Dnscrypt from opendns

I am using the entware version. I tried to use two resolvers as in your post, but the second instance of dnscrypt-proxy does not seem to be starting on reboot. Do I need to call this in a script?
There are two start scripts, one for each dnscrypt-proxy instance: /opt/etc/init.d/S09dnscrypt-proxy and /opt/etc/init.d/S09dnscrypt-proxy1. Both will be started automatically with the other Entware services. Please check both scripts; there may be some errors. You can check them by starting them manually:
Code:
/opt/etc/init.d/S09dnscrypt-proxy start
/opt/etc/init.d/S09dnscrypt-proxy1 start
 
I have both scripts. Where are they called from?
 
As you can see, all start scripts for Entware services are placed in the /opt/etc/init.d folder. The Entware installation script writes /jffs/scripts/services-start, where you can find the following line:
Code:
/opt/etc/init.d/rc.unslung start
which is equal to
Code:
/opt/etc/init.d/S01xxxx start
/opt/etc/init.d/S02yyyy start
...
/opt/etc/init.d/S09dnscrypt-proxy start
/opt/etc/init.d/S09dnscrypt-proxy1 start
...
/opt/etc/init.d/S10zzzz start
and so on.

When you click the "Reboot" button in the WebUI,
Code:
/opt/etc/init.d/rc.unslung stop
will be executed from /jffs/scripts/services-stop, which is equal to:
Code:
/opt/etc/init.d/S10zzzz stop
...
/opt/etc/init.d/S09dnscrypt-proxy1 stop
/opt/etc/init.d/S09dnscrypt-proxy stop
...
/opt/etc/init.d/S02yyyy stop
/opt/etc/init.d/S01xxxx stop
This start-script style came from Optware.
 

Thank you so much ryzhov_al. Your work and advice really helped me figure this all out.

I found the dnscrypt-proxy1 file in /opt/sbin had a typo in the symlink. It was trying to start dnscryppt-proxy (note the misspelling) as dnscrypt-proxy1. I'm not sure if this was from a typo I made or if there is an error in a script somewhere. Anyway, I corrected the symlink to point at the correct file and all is working perfectly now.
 
My non-Entware setup seems to be working as well with 2 DNSCrypt servers.

Running the DNS leak test on https://dnsleaktest.com I often get only one server (the one on port 65053) and once got the other one (the one on port 65054) as well.

Does this mean that the router will always try the DNS servers in the order listed in dnsmasq.conf.add? And only try the second if the first one fails?

(that would be what I want)
 
I have a few questions left. You mention changing dnsmasq to use DNSSEC. Can you tell me how to do this? I'm guessing just add lines with dnssec and dnssec-check-unsigned to dnsmasq.conf.add? I'm going to try this, but I won't know how to tell if it's working.

Also, the code for S09dnscrypt-proxy in this post shows values for provider-name and provider-key in the ARGS. My files don't have this, but isn't this needed? I posted my files just in case they're needed.

S09dnscrypt-proxy
Code:
#!/bin/sh

ENABLED=yes
PROCS=dnscrypt-proxy
ARGS="--local-address=127.0.0.1:65053 --daemonize -R dnscrypt.eu-nl"
PREARGS=""
DESC=
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

S09dnscrypt-proxy1
Code:
#!/bin/sh

ENABLED=yes
PROCS=dnscrypt-proxy1
ARGS="--local-address=127.0.0.1:65054 --daemonize -R dnscrypt.eu-dk"
PREARGS=""
DESC=
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

Thanks again!
 
I have a few questions left. You mention changing dnsmasq to use DNSSEC. Can you tell me how to do this? I'm guessing just add lines with dnssec and dnssec-check-unsigned to dnsmasq.conf.add? I'm going to try this, but I won't know how to tell if it's working.
This is NOT DNSSEC; it secures the connection between the DNS client and the DNS server, so DNS traffic is encrypted with an elliptic-curve cipher.

Also, the code for S09dnscrypt-proxy in this post shows values for provider-name and provider-key in the ARGS. My files don't have this, but isn't this needed?
It means the default server, provided by OpenDNS, is used.
 
Does this mean that the router will always try the DNS servers in the order listed in dnsmasq.conf.add? And only try the second if the first one fails?

(that would be what I want)

Add strict-order to your dnsmasq.conf.add file. That will get what you want.
 
I apologize for the ignorance, but I'm somewhat confused. I thought DNSSEC was an additional measure and that is why it was said that it's best to pick a DNSCrypt server that supports DNSSEC and change the dnsmasq to support the additional validation. Do the two not work side by side?
 
Now I get it, sorry.
Bottom line: DNSSEC and DNSCrypt are different technologies which can work perfectly together.
 
Hi,

I've been trying to get this DNScrypt to work on my Asus RT-N66U running Merlin firmware v3.0.0.4_376.44_0. I've chosen DNScrypt.eu (14) when prompted after installing everything following this guide at GIT. When I test with DNSleak I see that it correctly sees the DNScrypt.eu.

Code:
176.56.237.171 	resolver1.dnscrypt.eu 	RouteLabel V.O.F.

However, when I make a TCPDump on my Asus router while I visit multiple sites on my main PC and then analyze the dump with Wireshark, I don't see encrypted DNS messages but plain-text URLs. I should be seeing something like malformed packets to confirm it's encrypted. So it does seem to be using the DNScrypt DNS, but it does not encrypt. I made a dump of the ETH0 device as this one is holding the external IP.

Code:
tcpdump -i eth0 -n -s 0 -vvv -w dump.pcap

So I went and checked if I could see that the dnscrypt-proxy is started correctly and that it is actually able to exchange certs. This seems to be going OK, yet encryption doesn't work.

Code:
Jan  1 01:00:12 rc_service: hotplug 420:notify_rc restart_nasapps
Aug 10 12:10:55 dnscrypt-proxy[668]: Starting dnscrypt-proxy 1.4.0
Aug 10 12:10:55 dnscrypt-proxy[668]: Initializing libsodium for optimal performance
Aug 10 12:10:55 dnscrypt-proxy[668]: Generating a new key pair
Aug 10 12:10:55 dnscrypt-proxy[668]: Done
Aug 10 12:10:55 dnscrypt-proxy[668]: Server certificate #808464433 received
Aug 10 12:10:55 dnscrypt-proxy[668]: This certificate looks valid
Aug 10 12:10:55 dnscrypt-proxy[668]: Chosen certificate #808464433 is valid from [2013-12-27] to [2014-12-27]
Aug 10 12:10:55 dnscrypt-proxy[668]: Server key fingerprint is 6231:4AFE:4AA3:7E6F:9B8C:DAA6:6F6E:E8A5:F84B:10A8:6DB1:C5CB:D264:77CA:7F03:0D5C
Aug 10 12:10:55 dnscrypt-proxy[668]: Proxying from 127.0.0.1:65053 to 176.56.237.171:443

Any clues as to what I can do to get this working?

P.S. @AtAM1
I too would like to know what you did to enable DNSsec, as that is interesting; combining encryption with validation would be even better.

This is basically the same issue I'm seeing: traffic does not seem to be encrypted from the router to the server.

welcome.opendns.com test fails, and:
Code:
drill txt debug.opendns.com @127.0.0.1 -p 65053
also doesn't show the key info, while:
Code:
drill txt debug.opendns.com @10.10.50.10
(this is a reply from a local unbound server proxying to dnscrypt, similar to what I'm trying with dnsmasq on the router)

;; ANSWER SECTION:
debug.opendns.com. 0 IN TXT "server 7.lon"
debug.opendns.com. 0 IN TXT "flags 20 0 2F4 4000800000000000000"
debug.opendns.com. 0 IN TXT "originid 0"
debug.opendns.com. 0 IN TXT "actype 0"
debug.opendns.com. 0 IN TXT "source 89.114.47.44:54690"
debug.opendns.com. 0 IN TXT "dnscrypt enabled (...)


The syslog shows certs are fine and it's indeed proxying, so I really have no idea what's wrong, because the direct query to port 65053 doesn't show the expected result :|
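As an added check (my example, not the posters' or the dnscrypt-proxy project's code), this script parses dnscrypt-proxy start-up lines like the syslog quoted above, confirms that the "Proxying from" endpoint matches a server= line in dnsmasq.conf.add, flags a missing strict-order (the fix suggested earlier in the thread), and reports a lapsed resolver certificate or a changed key fingerprint. The sample syslog and dnsmasq.conf.add are constructed from this thread's values; the function names are my own.

```python
import re

# Constructed sample: dnscrypt-proxy start-up lines as the router syslog shows them.
SYSLOG = """\
Aug 10 12:10:55 dnscrypt-proxy[668]: Chosen certificate #808464433 is valid from [2013-12-27] to [2014-12-27]
Aug 10 12:10:55 dnscrypt-proxy[668]: Server key fingerprint is 6231:4AFE:4AA3:7E6F:9B8C:DAA6:6F6E:E8A5:F84B:10A8:6DB1:C5CB:D264:77CA:7F03:0D5C
Aug 10 12:10:55 dnscrypt-proxy[668]: Proxying from 127.0.0.1:65053 to 176.56.237.171:443
"""
# Constructed sample dnsmasq.conf.add for the two-instance setup, with strict-order.
DNSMASQ_CONF = "no-resolv\nstrict-order\nserver=127.0.0.1#65053\nserver=127.0.0.1#65054\n"

CERT_RE = re.compile(r"is valid from \[(\d{4}-\d{2}-\d{2})\] to \[(\d{4}-\d{2}-\d{2})\]")
FP_RE = re.compile(r"Server key fingerprint is ([0-9A-F:]+)")
PROXY_RE = re.compile(r"Proxying from (\S+) to (\S+)")

def parse_syslog(text):
    # Extract the certificate window (kept as ISO strings), key fingerprint and both endpoints.
    info = {}
    for line in text.splitlines():
        if m := CERT_RE.search(line):
            info["cert_from"], info["cert_to"] = m.groups()
        elif m := FP_RE.search(line):
            info["fingerprint"] = m.group(1)
        elif m := PROXY_RE.search(line):
            info["local"], info["upstream"] = m.groups()
    return info

def dnsmasq_upstreams(conf):
    # server=ip#port lines become 'ip:port' so they compare directly with the syslog endpoint.
    servers, strict = [], False
    for line in (l.strip() for l in conf.splitlines()):
        if line == "strict-order":
            strict = True
        elif line.startswith("server="):
            servers.append(line[7:].replace("#", ":"))
    return servers, strict

def check(info, conf, today_iso, pinned_fp=None):
    # Return findings; an empty list means dnsmasq points at the running proxy and the cert is current.
    # ISO dates (YYYY-MM-DD) compare correctly as plain strings.
    findings = []
    servers, strict = dnsmasq_upstreams(conf)
    if info.get("local") not in servers:
        findings.append("dnsmasq has no server= entry for %s" % info.get("local"))
    if len(servers) > 1 and not strict:
        findings.append("strict-order missing: dnsmasq will race all listed servers")
    if not (info["cert_from"] <= today_iso <= info["cert_to"]):
        findings.append("resolver certificate not valid on %s" % today_iso)
    if pinned_fp and info.get("fingerprint") != pinned_fp:
        findings.append("resolver key fingerprint changed")
    return findings
```

Run it against your own syslog and dnsmasq.conf.add; a second instance on port 65054 is checked the same way by feeding its own log lines.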
 
Hum... I killed dnsmasq and put dnscrypt-proxy listening on 53 and this way drill shows the correct output...
 
Precompiled binaries for asuswrt-merlin fixed too. To install DNSCrypt-proxy without Optware/Entware, please do:
1) Make sure JFFS is enabled from WebUI, you need to reboot after enabling JFFS,
2) Install precompiled dnscrypt binaries with start script from SSH/telnet console.
  • on MIPS-based routers (RT-N16, RT-N66U, RT-AC66U):
    Code:
    wget -O - http://files.ryzhov-al.ru/Routers/asuswrt-merlin/dnscrypt-proxy/dnscrypt-proxy-asuswrt-merlin-mipsel.tgz | tar -C / -xvz
  • on ARM-based routers (RT-AC56U, RT-AC68U):
    Code:
    wget -O - http://files.ryzhov-al.ru/Routers/asuswrt-merlin/dnscrypt-proxy/dnscrypt-proxy-asuswrt-merlin-arm.tgz | tar -C / -xvz
3) Reboot router.
The OpenDNS dnscrypt server will be used; if you wish to choose another one (from the list above), please install the full package from Entware.

My install is quite old on the ac68u, is there a way to install with 2 dns servers on the ac68?

Thanks.
 
Hey,

Can someone please tell me how to change DNS servers AFTER installation?
The DNS servers I was using went offline, so now I can't use dns-crypt anymore.

Please help!

Thanks!

Edit: Found the solution, all I had to do was edit /opt/etc/init.d/S09dnscrypt-proxy
With one of the predefined server-names mentioned earlier in this thread.

Thanks
 
Is it working for you when you test with "welcome.opendns.com" or try the dig/drill query?

I still can't understand why this fails. I have 2 routers, one Asus, one Linksys (with Tomato firmware).

Both are able to run dnscrypt, dnsmasq proxies the requests, but the OpenDNS test still fails!

Yet using the same resolvers on my local computer and server + unbound works!

I wonder if this is dnsmasq related
 