dnscrypt-proxy (Entware)

Post new topic   Reply to topic    DD-WRT Forum Index -> General Questions
Author Message
johnnyNobody999
DD-WRT User


Joined: 10 Jan 2014
Posts: 499

PostPosted: Wed Mar 31, 2021 15:49    Post subject: dnscrypt-proxy (Entware) Reply with quote
Not sure if this belongs here or some other forum but I'll start here. I'm running dnscrypt-proxy2 - 2.0.45-1 on Entware on a Netgear R9000 router and it works most of the time but for some reason dns resolving quit working in the middle of a movie last night. According to the Status tabs everything looked fine but when I executed drill the query failed. I was able to access the router and executed rc.unslung restart but rc.unslung check showed dnscrypt-proxy as dead. I then rebooted the router from the Administration tab but that wouldn't fix it even though I rebooted 3 times. So, I powered off the router, waited 30 seconds and then powered up again and that fixed the problem. So I have to assume that the dnscrypt-proxy package to be OK. So, what else can I do to diagnose this problem? This isn't the first time this has happened in the past month where I've done at least 3 firmware flashes. dd-wrt firmware 46177.

Additional info:

root@r9000master:~# opkg list | grep dnscrypt-proxy
dnscrypt-proxy - 2019-08-20-07ac3825-3 - dnscrypt-proxy provides local service which can be used directly as your local resolver or as a DNS forwarder, encrypting and authenticating requests using the DNSCrypt protocol and passing them to an upstream server. The DNSCrypt protocol uses high-speed high-security elliptic-curve cryptography and is very similar to DNSCurve, but focuses on securing communications between a client and its first-level resolver.
dnscrypt-proxy-resolvers - 2019-08-20-07ac3825-3 - Package with current list of dnscrypt-proxy resolvers.
dnscrypt-proxy2 - 2.0.45-1 - DNSCrypt is a network protocol designed by Frank Denis and Yecheng Fu, which authenticates Domain Name System (DNS) traffic between the user's computer and recursive name servers.
dnscrypt-proxy2_nohf - 2.0.45-1 - DNSCrypt is a network protocol designed by Frank Denis and Yecheng Fu, which authenticates Domain Name System (DNS) traffic between the user's computer and recursive name servers.
Sponsor
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Wed Mar 31, 2021 16:24    Post subject: Reply with quote
hmm...yes it happens form time to time, but not very often...at all
i also have DNScrypt-proxy on remote router i manage (R7800)..few days ago i've updated Entware, so check it may need..

opkg update
opkg upgrade

also some resolvers go down from time to time..

to be honest DNScrypt or Stubby or SmartDNS don't fail too often..it could be the router process monitor that looks after the running services/processes...
if it happens too often.. report again... Cool

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
johnnyNobody999
DD-WRT User


Joined: 10 Jan 2014
Posts: 499

PostPosted: Wed Mar 31, 2021 17:36    Post subject: Reply with quote
Alozaros wrote:
hmm...yes it happens form time to time, but not very often...at all
i also have DNScrypt-proxy on remote router i manage (R7800)..few days ago i've updated Entware, so check it may need..

opkg update
opkg upgrade

also some resolvers go down from time to time..

to be honest DNScrypt or Stubby or SmartDNS don't fail too often..it could be the router service manager that looks after the running services/processes...
if it happens too often.. report again... Cool


I did an update this morning but I didn't see anything related to dnscrypt-proxy. Anyway, why doesn't a router reboot fix it but a power recycle does? I would think a reboot should've fixed it. By the way, I have 3 dnscrypt servers setup in the config file - 1 stateside, 1 asia, 1 europe.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Wed Mar 31, 2021 18:44    Post subject: Reply with quote
if DNScrypt is in opt (where it should be), issue from ssh or telnet to reboot it only...

/opt/etc/init.d/rc.unslung restart

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
johnnyNobody999
DD-WRT User


Joined: 10 Jan 2014
Posts: 499

PostPosted: Wed Mar 31, 2021 20:00    Post subject: Reply with quote
Alozaros wrote:
if DNScrypt is in opt (where it should be), issue from ssh or telnet to reboot it only...

