What's new

DNScrypt dnscrypt installer for asuswrt

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I'm using DNSCrypt on a different router. Ever since 2.0.28, I eventually lose DNS when using cisco. I don't seem to have an issue with cloudflare. Has anyone tried cisco recently?
 
Its broken... perhaps the installer has issues

major issues and bugs since upgrading to 31... severs detected and correctly configured, then all querys rejected whether anonamized or not. it began when i tried killing dnscrypt "manager" pid to restart it because i always get an error (failed to restart) running service restart. After this dnscrypt would not function up reboot.

I restored to jffs with dnscrypt 29 beta 3... this worked shortly, and successfully updated to 31, when the problem began yet again... i then followed the exact same procedure, restored 29 beta 3 again however even that is broken now...

after reinstalling 31 it seems dnscrypt is not even getting any queries at all...

turning off "Connect to DNS Server automatically" I see the following dnsmasq.conf

Code:
/tmp/resolv.dnsmasq is empty,


pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=pptp*
no-dhcp-interface=pptp*
no-resolv
servers-file=/tmp/resolv.dnsmasq
no-poll
no-negcache
cache-size=1500
min-port=4096
domain=V
expand-hosts
bogus-priv
domain-needed
local=/V/
dhcp-range=lan,192.168.50.3,192.168.50.254,255.255.255.0,86400s
dhcp-option=lan,3,192.168.50.1
dhcp-option=lan,15,V
dhcp-option=lan,252,"\n"
dhcp-authoritative
stop-dns-rebind
address=/use-application-dns.net/
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
dhcp-script=/sbin/dhcpc_lease
script-arp
 
Last edited:
reinstalling with delusions installer (and prior to, reinstalling diversion) resulted in queries sent to dnscrypt; however there was a *.* entry inserted into the blacklist I had to remove which I had not personally entered myself, and all results are "rejected", ok nevermind that was short lived....

Code:
 127.0.0.1    www.snbforums.com    A    REJECT    160ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    www.snbforums.com    A    REJECT    1ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    www.snbforums.com    A    REJECT    0ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    www.snbforums.com    A    REJECT    0ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    www.snbforums.com    A    REJECT    0ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    www.snbforums.com    A    REJECT    0ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    duckduckgo.com    A    REJECT    0ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    duckduckgo.com    A    REJECT    0ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    i.ytimg.com    A    REJECT    20ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    i.ytimg.com    A    REJECT    1ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    i.ytimg.com    A    REJECT    1ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    i.ytimg.com    A    REJECT    1ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    i.ytimg.com    A    REJECT    0ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    i.ytimg.com    A    REJECT    2ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    i.ytimg.com    A    REJECT    1ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    i.ytimg.com    A    REJECT    0ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    i.ytimg.com    A    REJECT    0ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    i.ytimg.com    A    REJECT    1ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    www.snbforums.com    A    PASS    143ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    push.services.mozilla.com    A    PASS    77ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    identity.bitwarden.com    A    PASS    40ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    notifications.bitwarden.com    A    PASS    42ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    yt3.ggpht.com    A    PASS    37ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    pico.eset.com    A    PASS    38ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    www.snbforums.com    A    PASS    97ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    duckduckgo.com    A    PASS    39ms    quad9-dnscrypt-ip4-filter-alt
127.0.0.1    external-content.duckduckgo.com    A    PASS    41ms    quad9-dnscrypt-ip4-filter-alt
 
update, it appears the *.* block may have been the soul issue all along; this was responsible for the "reject" in the previous message:

Dnscrypt Blocklist.log

Code:
[2019-11-01 07:36:59]    127.0.0.1    www.snbforums.com    *.*
[2019-11-01 07:36:59]    127.0.0.1    www.snbforums.com    *.*
[2019-11-01 07:37:01]    127.0.0.1    www.snbforums.com    *.*
[2019-11-01 07:37:01]    127.0.0.1    www.snbforums.com    *.*
[2019-11-01 07:37:02]    127.0.0.1    www.snbforums.com    *.*
[2019-11-01 07:37:02]    127.0.0.1    www.snbforums.com    *.*
[2019-11-01 07:37:25]    127.0.0.1    duckduckgo.com    *.*
[2019-11-01 07:37:25]    127.0.0.1    duckduckgo.com    *.*
[2019-11-01 07:38:10]    127.0.0.1    i.ytimg.com    *.*
[2019-11-01 07:38:10]    127.0.0.1    i.ytimg.com    *.*
[2019-11-01 07:38:10]    127.0.0.1    i.ytimg.com    *.*
[2019-11-01 07:38:10]    127.0.0.1    i.ytimg.com    *.*
[2019-11-01 07:38:10]    127.0.0.1    i.ytimg.com    *.*
[2019-11-01 07:38:10]    127.0.0.1    i.ytimg.com    *.*
[2019-11-01 07:38:10]    127.0.0.1    i.ytimg.com    *.*
[2019-11-01 07:38:10]    127.0.0.1    i.ytimg.com    *.*
[2019-11-01 07:38:10]    127.0.0.1    i.ytimg.com    *.*
[2019-11-01 07:38:10]    127.0.0.1    i.ytimg.com    *.*
 
