What's new

Dnscrypt from opendns

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I am using the entware version. I tried to use two resolvers as in your post, but the second instance of dnscrypt-proxy does not seem to be starting on reboot. Do I need to call this in a script?
There are two start scripts for each dnscrypt-proxy instances: /opt/etc/init.d/S09dnscrypt-proxy and /opt/etc/init.d/S09dnscrypt-proxy1. Two-both will be automatically started with other Entware services. Please, check both scripts, there may be some errors. You may check them by manual start:
Code:
/opt/etc/init.d/S09dnscrypt-proxy start
/opt/etc/init.d/S09dnscrypt-proxy1 start
 
There are two start scripts for each dnscrypt-proxy instances: /opt/etc/init.d/S09dnscrypt-proxy and /opt/etc/init.d/S09dnscrypt-proxy1. Two-both will be automatically started with other Entware services. Please, check both scripts, there may be some errors. You may check them by manual start:
Code:
/opt/etc/init.d/S09dnscrypt-proxy start
/opt/etc/init.d/S09dnscrypt-proxy1 start

I have both scripts. Where are they called from?
 
I have both scripts. Where are they called from?
As you can see, all start scripts for Entware services are placed to /opt/etc/init.d folder. Entware installation script writes /jffs/scripts/services-start, where you can find a following string:
Code:
/opt/etc/init.d/rc.unslung start
which is equal to
Code:
/opt/etc/init.d/S01xxxx start
/opt/etc/init.d/S02yyyy start
...
/opt/etc/init.d/S09dnscrypt-proxy start
/opt/etc/init.d/S09dnscrypt-proxy1 start
...
/opt/etc/init.d/S10zzzz start
and so on.

When you click "Reboot" button from WebUI,
Code:
/opt/etc/init.d/rc.unslung stop
will be executed from /jffs/scripts/services-stop, which is equal to:
Code:
/opt/etc/init.d/S10zzzz stop
...
/opt/etc/init.d/S09dnscrypt-proxy1 stop
/opt/etc/init.d/S09dnscrypt-proxy stop
...
/opt/etc/init.d/S02yyyy stop
/opt/etc/init.d/S01xxxx stop
This start scripts style came from Optware.
 
As you can see, all start scripts for Entware services are placed to /opt/etc/init.d folder. Entware installation script writes /jffs/scripts/services-start, where you can find a following string:
Code:
/opt/etc/init.d/rc.unslung start
...

Thank you so much ryzhov_al. Your work and advice really helped me figure this all out.

I found the dnscrypt-proxy1 file in /opt/sbin had a typo in the symlink. It was trying to start dnscryppt-proxy (note mis-spelling) as dnscrypt-proxy1. I'm not sure if this was from a typo I made or if there is an error in a script somewhere. Anyways, I corrected the symlink to point at the correct file and all is working perfectly now.
 
My non-Entware setup seems to be working as well with 2 DNSCrypt servers.

Running the DNS leak test on https://dnsleaktest.com I often get only one server (the one on port 65053) and once got the other one (the one on port 65054) as well.

Does this mean that the router will always try the DNS servers in the order listed in dnsmasq.conf.add? And only try the second if the first one fails?

(that would be what I want)
 
I have a few questions left. You mention changing dnsmasq to use DNSSEC. Can you tell me how to do this? I'm guessing just add lines with dnssec and dnssec-check-unsigned to dnsmasq.conf.add? I'm going to try this, but I won't know how to tell if it's working.

Also, the code for S09dnscrypt-proxy in this post show values for provider-name and provider-key in the ARGS. My files don't have this but isn't this needed? I posted my files just in case they're needed.

S09dnscrypt-proxy
Code:
#!/bin/sh

ENABLED=yes
PROCS=dnscrypt-proxy
ARGS="--local-address=127.0.0.1:65053 --daemonize -R dnscrypt.eu-nl"
PREARGS=""
DESC=
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

S09dnscrypt-proxy1
Code:
#!/bin/sh

ENABLED=yes
PROCS=dnscrypt-proxy1
ARGS="--local-address=127.0.0.1:65054 --daemonize -R dnscrypt.eu-dk"
PREARGS=""
DESC=
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

Thanks again!
 
