Posted: Tue Dec 08, 2020 6:49 Post subject: Anybody using dd-wrt's new features?
I recently noticed the new Features box on the Sys-Info page of the Web GUI.
"Wi-Fi Speedchecker
Is your Wi-Fi slowing you down? One-click speed test for both Internet and Wi-Fi speed."
Sounds like a useful diagnosis tool, but consider me a tad uneasy at opening my router to external software, especially without being familiar with the organization.
"DNSCRYPT
DNSCrypt authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing."
Which service is this referring to exactly? "Encrypt DNS" in the Dnsmasq section? I think I experimented with this long ago, but for some reason decided to keep it disabled, even though it sounds like a good idea. Or is there something else?
I'm not sure, but is "SmartDNS Resolver" new? There's a wiki page about it: https://wiki.dd-wrt.com/wiki/index.php/SmartDNS Is anyone using it? I tried enabling it, but didn't notice a difference using 'dig [URL]', partly because the results get cached and a single measurement isn't very meaningful.
I don't upgrade firmware as often as before so I'm wondering what new goodies might have gone unnoticed.
DNSCrypt is different than dnsmasq, but DNSCrypt provides encryption for DNS queries. I have used it and liked it. (Or is this the hashing? Cannot remember off the top of my head.)
Smart DNS has been modded to aid dnsmasq. A good example is that when you make a DNS request, you get a TTL for that value. Your DNS server/caching (such as dnsmasq) will save it and wait until that time expires before it requests an update for DNS (i.e. makes a new request to the DNS server). With Smart DNS it can pre-cache the DNS responses; I think it is something like 10% of the default TTL. So for example, if the TTL of the DNS entry is 60, when a new request comes in at 6 or below, Smart DNS will automatically send a request to the DNS server to update this, and thus you will go back up to 60. Thus locally your DNS queries are much faster because the router will always have a non-expired value instead of the TTL expiring and then deciding to get the new value. So think of it as hiding the latency.
https://www.dnscrypt.org/
or click a link in my signature corresponding with DNScrypt, to get best details/info about it,
read all the thread...
asking in the forum, it's very easy and cheeky ..
and you're very likely to keep asking and asking, as you don't have a basic knowledge...start with reading and understanding, then ask and expose what your concerns are, backed up with some data and so on...
If your level of paranoia is very high, it's more likely because you don't know what you are doing or you don't know what all those do...so we get back to reading and understanding the matter, in the first instance
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Joined: 16 Nov 2015 Posts: 6440 Location: UK, London, just across the river..
Posted: Thu Dec 10, 2020 8:04 Post subject:
fizikz wrote:
Thanks for the links.
I don't have time for that kind of homework right now, so indirectly it gives me an answer: DNSCrypt will remain disabled for the time being.
Directly DNSCrypt is a great feature...much better/safer to use than plain DNS requests...even the DDWRT embedded old version of it is still in use... worldwide...many servers support it and it's secure enough...
for more details ...keep reading...
you can do it while in the loo, plenty of time there (at least once a day)...
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Thu Dec 10, 2020 17:16 Post subject:
fizikz wrote:
Thanks for the links.
I don't have time for that kind of homework right now, so indirectly it gives me an answer: DNSCrypt will remain disabled for the time being.
Alozaros is the go-to guy on setting up the newer version of DNSCrypt using entware and external USB storage (hope I have that right!), but there is an older version of DNSCrypt built into dd-wrt that you can tap with the "Encrypt DNS" button and the drop-down (except on tiny routers memorywise).
I use the latter in all my routers, but I also had concerns about a single point of failure, so I poked around the forums at some length to find a way to run two dnscrypt-proxy processes to use two different DNSCrypt-supporting DNS providers, with one as primary and the other as automatic backup after a short timeout. Also, I wanted to use Quad9 DNS (quad9.net), which supports DNSCrypt but which was not in the drop-down.
I eventually got all that working and use it on six routers today. For details, see the link in my signature below. The linked post mentions using "adguard-dns" for the Adguard option, but it's now "adguard-dns-ns1" or "adguard-dns-ns2" instead, your choice I believe. That's actually the only necessary change. Everything else still works. Eventually I got tired of looking at all the syslog messages about their hourly refetching of security certificates, so I added "-m 5" to the command lines of the dnscrypt-proxy invocations to lower the level of reporting, but that's strictly optional. At first it's comforting to see those certificate fetches. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
@SurprisedItWorks I truly enjoyed reading your Quad 9 guide, I set it up and honestly I'm a pretty big noobie at most of this so I am not sure it is working correctly, however everything seems to be functioning at least lol. What I will say is that guide was extremely well written and even ignorant people like myself are able to follow it. I've viewed the OpenVPN guide on here and a few others and some are extremely hard to follow if you do not have enough knowledge. I just wanted to say I really enjoyed reading your guide. I think I learned something or so I hope.
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Fri Dec 18, 2020 16:44 Post subject:
crudat wrote:
@SurprisedItWorks I truly enjoyed reading your Quad 9 guide, I set it up and honestly I'm a pretty big noobie at most of this so I am not sure it is working correctly, however everything seems to be functioning at least lol. What I will say is that guide was extremely well written and even ignorant people like myself are able to follow it. I've viewed the OpenVPN guide on here and a few others and some are extremely hard to follow if you do not have enough knowledge. I just wanted to say I really enjoyed reading your guide. I think I learned something or so I hope.
Many thanks, @crudat. You've inspired me to go back and update that guide a bit and to add a note that you can watch the action in the CLI for a while to comfort yourself that queries are going to Quad9 (or also Adguard in this example):
tcpdump -i eth0 | grep -Ei 'quad9|adguard'
Replace eth0 with the WAN interface for your router if yours is not a Linksys/Marvell device. (In the CLI use command ip route | awk '/^default/{print $NF}' to identify your WAN interface.) You will also see entries in the syslog showing when dnscrypt-proxy starts or obtains/updates security certificates, hourly by default.
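A complementary check to the tcpdump command in the post above, as an added example that is not part of the original thread: the grep on provider names only matches resolver hostnames that tcpdump prints, so this script reads `tcpdump -nn` text output instead and lists any destination still receiving plaintext DNS on port 53. The function names and every address in the sample are constructed for illustration, and the script assumes tcpdump's default one-line text format.

```shell
#!/bin/sh
# Added example: flag plaintext DNS in `tcpdump -nn` text output.
# All addresses below are constructed documentation addresses.

# Constructed sample of a WAN capture (what `tcpdump -nn -i <wan>` prints).
sample_capture() {
    cat <<'EOF'
10:00:01.000001 IP 192.0.2.10.40112 > 198.51.100.20.443: UDP, length 512
10:00:01.020001 IP 198.51.100.20.443 > 192.0.2.10.40112: UDP, length 304
10:00:02.000001 IP 192.0.2.10.53211 > 203.0.113.53.53: 4242+ A? example.com. (29)
10:00:02.030001 IP 203.0.113.53.53 > 192.0.2.10.53211: 4242 1/0/0 A 192.0.2.80 (45)
10:00:03.000001 IP 192.0.2.10.53212 > 203.0.113.53.53: 4243+ AAAA? example.com. (29)
10:00:04.000001 IP6 2001:db8::10.41000 > 2001:db8::53.53: 7+ A? example.net. (29)
EOF
}

# Read tcpdump lines on stdin; print "<count> <destination>" for every
# destination that was sent packets on port 53, busiest first.
plain_dns_leaks() {
    awk '($2 == "IP" || $2 == "IP6") && $4 == ">" {
        dst = $5
        sub(/:$/, "", dst)              # drop the trailing colon
        n = split(dst, part, "[.]")     # port is the last dot-separated field
        if (part[n] == "53") {
            sub(/\.[^.]*$/, "", dst)    # strip the port to leave the address
            seen[dst]++
        }
    }
    END { for (d in seen) print seen[d], d }' | sort -rn
}

# Exit status 0 when stdin held no plaintext DNS, 1 otherwise.
dns_is_clean() {
    [ -z "$(plain_dns_leaks)" ]
}

if sample_capture | dns_is_clean; then
    echo "no plaintext DNS seen"
else
    echo "plaintext DNS seen leaving the router:"
    sample_capture | plain_dns_leaks
fi
```

On the router, pipe a live capture into it instead of the sample, for example `tcpdump -nn -c 500 -i eth0 | plain_dns_leaks`, with eth0 replaced by your WAN interface as described above. Replies coming back from port 53 are not counted, only packets sent to it.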
@SurprisedItWorks I believe in the updated forum you removed the piece , I just wanted to verify if this step is necessary when setting up the backup to the quad9 dns...thanks
Joined: 16 Nov 2015 Posts: 6440 Location: UK, London, just across the river..
Posted: Sat Dec 19, 2020 22:03 Post subject:
crudat wrote:
@SurprisedItWorks I believe in the updated forum you removed the piece , I just wanted to verify if this step is necessary when setting up the backup to the quad9 dns...thanks
if you use start up commands to configure DNScrypt
you must turn the GUI dnscrypt option off...
although, SurprisedItWorks did an excellent job to describe his approach...for more info there is a link in my sig...(green)
crudat wrote:
Also, I am curious you linked the linux commands but are there window commands that can produce the same results?
yep those commands are linux commands, and they must be executed from the router's CLI (telnet or SSH), do not run those commands from GUI....
also do keep in mind your router must have 'tcpdump' command..
otherwise you may need to install it via entware/opt
if you want to use windows to sniff your network, for best results you'd need a wireshark on tap...otherwise from your computer you won't see the results, like monitor from the router side...
Last edited by Alozaros on Sun Dec 20, 2020 15:00; edited 1 time in total
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Sun Dec 20, 2020 4:48 Post subject:
crudat wrote:
@SurprisedItWorks I believe in the updated forum you removed the piece , I just wanted to verify if this step is necessary when setting up the backup to the quad9 dns...thanks
Can't remember what I removed, but nothing important. And as @alozaros says, it is important that you disable "encrypt dns" in the gui if using my approach, because you are custom creating two dnscrypt-proxy processes (assuming you use backup like I did) to do the job, and you don't want the GUI creating a third one.
Re Windows... can't help you there, as I don't know Windows at all. But all of it you can do in the CLI accessed using PuTTY, I think they call it, from Windows. There's a wiki on setting up ssh, the linux equivalent. It may cover PuTTY as well. If not, just use the wiki for general orientation and for what to enable in the GUI and search to find the PuTTY specifics, which should be easy to find. The whole CLI thing is a pretty essential tool in the long run once you start customizing dd-wrt. Worth the trouble.
@Alozaros Ok installing the 'tcpdump' is something I need to do and makes sense. Not exactly sure where on the router that should go I'll google around some.
And to you both it makes sense if you put it in the commands you don't use the GUI. Makes much more sense. Thank you both. Now if only I could get my Vap on a Wap working :-p.