Menu
What's new
By:
Filters Better Search

DNScrypt dnscrypt installer for asuswrt

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I added my vpn providers 2 dns servers that support dnscrypt v2 to the dnscrypt-proxy.toml (ovpn.com)
A couple of days ago i also added 1.1.1.1 for testing DoH but get:Using DNS over HTTPS (DoH) NO
Rechecked settings but could not see anything wierd
So removed it again..
 
Last edited:
Last edited:
skeal said:
This debug doesn't work for me.
DNSleaktest shows no leaks
Config I'm sure is like described
Cannot figure this out
Click to expand...
Resolved: I turned off dnssec and rebind protection. The test works!
 
Sorry if this has been answered before but is there a way to test if this is all working?
 
Test: DNS server, DNSSEC and WebRTC

01. DNSSEC validation by dnsmasq Test: (need the firmware v384.6 or Newer for test)

LAN -> DHCP Server:
  1. Enable DNSSEC support: Yes
  2. Enable DNS Rebind protection: Yes
  3. After Enable both, you have to Apply.
This message does not have to appear in the System Log, after doing the test or when surfing the Web:
Code: 
Jul 28 20:21:49 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:13 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:17 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:22 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
(and if this message appears or in Network Map -> Internet status shows Disconnected or the internet not work, it means that your DNS server does not have full suppport with DNSSEC)


02. DNS Spoofability and DNS Entrophy Test:

03. DNS Leak Test:

04. DNSSEC Test:

05. WebRTC Leak Test:
 
Last edited:
HowIFix said:
DNS Leak and Spoofability Test:

DNSSEC Test:

DNSSEC validation: (v384.6 or Newer)
  • Check in the System Log -> General Log that this message does not appear:
Code: 
Jul 28 20:21:49 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:13 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:17 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:22 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?


DNSCrypt encrypted Test:
  • Only the ISP knows the answer
Click to expand...

I think cloudflare is being unfairly targetted !!!

I am using RMerlin V384.6 (have previously used V384.5 & V384.6 Beta 1).
I have DNSSEC validation on and use cloudflare and it has/does work fine. !!!???

I have run the 'DNSSEC Tests' as above and they validate OK.
I have IPv6 disabled as I do not need it and my ISP does not officially support it (although it does work).

dnssec-cloudflare-1.png


dnssec-cloudflare-2.png
 
@Twiglets Look at my previous post, I updated it.

HowIFix said:
01. DNSSEC validation by dnsmasq Test: (need the firmware v384.6 or Newer for test)

LAN -> DHCP Server:
  1. Enable DNSSEC support: Yes
  2. Enable DNS Rebind protection: Yes
  3. After Enable both, you have to Apply.
This message does not have to appear in the System Log, after doing the test or when surfing the Web:
Code: 
Jul 28 20:21:49 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:13 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:17 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:22 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
(and if this message appears or in Network Map -> Internet status shows Disconnected or the internet not work, it means that your DNS server does not have full suppport with DNSSEC)
Click to expand...
 
Last edited:
This is an excellent guide you created.

I'm been considering using this for awhile now so I may take the leap later.

I use Google as my dns provider and dnssec is already enabled.
 
HowIFix said:
For people who use Cloudflare DNS in DNSCrypt or in the Router and also have DNSSEC enabled in the Router, from version 384.6 or Newer, this message will appear in log:
Code: 
Jul 28 20:21:49 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:13 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:17 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:22 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?

If you restart the router using Cloudflare DNS in DNSCrypt and also have DNSSEC enabled, the internet does not work. That happens because:


I recommend that you stop using Cloudflare DNS on the router and on DNSCrypt for now (maybe in the future they fix it), this DNS server does not have full support with DNSSEC.

