Dnscrypt from opendns

[Calisro]

no. just reboot and look at the actual timestamps of the logfile. They should be *close* to correct pretty early in the boot process.

 

[ILMostro]

Thanks so much for the extensive support, helping me to resolve this issue and add another page of discussion to this thread . AFAICT, my problem stems from the fake-hwclock not working correctly. Once I add the /jffs/configs/dnsmasq.conf.add script and reboot I don't have name resolution and the "date" command spits out the wrong date/time. I'll leave it at this until I figure out a way to fix the hwclock issue. Thanks again.

 

[Calisro]

Try this for hwclock. This is the way I have it set up. If we get it working, i'll fix the wiki. This will move hwclock to /jffs and it will set the clock very early in the boot process. It will also save the time to disk once an hour and on shutdown.

sed 's~FILE=.*$~FILE=/jffs/fake-hwclock.data~' /opt/bin/fake-hwclock > /jffs/fake-hwclock
chmod +x /jffs/fake-hwclock

/jffs/fake-hwclock

echo "/jffs/fake-hwclock load" >> /jffs/scripts/init-start
chmod +x /jffs/scripts/init-start

echo "/jffs/fake-hwclock save" >> /jffs/scripts/services-stop
chmod +x /jffs/scripts/services-stop

echo "sleep 2;/jffs/fake-hwclock save" >> /jffs/scripts/wan-start
chmod +x /jffs/scripts/wan-start
echo "cru a hwclock \"0 * * * * /jffs/fake-hwclock save\" >> /jffs/scripts/wan-start

opkg remove fake-hwclock

 

[ILMostro]

No luck with that either. It seems that the /opt directory, under which the writeable /jffs directory is mounted, doesn't get mounted until well after booting is completed; none of the partitions on the USB drive do. Therefore, the scripts might not get executed correctly in time; though, I'm just speculating according to my observations of post-boot syslogs/dmesg.

Let's add a test to the script so that we can check if it ran correctly or not. I saw something to that effect on the Wiki somewhere a long time ago, where the script creates a file; therefore, if the file doesn't exist, the script didn't run.

 

[ILMostro]

NOTE: you're example failed to include a "shebang" in the init-start and wan-start scripts.

To test if the scripts started I added some lines taken from the Wiki:

:/tmp/home/root# cat /jffs/scripts/init-start
#!/bin/sh

touch /tmp/000initstartted

/jffs/fake-hwclock load

and

:/tmp/home/root# cat /jffs/scripts/wan-start
#!/bin/sh

touch /tmp/001wanscriptstarted

sleep 2; /jffs/fake-hwclock save
cru a hwclock "0 * * * * /jffs/fake-hwclock save"

After I added the missing shebangs to the scripts and rebooted the scripts executed correctly, creating the respective files in the /tmp directory. Additionally, when I execute

# cru l

I see the listing of the cron job. Sadly, though, dnscrypt-proxy still doesn't work.

 

[RogueSpear]

I'm rather delinquent with posting here, but the post by ASAT, #249, is spot on. If you're running an ARM based unit, be sure to get the binaries from lancethepants. With Merlins .55 build, I have this running with great success and stability. On an AC3200 at home, and on an AC68U I brought to my in-laws in Europe (still there for another week, hence my delay in posting).

Sent from my LG-D850 using Tapatalk

 

[Calisro]

No luck with that either. It seems that the /opt directory, under which the writeable /jffs directory is mounted, doesn't get mounted until well after booting is completed; none of the partitions on the USB drive do. Therefore, the scripts might not get executed correctly in time; though, I'm just speculating according to my observations of post-boot syslogs/dmesg.

Let's add a test to the script so that we can check if it ran correctly or not. I saw something to that effect on the Wiki somewhere a long time ago, where the script creates a file; therefore, if the file doesn't exist, the script didn't run.

jffs gets mounted very early. I run this setup. Add a "touch /jffs/touched" to /jffs/init-start.

 

[Calisro]

NOTE: you're example failed to include a "shebang" in the init-start and wan-start scripts.

Sadly, though, dnscrypt-proxy still doesn't work.

i'll correct them before I put on wiki. What error is in your /tmp/syslog.log?

grep dnscrypt /tmp/syslog.log

If there are no entries at all, It sounds like entware is not starting properly (which would also make sense as to why hwclock wasn't starting).