Edit:
Version 2.0.32/2.0.33 released
Update/install thru amtm
Workaround for a bug in Cisco servers has been implemented in this version @Sizzlechest

Edit2:
A good/safe way is to do a backup of JFFS in webui before update, For easy rollback if something is not working with a newer version
Administration - Restore/Save/Upload Setting: Backup JFFS partition: Save

Restore JFFS backup if needed and reboot router
 
Last edited:
Version 2.0.32 has been stable for more then 8 hours on my 87u and read about and was aware of the Openwrt(dnscrypt-proxy-linux_x86_64-2.0.32) issue
and suspected a new version be out soon. (Been checking the router several times today for issues and would have reported if any here)
Dont think dnscrypt-proxy-linux_arm-2.0.32 had that issue
But better to be safe and update ;) Thank you @DonnyJohnny
 
Last edited:
So to solve all the problems with installing dnscrypt with entware (or similar) then setting up various scripts to handle dnscrypt-proxy starting up including the ntp issue, I made my own installer for dnscrypt-proxy.

Requirements:
- ARM or MIPSEL based ASUS routers
- asuswrt-merlin firmwares or compatible
- jffs support and script enabled

Incompatibilities:
- No known issue

Current features:
- dnscrypt-proxy version 2 with DoH and DNSCrypt version 2 protocols, multiple resolvers, and other features
- Running as nobody through nonroot binary (using --user requires change to passwd)
- Support ARM and MIPSEL based routers
- Support OpenDNS dynamic IP update by entering your OpenDNS account information
- Handling ntp update at router boot up by starting dnscrypt-proxy with cert_ignore_timestamp option
- Redirect all DNS queries on your network to dnscrypt if user chooses to
- Install haveged/rngd for better speed with dnscrypt and other cryptographic applications
- Support various HW RNG such as TrueRNG (tested with v3), TrueRNGpro, OneRNG, EntropyKey
- Ability to setup a swap file
- Ability to setup timezone file (/etc/localtime) used by dnscrypt-proxy and other apps
- Ability to reconfigure dnscrypt-proxy without reinstalling unlike previous installer for dnscrypt-proxy version 1.x.x

Changelog:
https://github.com/thuantran/dnscrypt-asuswrt-installer/commits/master

Install/Update/Reconfig/Uninstall:
Run this command from ssh shell and following the prompt for dnscrypt-proxy version 2:
Code:
curl -L -s -k -O https://raw.githubusercontent.com/thuantran/dnscrypt-asuswrt-installer/master/installer && sh installer ; rm installer
User can safely update from dnscrypt-proxy version 1 to version 2 with above command.

If you want to use dnscrypt-proxy version 1, run this command:
Code:
curl -L -s -k -O https://raw.githubusercontent.com/thuantran/dnscrypt-asuswrt-installer/dnscrypt-proxy-v1/installer && sh installer dnscrypt-proxy-v1; rm installer

How to check if it works

If you use OpenDNS, run this command on Windows cmd
Code:
nslookup -type=txt debug.opendns.com
You should see something like
Code:
"dnscrypt enabled (717473654A614970)"
in result.
Otherwise running this command:
Code:
pidof dnscrypt-proxy
will return a number.

How to report issue:
I need following directory and files:
Code:
/jffs/dnscrypt
/jffs/scripts/dnsmasq.postconf
/jffs/scripts/firewall-start
/jffs/scripts/wan-start
One can use this command to create a tar archive of these files:
Code:
echo .config > exclude-files; tar -cvf dnscrypt.tar -X exclude-files /jffs/dnscrypt /jffs/scripts/dnsmasq.postconf /jffs/scripts/firewall-start /jffs/scripts/wan-start ; rm exclude-files
in current directory and send me the archive for debug.

