
Which my post just led me to think of something, and now it seems I have screwed things up somehow.

I went into the DNS Filtering options and turned that off; it was set to OpenDNS. When I did that I lost internet. So I rebooted the router to see if this would allow dnscrypt-proxy to begin working. After it restarted I checked the log, and when dnscrypt-proxy attempts to start I now get an error of:

Aug 1 00:11:55 dnscrypt-proxy[1410]: No useable certificates found

Which also leads me to notice that my clock is not syncing anymore, it appears. I have it set up to use "us.pool.ntp.org", which was previously working. It now says, though, underneath the settings there: "* Reminder: The system time has not been synchronized with an NTP server."

To reestablish my internet connection I had to re-enable my DNS Filtering.
 
Sorry for repeatedly posting. I figure I will leave my posts for others' reference if they run across the same issues as me.

I formatted the JFFS scripts/configs and started from scratch just now.
I first installed fake-hwclock. Then I installed dnscrypt-proxy and hostip. Chose server 20 (dnscrypt.org-fr). Rebooted the device after adding no-resolv, etc. to the jffs scripts.

Then I disabled DNS Filtering. Ran the tests again and it appears to be working this time, with some weirdness, unless it is normal, but I shall post it here.
* https://ipleaks.net - Everything looks good. Just the dnscrypt.org-fr DNS IP address for DNS address detection.
* http://dnssec.vs.uni-due.de/ - DNSSEC Resolver test completed with success.
* http://dnssectest.sidnlabs.nl/test.php - "This is taking unusually long"
* http://www.dnssec-failed.org/ - Failed this test. Page loaded.
* https://www.dnsleaktest.com/results.html - I don't remember how this test is supposed to go but it loads a page with "Cannot GET /results.html", so I believe it passed this test.
* http://dnscrypt.bit/ - This failed, page did not load.

Last thing: I'm still learning this a little, so forgive me, but I would just like to ask: if you connect to a VPN, is it supposed to use the DNS from the VPN and negate this dnscrypt-proxy setup on my router, correct?

After connecting to the VPN and going to https://ipleaks.net it shows my VPN address as my IP address and my DNS address, as well as the dnscrypt.org-fr DNS address. Then it also fails all of the tests above while connected to the VPN.

Thank you for the help by the way! It is greatly appreciated!

 
In your quest for perfection, you ran into issues because of dnscrypt-proxy being installed on both machine and router, and with DNS filtering enabled.

Additionally, removing fake-hwclock complicated the issue.

fake-hwclock is an excellent utility provided by @ryzhov_al,
without which there are/will be race conditions between dnscrypt-proxy and
NTP servers, which prevented/delayed dnscrypt-proxy starting.

Good to know everything is resolved on your end. :)

As for VPN DNS, it has been discussed a lot in this forum;
a few threads below (you can do an additional search to meet your requirement):

http://www.snbforums.com/threads/wan-dns-vs-dnscrypt-vs-vpn-client-dns-confusion.28181/#post-217270

http://www.snbforums.com/threads/vpn-dns-leak-issue.28883/

http://www.snbforums.com/threads/setting-dns-for-vpn-hosts.27843/#post-213668
 
What does this mean? Is it safe to use this dnscrypt server? Using the dnscrypt.org-fr server...
Code:
Dec 12 14:11:43 dnscrypt-proxy[811]: Received a suspicious reply from the resolver
Dec 12 14:11:44 dnscrypt-proxy[811]: Received a suspicious reply from the resolver
Dec 12 14:11:48 dnscrypt-proxy[811]: Received a suspicious reply from the resolver
 
Let me google this for you and the meaning will be clear to you: go to your DNS provider and ask him what he does wrong! ;)
 
No, only from dnscrypt.org-fr do I get these messages... so my DNS provider has nothing to do with this...
Yes, your DNS provider is dnscrypt.org-fr! :rolleyes:
With OpenDNS (my DNS provider) I have no problem... :eek:
 
Depends if you want faster response or no logging. Generally I try to pick a server that is physically closest to me that doesn't log.

How do I know which ones do no logging? Is it safe to do banking while using this, for example? :X



Can anyone guide me on how to do this? In Shibby Tomato there already is a dnscrypt field you just tick and that's it, but I'd rather not resort to using that if possible, since I like everything about RT Merlin's.

But the process seems a bit overly complicated for me.

I might be able to do PuTTY with a guide and install Entware and the other app for it, but configuring and doing scripts is beyond me X_X; settings need to be persistent across router reboots to make it worth even using.

Intended usage is to use a SOCKS5 proxy for the Tixati torrent client, but I read it's useless unless DNS is encrypted from the local ISP as well, using dnscrypt, which is available from OpenDNS (not Google yet). For additional protection for different security needs one can also use DNSSEC (Merlin added it to his new alpha for testing).


Anyway would appreciate some guidance on this :}
 
You can look at the resolvers on GitHub, then scroll to the right and look for the "No logs" column; it'll be Yes for those that do not perform logging. Some also support DNSSEC. https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv

The setup isn't that complicated, especially if you're only interested in enabling dnscrypt.
Step 1 - Format the USB key as ext2 or 3 (I use 2). Guide for doing it in Windows - http://www.partition-tool.com/easeus-partition-manager/linux-partition-manager.htm
Step 2 - Install Entware - https://github.com/RMerl/asuswrt-merlin/wiki/Entware#the-easy-way
Step 3 - Install dnscrypt - https://github.com/RMerl/asuswrt-merlin/wiki/Secure-DNS-queries-using-DNSCrypt

Once it's installed it'll run at boot.
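
The "No logs" column check above can be scripted. The following is an added example (mine, not code from the thread or from dnscrypt-proxy) that reads a file in the layout of dnscrypt-proxy 1.x's dnscrypt-resolvers.csv, keeps only entries marked "No logs" (optionally also "DNSSEC validation"), and rejects rows whose provider public key is not the 16 colon-separated groups of four hex digits the proxy expects, since a resolver with a malformed key could never have its certificates verified. The column names are reproduced from memory of the v1 CSV and the rows are constructed placeholders; check both against the real file before relying on the output.

```python
import csv
import io
import re

# Column names as used by dnscrypt-proxy 1.x's dnscrypt-resolvers.csv (from
# memory; verify against the real file). The rows are constructed placeholders
# for this example, not real resolvers.
SAMPLE_RESOLVERS_CSV = """\
Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
example-fr,Example FR,Constructed entry,France,,https://example.invalid,1,yes,yes,no,192.0.2.10:443,2.dnscrypt-cert.example.invalid,0123:4567:89AB:CDEF:0123:4567:89AB:CDEF:0123:4567:89AB:CDEF:0123:4567:89AB:CDEF,
example-logs,Example logging,Constructed entry,Germany,,https://example.invalid,1,yes,no,no,192.0.2.11:443,2.dnscrypt-cert.example.invalid,0123:4567:89AB:CDEF:0123:4567:89AB:CDEF:0123:4567:89AB:CDEF:0123:4567:89AB:CDEF,
example-nodnssec,Example no DNSSEC,Constructed entry,USA,,https://example.invalid,1,no,yes,no,192.0.2.12:443,2.dnscrypt-cert.example.invalid,0123:4567:89AB:CDEF:0123:4567:89AB:CDEF:0123:4567:89AB:CDEF:0123:4567:89AB:CDEF,
example-badkey,Example bad key,Constructed entry,Japan,,https://example.invalid,1,yes,yes,no,192.0.2.13:443,2.dnscrypt-cert.example.invalid,0123:4567,
"""

# A 32-byte ed25519 provider key written as 16 groups of 4 hex digits.
KEY_RE = re.compile(r"^(?:[0-9A-Fa-f]{4}:){15}[0-9A-Fa-f]{4}$")


def parse_provider_key(text):
    """Return the 32-byte provider public key, or None if the field is malformed."""
    if not KEY_RE.match(text.strip()):
        return None
    return bytes.fromhex(text.strip().replace(":", ""))


def load_resolvers(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def usable_resolvers(csv_text, require_no_logs=True, require_dnssec=False):
    """Names of resolvers matching the policy, in file order."""
    chosen = []
    for row in load_resolvers(csv_text):
        if require_no_logs and row["No logs"].strip().lower() != "yes":
            continue
        if require_dnssec and row["DNSSEC validation"].strip().lower() != "yes":
            continue
        if parse_provider_key(row["Provider public key"]) is None:
            continue  # certificates from this resolver could never be verified
        chosen.append(row["Name"])
    return chosen


def resolver_address(csv_text, name):
    """Look up the ip:port a chosen --resolver-name would connect to."""
    for row in load_resolvers(csv_text):
        if row["Name"] == name:
            return row["Resolver address"]
    return None


if __name__ == "__main__":
    for name in usable_resolvers(SAMPLE_RESOLVERS_CSV, require_dnssec=True):
        print(name, resolver_address(SAMPLE_RESOLVERS_CSV, name))
```

Point the script at the downloaded CSV instead of SAMPLE_RESOLVERS_CSV and feed the resulting names to --resolver-name; the no-logs flag is the resolver operator's own claim, so it is a policy filter, not a guarantee.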
 
Just a minor annoyance with syslog and dnscrypt. The time stamps used by dnscrypt seem to be logged in GMT, while the syslog default is based on the time zone. I was wondering why my log scraper kept missing lines in the log, since the timestamps aren't "time sequential" from its point of view... oh well, just an FYI for anyone else that sees this.
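
One scraper-side fix, as an added example of my own rather than kvic's tip or anything posted in the thread: parse the syslog lines, shift only the dnscrypt-proxy entries by the router's UTC offset, and re-sort, so the stream is sequential again. The log excerpt is constructed, the set of UTC-stamped tags and the -6 hour offset are assumptions for the demo, and the year is passed in because syslog timestamps carry none.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog excerpt (not from the thread). The router runs at UTC-6;
# dnscrypt-proxy stamps its lines in UTC, everything else in local time, so
# the dnscrypt-proxy lines read six hours ahead of their neighbours.
SAMPLE_SYSLOG = """\
Dec 12 08:11:40 rc_service: service restart_ntpc
Dec 12 14:11:43 dnscrypt-proxy[811]: Received a suspicious reply from the resolver
Dec 12 08:11:45 ntp: start NTP update
Dec 12 14:11:48 dnscrypt-proxy[811]: Received a suspicious reply from the resolver
Dec 12 08:11:50 ntp: NTP update successful
"""

# Assumption: only dnscrypt-proxy writes UTC timestamps on this router.
UTC_TAGS = {"dnscrypt-proxy"}

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<tag>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def parse_lines(log_text, year):
    """Return [(datetime, tag, msg)] in file order; syslog carries no year."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation or non-syslog line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entries.append((ts, m["tag"], m["msg"]))
    return entries


def normalize(entries, local_offset_hours):
    """Shift UTC-stamped tags to local time and sort so the log is sequential."""
    shifted = []
    for ts, tag, msg in entries:
        if tag in UTC_TAGS:
            ts = ts + timedelta(hours=local_offset_hours)
        shifted.append((ts, tag, msg))
    shifted.sort(key=lambda e: e[0])
    return shifted


def is_monotonic(entries):
    """True when timestamps never go backwards, the property the scraper relies on."""
    return all(a[0] <= b[0] for a, b in zip(entries, entries[1:]))


if __name__ == "__main__":
    raw = parse_lines(SAMPLE_SYSLOG, 2015)
    print("raw order sequential:", is_monotonic(raw))
    for ts, tag, msg in normalize(raw, -6):
        print(ts.strftime("%b %d %H:%M:%S"), tag, msg)
```

Setting TZ for the daemon itself (the approach in the reply below this post) is the cleaner fix; this normalizer is for logs already collected with mixed offsets.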
 
You can fix this using kvic's tip from this post.
 
I have already enabled fakehwclock,
but sometimes after a restart dnscrypt couldn't start; fakehwclock seems to fail also.
My temporary solution is to put an additional server entry in dnsmasq.add in the jffs scripts for the URL pool.ntp.org, to go directly to the default DNS; the rest uses dnscrypt.
Hope it helps.
 
Hi,

You have a timing issue! The solution is hostip (no need for fakehwclock fiddling); see this posting on page 8 of this thread! :rolleyes:

With kind regards
Joe :cool:

PS.: My version of the time sync script looks like this and is started with the post-mount user script:
Code:
#!/bin/sh
#
export TZ=$(cat /etc/TZ)
#
# Wait up to 15 seconds to make sure /opt partition is mounted
#
i=0
while [ "$i" -le 15 ]
do
    if [ -d /opt/tmp ]
    then
        break
    fi
    sleep 1
    i=`expr $i + 1`
    echo $i
done
#
# Now resolve DNS name for NTP server with hostip (plain DNS, works before
# dnscrypt-proxy has a valid certificate) and pin it in /etc/hosts
ntp_name=$(nvram get ntp_server0)
grep "$ntp_name" /etc/hosts > /dev/null 2>&1 || \
for ip in $(/opt/bin/hostip "$ntp_name")
do
    echo "$ip $ntp_name" >> /etc/hosts
done
#
# and restart NTP client to eliminate 4-5 mins delay
killall ntp && sleep 1
service restart_ntpc
 
Well, I was battling DNS all week here in the Chicago area. For some reason I found my kids on sites that should have been blocked by OpenDNS. Something changed on Sunday the 20th, and it appears that my DNS queries were being intercepted by AT&T. No matter what DNS server I put in my router, OpenDNS, Google, etc., they were being serviced by our friends at AT&T. So I decided to re-enable DNSCRYPT on the router. Before, I was seeing issues where the response from OpenDNS through DNSCRYPT was delayed or it was not recognizing my configuration. Well, that seems to have changed since I first used it. It's working great now. I just wish OpenDNS would allow IPv6 with custom white/block lists like they do with IPv4.

I did query with AT&T on this earlier in the week and they had no answer and finally someone from their network team said that with them preparing for a GigaPower rollout in the Chicago area may have caused this issue. AT&T is planning with GigaPower fiber to collect usage data of the internet for sale. If you opt out you have to pay $20 more per month to keep the data private. One has to think they are using DNS and deep packet inspections to do this.
 
I got it to work following the tutorial. I did have an NTP problem, but I just went in via SSH:
Code:
# sh /tmp/mnt/sda1/entware/etc/init.d/S09dnscrypt-proxy restart

I used an IP address for the NTP setting in the router as well.

https://ipleak.net/ is a good place to see if it works.
Thanks for the tutorial. I am going to try it for a while, and see how it goes.

I would like to set up some redundancy as well.


Edit: I have a question... if I list 4 loopback addresses with different port numbers in the /jffs/configs/dnsmasq.conf.add file, does the router (dnsmasq) just use the DNS server that responds the fastest? https://ipleak.net/ only shows, it seems, the closest server to where my VPN service provider is located when I list multiple.
 
I have been having to manually start dnscrypt after my router reboots (via SSH: sh /tmp/mnt/sda1/entware/etc/init.d/rc.unslung start). I fixed it by moving the contents of services-start to post-mount. It seems what was in services-start (my scheduled reboot and DDNS stuff) had been written over as well.

I moved the code adding it to post-mount. Here is the contents of post-mount:
Code:
#!/bin/sh

# Link the Entware tree on the USB stick to /tmp/opt once that partition mounts
if [ "$1" = "/tmp/mnt/sda1" ] ; then
  ln -nsf "$1/entware" /tmp/opt
fi


#DNSCRYPT was in services-start
RC='/opt/etc/init.d/rc.unslung'

# Wait up to 30 seconds for the Entware init script to become available
i=30
until [ -x "$RC" ] ; do
  i=$(($i-1))
  if [ "$i" -lt 1 ] ; then
    logger "Could not start Entware"
    exit 1
  fi
  sleep 1
done
$RC start
It started after a reboot, got the time, and I checked that it is using dnscrypt by going to https://ipleak.net/
Also I am using an IP address for the NTP server that I found here.
Hope this helps someone.
I also want to add that if you use multiple dnscrypt-proxies, you can see which one is getting used by using top. I just thought that it is interesting.
 
You can change it by adding to dnsmasq.conf.add in /jffs/configs

strict-order
By default, dnsmasq will send queries to any of the upstream servers it knows about and tries to favour servers that are known to be up. Setting this flag forces dnsmasq to try each query with each server strictly in the order they appear in /etc/resolv.conf

all-servers
By default, when dnsmasq has more than one upstream server available, it will send queries to just one server. Setting this flag forces dnsmasq to send all queries to all available servers. The reply from the server which answers first will be returned to the original requester.
It is a good idea to have all-servers configuration set in dnsmasq.conf.add,
if you have more than one dnscrypt resolver as a fallback option.
 
Here's my wiki mod. No Optware or Entware required.

/jffs/scripts/wan-start
Code:
#!/bin/sh
logger -t $(basename $0) "started [$$]"

/bin/pidof dnscrypt-proxy > /dev/null 2>&1 || \
(
  # Resolve the NTP server name with hostip (plain DNS, before dnscrypt-proxy
  # is up) and pin it in hosts.add, so ntp can sync even though dnsmasq is
  # already pointed at the not-yet-running proxies.
  ntp_name=$(nvram get ntp_server0)
  grep "$ntp_name" /jffs/configs/hosts.add > /dev/null 2>&1 || \
  for ip in $(/jffs/bin/hostip "$ntp_name")
  do
    echo "$ip $ntp_name" >> /jffs/configs/hosts.add
  done

  # restart NTP client to eliminate 4-5 mins delay
  killall ntp
  sleep 1
  service restart_dnsmasq
  service restart_ntpc
  sleep 5

  # wait up to 5 minutes to make sure the router has the correct time
  tmax=300
  i=0
  while [ "$i" -le "$tmax" ]
  do
    ready=$(nvram get ntp_ready)
    if [ "${ready:-0}" -eq 1 ]
    then
      break
    fi
    logger "Waiting for correct time to be set."
    sleep 1
    i=`expr $i + 1`
  done
  ready=$(nvram get ntp_ready)
  [ "${ready:-0}" -eq 1 ] || \
    logger "NTP not synced after ${tmax}s; dnscrypt-proxy will reject certificates until the clock is right"

  # dnscrypt-proxy requires the correct time for certificate validation
  /jffs/bin/dnscrypt-proxy --local-address=127.0.0.1:60053 --ephemeral-keys --resolver-name=dnscrypt.org-fr --resolvers-list=/jffs/bin/dnscrypt-resolvers.csv --daemonize
  /jffs/bin/dnscrypt-proxy --local-address=127.0.0.1:60054 --ephemeral-keys --resolver-name=soltysiak --resolvers-list=/jffs/bin/dnscrypt-resolvers.csv --daemonize
)

/jffs/configs/dnsmasq.conf.add
Code:
...
### dnscrypt
no-resolv
server=127.0.0.1#60053 # dnscrypt
server=127.0.0.1#60054 # dnscrypt
...
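
Why the clock matters for that last step, as an added example that is mine and not the thread's or dnscrypt-proxy's code: a DNSCrypt v1 certificate carries a serial and a validity window (ts-start, ts-end), and a client only accepts certificates whose window contains the current time, so a router whose clock is still at the 1970 epoch finds none and logs the "No useable certificates found" message seen earlier in the thread. The layout below follows the v1 protocol description; the certificates are constructed with zero-filled signatures, and the ed25519 check a real client performs with the provider key from dnscrypt-resolvers.csv is deliberately left out (an assumption noted in the code).

```python
import struct

# DNSCrypt v1 certificate (the TXT record published at the provider name):
#   "DNSC" | es-version(2) | protocol-minor(2) | signature(64) | resolver-pk(32)
#   | client-magic(8) | serial(4) | ts-start(4) | ts-end(4) | extensions...
# Integers are big-endian; the fixed part is 124 bytes.
CERT_HDR = struct.Struct(">4sHH64s32s8sIII")
CERT_MAGIC = b"DNSC"
SIGNED_FROM = 4 + 2 + 2 + 64           # the signature covers everything after itself
SUPPORTED_ES_VERSIONS = {1, 2}          # 1 = XSalsa20-Poly1305, 2 = XChaCha20-Poly1305


def parse_cert(raw):
    """Decode the fixed fields; raise ValueError on anything malformed."""
    if len(raw) < CERT_HDR.size:
        raise ValueError("certificate too short")
    magic, es, minor, sig, pk, cmagic, serial, start, end = CERT_HDR.unpack_from(raw)
    if magic != CERT_MAGIC:
        raise ValueError("bad certificate magic")
    if start > end:
        raise ValueError("ts-start after ts-end")
    return {"es_version": es, "minor": minor, "signature": sig, "resolver_pk": pk,
            "client_magic": cmagic, "serial": serial, "ts_start": start,
            "ts_end": end, "signed_bytes": raw[SIGNED_FROM:]}


def is_usable(cert, now):
    """Cipher and time-window check. Assumption: the ed25519 signature over
    cert['signed_bytes'] has already been verified with the provider key;
    this example does not implement that step."""
    return (cert["es_version"] in SUPPORTED_ES_VERSIONS
            and cert["ts_start"] <= now <= cert["ts_end"])


def choose_cert(certs, now):
    """Pick the usable certificate with the highest serial, or None if there is none."""
    usable = [c for c in certs if is_usable(c, now)]
    return max(usable, key=lambda c: c["serial"]) if usable else None


def build_cert(serial, ts_start, ts_end, es_version=1):
    """Constructed test certificate with a zero-filled (unverified) signature."""
    return CERT_HDR.pack(CERT_MAGIC, es_version, 0, b"\0" * 64, b"\x11" * 32,
                         b"\x22" * 8, serial, ts_start, ts_end)


T0 = 1449878400   # 2015-12-12T00:00:00Z, an assumed "correct" clock for the demo
DAY = 86400


def demo_certs():
    """Three constructed certs: one expired, one current, one with an unknown cipher."""
    return [
        parse_cert(build_cert(1, T0 - 60 * DAY, T0 - 30 * DAY)),
        parse_cert(build_cert(2, T0 - 30 * DAY, T0 + 30 * DAY)),
        parse_cert(build_cert(3, T0 - 1 * DAY, T0 + 30 * DAY, es_version=9)),
    ]


if __name__ == "__main__":
    for now in (T0, 0):   # 0 = router clock still at the epoch, NTP not yet synced
        c = choose_cert(demo_certs(), now)
        print(now, "->", f"serial {c['serial']}" if c else "No useable certificates found")
```

With now = 0 the window check fails for every certificate, which is exactly the state of a freshly booted router that has no RTC and has not reached an NTP server yet; hostip or fake-hwclock exist to get the clock past that point before the proxy starts.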

Hello,

I installed the compiled ARM version of dnscrypt-proxy and hostip from lancethepants (http://files.lancethepants.com/Binaries/dnscrypt-proxy/arm/dnscrypt-proxy 1.6.0 - libsodium 1.0.3/) and added them to /jffs/bin/.

After that, I added the dnsmasq.conf.add entries and copied your script to the file /jffs/scripts/wan-start but still can't get this to work.

The router shows me that NTP still can't be synced, even if I type the IP of the NTP server I'm using.
Some part of the script seems to work, since the dnsmasq entries are added to my dnsmasq.conf file, the script is definitely starting.

Could someone please help me out? I tried it for several hours.

Edit: This is a clean install (with wiped NVRAM) of Asuswrt 380.57 for my RT-AC68U
 
This problem can be fixed with a real-time clock inside the router.

1. Open the router and identify where the serial console port is.

2. Buy these pieces on eBay:
  • Arduino Nano
  • DS3231 real-time clock
  • SN74LS14N Hex Schmitt-Trigger Inverter for interfacing between the router's 3.3V TTL serial console port and the Arduino Nano's 5V TTL serial port. Must keep the router's TX pin LOW during power ON of the router, otherwise the router doesn't start up.
3. Write an Arduino sketch to wait for the serial console port to receive this data: "Hit ENTER for console...". Now wait 2 seconds, then send the Linux command over the serial console to set the current date/time from the real-time clock. Will it work?

4. Now whenever you reboot the router, the clock should get set very early in the Linux kernel boot process.

And you may still use NTP, if you wish.
 