I updated Entware's DNSCrypt-Proxy from v2.0.27 to v2.0.39 today on the R7800 with build 43084.
I also updated the new "toml" file to use IPv4 Quad9 DNSCrypt Servers. I have set the listen address to 127.0.0.3 on port 30.
These are my Additional Dnsmasq Options:
no-ping
no-resolv
all-servers
domain-needed
server=/ntp.org/208.67.220.220
server=127.0.0.3#30
I also attached an UPDATED copy of dnscrypt-proxy.toml.v2.0.39.zip (to use it, just unzip and rename it to dnscrypt-proxy.toml, back up or rename your original, and put it in the /opt/etc directory. I also added READ rights for Group & Others) for people having issues. This is a working example people can "play" with. Go to the 1st page of this thread for more information.
To restart Entware's DNSCrypt-Proxy, telnet or ssh to router and run...
/opt/etc/init.d/rc.unslung restart
OR
Reboot Router
When picking servers from the site https://dnscrypt.info/public-servers/ click the server name for more settings; keep tabs on these settings to correctly edit your "dnscrypt-proxy.toml" file...
# This example is for Quad9 DNSCrypt IPv4 Servers
# Use servers implementing the DNSCrypt protocol
dnscrypt_servers = true
# Use servers implementing the DNS-over-HTTPS protocol
doh_servers = false
# Server must support DNS security extensions (DNSSEC)
require_dnssec = true
# Server must not log user queries (declarative)
require_nolog = true
# Server must not enforce its own blacklist (for parental control, ads blocking...)
require_nofilter = false
2020-05-11 UPDATED toml zip file...
Enabled forced TCP and the system log in the toml file
## Always use TCP to connect to upstream servers.
## This can be useful if you need to route everything through Tor.
## Otherwise, leave this to `false`, as it doesn't improve security
## (dnscrypt-proxy will always encrypt everything even using UDP), and can
## only increase latency.
#force_tcp = false
# Use TCP to fix UDP issues if using older builds
force_tcp = true
## Use the system logger (syslog on Unix, Event Log on Windows)
use_syslog = true
The server list and the server settings to set correctly in the toml file are at the site https://dnscrypt.info/public-servers/. The list of servers is alphabetical; go to the bottom of the page, and on the bottom right you can go to different pages. The Quad9 server list is on pages 151-200 of 208. Click a server name like "quad9-dnscrypt-ip4-filter-alt" and you will get a pop-up window with more settings; clicking again will close the pop-up. Looking at server "quad9-dnscrypt-ip4-filter-alt", it tells you it uses DNSCrypt, and the blue lock is for DNSSEC.
Hope it answers the question.
Happy Mother's Day & Stay Safe Everyone!
_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9
Off Site 1
R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4
Off Site 2
R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531
Since Entware DNSCrypt-Proxy is on version 2.0.39 and the latest is 2.0.42, the fixes are related to DoH servers and UDP. Sticking with DNSCrypt servers and a TCP connection should be fine using version 2.0.39.
Forcing TCP is in the toml file; just change it to true, save it, and restart Entware DNSCrypt-Proxy with this CLI command...
/opt/etc/init.d/rc.unslung restart
but they don't really recommend tcp as ''true'' in the toml file, right? It is about Tor and could affect the latency?
what do you think?
It's all about your priorities. IMO, a stable secure connection to a DNS server is more important to me than latency. I base it on what the newer builds offer, and it looks like even the latest build still has issues with UDP, so why use it.
IMO, a stable TCP connection outweighs an unstable UDP connection.
Anyone know how to troubleshoot it?
I run the update, then the upgrade, and when I run
/opt/etc/init.d/rc.unslung restart
it will fail.
Tried rebooting etc., replaced the file dnscrypt-proxy.toml with a different one; none worked.
_________________
Netgear R9000 main router
RAX80 as AP
Enable the log to see
I looked at the scripts and was able to trace it to a wrong package that was downloaded.
I downloaded the correct package and installed it; now at least I do not get illegal instructions. I will reboot the router later and try it (I had to completely disable the dnscrypt, the network was down and wife and kids were complaining).
If you plan to use the toml zip file I posted add these 4 lines to the Additional Dnsmasq Options...
Edit the IP addresses if needed. On the line with server=/ntp..., the IP is for the Cisco DNS (I get the least latency so I use it); you need this line so that the router clock is set when certificate dates get checked. The line with server=127.0.0.3#30 is the same IP & port setting as in the toml file for "listen_addresses". The line with dhcp-option=br0,6... (the DNS address for br0) is set to the router address (to use DNSCrypt-Proxy); change it if the router IP is not 192.168.1.1.
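A check for the wiring this post and the first post describe: dnsmasq must forward to exactly the host:port that dnscrypt-proxy listens on, and the toml must keep the DNSCrypt-only, DNSSEC and no-log knobs on. This is an added example, not the posted zip or anything from the dnscrypt-proxy project; the toml and dnsmasq lines are constructed samples, and the file path in the comments is an assumption.

```sh
#!/bin/sh
# Constructed sample of the relevant dnscrypt-proxy.toml lines (stand-in for /opt/etc/dnscrypt-proxy.toml).
TOML_SAMPLE="listen_addresses = ['127.0.0.3:30']
dnscrypt_servers = true
doh_servers = false
require_dnssec = true
require_nolog = true
force_tcp = true"

# Constructed sample of the Additional Dnsmasq Options box.
DNSMASQ_SAMPLE="no-resolv
all-servers
domain-needed
server=/ntp.org/208.67.220.220
server=127.0.0.3#30"

# host:port that dnscrypt-proxy listens on, read from toml text on stdin.
toml_listen() {
  sed -n "s/^listen_addresses *= *\['\([^']*\)'\].*/\1/p" | head -n 1
}

# host:port that dnsmasq forwards generic queries to: a server= line with an
# address and #port but no /domain/ prefix (so the ntp.org line is skipped).
dnsmasq_upstream() {
  sed -n 's/^server=\([0-9.]*\)#\([0-9]*\)$/\1:\2/p' | head -n 1
}

# Value of a boolean toml key on stdin, or "unset" if the key is absent or commented out.
toml_bool() {
  v=$(sed -n "s/^$1 *= *\([a-z]*\).*/\1/p" | head -n 1)
  echo "${v:-unset}"
}

# 0 when dnsmasq's forward target is exactly the dnscrypt-proxy listener, 1 otherwise.
# A mismatch here is the classic "dnscrypt-proxy runs but nothing uses it" failure.
check_wiring() {
  listen=$(printf '%s\n' "$1" | toml_listen)
  upstream=$(printf '%s\n' "$2" | dnsmasq_upstream)
  [ -n "$listen" ] && [ "$listen" = "$upstream" ]
}

# Number of the three knobs the post relies on (DNSCrypt only, DNSSEC, no-log) not set to true.
policy_gaps() {
  gaps=0
  for key in dnscrypt_servers require_dnssec require_nolog; do
    [ "$(printf '%s\n' "$1" | toml_bool "$key")" = "true" ] || gaps=$((gaps + 1))
  done
  echo "$gaps"
}
```

On the router, pass the contents of the real toml file and of the Additional Dnsmasq Options box in place of the two samples; `check_wiring` returning non-zero or `policy_gaps` printing anything but 0 points at the config rather than at the daemon.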
I installed Entware (as per the procedures to auto mount) onto a USB stick and then installed dnscrypt-proxy-v2.
opkg install dnscrypt-proxy2_nohf
When I do a check after the start it says dnscrypt is dead.
root@nonoofyourbusiness:/opt/etc# Starting dnscrypt-proxy... done.
-sh: Starting: not found
root@nonoofyourbusiness:/opt/etc# root@nonoofyourbusiness:/opt/etc# /opt/etc/init.d/rc.unslung check
Checking dnscrypt-proxy... dead.
Syslog and log_file were enabled in the toml file but nothing is sent to syslog and the logfile is not created.
My R7000 already sends its syslog data to another server so I know syslog works.
I then installed dnscrypt-proxy-v2 on a Windows 10 Pro machine using the same config and it runs.
The log file is created and updated, and the blacklist file is loaded and verified to be used.
I use the cisco servers and a
nslookup -type=txt debug.opendns.com.
comes back with dnscrypt enabled
so I know it works.
But for some reason it will NOT run on my Netgear R7000.
On the router under setup, I use my ISP NTP IP address. Previously I used its DNS name.
As no logs are created I cannot find out why it will not run.
Does anyone have any suggestions to help debug this?
re-read the instructions, it's working ok...
did you turn off/disable encrypt DNS from the GUI..?
did you edit the toml file with your settings and so on... correctly?...
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
This version of kongac does not have the encrypt DNS option in the GUI.
Not sure why you say it is working when it shows as dead and cannot be seen in Top as a running process.
No logs are being created at all.
As I said, the toml file is from a working version tested and running on a Windows 10 box.
A dig test does not show that encryption is enabled, whereas on the Windows machine an NSLOOKUP does show it as enabled.