DNScrypt dnscrypt installer for asuswrt

[skeal]

Ok one last question @Twiglets ... I want to use the log file included in the directory of dnscrypt. No matter what I do I cannot get it to work. Can you explain if it works for you please?

 

[M@rco]

Ok one last question @Twiglets ... I want to use the log file included in the directory of dnscrypt. No matter what I do I cannot get it to work. Can you explain if it works for you please?

Did you try killing all instances and manually restarting dnscrypt-proxy without the -syslog parameter which is included automatically when you execute

/jffs/dnscrypt/manager dnscrypt-start

Executing the line above, actually executes

/jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml

and my guess would be it overrides any general logging options specified in dnscrypt-proxy.toml.

 

[skeal]

Did you try killing all instances and manually restarting dnscrypt-proxy without the -syslog parameter which is included automatically when you execute

/jffs/dnscrypt/manager dnscrypt-start

Executing the line above, actually executes

jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml

and my guess would be it overrides any general logging options specified in dnscrypt-proxy.toml.

Thank you for your speedy reply sir! ... The second line in the above post, what does it do exactly? I'm a little confused it's early morning here...LOL.

 

[M@rco]

Even though their AMS data center is hosted at AMSIX, CloudFlare is not the fastest around here, response times vary between 13 ~ 60 ms, whereas others consistently are around 9 ~ 12 ms. However, none of them support DoH, which is why I tried with cache = true.

If I am not wrong, yes, Frank default is on, but using the installer, the default I think is off.

That's correct indeed. I haven't found a reason yet why @bigeyes0x0 decided to disable it by default. It would honestly surprise me when it was to prevent wearing out memory. It seems to me like we in general underestimate the quality of the internal components of our hardware, when reading Eric's comments on it.

 

[M@rco]

Thank you for your speedy reply sir! ... The second line in the above post, what does it do exactly? I'm a little confused it's early morning here...LOL.

Go grab some coffee first

Manager is just a script used to perform several actions. Use nano for example to open it and you'll see a section start_dnscrypt (which is called when you execute /jffs/dnscrypt/manager dnscrypt-start). If you look at the piece of code that is really executed (lines 30-36), it's

/jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml

which causes dnscrypt-proxy to launch, log to syslog (where I assume it disregards any other logging options specified in its config file, see next parameter) and use /jffs/dnscrypt-proxy.toml as it's config file.

 

[M@rco]

@DonnyJohnny, I found it!

Is there any reason to not use dnscrypt's cache? Or does dnsmasq still cache so it's unnecessary overhead?

Few reasons:
- Running dnscrypt as standalone recursive and caching DNS server without dnsmasq as forwarder:
. It can only be run as root as you need to listen on port 53
. Without dnsmasq some internal domain names and router features will not work
- Running dnscrypt as recursive and caching DNS server with dnsmasq as forwarder: unnecessary overhead so it's better to leave dnsmasq with caching function anyway.

Makes sense now. I'll leave it disabled. Heads up to @bengalih.

 

[skeal]

Go grab some coffee first

Manager is just a script used to perform several actions. Use nano for example to open it and you'll see a section start_dnscrypt (which is called when you execute /jffs/dnscrypt/manager dnscrypt-start). If you look at the piece of code that is really executed (lines 30-36), it's

/jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml

which causes dnscrypt-proxy to launch, log to syslog (where I assume it disregards any other logging options specified in its config file, see next parameter) and use /jffs/dnscrypt-proxy.toml as it's config file.

Sorry to be a pain in the butt. In manager I see this:

start_dnscrypt () {
  DNSCRYPT_START="/jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml"
  killall -q dnscrypt-proxy
  logger "Start dnscrypt-proxy"
  cd /jffs/dnscrypt
  nohup $DNSCRYPT_START >/dev/null 2>&1 </dev/null &
}

I don't understand. I know it starts with the command you mentioned, but how do I get the dnscrypt-proxy.log working. My dnscrypt-proxy.log is blank and remains that way.

