DNScrypt dnscrypt installer for asuswrt

Maybe worth noticing that the install script generates a config file (dnscrypt-proxy.toml) which might be different compared to the one used by the latest release of dnscrypt-proxy, as the installer hasn't yet been updated to reflect any changes (if any, I don't know for sure, as I stopped using dnscrypt-proxy). Maybe check your current config against the new default config file to see what changes have been made?
More from Quad9!
Now Quad9 has all the major DNS encryption protocols:
DoT, DNSCrypt, DoH. Nice!
https://www.quad9.net/doh-quad9-dns-servers/

Use the static stamp below for now
sdns://AgcAAAAAAAAABzkuOS45LjkADmRuczkucXVhZDkubmV0Ci9kbnMtcXVlcnk

Generated via
https://dnscrypt.info/stamps/
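Added here as an example, not code from the thread or from dnscrypt-proxy itself: a small Python decoder for the sdns:// stamp layout (DoH and DNSCrypt stamps), so a stamp copied from a generator can be checked for the address, hostname, path, pinned certificate hashes and DNSSEC/NoLog/NoFilter flags it actually encodes before it goes into dnscrypt-proxy.toml. The Quad9 stamp is the one quoted above; the function names are chosen here.

```python
import base64

PROPS = {1: "DNSSEC", 2: "NoLog", 4: "NoFilter"}  # bits of the 8-byte LE properties field
# The Quad9 DoH stamp quoted in the post above, used as the self-check input
QUAD9_DOH_STAMP = "sdns://AgcAAAAAAAAABzkuOS45LjkADmRuczkucXVhZDkubmV0Ci9kbnMtcXVlcnk"

def _lp(buf, pos):
    """Length-prefixed field: one length byte, then that many bytes."""
    n = buf[pos]
    return buf[pos + 1:pos + 1 + n], pos + 1 + n

def _vlp(buf, pos):
    """List of LP fields: bit 7 of a length byte set means another item follows;
    a single zero-length item encodes an empty list."""
    items, more = [], True
    while more:
        more, n = buf[pos] & 0x80, buf[pos] & 0x7F
        if n:
            items.append(buf[pos + 1:pos + 1 + n])
        pos += 1 + n
    return items, pos

def parse_stamp_bytes(raw):
    """Parse decoded stamp bytes (protocol 0x01 DNSCrypt or 0x02 DoH) into a dict."""
    proto, props = raw[0], int.from_bytes(raw[1:9], "little")
    out = {"protocol": proto, "props": [v for k, v in PROPS.items() if props & k]}
    addr, pos = _lp(raw, 9)
    out["addr"] = addr.decode()
    if proto == 0x01:  # DNSCrypt: addr, provider public key, provider name
        pk, pos = _lp(raw, pos)
        name, pos = _lp(raw, pos)
        out["public_key"], out["provider_name"] = pk.hex(), name.decode()
    elif proto == 0x02:  # DoH: addr, pinned cert hashes, hostname, path
        hashes, pos = _vlp(raw, pos)
        host, pos = _lp(raw, pos)
        path, pos = _lp(raw, pos)
        out["hashes"] = [h.hex() for h in hashes]
        out["hostname"], out["path"] = host.decode(), path.decode()
    else:
        raise ValueError("unsupported stamp protocol 0x%02x" % proto)
    if pos != len(raw):
        raise ValueError("trailing bytes after the stamp fields")
    return out

def decode_stamp(stamp):
    """Decode an sdns:// stamp: strip the scheme, re-pad the base64url, parse."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    return parse_stamp_bytes(base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4)))
```

An empty hash list means dnscrypt-proxy will only validate the server certificate against the system CA store, so a stamp with no pinned hashes is worth noticing during the check.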
 
Now if I can only find out why the service is crashing and getting restarted by watchdog 400 times a day.

Code:
Oct 10 20:11:01 admin: Warning: dnscrypt-proxy is not responding
Oct 10 20:11:01 dnscrypt-proxy[24771]: Stopped.
Oct 10 20:11:01 admin: Start dnscrypt-proxy
Oct 10 20:11:01 dnscrypt-proxy[25780]: Source [public-resolvers.md] loaded
Oct 10 20:11:01 dnscrypt-proxy[25780]: dnscrypt-proxy 2.0.17
Oct 10 20:11:01 dnscrypt-proxy[25780]: Loading the set of blocking rules from [blacklist.txt]
Oct 10 20:11:01 dnscrypt-proxy[25780]: Dropping privileges
Oct 10 20:11:01 dnscrypt-proxy[25780]: Source [public-resolvers.md] loaded
Oct 10 20:11:01 dnscrypt-proxy[25780]: dnscrypt-proxy 2.0.17
Oct 10 20:11:01 dnscrypt-proxy[25780]: Loading the set of blocking rules from [blacklist.txt]
Oct 10 20:11:01 dnscrypt-proxy[25780]: Now listening to 127.0.0.1:65053 [UDP]
Oct 10 20:11:01 dnscrypt-proxy[25780]: Now listening to 127.0.0.1:65053 [TCP]
Oct 10 20:11:01 dnscrypt-proxy[25780]: Now listening to [::1]:65053 [UDP]
Oct 10 20:11:01 dnscrypt-proxy[25780]: Now listening to [::1]:65053 [TCP]
Oct 10 20:11:01 dnscrypt-proxy[25780]: [cloudflare] OK (DoH) - rtt: 7ms
Oct 10 20:11:01 dnscrypt-proxy[25780]: [cloudflare-ipv6] OK (DoH) - rtt: 12ms
Oct 10 20:11:01 dnscrypt-proxy[25780]: [quad9-ip4-nofilter-pri] OK (crypto v1) - rtt: 5ms
Oct 10 20:11:01 dnscrypt-proxy[25780]: [quad9-ip4-nofilter-alt] OK (crypto v1) - rtt: 4ms
Oct 10 20:11:01 dnscrypt-proxy[25780]: [quad9-ip6-nofilter-pri] OK (crypto v1) - rtt: 6ms
Oct 10 20:11:01 dnscrypt-proxy[25780]: [quad9-ip6-nofilter-alt] OK (crypto v1) - rtt: 5ms
Oct 10 20:11:01 dnscrypt-proxy[25780]: Server with the lowest initial latency: quad9-ip4-nofilter-alt (rtt: 4ms)
Oct 10 20:11:01 dnscrypt-proxy[25780]: dnscrypt-proxy is ready - live servers: 6

2.0.17 and 384.7 updated in short order. Need to find out which is causing the problems. >.>
 
Their no filter DoH ones are not DNSSEC.

EDIT: Must have read something wrong a bit ago. NONE of Quad9's no filter servers support DNSSEC.
Yes, you are right. That has been the case all along.
Only 9.9.9.9 and its secondary 149.112.112.9, and IPv6 2620:fe::9 and 2620:fe::fe:9, have DNSSEC.

It is very clear that their filtering is similar to OpenDNS with minimum filtering. Go read their FAQ:
https://www.quad9.net/faq/#How_does_Quad9_protect_me_from_malicious_domains
https://www.quad9.net/faq/#Does_Quad9_implement_DNSSEC
 
Is there any progress (news) on integrating DoT TLS encryption? I know about stubby but would like to see it working in this project.
Grtz
 
Latest version 2.0.17 finally "officially" passes Cloudflare's debug test!
Just wondering if you enable strict DNSSEC validation in the Asus web GUI?
 
Is there any progress (news) on integrating DoT TLS encryption? I know about stubby but would like to see it working in this project.
Grtz
For your info, this is just an installer made by bigeyes0x0 to help us install dnscrypt-proxy (created by Frank, aka jedisct1).
You may direct your question to him @ https://github.com/jedisct1/dnscrypt-proxy

But for your information, as far as I know, he has no intention to integrate DOT into dnscrypt-proxy. Why? You can ask him or search in his GitHub.
 
For your info, this is just an installer made by bigeyes0x0 to help us install dnscrypt-proxy (created by Frank, aka jedisct1).
You may direct your question to him @ https://github.com/jedisct1/dnscrypt-proxy

But for your information, as far as I know, he has no intention to integrate DOT into dnscrypt-proxy. Why? You can ask him or search in his GitHub.
Ok, thanks for the answer, but if you know it why don't you share the response with me, or is it a secret...
I don't see why not, because I'm also using John's firmware and stubby works flawlessly, also standalone in Asus Merlin, so I don't see the hiccups for implementing it.
For me Stubby has been running about 6 days and I don't see problems using Cloudflare; it's just more secure because HTTP still reveals info.....
@DinoBot I don't see or find anything about a DOT discussion.
Maybe that's because I've never used GitHub for posting requests or commits :)
So @bigeyes0x0, feedback please about findings on implementing DOT, or not, and if so why??? I think for the people it's a nice value for your script "installer".
 
DNSSEC protection is enabled, but no, not strict validation. DNSSEC tests are positive though, given the "ad" flag:
I tested with stubby DoT too. Cloudflare cannot use strict DNSSEC, otherwise the Cloudflare test will fail.
 
I think for the people it's a nice value for your script "installer".
I don’t think DOT is a feature that you can enable in an installer if the actual tool installed by that installer does not support it (as said above).

DNSCrypt already provides DOH. What is the benefit of DOT over DOH?

(Also asking because I now use DOT via unbound, but might need to re-evaluate now Quad9 also supports DOH)
 
Ok, thanks for the answer, but if you know it why don't you share the response with me, or is it a secret...
I don't see why not, because I'm also using John's firmware and stubby works flawlessly, also standalone in Asus Merlin, so I don't see the hiccups for implementing it.
For me Stubby has been running about 6 days and I don't see problems using Cloudflare; it's just more secure because HTTP still reveals info.....
@DinoBot I don't see or find anything about a DOT discussion.
Maybe that's because I've never used GitHub for posting requests or commits :)
So @bigeyes0x0, feedback please about findings on implementing DOT, or not, and if so why??? I think for the people it's a nice value for your script "installer".
Not secret, just that I'm too lazy to find it.. lol.
As mentioned, you may go to both sides, the stubby and dnscrypt-proxy developers, to ask them.

https://github.com/getdnsapi/stubby
https://github.com/jedisct1/dnscrypt-proxy

I too Googled around but there is no definite answer to why and which is better. Why? The dnscrypt-proxy developer says he doesn't like DoT, the stubby developer says he doesn't like DoH. What can you do. Lol. Currently they are the mainstream developers pushing for the 2 protocols and they say theirs is better than the other. Everyone has their own say.

I like dnscrypt-proxy more as it is more active in its development, however I use stubby as it is more system-resource friendly.

I also see DoT is already an official standard protocol compared to DoH, which is still in draft. And if I'm not wrong, stubby is OpenSSL 1.1.1 and TLS 1.3 ready if your system has TLS 1.3 (OpenSSL 1.1.1).
 
I don’t think DOT is a feature that you can enable in an installer if the actual tool installed by that installer does not support it (as said above).

DNSCrypt already provides DOH. What is the benefit of DOT over DOH?

(Also asking because I now use DOT via unbound, but might need to re-evaluate now Quad9 also supports DOH)
I personally feel DoT seems to be better compared to DoH. I think it's mainly the overhead differences. However, it seems like DoH is created to make easy integration/compatibility with clients/systems like browsers or an OS. Basically it just needs a simple query link.
Example
https://dns.quad9.net/dns-query
Or
https://dns.google.com/query?name=example
Now that Firefox and Google are pushing hard for DoH.
 
I'm not sure that DOH is more resource hungry than DOT. I guess most people on the forum are using DNSCrypt2 to do the DOH, which is a little resource hungry in itself.
One of DOH's advantages is that it looks just like regular HTTPS traffic, whereas DOT is easier to spot/block.

There's a comparison of protocols in the dnscrypt FAQ ... obviously slanted more to promote dnscrypt and the info is a little out of date, but worth a read:

https://dnscrypt.info/faq/
 
I'm not sure that DOH is more resource hungry than DOT. I guess most people on the forum are using DNSCrypt2 to do the DOH, which is a little resource hungry in itself.
One of DOH's advantages is that it looks just like regular HTTPS traffic, whereas DOT is easier to spot/block.

There's a comparison of protocols in the dnscrypt FAQ ... obviously slanted more to promote dnscrypt and the info is a little out of date, but worth a read:

https://dnscrypt.info/faq/
If you follow the development of dnscrypt-proxy, you would know that the developer seems a bit biased on the comparison. dnscrypt.info is done up by the dnscrypt-proxy developer.
There was a time when dnscrypt-proxy v1 chose to shut down and stop support, and its website was redirected to dnsprivacy.org and asked people to use DNS over TLS.
https://malwaretips.com/threads/dnscrypt-has-been-abandoned-what-is-dns-over-tls.78932/
Suddenly he came back with dnscrypt-proxy v2 and told people that DNS over TLS is useless..
We don't know what happened between the developers.


https://www.reddit.com/r/privacytoolsIO/comments/7wakeh/dnscrypt_v2_vs_dnsoverhttp2/ Check jedisct1 comment.

When googling around, there is no really comprehensive comparison between these protocols. Just personal preference I guess. I am sure DNS queries are all secured via encryption to prevent MITM. But if you think it will prevent your ISP from knowing what websites you enter, VPN is the only way.
 
Just to let everyone know, there exists a bug where DNSCrypt blocks NTP sync if your router has booted up before your bridged modem has finished booting and hasn't got a line sync to the ISP. The simplest solution was suggested by @rromeroa - create a dnsmasq.conf.add file in /jffs/configs and then write out an entry that forces the domain of your NTP server to be resolved by the IP address of a public DNS server like this.

Read this thread here #1 for details.
 