/opt/etc/init.d/rc.unslung restart


That's one of the things I tried. After running that command I ran /opt/etc/init.d/rc.unslung check and it said that dnscrypt-proxy was dead. Reboot from the CLI didn't help either. So, the last thing I tried was powering off the router with the on-off switch and, of course, back on. That worked. I had to wait an excruciating 4 minutes before everything came back up.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

PostPosted: Thu Apr 01, 2021 19:21    Post subject: Reply with quote
And remember, flash drives can go bad. I lost the one on my main router recently, and it began with weird errors.
_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

PostPosted: Fri Apr 02, 2021 3:37    Post subject: Reply with quote
Whenever upgrading to the latest Entware DNSCrypt Proxy V2 always use the *NEW* toml file and update it to your configuration.

I have changed my listening port to 5353 for example in the the toml file I use...

listen_addresses = ['127.0.0.1:5353', '[::1]:5353']

In the DNSMasq GUI I have...

no-resolv
domain-needed
all-servers
server=/ntp.org/2620:fe::9
server=/ntp.org/9.9.9.9
server=::1#5353
server=127.0.0.1#5353
dhcp-option-force=option6:dns-server,[2620:fe::9]
dhcp-option=6,9.9.9.9


I do Force DNS to DNSCrypt with these Firewall Rules...

# Free Router/Gateway and up to address 127 from DNSCrypt
# Have DHCP start IP 192.168.1.128 with Max DHCP Users as 127
iptables -t nat -I PREROUTING -p udp -s 192.168.1.128/25 --dport 53 -j DNAT --to 192.168.1.1:53
iptables -t nat -I PREROUTING -p tcp -s 192.168.1.128/25 --dport 53 -j DNAT --to 192.168.1.1:53
# Always Delete Incase of Reload
ip6tables -t nat -D PREROUTING -p udp -i br0 --dport 53 -j DNAT --to [::1]:5353
ip6tables -t nat -D PREROUTING -p tcp -i br0 --dport 53 -j DNAT --to [::1]:5353
ip6tables -t nat -I PREROUTING -p udp -i br0 --dport 53 -j DNAT --to [::1]:5353
ip6tables -t nat -I PREROUTING -p tcp -i br0 --dport 53 -j DNAT --to [::1]:5353


Just some ideas to try. I have have over 5 days uptime with build r46177 with Entware v2.0.45 DNSCrypt-Proxy V2.

_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9

Off Site 1

R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4

Off Site 2

R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531


YAMon 3.4.6 | DNSCrypt-Proxy V2
johnnyNobody999
DD-WRT User


Joined: 10 Jan 2014
Posts: 499

PostPosted: Mon Aug 01, 2022 18:25    Post subject: Reply with quote
I think I'm still having problems with dnscrypt proxy for Entware. ;; Query time: 10153 msec -- subsequent queries are shorter but still over 100 ms.

I don't know if this is causing my video streaming issues but the video streaming is getting worse to where it doesn't start the stream even after 5 minutes of waiting. This streaming issue occurs on Amazon Prime Video, youtube videos, and FoxNation videos.Speed tests show I have 500+ Mb download speeds. Even non-video web pages are slow to load. I just upgraded my routers to dd-wrt firmware to 49559 and still have a problem. And it doesn't matter if I'm hardwired to the router or on wifi.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Tue Aug 02, 2022 6:42    Post subject: Reply with quote
this is quite long delay for queries...
The Question remain:
-did you update Entware and DNScrypt
-did you use the new .toml config file..
-show us your config, cover the sensitive data
-try to use different resolver as those bad results could be related to your current:
-i had no problem with the new updated DNScrypt-proxy v2 when
i tested it.. (it runs on a R7800)..
-do you use a thumb drive or ssh/hdd drive...what format (entware usually uses .ext2, 3 or 4)

i don't need any rules to force DNScrypt...as it works out of the box...as a stub resolver...you can see router requests on port 53 are unreplayed and router DNScrypt-proxy v2 is using port 5353 or whatever you set it to use and 127.0.0.1 to listen...

