DNScrypt dnscrypt installer for asuswrt

[Lost Dog]

What's the latest info for having one or more devices use a different DNS while using dnscrypt? At one point (maybe still) using DNS-filtering in the router was not compatible with dnscrypt. I'm wanting to use dnscrypt for all devices except my son's Chromebook... I'd like that to use opendns with our parental options set.

Is this possible?

 

[SMS786]

When selecting the Cloudflare DNS servers (option 13) on dnscrypt does this set up DNS over TLS or just the vanilla DNS resolution on cloudflare's servers?

 

[DonnyJohnny]

When selecting the Cloudflare DNS servers (option 13) on dnscrypt does this set up DNS over TLS or just the vanilla DNS resolution on cloudflare's servers?

It is DOH not TLS. Dnscrypt-proxy don’t support Dns over TLS

 

[SMS786]

It is DOH not TLS. Dnscrypt-proxy don’t support Dns over TLS

Thanks. Would you happen to know if DOH is enabled by default when I select the cloudflare option in dnscrypt or does it require extra setup?

Edit: Nevermind..dnscrypt 2.0+ supports DoH out of the box.

 

[penguin22]

I notice dnscrypt installer does not disable WAN "Connect to DNS Server automatically" though it gives the option to input a DNS server for NPT on boot; Does leaving "Connect DNS Server automatically" enabled mess any dnscrypt installer configuration up, during boot or normal uptime?

I know it will depend on each person's configuration, but I found that leaving Connect DNS Server automatically in WAN settings was needed to resolve OpenVPN DNS quickly and start the tunnel. With it set to No and even with manually populating a different DNS address, such as 1.1.1.1 or 8.8.8.8, it still kept failing to resolve the OpenVPN name. With DNSCrypt loaded and OpenVPN "Accept DNS Configuration" set to Strict, I don't see any DNS leaks from various testing locations.

 

[Twiglets]

For those interested, 2.09b1 is out. Unstable and tester needed by developer. Feedback at github. Not here.
https://github.com/jedisct1/dnscrypt-proxy/releases/tag/2.0.9b1

FYI,
2.0.9 is out, runs fine on my ASUS RT-AC56U.

New options in .toml file are below:

## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds
## [Increased from 10 due to 'tls_disable_session_tickets' set to true]
keepalive = 30

## DNSCrypt: Create a new, unique key for every single DNS query
## This may improve privacy but can also have a significant impact on CPU usage
## Only enable if you don't have a lot of network load

dnscrypt_ephemeral_keys = true

## DoH: Disable TLS session tickets
## increases privacy but also latency - Bump keepalive up to compensate.

tls_disable_session_tickets = true

## DoH: Use a specific cipher suite instead of the server preference
## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
##
## On non-Intel systems such as MIPS routers and ARM systems (Android, Raspberry Pi...),
## the following suite improves performance.
##
## Delete or comment the next line if you have issues connecting to some DoH servers, but
## any modern server should support this cipher suite. Google and Cloudflare do.

tls_cipher_suite = [52392, 49199]

 

[skeal]

FYI,
2.0.9 is out, runs fine on my ASUS RT-AC56U.

New options in .toml file are below:

## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds
## [Increased from 10 due to 'tls_disable_session_tickets' set to true]
keepalive = 30

## DNSCrypt: Create a new, unique key for every single DNS query
## This may improve privacy but can also have a significant impact on CPU usage
## Only enable if you don't have a lot of network load

dnscrypt_ephemeral_keys = true

## DoH: Disable TLS session tickets
## increases privacy but also latency - Bump keepalive up to compensate.

tls_disable_session_tickets = true

## DoH: Use a specific cipher suite instead of the server preference
## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
##
## On non-Intel systems such as MIPS routers and ARM systems (Android, Raspberry Pi...),
## the following suite improves performance.
##
## Delete or comment the next line if you have issues connecting to some DoH servers, but
## any modern server should support this cipher suite. Google and Cloudflare do.

tls_cipher_suite = [52392, 49199]

This version is still being tested it is not availble by the installer.

Info:  Downloading dnscrypt-proxy-linux_arm-2.0.8.tar.gz

 

[Twiglets]

This version is still being tested it is not availble by the installer.

