Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Wed Apr 07, 2021 1:10 Post subject:
Does your setup work if you switch to "Adguard DNS 1"? Somewhere on their site -- I can't seem to find it again -- I saw something recently that gave me the impression they may be using "1" for IPv4 and "2" for IPv6. I'm NOT sure about this.
For "1" you can bypass dd-wrt's config if you want by disabling Encrypt DNS, adding server=127.0.0.1#30 in DNSMasq Additional Options and adding this to Startup:
"-m 5" sets the syslog logging level. The default is 6, and 7 is the most possible.
"-e1280" can be omitted to leave the UDP buffer size at the default 512 bytes. There are recommendations online to set it to 4096, but I find that 1280 is the most that dd-wrt/dnscrypt-proxy will use, at least with the VPN I route it through. My memory is fuzzy here, so research if interested.
I suspect the parameters in my code here are the same ones in the adguard-dns-ns1 line in /etc/dnscrypt/dnscrypt-resolvers.csv in dd-wrt. Check if curious.
I am using Adguard as my secondary DNS provider and haven't noticed any recent changes. Sometime in the next year or two they may change the IP address. They changed them around Sept 2020 (see their blog) for the non-DNSCrypt servers, but somewhere -- again I can't seem to find it again -- I read that they're leaving the IP addresses for DNSCrypt alone for now. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
Thanks mate, I can confirm that the result is the same for both 1 & 2.
I've also tried disabling DNSCrypt and running it through the startup script as you mentioned, and the result wasn't any different.
Is there a way I can enable debug mode and generate some logs?
try another one...
links in the other post above...
for best results use either DNScrypt called via script or DNScrypt-proxy 2 (link in my sig)
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Wed Apr 07, 2021 13:28 Post subject:
Aha! When I checked this morning, my routers were not getting replies from Adguard either, so starting with dnscrypt.info, I followed links until discovering that the master for our dnscrypt-resolvers.csv file (full path in prev post) is kept here:
And sure enough, they have changed the IP address. It's now 94.140.14.14, with everything else apparently the same. For a quick test, splice it into the Startup approach I mentioned earlier.
Edit: Tried the new IP. Fails. Can't get certificate (same as the old IP). And at https://kb.adguard.com/en/general/dns-providers#adguard-dns they show the new IP for ordinary DNS but the old IP for dnscrypt. So it's not at all clear what's up at Adguard. I'm going to ask them to clarify and will update here when I get a response.
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Mon Apr 12, 2021 16:56 Post subject:
No response yet from AdGuard, and it's still the case that neither IP works.
Meanwhile, if you are feeling adventurous and want to experiment with a larger range of DNSCrypt providers, with a fallback provider, you can use the full, up-to-date resolvers list, loaded automatically when you boot, by putting this in Startup.
Use this WITHOUT enabling Encrypt DNS in the DNSMasq section. (You can enable it temporarily to look at the updated menu, but DON'T Save or Apply!) In your DNSMasq Additional Options, you need this:
I set Query DNS in Strict Order in DNSMasq (remember it uses the server= lines in reverse order (edit: still true as of 46816, but changed to use the order listed by 48141)), so as shown the code above uses Quad9 as the primary DNS provider and DNSCrypt Poland's new "Guardian" option for fallback DNS. If anything goes wrong in setting up the fancy stuff, it falls back to just using Quad9 (though DNSMasq will assume there's a second provider and will wait for it to respond if Quad9 is slow) without needing the resolvers file, in the spirit of the Quad9 link in my sig. DNSCrypt Poland used to be called soltysiak, and his new Guardian option is for malware/phishing filtering: https://dnscrypt.pl/reboot-of-dnscrypt-poland/
For the big list of DNSCrypt providers, see https://dnscrypt.info/public-servers. If this all worked right on startup, you'll also see it in the dd-wrt Encrypt DNS menu (again, don't Save/Apply), but the URL of course gives you descriptions as well as names.
You can switch the two providers to others on the list. Look at your syslog to see if they work, as some don't. For example, cleanbrowsing-security gives an error message that the protocol version is not supported. There may be others like that.
I assume we'll eventually be able to access adguard-dns this way.
If you are feeling extreme and want to run three dnscrypt-proxy processes, it should be no problem. You'll need an extra line each in this startup code and in DNSMasq Additional Options. The number 3 will feature in each. That's as far as I want to go with the handholding on this idea though, because if you need more, you perhaps shouldn't be messing with Startup code this complex.
Note this code is at the "alpha test" stage. There may be errors. And older versions of dd-wrt may either need a -k added to the curl (to omit https security checking, which they can't do) or may need the curl call replaced with a properly tailored wget call. I'm not getting into those matters. I'll just wish you luck. I do have code similar to this (i.e. tailored for my circumstances) running under both 44048 and 46069, FWIW. I'm using Linksys WRT1900ACSv2 routers. YMMV with others, esp those with smaller memories.
Finally, I have to admit I'm not inclined at the moment to get into being tech support for any of this, though I may edit the code if I spot significant errors. Figured I'd get it out there for you folks to mess with anyway.
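The Startup approach described in the posts above (the -m and -e flags, the resolver parameters taken from the CSV, a 127.0.0.1:30 proxy address that must match the dnsmasq server=127.0.0.1#30 line, and a primary provider with a fallback), as an added example that is not the script posted in this thread. The resolver names, addresses and keys in the embedded CSV are constructed placeholders; on dd-wrt the real file is /etc/dnscrypt/dnscrypt-resolvers.csv or the freshly downloaded copy.

```shell
# Added example, not the thread author's Startup script: turn a resolver name
# from a dnscrypt v1 resolvers CSV (on dd-wrt /etc/dnscrypt/dnscrypt-resolvers.csv,
# or a freshly downloaded copy) into explicit dnscrypt-proxy parameters, with a
# fallback provider and the matching dnsmasq server= line. The CSV below is
# constructed sample data: RFC 5737 addresses and placeholder keys.
SAMPLE_CSV='Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
quad9-example,Quad9 (sample),"Malware blocking, DNSSEC, no logs",Anycast,,https://quad9.example/,1,yes,yes,no,192.0.2.9:8443,2.dnscrypt-cert.quad9.example,AAAA:BBBB:CCCC:DDDD:EEEE:FFFF:0000:1111:2222:3333:4444:5555:6666:7777:8888:9999,
dnscrypt-pl-example,DNSCrypt Poland (sample),"Guardian, malware and phishing filtering",Poland,,https://dnscrypt-pl.example/,1,yes,yes,no,198.51.100.7:443,2.dnscrypt-cert.dnscrypt-pl.example,1111:2222:3333:4444:5555:6666:7777:8888:9999:AAAA:BBBB:CCCC:DDDD:EEEE:FFFF:0000,'

# Print "-r ADDR -N PROVIDER -k KEY" for one resolver name; exit 1 if the name is
# absent or has no key. Columns are counted from the END of the line because the
# Description column holds quoted commas that awk's -F, splits on, so $11 would
# land in the wrong place; the last four columns never contain commas.
resolver_args() {
    printf '%s\n' "$2" | awk -F, -v want="$1" '
        NR > 1 && $1 == want && NF >= 14 && $(NF-1) != "" {
            printf "-r %s -N %s -k %s\n", $(NF-3), $(NF-2), $(NF-1); found = 1; exit
        }
        END { exit (found ? 0 : 1) }'
}

# First name in the list with usable parameters (primary first, then fallback).
pick_resolver() {
    csv="$1"; shift
    for name in "$@"; do
        resolver_args "$name" "$csv" >/dev/null && { printf '%s\n' "$name"; return 0; }
    done
    return 1
}

# dnscrypt-proxy v1 line for a local port (-d daemonizes, which the thread notes
# implies -S; -m 5 quiets the hourly certificate message; -e 1280 sets the EDNS
# payload size) and the dnsmasq line that must use the same port, with '#' not ':'.
proxy_line() {
    args=$(resolver_args "$2" "$3") || return 1
    printf 'dnscrypt-proxy -d -a 127.0.0.1:%s -m 5 -e 1280 %s\n' "$1" "$args"
}
dnsmasq_line() { printf 'server=127.0.0.1#%s\n' "$1"; }

# Primary on port 30, fallback on 31; a name missing from the CSV is skipped.
primary=$(pick_resolver "$SAMPLE_CSV" no-such-resolver quad9-example) && proxy_line 30 "$primary" "$SAMPLE_CSV"
fallback=$(pick_resolver "$SAMPLE_CSV" dnscrypt-pl-example) && proxy_line 31 "$fallback" "$SAMPLE_CSV"
dnsmasq_line 30; dnsmasq_line 31
```

With Query DNS in Strict Order enabled, which of the two server= lines dnsmasq tries first depends on the build, as the post above notes, so check the syslog to confirm which provider is answering.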
Wow, very great script indeed! Thanks for this one!
But at the same time, could a script create an Unbound file in the tmp folder, in order to have working DoT directly at boot, without USB/JFFS? So we could have an updated dnscrypt list and the possibility to switch to DoT if we want, as DoT is not supported on its own.
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Wed Apr 14, 2021 12:35 Post subject:
I assume one could do something similar for DoT.
One might notice that my script doesn't actually need to "mount --bind" the new file over the old one if having the choices show in the GUI menu isn't important, as dnscrypt-proxy could simply be invoked with the new file as downloaded. But I was thinking about experimenting with trying to download and bind with "Encrypt DNS" switched on, to see if the bind could be there in time for dd-wrt's own call to dnscrypt-proxy to pick up the new file. Never quite got to that, and it's also a bit iffy to depend on the outcome of a race condition anyway. Which contestant wins might depend on the router model, the build number, how other things are configured (which could affect the startup sequence), etc.
For anyone curious enough to go there — FWIW — the built-in "Encrypt DNS" calls dnscrypt-proxy with 127.0.0.1:30 specified for communication with dnsmasq, and dd-wrt provides dnsmasq with the corresponding server= line behind the scenes. And let us know how it turns out!
Posted: Wed Apr 14, 2021 19:11 Post subject: Name Resolution
Hey, no one explained why name resolution is broken with Adguard DNS 1? Can anyone explain this?
It causes some issues for me; I ended up adding every device MAC address into Additional Dnsmasq Options to get the names back. Is this just a broken DD-WRT issue, as originally asked?
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Wed Apr 14, 2021 20:01 Post subject:
It's not a dd-wrt issue. It's an AdGuard issue. I have an enquiry in to them.
Alozaros, yes, someone just wanting to run multiple dnscrypt DNS servers from the built-in dd-wrt list can do just as you say. Nice and simple!
Small notes on that: (1) do take care with the 127.0.0.1:30, etc. The .1 in particular. Keep what you use on the dnscrypt-proxy line matching what you have in the dnsmasq server= line, though dnscrypt-proxy uses : where dnsmasq uses #, so watch for that also. (2) With dnscrypt-proxy you don't need the -S, as it's implied by -d. (3) I actually use "-m 5" on my routers as well. That sets up a lesser level of logging so that you don't have to see a big message about renewed certificates every hour. The default logging level corresponds to "-m 6", and you can get a bit more with "-m 7". It's easy to google/ddg a dnscrypt-proxy man page with all these details.
Anyway, the script is for people who want to use dnscrypt providers not covered in the dd-wrt list, like quad9 for instance. Actually the two provider lists are very different.
Thanks for the info. I was looking at the script and it seems to add a level of complication I'd rather not add to my already complicated setup. I already notice that some devices won't even get internet when Adguard DNS goes down. I guess this is a use case for the script, but I'll wait till DD-WRT adds a fallback DNS server to the setup, unless there is a simpler way to add a fallback?