Which DNS encryption script do I use?

Discussion in 'Asuswrt-Merlin' started by MatrixGeeker, Jan 24, 2020.

  1. MatrixGeeker

    MatrixGeeker Occasional Visitor

    Joined:
    Feb 12, 2018
    Messages:
    47
    AC88U router here with Merlin

    I have entware/AMTM and Diversion all set up.

    So which script do I use for encrypting dns? I hear about dnscrypt proxy/dnscrypt and stubby

    I'm reading different things and it's confusing as to which one to use.
     
  2. Treadler

    Treadler Very Senior Member

    Joined:
    Nov 9, 2017
    Messages:
    599
    Location:
    South Australia

    WAN > Dns Privacy Protocol?
    Seems easiest to me.........:)
     
    Butterfly Bones and Zastoff like this.
  3. SomeWhereOverTheRainBow

    SomeWhereOverTheRainBow Very Senior Member

    Joined:
    Jun 4, 2019
    Messages:
    668
  4. Zastoff

    Zastoff Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    420
    I would say it comes down to what DNS servers you want to use.
    DoT (WAN > Dns Privacy Protocol) included in Asuswrt-Merlin is a good option and as @Treadler says, it's easiest ;)
    DNSCrypt-proxy: Supports DoH and DNSCrypt protocol, gives good info in syslog and has a lot of servers and more options built in for users wiki & features
    And it now also supports Anonymized DNSCrypt wiki and option to set up NextDNS if wanted from DNSCrypt installer menu.
     
    Last edited: Jan 24, 2020
  5. Treadler

    Treadler Very Senior Member

    Joined:
    Nov 9, 2017
    Messages:
    599
    Location:
    South Australia
    A question from an amateur then.

    I installed Dnscrypt via amtm.
    All looked good & happy, router rebooted.
    I did a dns leak test, & it showed I was still using the servers I had manually entered in both wan, & IPv6. (Cleanbrowsing).
    (These servers were different from the ones I specified manually in the Dnscrypt install - Cloudflare)
    I wanted to end up with DoH via Cloudflare.

    I have both IPv4 & 6.
    I have dns filter set to ‘router’.
    I have enabled dns rebind protection, & dnssec.
    I disabled dns privacy prior to the Dnscrypt install.

    What did I forget/do wrong?
     
  6. Zastoff

    Zastoff Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    420
    Test to set in gui: Under Tools/Other settings: Wan: Use local caching DNS server as system resolver (default: No)=Yes
    and try again (think the default was yes in earlier firmwares)
     
    Treadler likes this.
  7. MatrixGeeker

    MatrixGeeker Occasional Visitor

    Joined:
    Feb 12, 2018
    Messages:
    47
    Treadler and Zastoff like this.
  8. Treadler

    Treadler Very Senior Member

    Joined:
    Nov 9, 2017
    Messages:
    599
    Location:
    South Australia
    & it works! Many thanks! :)
    EDIT: no, broken again. Guess I’ll go back to DoT.
     
    Last edited: Jan 24, 2020
    Zastoff likes this.
  9. Zastoff

    Zastoff Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    420
    What happened?
     
  10. Treadler

    Treadler Very Senior Member

    Joined:
    Nov 9, 2017
    Messages:
    599
    Location:
    South Australia
    All was working well, tests showed I was using Cloudflare.

    Then after a short while my dns servers, as reported on more than one site, reverted to Cleanbrowsing.

    Uninstalled dnscrypt, re enabled DoT, & Cloudflare is being reported once more.

    I'm confused......
     
  11. Zastoff

    Zastoff Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    420
    Could be a browser cache issue
    I have no issues with sites reporting my selected(isp) wan dns servers
    Only the ones chosen in DNSCrypt
     
    Last edited: Jan 24, 2020
  12. Treadler

    Treadler Very Senior Member

    Joined:
    Nov 9, 2017
    Messages:
    599
    Location:
    South Australia
    I will investigate further.

    Many thanks for your help & attention!
     
    Zastoff likes this.
  13. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,660
    Location:
    The Land of Smiles
    I use the built in DoT on the WAN page and use Cloudflare servers. Easy setup.

    This is a nice summary of the DNS options.
    https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+-+The+Solutions

    DNSCrypt has some disadvantages you should be aware of.
     
    Kingp1n and Treadler like this.
  14. Zastoff

    Zastoff Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    420
    And once again..that is from December 6, 2017 and compared to dnscrypt v1
    More than 35 releases of DNSCrypt-proxy since then
    https://www.snbforums.com/threads/release-dnscrypt-installer-for-asuswrt.36071/page-73#post-543671
    and
    DoT DoH & DNSCrypt v2
    And we got all of them to choose from :)
    So it comes down to what DNS Servers and options the user needs
     
    Last edited: Jan 24, 2020
  15. SomeWhereOverTheRainBow

    SomeWhereOverTheRainBow Very Senior Member

    Joined:
    Jun 4, 2019
    Messages:
    668
    Try removing manually defined dns tho I doubt it has anything to do with it. Could potentially be that tho. Especially since dns filter is set to router. Maybe forcing traffic to cleanbrowsing
     
    SuperDuke and Treadler like this.
  16. ajh

    ajh Occasional Visitor

    Joined:
    Jan 13, 2020
    Messages:
    10
    As another option I happen to prefer, try none, no scripts at all. Instead just use Merlin's webui to enable DoT. If you'd like to take a look, you can check out my own settings here.
     
    Kingp1n, Treadler and L&LD like this.