Entware DNSCrypt-Proxy V2 on DDWRT

Post new topic   Reply to topic    DD-WRT Forum Index -> General Questions
Goto page Previous  1, 2, 3, 4, 5, 6  Next
Author Message
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

PostPosted: Sun May 10, 2020 3:48    Post subject: Reply with quote
I updated Entware's DNSCrypt-Proxy from v2.0.27 to v2.0.39 today on the R7800 with build 43084.

I also updated the new "toml" file to use IPv4 Quad9 DNSCrypt Servers. I have set the listen address to 127.0.0.3 on port 30.

These are my Additional Dnsmasq Options:
no-ping
no-resolv
all-servers
domain-needed
server=/ntp.org/208.67.220.220
server=127.0.0.3#30

I also attached UPDATED copy of the dnscrypt-proxy.toml.v2.0.39.zip (to use it just unzip and rename to dnscrypt-proxy.toml backup or rename your original and put it in the /opt/etc directory. I also added READ rights to Group & Others) for people having issues. This is a working example people can "play" with. Go to the 1st page of this thread for more information.

To restart Entware's DNSCrypt-Proxy, telnet or ssh to router and run...
/opt/etc/init.d/rc.unslung restart
OR
Reboot Router

When picking servers from the site https://dnscrypt.info/public-servers/ click the server-name for more settings keep tabs on these settings to correctly edit your "dnscrypt-proxy.toml" file...

# This example is for Quad9 DNSCrypt IPv4 Servers

# Use servers implementing the DNSCrypt protocol
dnscrypt_servers = true

# Use servers implementing the DNS-over-HTTPS protocol
doh_servers = false

# Server must support DNS security extensions (DNSSEC)
require_dnssec = true

# Server must not log user queries (declarative)
require_nolog = true

# Server must not enforce its own blacklist (for parental control, ads blocking...)
require_nofilter = false

2020-05-11 UPDATED toml zip file...
Enabled Forced TCP and system log in toml file

## Always use TCP to connect to upstream servers.
## This can be useful if you need to route everything through Tor.
## Otherwise, leave this to `false`, as it doesn't improve security
## (dnscrypt-proxy will always encrypt everything even using UDP), and can
## only increase latency.
#force_tcp = false
# Use TCP to fix UDP issues if using older builds
force_tcp = true

## Use the system logger (syslog on Unix, Event Log on Windows)
use_syslog = true



dnscrypt-proxy.toml.v2.0.39.zip
 Description:

Download
 Filename:  dnscrypt-proxy.toml.v2.0.39.zip
 Filesize:  7.06 KB
 Downloaded:  287 Time(s)


_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9

Off Site 1

R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4

Off Site 2

R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531


YAMon 3.4.6 | DNSCrypt-Proxy V2


Last edited by mac913 on Mon May 11, 2020 20:45; edited 3 times in total
Sponsor
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Sun May 10, 2020 6:51    Post subject: Reply with quote
mac913 wrote:
I updated Entware's DNSCrypt-Proxy from v2.0.27 to v2.0.39 today on the R7800 with build 43084.


just to clarify.. did you update it via CLI...?

opkg update
opkg upgrade

ppl will need to know...!!

otherwise good to share toml file, could you add the full path to quad9 servers ...server value ...(attachment has a time limit Wink )
10x...

server_names = ['quad9-dnscrypt-ip4-filter-alt', 'quad9-dnscrypt-ip4-filter-pri']

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
jauch888888
DD-WRT User


Joined: 23 Apr 2020
Posts: 101

PostPosted: Sun May 10, 2020 14:13    Post subject: Reply with quote
Alozaros wrote:
mac913 wrote:
I updated Entware's DNSCrypt-Proxy from v2.0.27 to v2.0.39 today on the R7800 with build 43084.


just to clarify.. did you update it via CLI...?

opkg update
opkg upgrade

ppl will need to know...!!

otherwise good to share toml file, could you add the full path to quad9 servers ...server value ...(attachment has a time limit Wink )
10x...

server_names = ['quad9-dnscrypt-ip4-filter-alt', 'quad9-dnscrypt-ip4-filter-pri']


I did it, via ssh, opkg update
opkg upgrade.
and it works
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

PostPosted: Sun May 10, 2020 16:42    Post subject: Reply with quote
Alozaros wrote:
mac913 wrote:
I updated Entware's DNSCrypt-Proxy from v2.0.27 to v2.0.39 today on the R7800 with build 43084.


just to clarify.. did you update it via CLI...?

opkg update
opkg upgrade

ppl will need to know...!!


jauch888888 is correct.

Alozaros wrote:
otherwise good to share toml file, could you add the full path to quad9 servers ...server value ...(attachment has a time limit ;) )
10x...

server_names = ['quad9-dnscrypt-ip4-filter-alt', 'quad9-dnscrypt-ip4-filter-pri']


The server list and server settings to correctly set for the toml file is at the site https://dnscrypt.info/public-servers/ the list of servers is alphabetic goto to the bottom of the page on the bottom right you can go to different pages. Quad9 server lists is on page 151-200 of 208. Click the server name like "quad9-dnscrypt-ip4-filter-alt" and you will get a pop-up window with more settings, clicking again will close the pop-up. Looking at server "quad9-dnscrypt-ip4-filter-alt" it tells you it uses DNSCrypt and the Blue Lock for DNSSEC.

