It seems every Entware DNSCrypt-Proxy2 update has new features and the toml file is a little larger. After the upgrade you get a new toml file, in this case dnscrypt-proxy.toml-opkg which you edit and rename to dnscrypt-proxy.toml.
One thing new I noticed on Entware's DNSCrypt-Proxy2 v2.1.0-1 new toml file was...
# Use servers implementing the Oblivious DoH protocol
odoh_servers = false
Also fallback_resolvers has been changed to bootstrap_resolvers, which means the new toml file is going to be needed for DNSCrypt-Proxy2 v2.1.0 to start up correctly.
These are the 2 new settings that had my attention, maybe more new stuff.
Update...
Change Log from v2.0.45 to v2.1.0
# Version 2.1.0
- `dnscrypt-proxy` now includes support for Oblivious DoH.
- If the proxy is overloaded, cached and synthetic queries now keep being
served, while non-cached queries are delayed.
- A deprecation warning was added for `fallback_resolvers`.
- Source URLs are now randomized.
- On some platforms, redirecting the application log to a file was not
compatible with user switching; this has been fixed.
- `fallback_resolvers` was renamed to `bootstrap_resolvers` for
clarity. Please update your configuration file accordingly.
_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9
Off Site 1
R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4
Off Site 2
R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531
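The upgrade step described in the post above (a new dnscrypt-proxy.toml-opkg arrives, `fallback_resolvers` is renamed, `odoh_servers` appears) can be checked before restarting the proxy. This is an added example, not part of the original post or of the dnscrypt-proxy project; the function names and the sample files are made up for illustration, and it assumes the -opkg file sits next to the live file in /opt/etc.

```sh
#!/bin/sh
# Added example (not from the thread): compare the active dnscrypt-proxy.toml
# with the dnscrypt-proxy.toml-opkg file left behind by an opkg upgrade.

# Active (uncommented) setting names in a TOML file; [section] names are ignored.
toml_keys() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_]\{1,\}\)[[:space:]]*=.*/\1/p' "$1" | sort -u
}

# Settings that are active in the new file ($2) but not in the old one ($1).
new_keys() {
    old_keys=$(toml_keys "$1")
    for k in $(toml_keys "$2"); do
        printf '%s\n' "$old_keys" | grep -qxF "$k" || printf '%s\n' "$k"
    done
}

# Succeeds if the file still sets the key that 2.1.0 deprecated.
uses_deprecated_key() {
    toml_keys "$1" | grep -qxF 'fallback_resolvers'
}

# Print what needs attention; returns 1 if anything was found.
check_upgrade() {
    status=0
    if uses_deprecated_key "$1"; then
        echo "$1: fallback_resolvers is set; 2.1.0 renamed it to bootstrap_resolvers"
        status=1
    fi
    for k in $(new_keys "$1" "$2"); do
        echo "$2: '$k' is active here but not in $1"
        status=1
    done
    return "$status"
}

# Constructed sample files (values are illustrative, not a real router config).
make_samples() {
    printf '%s\n' "server_names = ['cloudflare']" "listen_addresses = ['127.0.0.1:53']" \
        "fallback_resolvers = ['9.9.9.9:53']" > "$1/dnscrypt-proxy.toml"
    printf '%s\n' "# server_names = ['cloudflare']" "listen_addresses = ['127.0.0.1:53']" \
        "# Use servers implementing the Oblivious DoH protocol" "odoh_servers = false" \
        "bootstrap_resolvers = ['9.9.9.9:53']" > "$1/dnscrypt-proxy.toml-opkg"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_upgrade "$demo_dir/dnscrypt-proxy.toml" "$demo_dir/dnscrypt-proxy.toml-opkg" || true
rm -rf "$demo_dir"
```

On the router the call would be `check_upgrade /opt/etc/dnscrypt-proxy.toml /opt/etc/dnscrypt-proxy.toml-opkg`; settings that are commented out in the new file are deliberately not reported.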
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Thu Sep 30, 2021 6:47 Post subject:
ok thanks...
so, it's compulsory to use the new toml config with this new update, as I keep my old one in general as long as it's working....
will have a look ... once again thank you very much...
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
You're welcome. Even in this Pandemic, I have been very busy at work, with some days with long hours with all the back log too. Plus family life keeps me too busy. Even finding the time to test a new build is not possible, or to answer questions on the forum. I have to run another busy day again...
This is a bugfix only release, addressing regressions introduced in
version 2.1.0:
- When using DoH, cached responses were not served any more when experiencing connectivity issues. This has been fixed.
- Time attributes in allow/block lists were ignored. This has been fixed.
- The TTL as served to clients is now rounded and starts decreasing before the first query is received.
- Time-based rules are properly handled again in generate-domains-blocklist.
- DoH/ODoH: entries with an IP address and using a non-standard port used to require help from a bootstrap resolver. This is not the case any more.
Upgraded opkg packages, edited new toml file and restarted dnscrypt-proxy2. DD-WRT Syslog...
Dec 12 09:13:42 DOT01-GW-WireGuard daemon.notice dnscrypt-proxy[26174]: dnscrypt-proxy 2.1.1
Hi, great guide BTW. I know it's an old thread but hope you guys can see this.
I'm trying to setup dnscrypt-proxy to use on my wrt1900ac v1, r50357
I get this error msg:
Sat Feb 18 16:37:08 2023 [ERROR] Error: no resolver name given, no configuration file either.
Sat Feb 18 16:37:08 2023 [ERROR] The easiest way to get started is to edit the example configuration file
Sat Feb 18 16:37:08 2023 [ERROR] and to append the full path to that file to the dnscrypt-proxy command.
Sat Feb 18 16:37:08 2023 [ERROR] Example: dnscrypt-proxy /usr/local/etc/dnscrypt-proxy.conf
Sat Feb 18 16:37:08 2023 [ERROR] The local list of public resolvers is loaded from: [/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv]
Sat Feb 18 16:37:08 2023 [ERROR] Consult https://dnscrypt.org for more information about dnscrypt-proxy.
I've located the example file "/opt/etc/dnscrypt-proxy.toml" + edited it using VI but I don't understand what's required to have dnscrypt-proxy recognize and read from it, as I'm obviously not really good with issuing commands. Trying to add anonymization as well. My setup looks like this.
Posted: Sun Feb 19, 2023 7:53 Post subject:
hmm, it's been quite a few changes on DNScrypt-proxy v2 since the guide was written. I tried to keep it with the new updates but recently I moved to SmartDNS on the system that was running DNScrypt-proxy v2...
just bear in mind:
to make dnscrypt work add this to usb script (via GUI)
sleep 10
/opt/etc/init.d/rc.unslung start
- resolving NTP time is vital for DNScrypt operation.
- DNScrypt GUI option must be disabled
- the new toml file must not be touched, must be left the way it is...
- to make DNScrypt-proxy v2 work you just have to edit the file (carefully) and add your values / details ...
- if you delete all and just paste this config that you posted above there is no way to make it work...(read the first paragraph)...
- make sure your servers support DNScrypt v2
- when DNScrypt-proxy v2 gets a new update, the new toml file is looked for changes and will not be replaced with the old one...so, you have to do this manually and it's quite of a aim...(for me)
I may try to find my toml file and have a look at the servers I used..and post them here..
the new toml file contains some vital changes that need to be taken into account...I guess if you just tried DNScrypt-proxy v2 now you will be provided with the new toml file (the last one)..
Thanks for the tips as I had totally omitted that part
I'll probably switch to smartdns at some point as well
but the anonymize add on to dnscrypt got me all curious so I gave it a try
and managed to get it up and running at least from what I read from syslog and ipleak test
I used below settings for now just to test my setup and it worked
Posted: Sun Feb 19, 2023 10:06 Post subject:
yep..glad you made it work...
I used it for a fair amount of time and recently I've noticed with many clients running DNS hits
it takes a bit of a toll on CPU, so I moved to SmartDNS.. but regarding anonymization and options..DNScrypt holds the N1 spot..so far...the other very light alternative is Stubby for DoT..
but it's Entware dependent...libssl, getdns and stubby binaries don't always get immediate update as Entware is in sync with OpenWRT, sadly...
I hear ya and it's better imo to have mostly everything set up in the GUI
as I'm not too in luv with busybox, smartdns seems more reliable, convenient and fast. I'm runnin r50357 on a wrt1900ac which takes the CPU load like a champ. I'm hoping dnscrypt in the GUI gets an update soon enough.
Posted: Sun Feb 19, 2023 10:56 Post subject:
jzenberg wrote:
I hear ya and it's better imo to have mostly everything set up in the GUI
as I'm not too in luv with busybox, smartdns seems more reliable, convenient and fast. I'm runnin r50357 on a wrt1900ac which takes the CPU load like a champ. I'm hoping dnscrypt in the GUI gets an update soon enough.
for home use DNScrypt-proxy v2 is fine, but in my office (R9000) or at the student accommodation where my R7800 is, it's too heavy..imagine 40-50 clients with DNS requests...so far, Stubby and SmartDNS are running smooth...
jeez.. you are running quite an old build...as the new one has some vital security fixes and updated binaries...but then wrt1900ac could be picky...last build is 51741 and new is coming soon
also DNScrypt in the GUI is the old ver 1.95xx and will never get updated, due to many factors...mostly the new v2 is written in golang and it's quite bulky..
use SmartDNS with confidence, it's faster and gets updated..
With that amount of devices I would have made the same choice.
Oh lord it's funny you mentioned that because last time I attempted upgrading to a new build was 2 days ago. I've tried so many ones, I have a folder with almost 20 builds that were almost all tested, most recent one was r51729 with a few bugs such as my dnsmasq static leases not working or VAP not providing IPs. I was lucky to have even found a stable/fairly recent build like r50357 compared to forum recommendations for this router.
I went by the book: factory reset before/after upgrade + no backup restore :s
I'm definitely missing on updates unfortunately but since I'm a novice user I have other priorities such as mastering iptables (I'm still trying to grasp the concept of such basic stuffs), that's like one of my next topics while it should have been probably one of the first before even getting to entware.
I'm really glad there are peeps like you around as I learnt a lot from your posts, being able to setup dnsproxy was a big score for me security wise. Wondering whether I can match smartdns + dnsmasq + dnscrypt-proxy