dnscrypt installer for asuswrt


With DNSSEC & DNS rebind protection both turned on, I had random problems with only some sites being unreachable. Not many, just some.
Both with, & without dnscrypt.

Removed dnscrypt, replaced Cloudflare with Quad9 & all is fixed. (DNSSEC & dns rebind protection still turned on).
I recommend you read this:

Post about CloudFlare DNS and How to test your DNS server:

Any recommended NON LOGGING DNS servers other than Google?

Only Google and Quad9 log; you can use any other DNS server if you want, as they do not log:
(aaflalo-me, cloudflare, gridns-sg and doh-cleanbrowsing do not have full support with DNSSEC for now)


Can someone say why I get this debug information displayed? (Cloudflare Germany)
The DNSSEC tests all work on the mentioned test websites.
Code:
Jul 30 11:16:16 dnscrypt-proxy[205]: Network connectivity detected
Jul 30 11:16:16 dnscrypt-proxy[205]: Source [public-resolvers.md] loaded
Jul 30 11:16:16 dnscrypt-proxy[205]: dnscrypt-proxy 2.0.16
Jul 30 11:16:16 dnscrypt-proxy[205]: Dropping privileges
Jul 30 11:16:16 dnscrypt-proxy[894]: Source [public-resolvers.md] loaded
Jul 30 11:16:16 dnscrypt-proxy[894]: dnscrypt-proxy 2.0.16
Jul 30 11:16:17 dnscrypt-proxy[894]: Now listening to 127.0.0.1:65053 [UDP]
Jul 30 11:16:17 dnscrypt-proxy[894]: Now listening to 127.0.0.1:65053 [TCP]
Jul 30 11:16:20 dnscrypt-proxy[894]: [cloudflare] OK (DoH) - rtt: 37ms
Jul 30 11:16:20 dnscrypt-proxy[894]: [cloudflare-ipv6] OK (DoH) - rtt: 39ms
Jul 30 11:16:20 dnscrypt-proxy[894]: Server with the lowest initial latency: cloudflare (rtt: 37ms)
Jul 30 11:16:20 dnscrypt-proxy[894]: dnscrypt-proxy is ready - live servers: 2


:)
 


I don’t believe that Cloudflare page is accurate. For me (in the 2nd box) it says I’m still using Cloudflare IPv4 resolvers (I’m using Quad9 for IPv4 & IPv6).


Debug Information
Connected to 1.1.1.1: No
Using DNS over HTTPS (DoH): No
Using DNS over TLS (DoT): No
AS Name: WoodyNet
AS Number: 42
Cloudflare Data Center: MEL
Connectivity to Resolver IP Addresses:
1.1.1.1: Yes
1.0.0.1: Yes
2606:4700:4700::1111: No
2606:4700:4700::1001: No



Try going here (GRC), let it run, I think this is more to be relied on?

https://www.grc.com/dns/dns.htm

Dunno, I’m confused. ;-)
@eclp @Treadler

Disable DNSSEC in the router (LAN -> DHCP Server) and test again:

The same page that is used to test CloudFlare DNS (this) shows that it does not have full support for DNSSEC: you have to disable DNSSEC in the router to make it work, and if you enable DNSSEC, many web pages do not work when you browse and this message will appear in the log (from v384.6 or newer):
Code:
Jul 28 20:21:49 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?


Look at my previous post, there is 1 link about CloudFlare DNS:
https://www.snbforums.com/threads/release-dnscrypt-installer-for-asuswrt.36071/page-55#post-420537
@HowIFix … thanks!

This works only as long as DNSSEC remains disabled in the router. As soon as I activate DNSSEC again, the debug information will be NO again.

:confused:
Code:
Jul 28 20:21:49 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?

I never had that message in my syslog.
I never had that message in my syslog.
This message only appears if you are using CloudFlare DNS with firmware v384.6 or newer, because DNSSEC validation by dnsmasq is now strict, or dnsmasq is broken.
Code:
   - CHANGED: Updated dnsmasq to 2.80test2-17-g51e4eee (themiron)
   - CHANGED: Since dnsmasq 2.80, dnsmasq now ensures that unsigned
              DNS replies received with DNSSEC enabled are legitimate.
              If your upstream DNS doesn't support DNSSEC, this means
              all replies from signed zones will be considered
              invalid.  Make sure you only enable DNSSEC if your
              upstream DNS servers do support it.  This behaviour is
              a bit slower, but far more secure than the old default.
The reason this page does not work is because it is intended for a simpler purpose than has been assumed.

It is simply looking for your DNS to be set to 1.1.1.1 !!!

If I change the DNS settings on Windows 7 (SP1) to 1.1.1.1, the 1st line of the 'Debug Information' box changes to 'Yes' !!!
[This means that dnsmasq & dnscrypt-proxy are completely missed out and the DNS query goes directly to 1.1.1.1. This is not what we want.]

This page is set up to test the settings as per Cloudflare's installation instructions (see https://1.1.1.1/ ), which does not mirror the setup we have on our routers.
Our routers have dnsmasq on port 53 (default unless changed) redirecting DNS queries via dnscrypt-proxy on port 65053 (default unless changed).
The DNS server address we use is the address of our router, NOT 1.1.1.1 !!!

This page failing proves little in relation to the setup on our routers.

I can enable all the logs in the dnscrypt-proxy .toml file and 'prove' DoH is working when this page 'fails'.
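A way to check the chain described above directly instead of through Cloudflare's page, as an added example that is not from the thread or the installer: it sends a query carrying the EDNS0 DO bit to a chosen listener and reads the RCODE and AD bit from the reply. The listener addresses (dnsmasq on 127.0.0.1:53, dnscrypt-proxy on 127.0.0.1:65053) are the installer defaults quoted in the thread and are assumed here, as is the test name example.com.

```python
import socket
import struct

# Listeners from the thread's router setup (installer defaults, assumed here):
# dnsmasq on port 53 and dnscrypt-proxy on 127.0.0.1:65053. Run this on the router.
DNSMASQ = ("127.0.0.1", 53)
DNSCRYPT_PROXY = ("127.0.0.1", 65053)
TXN_ID = 0x1234  # fixed transaction id, fine for a one-off diagnostic

def build_query(name, qtype=1):
    """DNS query (RD=1, one question) plus an EDNS0 OPT record with the DO bit set."""
    header = struct.pack("!HHHHHH", TXN_ID, 0x0100, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # qtype A by default, class IN
    # OPT RR: root name, TYPE 41, UDP payload 4096, ext-RCODE 0, version 0,
    # flags 0x8000 = DO ("DNSSEC OK": please include RRSIG/DS data), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(reply):
    """Return (rcode, ad_bit, txn_id) from the header of a DNS reply."""
    txn_id, flags = struct.unpack("!HH", reply[:4])
    return flags & 0x000F, bool(flags & 0x0020), txn_id  # AD is bit 5 of the flags word

def verdict(rcode, ad):
    """Map header flags to the outcomes discussed in the thread."""
    if rcode == 2:  # dnsmasq 2.80+ answers SERVFAIL for signed zones when the upstream lacks DNSSEC
        return "SERVFAIL: validation failed (does the upstream return DNSSEC data?)"
    if rcode == 0 and ad:
        return "validated (AD set)"
    if rcode == 0:
        return "answered but not validated (AD clear)"
    return "rcode %d" % rcode

def check(name, server=DNSCRYPT_PROXY, timeout=3.0):
    """Send one DO-bit query over UDP and classify the reply (needs the listener running)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), server)
        reply, _ = sock.recvfrom(4096)
    rcode, ad, txn_id = parse_flags(reply)
    if txn_id != TXN_ID:
        raise ValueError("reply transaction id does not match the query")
    return verdict(rcode, ad)

if __name__ == "__main__":
    # Query a signed zone at both hops: AD from :65053 reflects the upstream resolver's
    # validation (dnscrypt-proxy only forwards); AD from :53 reflects dnsmasq's own validation.
    for label, server in (("dnscrypt-proxy", DNSCRYPT_PROXY), ("dnsmasq", DNSMASQ)):
        print(label, check("example.com", server))
```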

Well done! That makes sense.
Thank you.
It is simply looking for your DNS to be set to 1.1.1.1 !!!

If I change the DNS settings on Windows 7 (SP1) to 1.1.1.1, the 1st line of the 'Debug Information' box changes to 'Yes' !!!

In my case, my PC's DNS address is set to my router's IP address, my router uses 1.1.1.1 as DNS server, and the Debug Information says "Yes".
Cloudflare DNS in v384.6 or newer, and recommendations

For people who use Cloudflare DNS in DNSCrypt or in the router and also have DNSSEC enabled in the router, from version 384.6 or newer, this message will appear in the log:
Code:
Jul 28 20:21:49 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:13 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:17 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:22 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?

If you reboot the router using Cloudflare DNS in DNSCrypt and also have DNSSEC enabled, Network Map -> Internet status shows Disconnected or the internet does not work. That happens because:


I recommend that you stop using Cloudflare DNS on the router and in DNSCrypt for now (maybe they will fix it in the future); this DNS server does not have full support for DNSSEC.

I also recommend this:

01. LAN -> DHCP Server:
  • Enable DNSSEC support: Yes
  • Enable DNS Rebind protection: Yes
  • After enabling both, you have to Apply.

02. WAN:
  • Connect to DNS Server automatically: No
  • DNS Server1: 84.200.69.80 or 8.8.8.8 or 9.9.9.9
  • DNS Server2: 84.200.70.40 or 8.8.4.4 or 149.112.112.112
  • Use any of these DNS servers, because they have full support for DNSSEC, to install DNSCrypt without problems.

03. Administration -> System:
  • Use an IP address for the NTP server instead of the domain name, as @snakebite3 recommends and teaches.

04. In DNSCrypt v2 these are the only DNS servers that support DoH, and five of them (aaflalo-me, cloudflare, gridns-sg and doh-cleanbrowsing) do not have full support for DNSSEC for now.
I recommend using another DNS server than these five.

(I tested the DNS servers one by one with DNSSEC enabled and they work without problems) (2018/07/31)


05. When you install DNSCrypt and manually choose the DNS servers that do not log, afterwards it will ask you for a DNS server for initializing dnscrypt-proxy and router services; use any of these DNS servers:
  • 84.200.69.80 or 8.8.8.8 or 9.9.9.9

(because they have full support for DNSSEC) [Do not use 1.1.1.1]

06. Set the timezone in DNSCrypt after you have finished selecting the DNS server.



Thanks to @RMerlin @snakebite3 @pattiri and @XIII
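A small triage script for the symptoms described in this post and in the earlier explanation of the dnsmasq 2.80 change, added here as an example that is not part of the thread or the installer: it reads router syslog lines, extracts the dnscrypt-proxy listener and upstream status, and counts the dnsmasq "Insecure DS reply" warnings. The log excerpt is constructed from the messages quoted in the thread; the flagged-upstream list is the one this post gives, with cloudflare-ipv6 added on the assumption that it behaves like cloudflare.

```python
import re

# Constructed syslog excerpt modelled on the messages quoted in this thread
# (dnscrypt-proxy 2.0.16 start-up lines followed by the dnsmasq DNSSEC warning).
SAMPLE_LOG = """\
Jul 30 11:16:17 dnscrypt-proxy[894]: Now listening to 127.0.0.1:65053 [UDP]
Jul 30 11:16:20 dnscrypt-proxy[894]: [cloudflare] OK (DoH) - rtt: 37ms
Jul 30 11:16:20 dnscrypt-proxy[894]: [cloudflare-ipv6] OK (DoH) - rtt: 39ms
Jul 30 11:16:20 dnscrypt-proxy[894]: dnscrypt-proxy is ready - live servers: 2
Jul 30 11:17:49 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 30 11:18:13 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
"""

# Upstreams the thread reports as lacking full DNSSEC support (as of 2018/07/31);
# cloudflare-ipv6 is an assumption, added because it is served by the same resolver.
NO_FULL_DNSSEC = {"aaflalo-me", "cloudflare", "cloudflare-ipv6", "gridns-sg", "doh-cleanbrowsing"}

SERVER_RE = re.compile(r"dnscrypt-proxy\[\d+\]: \[([\w-]+)\] OK \((\w+)\) - rtt: (\d+)ms")
READY_RE = re.compile(r"dnscrypt-proxy is ready - live servers: (\d+)")
LISTEN_RE = re.compile(r"Now listening to (\S+) \[(?:UDP|TCP)\]")
INSECURE_DS = "Insecure DS reply received"

def triage(log_text):
    """Summarise dnscrypt-proxy/dnsmasq state from syslog lines and flag the thread's failure mode."""
    servers, listeners, insecure_ds, live = {}, set(), 0, None
    for line in log_text.splitlines():
        if m := SERVER_RE.search(line):
            servers[m.group(1)] = (m.group(2), int(m.group(3)))  # name -> (protocol, rtt ms)
        elif m := READY_RE.search(line):
            live = int(m.group(1))
        elif m := LISTEN_RE.search(line):
            listeners.add(m.group(1))
        elif "dnsmasq[" in line and INSECURE_DS in line:
            insecure_ds += 1
    findings = []
    if live == 0:
        findings.append("dnscrypt-proxy started with no live upstream servers")
    flagged = sorted(servers.keys() & NO_FULL_DNSSEC)
    if flagged:
        findings.append("upstream(s) without full DNSSEC support per the thread: " + ", ".join(flagged))
    if insecure_ds:
        findings.append("dnsmasq logged %d 'Insecure DS reply' warnings: router DNSSEC is on but the "
                        "upstream is not returning DNSSEC data; choose a DNSSEC-capable upstream or "
                        "disable DNSSEC (or strict enforcement) as the thread advises" % insecure_ds)
    return {"servers": servers, "listeners": sorted(listeners), "live": live,
            "insecure_ds": insecure_ds, "findings": findings}

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print("-", finding)
```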


Is Quad9 supported by dnscrypt?
I didn’t think it was, I didn’t see it in the list of available servers?
Or, should I put my glasses on & look again!?
@Treadler Read this please:
I only use these DNS servers (DNS.WATCH or Google or Quad9) in the router because they have full support for DNSSEC, to install DNSCrypt without problems, because I have DNSSEC enabled in the router (LAN -> DHCP Server), and then in DNSCrypt I manually choose the DNS servers that do not log.

And if you want to use Quad9 DNS to encrypt your DNS queries, it's as if you were using Google DNS, because both DNS servers log.
Quad9 only has support for DoT and this protocol is not supported by DNSCrypt, Google only has support for DoH and this protocol is better than DoT.
All your DNS queries are now encrypted so your ISP can't collect that data on you (DoT). And with DNSSEC its checking to make sure your DNS responses are coming from where you sent the query...no spoofing redirects allowed.
@Treadler Read this please:


And if you want to use Quad9 DNS to encrypt your DNS queries, it's as if you were using Google DNS, because both DNS servers log.
Quad9 only has support for DoT and this protocol is not supported by DNSCrypt, Google only has support for DoH and this protocol is better than DoT.



Note: In the next version, 384.7 of Asuswrt-Merlin, there is an update of dnsmasq that has many bugs fixed; I will again try the DNS servers one by one.

Thanks very much for your research & explanations.
Appreciated.
Yes, maybe in future, Cloudflare will play nice with Asuswrt-Merlin!
For me, Cloudflare is the fastest public resolver, followed by Quad9, then Google a very slow last. (Not to mention the logging issues).
So, I would prefer to be using Cloudflare (& dnscrypt), but I’m stuck with Quad9 & no dnscrypt just now........
@Treadler

It is not a problem of Asuswrt-Merlin; it is a problem of Cloudflare DNS not having full support for DNSSEC.
Some quick notes:
  • Cloudflare does have problems with DNSSEC enabled (not related to this implementation). You can either disable DNSSEC or uncheck the 'Strict DNSSEC enforcement' option when using Cloudflare.


In DNSCrypt use Google or any of the other DNS servers that have full support for DNSSEC, and enable DNSSEC in the router. (It's better than nothing.)

I tried dnscrypt using google + dnssec enabled + dns rebind protection enabled.
Got the same dnssec errors in the router log as with Cloudflare.
Reverted to Quad9, & no dnscrypt for now.....

I already tried Google with DNSSEC enabled for an hour and that message did not happen to me.

Then you have to test the Anycast DNS servers (which are Google and Cloudflare) to see which one works for your region, or use the other DNS servers that are not Anycast.
Hi.. my dnscrypt is all good if I run the installer... but it doesn't survive a reboot. I'm assuming it's an issue with ntp, with the start_monitor function forever waiting for the nvram get ntp_ready signal which never comes?... any idea where it's going wrong... it must be working for everyone else.
I tried setting the ntp server to an IP address but that doesn't make a difference.
I also noticed that in the config file you have set cert_ignore_timestamp = true in the global settings..... does this mean this setting is maintained even after ntp is valid?
Thanks HowIFix .... as I mentioned, step #3 is already done..... can anyone enlighten me on why step #6 is important to do after the server has been selected?... I tried setting local time before and I thought that maybe this was the issue ...and was going to retry without it.