
DNScrypt dnscrypt installer for asuswrt


I'm using DNSCrypt on a different router. Ever since 2.0.28, I eventually lose DNS when using cisco. I don't seem to have an issue with cloudflare. Has anyone tried cisco recently?
 
It's broken... perhaps the installer has issues

Major issues and bugs since upgrading to 31... servers detected and correctly configured, then all queries rejected whether anonymized or not. It began when I tried killing the dnscrypt "manager" pid to restart it, because I always get an error (failed to restart) running service restart. After this, dnscrypt would not function upon reboot.

I restored to jffs with dnscrypt 29 beta 3... this worked shortly, and successfully updated to 31, when the problem began yet again... I then followed the exact same procedure, restored 29 beta 3 again, however even that is broken now...

After reinstalling 31 it seems dnscrypt is not even getting any queries at all...

turning off "Connect to DNS Server automatically" I see the following dnsmasq.conf

Code:
/tmp/resolv.dnsmasq is empty,


pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=pptp*
no-dhcp-interface=pptp*
no-resolv
servers-file=/tmp/resolv.dnsmasq
no-poll
no-negcache
cache-size=1500
min-port=4096
domain=V
expand-hosts
bogus-priv
domain-needed
local=/V/
dhcp-range=lan,192.168.50.3,192.168.50.254,255.255.255.0,86400s
dhcp-option=lan,3,192.168.50.1
dhcp-option=lan,15,V
dhcp-option=lan,252,"\n"
dhcp-authoritative
stop-dns-rebind
address=/use-application-dns.net/
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
dhcp-script=/sbin/dhcpc_lease
script-arp
 
Reinstalling with delusions installer (and prior to, reinstalling diversion) resulted in queries sent to dnscrypt; however there was a *.* entry inserted into the blacklist I had to remove, which I had not personally entered myself, and all results are "rejected". OK, never mind, that was short lived....

Code:
 127.0.0.1    www.snbforums.com    A    REJECT    160ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    www.snbforums.com    A    REJECT    1ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    www.snbforums.com    A    REJECT    0ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    www.snbforums.com    A    REJECT    0ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    www.snbforums.com    A    REJECT    0ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    www.snbforums.com    A    REJECT    0ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    duckduckgo.com    A    REJECT    0ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    duckduckgo.com    A    REJECT    0ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    i.ytimg.com    A    REJECT    20ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    i.ytimg.com    A    REJECT    1ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    i.ytimg.com    A    REJECT    1ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    i.ytimg.com    A    REJECT    1ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    i.ytimg.com    A    REJECT    0ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    i.ytimg.com    A    REJECT    2ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    i.ytimg.com    A    REJECT    1ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    i.ytimg.com    A    REJECT    0ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    i.ytimg.com    A    REJECT    0ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    i.ytimg.com    A    REJECT    1ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    www.snbforums.com    A    PASS    143ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    push.services.mozilla.com    A    PASS    77ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    identity.bitwarden.com    A    PASS    40ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    notifications.bitwarden.com    A    PASS    42ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    yt3.ggpht.com    A    PASS    37ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    pico.eset.com    A    PASS    38ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    www.snbforums.com    A    PASS    97ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    duckduckgo.com    A    PASS    39ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    external-content.duckduckgo.com    A    PASS    41ms    quad9-dnscrypt-ip4-filter-alt
 
Update: it appears the *.* block may have been the sole issue all along; this was responsible for the "reject" in the previous message:

Dnscrypt Blocklist.log

Code:
[2019-11-01 07:36:59]    127.0.0.1    www.snbforums.com    *.*
[2019-11-01 07:36:59]    127.0.0.1    www.snbforums.com    *.*
[2019-11-01 07:37:01]    127.0.0.1    www.snbforums.com    *.*
[2019-11-01 07:37:01]    127.0.0.1    www.snbforums.com    *.*
[2019-11-01 07:37:02]    127.0.0.1    www.snbforums.com    *.*
[2019-11-01 07:37:02]    127.0.0.1    www.snbforums.com    *.*
[2019-11-01 07:37:25]    127.0.0.1    duckduckgo.com    *.*
[2019-11-01 07:37:25]    127.0.0.1    duckduckgo.com    *.*
[2019-11-01 07:38:10]    127.0.0.1    i.ytimg.com    *.*
[2019-11-01 07:38:10]    127.0.0.1    i.ytimg.com    *.*
[2019-11-01 07:38:10]    127.0.0.1    i.ytimg.com    *.*
[2019-11-01 07:38:10]    127.0.0.1    i.ytimg.com    *.*
[2019-11-01 07:38:10]    127.0.0.1    i.ytimg.com    *.*
[2019-11-01 07:38:10]    127.0.0.1    i.ytimg.com    *.*
[2019-11-01 07:38:10]    127.0.0.1    i.ytimg.com    *.*
[2019-11-01 07:38:10]    127.0.0.1    i.ytimg.com    *.*
[2019-11-01 07:38:10]    127.0.0.1    i.ytimg.com    *.*
[2019-11-01 07:38:10]    127.0.0.1    i.ytimg.com    *.*
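
A check for the situation described in the two posts above, where a single `*.*` blacklist entry rejected every query. This is an added example, not part of the original posts or of the installer; the "catch-all" test (a rule made only of `*` and `.`) is an assumption, and the sample files are constructed in the same layout as the log lines shown in the post.

```shell
#!/bin/sh
# Added example. Sample data is constructed, modelled on the log format in the post.

# Print "line:rule" for blacklist rules made only of '*' and '.' characters.
# Assumption: such a rule (for example *.*) matches practically every name.
find_catchall_rules() {
    awk '
        $1 == "" || $1 ~ /^#/ { next }    # skip blank lines and comments
        $1 ~ /^[*.]+$/ && index($1, "*") { printf "%d:%s\n", NR, $1 }
    ' "$1"
}

# Count blocked queries per matching rule, most frequent first.
# The rule is the last whitespace-separated field of each blocked-names log line.
blocked_by_rule() {
    awk 'NF >= 4 { n[$NF]++ } END { for (r in n) printf "%d %s\n", n[r], r }' "$1" |
        sort -rn
}

# Write constructed sample files into directory $1.
make_sample() {
    printf '%s\n' '# constructed blacklist' 'ads.example.com' '*.*' \
        '*.tracker.example' > "$1/blacklist.txt"
    printf '%s\n' \
        '[2019-11-01 07:36:59]    127.0.0.1    www.snbforums.com    *.*' \
        '[2019-11-01 07:37:25]    127.0.0.1    duckduckgo.com    *.*' \
        '[2019-11-01 07:38:10]    127.0.0.1    i.ytimg.com    *.*' \
        '[2019-11-01 07:39:02]    127.0.0.1    ads.example.com    ads.example.com' \
        > "$1/blocked.log"
}

# Demo on the constructed sample; point the two functions at your own
# blacklist and blocked-names log files instead.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
find_catchall_rules "$demo_dir/blacklist.txt"
blocked_by_rule "$demo_dir/blocked.log"
rm -rf "$demo_dir"
```

A rule that accounts for nearly every line of the blocked-names log while unrelated names are being rejected is the first thing to review, particularly if you did not add it yourself.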
 
Edit:
Version 2.0.32/2.0.33 released
Update/install thru amtm
Workaround for a bug in Cisco servers has been implemented in this version @Sizzlechest

Edit2:
A good/safe way is to do a backup of JFFS in the webui before updating, for easy rollback if something is not working with a newer version:
Administration - Restore/Save/Upload Setting: Backup JFFS partition: Save

Restore JFFS backup if needed and reboot router
 
Version 2.0.32 has been stable for more than 8 hours on my 87u. I read about and was aware of the OpenWrt (dnscrypt-proxy-linux_x86_64-2.0.32) issue
and suspected a new version would be out soon. (Been checking the router several times today for issues and would have reported any here.)
Don't think dnscrypt-proxy-linux_arm-2.0.32 had that issue.
But better to be safe and update ;) Thank you @DonnyJohnny
 
So to solve all the problems with installing dnscrypt with entware (or similar) then setting up various scripts to handle dnscrypt-proxy starting up including the ntp issue, I made my own installer for dnscrypt-proxy.

Requirements:
- ARM or MIPSEL based ASUS routers
- asuswrt-merlin firmwares or compatible
- jffs support and script enabled

Incompatibilities:
- No known issue

Current features:
- dnscrypt-proxy version 2 with DoH and DNSCrypt version 2 protocols, multiple resolvers, and other features
- Running as nobody through nonroot binary (using --user requires change to passwd)
- Support ARM and MIPSEL based routers
- Support OpenDNS dynamic IP update by entering your OpenDNS account information
- Handling ntp update at router boot up by starting dnscrypt-proxy with cert_ignore_timestamp option
- Redirect all DNS queries on your network to dnscrypt if user chooses to
- Install haveged/rngd for better speed with dnscrypt and other cryptographic applications
- Support various HW RNG such as TrueRNG (tested with v3), TrueRNGpro, OneRNG, EntropyKey
- Ability to setup a swap file
- Ability to setup timezone file (/etc/localtime) used by dnscrypt-proxy and other apps
- Ability to reconfigure dnscrypt-proxy without reinstalling unlike previous installer for dnscrypt-proxy version 1.x.x

Changelog:
https://github.com/thuantran/dnscrypt-asuswrt-installer/commits/master

Install/Update/Reconfig/Uninstall:
Run this command from an SSH shell and follow the prompts for dnscrypt-proxy version 2:
Code:
curl -L -s -k -O https://raw.githubusercontent.com/thuantran/dnscrypt-asuswrt-installer/master/installer && sh installer ; rm installer
Users can safely update from dnscrypt-proxy version 1 to version 2 with the above command.

If you want to use dnscrypt-proxy version 1, run this command:
Code:
curl -L -s -k -O https://raw.githubusercontent.com/thuantran/dnscrypt-asuswrt-installer/dnscrypt-proxy-v1/installer && sh installer dnscrypt-proxy-v1; rm installer

How to check if it works

If you use OpenDNS, run this command on Windows cmd
Code:
nslookup -type=txt debug.opendns.com
You should see something like
Code:
"dnscrypt enabled (717473654A614970)"
in result.
Otherwise running this command:
Code:
pidof dnscrypt-proxy
will return a number.

How to report issue:
I need following directory and files:
Code:
/jffs/dnscrypt
/jffs/scripts/dnsmasq.postconf
/jffs/scripts/firewall-start
/jffs/scripts/wan-start
One can use this command to create a tar archive of these files:
Code:
echo .config > exclude-files; tar -cvf dnscrypt.tar -X exclude-files /jffs/dnscrypt /jffs/scripts/dnsmasq.postconf /jffs/scripts/firewall-start /jffs/scripts/wan-start ; rm exclude-files
in current directory and send me the archive for debug.

I also need the following information:
- Which DNS server you selected during dnscrypt installation
- Which router you're using
- Firmware and its version

How I made this:
- Use dnscrypt-proxy binary packages from https://github.com/jedisct1/dnscrypt-proxy
- Compiling and stripping required binaries using firmware building toolchain from asuswrt-merlin
- Write the installer script, with parts inspired by entware-setup.sh from asuswrt-merlin
- You can look at everything here: https://github.com/thuantran/dnscrypt-asuswrt-installer
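
The install commands above use `curl -k`, which turns off TLS certificate verification, so the script handed to `sh` is not authenticated. The following is an added example, not part of the original post or of the installer project: it downloads with verification on, fails on HTTP errors instead of saving an error page, and runs the script only if it matches a SHA-256 digest you recorded after reading it. It assumes the device's curl has a usable CA bundle and that `sha256sum` is available; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: run a downloaded installer only after checking a pinned digest.

# Succeed only if file $1 has the SHA-256 digest $2.
verify_pinned() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || {
        echo "digest mismatch: got $actual" >&2
        return 1
    }
}

# Download URL $1 to file $2: HTTPS only, certificates verified (no -k),
# and --fail so an HTTP error body is never written as if it were the file.
fetch_installer() {
    curl --fail --location --silent --show-error --proto '=https' \
        --output "$2" "$1"
}

# Fetch, verify, then run; the script never runs if either step fails.
install_reviewed() {
    url=$1
    pinned=$2
    tmp=$(mktemp) || return 1
    fetch_installer "$url" "$tmp" && verify_pinned "$tmp" "$pinned" && sh "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage: sh this_script <installer-url> <sha256-recorded-after-review>
if [ "$#" -eq 2 ]; then
    install_reviewed "$1" "$2"
fi
```

A digest recorded against a moving branch such as `master` stops matching when the script is updated, which is the prompt to review the new version before pinning it again.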

I have just installed v1 but dnscrypt-resolvers.csv is containing only "404: Not Found"!
How to uninstall or solve this problem?
 
I have just installed v1 but dnscrypt-resolvers.csv is containing only "404: Not Found"!
How to uninstall or solve this problem?
This fix should work for DNSCrypt v1, or run the install line again and you should get the option to uninstall. If possible, use DNSCrypt v2 ;) (Recommend updating v2 thru amtm for the latest version)

Something like this for v1
 
And for uninstall the script, I can't find it anywhere...
Could you tell me, just in case I need it.
Found this:
Uninstall:
Just remove /jffs/dnscrypt directory and restart your router (For DNSCrypt ver 1)
Link
 
Found this:
Uninstall:
Just remove /jffs/dnscrypt directory and restart your router (For DNSCrypt ver 1)
Link

But there are some lines in at least one of these as far as I can see...
/jffs/scripts/dnsmasq.postconf
/jffs/scripts/firewall-start
/jffs/scripts/wan-start
 
Beta release 2.0.34-beta.1

  • Blacklisted names are now also blocked if they appear in CNAME pointers.
  • DNSCrypt-proxy can now act as a local DoH server. Firefox can be configured to use it, so that ESNI can be enabled without bypassing your DNS proxy.
Some extra info: Link

Recommend doing a backup of JFFS in the webui before updating, for easy rollback if something is not working with a newer version:
Administration - Restore/Save/Upload Setting: Backup JFFS partition: Save

Restore JFFS backup if needed and reboot router
 
Beta release 2.0.34-beta.1

  • Blacklisted names are now also blocked if they appear in CNAME pointers.
  • DNSCrypt-proxy can now act as a local DoH server. Firefox can be configured to use it, so that ESNI can be enabled without bypassing your DNS proxy.
Some extra info: Link

Recommend doing a backup of JFFS in the webui before updating, for easy rollback if something is not working with a newer version:
Administration - Restore/Save/Upload Setting: Backup JFFS partition: Save

Restore JFFS backup if needed and reboot router

I wonder whether DoH (Cloudflare) with ESNI is better, or anonymized DNSCrypt?

What do you all think?
 
A step in the right direction for DNSCrypt-proxy with ESNI support
Guess only Firefox is needed with 2.0.34-beta.1 and some extra settings
Link DNSCrypt wiki (Local DoH Server & Firefox settings)
Note that the actual resolvers don't have to be Cloudflare's, and don't have to use the DoH protocol either. ESNI is perfectly compatible with DNSCrypt and Anonymized DNSCrypt.

But also note that the ESNI specification is still a work in progress. What is currently implemented in Firefox is an early prototype. Enabling ESNI triggers an additional DNS lookup for every domain, even on websites that do not support it (aka, the vast majority). It may also break some websites.

I will use Anonymised DNSCrypt for now. (Don't use Firefox)
Would be nice with a Load-balancing strategy: 'p2' , 'ph', 'fastest' or 'random' for relays
For each server, a random relay from the set is chosen when the proxy starts, and the same relay will be used until the proxy is restarted. Relay randomization and failover will be implemented in future versions.
Added to init-start for randomization o_O (every friday @02.05) or set it as you like https://crontab.guru/
# DNSCrypt-proxy Restart
cru a DNSCryptRestart "5 2 * * 5 /jffs/dnscrypt/manager dnscrypt-start" #DNSCrypt_Restart#
CryptoStorm's relays and servers feel a bit unstable..
Some cryptostorm servers and relays have now been removed from resolvers.md & relays.md (non-responsive) Also charis/saumi servers/relays removed
 
Version 2.0.34 Released
Update/install thru amtm

DoH Server & Firefox ESNI wiki
Anonymized DNS wiki

Recommend doing a backup of JFFS in the webui before updating, for easy rollback if something is not working with a newer version:
Administration - Restore/Save/Upload Setting: Backup JFFS partition: Save

Restore JFFS backup if needed and reboot router
 