AdGuard DNSCrypt has stopped working on Netgear r7000

Docop1 (DD-WRT Novice)
Posted: Wed Apr 14, 2021 20:49
Actually, @SurprisedItWorks, can your new version also be implemented into the old one you posted (in 2019)? About having dnscrypt load up after the OpenVPN client and then use the VPN tunnel?

Many thanks.
SurprisedItWorks (DD-WRT Guru, Appalachian mountains, USA)
Posted: Wed Apr 14, 2021 20:57
If you're good with picking both primary and fallback off the built-in list (and at least for now, not using adguard), you can go with the simple approach sketched by Alozaros. The complexity of my script is only to get you a more up-to-date provider list and to put it in the DD-WRT menu where you can see it.

So for Alozaros's approach, you'll need to leave Encrypt DNS off, include
Code:
server=127.0.0.2#30
server=127.0.0.1#30
in DNSMasq Additional Options, enable Query DNS in Strict Order, and then in Startup include two dnscrypt-proxy commands as he suggests. The primary should specify 127.0.0.1:30 in the command, and the secondary should specify 127.0.0.2:30. The order of the dnscrypt-proxy lines is irrelevant, but the server= lines need to be in the order I show, because DNSMasq starts with the last one and falls back to the first!

The tricky thing is finding a provider suitable for backup DNS. (I was using AdGuard for my backup, but they are out of action for now!) The dd-wrt provider list is old, and I expect that some of the providers are no longer around. Some of the ones listed are hobby projects. See what info you can find about them at https://dnscrypt.info in the providers tab, but remember that the name of the provider you use in the dnscrypt-proxy command needs to match the first field of some line in comma-separated dd-wrt file /etc/dnscrypt/dnscrypt-resolvers.csv. The dd-wrt menu will get you close, but it may show spaces instead of hyphens, have different upper/lower case, etc. You'll need to check the file. You can get the list of those acceptable names with this in your ssh CLI window:

cut -d, -f1 /etc/dnscrypt/dnscrypt-resolvers.csv

Or this if you just like sed better like I do:

sed 's/,.*//' /etc/dnscrypt/dnscrypt-resolvers.csv

As far as finding ones that work with the protocol dd-wrt uses, you just have to try them and look at the dd-wrt syslog after a reboot. If it works, you'll see a message from dnscrypt-proxy that it's proxying to the IP address of the provider. You'll likely see a less-positive message in the failure case.

No harm testing a bunch quickly, just to see which ones can connect to their servers and get certificates and such, by just running a dnscrypt-proxy command for each in the command line but with 127.0.0.N:30 using different N values for each. Pick N values that do NOT correspond to what's specified to DNSMasq, and there'll be no interference with your running DNS system. Then look at your syslog (if you didn't get obvious errors from just running the command!) to see which could proxy successfully. If you are linux-aware enough to use ps and the kill command, you can clean up afterward that way. Otherwise just reboot when done. Remember, the test in this paragraph will NOT set them up to function as DNS servers, so this is a preliminary test, a way to quickly test four or five providers without having to reboot each time. No harm in ignoring this paragraph though and just editing Startup and rebooting for each.

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
SurprisedItWorks (DD-WRT Guru, Appalachian mountains, USA)
Posted: Wed Apr 14, 2021 21:19
Docop1 wrote:
Actually, @SurprisedItWorks, can your new version also be implemented into the old one you posted (in 2019)? About having dnscrypt load up after the OpenVPN client and then use the VPN tunnel?

Many thanks.

Yeah... that. Actually in my routers I use a ping loop like

until ping -qc1 -W1 -Itun1 1.1.1.1 &>/dev/null; do sleep 5; done

(might be tun0 for your router or even oet1 or some such for wireguard) looking at Cloudflare DNS 1.1.1.1 (or use google 8.8.8.8 or something else) through the vpn interface until it's working, and only then do I execute the dnscrypt command. This waiting to start the dnscrypt proxies isn't really necessary unless you regard initial queries to the providers going outside the tunnel as leaks to be avoided.

To make things actually go through the tunnel, you can include something like

route 9.9.9.9

in the OpenVPN client's Additional Config or in a wireguard client setup, replace 0.0.0.0/1,128.0.0.0/1 with 9.9.9.9,0.0.0.0/1,128.0.0.0/1 in the peer Allowed IPs field.

If you run two dnscrypt proxies to two providers and happen to have both OpenVPN and wireguard clients running, run the primary DNS through the more reliable vpn and run the fallback DNS through the less reliable vpn. That way failure of a single vpn won't take down your entire DNS system. If you just run one VPN client, use it for primary DNS and let fallback, which you won't use often, just go to the WAN with no special routing.

Docop1 (DD-WRT Novice)
Posted: Mon Apr 19, 2021 16:10
Very great and super explanation, and it did work fine indeed! Thanks for that.
But a small question on how to confirm. So let's say I have an OVPN or WG tunnel up and it passes over the DNS peer; it shows up as being the proper DNS. So when I set dnscrypt, the leak test shows the dnscrypt server used. But is there a way to see the route? Like if I do a dig or tracert example.com, with or without dnscrypt set, it always shows:
Local ddwrt ip -> vpn tunnel 10.160.0.1 -> vpn server -> .. route to webpage

I was hoping to see something like:
Local ddwrt ip -> vpn tunnel 10.160.0.1 -> dnscrypt srv -> vpn server -> ..to web..
or am I just looking too much into it..
Alozaros (DD-WRT Guru, UK, London, just across the river..)
Posted: Mon Apr 19, 2021 17:27
hmm, I don't know what you expect... in general, as DNScrypt uses DNSmasq, it blends inside the VPN tunnel... and it calls the DNS you use in DNScrypt... there are no calls from outside..
you can check with:
tcpdump -nnS -i tun1
or check your WAN
tcpdump -nnS -i eth0

if you have a kill-switch on your WAN, you will see only UDP requests and nothing else, while on tun1 you will see the normal traffic... to be sure, you can check only for DNS requests inside the VPN tun1:
tcpdump -i tun1 | grep -Ei 'xxxxxxxx '

replace the xxx inside the quotes with the name of your DNS server specified in the DNScrypt set-up...

also add this line, to your VPN advanced set up box

pull-filter ignore "dhcp-option DNS"

it will ignore the DNS forced by the VPN and will use only DNSmasq... (DNScrypt)

the good thing about OpenVPN is that you can use a fair amount of commands, while in WG it is not like that..

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
SurprisedItWorks (DD-WRT Guru, Appalachian mountains, USA)
Posted: Mon Apr 19, 2021 20:22
Docop1 wrote:
Very great and super explanation, and it did work fine indeed! Thanks for that.
But a small question on how to confirm. So let's say I have an OVPN or WG tunnel up and it passes over the DNS peer; it shows up as being the proper DNS. So when I set dnscrypt, the leak test shows the dnscrypt server used. But is there a way to see the route? Like if I do a dig or tracert example.com, with or without dnscrypt set, it always shows:
Local ddwrt ip -> vpn tunnel 10.160.0.1 -> vpn server -> .. route to webpage

I was hoping to see something like:
Local ddwrt ip -> vpn tunnel 10.160.0.1 -> dnscrypt srv -> vpn server -> ..to web..
or am I just looking too much into it..

If you are using, for example, Quad9 DNS like in my example and so have route 9.9.9.9 in your OpenVPN client config, there are a couple of things you can check.

First, you can do ip route show (or just ip r s actually) in the CLI to see the main routing table. You should see a line like

9.9.9.9 via 10.XX.XX.1 dev tun1

if OpenVPN has indeed set up routing through the tunnel as you specified. Also, in the CLI you can actually do traceroute 9.9.9.9 and look at all the relay steps. You can see it goes first to 10.XX.XX.1, then to your VPN server's IP, then through various other steps to finally reach 9.9.9.9 as desired. You can also do tcpdump -ni tun1 'port 8443' in the CLI and then go to a browser and visit https://dnsleaktest.com and do their simple test. It will make the tcpdump go wild with queries and replies to and from, in this case, 9.9.9.9. Use control-C to quit the tcpdump.

Note: Quad9 uses port 8443, adguard uses 5443 I believe, dnscrypt.pl-guardian uses 2054, but some use port 443 just like https, so those are trickier. Look in the resolver file to see what port a particular provider uses. Look for IP:port in comma-separated field 12 (commas inside quoted strings don't count). If there is no port shown, it uses the default 443. For DNSCrypt server YY.YY.YY.YY using port 443 you could just do tcpdump -ni tun1 | grep -F YY.YY.YY.YY instead. In any case specifying the interface with -i is what proves that your DNS queries and responses are going through the tunnel. On my router the WAN interface is eth0, so I can repeat the test using eth0 instead of tun1 to verify that queries are NOT going outside the tunnel. (Note that the VPN kill switches discussed in many forum posts do NOT restrict traffic to/from the router itself, like DNS queries, because they specify the FORWARD iptables chain and not the INPUT and OUTPUT chains.)

Unrelated note: DNSCrypt providers scaleway-fr and scaleway-ams, in Paris and Amsterdam respectively, are maintained by Frank Denis, the creator of DNSCrypt. See https://fr.dnscrypt.info for that service's features. I tried it this morning, and it's up and running fine.

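The two checks described in the Apr 14 and Apr 19 posts above, name must match field 1 of the resolvers CSV exactly, and the resolver's IP:port (port 443 when none is listed) is what to put in the tcpdump filter, as an added shell example that is not from the thread or from dd-wrt. It assumes the file carries the v1 header line so the "Resolver address" column can be found by name instead of by a fixed field number, and uses a constructed sample instead of the router's real /etc/dnscrypt/dnscrypt-resolvers.csv; the sample's names, addresses and keys are made up.

```shell
#!/bin/sh
# Constructed sample in the layout of dd-wrt's /etc/dnscrypt/dnscrypt-resolvers.csv
# (v1 format, header line first). Names, addresses and keys are made up; on the
# router you would feed in the real file that dnscrypt-proxy -L reads.
SAMPLE_CSV='Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
example-a,"Example A, filtered","Blocks ads, trackers",EU,,https://example.invalid,1,yes,yes,no,203.0.113.10:8443,2.dnscrypt-cert.example-a,AAAA:BBBB,
example-b,Example B,No port listed,US,,https://example.invalid,1,yes,no,no,198.51.100.20,2.dnscrypt-cert.example-b,CCCC:DDDD,
example-v6,Example v6,IPv6 endpoint,US,,https://example.invalid,1,yes,no,no,[2001:db8::53]:443,2.dnscrypt-cert.example-v6,EEEE:FFFF,'

# Print 1-based field $2 of CSV line $1, treating commas inside double quotes
# as data (a plain cut -d, would split "Example A, filtered" in two).
csv_field() {
  printf '%s\n' "$1" | awk -v want="$2" '{
    n = 0; f = ""; inq = 0
    for (i = 1; i <= length($0); i++) {
      c = substr($0, i, 1)
      if (c == "\"") inq = !inq
      else if (c == "," && !inq) { out[++n] = f; f = "" }
      else f = f c
    }
    out[++n] = f
    if (want <= n) print out[want]
  }'
}

# Column number of header $2 in CSV text $1 (the header has no quoted commas).
csv_column() {
  printf '%s\n' "$1" | head -n 1 |
    awk -F, -v want="$2" '{ for (i = 1; i <= NF; i++) if ($i == want) { print i; exit } }'
}

# Print "IP PORT" for resolver $2 in CSV text $1. The name must equal field 1
# exactly, which is what dnscrypt-proxy -R needs; the port defaults to 443.
resolver_endpoint() {
  line=$(printf '%s\n' "$1" | awk -F, -v want="$2" 'NR > 1 && $1 == want { print; exit }')
  [ -n "$line" ] || { echo "no resolver named '$2' in list" >&2; return 1; }
  addr=$(csv_field "$line" "$(csv_column "$1" "Resolver address")")
  case "$addr" in
    \[*\]:*|*.*:*) echo "${addr%:*} ${addr##*:}" ;;   # [v6]:port or v4:port
    *)              echo "$addr 443" ;;               # no port listed
  esac
}

# tcpdump filter that isolates traffic to resolver $2: run it with -i tun1 to
# confirm the queries ride the tunnel, and with -i eth0 to confirm they do not.
capture_filter() {
  ep=$(resolver_endpoint "$1" "$2") || return 1
  set -- $ep
  ip=${1#\[}; ip=${ip%\]}                             # tcpdump wants no brackets
  echo "host $ip and port $2"
}

# On the router: capture_filter "$(cat /etc/dnscrypt/dnscrypt-resolvers.csv)" quad9-dnscrypt-ip4-filter-pri
capture_filter "$SAMPLE_CSV" example-a
```

Pipe the printed filter into `tcpdump -ni tun1 <filter>` and then into `tcpdump -ni eth0 <filter>`; the first should light up during a leak test and the second should stay silent.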
SurprisedItWorks (DD-WRT Guru, Appalachian mountains, USA)
Posted: Wed Apr 28, 2021 17:53
Good News!

A. Adguard is back up. Both the old IP and the new IP are working, the old IP using adguard-dns-ns1 via dd-wrt's built-in resolvers file and the new IP using adguard-dns with my fancy script that downloads the current resolvers file. (Even though I am in the eastern US, both are matching me up with resolvers in Europe, FWIW.) Of note: I never actually heard back from Adguard, so this paragraph comes from my own testing, which I just happened to try today.

B. I mentioned earlier that with my new system you can also choose dnscrypt.pl-guardian (used to be called soltysiak). That's working fine today also. But I also tested scaleway-ams carefully this morning, and (it has no filtering but) is solid and seems quite fast, even from across the pond. So we are up to five choices (incl quad9-dnscrypt-ip4-filter-pri and both adguard choices) that are tested and known to be working.

C. I have had issues with the download site in my script for the new resolvers file. The site is refusing to let me download over my wireguard VPN, which is how I'm set up here (unlike in the script I posted in this thread). However, at https://github.com/dnscrypt/dnscrypt-resolvers there is a section called "Stable download URLs" that lists two URLs, a github one and a dnscrypt.info one. Following the latter and picking up the v1 options (instead of v2 and v3, which have the wrong format because they are for other versions of dnscrypt-proxy), leads to a new download path that is shorter, feels more permanent, and appears to work great. To modify the script to use it, eliminate the G=... line and in the curl line, replace the https://$G path with https://download.$D.info/$R/v1/$F (understanding that this change is not necessary unless you are having trouble with the original path). If you make this change, it's important that you also go to Additional Dnsmasq Options and replace the server=/githubusercontent.com/1.1.1.1 line discussed above with server=/dnscrypt.info/1.1.1.1 so that dnsmasq can resolve the domain for the download URL before dnscrypt is set up.

Aside for linux scripting people wondering why I eliminated the harmless use of variable G: I am hurting so badly for nvram space that I'm reduced to squeezing out a few characters here and there when I can do so without making things completely unreadable. Of course this is also why the original script is written in more of a compact way than a stylish/readable way.

And FWIW (can't remember whether I said before), this is working here on 46069 and 44048.

STEVEG2088 (DD-WRT Novice)
Posted: Thu Nov 25, 2021 20:53
Subject: Following Alozaros's approach: CAN SOMEONE VALIDATE PLEASE?
Hi, I am a newly registered user but have been using DD-WRT for a few years and I applaud the great work you all do!
I had always used DNS unencrypted (quad9 mainly) but with the recent dnsmasq issues this year, I wish to start using dnscrypt. So, I wonder if someone can validate what my config would look like. Appreciate the time... here it goes (see the attached file for easier reading).

## I am on a wrt3200acm running build 47581, I would:

## Turn off GUI option DNScrypt (encrypted DNS)
## add to Additional DNSmasq rules

no-resolv
domain-needed
server=127.0.0.1#30
server=127.0.0.2#30

## THEREFORE my edited version of ADDITIONAL DNSMASQ OPTIONS (VIA GUI) WOULD LOOK LIKE:

local=/HOME.NET/
expand-hosts
domain-needed
no-negcache
cache-size=150
no-resolv
server=192.168.1.1 ## NOT MY REAL ROUTER ADDRESS
server=127.0.0.1#30
server=127.0.0.2#30
## WOULD THIS BE THE FALLBACK IF BOTH QUAD9 AND OPENDNS ARE DOWN? RE. I WOULD BE OKAY WITH USING NAKED GOOGLE DNS OVER MY ISP'S
server=8.8.8.8
## BLOCK CERTAIN WEBSITES FOR MY FAMILY (LIKE...
address=/baypirateproxy.org/127.0.0.1
address=/pornhub.com/127.0.0.1
address=/doubleclick.com/127.0.0.1
address=/doubleclick.net/127.0.0.1


## add these lines in startup script
## re. to use Quad9 as primary resolver with cisco opendns as secondary

RESOLVER_FILE="/etc/dnscrypt/dnscrypt-resolvers.csv"
dnscrypt-proxy -S -m 5 -a 127.0.0.1:30 -R quad9-dnscrypt-ip4-filter-pri -L /etc/dnscrypt/dnscrypt-resolvers.csv -d
dnscrypt-proxy -S -m 5 -a 127.0.0.2:30 -R cisco -L /etc/dnscrypt/dnscrypt-resolvers.csv -d

## HERE ARE WHAT THE OPTIONS WOULD LOOK LIKE IN THE GUI:

Dnsmasq: Enable
Encrypt DNS: Disable
Cache DNSSEC data: Enable
Validate DNS Replies (DNSSEC): Enable
Check unsigned DNS replies: Disable
No DNS Rebind: Enable
Query DNS in Strict Order: Enable
Add Requestor MAC to DNS Query: Disable
RFC4039 Rapid Commit support: Disable

Based on this, QUESTIONS:

1. LOOK RIGHT?
2. CAN I STILL CACHE ENTRIES?
3. CAN I STILL USE DNSSEC VALIDATIONS? I ASSUME SO.
SurprisedItWorks (DD-WRT Guru, Appalachian mountains, USA)
Posted: Fri Nov 26, 2021 0:27
"Check unsigned DNS replies" needs to be enabled if you want DNSSEC to mean anything. Google it to see why.

You should not have a server= line with your router IP. Remove it.

If you have Strict Order enabled, the last server= line entered has the DNS server that will be tried first, and it goes back from there. Reverse of what one might assume.

No time to look further just now. Hope that gets you started.

Alozaros (DD-WRT Guru, UK, London, just across the river..)
Posted: Fri Nov 26, 2021 6:30
for DNScrypt set-up guides, either look at SurprisedItWorks' signature or the green link in mine...
if possible, use DNScrypt proxy v2 via Entware on USB... it provides better options..

SurprisedItWorks (DD-WRT Guru, Appalachian mountains, USA)
Posted: Sat Apr 02, 2022 16:19
A quick update: as of build 48141, dd-wrt is using an updated resolver list relative to what is discussed above. This new list includes Quad9 and the Adguard IP changes, so at the moment my fancy script above is mostly useful to handle multiple providers. The part that is no longer strictly needed is the downloading and mounting of the absolute latest provider list. The entire script still works fine as is, however.

As of today, the downloaded list has these changes relative to the 48141 built-in list:

added:
cisco-sandbox
dns.b33.network-dnscrypt

removed:
d0wn-is-ns2
dct-ru2
pf-dnscrypt
zackptg5-us-il-ipv4
zackptg5-us-il-ipv6

key change:
dnsforfamily-no-safe-search

This suggests that the master list is pretty actively managed, and for me that tips the balance in favor of staying with the script as is rather than editing it to strip out the download and mount, especially as changes to keys or IP addresses are particularly important to catch.
