DNScrypt dnscrypt installer for asuswrt

Ok I have built my router up from scratch after an "nvram erase."
All the issues I have reported a few posts up still apply.

Namely:
1) Dnscrypt crashes (and thus blocks all dns queries) unless I am using a swap file. This is the case even though virtually nothing else is running on the router (other than ab-solution) and "free" shows more than 50% memory free.
2) I am not able to do an nslookup test against opendns to see if dnscrypt is working. Thus I can't verify if anything is actually working (I don't know another way).
3) The only thing that seems resolved from previous post is that it seems I am able to use the "automatic" option instead of manually specifying a server.

The only type of test that I have performed which indicates there is something working is dnsleak.com shows me a different dns server on every query.

Honestly I'm new to dnscrypt in general, so I'm not sure what I'm supposed to be seeing/testing to verify.
I'm also concerned that something is wrong with this version on my router as these out of memory messages and crashes are very strange considering that the system believes I have over 50% mem free.

Can someone assist on any of the above?

thanks.

Ok - so I'm getting crashes still now even with the swap file configured.
I know that people have worked hard to pull this package together, and undoubtedly some of you are using this successfully - but it simply doesn't work for me. I don't know how much more basic my setup can be:

- RT-AC68U running 384.6
- Reset (nvram erase) with only the most basic of setup done.
- AB-Solution and amtm installed. Entware installed with entware-setup.sh.

That's pretty much it. Running off a 35GB flash disk with a 2GB swap file.
Dnscrypt keeps crashing at least once every day (could be 10 minutes, could be 12 hours).

Only observable issue is that:

a) All dns queries stop.
b) The "-child" process as shown in the ps list below is no longer running:
Code:
 4444 admin     777m S    /jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml
 4463 admin     1424 S    {manager} /bin/sh /jffs/dnscrypt/manager monitor-start
 4477 nobody    778m S    /jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml -child

I can't see anything else I could have done / do on my end that would cause this, it simply just seems unstable at least on my router / fw version.

I've uninstalled for now as I can't have my dns down completely when this happens. I'd love to work with someone on fixing it - but doesn't seem there is much activity on this thread from someone who can :/
 
I'd love to work with someone on fixing it - but doesn't seem there is much activity on this thread from someone who can :/

I wish I could be of assistance, but I've never experienced any issues like you, at least not since the most early builds of dnscrypt v2. I can't recall reading anyone having similar issues. I have the exact same router, use CloudFlare DoH solely and the only time dnscrypt is restarted is when I install an update of it or a firmware update for the router itself. Regardless whether I install dnscrypt through amtm or directly, I configure it, reboot and it runs flawlessly.

Pinging @bigeyes0x0 for assistance, maybe he can help you out.
 
I have the exact same router, use CloudFlare DoH ...

Could you provide some info on how to set it up this way? If you are only using it for DoH maybe you aren't running into the same thing. DoH is better than nothing even though the overhead is higher... I'd be interested to mirror your config and see if I still have issues.
 
I've pasted my config here: https://pastebin.com/rFffYFv1

You need to comment two lines out, in the sections query_log and nx_log the locations to the logfiles need to be preceded with a #-sign on line 304 and line 330. The only other manual change I made is that I enabled caching on line 265 (because CloudFlare is not the fastest DNS in my region and I'm trying to see whether this might slightly improve performance, because I'd like to keep using DoH). Change it to false if you don't want it.

You can save the config to

Code:
/jffs/dnscrypt/dnscrypt-proxy.toml

Use dos2unix through ssh if you decided to edit the config file in a Windows text editor before copying it to your router. After saving the config, execute

Code:
/jffs/dnscrypt/manager dnscrypt-start

to kill remaining instances of dnscrypt-proxy and restart it with its default options (log to syslog and use dnscrypt-proxy.toml as config).
 

Ok, thanks. I've set it up just like yours - including the caching for now. I figure I don't want to alter what you know is working so I can see if I have issues.

It is working...for now...but I'm not too confident as I have had multiple crashes in just testing to make sure it is working.
I confirmed that dnsleaktest.com was going to cloudflare. I also installed tcpdump from the entware package and did some captures to confirm that after my clients request an IP, the router is going out to 1.0.0.1 over TLS.

So, it works - but I don't think it is stable. As I mentioned, what keeps happening is that the "-child" process gets terminated.

The command you meant to give I think was:
Code:
/jffs/dnscrypt/manager dnscrypt-start

But what I needed was the manager file...I was looking for what controlled it so I looked inside and found the right parameter.
So now at least I hope to be able to restart things without having to do a full reboot/uninstall.

I'm going to keep my eye on it - but expect I will be back here by tomorrow stating it crashed again.

Any advice on what specifically I can log (and to where it goes) so that I might capture more info on a crash?

Also - what version of FW are you on?

One last question - when I do a dnsleaktest.com the results say:
"108.162.220.214 none Cloudflare"
I don't know what that 108 IP is? I see it is owned by Cloudflare, but it looks like their DNS servers (and my tcpdump) shows 1.0.0.1 (or 1.1.1.1)... I'm just curious how that 108 is involved. Any idea?
 
RT-AC68U 384.5

I’d be grateful for guidance on how to uninstall dnscrypt using the command line.

I’m unable to do it from within AMTM (option 2) because it hangs.


The problem I have is that I can’t resolve DNS queries. This happened once before but after a few reboots, the problem was suddenly resolved. This time, also out of nowhere, I lost DNS resolution but reboots haven’t helped. So I would like to uninstall DNSCRYPT but, whatever the corruption is, it also seems to affect the workings of AMTM.

(I also run AB-Solution and Skynet. It‘s all worked fine for months other than the 2 loss-of-DNS-resolution glitches. )

Thanks.
 
One thing that is definitely crashing it 95% of the time is tcpdump.
I say 95% because I was somehow able to get it to run at least once for my test (though I was struggling then). As I tried more tests, the instant I run:

"tcpdump -c 4000 -i any -w mydump.pcap"

all the dnscrypt processes are killed:

Code:
admin@RT-AC68U-4C30:/tmp/home/root# /jffs/dnscrypt/manager dnscrypt-start
admin@RT-AC68U-4C30:/tmp/home/root# sleep 30
admin@RT-AC68U-4C30:/tmp/home/root# ps | grep dnscrypt
 1148 admin     778m S    /jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml
 1156 nobody    778m S    /jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml -child
 1179 admin     2312 D    grep dnscrypt
admin@RT-AC68U-4C30:/tmp/home/root# tcpdump -c 4000 -i any -w mydump.pcap
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
^C1297 packets captured
1332 packets received by filter
14 packets dropped by kernel
admin@RT-AC68U-4C30:/tmp/home/root# ps | grep dnscrypt
 1200 admin     4492 S    grep dnscrypt
admin@RT-AC68U-4C30:/tmp/home/root# /jffs/dnscrypt/manager dnscrypt-start
admin@RT-AC68U-4C30:/tmp/home/root# ps | grep dnscrypt
 1206 admin     777m S    /jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml
 1214 nobody    778m S    /jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml -child
 1225 admin     4492 S    grep dnscrypt
admin@RT-AC68U-4C30:/tmp/home/root# sleep 30
admin@RT-AC68U-4C30:/tmp/home/root# ps | grep dnscrypt
 1206 admin     777m S    /jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml
 1214 nobody    778m S    /jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml -child
 1248 admin     4492 S    grep dnscrypt

In the example above you see that the "-child" started back up (and stayed up) for at least 30 seconds. However this was after a reboot. Prior to that after dnscrypt-start the -child would fail after only a few seconds.

Again, this router is newly reset and has virtually nothing on it that could be interfering. :/
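
A check for the failure state described in the post above, where the "-child" process disappears while the parent may keep running. This is an added example, not part of the original post or the installer; it assumes the BusyBox `ps` column layout shown in the thread, and the log path in the closing comment is hypothetical.

```shell
#!/bin/sh
# Added example: classify dnscrypt-proxy health from BusyBox `ps` output.
# Assumes the column layout shown in the thread: PID USER VSZ STAT COMMAND...

# Reads ps output on stdin; prints ok | child-missing | parent-missing | down.
dnscrypt_state() {
    awk '
        # Match on the command field only, so "grep dnscrypt" and the
        # {manager} monitor script are never counted as the proxy.
        $5 ~ /\/dnscrypt-proxy$/ {
            if ($NF == "-child") child++; else parent++
        }
        END {
            if (parent && child) print "ok"
            else if (parent)     print "child-missing"
            else if (child)      print "parent-missing"
            else                 print "down"
        }'
}

# record_change PREV CUR LOGFILE: append an entry only when the state
# changes, with free memory and swap as context for the crash.
record_change() {
    [ "$1" = "$2" ] && return 0
    {
        printf '%s dnscrypt-proxy state %s -> %s\n' \
            "$(date '+%b %d %H:%M:%S')" "$1" "$2"
        grep -E '^(MemFree|SwapFree):' /proc/meminfo 2>/dev/null || true
    } >> "$3"
}

# Sample input: ps lines copied from the thread.
SAMPLE_OK=' 1148 admin     778m S    /jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml
 1156 nobody    778m S    /jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml -child
 1179 admin     2312 D    grep dnscrypt'

# Constructed from the thread listing with the -child line removed.
SAMPLE_CHILD_MISSING=' 4444 admin     777m S    /jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml
 4463 admin     1424 S    {manager} /bin/sh /jffs/dnscrypt/manager monitor-start'

# Copied from the thread: only the grep itself matches after the crash.
SAMPLE_DOWN=' 1200 admin     4492 S    grep dnscrypt'

# Live use on the router (log path is a hypothetical choice):
#   prev=ok
#   while sleep 30; do
#       cur=$(ps | dnscrypt_state)
#       record_change "$prev" "$cur" /tmp/dnscrypt-state.log
#       prev=$cur
#   done
```

Because the log records MemFree and SwapFree at the moment of each transition, it can be lined up with the syslog timestamps to see whether memory pressure coincides with the process disappearing.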
 
RT-AC68U 384.5

I’d be grateful for guidance on how to uninstall dnscrypt using the command line.

I’m unable to do it from within AMTM (option 2) because it hangs.


The problem I have is that I can’t resolve DNS queries. This happened once before but after a few reboots, the problem was suddenly resolved. This time, also out of nowhere, I lost DNS resolution but reboots haven’t helped. So I would like to uninstall DNSCRYPT but, whatever the corruption is, it also seems to affect the workings of AMTM.

Thanks.
Looks like you are probably having the same problems I am trying to work through.
What is your router and fw version?

The reason AMTM hangs is that it downloads the script to uninstall - so if you can't get out to the internet it kind of just hangs or just times out.

You can try a few things:

1) Restart dnscrypt with:
Code:
/jffs/dnscrypt/manager dnscrypt-start
and see if it runs long enough to have amtm uninstall.

2) Go to another system and get the installer script:
Code:
curl -L -s -k -O https://raw.githubusercontent.com/thuantran/dnscrypt-asuswrt-installer/master/installer

(or just use a browser and then scp the file over).

3) Add a static entry into your hosts file to get to github
in hosts (in /etc)

then in hosts add to the end:
151.101.48.133 raw.githubusercontent.com

Then save that and run amtm again and it should load the uninstaller.
 

Thank you very much. I will try your kind suggestions tomorrow (when my brain unscrambles).

RT-AC68U. 384.6
 
Can anyone tell me if this is something to be concerned about, please? Thanks in advance!
Code:
Aug 23 13:52:28 dnsmasq[387]: nameserver 127.0.0.1 refused to do a recursive query
This happens just after dnscrypt senses connection and runs.
 
Please let me know your router model and firmware version too?


Rt-AC68U and 384.6



Not sure if I’m making progress. Your Option 1 didn’t work but I managed to run that ...master/installer file but it stalls looking for:

https://raw.githubusercontent.com

https://github.com and

http://download.dnscrypt.info

which I have found are

151.101.112.133

192.30.253.113

37.59.238.213 respectively.

However, I’d appreciate help with putting a static entry in the hosts file. I see various files with hosts in the name: most are .bak files , one is AddPlusHosts and one is update-hosts-add.

Which, if any, is the correct one, and will there be other entries in the file which will show me the correct format?


Failing that, it may well be easier if I backup/copy the OpenVPN server credentials then format the jffs partition and the usb drive and start again.
 
Can anyone tell me if this is something to be concerned about, please? Thanks in advance!
Code:
Aug 23 13:52:28 dnsmasq[387]: nameserver 127.0.0.1 refused to do a recursive query
This happens just after dnscrypt senses connection and runs.
You get that if you have IPv6 disabled and something is trying to resolve IPv6 Addresses.
As IPv6 Addresses are not resolved and cached the only source is external (which is recursive by definition).
The external query is blocked by the 'block_ipv6 = true' line in the 'dnscrypt-proxy.toml' configuration file.

Example: Addresses are queried for clients3.google.com.

...
...
Aug 24 01:30:55 dnsmasq[25765]: query[AAAA] clients3.google.com from 192.168.2.1
Aug 24 01:30:55 dnsmasq[25765]: cached clients3.google.com is <CNAME>
Aug 24 01:30:55 dnsmasq[25765]: forwarded clients3.google.com to 127.0.0.1
Aug 24 01:30:55 dnsmasq[25765]: nameserver 127.0.0.1 refused to do a recursive query
Aug 24 01:30:55 dnsmasq[25765]: query[A] clients3.google.com from 192.168.2.1
Aug 24 01:30:55 dnsmasq[25765]: cached clients3.google.com is <CNAME>
...
...
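
The correlation the reply above describes, as an added example that is not part of the original post: it attributes each "refused to do a recursive query" line to the most recent name forwarded to that upstream and counts refusals by query type. The attribution is a heuristic that assumes dnsmasq's `log-queries` lines are not interleaved; the extra lines in the second sample are constructed.

```shell
#!/bin/sh
# Added example: count dnsmasq "refused" lines by the query type that
# triggered them. Reads syslog lines on stdin.

refusals_by_qtype() {
    awk '
        $4 !~ /^dnsmasq\[/ { next }
        # query[AAAA] name from client -> remember the type asked for name
        $5 ~ /^query\[/ {
            qt = $5; sub(/^query\[/, "", qt); sub(/\]$/, "", qt)
            last_qtype[$6] = qt
            next
        }
        # forwarded name to upstream -> remember what went to that upstream
        $5 == "forwarded" { fwd_name[$8] = $6; next }
        # nameserver upstream refused ... -> blame the last forwarded name
        $5 == "nameserver" && $7 == "refused" {
            name = fwd_name[$6]
            if (name != "" && (name in last_qtype)) qt = last_qtype[name]
            else qt = "unknown"
            count[qt]++
        }
        END { for (qt in count) print qt, count[qt] }
    ' | LC_ALL=C sort
}

# Refusals that did NOT follow an AAAA query. With block_ipv6 = true these
# are the ones the explanation above does not account for.
non_aaaa_refusals() {
    refusals_by_qtype | awk '$1 != "AAAA" { n += $2 } END { print n + 0 }'
}

# Sample 1: the log lines quoted in the thread.
SAMPLE_PAGE='Aug 24 01:30:55 dnsmasq[25765]: query[AAAA] clients3.google.com from 192.168.2.1
Aug 24 01:30:55 dnsmasq[25765]: cached clients3.google.com is <CNAME>
Aug 24 01:30:55 dnsmasq[25765]: forwarded clients3.google.com to 127.0.0.1
Aug 24 01:30:55 dnsmasq[25765]: nameserver 127.0.0.1 refused to do a recursive query
Aug 24 01:30:55 dnsmasq[25765]: query[A] clients3.google.com from 192.168.2.1
Aug 24 01:30:55 dnsmasq[25765]: cached clients3.google.com is <CNAME>'

# Sample 2: sample 1 plus three constructed lines where an A query is refused.
SAMPLE_MIXED="$SAMPLE_PAGE
Aug 24 01:31:02 dnsmasq[25765]: query[A] example.com from 192.168.2.10
Aug 24 01:31:02 dnsmasq[25765]: forwarded example.com to 127.0.0.1
Aug 24 01:31:02 dnsmasq[25765]: nameserver 127.0.0.1 refused to do a recursive query"
```

On the thread's own lines the only refusal follows an AAAA query; a non-zero result from `non_aaaa_refusals` on a real log points at refusals that the IPv6 setting does not explain.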
 
The command you meant to give I think was:
Code:
/jffs/dnscrypt/manager dnscrypt-start

Sorry, my mistake. I've corrected it in my post. I'm not an expert by far, just trying to see if I can help you out. Looking at your posts, you have way more knowledge on the whole networking matter than I have. But I keep learning...

One more option I changed regarding DNS btw: I enabled Rebind Protection in the WebUI, but as far as I'm aware this shouldn't affect dnscrypt in any way. I only recently turned it on after learning about it.

I'm on ASUSWRT-Merlin RT-AC68U 384.7-alpha1-g43c4482aa (see my signature) but I can't recall having issues on 384.6 either.

You can set the logging level in the config file, on line 119 in my example, to 0 for the most verbose logging. By default it's logging to syslog (due to the command line passed by manager to (re-)start dnscrypt). If you want to log it to a separate file, specify a location and filename in the config file and manually start dnscrypt-proxy without the syslog command line option.

As for your last question:

One last question - when I do a dnsleaktest.com the results say:
"108.162.220.214 none Cloudflare"
I don't know what that 108 IP is? I see it is owned by Cloudflare, but it looks like their DNS servers (and my tcpdump) shows 1.0.0.1 (or 1.1.1.1)... I'm just curious how that 108 is involved. Any idea?

I think this is caused by Cloudflare using Anycast. When I do a test on dnsleaktest.com, it returns:

Code:
141.101.75.238    none    Cloudflare    Netherlands

When you visit https://cloudflare-dns.com/help/ it will show you're 'connected' to 1.1.1.1 (ie. where your DNS-queries are being sent to) but it will also show which Cloudflare data center is responding to your queries. I assume that's the secondary IP you're mentioning.
 
One thing that is definitely crashing it 95% of the time is tcpdump.
I say 95% because I was somehow able to get it to run at least once for my test (though I was struggling then). As I tried more tests, the instant I run:

"tcpdump -c 4000 -i any -w mydump.pcap"

all the dnscrypt processes are killed:

Code:
admin@RT-AC68U-4C30:/tmp/home/root# /jffs/dnscrypt/manager dnscrypt-start
admin@RT-AC68U-4C30:/tmp/home/root# sleep 30
admin@RT-AC68U-4C30:/tmp/home/root# ps | grep dnscrypt
 1148 admin     778m S    /jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml
 1156 nobody    778m S    /jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml -child
 1179 admin     2312 D    grep dnscrypt
admin@RT-AC68U-4C30:/tmp/home/root# tcpdump -c 4000 -i any -w mydump.pcap
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
^C1297 packets captured
1332 packets received by filter
14 packets dropped by kernel
admin@RT-AC68U-4C30:/tmp/home/root# ps | grep dnscrypt
 1200 admin     4492 S    grep dnscrypt
admin@RT-AC68U-4C30:/tmp/home/root# /jffs/dnscrypt/manager dnscrypt-start
admin@RT-AC68U-4C30:/tmp/home/root# ps | grep dnscrypt
 1206 admin     777m S    /jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml
 1214 nobody    778m S    /jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml -child
 1225 admin     4492 S    grep dnscrypt
admin@RT-AC68U-4C30:/tmp/home/root# sleep 30
admin@RT-AC68U-4C30:/tmp/home/root# ps | grep dnscrypt
 1206 admin     777m S    /jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml
 1214 nobody    778m S    /jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml -child
 1248 admin     4492 S    grep dnscrypt

In the example above you see that the "-child" started back up (and stayed up) for at least 30 seconds. However this was after a reboot. Prior to that after dnscrypt-start the -child would fail after only a few seconds.

Again, this router is newly reset and has virtually nothing on it that could be interfering. :/
I see no reason for it crashing. By right, the installer manager will check for dnscrypt availability and restart it if needed.
I am thinking it could be a USB disk problem. Corruption maybe?

Have you tried changing a USB disk and try again? Also, please turn off query cache in the toml. I don’t think it is needed and it will take up memory space and system resources.

Also try limiting to 1 or 2 dns servers instead of letting dnscrypt choose for you.
 
Also, please turn off query cache in the toml. I don’t think it is needed and it will take up memory space and system resources.

I've just turned it off myself and restarted dnscrypt, as I don't 'feel' a noticeable difference. Does anyone know if it's possible to actually measure whether there's a noticeable difference?

@DonnyJohnny, do you have any more info regarding the impact on system resources? From what I understand Frank advises it to be enabled by default? (https://github.com/jedisct1/dnscrypt-proxy/wiki/Caching)

Also try limiting to 1 or 2 dns servers instead of letting dnscrypt choose for you.

@bengalih is, assuming he's still using my config, only using Cloudflare at the moment.
 
You get that if you have IPv6 disabled and something is trying to resolve IPv6 Addresses.
As IPv6 Addresses are not resolved and cached the only source is external (which is recursive by definition).
The external query is blocked by the 'block_ipv6 = true' line in the 'dnscrypt-proxy.toml' configuration file.

Example: Addresses are queried for clients3.google.com.

...
...
Aug 24 01:30:55 dnsmasq[25765]: query[AAAA] clients3.google.com from 192.168.2.1
Aug 24 01:30:55 dnsmasq[25765]: cached clients3.google.com is <CNAME>
Aug 24 01:30:55 dnsmasq[25765]: forwarded clients3.google.com to 127.0.0.1
Aug 24 01:30:55 dnsmasq[25765]: nameserver 127.0.0.1 refused to do a recursive query
Aug 24 01:30:55 dnsmasq[25765]: query[A] clients3.google.com from 192.168.2.1
Aug 24 01:30:55 dnsmasq[25765]: cached clients3.google.com is <CNAME>
...
...
In your opinion should that setting be turned off? You are right I did change that setting. Going forward what would you recommend. My DNS knowledge is limited. Thanks in advance!
 
In your opinion should that setting be turned off? You are right I did change that setting. Going forward what would you recommend. My DNS knowledge is limited. Thanks in advance!
If you do not use IPv6 it should be set to 'block_ipv6 = true' as this stops the unnecessary resolution of IPv6 DNS queries, which you cannot use anyway !!!
If you do use IPv6 it should be set to 'block_ipv6 = false' to resolve external IPv6 Addresses.

I am not finding any IPv6 Only sites that I need to use so IPv6 is not used as my ISP does not 'officially' support IPv6, your situation may differ :)
 
If you do not use IPv6 it should be set to 'block_ipv6 = true' as this stops the unnecessary resolution of IPv6 DNS queries, which you cannot use anyway !!!
If you do use IPv6 it should be set to 'block_ipv6 = false' to resolve external IPv6 Addresses.

I am not finding any IPv6 Only sites that I need to use so IPv6 is not used as my ISP does not 'officially' support IPv6, your situation may differ :)
With my limited knowledge of DNS I figured the same. I reasoned that my ISP doesn't support IPv6 as well. Glad to know the log entry is ok though. Thank you @Twiglets you're awesome!;)
 
I've just turned it off myself and restarted dnscrypt, as I don't 'feel' a noticeable difference. Does anyone know if it's possible to actually measure whether there's a noticeable difference?

@DonnyJohnny, do you have any more info regarding the impact on system resources? From what I understand Frank advises it to be enabled by default? (https://github.com/jedisct1/dnscrypt-proxy/wiki/Caching)

@bengalih is, assuming he's still using my config, only using Cloudflare at the moment.
I do notice a slight increase in memory usage when cache on and I don’t know if it was me only, the browsing seems slightly slower.

I personally think that since CF ping is like 6-12ms to me. Assuming doing a query will give very fast response for me. Why waste resources caching it in router/usb disk. May shorten lifespan due to unnecessary read/write?

If I am not wrong, yes, Frank default is on, but using the installer, the default I think is off.

I am also using CF only.
 