Hope it answers the question.

Happy Mother's Day & Stay Safe Everyone!

_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9

Off Site 1

R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4

Off Site 2

R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531


YAMon 3.4.6 | DNSCrypt-Proxy V2
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

PostPosted: Sun May 10, 2020 19:47    Post subject: Reply with quote
Since Entware DNSCrypt-Proxy is on version 2.0.39 and the latest is 2.0.42. Fixes are related to DoH Servers and UDP. Sicking with DNSCrypt Servers and TCP connection should fine using version 2.0.39.

Forcing TCP is in the toml file, just change it to true, save it and restart Entware DNSCrypt-Proxy with this CLI command...

/opt/etc/init.d/rc.unslung restart

_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9

Off Site 1

R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4

Off Site 2

R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531


YAMon 3.4.6 | DNSCrypt-Proxy V2
jauch888888
DD-WRT User


Joined: 23 Apr 2020
Posts: 101

PostPosted: Mon May 11, 2020 0:03    Post subject: Reply with quote
mac913 wrote:
Since Entware DNSCrypt-Proxy is on version 2.0.39 and the latest is 2.0.42. Fixes are related to DoH Servers and UDP. Sicking with DNSCrypt Servers and TCP connection should fine using version 2.0.39.

Forcing TCP is in the toml file, just change it to true, save it and restart Entware DNSCrypt-Proxy with this CLI command...

/opt/etc/init.d/rc.unslung restart


but they don't really recommand tcp as ''true'' in toml file, right? It is about tor and could affect the latency?

what do you think?
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

PostPosted: Mon May 11, 2020 5:56    Post subject: Reply with quote
jauch888888 wrote:
mac913 wrote:
Since Entware DNSCrypt-Proxy is on version 2.0.39 and the latest is 2.0.42. Fixes are related to DoH Servers and UDP. Sicking with DNSCrypt Servers and TCP connection should fine using version 2.0.39.

Forcing TCP is in the toml file, just change it to true, save it and restart Entware DNSCrypt-Proxy with this CLI command...

/opt/etc/init.d/rc.unslung restart


but they don't really recommand tcp as ''true'' in toml file, right? It is about tor and could affect the latency?

what do you think?


It all about your priorities. IMO, a stable secure connection to a DNS server is more important to me then latency. I base it on what the newer builds offer and it looks like even the latest build still has issues with UDP so why use it.

IMO, a stable TCP connection out weighs an unstable UDP connection.

_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9

Off Site 1

R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4

Off Site 2

R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531


YAMon 3.4.6 | DNSCrypt-Proxy V2
blaser
DD-WRT Guru


Joined: 16 Jul 2006
Posts: 525

PostPosted: Tue May 12, 2020 23:16    Post subject: Reply with quote
Anyone knows how to troubleshoot it?
I run the update, then the upgrade and when I run
/opt/etc/init.d/rc.unslung restart
it will fail.
tries rebooting etc, replaced the file dnscrypt-proxy.toml with a different one, none worked

_________________
Netgear R9000 main router
RAX80 as AP
jauch888888
DD-WRT User


Joined: 23 Apr 2020
Posts: 101

PostPosted: Tue May 12, 2020 23:19    Post subject: Reply with quote
blaser wrote:
Anyone knows how to troubleshoot it?
I run the update, then the upgrade and when I run
/opt/etc/init.d/rc.unslung restart
it will fail.
tries rebooting etc, replaced the file dnscrypt-proxy.toml with a different one, none worked


Enable the log to see
blaser
DD-WRT Guru


Joined: 16 Jul 2006
Posts: 525

PostPosted: Wed May 13, 2020 0:44    Post subject: Reply with quote
jauch888888 wrote:
blaser wrote:
Anyone knows how to troubleshoot it?
I run the update, then the upgrade and when I run
/opt/etc/init.d/rc.unslung restart
it will fail.
tries rebooting etc, replaced the file dnscrypt-proxy.toml with a different one, none worked


Enable the log to see


I looked at the scripts and was able to trace it to a wrong package that was downloaded.
I downloaded the correct package, installed it, now at lease I do not get illegal instructions, I will reboot the router later and try it( i had to completely disable the dnscrypt, network was down and wife and kids complaining)

_________________
Netgear R9000 main router
RAX80 as AP
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

PostPosted: Wed May 13, 2020 0:53    Post subject: Reply with quote
blaser wrote:
Anyone knows how to troubleshoot it?
I run the update, then the upgrade and when I run
/opt/etc/init.d/rc.unslung restart
it will fail.
tries rebooting etc, replaced the file dnscrypt-proxy.toml with a different one, none worked


If you plan to use the toml zip file I posted add these 4 lines to the Additional Dnsmasq Options...

