Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Mon Dec 02, 2019 23:15 Post subject:
Alozaros wrote:
donno why so much hassle....you running that long script...
Edit: Because this is specific to DNSCrypt! If you are not using DNSCrypt and just want to use the DNS server pushed by your VPN provider, you don't need it. A modern build will manage DNS just fine as you connect/disconnect/reconnect the VPN. If you are using Unbound or Stubby to manage DNSCrypt, I don't know the details of how things will go, but I doubt seriously that it will restart dnscrypt-proxy each time you switch between WAN and the VPN for DNS, which is the heart of what is happening here. I also don't know whether Unbound/Stubby can handle multiple DNSCrypt servers. This script can.
As to why so long, that's easy... I thought it would be a short script when I started! It just got longer and longer as I discovered I needed more tests to see when to switch back to WAN and as I added more and more logging and controllability to it. Bit like boiling the proverbial frog. (It's getting really hot in here!)
And if I didn't have a bit of the bulldog that never gives up in me, I'd never have survived an engineering career. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Sun Dec 08, 2019 19:49 Post subject:
Important update to the first post today. See the Change Log at the end of the post. If you're using a version of the script with braces { } around everything, you need this small fix. Without it, if dd-wrt runs the script twice -- it will occasionally do this -- your router will crash!
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Mon Dec 30, 2019 16:49 Post subject:
My post before last now has an edit.
And the original script has been edited to wait longer before trying to route through the VPN again if the last block of time with routes through the VPN was less than ten minutes. Most extreme case: Route through VPN and immediately fail back out because, for example, the VPN gateway is not responding quickly. In that case, the script will move DNS back to the WAN and then wait an extra (nearly) five minutes before attempting to route DNS through the VPN again. This change is to prevent quickly and repeatedly thrashing back and forth between VPN and WAN in the case when things just aren't right with the VPN. It gives the VPN server a little time to sort matters out and get running right before we try the fancy stuff again. See the change log entry there made just before this post.
I made this change here after seeing a case in the log a month or so ago when thrashing was a problem because a VPN gateway was responding slowly to pings. I've actually had these changes running here for a few weeks, but I haven't yet seen a case when the extra delay kicks in. So this is actually a very minor change that will affect things only in rare cases.
One can also attempt to address the problem of occasional slow gateway ping times by changing the way the ping tests are done to give the gateway more time or more pings (but while keeping the pings quick for the DNS servers). I'm testing such a change now, but it will take at least weeks to see whether the occasional (weeks between) to-WAN-and-back responses to slow gateway ping responses cease appearing in the system log. I won't update the posted script until I have more experience with these ping changes.
Sorry about discussing the messy details here. It's intended as a bit of a confidence builder rather than anything a user (I suspect I'm still the only one!) need be concerned with.
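The failover and anti-thrashing behaviour described in the posts above (gateway gets more pings and more time than the DNS servers; a VPN period shorter than ten minutes triggers an extra wait of nearly five minutes before the VPN route is tried again) as an added illustration in BusyBox-style sh. This is not the thread's script; the gateway and resolver addresses, the `reachable` wrapper and the `decide` function are constructed for the example.

```shell
#!/bin/sh
# Added example: DNS-path failover decision with back-off against thrashing.
# Placeholder addresses (documentation range), not a real configuration.
VPN_GW="${VPN_GW:-192.0.2.1}"                    # assumed VPN gateway
DNS_SERVERS="${DNS_SERVERS:-192.0.2.53 192.0.2.54}"  # assumed DNSCrypt resolvers
MIN_STABLE_SECS=600   # a VPN period shorter than 10 min counts as unstable
EXTRA_WAIT_SECS=290   # "nearly five minutes" of extra back-off
BASE_WAIT_SECS=60     # normal interval between checks

# reachable HOST COUNT TIMEOUT_SECS : ping wrapper (replace to simulate)
reachable() {
    ping -q -c "$2" -W "$3" "$1" >/dev/null 2>&1
}

# vpn_path_ok: the gateway is allowed 3 pings / 2 s each before we give up,
# while each DNS server must answer a single quick ping.
vpn_path_ok() {
    reachable "$VPN_GW" 3 2 || return 1
    for s in $DNS_SERVERS; do
        reachable "$s" 1 1 || return 1
    done
    return 0
}

# retry_wait LAST_VPN_SECS : seconds before the VPN route is attempted again;
# a short previous VPN period adds the extra back-off.
retry_wait() {
    if [ "$1" -lt "$MIN_STABLE_SECS" ]; then
        echo $((BASE_WAIT_SECS + EXTRA_WAIT_SECS))
    else
        echo "$BASE_WAIT_SECS"
    fi
}

# decide CURRENT_PATH LAST_VPN_SECS : prints "<next_path> <wait_secs>"
# CURRENT_PATH is where DNS is routed now: vpn or wan.
decide() {
    if vpn_path_ok; then
        echo "vpn $BASE_WAIT_SECS"            # route (or keep) DNS via VPN
    elif [ "$1" = vpn ]; then
        echo "wan $(retry_wait "$2")"         # fail back to WAN, maybe back off
    else
        echo "wan $BASE_WAIT_SECS"            # stay on WAN, re-check later
    fi
}
```

A real loop would call `decide` on a timer, rewrite the dnsmasq upstream accordingly and sleep for the returned number of seconds; the decision logic is what the posts above describe.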
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Thu Feb 20, 2020 9:54 Post subject:
I can confidently say that both DNSCrypt-proxy v2 and Stubby for DNS over TLS are working out of the box along with DNSmasq and VPN... all DNS hits go over the VPN, inside the VPN pool... so no DNS leaks outside via WAN IP or so...
you don't need any other rules other than
no-resolv and server=xxx.xxx.xxx.xxx in DNSmasq...
tested both with tcpdump and wireshark...
p.s. 'If you are using Unbound or Stubby to manage DNSCrypt...' --- honestly that claim in this blue text is bombastic and makes me laugh... no, neither Unbound nor Stubby can manage DNScrypt; it's DNSmasq that manages those...
just don't tell me, that you are the next security freak, that wants to use all those Unbound, Stubby and DNScrypt at once, all via bitcoin prepaid VPN just to improve security _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Thu Feb 20, 2020 19:46 Post subject:
Alozaros wrote:
p.s. 'If you are using Unbound or Stubby to manage DNSCrypt...' --- honestly that claim in this blue text is bombastic and makes me laugh... no, neither Unbound nor Stubby can manage DNScrypt; it's DNSmasq that manages those...
just don't tell me, that you are the next security freak, that wants to use all those Unbound, Stubby and DNScrypt at once, all via bitcoin prepaid VPN just to improve security
That's a bit rough, don't you think? I don't consider myself a security freak (more a gently curious party), have never used bitcoin, and have never used Unbound or Stubby, much less simultaneously with whatever else. Having not used them, I have claimed no expertise or even basic understanding of their use. I assumed (but based on what long-ago too-quick reading, I have no idea) that they were alternatives to having dnsmasq handle DNS. If it's not so, please educate us all. But laughing accusations of bombast for simply trying to help people is out of line.
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Thu Feb 20, 2020 21:20 Post subject:
SurprisedItWorks wrote:
Alozaros wrote:
p.s. 'If you are using Unbound or Stubby to manage DNSCrypt...' --- honestly that claim in this blue text is bombastic and makes me laugh... no, neither Unbound nor Stubby can manage DNScrypt; it's DNSmasq that manages those...
just don't tell me, that you are the next security freak, that wants to use all those Unbound, Stubby and DNScrypt at once, all via bitcoin prepaid VPN just to improve security
That's a bit rough, don't you think? I don't consider myself a security freak (more a gently curious party), have never used bitcoin, and have never used Unbound or Stubby, much less simultaneously with whatever else. Having not used them, I have claimed no expertise or even basic understanding of their use. I assumed (but based on what long-ago too-quick reading, I have no idea) that they were alternatives to having dnsmasq handle DNS. If it's not so, please educate us all. But laughing accusations of bombast for simply trying to help people is out of line.
Oops, sorry, no offense..... I just wrote that for a laugh... I know you are not one of those... I've to apologize if.... any offense...
To my understanding Unbound, Stubby, and DNScrypt are DNS clients/resolvers and DNSmasq is a small client/server (the backbone of DDWRT)... that can go along and utilize/manage the work of those clients