AdGuard DNSCrypt has stopped working on Netgear r7000

LightMoon
DD-WRT User


Joined: 09 Sep 2012
Posts: 64

Posted: Tue Apr 06, 2021 12:17    Post subject: AdGuard DNSCrypt has stopped working on Netgear r7000
Hi,

I noticed that name resolution breaks if someone enables DNSCrypt and uses the AdGuard servers; however, it is fine for the other servers.

Not sure if this is related to DD-WRT or something went wrong on the AdGuard side.

Firmware Version: DD-WRT v3.0-r46294 std (04/06/21)

_________________
Netgear R7000
(Latest SVN revision)
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14126
Location: Texas, USA

Posted: Tue Apr 06, 2021 14:36
Opening this ticket since you didn't get an answer in the forum was uncalled for: https://svn.dd-wrt.com/ticket/7388 Please wait for someone to respond here in the forum instead of creating an invalid ticket. Tickets aren't for getting help to fix your configuration issue. Thanks.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

Posted: Wed Apr 07, 2021 1:10
Does your setup work if you switch to "Adguard DNS 1"? Somewhere on their site -- I can't seem to find it again -- I saw something recently that gave me the impression they may be using "1" for IPv4 and "2" for IPv6. I'm NOT sure about this.

For "1" you can bypass dd-wrt's config if you want by disabling Encrypt DNS, adding server=127.0.0.1#30 in DNSMasq Additional Options and adding this to Startup:
Code:
dnscrypt-proxy -d -m 5 -e 1280 -a 127.0.0.1:30 \
 -r 176.103.130.130:5443 -N 2.dnscrypt.default.ns1.adguard.com -k \
 d12b:47f2:52dc:f2c2:bbf8:9910:86ea:f79c:e449:5d8b:16c8:a0c4:322e:52ca:3f39:0873

"-m 5" sets the syslog logging level. The default is 6, and 7 is the most possible.

"-e 1280" can be omitted to leave the UDP buffer size at the default 512 bytes. There are recommendations online to set it to 4096, but I find that 1280 is the most that dd-wrt/dnscrypt-proxy will use, at least with the VPN I route it through. My memory is fuzzy here, so research if interested.

I suspect the parameters in my code here are the same ones in the adguard-dns-ns1 line in /etc/dnscrypt/dnscrypt-resolvers.csv in dd-wrt. Check if curious.

I am using Adguard as my secondary DNS provider and haven't noticed any recent changes. Sometime in the next year or two they may change the IP address. They changed them around Sept 2020 (see their blog) for the non-DNSCrypt servers, but somewhere -- again I can't seem to find it again -- I read that they're leaving the IP addresses for DNSCrypt alone for now.

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
LightMoon
DD-WRT User


Joined: 09 Sep 2012
Posts: 64

Posted: Wed Apr 07, 2021 3:51
SurprisedItWorks wrote:
Does your setup work if you switch to "Adguard DNS 1"? Somewhere on their site -- I can't seem to find it again -- I saw something recently that gave me the impression they may be using "1" for IPv4 and "2" for IPv6. I'm NOT sure about this.

Thanks mate, I can confirm that the result is the same for both 1 & 2.

I've also tried disabling DNSCrypt and running it through the startup script as you mentioned, but the result wasn't any different.

Is there a way that I can enable debug mode and generate some logs?

Here is my current config:
Code:
root@DD-C2:~# cat /tmp/resolv.dnsmasq
nameserver 1.1.1.1
nameserver 8.8.8.8
nameserver 8.8.4.4

root@DD-C2:~# cat /tmp/resolv.conf
search home.lan
search home.lan
nameserver 192.168.10.1

root@DD-C2:~# cat /tmp/dnsmasq.conf
interface=br0
resolv-file=/tmp/resolv.dnsmasq
server=127.0.0.1#30
no-resolv
domain=home.lan
dhcp-leasefile=/tmp/dnsmasq.leases
dhcp-lease-max=62
dhcp-option=br0,3,192.168.10.1
dhcp-authoritative

bogus-priv
conf-file=/etc/rfc6761.conf
conf-file=/etc/trust-anchors.conf
dnssec
dnssec-check-unsigned
proxy-dnssec
stop-dns-rebind
dhcp-option=252,"\n"
cache-size=1500
domain=home.lan
expand-hosts
address=/api.ximalaya.com/37.235.155.101
address=/c.ctc.w.ximalaya.com/37.235.155.101

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Wed Apr 07, 2021 7:28
Adguard DNS is problematic these days...
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=328795

try another one...
links in the other post above...

for best results use either DNScrypt called via script or DNScrypt-proxy 2 (link in my sig)

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
itwontbewe
DD-WRT User


Joined: 29 Sep 2020
Posts: 260
Location: United States

Posted: Wed Apr 07, 2021 11:51
I don't use DNSCrypt but AdGuard recently changed their DNS addresses

maybe they changed the strings for DNSCrypt too?

https://adguard.com/en/adguard-dns/overview.html

https://kb.adguard.com/en/dns/setup-guide

Moderator edit 04.07.2021:

Please do not paste unusually large strings of characters into a post as it skews the forum page format.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

Posted: Wed Apr 07, 2021 13:28
Aha! When I checked this morning, my routers were not getting replies from Adguard either, so starting with dnscrypt.info, I followed links until discovering that the master for our dnscrypt-resolvers.csv file (full path in prev post) is kept here:

https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v1/dnscrypt-resolvers.csv

And sure enough, they have changed the IP address. It's now 94.140.14.14, with everything else apparently the same. For a quick test, splice it into the Startup approach I mentioned earlier.

Edit: Tried the new IP. Fails. Can't get certificate (same as the old IP). And at https://kb.adguard.com/en/general/dns-providers#adguard-dns they show the new IP for ordinary DNS but the old IP for dnscrypt. So it's not at all clear what's up at Adguard. I'm going to ask them to clarify and will update here when I get a response.

SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

Posted: Mon Apr 12, 2021 16:56
No response yet from AdGuard, and it's still the case that neither IP works.

Meanwhile, if you are feeling adventurous and want to experiment with a larger range of DNSCrypt providers, with a fallback provider, you can use the full, up-to-date resolvers list, loaded automatically when you boot, by putting this in Startup.
Code:
( cd /tmp/root
  # wait until the WAN is up before fetching anything
  until ping -qc1 -W1 1.1.1.1 >/dev/null 2>&1; do sleep 1; done
  D=dnscrypt R=$D-resolvers F=$R.csv P=/etc/$D/$F
  G=raw.githubusercontent.com/$D/$R/master/v1/$F
  # dnsc N NAME: dnscrypt-proxy on 127.0.0.N:30 using resolver NAME from the list
  dnsc(){ dnscrypt-proxy -d -a 127.0.0.$1:30 -R $2 -L $P; }
  # dnsalt: Quad9 fallback with hard-coded parameters, needs no resolvers file
  dnsalt(){ dnscrypt-proxy -d -a 127.0.0.1:30 \
   -r 9.9.9.9:8443 -N 2.dnscrypt-cert.quad9.net \
   -k 67c8:47b8:c875:8cd1:2024:5543:be75:6746:df34:df1d:84c0:0b8c:4703:68df:821d:863e; }
  curl -Lfo $F https://$G 2>curl_$D.log
  # if the download is non-empty: quote the second field, bind-mount the new
  # list over the built-in one, start both proxies; on any failure run dnsalt
  [ -s $F ] \
  && sed -i.orig -E 's/,([^,]*),/,"\1",/' $F \
  && mount --bind $F $P \
  && { dnsc 2 dnscrypt.pl-guardian
       dnsc 1 quad9-dnscrypt-ip4-filter-pri; } \
  || dnsalt
) &
Use this WITHOUT enabling Encrypt DNS in the DNSMasq section. (You can enable it temporarily to look at the updated menu, but DON'T Save or Apply!) In your DNSMasq Additional Options, you need this:
Code:
server=127.0.0.2#30
server=127.0.0.1#30
server=/githubusercontent.com/1.1.1.1
I set Query DNS in Strict Order in DNSMasq (remember it uses the server= lines in reverse order (edit: still true as of 46816, but changed to use the order listed by 48141)), so as shown the code above uses Quad9 as the primary DNS provider and DNSCrypt Poland's new "Guardian" option for fallback DNS. If anything goes wrong in setting up the fancy stuff, it falls back to just using Quad9 (though DNSMasq will assume there's a second provider and will wait for it to respond if Quad9 is slow) without needing the resolvers file, in the spirit of the Quad9 link in my sig. DNSCrypt Poland used to be called soltysiak, and his new Guardian option is for malware/phishing filtering: https://dnscrypt.pl/reboot-of-dnscrypt-poland/

For the big list of DNSCrypt providers, see https://dnscrypt.info/public-servers. If this all worked right on startup, you'll also see it in the dd-wrt Encrypt DNS menu (again, don't Save/Apply), but the url of course gives you descriptions as well as names.

You can switch the two providers to others on the list. Look at your syslog to see if they work, as some don't. For example, cleanbrowsing-security gives an error message that the protocol version is not supported. There may be others like that.

I assume we'll eventually be able to access adguard-dns this way.

If you are feeling extreme and want to run three dnscrypt-proxy processes, it should be no problem. You'll need an extra line each in this startup code and in DNSMasq Additional Options. The number 3 will feature in each. That's as far as I want to go with the handholding on this idea though, because if you need more, you perhaps shouldn't be messing with Startup code this complex.

Note this code is at the "alpha test" stage. There may be errors. And older versions of dd-wrt may either need a -k added to the curl (to omit https security checking, which they can't do) or may need the curl call replaced with a properly tailored wget call. I'm not getting into those matters. I'll just wish you luck. I do have code similar to this (i.e. tailored for my circumstances) running under both 44048 and 46069, FWIW. I'm using Linksys WRT1900ACSv2 routers. YMMV with others, especially those with smaller memories.

Finally, I have to admit I'm not inclined at the moment to get into being tech support for any of this, though I may edit the code if I spot significant errors. Figured I'd get it out there for you folks to mess with anyway.

Last edited by SurprisedItWorks on Fri Jan 28, 2022 17:14; edited 2 times in total
Docop1
DD-WRT Novice


Joined: 22 Feb 2021
Posts: 23

Posted: Tue Apr 13, 2021 23:39
Wow, very great script indeed! Thanks for this one!

But at the same time, can a script create an Unbound file in the /tmp folder, in order to have a working DoT directly at boot, without those USB/JFFS...? So we could have an updated dnscrypt list and the possibility to switch to DoT if we want, as DoT is not supported on its own.

thanks again
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

Posted: Wed Apr 14, 2021 12:35
I assume one could do something similar for DoT.

One might notice that my script doesn't actually need to "mount --bind" the new file over the old one if having the choices show in the GUI menu isn't important, as dnscrypt-proxy could simply be invoked with the new file as downloaded. But I was thinking about experimenting with trying to download and bind with "Encrypt DNS" switched on, to see if the bind could be there in time for dd-wrt's own call to dnscrypt-proxy to pick up the new file. Never quite got to that, and it's also a bit iffy to depend on the outcome of a race condition anyway. Which contestant wins might depend on the router model, the build number, how other things are configured (which could affect the startup sequence), etc.

For anyone curious enough to go there — FWIW — the built-in "Encrypt DNS" calls dnscrypt-proxy with 127.0.0.1:30 specified for communication with dnsmasq, and dd-wrt provides dnsmasq with the corresponding server= line behind the scenes. And let us know how it turns out!

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Wed Apr 14, 2021 13:03
not willing to take over, just sharing an option..

That's the old code I used to run the DD-WRT embedded DNScrypt version (shared by mac913):

turn off GUI option DNScrypt (encrypted DNS)
add to Additional DNSmasq rules

no-resolv
domain-needed
server=127.0.0.1#30
server=127.0.0.2#30

add these lines to the startup script

RESOLVER_FILE="/etc/dnscrypt/dnscrypt-resolvers.csv"
dnscrypt-proxy -S -m 5 -a 127.0.0.1:30 -R dnscrypt.eu-nl -L "$RESOLVER_FILE" -d
dnscrypt-proxy -S -m 5 -a 127.0.0.2:30 -R dnscrypt.eu-dk -L "$RESOLVER_FILE" -d

or this older variation of it...

RESOLVER_FILE="/etc/dnscrypt/dnscrypt-resolvers.csv"
dnscrypt-proxy -S -a 127.0.0.2:30 -R dnscrypt.eu-nl -L "$RESOLVER_FILE" -d > /dev/null 2>&1
dnscrypt-proxy -S -a 127.0.0.3:30 -R dnscrypt.eu-dk -L "$RESOLVER_FILE" -d > /dev/null 2>&1

00diabolic
DD-WRT User


Joined: 17 Aug 2011
Posts: 78

Posted: Wed Apr 14, 2021 19:11    Post subject: Name Resolution
Hey, no one explained why name resolution is broken with AdGuard DNS 1? Can anyone explain this?

It causes some issues for me; I ended up adding every device's MAC address into Additional Dnsmasq Options to get the names back. Is this just a broken DD-WRT issue, as originally asked?
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

Posted: Wed Apr 14, 2021 20:01
It's not a dd-wrt issue. It's an AdGuard issue. I have an enquiry in to them.

Alozaros, yes, someone just wanting to run multiple dnscrypt DNS servers from the built-in dd-wrt list can do just as you say. Nice and simple!

Small notes on that: (1) do take care with the 127.0.0.1:30, etc. The .1 in particular. Keep what you use on the dnscrypt-proxy line matching what you have in the dnsmasq server= line, though dnscrypt-proxy uses : where dnsmasq uses #, so watch for that also. (2) With dnscrypt-proxy you don't need the -S, as it's implied by -d. (3) I actually use "-m 5" on my routers as well. That sets up a lesser level of logging so that you don't have to see a big message about renewed certificates every hour. The default logging level corresponds to "-m 6", and you can get a bit more with "-m 7". It's easy to google/ddg a dnscrypt-proxy man page with all these details.

Anyway, the script is for people who want to use dnscrypt providers not covered in the dd-wrt list, like quad9 for instance. Actually the two provider lists are very different.

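The startup script earlier in this thread and the notes just above point at two things that silently break a hand-built dnscrypt-proxy setup: a -R name that is not in the resolvers CSV, and an -a listener whose dnsmasq server= line is missing or written with : instead of #. The POSIX sh functions below are an added example, not code from this thread, from DD-WRT or from dnscrypt-proxy; they check those conditions plus the 16-group hex form of the -k key before the proxies would be started. The CSV rows and options text in demo are constructed samples, and the assumption that the v1 CSV carries the resolver name in column 1 follows from the names the thread passes to -R.

```shell
#!/bin/sh
# Added example, not code from this thread, DD-WRT or dnscrypt-proxy: pre-flight
# checks for a hand-built dnscrypt-proxy startup. The CSV rows and dnsmasq options
# in demo are constructed; the v1 CSV is assumed to hold the resolver name in column 1.

# resolver_in_list NAME FILE -> 0 when a row for NAME exists in the CSV
resolver_in_list() {
    grep -q "^$1," "$2"
}

# listener_to_dnsmasq ADDR:PORT -> the server= line dnsmasq needs (addr#port)
listener_to_dnsmasq() {
    printf 'server=%s\n' "$1" | sed 's/:\([0-9]*\)$/#\1/'
}

# check_listeners OPTS_FILE ADDR:PORT... -> 0 when every dnscrypt-proxy -a
# listener has its server= line in OPTS_FILE; otherwise report and return 1
check_listeners() {
    optsfile=$1; shift
    bad=0
    for addr in "$@"; do
        want=$(listener_to_dnsmasq "$addr")
        if ! grep -qxF "$want" "$optsfile"; then
            echo "listener $addr has no dnsmasq line: expected $want" >&2
            bad=1
        fi
    done
    return $bad
}

# valid_key KEY -> 0 when KEY has the 16 colon-separated hex groups that
# dnscrypt-proxy v1 expects after -k (the provider public key fingerprint)
valid_key() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{4}:){15}[0-9a-fA-F]{4}$'
}

# preflight CSV OPTS KEY RESOLVER... -> 0 only if the key is well formed, each
# resolver is in CSV, and listener 127.0.0.N:30 for the Nth resolver is in OPTS
preflight() {
    csv=$1 opts=$2 key=$3; shift 3
    fail=0 n=1
    valid_key "$key" || { echo "malformed -k key: $key" >&2; fail=1; }
    for r in "$@"; do
        resolver_in_list "$r" "$csv" || { echo "$r not in $csv" >&2; fail=1; }
        check_listeners "$opts" "127.0.0.$n:30" || fail=1
        n=$((n + 1))
    done
    return $fail
}

# demo: constructed inputs lacking the 127.0.0.2 dnsmasq line, so preflight returns 1
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        'quad9-dnscrypt-ip4-filter-pri,"constructed row",,,,,1,,,,9.9.9.9:8443,,,' \
        'dnscrypt.pl-guardian,"constructed row",,,,,1,,,,203.0.113.10:443,,,' \
        >"$d/resolvers.csv"
    printf 'server=127.0.0.1#30\nserver=/githubusercontent.com/1.1.1.1\n' >"$d/opts"
    if preflight "$d/resolvers.csv" "$d/opts" \
        67c8:47b8:c875:8cd1:2024:5543:be75:6746:df34:df1d:84c0:0b8c:4703:68df:821d:863e \
        quad9-dnscrypt-ip4-filter-pri dnscrypt.pl-guardian
    then status=0; else status=1; fi
    rm -rf "$d"
    return $status
}
```

Calling demo prints the missing 127.0.0.2 line and returns 1; in a real startup script the same functions would run ahead of the dnscrypt-proxy calls so that a failed check drops through to the fallback.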
00diabolic
DD-WRT User


Joined: 17 Aug 2011
Posts: 78

Posted: Wed Apr 14, 2021 20:13
SurprisedItWorks wrote:
It's not a dd-wrt issue. It's an AdGuard issue. I have an enquiry in to them.

Alozaros, yes, someone just wanting to run multiple dnscrypt DNS servers from the built-in dd-wrt list can do just as you say. Nice and simple!

Small notes on that: (1) do take care with the 127.0.0.1:30, etc. The .1 in particular. Keep what you use on the dnscrypt-proxy line matching what you have in the dnsmasq server= line, though dnscrypt-proxy uses : where dnsmasq uses #, so watch for that also. (2) With dnscrypt-proxy you don't need the -S, as it's implied by -d. (3) I actually use "-m 5" on my routers as well. That sets up a lesser level of logging so that you don't have to see a big message about renewed certificates every hour. The default logging level corresponds to "-m 6", and you can get a bit more with "-m 7". It's easy to google/ddg a dnscrypt-proxy man page with all these details.

Anyway, the script is for people who want to use dnscrypt providers not covered in the dd-wrt list, like quad9 for instance. Actually the two provider lists are very different.


Thanks for the info. I was looking at the script and it seems to add a level of complication I'd rather not add to my already complicated setup. I already notice that some devices won't even get internet when AdGuard DNS goes down. I guess this is a use case for the script, but I'll wait till DD-WRT adds a fallback DNS server to the setup, unless there is a simpler way to add a fallback?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Wed Apr 14, 2021 20:45
For better use, control and fallback options use DNScrypt-proxy v2... green link in my signature.
Last edited by Alozaros on Wed Apr 14, 2021 20:56; edited 1 time in total