Edit the IP Addresses if needed. The line with server=/ntp... the IP is for the Cisco DNS (I get the least latency so I use it); you need this line so that the router clocks are set when certificate dates get checked. The line with server=127.0.0.3#30 is the same IP & Port setting as in the toml file for "listen_addresses". The line with dhcp-option=br0,6... (is the DNS Address for br0) is set to the router address (to use DNSCrypt-Proxy), change it if the router IP is not 192.168.1.1

no-resolv
server=/ntp.org/208.67.220.220
server=127.0.0.3#30
dhcp-option=br0,6,192.168.1.1

save settings and reboot

_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9

Off Site 1

R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4

Off Site 2

R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531


YAMon 3.4.6 | DNSCrypt-Proxy V2
martymonster
DD-WRT Novice


Joined: 18 May 2020
Posts: 15

PostPosted: Mon May 18, 2020 7:16    Post subject: Reply with quote
Router Netgear R7000
Firmware v3.0-r40270M kongac (07/11/19)

I am having problems getting dnscrypt-proxy v2 to start.

I believe that I have followed all the instructions above.

The entware installed is from

wget http://bin.entware.net/armv7sf-k3.2/installer/generic.sh

I installed enwtware (as per procs to auto mount) onto a USB stick and then installed dnscrypt-proxy-v2.
opkg install dnscrypt-proxy2_nohf

When I do a check after the start it says dnscrypt is dead.

root@nonoofyourbusiness:/opt/etc# Starting dnscrypt-proxy... done.
-sh: Starting: not found
root@nonoofyourbusiness:/opt/etc# root@nonoofyourbusiness:/opt/etc# /opt/etc/init.d/rc.unslung check
Checking dnscrypt-proxy... dead.

Syslog and log_file were enabled in the toml file but nothing is sent to syslog and the logfile is not created.
My R7000 already sends its syslog data to another server so I know syslog works.

I then installed dnscrypt-proxy-v2 on a Windows 10 Pro machine using the same config and it runs.
log file is created and updated, blacklist file is loaded and verified to be used.
I use the cisco servers and a
nslookup -type=txt debug.opendns.com.
comes back with dnscrypt enabled
so I know it works.

But for some reason it will NOT run on my Netgear R7000.

On the router under setup, I use my ISP NTP IP address. Previously I used its DNS name.

As no log are created I cannot find out why it will not run.

Does anyone have any suggestions to help debug this?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Mon May 18, 2020 7:28    Post subject: Reply with quote
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320764&postdays=0&postorder=asc&start=0

re-read the instructions it's working ok...
did you turned off/disabled encrypt DNS from GUI..?
did you edit the toml file with your settings and so on...correctly ?...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
martymonster
DD-WRT Novice


Joined: 18 May 2020
Posts: 15

PostPosted: Mon May 18, 2020 7:53    Post subject: Reply with quote
Alozaros wrote:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320764&postdays=0&postorder=asc&start=0

re-read the instructions it's working ok...
did you turned off/disabled encrypt DNS from GUI..?
did you edit the toml file with your settings and so on...correctly ?...


This version of kongac does not have the encrypt DNS option in the GUI.

Not sure why you say it is working when it shows as dead and cannot be seen in Top as a running process.

No logs are being created at all.

As I said, the toml file is from a working version tested and running on a Windows 10 box.

A dig test does not show that encryption is enabled whereas on the Windows machine an NSLOOKUP does sow it as enabled.

root@nonoofyourbusiness:/opt/etc# dig debug.opendns.com txt

; <<>> DiG 9.14.8 <<>> debug.opendns.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55632
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com. IN TXT

;; ANSWER SECTION:
debug.opendns.com. 0 IN TXT "server r9.mel1"
debug.opendns.com. 0 IN TXT "flags 460020 0 50 180000000000000000003B50700FD6000091CC1"
debug.opendns.com. 0 IN TXT "originid 218744810"
debug.opendns.com. 0 IN TXT "orgid 2505312"
debug.opendns.com. 0 IN TXT "actype 2"
debug.opendns.com. 0 IN TXT "bundle 11750174"
debug.opendns.com. 0 IN TXT "source 119.17.156.14:42437"

;; Query time: 45 msec
;; SERVER: 192.168.0.4#53(192.168.0.4)
;; WHEN: Mon May 18 17:51:46 AEST 2020
;; MSG SIZE rcvd: 288
jauch888888
DD-WRT User


Joined: 23 Apr 2020
Posts: 101

PostPosted: Mon May 18, 2020 9:48    Post subject: Reply with quote
martymonster wrote:
Not sure why you say it is working when it shows as dead and cannot be seen in Top as a running process.


He says that cause it works, really. I think the problem is about your configuration. It can be anything.

I play a lot with dnscrypt proxy, I test a lot of things, anonymized_dns + different configurations etc.

And sometimes, just a little thing and it doesn't work after restarting .

Shoot your toml file
Goto page Previous  1, 2, 3, 4, 5, 6  Next Display posts from previous:    Page 4 of 6
Post new topic   Reply to topic    DD-WRT Forum Index -> General Questions All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum