Dnscrypt from opendns

[bilboSNB]

stop isp sniffing dns leaks

 

[Calisro]

Did I messed up with wiki? Tested twice on clean installation with no issues.

PS I have to add postinst script of fke-hwclock package to save current time after it was installed.
PPS Wait, I've done that before No need to run fke-hwclock right after installation.

I don't think so. I originally thought there was a problem but it seems the user was having entware problems itself.

 

[bilboSNB]

For this to work properly, does it matter what dns settings you have under the wan section, eg I have manually entered the opendns servers here rather than automatically use dns from isp?

 

[Calisro]

For this to work properly, does it matter what dns settings you have under the wan section, eg I have manually entered the opendns servers here rather than automatically use dns from isp?

Not those under the WAN section. Those do not matter. You're going to be telling dnsmasq to use dnscrypt port instead so those settings are now ignored by dnsmasq.

 

[bayern1975]

i am insert USB drive in asus rt-ac68u and try to install entware and dnscrypt but i got errors? I lost internet connection....what is wrong with my installation? here is a log:
http://pastebin.com/cDCi5mg4

Oct 21 18:52:57 dnscrypt-proxy[807]: Proxying from 127.0.0.1:65053 to 208.67.220.220:443

i think i solved this problem but why my real IP is still visible on the internet? and i chose number 2, i think cisco server....how can i change servers or set to default or automatic dnsproxy to choose?

 

[Zirescu]

dnscrypt-proxy purpose is not to hide your real IP.

DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered with.

 

[joegreat]

i am insert USB drive in asus rt-ac68u and try to install entware and dnscrypt but i got errors? I lost internet connection....what is wrong with my installation? here is a log:
http://pastebin.com/cDCi5mg4

Oct 21 18:52:57 dnscrypt-proxy[807]: Proxying from 127.0.0.1:65053 to 208.67.220.220:443

Hi,

There is something wrong with your configuration: opendns provider now called cisco and the message "Server certificate #1435874751 received" is missing. On top evey hour you should have a "Refetching server certificates" message in the syslog.log (see details below).

Funny enough: the Proxying message looks correct!

Most likely you run an older version of dnscrypt. A update of Entware with the command: opkg update & opkg upgrade & sleep 2 & reboot would solve the problem.

With kind regards
Joe

Oct 21 23:25:42 dnscrypt-proxy: - [cisco] does not support DNS Security Extensions
Oct 21 23:25:42 dnscrypt-proxy: - [cisco] does not support Namecoin domains
Oct 21 23:25:42 dnscrypt-proxy: - [cisco] logs your activity - a different provider might be better a choice if privacy is a concern
Oct 21 23:25:42 dnscrypt-proxy[1297]: Starting dnscrypt-proxy 1.6.0
Oct 21 23:25:42 dnscrypt-proxy[1297]: Generating a new session key pair
Oct 21 23:25:42 dnscrypt-proxy[1297]: Done
Oct 21 23:25:42 admin: Started  from .

Oct 21 23:25:42 dnscrypt-proxy[1297]: Server certificate #1435874751 received
Oct 21 23:25:42 dnscrypt-proxy[1297]: This certificate looks valid
Oct 21 23:25:42 dnscrypt-proxy[1297]: Chosen certificate #1435874751 is valid from [2015-07-03] to [2016-07-02]
Oct 21 23:25:42 dnscrypt-proxy[1297]: Server key fingerprint is ED19:BFBA:FAFC:9257:DFDC:68C7:69BF:AC24:94CD:743F:3C1D:4966:134D:FE2C:4BDC:F315
Oct 21 23:25:42 dnscrypt-proxy[1297]: Proxying from 127.0.0.1:65053 to 208.67.220.220:443
Oct 21 23:25:42 admin: Started transmission-daemon from .

Oct 22 00:26:10 dnscrypt-proxy[1297]: Refetching server certificates
Oct 22 00:26:10 dnscrypt-proxy[1297]: Server certificate #1435874751 received
Oct 22 00:26:10 dnscrypt-proxy[1297]: This certificate looks valid
Oct 22 00:26:10 dnscrypt-proxy[1297]: Chosen certificate #1435874751 is valid from [2015-07-03] to [2016-07-02]
Oct 22 00:26:10 dnscrypt-proxy[1297]: Server key fingerprint is ED19:BFBA:FAFC:9257:DFDC:68C7:69BF:AC24:94CD:743F:3C1D:4966:134D:FE2C:4BDC:F315

 

[bayern1975]

dnscrypt-proxy purpose is not to hide your real IP.

thank you for reply....so i need to know if it possible to change dnscrypt server? i choose number 2 from list and for example i would like to change to server at number 17?

 

[bayern1975]

Hi,

There is something wrong with your configuration: opendns provider now called cisco and the message "Server certificate #1435874751 received" is missing. On top evey hour you should have a "Refetching server certificates" message in the syslog.log (see details below).

Funny enough: the Proxying message looks correct!

Most likely you run an older version of dnscrypt. A update of Entware with the command: opkg update & opkg upgrade & sleep 2 & reboot would solve the problem.