I also recommend this:

01. LAN -> DHCP Server:
  • Enable DNSSEC support: Yes
  • Enable DNS Rebind protection: Yes

02. WAN:
  • Connect to DNS Server automatically: No
  • DNS Server1: 8.8.8.8 (because this DNS server has full support with DNSSEC)
  • DNS Server2: 8.8.4.4 (because this DNS server has full support with DNSSEC)

03. Administration -> System:
  • Use an IP address for the NTP server instead of the domain name as @snakebite3 recommends and teaches, Example:
    VlUwftR.png

04. In DNSCrypt v2 these are the only DNS servers that support DoH and two of them (aaflalo-me and cloudflare) do not have full support with DNSSEC for now, I recommend using another DNS server than these two. (I tested one by one with DNSSEC enabled, the DNS servers that had less than 200 ping and works without problems)
cByndo3.png



05. When you install DNSCrypt and select a DNS server Manually, after will ask you for a DNS server for initializing dnscrypt-proxy and router services, use: 8.8.8.8 (Full support with DNSSEC) [Do not use 1.1.1.1]
Gx3LvXw.png



06. Set timezone in DNSCrypt, after you have finished selecting the DNS server:
7X0c393.png



Thanks to @RMerlin @snakebite3 @pattiri and @XIII
Click to expand...
This is totally awesome!
 
Is anyone in contact with Cloudflare to help fix this? They claim to support DNSSEC so I would think they would have interest in ironing this out.

Has anyone tried without DNScrypt in the middle to isolate the issue?

I’d investigate, but can only reach CF via IPv6 which introduces a whole host of caveats to troubleshooting.
 
owine said:
Is anyone in contact with Cloudflare to help fix this? They claim to support DNSSEC so I would think they would have interest in ironing this out.

Has anyone tried without DNScrypt in the middle to isolate the issue?

I’d investigate, but can only reach CF via IPv6 which introduces a whole host of caveats to troubleshooting.
Click to expand...
There is NO problem with cloudflare !!! :)
 
Twiglets said:
There is NO problem with cloudflare !!! :)
Click to expand...

With DNSSEC & DNS rebind protection both turned on, I had random problems with only some sites being unreachable. Not many, just some.
Both with, & without dnscrypt.

Removed dnscrypt, replaced Cloudflare with Quad9 & all is fixed. (DNSSEC & dns rebind protection still turned on).
 
HowIFix said:
For people who use Cloudflare DNS in DNSCrypt or in the Router and also have DNSSEC enabled in the Router, from version 384.6 or Newer, this message will appear in log:
Code: 
Jul 28 20:21:49 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:13 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:17 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:22 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?

If you restart the router using Cloudflare DNS in DNSCrypt and also have DNSSEC enabled, the internet does not work. That happens because:


I recommend that you stop using Cloudflare DNS on the router and on DNSCrypt for now (maybe in the future they fix it), this DNS server does not have full support with DNSSEC.

I also recommend this:

01. LAN -> DHCP Server:
  • Enable DNSSEC support: Yes
  • Enable DNS Rebind protection: Yes

02. WAN:
  • Connect to DNS Server automatically: No
  • DNS Server1: 8.8.8.8 (because this DNS server has full support with DNSSEC)
  • DNS Server2: 8.8.4.4 (because this DNS server has full support with DNSSEC)

03. Administration -> System:
  • Use an IP address for the NTP server instead of the domain name as @snakebite3 recommends and teaches, Example:
    VlUwftR.png

04. In DNSCrypt v2 these are the only DNS servers that support DoH and two of them (aaflalo-me and cloudflare) do not have full support with DNSSEC for now, I recommend using another DNS server than these two. (I tested one by one with DNSSEC enabled, the DNS servers that had less than 200 ping and works without problems)
cByndo3.png



05. When you install DNSCrypt and select a DNS server Manually, after will ask you for a DNS server for initializing dnscrypt-proxy and router services, use: 8.8.8.8 (Full support with DNSSEC) [Do not use 1.1.1.1]
Gx3LvXw.png



06. Set timezone in DNSCrypt, after you have finished selecting the DNS server:
7X0c393.png



Thanks to @RMerlin @snakebite3 @pattiri and @XIII
Click to expand...
Any recommended NON LOGGING DNS servers other than Google?
 
Treadler said:
With DNSSEC & DNS rebind protection both turned on, I had random problems with only some sites being unreachable. Not many, just some.
Both with, & without dnscrypt.