Last edited:
I have a few questions left. You mention changing dnsmasq to use DNSSEC. Can you tell me how to do this? I'm guessing just add lines with dnssec and dnssec-check-unsigned to dnsmasq.conf.add? I'm going to try this, but I won't know how to tell if it's working.
This is NOT a DNSSEC, it's securing connection between DNS-client and DNS-server, DNS traffic will be encrypted with elliptic curves cypher.

IAlso, the code for S09dnscrypt-proxy in this post show values for provider-name and provider-key in the ARGS. My files don't have this but isn't this needed? I
It means default server is used, provided by OpenDNS.
 
My non-Entware setup seems to be working as well with 2 DNSCrypt servers.

Running the DNS leak test on https://dnsleaktest.com I often get only one server (the one on port 65053) and once got the other one (the one on port 65054) as well.

Does this mean that the router will always try the DNS servers in the order listed in dnsmasq.conf.add? And only try the second if the first one fails?

(that would be what I want)

Add strict-order to your dnsmasq.conf.add file. That will get what you want.
 
This is NOT a DNSSEC, it's securing connection between DNS-client and DNS-server, DNS traffic will be encrypted with elliptic curves cypher.

I apologize for the ignorance, but I'm somewhat confused. I thought DNSSEC was an additional measure and that is why it was said that it's best to pick a DNSCrypt server that supports DNSSEC and change the dnsmasq to support the additional validation. Do the two not work side by side?
 
Last edited:
I apologize for the ignorance, but I'm somewhat confused. I thought DNSSEC was an additional measure and that is why it was said that it's best to pick a DNSCrypt server that supports DNSSEC and change the dnsmasq to support the additional validation. Do the two not work side by side?
Now I get it, sorry.
Bottomline: DNSSEC and DNSCrypt are different technologies which can work perfectly together.
 
Hi,

I've been trying to get this DNScrypt to work on my Asus RT-N66U running Merlin firmware v3.0.0.4_376.44_0. I've chosen DNScrypt.eu (14) when prompted after installing everything following this guide at GIT. When I test with DNSleak I see that it correctly sees the DNScrypt.eu.

Code:
176.56.237.171 	resolver1.dnscrypt.eu 	RouteLabel V.O.F.

However when I make a TCPDump on my Asus router while I visit multiple sites on my main PC and then analyze the dump with Wireshark I don't see encrypted DNS messages but plain text URL's. I should be seeing something like malformed packages to confirm it's encrypted. So it does seem to be using the DNScrypt DNS, but it does not encrypt. I made a dump of the ETH0 device as this one is holding the external IP.

Code:
tcpdump -i eth0 -n -s 0 -vvv -w dump.pcap

So I went and checked if I could see that the dnscrypt-proxy is started correctly and that it is actually able to exchange certs. This seems to be going OK, yet encryption doesn't work.

Code:
Jan  1 01:00:12 rc_service: hotplug 420:notify_rc restart_nasapps
Aug 10 12:10:55 dnscrypt-proxy[668]: Starting dnscrypt-proxy 1.4.0
Aug 10 12:10:55 dnscrypt-proxy[668]: Initializing libsodium for optimal performance
Aug 10 12:10:55 dnscrypt-proxy[668]: Generating a new key pair
Aug 10 12:10:55 dnscrypt-proxy[668]: Done
Aug 10 12:10:55 dnscrypt-proxy[668]: Server certificate #808464433 received
Aug 10 12:10:55 dnscrypt-proxy[668]: This certificate looks valid
Aug 10 12:10:55 dnscrypt-proxy[668]: Chosen certificate #808464433 is valid from [2013-12-27] to [2014-12-27]
Aug 10 12:10:55 dnscrypt-proxy[668]: Server key fingerprint is 6231:4AFE:4AA3:7E6F:9B8C:DAA6:6F6E:E8A5:F84B:10A8:6DB1:C5CB:D264:77CA:7F03:0D5C
Aug 10 12:10:55 dnscrypt-proxy[668]: Proxying from 127.0.0.1:65053 to 176.56.237.171:443

Any clues as to what I can do to get this working?

