AdGuard DNSCrypt has stopped working on Netgear r7000

SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

Posted: Mon Apr 12, 2021 16:56
No response yet from AdGuard, and it's still the case that neither IP works.

Meanwhile, if you are feeling adventurous and want to experiment with a larger range of DNSCrypt providers, with a fallback provider, you can use the full, up-to-date resolvers list, loaded automatically when you boot, by putting this in Startup.
Code:
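( cd /tmp/root
  # wait for the WAN to come up
  until ping -qc1 -W1 1.1.1.1 &>/dev/null; do sleep 1; done
  # F = list file name, P = built-in list path, G = download location
  D=dnscrypt R=$D-resolvers F=$R.csv P=/etc/$D/$F
  G=raw.githubusercontent.com/$D/$R/master/v1/$F
  # dnsc N NAME: proxy on 127.0.0.N:30 for provider NAME from the list
  dnsc(){ dnscrypt-proxy -d -a 127.0.0.$1:30 -R $2 -L $P; }
  # dnsalt: Quad9 given explicitly, no list needed
  dnsalt(){ dnscrypt-proxy -d -a 127.0.0.1:30 \
   -r 9.9.9.9:8443 -N 2.dnscrypt-cert.quad9.net \
   -k 67c8:47b8:c875:8cd1:2024:5543:be75:6746:df34:df1d:84c0:0b8c:4703:68df:821d:863e; }
  # download the list; if it is non-empty, quote field 2 of each line,
  # bind it over the built-in list and start both proxies; else fall back
  curl -Lfo $F https://$G 2>curl_$D.log
  [[ -s $F ]] \
  && sed -i.orig -E 's/,([^,]*),/,"\1",/' $F \
  && mount --bind $F $P \
  && { dnsc 2 dnscrypt.pl-guardian
       dnsc 1 quad9-dnscrypt-ip4-filter-pri; } \
  || dnsalt
) &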
Use this WITHOUT enabling Encrypt DNS in the DNSMasq section. (You can enable it temporarily to look at the updated menu, but DON'T Save or Apply!) In your DNSMasq Additional Options, you need this:
Code:
server=127.0.0.2#30
server=127.0.0.1#30
server=/githubusercontent.com/1.1.1.1
I set Query DNS in Strict Order in DNSMasq (remember it uses the server= lines in reverse order (edit: still true as of 46816, but changed to use the order listed by 48141)), so as shown the code above uses Quad9 as the primary DNS provider and DNSCrypt Poland's new "Guardian" option for fallback DNS. If anything goes wrong in setting up the fancy stuff, it falls back to just using Quad9 (though DNSMasq will assume there's a second provider and will wait for it to respond if Quad9 is slow) without needing the resolvers file, in the spirit of the Quad9 link in my sig. DNSCrypt Poland used to be called soltysiak, and his new Guardian option is for malware/phishing filtering: https://dnscrypt.pl/reboot-of-dnscrypt-poland/

For the big list of DNSCrypt providers, see https://dnscrypt.info/public-servers. If this all worked right on startup, you'll also see it in the dd-wrt Encrypt DNS menu (again, don't Save/Apply), but the url of course gives you descriptions as well as names.

You can switch the two providers to others on the list. Look at your syslog to see if they work, as some don't. For example, cleanbrowsing-security gives an error message that the protocol version is not supported. There may be others like that.

I assume we'll eventually be able to access adguard-dns this way.

If you are feeling extreme and want to run three dnscrypt-proxy processes, it should be no problem. You'll need an extra line each in this startup code and in DNSMasq Additional Options. The number 3 will feature in each. That's as far as I want to go with the handholding on this idea though, because if you need more, you perhaps shouldn't be messing with Startup code this complex.

Note this code is at the "alpha test" stage. There may be errors. And older versions of dd-wrt may either need a -k added to the curl (to omit https security checking, which they can't do) or may need the curl call replaced with a properly tailored wget call. I'm not getting into those matters. I'll just wish you luck. I do have code similar to this (i.e. tailored for my circumstances) running under both 44048 and 46069, FWIW. I'm using Linksys WRT1900ACSv2 routers. YMMV with others, esp those with smaller memories.

Finally, I have to admit I'm not inclined at the moment to get into being tech support for any of this, though I may edit the code if I spot significant errors. Figured I'd get it out there for you folks to mess with anyway.

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.


Last edited by SurprisedItWorks on Fri Jan 28, 2022 17:14; edited 2 times in total
Docop1
DD-WRT Novice


Joined: 22 Feb 2021
Posts: 23

Posted: Tue Apr 13, 2021 23:39
Wow, very great script indeed! Thanks for this one!

But at the same time, can a script create an Unbound file in the Tmp folder? In order to have a working DoT directly at boot, without those usb /jffs... So we could have an updated dnscrypt list and the possibility to switch to DoT if we want, as DoT is not supported on its own.

thanks again
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

Posted: Wed Apr 14, 2021 12:35
I assume one could do something similar for DoT.

One might notice that my script doesn't actually need to "mount --bind" the new file over the old one if having the choices show in the GUI menu isn't important, as dnscrypt-proxy could simply be invoked with the new file as downloaded. But I was thinking about experimenting with trying to download and bind with "Encrypt DNS" switched on, to see if the bind could be there in time for dd-wrt's own call to dnscrypt-proxy to pick up the new file. Never quite got to that, and it's also a bit iffy to depend on the outcome of a race condition anyway. Which contestant wins might depend on the router model, the build number, how other things are configured (which could affect the startup sequence), etc.

For anyone curious enough to go there — FWIW — the built-in "Encrypt DNS" calls dnscrypt-proxy with 127.0.0.1:30 specified for communication with dnsmasq, and dd-wrt provides dnsmasq with the corresponding server= line behind the scenes. And let us know how it turns out!

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6388
Location: UK, London, just across the river..

Posted: Wed Apr 14, 2021 13:03
not willing to take over, just sharing an option..

that's the old code i used to run DNScrypt DDWRT embedded version: (shared by mac913)

turn off GUI option DNScrypt (encrypted DNS)
add to Additional DNSmasq rules

no-resolv
domain-needed
server=127.0.0.1#30
server=127.0.0.2#30

add those lines in startup script

RESOLVER_FILE="/etc/dnscrypt/dnscrypt-resolvers.csv"
dnscrypt-proxy -S -m 5 -a 127.0.0.1:30 -R dnscrypt.eu-nl -L /etc/dnscrypt/dnscrypt-resolvers.csv -d
dnscrypt-proxy -S -m 5 -a 127.0.0.2:30 -R dnscrypt.eu-dk -L /etc/dnscrypt/dnscrypt-resolvers.csv -d

or that older variation of it...

RESOLVER_FILE="/etc/dnscrypt/dnscrypt-resolvers.csv"
dnscrypt-proxy -S -a 127.0.0.2:30 -R dnscrypt.eu-nl -L /etc/dnscrypt/dnscrypt-resolvers.csv -d > /dev/null 2>&1
dnscrypt-proxy -S -a 127.0.0.3:30 -R dnscrypt.eu-dk -L /etc/dnscrypt/dnscrypt-resolvers.csv -d > /dev/null 2>&1

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,AP Isolation,Ad-Block,Firewall
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear R7800 --DD-WRT 55363 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55363 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
00diabolic
DD-WRT User


Joined: 17 Aug 2011
Posts: 78

Posted: Wed Apr 14, 2021 19:11    Post subject: Name Resolution
Hey, no one explained why name resolution is broken with adguard DNS 1? Can anyone explain this?

It causes some issues for me; I ended up adding every device MAC address into Additional Dnsmasq Options to get the names back. Is this just a broken DDWRT issue as originally asked?
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

Posted: Wed Apr 14, 2021 20:01
It's not a dd-wrt issue. It's an AdGuard issue. I have an enquiry in to them.

Alozaros, yes, someone just wanting to run multiple dnscrypt DNS servers from the built-in dd-wrt list can do just as you say. Nice and simple!

Small notes on that: (1) do take care with the 127.0.0.1:30, etc. The .1 in particular. Keep what you use on the dnscrypt-proxy line matching what you have in the dnsmasq server= line, though dnscrypt-proxy uses : where dnsmasq uses #, so watch for that also. (2) With dnscrypt-proxy you don't need the -S, as it's implied by -d. (3) I actually use "-m 5" on my routers as well. That sets up a lesser level of logging so that you don't have to see a big message about renewed certificates every hour. The default logging level corresponds to "-m 6", and you can get a bit more with "-m 7". It's easy to google/ddg a dnscrypt-proxy man page with all these details.

Anyway, the script is for people who want to use dnscrypt providers not covered in the dd-wrt list, like quad9 for instance. Actually the two provider lists are very different.

00diabolic
DD-WRT User


Joined: 17 Aug 2011
Posts: 78

Posted: Wed Apr 14, 2021 20:13
SurprisedItWorks wrote:
It's not a dd-wrt issue. It's an AdGuard issue. I have an enquiry in to them.

Alozaros, yes, someone just wanting to run multiple dnscrypt DNS servers from the built-in dd-wrt list can do just as you say. Nice and simple!

Small notes on that: (1) do take care with the 127.0.0.1:30, etc. The .1 in particular. Keep what you use on the dnscrypt-proxy line matching what you have in the dnsmasq server= line, though dnscrypt-proxy uses : where dnsmasq uses #, so watch for that also. (2) With dnscrypt-proxy you don't need the -S, as it's implied by -d. (3) I actually use "-m 5" on my routers as well. That sets up a lesser level of logging so that you don't have to see a big message about renewed certificates every hour. The default logging level corresponds to "-m 6", and you can get a bit more with "-m 7". It's easy to google/ddg a dnscrypt-proxy man page with all these details.

Anyway, the script is for people who want to use dnscrypt providers not covered in the dd-wrt list, like quad9 for instance. Actually the two provider lists are very different.


Thanks for the info. I was looking at the script and it seems to add a level of complication I'd rather not add to my already complicated setup. I already notice that some devices won't even get internet when adguard DNS goes down. I guess this is a use case for the script, but I'll wait till DDWRT adds a fallback DNS server to the setup, unless there is a simpler way to add a fallback?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6388
Location: UK, London, just across the river..

Posted: Wed Apr 14, 2021 20:45
for better use, control and fallback options, use the DNScrypt-proxy v2 ... green link in my signature..


Last edited by Alozaros on Wed Apr 14, 2021 20:56; edited 1 time in total
Docop1
DD-WRT Novice


Joined: 22 Feb 2021
Posts: 23

Posted: Wed Apr 14, 2021 20:49
Actually, @SurprisedItWorks, can your new version also be implemented into the old one you posted (in 2019)? About: having the dnscrypt load up after the OpenVPN client and then use the vpn tunnel?

Many thanks.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

Posted: Wed Apr 14, 2021 20:57
If you're good with picking both primary and fallback off the built-in list (and at least for now, not using adguard), you can go with the simple approach sketched by Alozaros. The complexity of my script is only to get you a more up-to-date provider list and to put it in the DD-WRT menu where you can see it.

So for Alozaros's approach, you'll need to leave Encrypt DNS off, include
Code:
server=127.0.0.2#30
server=127.0.0.1#30
in DNSMasq Additional Options, enable Query DNS in Strict Order, and then in Startup include two dnscrypt-proxy commands as he suggests. The primary should specify 127.0.0.1:30 in the command, and the secondary should specify 127.0.0.2:30. The order of the dnscrypt-proxy lines is irrelevant, but the server= lines need to be in the order I show, because DNSMasq starts with the last one and falls back to the first!

The tricky thing is finding a provider suitable for backup DNS. (I was using AdGuard for my backup, but they are out of action for now!) The dd-wrt provider list is old, and I expect that some of the providers are no longer around. Some of the ones listed are hobby projects. See what info you can find about them at https://dnscrypt.info in the providers tab, but remember that the name of the provider you use in the dnscrypt-proxy command needs to match the first field of some line in comma-separated dd-wrt file /etc/dnscrypt/dnscrypt-resolvers.csv. The dd-wrt menu will get you close, but it may show spaces instead of hyphens, have different upper/lower case, etc. You'll need to check the file. You can get the list of those acceptable names with this in your ssh CLI window:

cut -d, -f1 /etc/dnscrypt/dnscrypt-resolvers.csv

Or this if you just like sed better like I do:

sed 's/,.*//' /etc/dnscrypt/dnscrypt-resolvers.csv

As far as finding ones that work with the protocol dd-wrt uses, you just have to try them and look at the dd-wrt syslog after a reboot. If it works, you'll see a message from dnscrypt-proxy that it's proxying to the IP address of the provider. You'll likely see a less-positive message in the failure case.

No harm testing a bunch quickly, just to see which ones can connect to their servers and get certificates and such, by just running a dnscrypt-proxy command for each in the command line but with 127.0.0.N:30 using different N values for each. Pick N values that do NOT correspond to what's specified to DNSMasq, and there'll be no interference with your running DNS system. Then look at your syslog (if you didn't get obvious errors from just running the command!) to see which could proxy successfully. If you are linux aware enough to use ps and the kill command, you can clean up afterward that way. Otherwise just reboot when done. Remember, the test of this paragraph will NOT set them up to function as DNS servers, so this is a preliminary test, a way to quickly test four or five providers without having to reboot each time. No harm in ignoring this paragraph though and just editing Startup and rebooting for each.

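An added example, not part of the posts above and not DD-WRT's own code: a shell check that every server= line in DNSMasq Additional Options has a dnscrypt-proxy listening behind it (allowing for the : versus # difference), and which upstream strict order tries first under either ordering mentioned in this thread. The function names and sample file contents are constructed, and it assumes Startup lists each dnscrypt-proxy command literally.

```shell
#!/bin/sh
# Added example, not code from the thread. Sample file contents are constructed.
# Assumes Startup lists each dnscrypt-proxy command literally (no $1 in -a).

# Listen addresses passed to dnscrypt-proxy with -a, one ADDR:PORT per line.
proxy_listeners() {
  sed -n '/dnscrypt-proxy/s/.*[[:space:]]-a[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1"
}

# Plain server= upstreams, rewritten from dnsmasq's ADDR#PORT to ADDR:PORT
# (port 53 when none is given). server=/domain/ip lines are left out.
dnsmasq_upstreams() {
  sed -n 's/^server=\([0-9.][0-9.]*\)$/\1:53/p; s/^server=\([0-9.][0-9.]*\)#\([0-9]*\)$/\1:\2/p' "$1"
}

# check_pairing STARTUP DNSMASQ: report each loopback upstream and each proxy.
# Returns non-zero if a server= line has no proxy behind it, a proxy is never
# queried, or a server= line uses ':' where dnsmasq expects '#'.
check_pairing() {
  cp_listen=$(proxy_listeners "$1"); cp_up=$(dnsmasq_upstreams "$2"); cp_rc=0
  for cp_u in $cp_up; do
    case $cp_u in 127.*) ;; *) continue ;; esac
    if printf '%s\n' "$cp_listen" | grep -qxF "$cp_u"; then echo "ok $cp_u"
    else echo "no-proxy $cp_u"; cp_rc=1; fi
  done
  for cp_l in $cp_listen; do
    printf '%s\n' "$cp_up" | grep -qxF "$cp_l" || { echo "unused-proxy $cp_l"; cp_rc=1; }
  done
  for cp_b in $(grep -E '^server=[0-9.]+:[0-9]+$' "$2"); do
    echo "bad-separator $cp_b"; cp_rc=1
  done
  return $cp_rc
}

# primary_upstream DNSMASQ ORDER: the upstream strict order tries first.
#   reverse: last server= line first (per the thread, still true as of 46816)
#   listed:  first server= line first (per the thread, changed by 48141)
primary_upstream() {
  case $2 in
    reverse) dnsmasq_upstreams "$1" | tail -n 1 ;;
    listed)  dnsmasq_upstreams "$1" | head -n 1 ;;
    *) echo "ORDER must be reverse or listed" >&2; return 2 ;;
  esac
}

sample_startup() {   # constructed Startup contents
  cat <<'EOF'
dnscrypt-proxy -m 5 -a 127.0.0.2:30 -R example-resolver-a -L /etc/dnscrypt/dnscrypt-resolvers.csv -d
dnscrypt-proxy -m 5 -a 127.0.0.3:30 -R example-resolver-b -L /etc/dnscrypt/dnscrypt-resolvers.csv -d
EOF
}

sample_dnsmasq() {   # constructed Additional Options contents
  cat <<'EOF'
no-resolv
server=127.0.0.2#30
server=127.0.0.1#30
server=/githubusercontent.com/1.1.1.1
EOF
}

demo_dir=$(mktemp -d)
sample_startup > "$demo_dir/startup"; sample_dnsmasq > "$demo_dir/dnsmasq"
check_pairing "$demo_dir/startup" "$demo_dir/dnsmasq" || echo "mismatch found"
echo "primary on reverse-order builds: $(primary_upstream "$demo_dir/dnsmasq" reverse)"
rm -rf "$demo_dir"
```

In the constructed sample the primary on a reverse-order build is 127.0.0.1:30, which has no proxy behind it, so every query would wait on a dead address before falling back.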
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

Posted: Wed Apr 14, 2021 21:19
Docop1 wrote:
Actually, @SurprisedItWorks, can your new version also be implemented into the old one you posted (in 2019)? About: having the dnscrypt load up after the OpenVPN client and then use the vpn tunnel?

Many thanks.

Yeah... that. Actually in my routers I use a ping loop like

until ping -qc1 -W1 -Itun1 1.1.1.1 &>/dev/null; do sleep 5; done

(might be tun0 for your router or even oet1 or some such for wireguard) looking at Cloudflare DNS 1.1.1.1 (or use google 8.8.8.8 or something else) through the vpn interface until it's working, and only then do I execute the dnscrypt command. This waiting to start the dnscrypt proxies isn't really necessary unless you regard initial queries to the providers going outside the tunnel as leaks to be avoided.

To make things actually go through the tunnel, you can include something like

route 9.9.9.9

in the OpenVPN client's Additional Config or in a wireguard client setup, replace 0.0.0.0/1,128.0.0.0/1 with 9.9.9.9,0.0.0.0/1,128.0.0.0/1 in the peer Allowed IPs field.

If you run two dnscrypt proxies to two providers and happen to have both OpenVPN and wireguard clients running, run the primary DNS through the more reliable vpn and run the fallback DNS through the less reliable vpn. That way failure of a single vpn won't take down your entire DNS system. If you just run one VPN client, use it for primary DNS and let fallback, which you won't use often, just go to the WAN with no special routing.

Docop1
DD-WRT Novice


Joined: 22 Feb 2021
Posts: 23

Posted: Mon Apr 19, 2021 16:10
Very great and super explanation, and it did work fine indeed! Thanks for that.
But a small question on how to confirm. So let's say I have an ovpn or WG tunnel up and pass over the dns peer; it shows up as being the proper dns. So when I set dnscrypt, the leak shows up the dnscrypt server used. But is there a way to see the route? Like if I do a dig or tracert example.com, with or without dnscrypt set, it always shows:
Local ddwrt ip -) vpn tunnel 10.160.0.1 -) vpn server -) .. route to webpage

I was hoping to see something like:
Local ddwrt ip -) vpn tunnel 10.160.0.1 -) dnscrypt srv-) vpn server -) ..to web..
or I'm just looking too much..
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6388
Location: UK, London, just across the river..

Posted: Mon Apr 19, 2021 17:27
hmm, I don't know what you expect... in general, as DNScrypt uses DNSmasq, it blends inside the VPN tunnel... and it calls the DNS you use in DNScrypt... there are no calls from outside..
you can check with:
tcpdump -nnS -i tun1
or check your WAN
tcpdump -nnS -i eth0

if you have a kill-switch on your wan, you will see only UDP requests and nothing else, while on tun1, you will see the normal traffic... to ensure you can check only for DNS requests inside the VPN tun1
tcpdump -i tun1 | grep -Ei 'xxxxxxxx '

replace xxx inside the quotes, with the name of your dnsserver specified in DNScrypt set up...

also add this line, to your VPN advanced set up box

pull-filter ignore "dhcp-option DNS"

it will ignore the forced by the VPN DNS and will use only DNSmasq...(DNScrypt)

the good thing about Open VPN is, that you can use a fair amount of commands, while in WG is not like that..

SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

Posted: Mon Apr 19, 2021 20:22
Docop1 wrote:
Very great and super explanation, and it did work fine indeed! Thanks for that.
But a small question on how to confirm. So let's say I have an ovpn or WG tunnel up and pass over the dns peer; it shows up as being the proper dns. So when I set dnscrypt, the leak shows up the dnscrypt server used. But is there a way to see the route? Like if I do a dig or tracert example.com, with or without dnscrypt set, it always shows:
Local ddwrt ip -) vpn tunnel 10.160.0.1 -) vpn server -) .. route to webpage

I was hoping to see something like:
Local ddwrt ip -) vpn tunnel 10.160.0.1 -) dnscrypt srv-) vpn server -) ..to web..
or I'm just looking too much..

If you are using, for example, Quad9 DNS like in my example and so have route 9.9.9.9 in your OpenVPN client config, there are a couple of things you can check. to an

First, you can do ip route show (or just ip r s actually) in the CLI to see the main routing table. You should see a line like

9.9.9.9 via 10.XX.XX.1 dev tun1

if OpenVPN has indeed set up routing through the tunnel as you specified. Also, in the CLI you can actually do traceroute 9.9.9.9 and look at all the relay steps. You can see it goes first to 10.XX.XX.1, then to your VPN server's IP, then through various other steps to finally reach 9.9.9.9 as desired. You can also do tcpdump -ni tun1 'port 8443' in the CLI and then go to a browser and visit https://dnsleaktest.com and do their simple test. It will make the tcpdump go wild with queries and replies to and from, in this case, 9.9.9.9. Use control-C to quit the tcpdump.

Note: Quad9 uses port 8443, adguard uses 5443 I believe, dnscrypt.pl-guardian uses 2054, but some use port 443 just like https, so those are trickier. Look in the resolver file to see what port a particular provider uses. Look for IP:port in comma-separated field 12 (commas inside quoted strings don't count). If there is no port shown, it uses the default 443. For DNSCrypt server YY.YY.YY.YY using port 443 you could just do tcpdump -ni tun1 | grep -F YY.YY.YY.YY instead. In any case specifying the interface with -i is what proves that your DNS queries and responses are going through the tunnel. On my router the WAN interface is eth0, so I can repeat the test using eth0 instead of tun1 to verify that queries are NOT going outside the tunnel. (Note that the VPN kill switches discussed in many forum posts do NOT restrict traffic to/from the router itself, like DNS queries, because they specify the FORWARD iptables chain and not the INPUT and OUTPUT chains.)

Unrelated note: DNSCrypt providers scaleway-fr and scaleway-ams, in Paris and Amsterdam respectively, are maintained by Frank Denis, the creator of DNSCrypt. See https://fr.dnscrypt.info for that service's features. I tried it this morning, and it's up and running fine.

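An added example, not part of the post above: a shell/awk helper that reads a resolver CSV with quoted commas handled, picks out each provider's address, applies the default port 443 when none is listed, and builds the tcpdump filter for one provider. It finds the address field by its shape (IPv4 or bracketed IPv6, optional :port) rather than by column number; the function names are hypothetical, and the sample rows are constructed except for the Quad9 name, address and provider name quoted in this thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# resolver_ports FILE: print "name address port" for each provider row.
resolver_ports() {
  awk '
    # Split a CSV line into F[1..n]; commas inside "..." stay in the field.
    function split_csv(line,    i, c, n, inq) {
      n = 1; F[1] = ""; inq = 0
      for (i = 1; i <= length(line); i++) {
        c = substr(line, i, 1)
        if (c == "\"") inq = !inq
        else if (c == "," && !inq) F[++n] = ""
        else F[n] = F[n] c
      }
      return n
    }
    {
      sub(/\r$/, "")
      n = split_csv($0); addr = ""
      # The address field is the first one shaped like IPv4 or [IPv6],
      # with an optional :port. Rows without one (a header) are skipped.
      for (i = 2; i <= n && addr == ""; i++)
        if (F[i] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(:[0-9]+)?$/ ||
            F[i] ~ /^\[[0-9A-Fa-f:]+\](:[0-9]+)?$/) addr = F[i]
      if (addr == "") next
      port = 443                       # default when no port is listed
      if (match(addr, /:[0-9]+$/)) {
        port = substr(addr, RSTART + 1)
        addr = substr(addr, 1, RSTART - 1)
      }
      gsub(/^\[|\]$/, "", addr)        # tcpdump takes IPv6 without brackets
      print F[1], addr, port
    }' "$1"
}

# capture_filter FILE NAME: tcpdump filter expression for one provider.
capture_filter() {
  resolver_ports "$1" | awk -v name="$2" \
    '$1 == name { printf "host %s and port %s\n", $2, $3 }'
}

sample_csv() {   # constructed rows; keys are placeholders
  cat <<'EOF'
quad9-dnscrypt-ip4-filter-pri,"Quad9 (constructed row)","Filtering, no logs","Anycast","",https://example.net,1,yes,yes,no,9.9.9.9:8443,2.dnscrypt-cert.quad9.net,KEY-PLACEHOLDER,
example-default-port,"Example A","No port listed, so 443","Testland","0.0,0.0",https://example.net,1,no,yes,no,192.0.2.53,2.dnscrypt-cert.example.net,KEY-PLACEHOLDER,
example-ipv6,"Example B","Bracketed IPv6","Testland","",https://example.net,1,no,yes,no,[2001:db8::53]:5353,2.dnscrypt-cert.example.net,KEY-PLACEHOLDER,
EOF
}

demo_csv=$(mktemp)
sample_csv > "$demo_csv"
resolver_ports "$demo_csv"
echo "tcpdump -ni tun1 '$(capture_filter "$demo_csv" quad9-dnscrypt-ip4-filter-pri)'"
rm -f "$demo_csv"
```

Running the same filter with the WAN interface in place of tun1 is the negative check described in the post: it should stay silent if nothing is leaving outside the tunnel.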
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

Posted: Wed Apr 28, 2021 17:53
Good News!

A. Adguard is back up. Both the old IP and the new IP are working, the old IP using adguard-dns-ns1 via dd-wrt's built-in resolvers file and the new IP using adguard-dns with my fancy script that downloads the current resolvers file. (Even though I am in the eastern US, both are matching me up with resolvers in Europe, FWIW.) Of note: I never actually heard back from Adguard, so this paragraph comes from my own testing, which I just happened to try today.

B. I mentioned earlier that with my new system you can also choose dnscrypt.pl-guardian (used to be called soltysiak). That's working fine today also. But I also tested scaleway-ams carefully this morning, and (it has no filtering but) is solid and seems quite fast, even from across the pond. So we are up to five choices (incl quad9-dnscrypt-ip4-filter-pri and both adguard choices) that are tested and known to be working.

C. I have had issues with the download site in my script for the new resolvers file. The site is refusing to let me download over my wireguard VPN, which is how I'm set up here (unlike in the script I posted in this thread). However, at https://github.com/dnscrypt/dnscrypt-resolvers there is a section called "Stable download URLs" that lists two URLs, a github one and a dnscrypt.info one. Following the latter and picking up the v1 options (instead of v2 and v3, which have the wrong format because they are for other versions of dnscrypt-proxy), leads to a new download path that is shorter, feels more permanent, and appears to work great. To modify the script to use it, eliminate the G=... line and in the curl line, replace the https://$G path with https://download.$D.info/$R/v1/$F (understanding that this change is not necessary unless you are having trouble with the original path). If you make this change, it's important that you also go to Additional Dnsmasq Options and replace the server=/githubusercontent.com/1.1.1.1 line discussed above with server=/dnscrypt.info/1.1.1.1 so that dnsmasq can resolve the domain for the download URL before dnscrypt is set up.

Aside for linux scripting people wondering why I eliminated the harmless use of variable G: I am hurting so badly for nvram space that I'm reduced to squeezing out a few characters here and there when I can do so without making things completely unreadable. Of course this is also why the original script is written in more of a compact way than a stylish/readable way.

And FWIW (can't remember whether I said before), this is working here on 46069 and 44048.
