What's new

DNScrypt dnscrypt installer for asuswrt

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I added my vpn providers 2 dns servers that support dnscrypt v2 to the dnscrypt-proxy.toml (ovpn.com)
A couple of days ago i also added 1.1.1.1 for testing DoH but get:Using DNS over HTTPS (DoH) NO
Rechecked settings but could not see anything wierd
So removed it again..
 
Last edited:
Last edited:
This debug doesn't work for me.
DNSleaktest shows no leaks
Config I'm sure is like described
Cannot figure this out
Resolved: I turned off dnssec and rebind protection. The test works!
 
Sorry if this has been answered before but is there a way to test if this is all working?
 
Test: DNS server, DNSSEC and WebRTC

01. DNSSEC validation by dnsmasq Test: (need the firmware v384.6 or Newer for test)

LAN -> DHCP Server:
  1. Enable DNSSEC support: Yes
  2. Enable DNS Rebind protection: Yes
  3. After Enable both, you have to Apply.
This message does not have to appear in the System Log, after doing the test or when surfing the Web:
Code:
Jul 28 20:21:49 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:13 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:17 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:22 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
(and if this message appears or in Network Map -> Internet status shows Disconnected or the internet not work, it means that your DNS server does not have full suppport with DNSSEC)


02. DNS Spoofability and DNS Entrophy Test:

03. DNS Leak Test:

04. DNSSEC Test:

05. WebRTC Leak Test:
 
Last edited:
DNS Leak and Spoofability Test:

DNSSEC
Test:

DNSSEC validation: (v384.6 or Newer)
  • Check in the System Log -> General Log that this message does not appear:
Code:
Jul 28 20:21:49 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:13 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:17 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:22 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?


DNSCrypt encrypted Test:
  • Only the ISP knows the answer

I think cloudflare is being unfairly targetted !!!

I am using RMerlin V384.6 (have previously used V384.5 & V384.6 Beta 1).
I have DNSSEC validation on and use cloudflare and it has/does work fine. !!!???

I have run the 'DNSSEC Tests' as above and they validate OK.
I have IPv6 disabled as I do not need it and my ISP does not officially support it (although it does work).

dnssec-cloudflare-1.png


dnssec-cloudflare-2.png
 
@Twiglets Look at my previous post, I updated it.

01. DNSSEC validation by dnsmasq Test: (need the firmware v384.6 or Newer for test)

LAN -> DHCP Server:
  1. Enable DNSSEC support: Yes
  2. Enable DNS Rebind protection: Yes
  3. After Enable both, you have to Apply.
This message does not have to appear in the System Log, after doing the test or when surfing the Web:
Code:
Jul 28 20:21:49 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:13 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:17 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:22 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
(and if this message appears or in Network Map -> Internet status shows Disconnected or the internet not work, it means that your DNS server does not have full suppport with DNSSEC)
 
Last edited:
This is an excellent guide you created.

I'm been considering using this for awhile now so I may take the leap later.

I use Google as my dns provider and dnssec is already enabled.
 
For people who use Cloudflare DNS in DNSCrypt or in the Router and also have DNSSEC enabled in the Router, from version 384.6 or Newer, this message will appear in log:
Code:
Jul 28 20:21:49 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:13 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:17 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:22 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?

If you restart the router using Cloudflare DNS in DNSCrypt and also have DNSSEC enabled, the internet does not work. That happens because:


I recommend that you stop using Cloudflare DNS on the router and on DNSCrypt for now (maybe in the future they fix it), this DNS server does not have full support with DNSSEC.

I also recommend this:

01. LAN -> DHCP Server:
  • Enable DNSSEC support: Yes
  • Enable DNS Rebind protection: Yes

02. WAN:
  • Connect to DNS Server automatically: No
  • DNS Server1: 8.8.8.8 (because this DNS server has full support with DNSSEC)
  • DNS Server2: 8.8.4.4 (because this DNS server has full support with DNSSEC)

03. Administration -> System:
  • Use an IP address for the NTP server instead of the domain name as @snakebite3 recommends and teaches, Example:
    VlUwftR.png

04. In DNSCrypt v2 these are the only DNS servers that support DoH and two of them (aaflalo-me and cloudflare) do not have full support with DNSSEC for now, I recommend using another DNS server than these two. (I tested one by one with DNSSEC enabled, the DNS servers that had less than 200 ping and works without problems)
cByndo3.png



05. When you install DNSCrypt and select a DNS server Manually, after will ask you for a DNS server for initializing dnscrypt-proxy and router services, use: 8.8.8.8 (Full support with DNSSEC) [Do not use 1.1.1.1]
Gx3LvXw.png



06. Set timezone in DNSCrypt, after you have finished selecting the DNS server:
7X0c393.png



Thanks to @RMerlin @snakebite3 @pattiri and @XIII
This is totally awesome!
 