P.S. @AtAM1
I to would like to know what you did to enable DNSsec as that is interesting combining encryption with validation would be even better.

This is basically the same issue I'm seeing, traffic does not seem to be encrypted the router to the server.

welcome.opendns.com test fails and:
drill txt debug.opendns.com @1
27.0.0.1 -p 65053
also doesn't show the key info, while:
drill txt debug.opendns.com @10.10.50.10 (this is a reply from a local unbound server proxing to dnscrypt, similar to what I'm trying with dnsmasq on the router)

;; ANSWER SECTION:
debug.opendns.com. 0 IN TXT "server 7.lon"
debug.opendns.com. 0 IN TXT "flags 20 0 2F4 4000800000000000000"
debug.opendns.com. 0 IN TXT "originid 0"
debug.opendns.com. 0 IN TXT "actype 0"
debug.opendns.com. 0 IN TXT "source 89.114.47.44:54690"
debug.opendns.com. 0 IN TXT "dnscrypt enabled (...)


the syslog show certs are fine and its indeed proxing so I really have no idea what's wrong, because the direct query to port 65053 doesn't show the expected result :|
 
Hum... I killed dnsmasq and put dnscrypt-proxy listening on 53 and this way drill shows the correct output...

:confused:
 
Precompiled binaries for asuswrt-merlin fixed too. To install DNSCrypt-proxy without Optware/Entware, please do:
1) Make sure JFFS is enabled from WebUI, you need to reboot after enabling JFFS,
2) Install precompiled dnscrypt binaries with start script from SSH/telnet console.
  • on MIPS-based routers (RT-N16, RT-N66U, RT-AC66U):
    Code:
    wget -O - http://files.ryzhov-al.ru/Routers/asuswrt-merlin/dnscrypt-proxy/dnscrypt-proxy-asuswrt-merlin-mipsel.tgz | tar -C / -xvz
  • on ARM-based routers (RT-AC56U, RT-AC68U):
    Code:
    wget -O - http://files.ryzhov-al.ru/Routers/asuswrt-merlin/dnscrypt-proxy/dnscrypt-proxy-asuswrt-merlin-arm.tgz | tar -C / -xvz
3) Reboot router.
The OpenDNS dnscrypt server will be used, if you wish to choose another one (from the list above), please install full package from Entware.

My install is quite old on the ac68u, is there a way to install with 2 dns servers on the ac68?

Thanks.
 
Hey,

Can someone please tell me how to change DNS servers AFTER installation?
The DNS servers I were using went offline, now I can't use dns-crypt anymore.

Please help!

Thanks!

Edit: Found the solution, all I had to do was edit /opt/etc/init.d/S09dnscrypt-proxy
With one of the predefined server-names mentioned earlier in this thread.

Thanks
 
Last edited:
Hey,

Can someone please tell me how to change DNS servers AFTER installation?
The DNS servers I were using went offline, now I can't use dns-crypt anymore.

Please help!

Thanks!

Edit: Found the solution, all I had to do was edit /opt/etc/init.d/S09dnscrypt-proxy
With one of the predefined server-names mentioned earlier in this thread.

Thanks


Is it working for you went you test with "welcome.opends.com" for try the dig/drill query?

I still can't understand why this fails I have 2 routers, one asus one linksys (with tomato firmware)

Both are able to run dnscrypt, dnsmasq proxies the requests but opendns test stilll fails!

Yet using the same resolvers on my local computer and server + unbound works!

I wonder if this is dnsmasq related
 
Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top