Joined: 04 Mar 2021 Posts: 65 Location: Manchester
Posted: Wed Aug 10, 2022 13:09 Post subject: DDWRT DNSCrypt Resolver
I am using the latest version of DDWRT. I use DNSCrypt Resolver and have been using Cisco. I also use a VPN and all my connection goes through a VPN.
I was looking at the logs and noticed this warning which I am aware of because I was using Cisco as my DNSCrypt Resolver -
DD-WRT 2 user.warn : - [cisco] logs your activity - a different provider might be better a choice if privacy is a concern
I am aware Cisco logs, but I was not worried because I connect using a VPN, and it seems to be the only provider which, when I do a DNS leak test here https://whoer.net/dns-leak-test, shows my DNS as protected; the rest do not.
Can anyone help, and what provider should I choose so that when I do a DNS test it shows my DNS queries are protected?
_________________ Netgear R7000
DD-WRT DD-WRT v3.0-r50595 std (10/23/22)
Manchester
Enable dnsmasq- Yes
Encrypt DNS- NO
DNSCrypt Resolver- No Using Smart DNS
Cache DNSSEC Data- Yes
Validate DNS Replies (DNSSEC)- NO
Check Unsigned DNS Replies- NO
No DNS Rebind- Enable
Query DNS in Strict Order- Enable
Add Requestor MAC to DNS Query- Disable
RFC4039 Rapid Commit Support- Enable
Maximum Cached Entries- 1500
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Thu Aug 11, 2022 0:56 Post subject:
Those lesser-known sites that purport to check for protection generally are put up by VPN firms that tell you that you have no protection unless you are using their VPN. The de facto standard DNS test in this community is at dnsleaktest.com. It won't announce "protected!" or not, because it's not aimed at beginners. You need to be able to look at its display and know from what you see whether you are seeing the DNS servers you want to see or the ones your ISP provides.
There are a million opinions on what DNS system to use. If you are using the dd-wrt DNSCrypt encryption, however, there are only a few providers in the menu that satisfy (1) are in the US or Europe, (2) are substantial organizations with many DNS servers, (3) support DNSSEC, (4) have no (or minimal) logging, (5) filter out known malware domains, (6) do NOT use the EDNS (are those the right initials?) system to send part of your IP upstream, and (7) are quite fast. Those were my personal criteria when I reviewed my choices last week. Just as the last time I went through that exercise, I ended up settling on Quad9. They log the metro area you are in, but not your IP, but you and I both access DNS via a VPN, so who cares what location they record? And note that in dnsleaktest.com output, you can recognize their servers as those with ISP listed as WoodyNet. More on them at quad9.net.
The AdGuard system is worth a look as well, but in my testing they were slower, I believe because they send queries (anonymously) to google DNS and maybe cloudflare DNS and others and then filter out malware and adware domains before forwarding the responses to you. See https://adguard-dns.io/en/public-dns.html
To wade through the choices on your own, see dnscrypt.info and look for the master provider list. The dd-wrt menu was taken from that master list some months ago and should still match it pretty well.
_________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
Joined: 04 Mar 2021 Posts: 65 Location: Manchester
Posted: Fri Aug 19, 2022 6:10 Post subject:
Hello Guru,
Followed your advice and used Adguard. I did try Quad9, which seems to work faster, but Adguard has a better privacy policy, although it does not matter since we are both on VPN.
I am having issues with my DDWRT router at the moment though, because when I use a torrent client I am unable to browse websites and cannot understand why. I turned off the firewall but to no effect, and it was not like this before this update/2022/08-15-2022-r49741. Any ideas?
I think I may have to reset my router because I have been having issues which I thought the update fixed (latest beta), but it seems to have made things worse.
I must add that Tomato firmware, which I am currently using, works like a charm, but I prefer DDWRT, which requires time.
I am connected using WAN on the router; the main router is 192.168.1.1 and DDWRT is 192.168.2.1, using RJ45 to connect.
Cheers lad.
Joined: 04 Mar 2021 Posts: 65 Location: Manchester
Posted: Sun Aug 21, 2022 23:51 Post subject: SmartDNS Resolver
When I enable SmartDNS Resolver, Encrypt DNS is disabled by itself after I save. Could anyone please tell me what I should do to sort this out?
Joined: 16 Nov 2015 Posts: 6446 Location: UK, London, just across the river..
Posted: Mon Aug 22, 2022 8:20 Post subject: Re: SmartDNS Resolver
manchesterblack wrote:
When I enable SmartDNS Resolver, Encrypt DNS is disabled by itself after I save. Could anyone please tell me what I should do to sort this out?
You don't need them both... use SmartDNS only and do the crypt there...!
It's faster, it works out of the box and you can use more than one server...
Just add those to the advanced SmartDNS config box
(or any other option that supports DNS over HTTPS or TLS).
I did add that and stopped using DNS encrypt. Just to let you know, I also have the code below in my OpenVPN section under Additional Configuration. Not sure what it does, but a Guru says it forces the router not to use the VPN DNS servers:
pull-filter ignore "dhcp-option DNS6 "
pull-filter ignore "dhcp-option DNS "
Should I keep this or delete it?
Thank you mate.
in DNSmasq Additional Options
Validate DNS Replies (DNSSEC) - disabled
Encrypt DNS - disabled
Check Unsigned DNS Replies - disabled, as you don't have Validate DNS Replies any more...
Those are in OpenVPN Client > Additional Configuration:
pull-filter ignore "dhcp-option DNS6 "
pull-filter ignore "dhcp-option DNS "
_________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Last edited by Alozaros on Sat Aug 27, 2022 12:03; edited 1 time in total
Joined: 04 Mar 2021 Posts: 65 Location: Manchester
Posted: Fri Aug 26, 2022 20:22 Post subject:
Use Additional Servers Only - enabled
in DNSmasq Additional Options
Validate DNS Replies (DNSSEC) - disabled
Encrypt DNS - disabled
The above settings seemed to work because before I could not get Netflix to work and I was also having issues with the internet connection.
those are in OpenVPN Client>Additional Configuration
pull-filter ignore "dhcp-option DNS6 "
pull-filter ignore "dhcp-option DNS "
I am not sure whether to keep this script from your message (pull-filter etc.) or delete it. I have currently kept it, and the connection still works, as does Netflix. Please advise. I do not know if this script repeats the work done by DNSmasq. Yes, it is much faster.
Cheers.
Joined: 04 Mar 2021 Posts: 65 Location: Manchester
Posted: Fri Aug 26, 2022 22:30 Post subject:
Another question: according to this post https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=323866&sid=1e6a01132f32ee435346b3d652306dd6 I need to choose between Smart DNS Resolver and DNSMASQ. I have both on. Is this an issue? Everything works fine, by the way, with both on, as you can see from my previous post. Cheers.
DNSMasq automatically points to SmartDNS as its resolver when both are enabled. No need to disable DNSMasq.
_________________ "The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
Joined: 04 Mar 2021 Posts: 65 Location: Manchester
Posted: Sat Aug 27, 2022 9:40 Post subject:
pull-filter ignore "dhcp-option DNS6 "
pull-filter ignore "dhcp-option DNS "
Those will ignore your VPN's forced DNS and will use whatever you have set on your system... so, keep those for sure.
And yes, leave DNSmasq on, as it's the backbone of the DDWRT system...
SmartDNS works in conjunction with it...
Cheers for the confirmation of the above.
On SmartDNS Resolver, I have Dual Stack IP Selection disabled. Everything works fine, no issues at all, and the logs are much better and less yellow (it was all yellow two days ago, every page; now it is as clear as the sky). Should I leave it as it is?
Dnsmasq Infrastructure settings are as below; should I change anything or simply leave it?
Cache DNSSEC Data- disabled
Validate DNS Replies (DNSSEC)- disabled
Check Unsigned DNS Replies- enabled
No DNS Rebind- enabled
Query DNS in Strict Order- enabled and will not change due to previous advice from Gurus.
Add Requestor MAC to DNS Query- disabled
RFC4039 Rapid Commit Support- disabled
Cheers to 1. strange 2. dale_gribble39 (always replied) 3. Alozaros the Guru, mate you helped me a lot.
I want to save the configuration and back it up so it is saved. It is funny, I was about to give up on DDWRT for Tomato but persisted, everything is so fast, what have I been doing all these years?
Cheers and enjoy your weekend lads.
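The two pull-filter lines passed around in this thread work by prefix match: OpenVPN drops any server-pushed option whose text starts with the quoted string, and the trailing space inside "dhcp-option DNS " is what stops that line from also covering "dhcp-option DNS6 ...", which is why both lines are needed. The shell script below is an added example, not code from this thread, from DD-WRT or from OpenVPN; it simulates that prefix match on a constructed PUSH_REPLY option list (the pushed addresses are made up for illustration, and the function names are this example's own) so you can see which options would still be applied with one filter versus both.

```sh
#!/bin/sh
# Added example: simulate how OpenVPN's `pull-filter ignore "<prefix>"` drops
# server-pushed options. The prefix is matched literally, so the trailing space
# in "dhcp-option DNS " does not match "dhcp-option DNS6 ..."; that is why the
# OpenVPN Client > Additional Configuration in this thread carries both lines.

# Constructed sample PUSH_REPLY options (made up for this example, not captured
# from any real VPN provider).
PUSHED_OPTIONS='dhcp-option DNS 10.8.0.1
dhcp-option DNS6 fd00:1234::1
dhcp-option DOMAIN vpn.example
redirect-gateway def1
route 10.8.0.0 255.255.255.0'

# apply_pull_filters OPTIONS PREFIX... : print every pushed option that does
# not start with one of the ignore prefixes, i.e. the ones OpenVPN would apply.
apply_pull_filters() {
    opts=$1
    shift
    printf '%s\n' "$opts" | while IFS= read -r line; do
        keep=1
        for prefix in "$@"; do
            case "$line" in
                "$prefix"*) keep=0; break ;;
            esac
        done
        if [ "$keep" -eq 1 ]; then
            printf '%s\n' "$line"
        fi
    done
}

# count_dns_options OPTIONS : number of pushed DNS/DNS6 server options still
# present, i.e. resolvers that would replace the router's own (SmartDNS/dnsmasq)
# setup if they were not filtered out.
count_dns_options() {
    printf '%s\n' "$1" | grep -Ec '^dhcp-option DNS6? ' || true
}

# Only the IPv4 filter: the DNS6 option survives, so one VPN resolver leaks in.
partial=$(apply_pull_filters "$PUSHED_OPTIONS" 'dhcp-option DNS ')
echo "With one filter, DNS options still applied: $(count_dns_options "$partial")"

# Both filters, as used in the thread: no pushed DNS server is applied, while
# routes and the search domain still come through.
filtered=$(apply_pull_filters "$PUSHED_OPTIONS" 'dhcp-option DNS6 ' 'dhcp-option DNS ')
echo "With both filters, DNS options still applied: $(count_dns_options "$filtered")"
echo "Options that remain:"
printf '%s\n' "$filtered"
```

To check the real thing on the router rather than this simulation, compare the resolvers listed in the OpenVPN client log after connecting with the ones you configured in SmartDNS; with both pull-filter lines in place, none of the VPN-pushed addresses should appear in the router's active resolver list.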