Is anyone in contact with Cloudflare to help fix this? They claim to support DNSSEC so I would think they would have interest in ironing this out.

Has anyone tried without DNScrypt in the middle to isolate the issue?

I’d investigate, but can only reach CF via IPv6 which introduces a whole host of caveats to troubleshooting.
 
Is anyone in contact with Cloudflare to help fix this? They claim to support DNSSEC so I would think they would have interest in ironing this out.

Has anyone tried without DNScrypt in the middle to isolate the issue?

I’d investigate, but can only reach CF via IPv6 which introduces a whole host of caveats to troubleshooting.
There is NO problem with cloudflare !!! :)
 
There is NO problem with cloudflare !!! :)

With DNSSEC & DNS rebind protection both turned on, I had random problems with only some sites being unreachable. Not many, just some.
Both with, & without dnscrypt.

Removed dnscrypt, replaced Cloudflare with Quad9 & all is fixed. (DNSSEC & dns rebind protection still turned on).
 
For people who use Cloudflare DNS in DNSCrypt or in the Router and also have DNSSEC enabled in the Router, from version 384.6 or Newer, this message will appear in log:
Code:
Jul 28 20:21:49 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:13 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:17 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:22 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?

If you restart the router using Cloudflare DNS in DNSCrypt and also have DNSSEC enabled, the internet does not work. That happens because:


I recommend that you stop using Cloudflare DNS on the router and on DNSCrypt for now (maybe in the future they fix it), this DNS server does not have full support with DNSSEC.

I also recommend this:

01. LAN -> DHCP Server:
  • Enable DNSSEC support: Yes
  • Enable DNS Rebind protection: Yes

02. WAN:
  • Connect to DNS Server automatically: No
  • DNS Server1: 8.8.8.8 (because this DNS server has full support with DNSSEC)
  • DNS Server2: 8.8.4.4 (because this DNS server has full support with DNSSEC)

03. Administration -> System:
  • Use an IP address for the NTP server instead of the domain name as @snakebite3 recommends and teaches, Example:
    VlUwftR.png

04. In DNSCrypt v2 these are the only DNS servers that support DoH and two of them (aaflalo-me and cloudflare) do not have full support with DNSSEC for now, I recommend using another DNS server than these two. (I tested one by one with DNSSEC enabled, the DNS servers that had less than 200 ping and works without problems)
cByndo3.png



05. When you install DNSCrypt and select a DNS server Manually, after will ask you for a DNS server for initializing dnscrypt-proxy and router services, use: 8.8.8.8 (Full support with DNSSEC) [Do not use 1.1.1.1]
Gx3LvXw.png



06. Set timezone in DNSCrypt, after you have finished selecting the DNS server:
7X0c393.png



Thanks to @RMerlin @snakebite3 @pattiri and @XIII
Any recommended NON LOGGING DNS servers other than Google?
 
With DNSSEC & DNS rebind protection both turned on, I had random problems with only some sites being unreachable. Not many, just some.
Both with, & without dnscrypt.

Removed dnscrypt, replaced Cloudflare with Quad9 & all is fixed. (DNSSEC & dns rebind protection still turned on).
There is not a reproducible problem with cloudflare that *everyone* can replicate AFAIK.

I am simply countering the 'cloudflare is broken ..... do not touch' message, of late, which is unfair as not everyone is having a problem.
I would suggest 1st try it (cloudflare) and see if there is a problem for you !!!

I am sure I am not the only one who is not having any issues using cloudflare.

I just feel it is a bit quick to tell everyone to avoid cloudflare when it might be a local problem or something else all together.
(Note: You are in Australia and I am in the UK, so different points of access to cloudflare and most other DNS providers, so not dealing with like for like.)
 
There is not a reproducible problem with cloudflare that *everyone* can replicate AFAIK.

I am simply countering the 'cloudflare is broken ..... do not touch' message, of late, which is unfair as not everyone is having a problem.
I would suggest 1st try it (cloudflare) and see if there is a problem for you !!!

I am sure I am not the only one who is not having any issues using cloudflare.

I just feel it is a bit quick to tell everyone to avoid cloudflare when it might be a local problem or something else all together.
(Note: You are in Australia and I am in the UK, so different points of access to cloudflare and most other DNS providers, so not dealing with like for like.)


I agree.

I would rather use Cloudflare, where I am it is the fastest public DNS, but due to the issues I had, I have to use the somewhat slower Quad9.

Quad9 working perfectly!

Seems I can’t have Quad9 & dnscrypt together though? Pity.....
 
You do realise that now I have defended cloudflare ......... it should burst into flames any second now :) ;)
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top