Combine privoxy with dnscrypt

TheTux

New Around Here
Hello!

I configured the router with dnscrypt and privoxy as described in the wiki articles.
Everything works fine - as long as each tool is working on its own.

As soon as I include an IP for privoxy I lose the dnscrypt function.
I don't know how to configure privoxy to use dnscrypt for the Nameserver part.
Have tried using a forward rule or even forward-socks but it's not working.

Is anyone using this combination and can give me a hint where to make the necessary entry(s)?

Thanks
TheTux
 
It's working for me.
I have tested it with tcpdump and dig.
I have temporarily pointed Firefox on my laptop to use privoxy, which is on 192.168.1.1:8123 with me.

Code:
# dig txt debug.opendns.com
; <<>> DiG 9.8.1-P1 <<>> txt debug.opendns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29759
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com.		IN	TXT

;; ANSWER SECTION:
debug.opendns.com.	0	IN	TXT	"server 3.ams"
debug.opendns.com.	0	IN	TXT	"flags 20 0 2ce 0"
debug.opendns.com.	0	IN	TXT	"id 15990703"
debug.opendns.com.	0	IN	TXT	"source 213.119.97.171:35582"
debug.opendns.com.	0	IN	TXT	"dnscrypt enabled (7136666E76576A42)"

;; Query time: 21 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jul 20 10:24:30 2013
;; MSG SIZE  rcvd: 212

If dnscrypt is correctly configured, it should just work.
 
Hello,

I forgot to mention that I wanted to do this via iptables
on the router and not via the proxy settings on the client itself.
The other version also worked without problems, but not via iptables.

I did the test you mentioned but couldn't reach the server at all. :confused:
Even with only the OpenDNS configuration running (verified via website).

Thanks
TheTux
 
Hi,

Hmm, strange that you could not reach the server (with dig) and were still able to successfully pass the test on the website.
Try this: dig txt debug.opendns.com @208.67.222.222
dig txt debug.opendns.com @127.0.0.1
If dnscrypt is working correctly both must reply with a "dnscrypt enable" answer.
You can force your clients to use the router-configured DNS servers with this rule from the asuswrt-merlin wiki:
Code:
# /jffs/scripts/nat-start
iptables -I PREROUTING -t nat -p udp -s `nvram get lan_ipaddr`/`nvram get lan_netmask` ! -d `nvram get lan_ipaddr`/`nvram get lan_netmask` --dport 53 -j DNAT --to-destination `nvram get lan_ipaddr`

This will intercept HTTP traffic and redirect it into Privoxy using iptables.

Code:
iptables -t nat -A PREROUTING --source 192.168.1.x \
  -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

# multiple IPs
iptables -t nat -A PREROUTING -m iprange --src-range 192.168.1.x-192.168.1.x \
  -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
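The two dig checks above, turned into a small script that classifies each resolver's answer. This is an added example, not code from the thread: the awk parsing of the debug.opendns.com TXT records is mine, the resolver addresses in the loop are assumed from the thread, and the sample answer is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): automate the "dig txt debug.opendns.com" check.
# dnscrypt_status reads `dig txt debug.opendns.com @<resolver>` output on stdin
# and prints "dnscrypt <ip>", "plain <ip>" or "unknown".
dnscrypt_status() {
    # OpenDNS answers with several TXT records. "dnscrypt enabled (...)" is
    # only present when the query arrived over a DNSCrypt session, and
    # "source <ip>:<port>" is the public address OpenDNS saw, i.e. which
    # resolver really sent the query (the router's WAN IP, or the ISP's).
    awk '
        /^debug\.opendns\.com\..*TXT/ {
            seen = 1
            if ($0 ~ /"dnscrypt enabled/) crypt = 1
            if ($0 ~ /"source /) {
                src = $0
                sub(/.*"source /, "", src)   # drop everything up to the value
                sub(/".*/, "", src)          # drop the closing quote
                sub(/:.*/, "", src)          # drop the source port
            }
        }
        END {
            if (!seen)        print "unknown"        # timeout, SERVFAIL, no answer
            else if (crypt)   print "dnscrypt " src
            else              print "plain " src
        }'
}

# Query one resolver and classify its answer. $1 = resolver address.
check_resolver() {
    dig +time=3 +tries=1 txt debug.opendns.com "@$1" 2>/dev/null | dnscrypt_status
}

# Constructed sample (shape taken from the thread's dig output, TEST-NET address)
# so the parser can be tried without network access.
SAMPLE_ANSWER='debug.opendns.com.  0  IN  TXT  "source 203.0.113.5:60686"
debug.opendns.com.  0  IN  TXT  "dnscrypt enabled (7136666E76576A42)"'
printf '%s\n' "$SAMPLE_ANSWER" | dnscrypt_status    # prints: dnscrypt 203.0.113.5

# With dnscrypt-proxy behind dnsmasq and the port-53 DNAT rule in place, the
# router and even a direct query to 208.67.222.222 (intercepted by that rule)
# both report "dnscrypt". A "plain" or "unknown" line means some host (a phone,
# or the machine Privoxy runs on) is resolving around the router.
if command -v dig >/dev/null 2>&1; then
    for r in 127.0.0.1 192.168.1.1 208.67.222.222; do   # assumed addresses
        printf '%-16s %s\n' "$r" "$(check_resolver "$r")"
    done
fi
```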
 
Hi!

Sorry, it seems my dig was corrupt; it gave me no connection to the server.
I downloaded a fresh one from the BIND website and then it worked flawlessly.

I am getting the dnscrypt enable message exactly as in your post.
But when I try to pass the tests from the OpenDNS site, none of them work.
Is this the normal behaviour when combining the two methods, or is it working for you?

I performed the dig from a notebook of mine included in the iptables privoxy range.

Code:
; <<>> DiG 9.9.0 <<>> txt debug.opendns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3698
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com.             IN      TXT

;; ANSWER SECTION:
debug.opendns.com.      0       IN      TXT     "server 3.ams"
debug.opendns.com.      0       IN      TXT     "flags 20 0 2f4 800000000000000"

debug.opendns.com.      0       IN      TXT     "id 0"
debug.opendns.com.      0       IN      TXT     "source 80.243.43.130:60686"
debug.opendns.com.      0       IN      TXT     "dnscrypt enabled (7136666E76576A42)"

;; Query time: 46 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Jul 23 21:51:54 2013
;; MSG SIZE  rcvd: 218

Thanks!
TheTux
 
On a sort of related note, what if I had privoxy running on another machine on the net?

What would the iptables rule be to redirect all HTTP traffic to port 3128 on machine x on my network?
 
I currently have OpenDNS as my DNS of choice on my router and use dnsmasq so that a handful of sites use the unblock-us DNS. Would it be possible to use OpenDNS DNSCrypt for all traffic apart from the sites which use unblock-us via dnsmasq?
 
I am getting the dnscrypt enable message exactly as in your post.
But when I try to pass the tests from the OpenDNS site, none of them work.
Is this the normal behaviour when combining the two methods, or is it working for you?

In the original setup thread there were also people who failed to pass at least one test.
As long as dnscrypt-proxy fetches the certificates it shouldn't be a problem. ;)
But tests x and x should work with privoxy.
On the OpenWrt wiki they said this:

Code:
How to check you are using OpenDNS servers
*   The OpenDNS welcome page should display Oops…, otherwise your clients are using OpenDNS directly, i.e. they are bypassing DNSCrypt.
x   The OpenDNS demonstration phishing test page should block you.
x   The OpenDNS typo test page should resolve to the real Craigslist site.
    The DNS randomness test will show you actual IP of your DNS. You can check here if the IP is associated with OpenDNS (put the IP in search field).

* Not sure about this, I passed all three tests and am also using dnscrypt (with an OpenDNS account).
What doesn't make sense to me is that you say DNS testing fails only with privoxy.

From the man pages:
Code:
First of all, the DNS resolution is done by the underlying operating system -- not Privoxy itself. Privoxy merely initiates the process and hands it off, and then later reports whatever the outcome was and tries to give a coherent message if there seems to be a problem. In some cases, this might otherwise be mitigated by the browser itself which might try some work-arounds and alternate approaches (e.g adding "www." to the URL).

So tests x and x fail with or without privoxy, or tests x and x pass with or without privoxy.
 
On a sort of related note, what if I had privoxy running on another machine on the net?

What would the iptables rule be to redirect all HTTP traffic to port 3128 on machine x on my network?

Adding a destination IP:

Code:
# REDIRECT can only target the router itself; to hand HTTP to a proxy on another LAN host use DNAT (192.168.1.y = the proxy host, placeholder)
iptables -t nat -A PREROUTING --source 192.168.1.x -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.y:3128
# and masquerade so the proxy's replies come back through the router instead of going straight to the client
iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.y --dport 3128 -j MASQUERADE
 
I currently have OpenDNS as my DNS of choice on my router and use dnsmasq so that a handful of sites use the unblock-us DNS. Would it be possible to use OpenDNS DNSCrypt for all traffic apart from the sites which use unblock-us via dnsmasq?

Yes, it's possible.
I'm doing the same for Netflix.
You already place the sites in dnsmasq.conf.add.
Just install dnscrypt and it will work. http://forums.smallnetbuilder.com/showthread.php?t=11645
 
Hello Krabs,

unfortunately my configuration doesn't work.

As soon as I use an IP from within the privoxy "controlled" area the tests are failing.
If I change my IP so I only use dnscrypt on the router I pass all of the tests.

The phishing site opens the "dangerous" version.
Craigslist.org gets answered by privoxy, with a "not found" error message.
It has to be something in my privoxy configuration, but what?

Privoxy is working fine and filters out the unwanted stuff.
Maybe I should just check with plain privoxy and throw out the blocking lists.

As soon as I am at home I can provide the configuration files too.

Thanks
TheTux
 
Hello!

I had not much time in the last few days, but now I am back ;)

I have updated to the latest Merlin Release and installed
everything from scratch exactly as told. But the error
still exists.

So here are my config files:

dnsmasq.conf.add
Code:
no-resolv
server=127.0.0.1#65053

Output of DIG from notebook in privoxy range

firewall-start
Code:
#!/bin/sh
iptables -t nat -A PREROUTING --source 192.168.1.30 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

post-mount
(moved unslung here because the USB mount is too slow)
Code:
#!/bin/sh

if [ "$1" = "/tmp/mnt/sda1" ]
then
  ln -sf $1/entware /tmp/opt
  /opt/etc/init.d/rc.unslung start
fi

wan-start
Code:
#!/bin/sh

# Wait up to 15 seconds to make sure /opt partition is mounted
i=0
while [ $i -le 15 ]
do
  if [ -d /opt/tmp ]
   then
    break
   fi
 sleep 1
 i=`expr $i + 1`
done

# Now resolve DNS name for NTP server
ntp_name=$(nvram get ntp_server0)
grep "$ntp_name" /etc/hosts > /dev/null 2>&1 || \
for ip in $(/opt/sbin/dnscrypt-proxy-hostip "$ntp_name")
 do
  echo "$ip $ntp_name" >> /etc/hosts
 done

# and restart NTP client to eliminate 4-5 mins delay
killall ntp && sleep 1
service restart_ntpc

/etc/hosts
Code:
127.0.0.1 localhost.localdomain localhost
192.168.1.1 router.asus.com
192.168.1.1 www.asusnetwork.net
192.168.1.1 www.asusrouter.com
192.168.1.1 RT-N66U. RT-N66U
213.206.85.19 pool.ntp.org
87.195.109.207 pool.ntp.org
93.94.224.67 pool.ntp.org
5.39.184.5 pool.ntp.org

config (privoxy)
Code:
confdir /opt/etc/privoxy
logdir /opt/var/log
filterfile default.filter
logfile privoxy
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
actionsfile default.action   # Main actions file
actionsfile easylistgermany.script.action
actionsfile easylist.script.action
actionsfile user.action
filterfile easylistgermany.script.filter
filterfile easylist.script.filter
filterfile user.filter
listen-address  0.0.0.0:3128
toggle  1
enable-remote-toggle  1
enable-remote-http-toggle  0
enable-edit-actions 1
enforce-blocks 0
buffer-limit 4096
forwarded-connect-retries  0
accept-intercepted-requests 1
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 300
socket-timeout 300
#permit-access  192.168.1.0/24
debug   1    # show each GET/POST/CONNECT request
debug   4096 # Startup banner and warnings
debug   8192 # Errors - *we highly recommended enabling this*
#admin-address privoxy-admin@example.com
#proxy-info-url http://www.example.com/proxy-service.html

DIG output stays exactly the same as posted before.
But with DIG I am only querying DNS.
Privoxy can't interfere here as I only forward port 80 to it.

As soon as I assign the privoxy-controlled IP or use a proxy in the browser config I can't pass the tests on the OpenDNS page.
Seems like Privoxy won't use the OpenDNS stuff but does the stuff on its own.

Any further ideas on this?

Thanks!
 
Hi, try this config file:

Code:
confdir /opt/etc/privoxy
logdir /opt/var/log
filterfile default.filter
logfile privoxy
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
actionsfile default.action   # Main actions file
actionsfile easylistgermany.script.action
actionsfile easylist.script.action
#actionsfile user.action
filterfile easylistgermany.script.filter
filterfile easylist.script.filter
#filterfile user.filter
listen-address  192.168.1.1:3128
toggle  1
enable-remote-toggle  1
enable-remote-http-toggle  0
enable-edit-actions 1
enforce-blocks 0
buffer-limit 4096
forwarded-connect-retries  0
accept-intercepted-requests 1
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 300
socket-timeout 300
# source-address form is src_addr[/masklen]; brackets are only for IPv6 literals
permit-access  192.168.1.0/24
debug   1    # show each GET/POST/CONNECT request
debug   4096 # Startup banner and warnings
debug   8192 # Errors - *we highly recommended enabling this*
#admin-address privoxy-admin@example.com
#proxy-info-url http://www.example.com/proxy-service.html
 
Hello Krabs,

shame on me!

Privoxy was not querying the local device but the entries provided by my ISP.
Changing the automatic DNS connection to manual and setting the router as nameserver did the trick!

Now all the ads are gone and I am using the encrypted DNS!

Thanks
TheTux
 
Hi TheTux

Never thought that should be the problem, because adding no-resolv must prevent the use of the nameservers in /etc/resolv.conf (ISP nameservers or manually inserted). So actually it doesn't matter what's filled in as the DNS nameservers; you have added them manually like server=127.0.0.1#65053.

Well, it's possible your phone was using the ISP nameservers. Then you could have solved it by letting the router redirect all DNS queries, by inserting this rule from Merlin's wiki in /jffs/scripts/nat-start:

Code:
iptables -I PREROUTING -t nat -p udp -s `nvram get lan_ipaddr`/`nvram get lan_netmask` ! -d `nvram get lan_ipaddr`/`nvram get lan_netmask` --dport 53 -j DNAT --to-destination `nvram get lan_ipaddr`

but I'm glad you solved it. :)
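The port-53 DNAT rule quoted here and the Privoxy REDIRECT rule from earlier in the thread, combined into one nat-start script that can be re-run safely. This is an added example, not the wiki's or the thread's own script; the client range 192.168.1.30-192.168.1.39 and port 3128 are assumptions, and it relies on iptables supporting -C (rule check).

```shell
#!/bin/sh
# /jffs/scripts/nat-start: added example, not the thread's or the Asuswrt-Merlin wiki's script.
# Every LAN client is forced to resolve through the router (so a client still
# configured with the ISP's nameservers cannot bypass dnscrypt-proxy), and plain
# HTTP from the chosen clients goes to Privoxy. Range and port are assumptions.
PRIVOXY_PORT=3128
PRIVOXY_CLIENTS=192.168.1.30-192.168.1.39   # constructed range, adjust to your LAN

if command -v nvram >/dev/null 2>&1; then   # on the router: read LAN settings from nvram
    LAN_IP=$(nvram get lan_ipaddr)
    LAN_MASK=$(nvram get lan_netmask)
else                                        # elsewhere (reviewing the script): constructed defaults
    LAN_IP=192.168.1.1
    LAN_MASK=255.255.255.0
fi

# Rule bodies are built by functions so they can be inspected without touching iptables.
dns_redirect_rule() {   # $1 = router LAN IP, $2 = LAN netmask
    echo "-p udp -s $1/$2 ! -d $1/$2 --dport 53 -j DNAT --to-destination $1"
}
http_redirect_rule() {  # $1 = client range a-b, $2 = Privoxy port
    echo "-m iprange --src-range $1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $2"
}

# Insert a rule only if it is not already present, so re-running nat-start
# (it fires on every firewall restart) does not pile up duplicate rules.
ensure_rule() {         # $1 = chain, remaining args = rule body
    chain=$1; shift
    iptables -t nat -C "$chain" "$@" 2>/dev/null || iptables -t nat -I "$chain" "$@"
}

if command -v nvram >/dev/null 2>&1; then
    # word splitting is intended: the strings are the iptables arguments
    ensure_rule PREROUTING $(dns_redirect_rule "$LAN_IP" "$LAN_MASK")
    ensure_rule PREROUTING $(http_redirect_rule "$PRIVOXY_CLIENTS" "$PRIVOXY_PORT")
else
    echo "not on the router; rules that would be inserted:"
    echo "iptables -t nat -I PREROUTING $(dns_redirect_rule "$LAN_IP" "$LAN_MASK")"
    echo "iptables -t nat -I PREROUTING $(http_redirect_rule "$PRIVOXY_CLIENTS" "$PRIVOXY_PORT")"
fi
```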
 