DNScrypt dnscrypt installer for asuswrt

Thanks to all for helping, but I have a problem: if I try to reconfigure by running the installer, the router crashes and I lose internet access.


DNS leak test is OK?
https://www.dnsleaktest.com
I know this is a pain in the butt but if you format your /jffs partition and re-install you should be ok. Be warned that formatting /jffs will remove all your scripts installed to that directory.
 
You can check the validity of the .toml file by running the following:

Code:
cd /jffs/dnscrypt
./dnscrypt-proxy -check

Any errors will be listed and the line causing the problem advised.
Fix the error and re-run the command.
Repeat until file passes the check.

BTW: It looks OK by a quick visual check !!! :)

Thank you, does this look right?

I have just uploaded it to the router. I will leave it for 24 hours to see how it goes.

Code:
cert_ignore_timestamp = true

server_names = ['cisco', 'cisco-familyshield']

listen_addresses = ['127.0.0.1:65053']

## Maximum client connections to accept

max_clients = 250

## Require servers (from static + remote sources) to satisfy specific properties

# Use servers reachable over IPv4
ipv4_servers = true

# Use servers reachable over IPv6
ipv6_servers = false

# Use servers implementing the DNSCrypt protocol
dnscrypt_servers = true

# Use servers implementing the DNS-over-HTTPS protocol
doh_servers = true

## Require servers defined by remote sources to satisfy specific properties

# Server must support DNS security extensions (DNSSEC)
require_dnssec = false

# Server must not log user queries (declarative)
require_nolog = false

# Server must not enforce its own blacklist
require_nofilter = false

## Always use TCP to connect to upstream servers

force_tcp = false

## How long a DNS query will wait for a response, in milliseconds

timeout = 2500

## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds

keepalive = 30

## Load-balancing

lb_strategy = 'p2'

## Log level

log_level = 2

## log file for the application

# log_file = 'dnscrypt-proxy.log'

## Use the system logger

# use_syslog = true

## Delay, in minutes, after which certificates are reloaded

cert_refresh_delay = 240

## DNSCrypt: Ephemeral_keys

dnscrypt_ephemeral_keys = true

## DoH: Disable TLS session tickets - increases privacy but also latency

# tls_disable_session_tickets = false

## DoH: specific cipher suite

tls_cipher_suite = [52392, 49199]

## Fallback resolver

fallback_resolver = '194.168.8.100:53'

ignore_system_dns = true

## Automatic log files rotation

# Maximum log files size in MB
log_files_max_size = 10

# How long to keep backup files, in days
log_files_max_age = 5

# Maximum log files backups to keep
log_files_max_backups = 1

## Filters

block_ipv6 = true

## Enable a DNS cache to reduce latency and outgoing traffic

cache = true

## Cache size

cache_size = 512

## Minimum TTL for cached entries

cache_min_ttl = 600

## Maximum TTL for cached entries

cache_max_ttl = 86400

## TTL for negatively cached entries

cache_neg_ttl = 60

[sources]

  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''
 
'./dnscrypt-proxy -check' output looks OK.

I notice you have not set the 'tls_disable_session_tickets' option to true.
Have you tried it and found it impacts latency too much?

I don't know your particular setup so maybe this is a problem.
I have a lightly used network that it does not seem to impact in any measurable way, for me.

If you are not sure, try it set to 'false' and then 'true' and compare performance.
 
I completely missed that. I have just updated the file and sent it to the router, so let's see what happens to the latency.

Code:
cert_ignore_timestamp = true

server_names = ['cisco', 'cisco-familyshield']

listen_addresses = ['127.0.0.1:65053']

## Maximum client connections to accept

max_clients = 250

# Use servers reachable over IPv4
ipv4_servers = true

# Use servers reachable over IPv6
ipv6_servers = false

# Use servers implementing the DNSCrypt protocol
dnscrypt_servers = true

# Use servers implementing the DNS-over-HTTPS protocol
doh_servers = true

# Server must support DNS security extensions (DNSSEC)
require_dnssec = false

# Server must not log user queries (declarative)
require_nolog = false

# Server must not enforce its own blacklist
require_nofilter = false

## Always use TCP to connect to upstream servers

force_tcp = false

## DNS query response, in milliseconds

timeout = 2500

## Keepalive: (HTTPS, HTTP/2) queries, in seconds

keepalive = 30

## Load-balancing

lb_strategy = 'p2'

## Log level

log_level = 2

## log file for the application

log_file = 'dnscrypt-proxy.log'

## Use the system logger

use_syslog = true

## Delay, in minutes, after which certificates are reloaded

cert_refresh_delay = 240

## DNSCrypt: Ephemeral_keys

dnscrypt_ephemeral_keys = true

## DoH: Disable TLS session tickets

tls_disable_session_tickets = true

## DoH: specific cipher suite

tls_cipher_suite = [52392, 49199]

## Fallback resolver

fallback_resolver = '194.168.8.100:53'

ignore_system_dns = true

## Automatic log files rotation

# Maximum log files size in MB
log_files_max_size = 10

# How long to keep backup files, in days
log_files_max_age = 5

# Maximum log files backups to keep
log_files_max_backups = 1

## Filters

block_ipv6 = true

## DNS cache

cache = true

## Cache size

cache_size = 512

## Minimum TTL for cached entries

cache_min_ttl = 600

## Maximum TTL for cached entries

cache_max_ttl = 86400

## TTL for negatively cached entries

cache_neg_ttl = 60

[sources]

  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''
 
MartinDEE,

Don't forget to re-start 'dnscrypt-proxy', as follows, whenever you make changes to the .toml file:

Code:
/jffs/dnscrypt/manager dnscrypt-start

[Starts it if NOT running and re-starts if already running] :D
 
Newbie questions:
I have installed dnscrypt on router. All appears to be working ok. My first time ever, installing something like this.

Questions; when a merlin-wrt firmware update is required, can I just install it over the top of the existing router configuration?
Or should dnscrypt be reinstalled after a firmware update?

(Dnscrypt installed directly on router, no USB drives involved).

Be gentle, I’m deep in learning mode here.......... ;-)
Any observations/advice you might have will be welcome.
 
@Treadler: In general, when it's an asuswrt-merlin update which doesn't require a factory reset (like a new branch with loads of changes) and as long as you don't format your /jffs partition (which is an option in the UI), dnscrypt will survive updates without any issues. Should anything happen, you can just run the install script again; it will detect its previous settings (as long as you didn't format /jffs) and ask you whether you want to use your previous settings or start fresh. So yes, you can just install firmware updates on top of your current firmware, as long as you keep the things mentioned in mind.
 
I was using 1.1.1.1 without dnscrypt and now I am using 1.1.1.1 with dnscrypt. The DNS response time increased from 20ms to 70ms. Is this due to DoH? dnscrypt itself tells me that the DNS response from 1.1.1.1 is about 20-25ms, but my network monitoring tells me something different. (The large number on the screenshot is the average of the last 30 days.)
 
Thanks for that, appreciated.
 
I have done likewise, but found 1.1.1.1 with dnscrypt faster than without.
 
Funny. What settings do you use?
I think 1.1.1.1 via DoH must be getting 'busy' and so periodically the response time stretches to approx 70ms.
I had noticed the same issue but now (2018-04-18) it is back to circa 20ms.
 
I have this working with DoH Cloudflare for the entire network, but I also use OpenVPN with Exclusive DNS.

Sometimes, I still get Cloudflare DNS, so it's a DNS leak.

I removed the DNS Servers from LAN and in WAN I disabled the auto WAN get DNS option and left both of fields blank there as well. I hit apply on the Port Forwarding settings, despite not changing anything, and it isn't leaking currently, but I've had a few cases when changing settings on the router, that the DNS leaks for OpenVPN.
 
Hmmm, I still have Cloudflare DNS set in the router under both IPv4 & IPv6.
I understood from posts by the developer that dnscrypt would ignore these?
Is it recommended to remove them?
 
Manual, rather than auto.
Use dnscrypt for everything, Cloudflare for IPv6 & IPv4.
P2 for load balancing, 1.1.1.1 for initial boot/ntp server if needed.
Set time zone & installed RNG.
No swap file.

Left DNS settings in router, as removing them breaks my internet.
(Yes, I tried the router’s IP as v4 resolver & set both v4/v6 DNS as manual).
 
Your WAN DNS settings should be empty. If it breaks your internet try another initial DNS-resolver for NTP and downloading the resolver list during boot. If you leave DNS settings filled in, your router will be leaking.
 
I hear you M@rco, many thanks for your attention.

As a test, I replaced the resolvers in the router GUI (v4 & v6) with those of Quad9.
Rebooted. Tested at a number of sites & only Cloudflare servers are being used by me for resolution. Quad9 not detected in any of the tests I ran. I am guessing dnscrypt in my router is happy to ignore GUI specified DNS & override it/them?

(I have no VPN, so I will always be showing a DNS leak. The issue is, to confirm which server it is.)
 
If you use the dnscrypt installer there is an option to ignore the system DNS entries. Does no one read the things there? :D
 
There's an option to "Redirect all traffic through dnscrypt" if I recall correctly. However, this wasn't completely waterproof in previous releases. Perhaps @bigeyes0x0 has managed to now completely ignore settings in the UI, causing @Treadler to see no leaks at all. As far as I'm aware, these fields should be blank.
 
Unfortunately I have to admit that my statement was not correct! The option to ignore the System DNS setting is not selectable in the installer but only in the configuration file. But this is set to ignore by default :)
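As an added example (not the installer's or dnscrypt-proxy's own code), a small POSIX sh audit that complements the `./dnscrypt-proxy -check` step from earlier in the thread: `-check` validates the syntax, while this reads the values and warns about the settings this thread turns on (ignore_system_dns, tls_disable_session_tickets) and the ones still at their permissive defaults in the posted file (require_nolog, require_dnssec, cert_ignore_timestamp). The sample excerpt, the function names and the expected values are this example's own assumptions.

```shell
#!/bin/sh
# Added audit helper for a dnscrypt-proxy.toml (not part of the installer or of
# dnscrypt-proxy itself). It reads top-level keys and warns about settings that
# weaken the leak protection and server requirements discussed in this thread.
# POSIX sh only, so it also runs under the router's BusyBox ash.

# toml_get FILE KEY: print the first uncommented value of KEY, trailing comment
# stripped (string values containing '#' are not handled; none are checked here).
toml_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//'
}

# check FILE KEY EXPECTED MESSAGE: warn on stderr and return 1 unless KEY == EXPECTED.
check() {
    got=$(toml_get "$1" "$2")
    [ "$got" = "$3" ] && return 0
    echo "WARN $2 = ${got:-<unset>} (expected $3): $4" >&2
    return 1
}

# audit_toml FILE: print the number of findings (0 means every expectation held).
audit_toml() {
    n=0
    check "$1" ignore_system_dns true "proxy may use the WAN/GUI DNS servers (the leak path in this thread)" || n=$((n + 1))
    check "$1" require_nolog true "resolvers that log queries are allowed (declarative flag in the resolver list)" || n=$((n + 1))
    check "$1" require_dnssec true "resolvers without DNSSEC support are allowed" || n=$((n + 1))
    check "$1" dnscrypt_ephemeral_keys true "a fixed client key lets a DNSCrypt server link your queries over time" || n=$((n + 1))
    check "$1" tls_disable_session_tickets true "session tickets let a DoH server link your connections (cost: some latency)" || n=$((n + 1))
    check "$1" cert_ignore_timestamp false "certificate validity dates are ignored; keep only while the router clock is unset at boot" || n=$((n + 1))
    echo "$n"
}

# write_sample FILE: constructed excerpt mirroring the settings posted above.
write_sample() {
    cat > "$1" <<'EOF'
cert_ignore_timestamp = true
listen_addresses = ['127.0.0.1:65053']
require_dnssec = false
require_nolog = false
# use_syslog = true
 dnscrypt_ephemeral_keys = true
 tls_disable_session_tickets = true
ignore_system_dns = true
EOF
}

# On the router: sh audit.sh /jffs/dnscrypt/dnscrypt-proxy.toml
if [ $# -gt 0 ]; then audit_toml "$1"; fi
```

Run it before `/jffs/dnscrypt/manager dnscrypt-start` so a file that passes `-check` but still honours the system DNS is caught before the proxy is restarted.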
 