I also need follwoing information:
- Which dns server you selected during dnscrypt installtion
- Which router you're using
- Firmware and its version

How I made this:
- Use dnscrypt-proxy binary packages from https://github.com/jedisct1/dnscrypt-proxy
- Compiling and stripping required binaries using firmware building toolchain from asuswrt-merlin
- Write the installer script with stuffs inspired from entware-setup.sh from asuswrt-merlin
- You can look at all the stuffs here https://github.com/thuantran/dnscrypt-asuswrt-installer

I have just installed v1 but dnscrypt-resolvers.csv is containing only "404: Not Found"!
How to uninstall or solve this problem?
 
Last edited:
I have just installed v1 but dnscrypt-resolvers.csv is containing only "404: Not Found"!
How to uninstall or solve this problem?
This fix should work for DNSCrypt v1 or run install line again then you should get option to uninstall, If possible use DNSCrypt v2 ;) (Recommend update v2 thru amtm for latest version)

Something like this for v1
 
Last edited:
And for uninstall the script, I can't find it anywhere...
Could you tell me, just in case I need it.
Found this:
Uninstall:
Just remove /jffs/dnscrypt directory and restart your router (For DNSCrypt ver 1)
Link
 
Found this:
Uninstall:
Just remove /jffs/dnscrypt directory and restart your router (For DNSCrypt ver 1)
Link

But there are some lines in at least one of these as far as I can see...
/jffs/scripts/dnsmasq.postconf
/jffs/scripts/firewall-start
/jffs/scripts/wan-start
 
Beta release 2.0.34-beta.1

  • Blacklisted names are now also blocked if they appear in CNAME pointers.
  • DNSCrypt-proxy can now act as a local DoH server. Firefox can be configured to use it, so that ESNI can be enabled without bypassing your DNS proxy.
Some extra info: Link

Recommend doing a backup of JFFS in webui before update, For easy rollback if something is not working with a newer version
Administration - Restore/Save/Upload Setting: Backup JFFS partition: Save

Restore JFFS backup if needed and reboot router
 
Last edited:
Beta release 2.0.34-beta.1

  • Blacklisted names are now also blocked if they appear in CNAME pointers.
  • DNSCrypt-proxy can now act as a local DoH server. Firefox can be configured to use it, so that ESNI can be enabled without bypassing your DNS proxy.
Some extra info: Link

Recommend doing a backup of JFFS in webui before update, For easy rollback if something is not working with a newer version
Administration - Restore/Save/Upload Setting: Backup JFFS partition: Save

Restore JFFS backup if needed and reboot router

Wonder doh(cloudflare) with esni better or anonymised DNScrypt better?

What u all think?
 
A step in the right direction for DNSCrypt-proxy with ESNI support
Guess only Firefox is needed with 2.0.34-beta.1 and some extra settings
Link DNSCrypt wiki (Local DoH Server & Firefox settings)
Note that the actual resolvers don't have to be Cloudflare's, and don't have to use the DoH protocol either. ESNI is perfectly compatible with DNSCrypt and Anonymized DNSCrypt.

But also note that the ESNI specification is still a work in progress. What is currently implemented in Firefox is an early prototype. Enabling ESNI triggers an additional DNS lookup for every domain, even on websites that do not support it (aka, the vast majority). It may also break some websites.

I will use Anonymised DNSCrypt for now.(Dont use Firefox)
Would be nice with a Load-balancing strategy: 'p2' , 'ph', 'fastest' or 'random' for relays
For each server, a random relay from the set is chosen when the proxy starts, and the same relay will be used until the proxy is restarted. Relay randomization and failover will be implemented in future versions.
Added to init-start for randomization o_O (every friday @02.05) or set it as you like https://crontab.guru/
# DNSCrypt-proxy Restart
cru a DNSCryptRestart "5 2 * * 5 /jffs/dnscrypt/manager dnscrypt-start" #DNSCrypt_Restart#
CryptoStorms relays and servers feels a bit unstable..
Some cryptostorm servers and relays have now been removed from resolvers.md & relays.md (non-responsive) Also charis/saumi servers/relays removed
 
Last edited:
Version 2.0.34 Released
Update/install thru amtm

DoH Server & Firefox ESNI wiki
Anonymized DNS wiki

Recommend doing a backup of JFFS in webui before update, For easy rollback if something is not working with a newer version
Administration - Restore/Save/Upload Setting: Backup JFFS partition: Save

Restore JFFS backup if needed and reboot router
 
Last edited:

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Top