Im not using ipv6 neither on my router nor on DNScrypt-proxy v2... Cool

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
johnnyNobody999
DD-WRT User


Joined: 10 Jan 2014
Posts: 499

PostPosted: Tue Aug 02, 2022 19:23    Post subject: Reply with quote
Alozaros wrote:
this is quite long delay for queries...
The Question remain:
-did you update Entware and DNScrypt

Yes.
root@r9000master:/opt/etc# opkg update
Downloading http://bin.entware.net/armv7sf-k3.2/Packages.gz
Updated list of available packages in /opt/var/opkg-lists/entware
root@r9000master:/opt/etc# opkg upgrade
root@r9000master:/opt/etc#
root@r9000master:~# opkg list | grep dnscrypt
dnscrypt-proxy - 2019-08-20-07ac3825-3
dnscrypt-proxy-resolvers - 2019-08-20-07ac3825-3
dnscrypt-proxy2 - 2.1.1-1
dnscrypt-proxy2_nohf - 2.1.1-1

Alozaros wrote:

-did you use the new .toml config file..
-show us your config, cover the sensitive data
-try to use different resolver as those bad results could be related to your current:


root@r9000master:/opt/etc# cat dnscrypt-proxy.toml
# Empty listen_addresses to use systemd socket activation
listen_addresses = ['127.0.0.1:5353']
server_names = ['plan9-ns1','jp.tiar.app','ffmuc.net','ibksturm','dnscrypt.uk-ipv4']
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
require_dnssec = true
doh_servers = false

[query_log]
file = '/opt/var/log/dnscrypt-proxy/query.log'

[nx_log]
file = '/opt/var/log/dnscrypt-proxy/nx.log'

[sources]
[sources.'public-resolvers']
url = 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'
cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
minisign_key = <redacted>
refresh_delay = 72
prefix = ''

Alozaros wrote:

-i had no problem with the new updated DNScrypt-proxy v2 when
i tested it.. (it runs on a R7800)..
-do you use a thumb drive or ssh/hdd drive...what format (entware usually uses .ext2, 3 or 4)


thumb drive formatted to ext4

Alozaros wrote:
i don't need any rules to force DNScrypt...as it works out of the box...as a stub resolver...you can see router requests on port 53 are unreplayed and router DNScrypt-proxy v2 is using port 5353 or whatever you set it to use and 127.0.0.1 to listen...

Im not using ipv6 neither on my router nor on DNScrypt-proxy v2... Cool
dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1899

PostPosted: Tue Aug 02, 2022 21:01    Post subject: Reply with quote
Entware seems to be slightly behind the power curve:

https://github.com/DNSCrypt/dnscrypt-proxy

https://github.com/DNSCrypt/dnscrypt-resolvers

That's the trouble with relying on that option. If only the upstream developers hadn't tied dependency to golang.

_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost

"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio

<fact>code knows no gender</fact>

This is me, knowing I've ruffled your feathers, and not giving a ****
Some people are still hard-headed.

--------------------------------------
Mac Pro (Mid 2012) - Two 2.4GHz 6-Core Intel Xeon E5645 processors 64GB 1333MHz DDR3 ECC SDRAM OpenSUSE Leap 15.5
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Wed Aug 03, 2022 9:31    Post subject: Reply with quote
ignore_system_dns = true
listen_addresses = ['127.0.0.1:30']
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
require_dnssec = true
doh_servers = false
refused_code_in_responses = true
fallback_resolver = '9.9.9.9:53'


the default listen address is 127.0.0.1:30 but not port 5353...
but i dont think it will make any difference

also make sure dnscypt form GUI is disabled...

those are the servers i use:

'dnscrypt-de-blahdns-ipv4' 'dnswarden-eu-adblock-dcv4' 'quad9-dnscrypt-ip4-filter-pri' 'v.dnscrypt.uk-ipv4'

if you have any server that's going off..not every time DNScrypt switches to the next that fast it takes time...as it needs to exchange certificates...(one reason i don't like it)... On my System R7800 ive build, it works 24/7 with no problem...touch wood...make sure you use the last .toml as the old versions are not compatible any more...try no to fiddle with all the settings...as sometimes it hangs with no reason and than you have to start all over...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Wed Aug 03, 2022 9:46    Post subject: Reply with quote
I am a happy user of DoH via our built-in SmartDNS, easy to setup:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=323896

But it is hard to keep track of all the DNS possibilities and the Pro's and Con's Sad

https://dnscrypt.info/faq/
https://help.nextdns.io/t/x2hmvas/what-is-dns-over-tls-dot-dns-over-quic-doq-and-dns-over-https-doh-doh3

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Wed Aug 03, 2022 13:21    Post subject: Reply with quote
So far, DNScrypt v2 is "the most"....

SmartDNS is not bad alternative at all..it supports DoH or DoT...its present in DDWRT and much more..

I use Stubby DoT via Entware, as the worst option..cheap and simple DoT...and...it works...
But there is Unbound witch is great too, as it supports many DNS options as well DoH and DoT...

Any of those will do...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Index -> General Questions All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum