Netgear R7800 DNScrypt and MAC Cloning questions

Rerouting
DD-WRT Novice


Joined: 18 Dec 2019
Posts: 9

Posted: Sun Dec 29, 2019 10:36    Post subject: Netgear R7800 DNScrypt and MAC Cloning questions
I'm trying to enable my DNScrypt on build r41791 but I'm not sure if these settings are right and if it will work after I click the correct boxes.

These are my current settings:

Encrypt DNS Enable,
Resolver Adguard Family Protect,
Cache DNSSEC Data Disable,
Validate DNS Replies (DNSSEC) Enable,
Check Unsigned DNS replies Disable,
Local DNS Disable,
No DNS Rebind Enable,
QueryDNS in Strict Order Enable,
Add Requestor Mac to DNS Query Disable,
RFC4039 Rapid Commit Support Disable,
Max Cached Entries 1500.

I'm also having trouble cloning my MAC.
If I set the spoofing addresses for both the Device and Wireless (the two options in the MAC clone tab) it looks like it only clones ath0. If I check my status eth0 and ath1 are left to default while I did try to clone them. I have done no special settings on the router yet, it's a brand new router.
Could this be a bug in r41791 or am I doing something wrong?


Last edited by Rerouting on Sun Dec 29, 2019 12:14; edited 2 times in total
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

Posted: Sun Dec 29, 2019 11:44
good to know your current build running, but do we know your router model yet??? this is due... :)

as DNScrypt works as a local service you need Local DNS Enable...

there is a more elegant way to use DNScrypt via (CLI)/ start up script...its more convenient than the GUI option, as well it gives the option to choose more than one server...

the MAC spoofing must be a bug as i can see ppl complaining about it recently if you do more testing and provide more results about it, you can file a ticket https://svn.dd-wrt.com/, just be more specific...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Rerouting
DD-WRT Novice


Joined: 18 Dec 2019
Posts: 9

Posted: Sun Dec 29, 2019 12:04
Alozaros wrote:
good to know your current build running, but do we know your router model yet??? this is due... :)

as DNScrypt works as a local service you need Local DNS Enable...

there is a more elegant way to use DNScrypt via (CLI)/ start up script...its more convenient than the GUI option, as well it gives the option to choose more than one server...

the MAC spoofing must be a bug as i can see ppl complaining about it recently if you do more testing and provide more results about it, you can file a ticket https://svn.dd-wrt.com/, just be more specific...


My model is in the topic :D it's Netgear R7800.
Flashing went well, going from factory->Kong no problem, Kong->BS I did get Update Failed! but it did install it. My MAC problem can't have anything to do with that can it?

I will enable Local DNS. Should I enable or disable something else?
Is the script easy to use/install/maintain/keep alive? I have never run code on a router before so I'm pretty new to this and I don't want it to stop the service or not work if I mess up.

If more people have problems with MAC Cloning it must be a bug. How would I get more debug information?
The only thing I can do now is tell what happens, I think you can reproduce it on the same model.
I go to MAC Cloning on my R7800 build r41791, change both MACs, check status and only 1 MAC (ath0) is changed, the other two are not (eth0 and ath1).

Only ticket I can find is for ath0 and ath1 not both working. https://svn.dd-wrt.com/ticket/5603
I can't find any topics about eth0 not cloning through the MAC cloning option.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

Posted: Sun Dec 29, 2019 14:59
hmm if you cannot change/clone mac address then it's a bug in general i change only WAN MAC if needed the local wifi mac has nothing to do with connection but it must be changeable too...

yep DNScrypt via CLI is easy to use...just copy paste few lines here and there the only thing vital for DNScrypt to work is local DNS and NTP time, so you add this IP to NTP time 216.239.35.4 and select time zone...

add those to start up script and turn encrypt DNS to disable
RESOLVER_FILE="/etc/dnscrypt/dnscrypt-resolvers.csv"
dnscrypt-proxy -S -m 5 -a 127.0.0.1:30 -R dnscrypt.eu-nl -L /etc/dnscrypt/dnscrypt-resolvers.csv -d
dnscrypt-proxy -S -m 5 -a 127.0.0.2:30 -R dnscrypt.eu-dk -L /etc/dnscrypt/dnscrypt-resolvers.csv -d

add those lines to additional DNSmasq rules
server=127.0.0.1#30
server=127.0.0.2#30

i used dnscrypt.eu-nl and dnscrypt.eu-dk as those were free to use, quite constant, no filtering and DNSSEC compatible... you can replace those, with those you want to use, just have a look at dnscrypt list of public resolvers..

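A consistency check for the setup described in the post above (an added example, not code from the thread or from DD-WRT): every dnscrypt-proxy `-a` listener needs a matching dnsmasq `server=` line, otherwise dnsmasq forwards to a port nothing answers on. The function names and finding labels are made up for this example, and the sample input is constructed from the lines in the post.

```shell
#!/bin/sh
# Added example: cross-check dnscrypt-proxy listeners against dnsmasq upstreams.

# Print ADDR#PORT for each "-a ADDR:PORT" on a dnscrypt-proxy line (stdin).
proxy_listeners() {
    sed -n 's/^[[:space:]]*dnscrypt-proxy.* -a \([0-9.]*\):\([0-9]*\).*/\1#\2/p' | sort -u
}

# Print ADDR#PORT for each "server=ADDR#PORT" dnsmasq option (stdin).
dnsmasq_upstreams() {
    sed -n 's/^[[:space:]]*server=\([0-9.]*\)#\([0-9]*\)[[:space:]]*$/\1#\2/p' | sort -u
}

# $1 = startup script text, $2 = dnsmasq options text.
# Prints one finding per line; returns 0 only when there are none.
check_wiring() {
    listeners=$(printf '%s\n' "$1" | proxy_listeners)
    upstreams=$(printf '%s\n' "$2" | dnsmasq_upstreams)
    findings=""
    nl='
'
    for l in $listeners; do
        # A listener outside 127.0.0.0/8 may be reachable from other hosts.
        case "$l" in 127.*) ;; *) findings="${findings}NOT-LOOPBACK $l$nl" ;; esac
        printf '%s\n' "$upstreams" | grep -qxF "$l" ||
            findings="${findings}UNUSED-LISTENER $l$nl"
    done
    for u in $upstreams; do
        # dnsmasq forwards here, but no proxy instance is bound to it.
        printf '%s\n' "$listeners" | grep -qxF "$u" ||
            findings="${findings}DEAD-UPSTREAM $u$nl"
    done
    printf '%s' "$findings"
    [ -z "$findings" ]
}

# Constructed sample input: the startup lines and dnsmasq rules from the post.
STARTUP='dnscrypt-proxy -S -m 5 -a 127.0.0.1:30 -R dnscrypt.eu-nl -L /etc/dnscrypt/dnscrypt-resolvers.csv -d
dnscrypt-proxy -S -m 5 -a 127.0.0.2:30 -R dnscrypt.eu-dk -L /etc/dnscrypt/dnscrypt-resolvers.csv -d'
DNSMASQ='server=127.0.0.1#30
server=127.0.0.2#30'
check_wiring "$STARTUP" "$DNSMASQ" && echo "wiring consistent"
# Constructed typo: the second upstream names a port nothing listens on.
check_wiring "$STARTUP" 'server=127.0.0.1#30
server=127.0.0.2#31' || echo "mismatch found"
```

On the router the function can be fed the saved settings instead of the sample strings, assuming they are stored in the `rc_startup` and `dnsmasq_options` nvram variables.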
Rerouting
DD-WRT Novice


Joined: 18 Dec 2019
Posts: 9

Posted: Sun Dec 29, 2019 15:38
Is adding the IP from google time (NTP) always required for DNScrypt? Even for the one built in DD-WRT?

The only difference I see between the lines you added and the standard dd-wrt function is that it adds 2 DNS domains, one bound to 127.0.0.1 and one to 127.0.0.2 am I right or am I missing something?

Is it ok to use a ntp server from pool.ntp.org?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

Posted: Sun Dec 29, 2019 16:26
yep it adds 2 DNS server that's fine, if you want you can add a 3rd one or as many as you want...for me 2 were fine..
you will have a couple of dnscrypt services running extra, but for this router is fine.....

IP instead of name is better...i use any of those GGl NTP time list just picked this one randomly, there are others as well...

on R7800, there is an easy way to install and use DNScrypt-proxy v2, which is a bit more secure and has more options to play with...look at my signature there is a link in green ;) if you are interested...

mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

Posted: Sun Dec 29, 2019 17:10
Rerouting wrote:
If more people have problems with MAC Cloning it must be a bug.

I've been using WAN MAC clone for years with many many DD-WRT builds and never had a problem ...currently using r41811

then again --- I am using the EA8500 :P
Rerouting
DD-WRT Novice


Joined: 18 Dec 2019
Posts: 9

Posted: Sun Dec 29, 2019 21:46
Alozaros wrote:
yep it adds 2 DNS server that's fine, if you want you can add a 3rd one or as many as you want...for me 2 were fine..
you will have a couple of dnscrypt services running extra, but for this router is fine.....

IP instead of name is better...i use any of those GGl NTP time list just picked this one randomly, there are others as well...

on R7800, there is an easy way to install and use DNScrypt-proxy v2, which is a bit more secure and has more options to play with...look at my signature there is a link in green ;) if you are interested...


There is a resolver near me so I might pick that one for NTP if it works, if not I'll use that IP :)

Is there any significant difference between the DNScrypt proxy in dd-wrt and the v2 installed through your method?
As long as the encryption is secure enough and the DNS doesn't leak I would go for the one with the least work but if there is a big security difference I will install V2.
I do like the possibility to toggle it on and off in GUI without having to use CLI. I could use a randomizer (d0wn Moldova or Anycast) to have it pick the fastest DNS so I don't know what the security difference is between the two versions.

mrjcd wrote:

I've been using WAN MAC clone for years with many many DD-WRT builds and never had a problem ...currently using r41811

then again --- I am using the EA8500 :P


It works fine on my old router too so it might be a small bug for this model, or I'm doing it wrong :P
I switched to r41811 so maybe that solved something.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

Posted: Mon Dec 30, 2019 0:29
between the version compiled in DDWRT and DNSCrypt-proxy v2 installed via Entware...there is a big difference...
v2 has a little support but mainly from a very secure public DNS servers...it does have tons of useful settings, it supports DoH and has a fall back servers and etc.....
while the old version in DDWRT is still supported and working it has no settings to fiddle with and its very basic.. kind of, but still tough enough...and works out of the box...

johnnyNobody999
DD-WRT User


Joined: 10 Jan 2014
Posts: 499

Posted: Fri Apr 24, 2020 18:25
Alozaros wrote:
hmm if you cannot change/clone mac address then it's a bug in general i change only WAN MAC if needed the local wifi mac has nothing to do with connection but it must be changeable too...

yep DNScrypt via CLI is easy to use...just copy paste few lines here and there the only thing vital for DNScrypt to work is local DNS and NTP time, so you add this IP to NTP time 216.239.35.4 and select time zone...

add those to start up script and turn encrypt DNS to disable
RESOLVER_FILE="/etc/dnscrypt/dnscrypt-resolvers.csv"
dnscrypt-proxy -S -m 5 -a 127.0.0.1:30 -R dnscrypt.eu-nl -L /etc/dnscrypt/dnscrypt-resolvers.csv -d
dnscrypt-proxy -S -m 5 -a 127.0.0.2:30 -R dnscrypt.eu-dk -L /etc/dnscrypt/dnscrypt-resolvers.csv -d

add those lines to additional DNSmasq rules
server=127.0.0.1#30
server=127.0.0.2#30

i used dnscrypt.eu-nl and dnscrypt.eu-dk as those were free to use, quite constant, no filtering and DNSSEC compatible... you can replace those, with those you want to use, just have a look at dnscrypt list of public resolvers..


Is there a way to have dnscrypt-proxy randomly select a resolver? And can the dnscrypt-proxy 1.9 be overwritten with dnscrypt-proxy 2.0 as provided by entware? Ubuntu distros say that 1.9 has to be purged before using 2.0 but I don't think that's possible with dd-wrt firmware. There doesn't seem to be much documentation for using dnscrypt on dd-wrt. When I try to use the dd-wrt dnscrypt-proxy 1.9 I don't get any name resolution. It's probably a setting issue but I haven't found a dnscrypt-proxy wiki that is current.