DNScrypt dnscrypt installer for asuswrt

Hi again,

In the meantime I discovered that the OpenVPN server is not responding on the default port (normally, I would say). Could you please suggest what I should change? Is it possible to have dns-proxy and the OpenVPN server at the same time?
I have Googled it until now without finding any working fix.

Thanks!
I have OpenVPN-Server and dnscrypt-proxy and it works fine
Do you have "Advertise DNS to clients" set to yes?
 
It was set to yes. I changed it to no, saved the configuration, switched the OpenVPN-Server off and back on, and I still cannot connect. I am trying to connect from my Android as usual. It worked before installing dnscrypt-proxy. Should I open a port or specify a rule in the firewall?

Thanks.
 
Should not be needed
What happens in syslog when you are connecting? both in phone and router
 
I checked in the meantime to connect from Linux OS and it worked. Phone also started to work after a simple restart. :)
Sorry and thank you for prompt support!
 
I have a RT-AC5300 running Merlin 384.8_2.
I have installed Diversion, Skynet and Stubby (DNSSec/DoT). Along with DNSCrypt for Asuswrt.

I just tried to connect to: https://dns-over-https.com/
( https://downforeveryoneorjustme.com/https://dns-over-https.com/ )
But I cannot connect to it from my network.

The same goes for the mentioned test:
"nslookup -type=txt debug.opendns.com"
Which returns:
Server: router.asus.com
Address: 192.168.1.1
*** router.asus.com can't find debug.opendns.com: Non-existent domain

However, running:
"pidof dnscrypt-proxy"
Does return a number:
"15340"
So that's promising, right?


When I uninstall DNSCrypt I cannot connect to the dns-over-https.com site either, so I'm not sure if it is related to DNSCrypt or Stubby actually...
 
As I checked, Skynet is blocking the IP address 167.99.129.42, which belongs to "dns-over-https.com". If you're using Skynet, try unbanning this IP address and try again.
 
Indeed, I was about to edit my post and point this out.

Also, as the people over at the Stubby topic point out, using this DNSCrypt with the Stubby for asuswrt might cause issues.
For the time being I'll just have to accept I cannot have DoT and DoH with just installing stuff on asuswrt. :)
 
server=127.0.0.1#65053

is ok - if dnscrypt-proxy.toml config file contains,

listen_addresses = ['127.0.0.1:65053']

My router has firewall rules to ensure all dns requests from all clients on the LAN have UDP/TCP 53 requests always redirected to 127.0.0.1:53 (i.e. dnsmasq). Dnsmasq then uses 127.0.0.1:65053 (i.e. dnscrypt-proxy).

The benefits are added client lockdown and you leverage dnsmasq dns lookup caching capabilities.

I have a pseudo-script like the one below in my /jffs/scripts/firewall-start

# Redirect every LAN DNS query (UDP and TCP port 53 arriving on br0) to the router itself.
# -C tests whether the rule already exists, so -A only runs when it is missing.
iptables -t nat -C PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr) > /dev/null 2>&1 || iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -C PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr) > /dev/null 2>&1 || iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)


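The condition stated in the post above (the dnsmasq `server=` line is only correct if it points at an address listed in dnscrypt-proxy's `listen_addresses`) can be checked mechanically. This is an added example, not part of the original post or of the installer; the sample configs and the function names are constructed for illustration.

```sh
# Added example: verify that dnsmasq forwards to an address dnscrypt-proxy listens on.
# The two sample configs are constructed, not copied from a real router.

sample_dnsmasq() { printf '%s\n' 'no-resolv' 'server=127.0.0.1#65053'; }
sample_toml()    { printf '%s\n' "listen_addresses = ['127.0.0.1:65053']"; }

# Read dnsmasq config on stdin; print each upstream as ip:port (dnsmasq defaults to 53).
dnsmasq_upstreams() {
    sed -n 's|^[[:space:]]*server=\(/.*/\)\{0,1\}||p' | while read -r up; do
        case $up in
            ''|'#') ;;   # domain-only entries carry no upstream address
            *'#'*)  printf '%s:%s\n' "${up%%#*}" "${up##*#}" ;;
            *)      printf '%s:53\n' "$up" ;;
        esac
    done
}

# Read dnscrypt-proxy.toml on stdin; print each listen_addresses entry on its own line.
dnscrypt_listeners() {
    sed -n 's/^[[:space:]]*listen_addresses[[:space:]]*=[[:space:]]*\[\(.*\)].*$/\1/p' |
        tr ',' '\n' | tr -d " '\"\t"
}

# $1 = dnsmasq config text, $2 = dnscrypt-proxy.toml text.
# Returns 0 if every upstream matches a listener, 1 on a mismatch, 2 if no server= line.
check_chain() {
    listeners=$(printf '%s\n' "$2" | dnscrypt_listeners)
    upstreams=$(printf '%s\n' "$1" | dnsmasq_upstreams)
    [ -n "$upstreams" ] || { echo "no server= line in dnsmasq config"; return 2; }
    rc=0
    for up in $upstreams; do
        if printf '%s\n' "$listeners" | grep -qxF -- "$up"; then
            echo "ok: dnsmasq -> $up"
        else
            echo "MISMATCH: dnsmasq -> $up, dnscrypt-proxy listens on: $listeners"
            rc=1
        fi
    done
    return $rc
}

check_chain "$(sample_dnsmasq)" "$(sample_toml)"
```

On a router, pass the contents of the real dnsmasq config and dnscrypt-proxy.toml instead of the samples; a mismatch means dnsmasq is forwarding to a port nothing is listening on, so lookups fail even though `pidof dnscrypt-proxy` still returns a PID.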
What is the need for the iptables settings? Push the DNS settings with DHCP.
 
dnscrypt-proxy has whitelist, blacklist, and forwarding features which I use.

Stops the common practice where people override their device network configuration with a different dns provider to that suggested by dhcp.

dhcp does not enforce the dns server it suggests.

It's not foolproof, but sufficient for countering my family's and friends' level of tech savviness.

 
How are the manual iptables rules different than using the DNS filter to force all DNS queries to the router in the GUI?
 
Should I be using DNSCrypt as a standard home user? I'm not using anything like OpenDNS so I don't know how to see if it's working or if I need it, heck I don't even know what it's supposed to do.
 
How are the manual iptables rules different than using the DNS filter to force all DNS queries to the router in the GUI?
The GUI approach would probably work just as well :)

Not sure how AiProtection DNS filter exactly goes about it though.


 
Should I be using DNSCrypt as a standard home user? I'm not using anything like OpenDNS so I don't know how to see if it's working or if I need it, heck I don't even know what it's supposed to do.
DNS queries are sent in plain text, allowing your ISP to see what sites you are visiting. DNSCrypt encrypts the queries. Optionally, you can also try Stubby.
 
So it makes it more secure? I saw something about a DNS resolver, can it make things load faster?
 
Encryption does have an overhead to it which may result in some performance impact in milliseconds. Check out dnsperf.com for DNS benchmarks. Cloudflare DNS is what the Stubby installer is using. If you want to experiment with it, Cloudflare recently launched an app you can install on iOS or Android. You can choose between DoT or DoH.
 
I admit, I haven't read a lot of this topic. Actually quite a bit, as you folks got way above my head rather quickly. :( I like to stand back and look for a bit and observe. I still feel as if I am slightly out of my comfort level here. But hey, gotta risk it for those rewards.

I am looking to pull the trigger and try the installer, however it states "overrides how the f/w manages dns". I get why, no issue there. My main concern is that I use the custom dns filter rules. Will this block or alter those in any way? I have a few devices that I use this for Diversion bypassing.

I am thinking about pulling one of my mesh nodes offline and just giving it a go. So no risk to the live network and the mrs wrath if I bork it up, severely. Worst case I default it and start over.

If I have misinterpreted something, please give me a pointer in the correct direction.
 
I guess you use the LAN/DNS-Filter option for some clients (for bypassing Diversion or parental control). Those will not be affected by DNSCrypt-proxy.
 
Hi, I installed DNScrypt via the AMTM product and it loaded and set up just fine.

I have two questions:
1. How do I know it's working? I do leak tests and I see it resolving all over?
2. I added the OPENDNS servers in place of my ISP servers, do I need OPENDNS?
Thanks
 
1. Tried the checks in first post?
2. I have WAN DNS set to automatic (ISP's DNS). DNSCrypt-proxy ignores GUI settings anyway if configured like that.
 
Thanks,
I didn't see the second command.
I ran
pidof dnscrypt-proxy
and it returned 116 so it seems to be working.
 
