Joined: 16 Nov 2015 Posts: 6408 Location: UK, London, just across the river..
Posted: Wed Aug 25, 2021 19:20 Post subject:
127.0.0.1 is an incorrect dns unless you use some special dns settings from a dns upfront
change it with 9.9.9.9 for example
and remove all-servers as you dont have more than 1 encrypted dns option
for better encrypted dns options check green and red links in my signature
read carefully, lots of info and examples there _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
127.0.0.1 is an incorrect dns unless you use some special dns settings from a dns upfront
change it with 9.9.9.9 for example
and remove all-servers as you dont have more than 1 encrypted dns option
for better encrypted dns options check green and red links in my signature
read carefully, lots of info and examples there
Thank you for the pointers and will take a look and appreciate it.
Btw, I have it as 127.0.0.1 as I read somewhere that if I set Static DNS IPs there, then it's not used anyways as I am using DNSMasq and the provider "cisco" will handle all the requests. Is that not correct?
Joined: 16 Nov 2015 Posts: 6408 Location: UK, London, just across the river..
Posted: Thu Aug 26, 2021 6:11 Post subject:
127.0.0.1 is a loop back interface...
and yes DNScrypt works on loopback interface...
but in those 3 boxes for static DNS you cannot point loopback interface...as a DNS (unless in very special scenarios) the moment when and where you need to point to 127.0.0.x is via DNSmasq advanced box, when you set up DNScrypt...but you need to add no-resolve and server= commands
setting a valid DNS in static boxes is needed for a normal boot up and NTP time resolving...please read the links and educate yourself, as it seams there will be a tons of questions coming...use ggl or a search option in the forum...
p.s. in those links there are working examples, if you want to use those plz follow the step by step guide... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
127.0.0.1 is a loop back interface...
and yes DNScrypt works on loopback interface...
but in those 3 boxes for static DNS you cannot point loopback interface...as a DNS (unless in very special scenarios) the moment when and where you need to point to 127.0.0.x is via DNSmasq advanced box, when you set up DNScrypt...but you need to add no-resolve and server= commands
setting a valid DNS in static boxes is needed for a normal boot up and NTP time resolving...please read the links and educate yourself, as it seams there will be a tons of questions coming...use ggl or a search option in the forum...
p.s. in those links there are working examples, if you want to use those plz follow the step by step guide...
I quoted you exactly from one of the working examples and that's why I was curious and posted the screenshot of the pids for dnscrypt which uses the loopback interface.
Yes, I added no-resolv after reading a little bit more and also added server= for the ntp and this is my current options setup:
Btw, thank you for all the help but the examples in the posts are not very clear as some of the posts contradict with each other. Anyways, I posted my options above and I read the man page for the dnsmasq and options and figured that some may need tweaking and that's what I did.
I was a little confused with the static dns entry - whether to put 127.0.0.1 or replace it with 192.168.1.1. I will change the "Static DNS 1" to 192.168.1.1. _________________ Netgear R7800 [DD-WRT]; ASUS RT-87U [DD-WRT]; ASUS RT-AC68U [FreshTomato]
Joined: 16 Nov 2015 Posts: 6408 Location: UK, London, just across the river..
Posted: Thu Aug 26, 2021 19:11 Post subject:
''I was a little confused with the static dns entry - whether to put 127.0.0.1 or replace it with 192.168.1.1. I will change the "Static DNS 1" to 192.168.1.1. ''
none of those is correct...
this is correct...
if you put 1.1.1.1 or 9.9.9.9 or 8.8.8.8 in static DNS
here is what you need if you want to use the old DNScrypt provided along with the firmware....so no need to install anything...
its so simple to follow the step by step guide nothing contradictory
to use an old DNScrypt version 1.95 instead, on (R7800) builds
and be able to use all non v2 DNScrypt public servers i used this guide
*do notice this do not require any entware installation"
----------------- GUI encrypt DNS option needs to be turned off
add to Additional DNSmasq rules
no-resolv
domain-needed
server=127.0.0.1#30
server=127.0.0.2#30
add those lines in startup script (click save start up script)
*do notice those public resolvers used here are DNSSEC verified servers, you can use your favorite servers from
https://dnscrypt.info/public-servers/..., you can add as many as you want, just follow the basic idea!! _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Joined: 04 Aug 2018 Posts: 1444 Location: Appalachian mountains, USA
Posted: Thu Aug 26, 2021 23:45 Post subject:
Also, you don't want all-servers (query all servers in parallel) in the config window while you have "Query DNS in Strict Order" selected. They directly contradict each other. Neither is necessary if you only have one DNS server, which is the usual setup when you "Encrypt DNS." _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
Also, you don't want all-servers (query all servers in parallel) in the config window while you have "Query DNS in Strict Order" selected. They directly contradict each other. Neither is necessary if you only have one DNS server, which is the usual setup when you "Encrypt DNS."
Thank you. Yes, after reading the man page, I got rid of the all-servers option.
