Encrypt DNS

RainGater
DD-WRT User


Joined: 07 Apr 2016
Posts: 160

PostPosted: Wed Aug 25, 2021 17:50    Post subject: Encrypt DNS
I am setting up my R7800 to encrypt DNS; please look at the attached screenshots for my settings.

Please let me know if I am doing something wrong or need to tweak my settings.

Thank you all for any and all replies.

My testing shows that it is encrypted, but I am not sure whether the test is comprehensive.

Code:
C:\>nslookup -type=txt debug.opendns.com.
Server:  R7800
Address:  192.168.1.1

Non-authoritative answer:
debug.opendns.com       text =

        "server m37.dfw"
debug.opendns.com       text =

        "flags 20060020 0 70 180000000000000000007950800000000000000"
debug.opendns.com       text =

        "originid 0"
debug.opendns.com       text =

        "orgflags 2000000"
debug.opendns.com       text =

        "actype 0"
debug.opendns.com       text =

        "source 47.188.80.245:60711"
debug.opendns.com       text =

        "dnscrypt enabled (716A7A6D6D486A53)"

_________________
Netgear R7800 [DD-WRT]; ASUS RT-87U [DD-WRT]; ASUS RT-AC68U [FreshTomato]
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6408
Location: UK, London, just across the river..

PostPosted: Wed Aug 25, 2021 19:20    Post subject:
127.0.0.1 is an incorrect DNS unless you use some special DNS settings from a DNS upfront
change it to 9.9.9.9 for example
and remove all-servers as you don't have more than 1 encrypted DNS option
for better encrypted DNS options check green and red links in my signature
read carefully, lots of info and examples there

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
RainGater
DD-WRT User


Joined: 07 Apr 2016
Posts: 160

PostPosted: Wed Aug 25, 2021 19:34    Post subject:
Alozaros wrote:
127.0.0.1 is an incorrect DNS unless you use some special DNS settings from a DNS upfront
change it to 9.9.9.9 for example
and remove all-servers as you don't have more than 1 encrypted DNS option
for better encrypted DNS options check green and red links in my signature
read carefully, lots of info and examples there

Thank you for the pointers and will take a look and appreciate it.

Btw, I have it as 127.0.0.1 as I read somewhere that if I set Static DNS IPs there, then it's not used anyways as I am using DNSMasq and the provider "cisco" will handle all the requests. Is that not correct?

And, your link points to this:

Quote:
add those lines in startup script

RESOLVER_FILE="/etc/dnscrypt/dnscrypt-resolvers.csv"
dnscrypt-proxy -S -m 5 -a 127.0.0.1:30 -R dnscrypt.eu-nl -L /etc/dnscrypt/dnscrypt-resolvers.csv -d
dnscrypt-proxy -S -m 5 -a 127.0.0.2:30 -R dnscrypt.eu-dk -L /etc/dnscrypt/dnscrypt-resolvers.csv -d


When I check the pid on my router, I see this:

Code:
root@R7800:~# ps|grep dns
 1892 root       940 S    dnscrypt-proxy -d -S -a 127.0.0.1:30 -R cisco -L /etc/dnscrypt/dnscrypt-resolvers.csv
 1923 root      2992 S    dnsmasq -u root -g root -C /tmp/dnsmasq.conf


So, why do you think 127.0.0.1 is not valid?

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6408
Location: UK, London, just across the river..

PostPosted: Thu Aug 26, 2021 6:11    Post subject:
127.0.0.1 is a loopback interface...
and yes DNScrypt works on the loopback interface...
but in those 3 boxes for static DNS you cannot point to the loopback interface as a DNS (unless in very special scenarios)...the moment when and where you need to point to 127.0.0.x is via the DNSmasq advanced box, when you set up DNScrypt...but you need to add no-resolv and server= commands

setting a valid DNS in the static boxes is needed for a normal boot up and NTP time resolving...please read the links and educate yourself, as it seems there will be tons of questions coming...use ggl or a search option in the forum...

p.s. in those links there are working examples, if you want to use those plz follow the step by step guide...

RainGater
DD-WRT User


Joined: 07 Apr 2016
Posts: 160

PostPosted: Thu Aug 26, 2021 14:30    Post subject:
Alozaros wrote:
127.0.0.1 is a loopback interface...
and yes DNScrypt works on the loopback interface...
but in those 3 boxes for static DNS you cannot point to the loopback interface as a DNS (unless in very special scenarios)...the moment when and where you need to point to 127.0.0.x is via the DNSmasq advanced box, when you set up DNScrypt...but you need to add no-resolv and server= commands

setting a valid DNS in the static boxes is needed for a normal boot up and NTP time resolving...please read the links and educate yourself, as it seems there will be tons of questions coming...use ggl or a search option in the forum...

p.s. in those links there are working examples, if you want to use those plz follow the step by step guide...

I quoted you exactly from one of the working examples and that's why I was curious and posted the screenshot of the pids for dnscrypt which uses the loopback interface.

Yes, I added no-resolv after reading a little bit more and also added server= for the ntp and this is my current options setup:

Code:
bogus-priv
domain-needed
cache-size=3000
min-cache-ttl=3600
max-cache-ttl=86400
neg-ttl=60
dns-forward-max=350
no-negcache
no-resolv
#all-servers

server=/ntp.org/8.8.8.8


Btw, thank you for all the help, but the examples in the posts are not very clear as some of the posts contradict each other. Anyways, I posted my options above and I read the man page for dnsmasq and its options and figured that some may need tweaking, and that's what I did.

I was a little confused with the static dns entry - whether to put 127.0.0.1 or replace it with 192.168.1.1. I will change the "Static DNS 1" to 192.168.1.1.

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6408
Location: UK, London, just across the river..

PostPosted: Thu Aug 26, 2021 19:11    Post subject:
''I was a little confused with the static dns entry - whether to put 127.0.0.1 or replace it with 192.168.1.1. I will change the "Static DNS 1" to 192.168.1.1. ''

none of those is correct...


this is correct...
if you put 1.1.1.1 or 9.9.9.9 or 8.8.8.8 in static DNS


here is what you need if you want to use the old DNScrypt provided along with the firmware....so no need to install anything...
its so simple to follow the step by step guide nothing contradictory

Basic Setup>Time Settings>Server IP/Name 216.239.35.4
---------------------------------------------------------

to use an old DNScrypt version 1.95 instead, on (R7800) builds
and be able to use all non v2 DNScrypt public servers i used this guide

*do notice this does not require any entware installation*

----------------- GUI encrypt DNS option needs to be turned off
add to Additional DNSmasq rules
no-resolv
domain-needed
server=127.0.0.1#30
server=127.0.0.2#30

add those lines in startup script (click save start up script)

RESOLVER_FILE="/etc/dnscrypt/dnscrypt-resolvers.csv"
dnscrypt-proxy -S -m 5 -a 127.0.0.1:30 -R dnscrypt.eu-nl -L /etc/dnscrypt/dnscrypt-resolvers.csv -d
dnscrypt-proxy -S -m 5 -a 127.0.0.2:30 -R dnscrypt.eu-dk -L /etc/dnscrypt/dnscrypt-resolvers.csv -d

*do notice those public resolvers used here are DNSSEC verified servers, you can use your favorite servers from
https://dnscrypt.info/public-servers/..., you can add as many as you want, just follow the basic idea!!

SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

PostPosted: Thu Aug 26, 2021 23:45    Post subject:
Also, you don't want all-servers (query all servers in parallel) in the config window while you have "Query DNS in Strict Order" selected. They directly contradict each other. Neither is necessary if you only have one DNS server, which is the usual setup when you "Encrypt DNS."
_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
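The step-by-step guide quoted above (dnsmasq rules plus two dnscrypt-proxy instances on loopback port 30) and the all-servers/strict-order point just made can be turned into one startup-script helper. This is an added example, not code from the thread, from DD-WRT or from the linked guides; it assumes the dnscrypt-proxy v1 flags exactly as quoted (-S -m -a -R -L -d), that the resolver name is the first column of dnscrypt-resolvers.csv, and loopback listeners on port 30.

```sh
#!/bin/sh
# Added example (not from the thread or DD-WRT): wraps the quoted dnscrypt-proxy
# v1 command lines and checks the dnsmasq options discussed in this thread.
# Assumes: v1 flags -S -m -a -R -L -d; resolver name = first CSV column; port 30.

RESOLVER_FILE="${RESOLVER_FILE:-/etc/dnscrypt/dnscrypt-resolvers.csv}"
LISTEN_PORT=30

# Return 0 if NAME is a resolver name (first CSV column) in FILE.
# usage: resolver_in_csv NAME FILE
resolver_in_csv() {
    grep -q "^$1," "$2"
}

# Print the dnsmasq "Additional options" that pair with N listeners on
# 127.0.0.1 .. 127.0.0.N: no-resolv so Static DNS 1/2/3 are ignored for
# client queries, plus one server= line per dnscrypt-proxy instance. usage: dnsmasq_rules N
dnsmasq_rules() {
    echo "no-resolv"
    echo "domain-needed"
    i=1
    while [ "$i" -le "$1" ]; do
        echo "server=127.0.0.$i#$LISTEN_PORT"
        i=$((i + 1))
    done
}

# Read dnsmasq options on stdin, print one line per finding and return the
# number of findings (0 means the options are consistent).
check_dnsmasq_options() {
    opts=$(cat)
    n=0
    if ! printf '%s\n' "$opts" | grep -qx 'no-resolv'; then
        echo "missing no-resolv: dnsmasq will also query the Static DNS servers"
        n=$((n + 1))
    fi
    if printf '%s\n' "$opts" | grep -qx 'all-servers' &&
       printf '%s\n' "$opts" | grep -qx 'strict-order'; then
        echo "all-servers and strict-order contradict each other"
        n=$((n + 1))
    fi
    if ! printf '%s\n' "$opts" | grep -q '^server=127\.0\.0\.[0-9]*#'; then
        echo "no server=127.0.0.x#port line: nothing forwards to dnscrypt-proxy"
        n=$((n + 1))
    fi
    return "$n"
}

# Start one dnscrypt-proxy instance per "ADDR RESOLVER" pair, skipping names that
# are not in the CSV instead of letting the daemon fail silently at boot.
# usage (startup script): start_dnscrypt 127.0.0.1 dnscrypt.eu-nl 127.0.0.2 dnscrypt.eu-dk
start_dnscrypt() {
    while [ $# -ge 2 ]; do
        if resolver_in_csv "$2" "$RESOLVER_FILE"; then
            dnscrypt-proxy -S -m 5 -a "$1:$LISTEN_PORT" -R "$2" -L "$RESOLVER_FILE" -d
        else
            logger -t dnscrypt "resolver $2 not in $RESOLVER_FILE, skipping $1"
        fi
        shift 2
    done
}
```

Paste the options printed by `dnsmasq_rules 2` into Additional DNSmasq Options and call `start_dnscrypt` from the startup script; `check_dnsmasq_options` can be run over `/tmp/dnsmasq.conf` to confirm the generated config matches.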
RainGater
DD-WRT User


Joined: 07 Apr 2016
Posts: 160

PostPosted: Fri Aug 27, 2021 20:51    Post subject:
SurprisedItWorks wrote:
Also, you don't want all-servers (query all servers in parallel) in the config window while you have "Query DNS in Strict Order" selected. They directly contradict each other. Neither is necessary if you only have one DNS server, which is the usual setup when you "Encrypt DNS."

Thank you. Yes, after reading the man page, I got rid of the all-servers option.

Btw, what server do you use? I tried cisco and the syslog says that they are passing the client address and asking me to change it if I want privacy. lol

I tried a few other servers but all of them sound fishy. Right now, I have plan9-ns1 (DNSCrypt server in New Jersey, USA. Non-logging, non-filtering, DNSSEC, anonymized) and I am in the US.

SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

PostPosted: Fri Aug 27, 2021 23:17    Post subject:
RainGater wrote:
SurprisedItWorks wrote:
Also, you don't want all-servers

Thank you. Yes, after reading the man page, I got rid of the all-servers option.

Btw, what server do you use? I tried cisco and the syslog says that they are passing the client address and asking me to change it if I want privacy. lol

I tried a few other servers but all of them sound fishy. Right now, I have plan9-ns1 (DNSCrypt server in New Jersey, USA. Non-logging, non-filtering, DNSSEC, anonymized) and I am in the US.

The encrypted-dns menu in dd-wrt (as of 46816 anyway) is out of date, so I had to cobble up some Startup code to use Quad9. Details in my sig below, but I encourage that road only if you are comfortable enough with linux scripting to sort out any issues. Using the standard menu only, I used to favor Adguard just to get free, no logging, DNSSEC support, and a corporate effort with US servers rather than a hobby project. But recently Adguard changed their IP addresses (see adguard.com / Products / DNS), so it may not work anymore. Of the hobby projects, I like soltysiak (now dnscrypt.pl) in Poland, who at least has been at it for a decade and takes the project seriously.

RainGater
DD-WRT User


Joined: 07 Apr 2016
Posts: 160

PostPosted: Sat Aug 28, 2021 17:45    Post subject:
SurprisedItWorks wrote:

The encrypted-dns menu in dd-wrt (as of 46816 anyway) is out of date, so I had to cobble up some Startup code to use Quad9. Details in my sig below, but I encourage that road only if you are comfortable enough with linux scripting to sort out any issues.

Thank you and will try your script. I am good at linux scripting and it's no big deal.

Btw, what do you use for Static DNS 1/2/3? Does it have to be a valid DNS server if we are using your script to populate the DNSCrypt provider?

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6408
Location: UK, London, just across the river..

PostPosted: Sat Aug 28, 2021 18:34    Post subject:
RainGater wrote:
SurprisedItWorks wrote:

The encrypted-dns menu in dd-wrt (as of 46816 anyway) is out of date, so I had to cobble up some Startup code to use Quad9. Details in my sig below, but I encourage that road only if you are comfortable enough with linux scripting to sort out any issues.

Thank you and will try your script. I am good at linux scripting and it's no big deal.

Btw, what do you use for Static DNS 1/2/3? Does it have to be a valid DNS server if we are using your script to populate the DNSCrypt provider?


interesting....we keep telling you the same thing...

yep, you'd need a valid upstream DNS for some normal router boot up operations, then you can use no-resolv and server= to point DNSmasq to use only those configured in server= ...

You need DNS to resolve NTP time and it's mentioned in the guide, NTP time is vital for DNScrypt to operate...
so yes you'd need a valid DNS in those 3 boxes, put 9.9.9.9 or 1.1.1.1 or any you decide, just don't put 192.168.1.1 if your router has that ip or 127.0.0.1 as the router cannot send DNS requests to itself...kind of...

RainGater
DD-WRT User


Joined: 07 Apr 2016
Posts: 160

PostPosted: Sat Aug 28, 2021 19:35    Post subject:
Alozaros wrote:
yep, you'd need a valid upstream DNS for some normal router boot up operations, then you can use no-resolv and server= to point DNSmasq to use only those configured in server= ...

You say that I need to add a valid DNS ip for the normal boot up operations but it works even with 127.0.0.1 or 192.168.1.1. Why does it work then?

And, what is the purpose of using DNSMasq for DNS if we are using static DNS IPs? It should be either static DNS IPs or DNSMasq if we are using no-resolv, correct?

Btw, when you encrypt DNS and put no-resolv, then whatever you put in Static DNS 1/2/3 doesn't matter as it doesn't pick that up. So, why do you keep saying that it needs a valid DNS IP?

FWIW, even with 127.0.0.1 or 192.168.1.1, NTP time sync works as I see it in syslog.

Last edited by RainGater on Sat Aug 28, 2021 21:17; edited 2 times in total
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

PostPosted: Sat Aug 28, 2021 19:52    Post subject:
DD-WRT builtin NTP will revert to IP addy to sync time ... that is if you leave:
Time Settings >> Server IP/Name 'blank'
Mine has been blank for years and I am also again using 'unbound' last couple weeks.
NOTE: 'unbound' must have correct time sync to work
RainGater
DD-WRT User


Joined: 07 Apr 2016
Posts: 160

PostPosted: Sat Aug 28, 2021 21:19    Post subject:
mrjcd wrote:
DD-WRT builtin NTP will revert to IP addy to sync time ... that is if you leave:
Time Settings >> Server IP/Name 'blank'

If you leave blank, where does it get the IP for NTP to sync time?

SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

PostPosted: Sat Aug 28, 2021 21:56    Post subject:
RainGater wrote:
mrjcd wrote:
DD-WRT builtin NTP will revert to IP addy to sync time ... that is if you leave:
Time Settings >> Server IP/Name 'blank'

If you leave blank, where does it get the IP for NTP to sync time?

There are numerical IP addresses of NTP servers hardwired into dd-wrt. You don't need DNS to get time. Just leave the time-server field empty.
