWhereOverTheRainBow Awesome job as always :)
Info: Checking dnscrypt-proxy configuration...
[2020-06-13 17:12:33] [NOTICE] dnscrypt-proxy 2.0.44
[2020-06-13 17:12:33] [NOTICE] Dropping privileges
[2020-06-13 17:12:33] [NOTICE] Source [public-resolvers] loaded
[2020-06-13 17:12:33] [NOTICE] Source [relays] loaded
[2020-06-13 17:12:33] [NOTICE] Anonymized DNS: routing everything via [anon-xx-xx anon-xx-xx]
[2020-06-13 17:12:33] [NOTICE] Configuration successfully checked
Info: Restarting dnscrypt-proxy with new config...
Info: Operation completed. You can quit or continue
 

Kenji

Occasional Visitor
Yea I have been following their releases but these past few they have changed things that appear not listed in their change log, so it is hard to figure out what is wrong until someone reports something.
okay,
after restarting a router I suddenly had the same error. I tried to uninstall dnscrypt via Putty but after entering "di" it stopped after 3 lines. After another 5 restarts it worked again at some point. So despite fallback_resolver the connection did not work.

--
Jun 13 18:36:37 lul dnscrypt-proxy[857]: System DNS configuration not usable yet, exceptionally resolving [doh.233py.com] using fallback resolvers over tcp
Jun 13 18:36:37 lul dnscrypt-proxy[857]: Fallback resolvers didn't respond - Trying with the system resolver as a last resort
Jun 13 18:36:37 lul dnscrypt-proxy[857]: Unable to resolve [doh.233py.com] - Make sure that the system resolver works, or that `fallback_resolver` has been set to a resolver that can be reached
Jun 13 18:36:37 lul dnscrypt-proxy[857]: [arvind-io] TIMEOUT
Jun 13 18:36:37 lul dnscrypt-proxy[857]: [ibksturm] TIMEOUT
Jun 13 18:36:37 lul dnscrypt-proxy[857]: [dnscrypt.uk-ipv4] TIMEOUT
Jun 13 18:36:37 lul dnscrypt-proxy[857]: System DNS configuration not usable yet, exceptionally resolving [dns.alekberg.net] using fallback resolvers over tcp
--

lg.
 

SomeWhereOverTheRainBow

Very Senior Member
Looks like there may be an issue going on with that server making a proper connection with you. Just for testing purposes, try using different servers. Sometimes these servers change their hash and dnscrypt proxy falls behind on updating their resolver files. @Kenji
 

dugaduga

Senior Member
So far so good after running for a few days. No more issues from the upstream dnscrypt-proxy 2. Everything seems pretty stable.
here too, updated fast, generated a new config, everything is fine.

updated and it was half working with the previous toml, just "incompatibility" issues with anonymous relays that were rectified in just 2 minutes of generating a fresh toml configuration. it may have worked if "skipping" incompatible was disabled.
 

SomeWhereOverTheRainBow

Very Senior Member
here too, updated fast, generated a new config, everything is fine.

updated and it was half working with the previous toml, just "incompatibility" issues with anonymous relays that were rectified in just 2 minutes of generating a fresh toml configuration. it may have worked if "skipping" incompatible was disabled.
You can now make backups ;).
 

ninjada

New Around Here
had some issues the past week and uninstalled, glad to know it wasn't just me misconfiguring ;)

however, bit of a general question for the most secure setup options when using DNScrypt, what should WAN DNS settings in the asus-merlin user interface be set to??

atm i've got:

WAN DNS Setting
Connect to DNS Server automatically - No
DNS Server1 208.67.222.222
DNS Server2 208.67.220.220
Forward local domain queries to upstream DNS - No
Enable DNS Rebind protection - No
Enable DNSSEC support - No
DNS Privacy Protocol - None
DNSFilter is enabled - anything configured there to something other than No Filtering or Router will bypass DNS Privacy servers.

any issues with those settings? what should they be when using DNScrypt? does it matter?

have got DNScrypt working nicely again via AMTM. EXCEPT, i previously had youtube ads pretty well blocked when using my chromecast. something i configured a long time ago was working well, but now I'm seeing ads again.
 

SomeWhereOverTheRainBow

Very Senior Member
had some issues the past week and uninstalled, glad to know it wasn't just me misconfiguring ;)

however, bit of a general question for the most secure setup options when using DNScrypt, what should WAN DNS settings in the asus-merlin user interface be set to??

atm i've got:

WAN DNS Setting
Connect to DNS Server automatically - No
DNS Server1 208.67.222.222
DNS Server2 208.67.220.220
Forward local domain queries to upstream DNS - No
Enable DNS Rebind protection - No
Enable DNSSEC support - No
DNS Privacy Protocol - None
DNSFilter is enabled - anything configured there to something other than No Filtering or Router will bypass DNS Privacy servers.

any issues with those settings? what should they be when using DNScrypt? does it matter?

have got DNScrypt working nicely again via AMTM. EXCEPT, i previously had youtube ads pretty well blocked when using my chromecast. something i configured a long time ago was working well, but now I'm seeing ads again.
Don't worry about what WAN is set to; in general you could just leave it set to automatic. The only traffic that gets used by the WAN DNS is the local router traffic. If you have set up dnscrypt proxy using the installer then all clients should only be using dnscrypt proxy unless you did not configure dnsfilter or have a client specifically pointed at something else.
In general you want to enable DNSSEC, if the servers you use support it, and DNS rebind protection.
 

SomeWhereOverTheRainBow

Very Senior Member
MINOR INSTALLER UPDATE
New Updates to Dnscrypt-Proxy2 Resolver files

Source ---- https://www.reddit.com/r/dnscrypt/comments/hdfntg/heads_up_servers_lists_have_moved_to_a_new/

Short version:
If you are running at least dnscrypt-proxy 2.0.43, in dnscrypt-proxy.toml, change /v2/ to /v3/ in URLs.

For example here:

[sources.'public-resolvers']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']

both /v2/ instances should be replaced by /v3/.

Same for other sources, such as relays.

It is totally fine not to do it, but you may get access to more servers if you do.

Long version:
dnscrypt-proxy 2.0.43 added the ability to have multiple stamps for the same server definition.

This is neat. If a server has multiple IP addresses, instead of having different names, it can now be accessed using a single one.

This removes redundancy in configuration files, but also makes lists way more readable and easier to maintain. Instead of having just one "sdns://" line, there can now be more than one. Pretty simple and intuitive.

Unfortunately, older versions were not prepared for this. They ignore entries with multiple stamps, which is not optimal. But I discovered that with really old versions (<= 2.0.27) this is a showstopper as these errors were originally considered fatal.

Some servers also couldn't be added to the lists due to bugs in their DoH implementation, that makes them incompatible with older versions of the proxy.

If you are using a recent version, you should be able to take advantage of the new features. But limiting ourselves to what old versions can support doesn't allow this.

So, lists have been moved to a new directory. The previous directory was called v2, the new one is unsurprisingly called v3.

Future releases will use v3 in the example configuration file.

If you are running a current version, you can also update your configuration file to use v3 now.

But you don't have to. The v2 directory still exists, so old URLs are still accessible. The v2 will also keep being updated, automatically, using data from version 3. But the version 2 lists don't benefit from alternative stamps, and resolvers unsupported by old dnscrypt-proxy versions are not present.
Due to this I have pushed an update to adjust the installer for this. Users will need to reconfigure with a new .toml file or manually edit their .toml files following the instructions above to use the newest supported resolver files.
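
The /v2/ to /v3/ change described in the post above, as an added example that is not part of the original post or of the installer: a POSIX shell function that rewrites only the two resolver-list URL prefixes, and only when the version passed in is at least 2.0.43. The function names, the `.v2.bak` backup suffix and the sample config are assumptions made for the example.

```shell
#!/bin/sh
# Added example: move dnscrypt-proxy resolver-list URLs from /v2/ to /v3/.

# version_ge A B: true when dotted version A >= B, compared field by field.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}    # drop suffixes such as "-beta"
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Only these two list locations are rewritten, so any other "/v2/" in the
# file (local paths, comments) is left alone. Both are basic regexes.
GH='dnscrypt-resolvers/master'
DL='download\.dnscrypt\.info/resolvers-list'

# migrate_sources_v3 FILE VERSION: prints how many lines were rewritten.
# FILE is first copied to FILE.v2.bak (hypothetical suffix) for rollback.
migrate_sources_v3() {
    file=$1; ver=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    if ! version_ge "$ver" 2.0.43; then
        echo "dnscrypt-proxy $ver predates 2.0.43; keeping the /v2/ lists" >&2
        echo 0
        return 0
    fi
    n=$(grep -c -e "$GH/v2/" -e "$DL/v2/" "$file" || true)
    if [ "$n" -gt 0 ]; then
        cp -p "$file" "$file.v2.bak"
        sed -e "s#\($GH\)/v2/#\1/v3/#g" -e "s#\($DL\)/v2/#\1/v3/#g" \
            "$file.v2.bak" > "$file"
    fi
    echo "$n"
}

# write_sample FILE: constructed config fragment using the /v2/ URLs above.
write_sample() {
    cat > "$1" <<'EOF'
[sources.'public-resolvers']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
cache_file = 'public-resolvers.md'

[sources.'relays']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/relays.md', 'https://download.dnscrypt.info/resolvers-list/v2/relays.md']
cache_file = 'relays.md'
# constructed comment that must survive unchanged: old lists archived in /tmp/v2/
EOF
}

# Demo on a throwaway copy (constructed input, nothing on the router is touched).
demo_dir=$(mktemp -d)
write_sample "$demo_dir/dnscrypt-proxy.toml"
echo "lines rewritten: $(migrate_sources_v3 "$demo_dir/dnscrypt-proxy.toml" 2.0.44)"
grep -n 'urls' "$demo_dir/dnscrypt-proxy.toml"
rm -rf "$demo_dir"
```

On a router, `dnscrypt-proxy -version` prints the version to pass in, and the file would be the `/jffs/dnscrypt/dnscrypt-proxy.toml` path this thread mentions; restart dnscrypt-proxy afterwards so the edited sources are read.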
 

Zastoff

Very Senior Member
New encrypted DNS servers and relays

The list of public DNS servers is constantly updated, but once a server list has been configured in dnscrypt-proxy, we usually don’t pay much attention to new options becoming available.

So, here are some recent additions (resolvers and relays) that may be of interest.

  • yofiji-se-ipv4 and yofiji-se-ipv6: a new uncensored, no logging, DNSSEC-capable DNSCrypt server in Sweden, operated by @yofiji.

  • anon-yofigi-se-ipv4 and anon-yofigi-se-ipv6: new DNS anonymizer in Sweden.

  • anon-bcn: new DNS anonymizer in Barcelona, operated by @koki.

  • bcn-dnscrypt and bcn-doh: non-logging, non-filtering, DNSSEC capable DNSCrypt and DoH resolvers in Barcelona, operated by @koki.

  • arapurayil-dnscrypt and arapurayil-doh: DNSCrypt and DoH resolvers in Mumbai (https://www.dns.arapurayil.com). Blocking ads, trackers, resource-abusers, malware and phishing.

  • doh-eastas-pi-dns and doh-eastas-pi-dns-ipv6: non-logging DoH server blocking ads/malware/trackers in Tokyo. By https://pi-dns.com

  • faelix-ch-ipv4 and faelix-ch-ipv6 in Switzerland; faelix-uk-ipv4 and faelix-uk-ipv6 in the UK. Anycast, non logging, non-filtering resolvers operated by https://faelix.net

  • acsacsar-ams-ipv4 and acsacsar-ams-ipv6: non-censoring, non-logging, DNSSEC-capable DNSCrypt resolver in Amsterdam, operated by @acsacsar

  • anon-acsacsar-ams-ipv4 and anon-acsacsar-ams-ipv6: new DNS anonymizers in Amsterdam, operated by @acscsar.
Welcome to these new DNS resolvers and anonymizers, and thanks a ton to all the people running these.

Also, with the v3 list format supporting multiple stamps per resolver name, we started adding backup IP addresses to existing entries, and simplifying existing ones. Thanks a lot to @hugepants for his help on this.
Link
 

Zastoff

Very Senior Member
How i can fix this please:

View attachment 24793
Give the install/update command from post 1 a try
Code:
curl -L -s -k -O https://raw.githubusercontent.com/thuantran/dnscrypt-asuswrt-installer/master/installer && sh installer ; rm installer
And when you get the dnscrypt menu run 1)install/update to get the latest installer and run 1) again if other updates are needed
 

jorgsmash

Occasional Visitor
Just installed on my AX88U. A couple questions I had about the install process:

1. The installer asks if you want to only use dns-crypt servers, and then asks if you only want to use DoH servers. I was under the impression these were two different protocols and you had to choose which one you wanted to use. I said yes to both lol. And it seemed to work fine without hiccups.

2. The installer lets you pick your resolvers from a list:

Code:
 =>  Do you want to skip using incompatible resolvers instead of using them directly? [y/n]: y
 Info:  Available Relay servers:
  1) anon-acsacsar-ams-ipv4: Anonymized DNS relay hosted in AMS on Scaleway
  2) anon-ams-nl: Anonymized DNS relay hosted in Netherlands - NL
  .......
  33) anon-v.dnscrypt.uk-ipv4: Anonymized DNS relay hosted in UK on Vultr
  34) anon-yofiji-se-ipv4: Anonymized DNS relay hosted in Sweden and maintained by yofiji.
 =>  Please choose RELAY server, [1-34]: 19
 =>  Please choose next RELAY server or press n to stop, [1-34/n]: 16
 =>  Please choose next RELAY server or press n to stop, [1-34/n]:
Are the choices you select here all used in succession, hopping from your first choice, to your second, to third and so on depending on how many you choose? Or is it more for redundancy if one goes down? Because if it hops through the ones you select I would assume the more you select (10+, all of them?) it would take longer to process the queries? If it's for redundancy I would want to go back and pick a few that aren't all US-based provided by https://cryptostorm.is/.

Sorry if this has been asked before, I'm just tinkering away! Thanks everyone!
 

Zastoff

Very Senior Member
Just installed on my AX88U. A couple questions I had about the install process:

1. The installer asks if you want to only use dns-crypt servers, and then asks if you only want to use DoH servers. I was under the impression these were two different protocols and you had to choose which one you wanted to use. I said yes to both lol. And it seemed to work fine without hiccups.

2. The installer lets you pick your resolvers from a list:

Code:
 =>  Do you want to skip using incompatible resolvers instead of using them directly? [y/n]: y
Info:  Available Relay servers:
  1) anon-acsacsar-ams-ipv4: Anonymized DNS relay hosted in AMS on Scaleway
  2) anon-ams-nl: Anonymized DNS relay hosted in Netherlands - NL
  .......
  33) anon-v.dnscrypt.uk-ipv4: Anonymized DNS relay hosted in UK on Vultr
  34) anon-yofiji-se-ipv4: Anonymized DNS relay hosted in Sweden and maintained by yofiji.
=>  Please choose RELAY server, [1-34]: 19
=>  Please choose next RELAY server or press n to stop, [1-34/n]: 16
=>  Please choose next RELAY server or press n to stop, [1-34/n]:
Are the choices you select here all used in succession, hopping from your first choice, to your second, to third and so on depending on how many you choose? Or is it more for redundancy if one goes down? Because if it hops through the ones you select I would assume the more you select (10+, all of them?) it would take longer to process the queries? If it's for redundancy I would want to go back and pick a few that aren't all US-based provided by https://cryptostorm.is/.

Sorry if this has been asked before, I'm just tinkering away! Thanks everyone!
1: It works fine with DNSCrypt protocol and DoH protocol at the same time ;)
This option helps out with which servers are used
Code:
## Load-balancing strategy: 'p2' (default), 'ph', 'first' or 'random'

lb_strategy = 'random'
Link to wiki
2: Your relays are randomly chosen on proxy startup (there is a "health check" that restarts the proxy in the code for randomizing this in the installer :))
(Only pick relay servers that are close to you. There is no load-balancing option yet for relays)
Link
 

jorgsmash

Occasional Visitor
1: It works fine with DNSCrypt protocol and DoH protocol at the same time ;)
This option helps out with which servers are used
Code:
## Load-balancing strategy: 'p2' (default), 'ph', 'first' or 'random'

lb_strategy = 'random'
Link to wiki
2: Your relays are randomly chosen on proxy startup (there is a "health check" that restarts the proxy in the code for randomizing this in the installer :))
(Only pick relay servers that are close to you. There is no load-balancing option yet for relays)
Link

Can you tell me what the results from a website like this might mean? Here are my results:


Code:
IP    Hostname    ISP    Country
12.190.13.98    None    AT&T Services    Lilburn, United States
172.217.36.1    None    Google    Atlanta, United States
172.217.36.10    None    Google    Atlanta, United States
172.217.36.129    None    Google    Atlanta, United States
172.217.36.13    None    Google    Atlanta, United States
172.217.36.134    None    Google    Atlanta, United States
172.217.36.14    None    Google    Atlanta, United States
172.217.36.196    None    Google    Atlanta, United States
172.217.36.198    None    Google    Atlanta, United States
172.217.36.205    None    Google    Atlanta, United States
172.217.36.206    None    Google    Atlanta, United States
172.217.36.4    None    Google    Atlanta, United States
172.217.36.68    None    Google    Atlanta, United States
172.217.36.69    None    Google    Atlanta, United States
172.217.36.7    None    Google    Atlanta, United States
172.253.0.1    None    Google    Los Angeles, United States
172.253.0.4    None    Google    Los Angeles, United States
172.253.0.5    None    Google    Los Angeles, United States
172.253.2.2    None    Google    Los Angeles, United States
178.216.201.222    dc1.soltysiak.com.    Fotigo.pl Sp. z o.o.    Krakow, Poland
193.70.85.11    radia.bortzmeyer.org.    OVH SAS    France
51.158.147.50    mail-out.lelux.fi.    Dedibox SAS    Paris, France
66.85.30.115    None    Idigital Internet    Spruce Grove, Canada
95.216.24.230    95.216.24.230.    Hetzner Online GmbH    Helsinki, Finland
Not sure if the servers I picked for DNScrypt have anything to do with this. Lol
 

Zastoff

Very Senior Member
Can you tell me what the results from a website like this might mean? Here are my results:


Not sure if the servers I picked for DNScrypt have anything to do with this. Lol
From the previous post it looks like you selected automatic?
With relay servers.
In "Manually" you pick specific dns servers.

The sth-doh and sth-dnscrypt servers use all servers in the list (public-resolvers.md) as a sort of anonymized service and can be confusing in dnsleaktests.
How does it look in syslog when dnscrypt-proxy starts (with selected servers)?
 

honu

New Around Here
I realise this is probably the wrong place to ask this, but, this thread has been going on a few years and it's clear people are regular users of dnscrypt-proxy2 here, so, why not try...

I installed dnscrypt-proxy2 from Entware manually. I have run dnscrypt-proxy2 on other systems for years, so, I have a specific set of changes I made to my .toml setup for how I know I like to run the software.

The challenge I've had is that with asuswrt-merlin, dnscrypt-proxy2 is not starting up on boot on its own. I'm new to this firmware, so, I'm likely missing some part of the process. /opt/etc/init.d has the right startup scripts, the modes are all correct, everything looks right, but, it just doesn't start. So I have to ssh in to the router and run "nohup /opt/sbin/dnscrypt-proxy2 -config /opt/etc/dnscrypt-proxy.toml &" -- if I do it without the nohup, it will stop running as soon as my ssh session ends.

I see that there's a dnscrypt-installer in amtm, and I see this thread's references to the https://raw.githubusercontent.com/thuantran/dnscrypt-asuswrt-installer/master/installer installer from post 1 and repeated frequently - but I'm not sure what chaos will ensue if I effectively run this other installer and just modify what appears to be the /jffs/dnscrypt/dnscrypt-proxy.toml file to be of my own liking.

I suppose my question is either: How do I make the entware dnscrypt-proxy2 start on boot, OR, can/should I use the installer from post 1 and copy over the .toml with my configuration requirements? Or am I doing this all wrong?
 

SomeWhereOverTheRainBow

Very Senior Member
I realise this is probably the wrong place to ask this, but, this thread has been going on a few years and it's clear people are regular users of dnscrypt-proxy2 here, so, why not try...

I installed dnscrypt-proxy2 from Entware manually. I have run dnscrypt-proxy2 on other systems for years, so, I have a specific set of changes I made to my .toml setup for how I know I like to run the software.

The challenge I've had is that with asuswrt-merlin, dnscrypt-proxy2 is not starting up on boot on its own. I'm new to this firmware, so, I'm likely missing some part of the process. /opt/etc/init.d has the right startup scripts, the modes are all correct, everything looks right, but, it just doesn't start. So I have to ssh in to the router and run "nohup /opt/sbin/dnscrypt-proxy2 -config /opt/etc/dnscrypt-proxy.toml &" -- if I do it without the nohup, it will stop running as soon as my ssh session ends.

I see that there's a dnscrypt-installer in amtm, and I see this thread's references to the https://raw.githubusercontent.com/thuantran/dnscrypt-asuswrt-installer/master/installer installer from post 1 and repeated frequently - but I'm not sure what chaos will ensue if I effectively run this other installer and just modify what appears to be the /jffs/dnscrypt/dnscrypt-proxy.toml file to be of my own liking.

I suppose my question is either: How do I make the entware dnscrypt-proxy2 start on boot, OR, can/should I use the installer from post 1 and copy over the .toml with my configuration requirements? Or am I doing this all wrong?
The asuswrt installer version of dnscrypt proxy uses the build provided by the official dnscrypt proxy team and not the one published for entware. The entware version is always several versions behind without the latest stuff. This installer does not require entware to run dnscrypt proxy and uses a more up-to-date version of dnscrypt proxy that is compiled by the dnscrypt proxy team. For those reasons I don't know if anyone can give you effective advice for the entware version.
 

honu

New Around Here
The asuswrt installer version of dnscrypt proxy uses the build provided by the official dnscrypt proxy team and not the one published for entware. The entware version is always several versions behind without the latest stuff. This installer does not require entware to run dnscrypt proxy and uses a more up-to-date version of dnscrypt proxy that is compiled by the dnscrypt proxy team. For those reasons I don't know if anyone can give you effective advice for the entware version.
Thanks. I've gone ahead and nuked the Entware version and installed the one from the installer here.
 