Info:  Downloading dnscrypt-proxy-linux_arm-2.0.8.tar.gz

I cheated and edited the installer line 3 to '2.0.9'
I had the 2.0.9b2 version working OK so took the risk

Sorry if I jumped the gun.

 

[DonnyJohnny]

This version is still being tested it is not availble by the installer.

Info:  Downloading dnscrypt-proxy-linux_arm-2.0.8.tar.gz

No issue. I just add in those additional configuration and overwrite the dnscrypt_proxy from the unzip pre-complied available in Frank github and restart the service.

The additional configuration is cool.. increased in security and privacy.

 

[skeal]

FYI,
2.0.9 is out, runs fine on my ASUS RT-AC56U.

New options in .toml file are below:

## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds
## [Increased from 10 due to 'tls_disable_session_tickets' set to true]
keepalive = 30

## DNSCrypt: Create a new, unique key for every single DNS query
## This may improve privacy but can also have a significant impact on CPU usage
## Only enable if you don't have a lot of network load

dnscrypt_ephemeral_keys = true

## DoH: Disable TLS session tickets
## increases privacy but also latency - Bump keepalive up to compensate.

tls_disable_session_tickets = true

## DoH: Use a specific cipher suite instead of the server preference
## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
##
## On non-Intel systems such as MIPS routers and ARM systems (Android, Raspberry Pi...),
## the following suite improves performance.
##
## Delete or comment the next line if you have issues connecting to some DoH servers, but
## any modern server should support this cipher suite. Google and Cloudflare do.

tls_cipher_suite = [52392, 49199]

I figured this out and tried out these settings. I have seen no hit to my cpu at all or memory either.

 

[blueshark]

What is the code for opendns, cant find it

 

[joegreat]

What is the code for opendns, cant find it

Look for cisco as they own now OpenDNS...

 

[Twiglets]

What is the code for opendns, cant find it

Google 'Opendns'.
Near the top of replies is https://www.opendns.com/setupguide/

Gives:

Our nameservers are always:

• 208.67.222.222
• 208.67.220.220

 

[DonnyJohnny]

Refers here for all server names for dnscrypt / DOH
https://dnscrypt.info/public-servers

 

[Martin_D]

I am looking for some help In the process of making a custom .toml file

Does this look good

cert_ignore_timestamp = true

server_names = ['cisco', 'cisco-familyshield']

listen_addresses = ['127.0.0.1:65053']

## Maximum number of simultaneous client connections to accept

max_clients = 250

## Require servers (from static + remote sources) to satisfy specific properties

# Use servers reachable over IPv4
ipv4_servers = true

# Use servers reachable over IPv6
ipv6_servers = false

# Use servers implementing the DNSCrypt protocol
dnscrypt_servers = true

# Use servers implementing the DNS-over-HTTPS protocol
doh_servers = true

## Require servers defined by remote sources to satisfy specific properties

# Server must support DNS security extensions (DNSSEC)
require_dnssec = false

# Server must not log user queries (declarative)
require_nolog = false

# Server must not enforce its own blacklist (for parental control, ads blocking...)
require_nofilter = false

## Always use TCP to connect to upstream servers

force_tcp = false

## How long a DNS query will wait for a response, in milliseconds

timeout = 2500

## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds

keepalive = 30

## Load-balancing

lb_strategy = 'p2'

## Log level

log_level = 2

## log file for the application

# log_file = 'dnscrypt-proxy.log'

## Use the system logger

# use_syslog = true

## Delay, in minutes, after which certificates are reloaded

cert_refresh_delay = 240

## DNSCrypt: Ephemeral_keys (Beta)

 dnscrypt_ephemeral_keys = true

## DoH: Disable TLS session tickets - increases privacy but also latency

# tls_disable_session_tickets = false

## DoH: specific cipher suite (Beta)

 tls_cipher_suite = [52392, 49199]

