I know some are still reading this thread, so for posterity's sake I thought I would post an update with my current configuration. I've changed a couple of current things and also have IPv6 enabled with corresponding listeners and DNSCrypt configuration. However, I haven't been able to completely validate that yet, but if I force my laptop to use the IPv6 gateway address as the resolver, I get resolutions back:
HalfBit, I have dnscrypt-proxy working on a spare R7000 with build 30815. I'm having problems auto-starting dnscrypt-proxy after reboot; how have you auto-started it?
TIA!
_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9
Off Site 1
R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4
Off Site 2
R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531
I formatted my USB drive attached to the router, made an opt and jffs partition, then put the following script in /jffs/etc/config/ and called it dnscrypt-proxy.startup.
#!/bin/sh
# /jffs/etc/config/dnscrypt-proxy.startup
# Placeholder values: set these for your own install and resolver list.
FULL_PROG=/opt/sbin/dnscrypt-proxy      # assumed path to the binary
RESOLVER_LIST=/jffs/dnscrypt-resolvers.csv
CLIENT_KEY=""        # optional client key file, passed with -K when set
ephemeral_keys=1     # 1 = fresh key pair per query (-E)
DAEMONIZE=1          # 1 = run in the background (-d)
CURRENT_YR=$(date +%Y)

start_instance() {
    instance="$FULL_PROG -a $ADDRESS:$PORT -L $RESOLVER_LIST -R $RESOLVER"
    if [ "$ephemeral_keys" -eq 1 ]; then instance="$instance -E"; fi
    if [ -n "$CLIENT_KEY" ]; then instance="$instance -K $CLIENT_KEY"; fi
    if [ "$DAEMONIZE" -eq 1 ]; then instance="$instance -d"; fi
    # Run the command directly; wrapping it in backticks would try to
    # execute whatever it printed as a second command.
    $instance
}

# Each instance sets its listener and resolver, then calls start_instance.
dnscrypt_instance_1() {
    ADDRESS=127.0.0.1; PORT=5353; RESOLVER=cisco     # example values
    start_instance
}
dnscrypt_ipv6_instance() {
    ADDRESS="[::1]"; PORT=5353; RESOLVER=cisco       # placeholder values
    start_instance
}

main() {
    # Clock is still at the epoch until NTP runs; dnscrypt-proxy checks the
    # resolver certificate's validity dates, so wait rather than skip it.
    if [ "$CURRENT_YR" = "1969" ]; then
        sleep 120
    fi
    killall dnscrypt-proxy 2>/dev/null
    dnscrypt_instance_1
    #dnscrypt_instance_2
    #dnscrypt_instance_3
    dnscrypt_ipv6_instance
    exit 0
}

# Starts script
main
exit 0
In my experience, running more than one IPv4 and one IPv6 instance understandably craters my R7000. I wouldn't run more than one or two at most unless you have a more powerful CPU etc.
Thinking about it now, there's really no reason to run multiple instances as my br0 network interface and br1 guest network interface both use the same instance. I think my thought was to have one for each going to different resolvers. I guess that could be a use case but not for me.
The check for the current year of 1969 is because DNSCrypt checks the date on the certificate received from the DNS server and flags it as not valid when the date hasn't been set yet. You can ignore that validation, but, as an InfoSec professional, I choose not to do so.
Also, this script is pretty quick and dirty, so if anyone has any suggestions to simplify or clean up, let me know.
_________________
R7000 Nighthawk - DD-WRT v3.0-r50308
~~~~~~~~~~Dismantled for learning opportunities~~~~~~~~~~
WRT54Gv2
WRT54Gv8.2
~~~~~~~~~~Other Settings~~~~~~~~~
https://nextdns.io/?from=2d3sq39x https://pi-hole.net/ https://github.com/DNSCrypt/dnscrypt-proxy
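The fixed "sleep 120" above waits for NTP so that dnscrypt-proxy's check of the resolver certificate's validity dates runs against real time. As an added example (not HalfBit's script), a bounded poll does the same job without guessing a sleep length; MIN_YEAR is an assumed floor for a "set" clock, and the 1969/1970 readings are what an epoch clock shows depending on time zone:

```shell
#!/bin/sh
# Added helper, not part of the thread: wait until the clock has been set
# by NTP before starting dnscrypt-proxy, instead of a fixed sleep.

# MIN_YEAR is an assumed floor; any year below it means the clock is unset
# (DD-WRT boots at the epoch, shown as 1969 or 1970 depending on TZ).
MIN_YEAR=2016

# Return 0 when the given year is plausible for a synced clock.
clock_year_ok() {
    [ "$1" -ge "$MIN_YEAR" ] 2>/dev/null
}

# Poll date(1) every INTERVAL seconds for at most MAX_WAIT seconds.
# Returns 0 once the clock is sane, 1 on timeout; the caller decides
# whether to start dnscrypt-proxy anyway or leave DNS down.
wait_for_clock() {
    max_wait=${1:-120}; interval=${2:-5}; waited=0
    while ! clock_year_ok "$(date +%Y)"; do
        if [ "$waited" -ge "$max_wait" ]; then
            echo "clock still unset after ${max_wait}s" >&2
            return 1
        fi
        sleep "$interval"; waited=$((waited + interval))
    done
    return 0
}

# Example use in the startup script's main():
#   wait_for_clock 120 5 || exit 1
#   killall dnscrypt-proxy 2>/dev/null
#   dnscrypt_instance_1
```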
HalfBit, thanks for your code to auto-start DNSCrypt-Proxy; it works great.
For the past 3 days I've been working on having DNSCrypt-Proxy and 2 OpenVPN clients operating on one R7000; this will cut down my router count from 4 to 2. I'm still on build 30815.
One thing I noticed when using DNSCrypt was the high CPU usage. So I did some searching on the web, and DNSCrypt-Proxy doesn't do any caching, but it is possible with Unbound. On the DD-WRT Basic Setup page you can enable Unbound by selecting 'Recursive DNS Resolving'. The default Unbound configuration doesn't work with DNSCrypt-Proxy and needed modifying. I created an unbound.wanup script in the /jffs/etc/config directory....
#!/bin/sh
#Using DNSCrypt in combination with a DNS cache
#by adding the script to the unbound.conf file
#https://dnscrypt.org/
Change the forward-addr(s) to your DNSCrypt-Proxy addresses. I'm using 3 instances; if you are using one instance, remove the other 2 lines of code. By running Unbound with DNSCrypt-Proxy I notice no big CPU usage, mostly nil. To test that Unbound is going through DNSCrypt-Proxy, just 'killall dnscrypt-proxy' and go to a site that isn't cached; you should get webpage errors.
I've never been able to get Unbound working. Do you just enable the Recursive DNS checkbox and run this script? Whenever I enable Unbound, I lose DNS completely.
Also, when I try your script, I get the following error:
Quote:
killall: unbound: no process killed
[1479009135] unbound[26367:0] error: can't bind socket: Address in use for 0.0.0.0
[1479009135] unbound[26367:0] fatal error: could not open ports
Any ideas?
Edit:
Nevermind. I did just what I asked and it worked! Check the box, save and apply changes, and run the script. When I got the error, I had not checked the box yet.
I've been making a lot of configuration changes to my new setup, with rebooting, and noticed unbound wasn't starting with the new unbound2.conf file on wanup. Maybe my script was starting up before unbound started??? In any case I added a 2 sec delay at startup... just in case anyone else has the same issue.
#!/bin/sh
#Using DNSCrypt in combination with a DNS cache
#by adding the script to the unbound.conf file
#https://dnscrypt.org/
I've still been experimenting with Unbound on my router. I just wrote the conf file on the opt drive instead of to tmp every time, and my wanup script is pretty short. I've been trying to find the right amount of time to delay the script to get unbound to start up with my custom conf file, so far 20 seconds isn't long enough.
Code:
#!/bin/sh
#Using DNSCrypt in combination with a DNS cache
#by adding the script to the unbound.conf file
#https://dnscrypt.org/
sleep 30
killall unbound
sleep 1
unbound -c /opt/unbound/unbound-opt.conf
exit 0
I did get three instances of dnscrypt running without cratering my R7000 though! That was cool, as I can tell that I get different responses based on the instance that is hit for the DNS query. More to come.
There must be a bug with startup and wanup script control, as it seems to cause other delays when the scripts take too long to complete. I found that when adding long sleep times, things don't get better and seem to run into more timing issues. What do you think?
I'm at a loss for the startup scripts. I've not been able to get them to consistently work. At one point, I was seeing the .wanup scripts execute 2-3 times after a reboot.
I'm trying to get YAMon3, DNSCrypt, and Unbound with a custom conf file all started after a reboot. So far only DNSCrypt is starting consistently.
Unbound is restarted when the time changes, after the ntp client has run, thus it does not really work using a wanup script.
_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
Joined: 13 Mar 2014 Posts: 856 Location: Montreal, QC
Posted: Tue Nov 22, 2016 7:59
Honestly, I really don't see the point of running unbound + dnscrypt. The way unbound is being run in this thread, with auto-trust-anchor-file commented out, disables DNSSEC, and if memory serves only one dnscrypt server in North America supports DNSSEC anyway. Having a catch-all forwarding zone turns unbound into a caching DNS forwarder and not a DNS resolver.
dnsmasq is a caching DNS forwarder and is already being used for DHCP, so there really isn't any reason to run unbound other than to say I did it.
A lot of the config seems overly complicated and over-engineered as well.
All you really need is one instance of dnscrypt listening on IPv4 localhost on an alternative port:
Code:
dnscrypt-proxy -R cisco -a 127.0.0.1:5353 -L /jffs/dnscrypt-resolvers.csv -d
and add two lines to the dnsmasq config, plus the ntp server line:
Code:
no-resolv
server=127.0.0.1#5353
The first line disables the default DD-WRT resolv-file statement, and the second tells it to forward to the listening dnscrypt port on localhost.
dnsmasq will now listen on both IPv4 + IPv6 ports and forward both IPv4 + IPv6 queries via IPv4 localhost, then on to OpenDNS via IPv4, which will then resolve both IPv4 + IPv6 queries.
Doing it this way also allows you to set up your guest networks using dnsmasq the same way you always have.
Anyway, my 2 cents.
*** Another option, in lieu of setting a static address for the ntp server, is to run ntpclient ip_of_favored_ntp_server prior to calling dnscrypt if time is an issue.
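With the two-line dnsmasq config above, the only way plaintext DNS leaves the router is a stray server= line or a missing no-resolv. As an added example (not from this thread or DD-WRT), this POSIX sh check reads a dnsmasq config and reports anything that would bypass the dnscrypt listener; the config path and allowed listener(s) are arguments, and the sample configs are constructed:

```shell
#!/bin/sh
# Added check, not part of the thread: confirm dnsmasq forwards only to
# the local dnscrypt-proxy listener(s). Returns 0 when 'no-resolv' is set
# and every 'server=' line targets an allowed listener; otherwise prints
# what would leak plaintext DNS and returns 1.
# Usage: check_dnsmasq_forwarding /tmp/dnsmasq.conf 127.0.0.1#5353
check_dnsmasq_forwarding() {
    conf=$1; shift
    allowed=" $* "          # space-delimited list of allowed server= targets
    rc=0
    if ! grep -q '^no-resolv[[:space:]]*$' "$conf"; then
        echo "missing no-resolv: dnsmasq also uses resolvers from resolv.conf"
        rc=1
    fi
    # Every server= line, including per-domain ones, must point at a
    # dnscrypt listener; anything else goes out unencrypted.
    for s in $(sed -n 's/^server=//p' "$conf"); do
        case "$allowed" in
            *" $s "*) ;;
            *) echo "server=$s bypasses dnscrypt-proxy"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample configs for demonstration.
good=$(mktemp); printf 'no-resolv\nserver=127.0.0.1#5353\n' > "$good"
bad=$(mktemp); printf 'server=127.0.0.1#5353\nserver=8.8.8.8\n' > "$bad"
check_dnsmasq_forwarding "$good" 127.0.0.1#5353 && echo "good config: ok"
check_dnsmasq_forwarding "$bad" 127.0.0.1#5353 || echo "bad config: leak"
rm -f "$good" "$bad"
```

On the router, point it at the generated config (for example /tmp/dnsmasq.conf) after a reboot to confirm the two lines survived the wanup/startup ordering problems discussed above.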
Could a custom config radio button and field be implemented in the GUI? That is probably the best solution, right?
Well, I guess it is more complicated than that. It would be best to have a hybrid scenario where it pulls the static lease information from the GUI, as well as some of the defaults, then has an "additional options" box like DNSMasq. A radio button for DNSSEC enablement would be good too, but then that opens the door up for more and more.
Your logic is sound. I am still learning Linux/DD-WRT and understanding how things work. I am sure that things could be done better or simpler.
The reason why I am only running DNSCrypt is because we use OpenDNS which does not support DNSSEC--I wish they did. If it weren't for the filtering provided by OpenDNS, I would just use Unbound with DNSSEC and call it a day.
For now I implemented DNSCrypt because 1) OpenDNS supports it, 2) I wanted to learn how to do it, and 3) understand what all the hype was about with it.
But hey, now that it works not only with DNSMasq but with Unbound as well, I understand what needs to be done for both.
Speaking of Unbound, in testing I also tinkered with the default config file, and other custom files pointing to Google DNS (which supports DNSSEC), and checked the results on various DNS and DNSSEC testing sites to see and understand the results.
Note: if using Google DNS as your resolver, there is no need to enable DNSSEC, as Google does the DNSSEC validation before replying to the query.
Good point. I read that in another thread, and was going to edit my post, but you beat me to it.