What's new

DNScrypt dnscrypt installer for asuswrt

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

File format of the resolver list changed leading into some display issues as mentioned by @johnathonm , fixed it in dev and updated to 2.0.16. I have also started using dnscrypt-proxy new feature to drop to nobody as well as its own self healing ability instead of checking the process every 10s by my script. You guys can check it out by installing the dev version with:
Code:
curl -L -s -k -O https://raw.githubusercontent.com/thuantran/dnscrypt-asuswrt-installer/dev/installer && sh installer dev ; rm installer

If everything is ok I will merge it to master.


Just now installed. Appears to be working ok thus far.......
 
More then 24h on 2.0.16 dev working fine for me on rt-ac87u (384.6 first alpha)
 
Here is why it seems to not be working for me...

eb 13 19:00:50 dnscrypt-proxy[724]: Timeout while waiting for network connectivity
Feb 13 19:00:50 dnscrypt-proxy[724]: Source [public-resolvers.md] loaded
Feb 13 19:00:50 dnscrypt-proxy[724]: dnscrypt-proxy 2.0.16
Feb 13 19:00:50 dnscrypt-proxy[724]: Dropping privileges
Feb 13 19:00:50 dnscrypt-proxy[1160]: Network not available yet -- waiting...

Feb 13 19:01:00 dnscrypt-proxy[1160]: Network connectivity detected
Feb 13 19:01:00 dnscrypt-proxy[1160]: Source [public-resolvers.md] loaded
Feb 13 19:01:00 dnscrypt-proxy[1160]: dnscrypt-proxy 2.0.16
Feb 13 19:01:00 dnscrypt-proxy[1160]: Now listening to 127.0.0.1:65053 [UDP]
Feb 13 19:01:00 dnscrypt-proxy[1160]: Now listening to 127.0.0.1:65053 [TCP]
Feb 13 19:01:01 dnscrypt-proxy[1160]: Get https://dns.cloudflare.com/dns-quer..._padding=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: x509: certificate has expired or is not yet valid
Feb 13 19:01:01 dnscrypt-proxy[1160]: dnscrypt-proxy is waiting for at least one server to be reachable

What seems to be happening is that dnscrypt is unable to get a cloudflare certificate because the time doesn't get updated after I boot the router, because it can't access internet to update the time with dnscrypt.

Is there a workaround for this?

I did set the time in dnscrypt, but it doesn't seem to be do anything.
 
More likely an issue with your chosen resolvers.

I have merged the dev code to master branch, now you can install it normally to get 2.0.16.

I think you’re correct. I’m finding Cloudflare has issues with, or without dnscrypt.
A shame, as Cloudflare is the fastest public resolver for me. I have had to change to my second best, speed wise, Quad9.
Not accessible via dnscrypt though?
 
Here is why it seems to not be working for me...

eb 13 19:00:50 dnscrypt-proxy[724]: Timeout while waiting for network connectivity
Feb 13 19:00:50 dnscrypt-proxy[724]: Source [public-resolvers.md] loaded
Feb 13 19:00:50 dnscrypt-proxy[724]: dnscrypt-proxy 2.0.16
Feb 13 19:00:50 dnscrypt-proxy[724]: Dropping privileges
Feb 13 19:00:50 dnscrypt-proxy[1160]: Network not available yet -- waiting...

Feb 13 19:01:00 dnscrypt-proxy[1160]: Network connectivity detected
Feb 13 19:01:00 dnscrypt-proxy[1160]: Source [public-resolvers.md] loaded
Feb 13 19:01:00 dnscrypt-proxy[1160]: dnscrypt-proxy 2.0.16
Feb 13 19:01:00 dnscrypt-proxy[1160]: Now listening to 127.0.0.1:65053 [UDP]
Feb 13 19:01:00 dnscrypt-proxy[1160]: Now listening to 127.0.0.1:65053 [TCP]
Feb 13 19:01:01 dnscrypt-proxy[1160]: Get https://dns.cloudflare.com/dns-quer..._padding=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: x509: certificate has expired or is not yet valid
Feb 13 19:01:01 dnscrypt-proxy[1160]: dnscrypt-proxy is waiting for at least one server to be reachable

What seems to be happening is that dnscrypt is unable to get a cloudflare certificate because the time doesn't get updated after I boot the router, because it can't access internet to update the time with dnscrypt.

Is there a workaround for this?