## Fallback resolver

fallback_resolver = '194.168.8.100:53'

ignore_system_dns = true

## Automatic log files rotation

# Maximum log files size in MB
log_files_max_size = 10

# How long to keep backup files, in days
log_files_max_age = 5

# Maximum log files backups to keep
log_files_max_backups = 1

## Filters
      
block_ipv6 = true

## Enable a DNS cache to reduce latency and outgoing traffic

cache = true

## Cache size

cache_size = 512

## Minimum TTL for cached entries

cache_min_ttl = 600

## Maximum TTL for cached entries

cache_max_ttl = 86400

## TTL for negatively cached entries

cache_neg_ttl = 60

[sources]

  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''

 

[DonnyJohnny]

I think 53 is used by dnsmasq and dnscrypt-proxy as per its name is used as proxy. What it does is forwarding all DNS request in 53 via 65053. I don't think you can set the custom toml as 53 as it will have conflict and likely the dnscrypt-proxy will not be able to start.

 

[Twiglets]

I am looking for some help In the process of making a custom .toml file

Does this look good

cert_ignore_timestamp = true

server_names = ['cisco', 'cisco-familyshield']

listen_addresses = ['127.0.0.1:65053']

## Maximum number of simultaneous client connections to accept

max_clients = 250

## Require servers (from static + remote sources) to satisfy specific properties

# Use servers reachable over IPv4
ipv4_servers = true

# Use servers reachable over IPv6
ipv6_servers = false

# Use servers implementing the DNSCrypt protocol
dnscrypt_servers = true

# Use servers implementing the DNS-over-HTTPS protocol
doh_servers = true

## Require servers defined by remote sources to satisfy specific properties

# Server must support DNS security extensions (DNSSEC)
require_dnssec = false

# Server must not log user queries (declarative)
require_nolog = false

# Server must not enforce its own blacklist (for parental control, ads blocking...)
require_nofilter = false

## Always use TCP to connect to upstream servers

force_tcp = false

## How long a DNS query will wait for a response, in milliseconds

timeout = 2500

## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds

keepalive = 30

## Load-balancing

lb_strategy = 'p2'

## Log level

log_level = 2

## log file for the application

# log_file = 'dnscrypt-proxy.log'

## Use the system logger

# use_syslog = true

## Delay, in minutes, after which certificates are reloaded

cert_refresh_delay = 240

## DNSCrypt: Ephemeral_keys (Beta)

 dnscrypt_ephemeral_keys = true

## DoH: Disable TLS session tickets - increases privacy but also latency

# tls_disable_session_tickets = false

## DoH: specific cipher suite (Beta)

 tls_cipher_suite = [52392, 49199]

## Fallback resolver

fallback_resolver = '194.168.8.100:53'

ignore_system_dns = true

## Automatic log files rotation

# Maximum log files size in MB
log_files_max_size = 10

# How long to keep backup files, in days
log_files_max_age = 5

# Maximum log files backups to keep
log_files_max_backups = 1

## Filters
   
block_ipv6 = true

## Enable a DNS cache to reduce latency and outgoing traffic

cache = true

## Cache size

cache_size = 512

## Minimum TTL for cached entries

cache_min_ttl = 600

## Maximum TTL for cached entries

cache_max_ttl = 86400

## TTL for negatively cached entries

cache_neg_ttl = 60

[sources]

  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''

You can check the validity of the .toml file by running the following:

cd to /jffs/dnscrypt

./dnscrypt-proxy -check

Any errors will be listed and the line causing the problem advised.
Fix the error and re-run the command.
Repeat until file passes the check.

BTW: It looks OK by a quick visual check !!!

I think 53 is used by dnsmasq and dnscrypt-proxy as per its name is used as proxy. What it does is forwarding all DNS request in 53 via 65053. I don't think you can set the custom toml as 53 as it will have conflict and likely the dnscrypt-proxy will not be able to start.

If you are refering to the 'fallback resolver' it is valid as it is only used if the configured 'Server' cannot' be reached.
DoH will be using Port 443.

 

[blueshark]

Do i need upnp active to run dnscrypt ?

 

[skeal]

Do i need upnp active to run dnscrypt ?

Nope.

 

[blueshark]

Nope.

Thank to all for helping but i have a problem, if i try reconfigure by running installer router crash and lost internet access


Dns leak test is ok?
https://www.dnsleaktest.com