Entware DNSCrypt-Proxy V2 on DDWRT

mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

Posted: Thu Sep 19, 2019 14:50
I gave an E3000 a shot with build 35531, loaded Entware for MIPSEL (tried MIPS too but it would not load correctly) and dnscrypt-proxy2. Started with the normal startup command but the CPU was maxed out and there was no internet access. I tried many different settings in the toml file but nothing helped.
_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9

Off Site 1

R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4

Off Site 2

R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531


YAMon 3.4.6 | DNSCrypt-Proxy V2
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Thu Sep 19, 2019 17:49
on the 1043v2, mine didn't want to start, I may need to call it with a startup script...on exit it was showing dead..
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

Posted: Thu Oct 10, 2019 14:36
Alozaros wrote:
have you noticed DNScrypt-proxyv2 generates kind of a traffic...it's not that quiet, like stubby is...


I haven't monitored any port connections. But I do see it checking for a server with best ping time in syslog. It may also be updating security keys. DNScrypt-proxyv2 does have a more complex setup, maybe changes some of the settings.

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Thu Oct 10, 2019 15:44
there was an update for opkg upgrade
after that it said, there is a new dnscryptproxyv2.toml-opkg file...I opened it and it was the same settings I made before...so no idea what's happened...

I monitored eth0 with tcpdump -i eth0 and you can
see tons of DNScrypt conversations...even when there is nothing on....
If I check the router with stubby it's quiet...

mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

Posted: Thu Oct 10, 2019 16:58
I checked my tcpdump and see mostly IPv6 and OpenVPN server traffic. I don't notice any odd DNS traffic. Can you post a sample of the DNScrypt-proxyv2 generated traffic so I can check my end?
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

Posted: Thu Oct 10, 2019 17:57
By default tcpdump resolves names; this can cause DNS inquiries.

-nn = Don’t resolve hostnames or port names
-S = Get the entire packet

Try this command...
tcpdump -nnS -i eth0

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Fri Oct 11, 2019 5:48
well on a quiet network I do have lots of ARP and STP
requests, as well as some nasty stuff unrepaired, and suddenly out of the blue I got this..

06.376072 IP xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > ns0.dnscrypt.nl.443: UDP, length 512
08:35:56.395269 STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.xxxxxxxxxxxx8003, length 36
08:35:56.521794 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > ns0.dnscrypt.nl.443: UDP, length 512
08:35:56.761727 IP xxxxxxxxxxxxxxxxxxxxxxxxxxxxx.50088 > ns0.dnscrypt.nl.443: UDP, length 512
08:35:57.089980 IP hostxxxxxxxxxxxxxxxxxxxxxxxxxx.40677 > ns0.dnscrypt.nl.443: UDP, length 512
08:35:57.233413 IP ns0.dnscrypt.nl.443 > hostxxxxxxxxxxxxxxxxxxxxxxxxxx.40677: UDP, length 368
08:35:57.240909 IP hostxxxxxxxxxxxxxxxxxxxxxxxxx.38116 > ns0.dnscrypt.nl.443: UDP, length 512
08:35:57.394831 STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id xxxxxxxxxxxxxxxxxxxxxxxxx, length 36
08:35:57.466573 IP ns0.dnscrypt.nl.443 > hostxxxxxxxxxxxxxxxxxxxxxxxxx.38116: UDP, length 688
08:35:57.517919 IP6 xxxxxxxxxxxxxxxxxxxxxxxxx.546 > xxxxxxxxxxxxxxxxxxxxxxxxx: dhcp6 solicit
08:35:57.524830 IP hostxxxxxxxxxxxxxxxxxxxxxxxxx.37374 > ns0.dnscrypt.nl.443: UDP, length 1024
08:35:57.597676 IP ns0.dnscrypt.nl.443 > hostxxxxxxxxxxxxxxxxxxxxxxxxx.37374: UDP, length 880
08:35:57.599860 IP hostxxxxxxxxxxxxxxxxxxxxxxxxx.54853 > ns0.dnscrypt.nl.443: UDP, length 1024
08:35:57.661529 IP ns0.dnscrypt.nl.443 > hostxxxxxxxxxxxxxxxxxxxxxxxxx.54853: UDP, length 560
08:35:57.663734 IP hostxxxxxxxxxxxxxxxxxxxxxxxxx.45349 > ns0.dnscrypt.nl.443: UDP, length 1024
08:35:57.731087 IP hostxxxxxxxxxxxxxxxxxxxxxxxxx.37046 > ns0.dnscrypt.nl.443: UDP, length 1252
08:35:57.903393 IP ns0.dnscrypt.nl.443 > hostxxxxxxxxxxxxxxxxxxxxxxxxx.37046: UDP, length 240

it's very frequent...I haven't tried any other DNScrypt v2 providers as they are only a few...
I'm fine with those but as you said you have lots of traffic...

this DNS on my main router is not forced as I do have other routers using different DNS
in the networks but then again their stuff is DoT and I can't see it as they are quiet

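One way to put numbers on a capture like the one posted above, as an added example that is not part of the thread: the function below reads tcpdump -nn text output and counts datagrams sent to and received from a single resolver, matching replies to queries by client port. The function names are hypothetical, and the sample lines are constructed from documentation addresses (192.0.2.10 as the router, 198.51.100.53 as the resolver) in the shape of the posted capture.

```shell
#!/bin/sh
# Added example: tally UDP traffic between this host and one encrypted-DNS
# resolver from `tcpdump -nn` text output read on stdin.
# Live use (resolver address and packet count are placeholders):
#   tcpdump -nn -l -c 200 -i eth0 udp port 443 | resolver_summary RESOLVER_IP 443

resolver_summary() {
    awk -v peer="$1.$2" '
    # With -nn a UDP line reads: TIME IP src.port > dst.port: UDP, length N
    $2 == "IP" && $4 == ">" && $6 == "UDP," {
        src = $3; dst = $5; sub(/:$/, "", dst); len = $NF + 0
        if (dst == peer) {            # datagram sent to the resolver
            q++; out += len; pending[src] = 1
        } else if (src == peer) {     # datagram received from the resolver
            r++; inb += len
            delete pending[dst]       # that client port got an answer
        }
    }
    END {
        for (s in pending) unanswered++
        printf "queries=%d replies=%d unanswered=%d bytes_out=%d bytes_in=%d\n",
               q, r, unanswered, out, inb
    }'
}

# Constructed sample capture (not real traffic), including one non-IP line
# that the summary must ignore.
sample_capture() {
    cat <<'EOF'
08:35:56.761727 IP 192.0.2.10.50088 > 198.51.100.53.443: UDP, length 512
08:35:57.089980 IP 192.0.2.10.40677 > 198.51.100.53.443: UDP, length 512
08:35:57.233413 IP 198.51.100.53.443 > 192.0.2.10.40677: UDP, length 368
08:35:57.240909 IP 192.0.2.10.38116 > 198.51.100.53.443: UDP, length 512
08:35:57.394831 STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.00:00:5e:00:53:01.8003, length 36
08:35:57.466573 IP 198.51.100.53.443 > 192.0.2.10.38116: UDP, length 688
08:35:57.524830 IP 192.0.2.10.37374 > 198.51.100.53.443: UDP, length 1024
08:35:57.597676 IP 198.51.100.53.443 > 192.0.2.10.37374: UDP, length 880
08:35:57.663734 IP 192.0.2.10.45349 > 198.51.100.53.443: UDP, length 1024
EOF
}

sample_capture | resolver_summary 198.51.100.53 443
```

The summary is printed when the input ends, so a live capture needs a packet limit such as -c to terminate.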
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

Posted: Fri Oct 11, 2019 6:07
mac913 wrote:
By default tcpdump resolves names this can cause dns inquiry.

-nn = Don’t resolve hostnames or port names
-S = Get the entire packet

Try this command...
tcpdump -nnS -i eth0

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Fri Oct 11, 2019 6:28
mac913 wrote:
mac913 wrote:
By default tcpdump resolves names this can cause dns inquiry.

-nn = Don’t resolve hostnames or port names
-S = Get the entire packet

Try this command...
tcpdump -nnS -i eth0


tried that, I see only ARP requests with it
but with the standard -i eth0 I can see all the crap...
I don't have STP on br0 nor IGMP snooping turned on br0
and my WAN is full of crap too
multicast is filtered too...

mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

Posted: Fri Oct 11, 2019 21:09
Alozaros wrote:
mac913 wrote:
mac913 wrote:
By default tcpdump resolves names this can cause dns inquiry.

-nn = Don’t resolve hostnames or port names
-S = Get the entire packet

Try this command...
tcpdump -nnS -i eth0


tried that, i see only arp requests with it only
but with the standard -i eth0 i can see all the crap...
i don't have STP on br0 nor IGMP snooping turned on br0
and my WAN is full of crap too
multicast is filtered too...


Using the "standard -i eth0" of tcpdump gives you also "all the crap..." when using tcpdump.

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Sun Oct 20, 2019 14:30
mac913 wrote:
Alozaros wrote:
mac913 wrote:
mac913 wrote:
By default tcpdump resolves names this can cause dns inquiry.

-nn = Don’t resolve hostnames or port names
-S = Get the entire packet

Try this command...
tcpdump -nnS -i eth0


tried that, i see only arp requests with it only
but with the standard -i eth0 i can see all the crap...
i don't have STP on br0 nor IGMP snooping turned on br0
and my WAN is full of crap too
multicast is filtered too...


Using the "standard -i eth0" of tcpdump give you also "all the crap..." when using tcpdump.


yep, using -nnS shows less...

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Sun Oct 20, 2019 14:40
I recently tried dnscrypt-proxy2 again on the 1043v2...
Entware lets me install it, then I manually configured it, this time using DoH servers only, as it takes less CPU I guess..but no success..
for some reason dnscrypt-proxy2 doesn't want to start normally when triggered by /opt/etc/init.d/rc.unslung start, nor does it start with /opt/etc/init.d/dnscrypt-proxy2 start

on my R7800 it starts normally with /opt/etc/init.d/rc.unslung start

Am I missing something??

P.S. finally I see that DNScrypt-proxy v2 is just not compatible with MIPS, so not much point to try it..
so far I can confirm it's running well on the R7800 and the R7000 I tried before..

blaser
DD-WRT Guru


Joined: 16 Jul 2006
Posts: 525

Posted: Tue Nov 12, 2019 23:18
Using Asus RT68U with Kong version 39660.
Followed all the installation instructions and configured as follows above standard configuration
server_names = ['cs-useast']
listen_addresses = ['127.0.0.1:30']

when trying to start the service getting failed.
Any ideas where to look?

_________________
Netgear R9000 main router
RAX80 as AP
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

Posted: Wed Nov 13, 2019 1:50
Quote:
Once Entware is installed you will need install the correct DNScrypt-Proxy V2 package for your router.
- For the R7000 in CLI run "opkg install dnscrypt-proxy2_nohf" without quotes.
- For the R7800 in CLI run "opkg install dnscrypt-proxy2" without quotes.


I haven't done any firmware or entware updates since I installed it, busy with other things. I can recommend if there are more than one dnscrypt-proxy2 listed, uninstall the one you have and try installing the other.

If/when I do test newer installs I will report back.

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Wed Nov 13, 2019 13:14
blaser wrote:
Using Asus RT68U with Kong version 39660.
Followed all the installation instructions and configured as follows above standard configuration
server_names = ['cs-useast']
listen_addresses = ['127.0.0.1:30']

when trying to start the service getting failed.
Any ideas where to look?


you have to use only V2 compatible servers...
if you check the list you will see only a few support v2
the rest, with ver 1.95 support, will not work with v2 as they are not downward compatible...totally different !!

if you follow the guide and your router CPU is supported and has enough power then it will work...otherwise use
stubby or unbound as an encrypted DNS alternative...