 

[amigohd]

if I use
iptables -A OUTPUT -p tcp --dport 53 -j DROP
in
/jffs/scripts/firewall-start
my router can't connect to members.dyndns.org to update dyndns, nor can I ping any site nor does opkg update works.
All my connected devices do run without any problems, so I am guessing dnscrpyt is working fine.
But I would love to disable outgoing dpt 53 and still getting my router to connect to the outside.
How to solve?

 

[Calisro]

if I use
iptables -A OUTPUT -p tcp --dport 53 -j DROP
in
/jffs/scripts/firewall-start
my router can't connect to members.dyndns.org to update dyndns, nor can I ping any site nor does opkg update works.
All my connected devices do run without any problems, so I am guessing dnscrpyt is working fine.
But I would love to disable outgoing dpt 53 and still getting my router to connect to the outside.
How to solve?

redirect. Don't block.

iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

 

[amigohd]

thank you
https://github.com/RMerl/asuswrt-merlin/wiki/Secure-DNS-queries-using-DNSCrypt now updated as well (y)

 

[amigohd]

But why does blocking dpt 53 not work? i thought dnscrypt is proxing dns requests from spt 53 to dpt 443 of the dnscrypt provider?
how may i check (without the need to sniff the network) if dns requests from clients are really encrypted now?

 

[ILMostro]

i'll correct them before I put on wiki. What error is in your /tmp/syslog.log?

grep dnscrypt /tmp/syslog.log

If there are no entries at all, It sounds like entware is not starting properly (which would also make sense as to why hwclock wasn't starting).

There are no entries pertaining to dnscrypt at all. Maybe I need to reinstall entware?

 

[Calisro]

But why does blocking dpt 53 not work? i thought dnscrypt is proxing dns requests from spt 53 to dpt 443 of the dnscrypt provider?
how may i check (without the need to sniff the network) if dns requests from clients are really encrypted now?

This has nothing to do with dnscrypt. I'm guessing you have your dns on whatever device it is failing on to use some other dns server and you've told it to block that. Ir sounds like your dns server settings are not set to use your router ON your router.

My commands will simply hijack those calls and direct them to the router rather than drop them.

same for clients. If someone on your network puts 8.8.8.8 in their dns, the iptables will allow that and just hijack it and send it the router (through dnscrypt) instead.

 

[Calisro]

There are no entries pertaining to dnscrypt at all. Maybe I need to reinstall entware?

In /opt/etc/init.d/ do you have dnscrypt file set to start? look at contents. it should read daemon=true or something similar.

 

[ILMostro]

:/# cat /opt/etc/init.d/S09dnscrypt-proxy
#!/bin/sh

ENABLED=yes
PROCS=dnscrypt-proxy
ARGS="--local-address=127.0.0.1:65053 --daemonize -R opendns"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

 

[Calisro]

:/# cat /opt/etc/init.d/S09dnscrypt-proxy
#!/bin/sh

ENABLED=yes
PROCS=dnscrypt-proxy
ARGS="--local-address=127.0.0.1:65053 --daemonize -R opendns"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

Looks right but entware isn't starting stuff. That's your problem... You'd see entries in syslog if it was.

 

[ryzhov_al]

Please note, default "opendns" resolver doesn't exist anymore, that's because Cisco bought OpenDNS company. Please update Entware package by:

opkg update
opkg upgrade

New default resolver is called (surprise! surprise!) "cisco".

i'll correct them before I put on wiki. What error is in your /tmp/syslog.log?

grep dnscrypt /tmp/syslog.log

If there are no entries at all, It sounds like entware is not starting properly (which would also make sense as to why hwclock wasn't starting).

Did I messed up with wiki? Tested twice on clean installation with no issues.

PS I have to add postinst script of fake-hwclock package to save current time after it was installed.
PPS Wait, I've done that before No need to run fake-hwclock right after installation.

 

[kvic]

Thanks for breaking the news, ryzhov_al. Good for OpenDNS. Btw, it's amazing sometimes when ppl need a package, boom, it's in Entware already.

On dnscrypt-proxy, this thread need an asterisk. OpenDNS resolvers can be used just like google dns in its plain old fashion.

Dnscrypt in its current incarnation has little value to users. Are ppl paranoid that they use it to stop ISP from spying on their port 53 activities? Or I miss something else..

 

[lancethepants]

I use dnscrypt to circumvent DNS filtering and interception.