I did set the time in dnscrypt, but it doesn't seem to be do anything.
You need to use an IP address for the NTP server instead of the domain name.
http://www.pool.ntp.org/zone/@
Pick your zone and then look up the ip for that domain.

Use PingInfoView to find best server
https://www.nirsoft.net/utils/multiple_ping_tool.html
Input all the ip addresses, ping them and use the one with lowest ping time.
 
Last edited:
@snakebite3 Thanks!

@bigeyes0x0 DNSCrypt v2 (DoH) does not work in version Asuswrt-Merlin v384.6

Please read this:
https://www.snbforums.com/threads/r...4-6-is-now-available.47941/page-7#post-420125

it works on my router.

Screenshot_1.jpg
 
I think @RMerlin or @bigeyes0x0 should add a note with big letters disable DNSSEC on the router if you are going to use DNSCrypt.
Are you sure it's not the "issue" he already mentioned in the log?
Code:
- CHANGED: Since dnsmasq 2.80, dnsmasq now ensures that unsigned
           DNS replies received with DNSSEC enabled are legitimate.
           If your upstream DNS doesn't support DNSSEC, this means
           all replies from signed zones will be considered
           invalid.  Make sure you only enable DNSSEC if your
           upstream DNS servers do support it.  This behaviour is
           a bit slower, but far more secure than the old default.
 
PS: I use unbound for encryption and DNSSEC for validation; this combination seems to work fine with 384.6 using Quad9 (9.9.9.9).
 
Last edited:
PS: I use unbound for encryption and DNSSEC for validation; this combination seems to work fine with 384.6 using Quad9 (9.9.9.9).

I was also under this impression.

I've seen many users that have both enabled.
 
Can you give me a brief explanation which is better and why?
I’m afraid I don’t know...

I switched to unbound when DNSCrypt (v1) seemed dead. When DNSCrypt v2 was introduced it did not support DNSSEC so I did not move back then. After that I never thought about it again...
 
Cloudflare DNS in the v384.6 or Newer and Recommendations

For people who use Cloudflare DNS in DNSCrypt or in the Router and also have DNSSEC enabled in the Router, from version 384.6 or Newer, this message will appear in log:
Code:
Jul 28 20:21:49 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:13 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:17 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:22 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?

If you reboot the router using Cloudflare DNS in DNSCrypt and also have DNSSEC enabled, in Network Map -> Internet status shows Disconnected or the internet not work. That happens because:
Makes me suspect that Cloudflare is the one that's broken, might be possibly due to their lack of proper support for EDNS.
In the version 384.6 Beta 1 Dnsmasq DNSSEC validation is stricter than previous versions, so broken upstream servers might no longer work as before.

I recommend that you stop using Cloudflare DNS on the router and on DNSCrypt for now (maybe in the future they fix it), this DNS server does not have full support with DNSSEC.

I also recommend this:

01. LAN -> DHCP Server:
  • Enable DNSSEC support: Yes
  • Enable DNS Rebind protection: Yes
  • After Enable both, you have to Apply.

02. WAN:
  • Connect to DNS Server automatically: No
  • DNS Server1: 84.200.69.80 or 8.8.8.8 or 9.9.9.9
  • DNS Server2: 84.200.70.40 or 8.8.4.4 or 149.112.112.112
  • Use any of these DNS servers (DNS.WATCH or Google or Quad9), because they have full support with DNSSEC, to install DNSCrypt without problems.

03. Administration -> System:

04. In DNSCrypt v2 these are the only DNS servers that support DoH and five of them (aaflalo-me, cloudflare, gridns-sg and doh-cleanbrowsing) do not have full support with DNSSEC for now.
I recommend using another DNS server than these five:
ITyjzIm.png

(I tested the DNS servers one by one with DNSSEC enabled and works without problems) (2018/07/31)


05. When you install DNSCrypt and Manually choose the DNS servers that no log, after will ask you for a DNS server for initializing dnscrypt-proxy and router services, use any of these DNS servers:
. 84.200.69.80 or 8.8.8.8 or 9.9.9.9
kZgeNhG.png

(because they have full support with DNSSEC) [Do not use 1.1.1.1]


06. Set timezone in DNSCrypt, after you have finished selecting the DNS server:
7X0c393.png



Thanks to @RMerlin @snakebite3 @pattiri and @XIII
 
Last edited:
Mines set to auto with dnssec selected and I still have a log full of Insecure DS reply received, do upstream DNS servers support DNSSEC?
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top