Removed dnscrypt, replaced Cloudflare with Quad9 & all is fixed. (DNSSEC & dns rebind protection still turned on).
Click to expand...
There is not a reproducible problem with cloudflare that *everyone* can replicate AFAIK.

I am simply countering the 'cloudflare is broken ..... do not touch' message, of late, which is unfair as not everyone is having a problem.
I would suggest 1st try it (cloudflare) and see if there is a problem for you !!!

I am sure I am not the only one who is not having any issues using cloudflare.

I just feel it is a bit quick to tell everyone to avoid cloudflare when it might be a local problem or something else all together.
(Note: You are in Australia and I am in the UK, so different points of access to cloudflare and most other DNS providers, so not dealing with like for like.)
 
Twiglets said:
There is not a reproducible problem with cloudflare that *everyone* can replicate AFAIK.

I am simply countering the 'cloudflare is broken ..... do not touch' message, of late, which is unfair as not everyone is having a problem.
I would suggest 1st try it (cloudflare) and see if there is a problem for you !!!

I am sure I am not the only one who is not having any issues using cloudflare.

I just feel it is a bit quick to tell everyone to avoid cloudflare when it might be a local problem or something else all together.
(Note: You are in Australia and I am in the UK, so different points of access to cloudflare and most other DNS providers, so not dealing with like for like.)
Click to expand...


I agree.

I would rather use Cloudflare, where I am it is the fastest public DNS, but due to the issues I had, I have to use the somewhat slower Quad9.

Quad9 working perfectly!

Seems I can’t have Quad9 & dnscrypt together though? Pity.....
 
You do realise that now I have defended cloudflare ......... it should burst into flames any second now :) ;)
 
You must log in or register to reply here.

Similar threads

SomeWhereOverTheRainBow
DNScrypt Dnscrypt Proxy Installer For Asuswrt-Merlin late 2023 Releases
Replies
8
Views
2K
zer0bitz
zer0bitz
CntrlAltDel
DNScrypt DNSCrypt Error During Setup
Replies
1
Views
2K
Zastoff
Zastoff
Viktor Jaep
TAILMON TAILMON v1.0.20 -July 27, 2024- WireGuard-based Tailscale Installer, Configurator and Monitor (Now available in AMTM!)
26 27 28
Replies
556
Views
60K
XIII
XIII
W
Is one of my add-ons stopping my WAN connection
Replies
3
Views
1K
ColinTaylor
C
thelonelycoder
amtm amtm 4.9.3 - the Asuswrt-Merlin Terminal Menu, November 03, 2024
2 3
Replies
56
Views
6K
Earendil
Earendil
Similar threads
Thread starter Title Forum Replies Date
U Odd error installing dnscrypt 2.1.5 Asuswrt-Merlin AddOns 0
Viktor Jaep TAILMON TAILMON v1.0.20 -July 27, 2024- WireGuard-based Tailscale Installer, Configurator and Monitor (Now available in AMTM!) Asuswrt-Merlin AddOns 556
thelonelycoder amtm amtm 4.9.3 - the Asuswrt-Merlin Terminal Menu, November 03, 2024 Asuswrt-Merlin AddOns 56
J Entware Possible to install jdownloader on asuswrt-merlin router with entware?? Asuswrt-Merlin AddOns 9
W Skynet SOLVED: Scrollbar Disappears on Skynet Tab on Asuswrt-Merlin 386.14 Asuswrt-Merlin AddOns 10
thelonelycoder scMerlin scMerlin 2.5.8 - Service and script control menu for Asuswrt-Merlin, October 20, 2024 Asuswrt-Merlin AddOns 85
JGrana uKasa uKasa - A utility script that manages Kasa smart outlets and switches with Asuswrt-Merlin routers Asuswrt-Merlin AddOns 29
JGrana Updated Hue Utility - huetil Control and manage your Hue system from Asuswrt-Merlin or Raspbian Asuswrt-Merlin AddOns 1
8 ASUS RT-AX58U (F/W Ver.:V3.0.0.4.384.8601) with Asuswrt-Merlin 3004.388.5 - Transmission: "Could not connect to the server. You may need to reload" Asuswrt-Merlin AddOns 2

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 557 (members: 12, guests: 545)
Top