Btw, what server do you use? I tried cisco and the syslog says that they are passing the client address and asking me to change it if I want privacy. lol
I tried few other servers but all of them sound fishy. Right now, I have plan9-ns1 (DNSCrypt server in New Jersey, USA. Non-logging, non-filtering, DNSSEC, anonymized) and I am in US. _________________ Netgear R7800 [DD-WRT]; ASUS RT-87U [DD-WRT]; ASUS RT-AC68U [FreshTomato]
Joined: 04 Aug 2018 Posts: 1444 Location: Appalachian mountains, USA
Posted: Fri Aug 27, 2021 23:17 Post subject:
RainGater wrote:
SurprisedItWorks wrote:
Also, you don't want all-servers
Thank you. Yes, after reading the man page, I got rid of the all-servers option.
Btw, what server do you use? I tried cisco and the syslog says that they are passing the client address and asking me to change it if I want privacy. lol
I tried few other servers but all of them sound fishy. Right now, I have plan9-ns1 (DNSCrypt server in New Jersey, USA. Non-logging, non-filtering, DNSSEC, anonymized) and I am in US.
The encrypted-dns menu in dd-wrt (as of 46816 anyway) is out of date, so I had to cobble up some Startup code to use Quad9. Details in my sig below, but I encourage that road only if you are comfortable enough with linux scripting to sort out any issues. Using the standard menu only, I used to favor Adguard just to get free, no logging, DNSSEC support, and a corporate effort with US servers rather than a hobby project. But recently Adguard changed their IP addresses (see adguard.com / Products / DNS), so it may not work anymore. Of the hobby projects, I like soltysiak (now dnscrypt.pl) in Poland, who at least has been at it for a decade and takes the project seriously. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
The encrypted-dns menu in dd-wrt (as of 46816 anyway) is out of date, so I had to cobble up some Startup code to use Quad9. Details in my sig below, but I encourage that road only if you are comfortable enough with linux scripting to sort out any issues.
Thank you and will try your script. I am good at linux scripting and it's no big deal.
Btw, what do you use for Static DNS 1/2/3? Does it have to be a valid DNS server if we are using your script to populate the DNSCrypt provider? _________________ Netgear R7800 [DD-WRT]; ASUS RT-87U [DD-WRT]; ASUS RT-AC68U [FreshTomato]
Joined: 16 Nov 2015 Posts: 6408 Location: UK, London, just across the river..
Posted: Sat Aug 28, 2021 18:34 Post subject:
RainGater wrote:
SurprisedItWorks wrote:
The encrypted-dns menu in dd-wrt (as of 46816 anyway) is out of date, so I had to cobble up some Startup code to use Quad9. Details in my sig below, but I encourage that road only if you are comfortable enough with linux scripting to sort out any issues.
Thank you and will try your script. I am good at linux scripting and it's no big deal.
Btw, what do you use for Static DNS 1/2/3? Does it have to be a valid DNS server if we are using your script to populate the DNSCrypt provider?
interesting....we keep telling you the same thing...
yep, you'd need a valid upstream DNS for some normal router boot up operations, than you can use no-resov and server= to point to DNSmasq to use only those configured in server= ...
You need DNS to resolve NTP time and its mentioned in the guide, NTP time is vital for DNScrypt to operate...
so yes you'd need a valid DNS in those 3 box put 9.9.9.9 or 1.1.1.1 or any you decide, just dont put 192.168.1.1 if your router has that ip or 127.0.0.1 as router cannot send DNS requests to itself...kinds of... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
yep, you'd need a valid upstream DNS for some normal router boot up operations, than you can use no-resov and server= to point to DNSmasq to use only those configured in server= ...
You say that I need to add a valid DNS ip for the normal boot up operations but it works even with 127.0.0.1 or 192.168.1.1. Why does it work then?
And, what is the purpose of using DNSMasq for DNS if we are using static DNS IPs? It should be either static DNS IPs or DNSMasq if we are using no-resolv, correct?
Btw, when you encrypt DNS and put no-resolv, then whatever you put in Static DNS 1/2/3 doesn't matter as it doesn't pick that up. So, why do you keep saying that it needs a valid DNS IP?
FWIW, even with 1127.0.0.1 or 192.168.1.1, NTP time sync up works as I see it in syslog. _________________ Netgear R7800 [DD-WRT]; ASUS RT-87U [DD-WRT]; ASUS RT-AC68U [FreshTomato]
Last edited by RainGater on Sat Aug 28, 2021 21:17; edited 2 times in total
DD-WRT builtin NTP will revert to IP addy to sync time ... that is if you leave:
Time Settings >> Server IP/Name 'blank'
Mine has been blank for years and I am also again using 'unbound' last couple weeks.
NOTE: 'unbound' must have correct time sync to work
DD-WRT builtin NTP will revert to IP addy to sync time ... that is if you leave:
Time Settings >> Server IP/Name 'blank'
If you leave blank, where does it get the IP for NTP to sync time? _________________ Netgear R7800 [DD-WRT]; ASUS RT-87U [DD-WRT]; ASUS RT-AC68U [FreshTomato]
Joined: 04 Aug 2018 Posts: 1444 Location: Appalachian mountains, USA
Posted: Sat Aug 28, 2021 21:56 Post subject:
RainGater wrote:
mrjcd wrote:
DD-WRT builtin NTP will revert to IP addy to sync time ... that is if you leave:
Time Settings >> Server IP/Name 'blank'
If you leave blank, where does it get the IP for NTP to sync time?
There are numerical IP addresses of NTP servers hardwired into dd-wrt. You don't need DNS to get time. Just leave the time-server field empty. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.