With kind regards
Joe

i got something like you post here:

admin: Started  from .
dnscrypt-proxy[1297]: Server certificate #1435874751 received
dnscrypt-proxy[1297]: This certificate looks valid
dnscrypt-proxy[1297]: Chosen certificate #1435874751 is valid from [2015-07-03] to [2016-07-02]
dnscrypt-proxy[1297]: Server key fingerprint is ED19:BFBA:FAFC:9257:DFDC:68C7:69BF:AC24:94CD:743F:3C1D:4966:134D:FE2C:4BDC:F315
dnscrypt-proxy[1297]: Proxying from 127.0.0.1:65053 to 208.67.220.220:443

but test site says you aren´t using openDNS?
http://welcome.opendns.com/

 

[bayern1975]

still waiting for answer how to change dnscrypt server....i am using cisco from number 2 within installation....there are 53 servers i think....server from number 17 i think not working.....i test it now with new installation....

EDIT: got it on page 11....

Only Cisco server do the test at http://welcome.opendns.com , all the other servers do not make the test?

I do not know why

 

[joegreat]

but test site says you aren´t using openDNS?
http://welcome.opendns.com/

Hi,

When I check OpenDNS is get the nice greeting:

Welcome to OpenDNS!
Your Internet is safer, faster, and smarter
because you’re using OpenDNS.
Thank you!​

Did you disable DNS on the WAN page / DNS Settings?
- Connect to DNS Server automatically = No
- DNS Server1 & DNS Server2 = empty

Check the resolver settings on the router by:
cat /tmp/resolv.conf
cat /tmp/resolv.dnsmasq
Both should be empty.

Check the final DNS configuration after a reboot:
cat /etc/dnsmasq.conf
for the dnscrypt settings at the end.

With kind regards
Joe

 

[bayern1975]

@joegreat, what dnscrypt server you use? Cisco? ok, i will check that settings and will post here....

 

[joegreat]

@joegreat, what dnscrypt server you use? Cisco? ok, i will check that settings and will post here....

Yes, Cisco - was recently renamed from OpenDNS...

 

[wbennett77]

Here's my wiki mod. No Optware or Entware required.

/jffs/scripts/wan-start

#!/bin/sh
logger -t $(basename $0) "started [$$]"

/bin/pidof dnscrypt-proxy > /dev/null 2>&1 || \
(
  # Now resolve DNS name for NTP server
  ntp_name=$(nvram get ntp_server0)
  grep "$ntp_name" /jffs/configs/hosts.add > /dev/null 2>&1 || \
  for ip in $(/jffs/bin/hostip $ntp_name)
  do
    echo $ip $ntp_name >>  /jffs/configs/hosts.add
  done

  # restart NTP client to eliminate 4-5 mins delay
  killall ntp
  sleep 1
  service restart_dnsmasq
  service restart_ntpc
  sleep 5

  # wait up to 5 minutes to make sure the router has the correct time
  tmax=300
  i=0
  while [ $i -le $tmax ]
  do
    if [ "$(nvram get ntp_ready)" -eq "1" ]
    then
      break
    fi
    logger "Waiting for correct time to be set."
    sleep 1
    i=`expr $i + 1`
  done

  # dnscrypt-proxy requires the correct time for certificate validation
  /jffs/bin/dnscrypt-proxy --local-address=127.0.0.1:60053 --ephemeral-keys --resolver-name=dnscrypt.org-fr --resolvers-list=/jffs/bin/dnscrypt-resolvers.csv --daemonize
  /jffs/bin/dnscrypt-proxy --local-address=127.0.0.1:60054 --ephemeral-keys --resolver-name=soltysiak --resolvers-list=/jffs/bin/dnscrypt-resolvers.csv --daemonize
)

/jffs/configs/dnsmasq.conf.add

...
### dnscrypt
no-resolv
server=127.0.0.1#60053 # dnscrypt
server=127.0.0.1#60054 # dnscrypt
...

I tried this but nothing would resolve....

 

[Jemail]

I tried this but nothing would resolve....

Entware installed with no errors, required opkg packages installed with no errors. I have followed the wiki instructions given, but I get no internet.
I tried ASAT instructions, but I get no internet. I've looked through this thread and see some people have it working (but they have tweaked configs that they do not reproduce step by step for others to follow), some don't.

So far I cannot get this working and I have spent over 4hrs reading and trying.

 

[ASAT]

I tried this but nothing would resolve....

My method is for Dnscrypt that you compile yourself using an ARM cross compiler included with the Asuswrt-Merlin firmware, and copy to /jffs/bin.

If you can't get it to compile, then use Entware. It should be easy. The Dnscrypt service startup script is in /opt/etc/init.d. If you need multiple instances of Dnscrypt, I think you could just copy the service startup script and edit to change the startup parameters for the 2nd instance.

If problems persist, then telnet/ssh to the router and "cat /tmp/syslog.log" to see what's going on.

 

[Zirescu]

still waiting for answer how to change dnscrypt server....i am using cisco from number 2 within installation....there are 53 servers i think....server from number 17 i think not working.....i test it now with new installation....

EDIT: got it on page 11....

Only Cisco server do the test at http://welcome.opendns.com , all the other servers do not make the test?

I do not know why

The OpenDNS test will only work with the Cisco/OpenDNS servers.

 

[bayern1975]

which is best, the fastest and the lowest ping dnscrypt server?

 

[Zirescu]

which is best, the fastest and the lowest ping dnscrypt server?

Depends if you want faster response or no logging. Generally I try to pick a server that is physically closest to me that doesn't log.

 

[RMerlin]

Depends if you want faster response or no logging. Generally I try to pick a server that is physically closest to me that doesn't log.

Closest is also always a good idea, for geolocation purposes with CDNs. Response time is irrelevant, as we're talking milliseconds there, and your router caches the first answer for any subsequent lookups on the same hostname.