 

[skeal]

Go grab some coffee first

Manager is just a script used to perform several actions. Use nano for example to open it and you'll see a section start_dnscrypt (which is called when you execute /jffs/dnscrypt/manager dnscrypt-start). If you look at the piece of code that is really executed (lines 30-36), it's

/jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml

which causes dnscrypt-proxy to launch, log to syslog (where I assume it disregards any other logging options specified in its config file, see next parameter) and use /jffs/dnscrypt-proxy.toml as it's config file.

In the script .toml file I have this:

## log file for the application
 
# log_file = 'dnscrypt-proxy.log'
 
 
## Use the system logger (syslog on Unix, Event Log on Windows)
 
# use_syslog = true

 

[martinr]

Please let me know your router model and firmware version too?

Something else going on. I decided to format jffs and got dns resolution back. But I found that reboots (no usb drives or connections present) now gave erratic results. As if every other reboot would cause a loss of dns resolution. But at least I got my router back long enough to release
my Asus DDNS so that it could be used on my spare router.

Not messing about further: factory reset and manual restoration of settings.

So I don’t know if dnscrypt played any part, except that clearing jffs and removing the usb drive gave intermittent service.

Thanks again for your kind help.

 

[M@rco]

Sorry to be a pain in the butt.

No worries, you're not. I think my explanation fell short.

I don't understand. I know it starts with the command you mentioned, but how do I get the dnscrypt-proxy.log working. My dnscrypt-proxy.log is blank and remains that way.

I haven't gotten around to test this myself. Looking at your config there's a # in front of

# log_file = 'dnscrypt-proxy.log'

The # needs to be removed, as you're not specifying any location to log to right now. You can change the location if you want, so it won't log to jffs but to your USB drive for instance. Just enter the full location to where you want to log to:

/mnt/<insert usb label here>/<insert folder here or leave blank>/dnscrypt-proxy.log

and save your changes.

Now dnscrypt-proxy needs to be restarted without the parameter -syslog, as we don't want it to log it to syslog anymore (you can't have both, I tried that). Also check the line

# use_syslog = true

This line should have been commented out by default, so there needs to be a #-sign at beginning of the line.

Next, for now, edit manager and remove -syslog from the following line

  DNSCRYPT_START="/jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml"

so it becomes

  DNSCRYPT_START="/jffs/dnscrypt/dnscrypt-proxy -config /jffs/dnscrypt/dnscrypt-proxy.toml"

Save your changes. In nano that's done by <CTRL>-X, W. Now execute

 /jffs/dnscrypt/manager dnscrypt-start

This will kill all instances of dnscrypt-proxy and restart it, but now without the parameter to log to syslog. Instead, if you edited the .toml config file correctly, it should log to the file you specified. Keep in mind, you won't see dnscrypt-proxy restarting in syslog now as you have just told it to log to a file. So check the logfile to see if it works.

As said, I haven't tried this myself (and I can't currently), but this is how it should work. If it doesn't, you only need to restore manager by adding -syslog (see code line above) and everything should be fine again.

Let me know if it works (or otherwise I can try it first this weekend).

 

[skeal]

No worries, you're not. I think my explanation fell short.

I haven't gotten around to test this myself. Looking at your config there's a # in front of

# log_file = 'dnscrypt-proxy.log'

The # needs to be removed, as you're not specifying any location to log to right now. You can change the location if you want, so it won't log to jffs but to your USB drive for instance. Just enter the full location to where you want to log to:

/mnt/<insert usb label here>/<insert folder here or leave blank>/dnscrypt-proxy.log

and save your changes.

Now dnscrypt-proxy needs to be restarted without the parameter -syslog, as we don't want it to log it to syslog anymore (you can't have both, I tried that). Also check the line

# use_syslog = true

This line should have been commented out by default, so there needs to be a #-sign at beginning of the line.

Next, for now, edit manager and remove -syslog from the following line

  DNSCRYPT_START="/jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml"

so it becomes

  DNSCRYPT_START="/jffs/dnscrypt/dnscrypt-proxy -config /jffs/dnscrypt/dnscrypt-proxy.toml"

Save your changes. In nano that's done by <CTRL>-X, W. Now execute

 /jffs/dnscrypt/manager dnscrypt-start

This will kill all instances of dnscrypt-proxy and restart it, but now without the parameter to log to syslog. Instead, if you edited the .toml config file correctly, it should log to the file you specified. Keep in mind, you won't see dnscrypt-proxy restarting in syslog now as you have just told it to log to a file. So check the logfile to see if it works.

As said, I haven't tried this myself (and I can't currently), but this is how it should work. If it doesn't, you only need to restore manager by adding -syslog (see code line above) and everything should be fine again.

Let me know if it works (or otherwise I can try it first this weekend).

Does this line need the single quotes by chance?

/mnt/<insert usb label here>/<insert folder here or leave blank>/dnscrypt-proxy.log

So it looks like this:

log_file = '/mnt/<insert usb label here>/<insert folder here or leave blank>/dnscrypt-proxy.log'

 

[M@rco]

So it looks like this:

log_file = '/mnt/<insert usb label here>/<insert folder here or leave blank>/dnscrypt-proxy.log'

Yes, that's correct. The full path and filename is between single quotes, like the example in dnscrypt-proxy.toml.

 

[skeal]

No worries, you're not. I think my explanation fell short.

I haven't gotten around to test this myself. Looking at your config there's a # in front of

# log_file = 'dnscrypt-proxy.log'

The # needs to be removed, as you're not specifying any location to log to right now. You can change the location if you want, so it won't log to jffs but to your USB drive for instance. Just enter the full location to where you want to log to:

/mnt/<insert usb label here>/<insert folder here or leave blank>/dnscrypt-proxy.log

and save your changes.

Now dnscrypt-proxy needs to be restarted without the parameter -syslog, as we don't want it to log it to syslog anymore (you can't have both, I tried that). Also check the line

# use_syslog = true

This line should have been commented out by default, so there needs to be a #-sign at beginning of the line.

Next, for now, edit manager and remove -syslog from the following line

  DNSCRYPT_START="/jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml"

so it becomes

  DNSCRYPT_START="/jffs/dnscrypt/dnscrypt-proxy -config /jffs/dnscrypt/dnscrypt-proxy.toml"

Save your changes. In nano that's done by <CTRL>-X, W. Now execute

 /jffs/dnscrypt/manager dnscrypt-start

This will kill all instances of dnscrypt-proxy and restart it, but now without the parameter to log to syslog. Instead, if you edited the .toml config file correctly, it should log to the file you specified. Keep in mind, you won't see dnscrypt-proxy restarting in syslog now as you have just told it to log to a file. So check the logfile to see if it works.

As said, I haven't tried this myself (and I can't currently), but this is how it should work. If it doesn't, you only need to restore manager by adding -syslog (see code line above) and everything should be fine again.

Let me know if it works (or otherwise I can try it first this weekend).

This works really nice. The system log shows only that it started a one line statement. The log location I have set works the line has to look like this though:

log_file = '/mnt/<insert usb label here>/<insert folder here or leave blank>/dnscrypt-proxy.log'

Thanks so much you are a genius man!!

 

[bengalih]

When you visit https://cloudflare-dns.com/help/ it will show you're 'connected' to 1.1.1.1 (ie. where your DNS-queries are being sent to) but it will also show which Cloudflare data center is responding to your queries. I assume that's the secondary IP you're mentioning.

Thanks for that...easy way to actually see if DoH is being used short of having to actually read the packets!

I see no reason of crushing. By right, the installer manager will check for dnscrypt availablity and restart it if needed.
I am thinking of it could be USB disk problem. Corruption maybe?

Have you tried changing a USB disk and try again? Also, please turn off query cache in the toml. I don’t think it is needed and it will take up memory space and system resources.

Also try limiting to 1 or 2 dns servers instead of letting dnscrypt choose for you.

I've had this issue on 2 different USB drives (both formatted new specifically for this purpose). The drive I have in there now is brand new. Also, not having any issues with AB or pixelserv. Only disk issue I was running into was when I had my new drive (which is USB 3.1) plugged into the USB 3.0 port it would fail to mount sometimes. So I switched it to the 2.0 port and no issues.

I've also had this issue when using the "automatic" option or when setting it manually to Google or as I have now cloudflare.

I have been running for close to 20 hours now with seemingly no crash, but it seems very fragile. For instance, there is no reason it should be crashing if I run a tcpdump, etc. Also it is incredibly non-resilient. As I mentioned when I have got crashes occasionally a restart of the service doesn't fix it. It doesn't always launch the -child process and I sometimes need to restart it like 5 times to see that run. In some cases I have to reboot the entire router. Based on the error messages I recorded in my earlier posts it sure seems to be a memory issue of some sort, but I find that incredibly unlikely based on what my router is reporting. Sure is is always possible something is wrong with my hardware (as all the software, settings, drive, etc has been reset more than once) - but there is nothing else that points to that.

Makes sense now. I'll leave it disabled. Heads up to @bengalih.

Thanks, I'll disable mine too if for no other reason than to run the same config as at least one other person for testing reasons.

Something else going on. I decided to format jffs and got dns resolution back. But I found that reboots (no usb drives or connections present) now gave erratic results. As if every other reboot would cause a loss of dns resolution. But at least I got my router back long enough to release
my Asus DDNS so that it could be used on my spare router.

Not messing about further: factory reset and manual restoration of settings.

So I don’t know if dnscrypt played any part, except that clearing jffs and removing the usb drive gave intermittent service.

Thanks again for your kind help.

Well if you cleared jffs, that would mean you would have to reinstall dns-crypt, right? So if you are reinstalling you are restarting the services. Also, if you aren't booting up with a usb drive in then you likely don't have a swap file, right?

I have found that I can't get this to run for more than a couple of minutes without a swap file. If you look back a few pages at my first posts in the thread you will see that I was actually getting memory errors on (some of) my install attempts. This was even though the router reported over 50% of free memory. While I am still getting crashes I seem to be doing much better having a swap file configured, even though the system reports it isn't being used at all. I'm unsure of why this is (perhaps some sort of vmem allocation issue?).

Anyway - I'm curious who of you are using a swap file?
Also - if anyone would be so kind as to do some tests for me and see what you see.

1) Check if you are running a swap file: Type 'free' at the command prompt at send the output.

2) Try to run a tcpdump:

tcpdump -i any -w mydump

See if either a) dns-crypt crashes or b) you are unable to browse the web while the tcpdump is running.
(press ctrl+c) to end dump. Right now a tcpdump for me causes no dns queries to be returned - though dnscrypt is currently *not* crashing and resumes operation as soon as I kill the tcpdump.

EDIT: More tests and I have dns-crypt crashing now everytime tcpdump is stopped or started. Seems if I start tcpdump first and then dns-crypt I can get a capture. However the behavior of all this is very erratic.

3) Tell me what the output of your running dnscrypt process are. What I see is:

admin@RT-AC68U-4C30:/tmp/home/root# ps | grep dnscrypt
  129 admin     777m S    /jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml
  533 nobody    778m S    /jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml -child
 1238 admin     4492 S    grep dnscrypt

When DNS resolution breaks what I usually see is that the "-child" process isn't running. I'm interested to see if others see the same behavior.

UPDATE - In my poking around just now I've realized that apparently I'm *not* running a swap file from my last rebuild and yet thing seem to be relatively stable (i.e. no crash in 12+ hours, no crash (but stall) when running tcpdump). Nothing has really changed from prior when I couldn't get this thing to run 2 minutes without a swap...so don't know. I'm going to keep it up for a while like this and see how many days I can run without issue.

 

[Twiglets]

Skeal,
Sorry I was too late to answer your question but M@rco answered it 'par excellence' !!!

FYI, look at the 'example-dnscrypt-proxy.toml' & 'example*.txt' files in /jffs/dnscrypt to see how to use/configure files for dnscrypt-proxy.
Also see https://github.com/jedisct1/dnscrypt-proxy/wiki where all is explained.

Note: When upgrading dnscrypt-proxy it is always worth checking the 'example-dnscrypt-proxy.toml' file as new options sometimes appear in the configuration file.

 

[skeal]

Skeal,
Sorry I was too late to answer your question but M@rco answered it 'par excellence' !!!

FYI, look at the 'example-dnscrypt-proxy.toml' & 'example*.txt' files in /jffs/dnscrypt to see how to use/configure files for dnscrypt-proxy.
Also see https://github.com/jedisct1/dnscrypt-proxy/wiki where all is explained.

Note: When upgrading dnscrypt-proxy it is always worth checking the 'example-dnscrypt-proxy.toml' file as new options sometimes appear in the configuration file.

Hey there! Should we enable the cache option in dnscrypt-proxy.toml file?

 

[skeal]

Skeal,
Sorry I was too late to answer your question but M@rco answered it 'par excellence' !!!

FYI, look at the 'example-dnscrypt-proxy.toml' & 'example*.txt' files in /jffs/dnscrypt to see how to use/configure files for dnscrypt-proxy.
Also see https://github.com/jedisct1/dnscrypt-proxy/wiki where all is explained.

Note: When upgrading dnscrypt-proxy it is always worth checking the 'example-dnscrypt-proxy.toml' file as new options sometimes appear in the configuration file.

Sorry I read up on it and decided it would be good to enable cache. I also used the same instructions to setup query logging! Works great!

 

[Twiglets]

Sorry I read up on it and decided it would be good to enable cache. I also used the same instructions to setup query logging! Works great!

I run both dnsmasq caching & dnscrypt-proxy caching, its value is dependent on how fast normal dns lookups are for you, how much you access the same dns addresses and can your router handle the additional memory use for more caching. !!!???
[read: how long is a piece of string !!!??? .... try it for a day or two and compare to performance without it enabled & typical performance. ]

I think the general advice is use dnsmasq caching OR dnscrypt-proxy caching ..... but I am not good at taking advice blindly
I do not have any metrics to compare the performance of each type of caching but one will be faster than the other and with particular usage patterns it may be possible you are slower than the *best* performance you could theoretically get.

I know from experience, many many moons ago, you can get strange interuptions to 'flow' when multiple caches are in a pipeline due to caches being manipulated at different times.
[I am sure that there is some very interesting maths to describe it all, which I could not possibly understand. ]

 

[bengalih]

UPDATE - In my poking around just now I've realized that apparently I'm *not* running a swap file from my last rebuild and yet thing seem to be relatively stable (i.e. no crash in 12+ hours, no crash (but stall) when running tcpdump). Nothing has really changed from prior when I couldn't get this thing to run 2 minutes without a swap...so don't know. I'm going to keep it up for a while like this and see how many days I can run without issue.

Ok, I just came home and found that my dns was out again and dnscrypt looks like it stopped about 2 hours ago while I was out. I have logging turned up to "0" and everytime I have a problem what the log shows is:

[2018-08-25 04:36:46] [NOTICE] dnscrypt-proxy is ready - live servers: 1
[2018-08-25 04:37:59] [NOTICE] Stopped.
[2018-08-25 04:37:59] [NOTICE] Stopped.

This seems kind of strange as-in, not exactly a crash since dnscrypt is able to log that it has stopped. It has to somehow then be aware that it is being terminated in a somewhat graceful manner.

I then tried to restart with

 /jffs/dnscrypt/manager dnscrypt-start

And this is what was showing in my log:

[2018-08-24 22:00:46] [NOTICE] Stopped.
[2018-08-24 22:00:46] [NOTICE] Stopped.
[2018-08-25 04:34:07] [NOTICE] Stopped.
[2018-08-25 04:34:08] [NOTICE] Source [public-resolvers.md] loaded
[2018-08-25 04:34:08] [NOTICE] dnscrypt-proxy 2.0.16
[2018-08-25 04:34:08] [NOTICE] Dropping privileges
[2018-08-25 04:34:09] [NOTICE] Source [public-resolvers.md] loaded
[2018-08-25 04:34:09] [NOTICE] dnscrypt-proxy 2.0.16
[2018-08-25 04:34:09] [NOTICE] Now listening to 127.0.0.1:65053 [UDP]
[2018-08-25 04:34:09] [NOTICE] Now listening to 127.0.0.1:65053 [TCP]
[2018-08-25 04:34:10] [NOTICE] Source [public-resolvers.md] loaded
[2018-08-25 04:34:10] [NOTICE] dnscrypt-proxy 2.0.16
....
[2018-08-25 04:34:12] [NOTICE] Now listening to 127.0.0.1:65053 [UDP]
[2018-08-25 04:34:12] [NOTICE] Now listening to 127.0.0.1:65053 [TCP]
[2018-08-25 04:34:14] [NOTICE] Source [public-resolvers.md] loaded
[2018-08-25 04:34:14] [NOTICE] dnscrypt-proxy 2.0.16
...

This goes on many times until it either stops completely and nothing is loaded, or I kill the process or attempt another dnscrypt-start.

I have recreated this issue several times on the device as it is currently running.

As soon as I enable my swap file and try dnscrypt-start it loads properly. In some cases I have actually been able to catch it in this loop and see that immediately after the swap is loaded it finishes loading properly. Meanwhile, my memory shows 50% and even after dnscrypt initialization my swap file shows 0 usage. And yet it is dependent on the swap being enabled.

Here is a full example which I just grabbed which definitively shows some dependence on the swap:

(here I turn off swap and issue a dnscrypt-start to restart...)

[2018-08-25 05:06:10] [NOTICE] Stopped.
[2018-08-25 05:06:10] [NOTICE] Stopped.

(as you can see, the services stopped - but nothing at all is reloaded.
If I look for running dns-crypt processes I see none.
So I go ahead and issue *another* dnscrypt-start...)

[2018-08-25 05:06:27] [NOTICE] Source [public-resolvers.md] loaded
[2018-08-25 05:06:27] [NOTICE] dnscrypt-proxy 2.0.16
[2018-08-25 05:06:27] [NOTICE] Dropping privileges

(So it starts to initialize...and I get this "dropping privileges" message.
If I look for running processes I see the dns-crypt process, but not the --child.
I let it sit like this for about 10 seconds and then I enable swap...)

[2018-08-25 05:06:44] [NOTICE] Source [public-resolvers.md] loaded
[2018-08-25 05:06:44] [NOTICE] dnscrypt-proxy 2.0.16
[2018-08-25 05:06:44] [NOTICE] Now listening to 127.0.0.1:65053 [UDP]
[2018-08-25 05:06:44] [NOTICE] Now listening to 127.0.0.1:65053 [TCP]
[2018-08-25 05:06:45] [INFO] [cloudflare] TLS version: 303 - Protocol: h2 - Cipher suite: 52393
[2018-08-25 05:06:45] [NOTICE] [cloudflare] OK (DoH) - rtt: 24ms
[2018-08-25 05:06:45] [NOTICE] Server with the lowest initial latency: cloudflare (rtt: 24ms)
[2018-08-25 05:06:45] [NOTICE] dnscrypt-proxy is ready - live servers: 1

You can see here that as soon as I enable the swap dns-crypt initializes successfully.

All I can really deduce from this is that is appears that dns-crypt it doing something with vmem that is requiring it to have a swap file even if there is plenty of ram free and it won't even use the swap file. I'm not expert enough on linux memory allocation to hazard a guess on what exactly is going on here. But it seems that at least on my hardware and firmware a swap file is *not optional*, but absolutely required.

Once again I would like to ask those of you successfully running this:
Do you use a swap file, or are you working without issue sans swap?

I'm just going to have to tag @bigeyes0x0 here to maybe instruct me what could be going on, as I'm not sure what can be happening and I can't seem to find anything in dns-crypt or system logs that would indicate what the issue is.

thanks.

 

[M@rco]

Do you use a swap file, or are you working without issue sans swap?

I use a swap file by default (512MB) as it is recommended for use with Skynet, AB-Solution and dnscrypt as well.

Maybe @RMerlin can shed some light on your questions regarding memory usage?