Dnscrypt from opendns

Hum... Interesting. I do use IPv6, but I'm not using an IPv6 resolver. In any case, thanks for pointing me to that, I will test :)


Wait, but it fails on Tomato firmware too, where I also have dnscrypt + dnsmasq instead of unbound... so it doesn't make sense (IPv6 is off on that router, actually)


I did disable IPv6 on the Asus just to be sure, and I still see the same issue with both routers... surely there's something in common, or some config I'm missing on both sides.
 
Hum... I was re-reading my old comments and investigating more...

The issue is not dnsmasq at all; in fact, if I point dnsmasq to my local server running unbound+dnscrypt it works perfectly!

So the issue must be dnscrypt itself!

With:
Code:
admin@RT-N66U-13C0:/jffs/configs# cat dnsmasq.conf.add 
no-resolv
server=127.0.0.1#65053

I don't get the correct info, but if I change the server to my server it works fine!

Code:
admin@RT-N66U-13C0:/jffs/configs# cat dnsmasq.conf.add 
no-resolv
server=10.10.50.10
admin@RT-N66U-13C0:/jffs/configs# service restart_dnsmasq

Done.
admin@RT-N66U-13C0:/jffs/configs# drill -t txt debug.opendns.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 42110
;; flags: qr rd ra ; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; debug.opendns.com.   IN      TXT

;; ANSWER SECTION:
debug.opendns.com.      0       IN      TXT     "server 9.lon"
debug.opendns.com.      0       IN      TXT     "flags 20 0 2F4 4000800000000000000"
debug.opendns.com.      0       IN      TXT     "originid 0"
debug.opendns.com.      0       IN      TXT     "actype 0"
debug.opendns.com.      0       IN      TXT     "source ********:15968"
debug.opendns.com.      0       IN      TXT     "dnscrypt enabled (.........)"

Querying dnscrypt directly also fails to show the TXT records!
Code:
# drill -t txt debug.opendns.com -p 65053 @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 62358
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 
;; QUESTION SECTION:
;; debug.opendns.com.   IN      TXT

;; ANSWER SECTION:

;; AUTHORITY SECTION:
opendns.com.    8950    IN      SOA     auth1.opendns.com. noc.opendns.com. 1421437379 16384 2048 1048576 2560
.....
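The bisection in the post above (ask dnsmasq on port 53, then ask dnscrypt-proxy directly on 65053, and compare the debug.opendns.com TXT answers) as an added example that is not from the thread; the function names are hypothetical and the sample drill answers are constructed to match the shape shown above.

```shell
#!/bin/sh
# Classify a captured `drill -t txt debug.opendns.com` answer and locate the
# fault the way the post above does: compare what dnsmasq returns on port 53
# with what dnscrypt-proxy returns when asked directly (-p 65053 @127.0.0.1).
# The sample answers are constructed to match the shape seen in the thread.

# Prints one of: encrypted | plaintext | nxdomain | unknown
dnscrypt_status() {
    if printf '%s\n' "$1" | grep -q 'rcode: NXDOMAIN'; then
        echo nxdomain      # the resolver denies that the name exists
    elif printf '%s\n' "$1" | grep -q '"dnscrypt enabled'; then
        echo encrypted     # OpenDNS saw the query arrive over DNSCrypt
    elif printf '%s\n' "$1" | grep -q '"server '; then
        echo plaintext     # OpenDNS answered, but without the "dnscrypt enabled" record
    else
        echo unknown
    fi
}

# $1 = answer obtained via dnsmasq, $2 = answer obtained from dnscrypt-proxy directly.
# Prints: ok | proxy-broken | dnsmasq-misrouted
diagnose() {
    via_dnsmasq=$(dnscrypt_status "$1")
    via_proxy=$(dnscrypt_status "$2")
    if [ "$via_proxy" != encrypted ]; then
        echo proxy-broken          # the proxy itself is at fault; fix it first
    elif [ "$via_dnsmasq" != encrypted ]; then
        echo dnsmasq-misrouted     # proxy is fine; dnsmasq is not forwarding to it
    else
        echo ok
    fi
}

SAMPLE_ENCRYPTED=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 1
debug.opendns.com.      0       IN      TXT     "server 9.lon"
debug.opendns.com.      0       IN      TXT     "dnscrypt enabled (xxxxxxxx)"'

SAMPLE_PLAINTEXT=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 2
debug.opendns.com.      0       IN      TXT     "server 9.lon"
debug.opendns.com.      0       IN      TXT     "originid 0"'

SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 3
opendns.com.    8950    IN      SOA     auth1.opendns.com. noc.opendns.com. 1 2 3 4 5'

# Reproduces the symptom in the thread: plaintext via dnsmasq, NXDOMAIN from the proxy.
diagnose "$SAMPLE_PLAINTEXT" "$SAMPLE_NXDOMAIN"    # prints: proxy-broken
```

To run it against a live router, capture each drill answer into a variable (`out=$(drill -t txt debug.opendns.com -p 65053 @127.0.0.1)`) and pass it to `diagnose`.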
 
I got things running using the instructions on the first page of this thread, including setting up a second instance for IPv6 queries. However, DNS queries were still going to my ISP. I had to uncheck the "obtain DNS address automatically" in the GUI before it worked. Similarly, I had to clear the DNS entries in the IPv6 tab to prevent leakage there.

That said, something is still caching the old entries. In Firefox, visiting the opendns.org/welcome shows opendns is being used, but the badguys test page is not blocked. Using Internet Explorer, the reverse is true -- welcome fails, but badguys is blocked!

Question: is there a need to use port(s) 65053 (and 65054) instead of 53 (and 54)? Would not using the standard port assignments make more sense?
 
Hi, Firefox and Windows both have their own DNS cache.

For Windows/IE you will have to run the following command:
"ipconfig /flushdns"
and Firefox is *supposed* to clear its DNS entries when you stop it.
However, you might see the cached page.
Either clear cache and history or try refreshing with Ctrl-F5 to force a refresh on any browser.

You do not want to use port 53 for DNScrypt.
DNScrypt is used by dnsmasq (the router's internal DNS server) like an external DNS server.
However, since dnsmasq already uses port 53 for your LAN computers, you can't use the same port for DNScrypt.
I believe you could skip dnsmasq, but you would lose the router's local DNS server that is doing caching and contains local DNS lookups between your computers.

http://www.thekelleys.org.uk/dnsmasq/doc.html
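A preflight check for the port split explained in the reply above, added here as an example (not code from the thread): dnsmasq keeps port 53 for the LAN, so every `server=` forwarder in dnsmasq.conf.add must name a loopback port that a dnscrypt-proxy instance really listens on, and `no-resolv` must be present or dnsmasq also falls back to the ISP servers. The function names are hypothetical; the config text and proxy command lines are constructed samples passed in as strings.

```shell
#!/bin/sh
# Preflight check of the dnsmasq -> dnscrypt-proxy port split: dnsmasq owns
# port 53, and each forwarder in dnsmasq.conf.add must point at a loopback
# port that a running dnscrypt-proxy instance listens on.  The config text
# and the proxy command lines are passed in as strings (constructed samples).

# Ports dnsmasq would forward to, one per line (from server=127.0.0.1#PORT lines).
forward_ports() {
    printf '%s\n' "$1" | sed -n 's/^server=127\.0\.0\.1#\([0-9][0-9]*\)$/\1/p'
}

# Ports from dnscrypt-proxy --local-address=127.0.0.1:PORT options, one per line.
proxy_ports() {
    printf '%s\n' "$1" | sed -n 's/.*--local-address=127\.0\.0\.1:\([0-9][0-9]*\).*/\1/p'
}

# $1 = dnsmasq.conf.add text, $2 = dnscrypt-proxy command line(s).
# Prints: ok | missing-no-resolv | no-forwarders | port-53-conflict | no-listener:PORT
check_split() {
    # Without no-resolv, dnsmasq also uses the ISP servers from /etc/resolv.conf.
    printf '%s\n' "$1" | grep -qx 'no-resolv' || { echo missing-no-resolv; return; }
    ports=$(forward_ports "$1")
    [ -n "$ports" ] || { echo no-forwarders; return; }
    for p in $ports; do
        # dnsmasq already owns 53; a proxy told to use 53 cannot even bind.
        [ "$p" != 53 ] || { echo port-53-conflict; return; }
        proxy_ports "$2" | grep -qx "$p" || { echo "no-listener:$p"; return; }
    done
    echo ok
}

CONF_GOOD='no-resolv
server=127.0.0.1#65053
server=127.0.0.1#65055'
CONF_PORT53='no-resolv
server=127.0.0.1#53'
CONF_LEAKY='server=127.0.0.1#65053'

PROXIES='/jffs/bin/dnscrypt-proxy --local-address=127.0.0.1:65053 --daemonize --resolver-name=opendns
/jffs/bin/dnscrypt-proxy --local-address=127.0.0.1:65055 --daemonize --resolver-name=dnscrypt.eu-dk'
PROXY_ONE='/jffs/bin/dnscrypt-proxy --local-address=127.0.0.1:65053 --daemonize --resolver-name=opendns'

check_split "$CONF_GOOD" "$PROXY_ONE"    # prints: no-listener:65055
```

On the router itself, feed it `$(cat /jffs/configs/dnsmasq.conf.add)` and `$(ps w | grep '[d]nscrypt-proxy')` instead of the samples.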
 
Yeah, I tried flushing the windows dns cache and clearing the histories in IE and Firefox to no avail. However, eventually something timed out and now the test pages show that DNSCrypt is functioning. I don't *think* it was dnsmasq because of the diametric difference between IE and FF.

Between my post and your reply, I tried changing the ports to 53/54 and that just broke everything, so I changed it back. Now I know why, thanks.
 
I'm having issues with DNSCrypt on my Asus RT-N66U

It was working just fine, but then after I updated the firmware of the router, it stopped working... "Oh I just have to redo the steps again" I thought... But it seems that after I reboot, opt simply vanishes... "can't cd to opt" ... Any ideas? I believe this is the root of my issues...

If I redo all the steps of installing Entware and DNSCrypt but don't reboot, I can see the items in opt but if I reboot then I can't access opt...

Edit: Let me clarify that I updated to 378.52

Edit 2: Problem solved, I have a nasty habit of not reading the changelogs for the versions between the one I'm at and the one I'm updating to... Apparently a factory default reset is required when updating to 378.50+ from versions prior to 378.50, otherwise issues may appear, and I believe that was the issue - After factory default reset and setting everything up again, opt is no longer removed after a reboot and everything works perfectly.

Edit 3: Actually I believe my issue was "Enable JFFS custom scripts and configs" - That option wasn't in the build I updated from, so I assume it was default set to "No" after the firmware update... After having done the factory default reset, I went through my settings and saw it and enabled it, so it was probably that which got things working again, not the default factory reset... Meaning that I probably did the restore in vain... Oh well, at least it's working now. =)
 
I have the same problem with 378.53. Dnscrypt is not started.

Add the following line in /jffs/scripts/services-start:
/opt/etc/init.d/S09dnscrypt-proxy start
 
Hi all,

Just thought I'd share my wan-start script as I've now compiled and installed dnscrypt on my rt-ac68u and got it working with two dns providers.
The wan-start script below doesn't use hard-coded ntp servers and doesn't update /jffs/ either. Rather, it updates /etc/hosts directly using hostip and uses that to update the router's time.
In addition, I've copied the "dns-resolvers.csv" file to /jffs/configs/ so that it's easier to change dns providers.
The wan-start script below can easily be updated with a new dns provider and rerun to restart dnscrypt using the new dns providers. Hence, no reboot required.

The /jffs/configs/dnsmasq.conf.add remains largely the same as previously mentioned by ryzhov_al.

A huge thank you to ryzhov_al for the scripts on which the below were based.
And another huge thank you to RMerlin for the awesome firmware.

/jffs/configs/dnsmasq.conf.add:
Code:
## Use dnscrypt-proxy as a resolver
no-resolv
server=127.0.0.1#65053
server=127.0.0.1#65055

/jffs/scripts/wan-start:
Code:
#!/bin/sh

# Run from "wan-start".
# This section starts dnscrypt-proxy to encrypt DNS requests.

logger -t "$(basename "$0")" "started [$*]"

# Now resolve the DNS name of the NTP server with hostip and pin it in /etc/hosts:
# dnsmasq cannot resolve it yet, because its only upstream (dnscrypt-proxy) is not running
ntp_name=$(nvram get ntp_server0)
grep "$ntp_name" /etc/hosts > /dev/null 2>&1 || \
for ip in $(/jffs/bin/hostip "$ntp_name")
do
    echo "$ip $ntp_name" >> /etc/hosts
done

# restart NTP client to eliminate 4-5 mins delay
killall ntp && sleep 1
service restart_ntpc

# Kill any existing dnscrypt-proxy sessions to ensure we start clean
killall dnscrypt-proxy >/dev/null 2>&1 && sleep 1

# One proxy instance per provider; dnsmasq.conf.add forwards to both ports
/jffs/bin/dnscrypt-proxy --local-address=127.0.0.1:65053 --daemonize --resolvers-list=/jffs/configs/dnscrypt-resolvers.csv --resolver-name=opendns
/jffs/bin/dnscrypt-proxy --local-address=127.0.0.1:65055 --daemonize --resolvers-list=/jffs/configs/dnscrypt-resolvers.csv --resolver-name=dnscrypt.eu-dk

# Restarting dnsmasq will overwrite /etc/hosts
service restart_dnsmasq
 
How did you install dnscrypt-proxy to /jffs?
 
I have tried updating my running dnscrypt with your script but I get no internet on rt-a87u.
I have noticed that your script does not contain dnscrypt-cert provider-key, can you expand on that?
 