DNSCrypt Configuration

dahosepipe
DD-WRT Novice


Joined: 24 Mar 2015
Posts: 33

Posted: Thu Jun 11, 2020 0:10    Post subject: DNSCrypt Configuration
Hey guys, I've run into a problem I don't know how to fix. I'm running firmware 43217 with the built-in DNSCrypt v1.95 I believe.

I've been using "Cisco OpenDNS" for a long time, which I chose in the dropdown on the Services tab. It's worked great, but I'd like to switch to something more privacy-focused.

So, I chose "dnscrypt.ca Server 1" and "dnscrypt.ca Server 2". It didn't work so I looked at /etc/dnscrypt/dnscrypt-resolvers.csv and the IP and Fingerprints are all wrong! These are the correct ones: https://dnscrypt.ca/

Code:
dnscrypt.ca-1,"dnscrypt.ca Server 1","Uncensored DNSSEC validating and log-free","Montreal, Canada","","https://dnscrypt.ca/",1,yes,yes,no,"167.114.220.125:443","2.dnscrypt-cert.dnscrypt.ca-1",1A53:A3C9:5078:9CBD:D10B:1933:A468:9B6C:846A:40F1:B73D:1752:AECA:C982:9ECB:7CE2,

dnscrypt.ca-2,"dnscrypt.ca Server 2","Uncensored DNSSEC validating and log-free","Montreal, Canada","","https://dnscrypt.ca/",1,yes,yes,no,"199.167.128.112:5353","2.dnscrypt-cert.dnscrypt.ca-2",43D5:2C82:5922:96C2:DB6F:8D48:CE22:4FDC:C726:26E1:06F6:E388:6193:FA00:9029:631B,

So I tried to modify /etc/dnscrypt/dnscrypt-resolvers.csv and it's a read-only filesystem.

Where do I go from here? Any help or suggestions are appreciated.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

Posted: Thu Jun 11, 2020 7:39
to use an old DNScrypt version 1.95
and be able to use all non v2 DNScrypt public servers
follow this guide

*Do notice this does not require any Entware installation*
----------------- The GUI Encrypt DNS option needs to be turned off
you must use DNSmasq for DNS

add to Additional DNSmasq rules

no-resolv
domain-needed
server=127.0.0.1#30
server=127.0.0.2#30

add these lines to the startup script and click save startup script

# Resolver list shipped with the firmware; -L points dnscrypt-proxy at it
RESOLVER_FILE="/etc/dnscrypt/dnscrypt-resolvers.csv"
# One proxy per resolver (-R selects the row by name), each on its own loopback address
dnscrypt-proxy -S -m 5 -a 127.0.0.1:30 -R dnscrypt.eu-nl -L "$RESOLVER_FILE" -d
dnscrypt-proxy -S -m 5 -a 127.0.0.2:30 -R dnscrypt.eu-dk -L "$RESOLVER_FILE" -d

use this format to add your desired servers, you can add as many as you want

The GUI option lets you use only one... so it needs to be turned off so it does not interfere with these settings...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
dahosepipe
Posted: Fri Jun 12, 2020 3:04
Thank You @Alozaros !

Since the default /etc/dnscrypt/dnscrypt-resolvers.csv file has incorrect data and can't be modified, I had to create my own file. I used data from https://github.com/zer0def/dnscrypt-resolvers-csvgen and https://dnscrypt.ca/. Here are my startup commands:

Code:
# dnscrypt setup
#
cat << "EOF" > "/tmp/root/dnscrypt-resolvers.csv"
"Name","Full name","Description","Location","Coordinates","URL","Version","DNSSEC validation","No logs","Namecoin","Resolver address","Provider name","Provider public key","Provider public key TXT record"
"dnscrypt.ca-1","","Free, Canadian, uncensored, no-logs, encrypted, and DNSSEC validated DNS service for your pleasure.","Canada","+45.5063, -73.5794","","1","yes","yes","no","167.114.220.125:443","2.dnscrypt-cert.dnscrypt.ca-1","1A53:A3C9:5078:9CBD:D10B:1933:A468:9B6C:846A:40F1:B73D:1752:AECA:C982:9ECB:7CE2",""
"dnscrypt.ca-2","","Free, Canadian, uncensored, no-logs, encrypted, and DNSSEC validated DNS service for your pleasure.","Canada","+45.5063, -73.5794","","1","yes","yes","no","149.56.228.45:443","2.dnscrypt-cert.dnscrypt.ca-2","0108:54AB:3B56:A7EE:F9D3:9158:FEF6:820B:FF93:A235:7C89:1608:DB9E:15D3:BBE0:1185",""
EOF

# Custom resolver list written by the here-document above
RESOLVER_FILE="/tmp/root/dnscrypt-resolvers.csv"
# One proxy per resolver (-R selects the row by name), each on its own loopback address
dnscrypt-proxy -S -m 5 -a 127.0.0.1:30 -R dnscrypt.ca-1 -L "$RESOLVER_FILE" -d
dnscrypt-proxy -S -m 5 -a 127.0.0.2:30 -R dnscrypt.ca-2 -L "$RESOLVER_FILE" -d


In Services, I turned OFF "Encrypt DNS" and used your suggestions for "Additional Dnsmasq Options":

Code:
# dnscrypt setup
#
no-resolv
domain-needed
server=127.0.0.1#30
server=127.0.0.2#30


Now my results from https://www.dnsleaktest.com/ show both servers, Yay!
    149.56.228.45 ip45.ip-149-56-228.net. OVH SAS Saint-Jean-sur-Richelieu, Canada
    167.114.220.125 ip125.ip-167-114-220.net. OVH SAS Montreal, Canada

and, https://www.cloudflare.com/ssl/encrypted-sni/ reports:
    DNSSEC
    Your resolver validates DNS responses with DNSSEC.
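
Added example, not part of the original posts: the provider public key in the resolver list is what dnscrypt-proxy trusts, so a startup guard can compare the key in a hand-built list against the fingerprint read from the operator's own page before the proxy is launched. The function names (`resolver_key`, `norm_key`, `verify_pin`, `make_samples`) and `PIN_CA2` are hypothetical, and the sample rows are constructed from the two dnscrypt.ca-2 entries quoted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): pin check for a dnscrypt-proxy 1.x
# resolver list. All function names here are hypothetical helpers.

# Print the provider public key of the row whose first column equals NAME.
# The key is found by its shape (16 colon-separated groups of 4 hex digits),
# so fully quoted rows and partly quoted rows are both handled.
resolver_key() {
    awk -F, -v n="$2" '{ f = $1; gsub(/"/, "", f) } f == n { print; exit }' "$1" |
        grep -oE '([0-9A-Fa-f]{4}:){15}[0-9A-Fa-f]{4}' | head -n 1
}

# Normalise a fingerprint: drop colons and whitespace, upper-case hex.
norm_key() { printf '%s' "$1" | tr -d ': \t\n' | tr 'a-f' 'A-F'; }

# verify_pin FILE NAME EXPECTED
# 0 = key in FILE matches EXPECTED, 1 = mismatch, 2 = row or key missing.
verify_pin() {
    got=$(resolver_key "$1" "$2")
    [ -n "$got" ] || { echo "$2: no row or no key in $1" >&2; return 2; }
    [ "$(norm_key "$got")" = "$(norm_key "$3")" ] && return 0
    echo "$2: key in $1 does not match the expected pin" >&2
    return 1
}

# Constructed sample files: the two dnscrypt.ca-2 rows quoted in the thread,
# with the descriptive columns emptied.
make_samples() {
    cat > "$1/first_post.csv" <<'EOF'
dnscrypt.ca-2,"dnscrypt.ca Server 2","","","","",1,yes,yes,no,"199.167.128.112:5353","2.dnscrypt-cert.dnscrypt.ca-2",43D5:2C82:5922:96C2:DB6F:8D48:CE22:4FDC:C726:26E1:06F6:E388:6193:FA00:9029:631B,
EOF
    cat > "$1/working.csv" <<'EOF'
"Name","Full name","Description","Location","Coordinates","URL","Version","DNSSEC validation","No logs","Namecoin","Resolver address","Provider name","Provider public key","Provider public key TXT record"
"dnscrypt.ca-2","","","Canada","","","1","yes","yes","no","149.56.228.45:443","2.dnscrypt-cert.dnscrypt.ca-2","0108:54AB:3B56:A7EE:F9D3:9158:FEF6:820B:FF93:A235:7C89:1608:DB9E:15D3:BBE0:1185",""
EOF
}

# Assumption: PIN_CA2 is the fingerprint the admin read from the operator's
# own page; here it is the value from the working list posted above.
PIN_CA2="0108:54ab:3b56:a7ee:f9d3:9158:fef6:820b:ff93:a235:7c89:1608:db9e:15d3:bbe0:1185"

# In a startup script the guard would wrap the launch line, for example:
#   verify_pin "$RESOLVER_FILE" dnscrypt.ca-2 "$PIN_CA2" &&
#       dnscrypt-proxy -S -m 5 -a 127.0.0.2:30 -R dnscrypt.ca-2 -L "$RESOLVER_FILE" -d
```

A return code of 1 means the list carries a different key than the pinned one, and 2 means the named row is absent, so either case leaves that proxy instance unstarted rather than running against an unverified key.
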
Alozaros
Posted: Fri Jun 12, 2020 7:19
yep it's working, if you need more control over DNSCrypt you can use DNSCrypt-proxy v2... check the link in my signature, it's not rocket science to make it work, you just need a USB/Entware installation..
All times are GMT