DNScrypt dnscrypt installer for asuswrt

that is what leads me to believe it is because of changes to this line from using double quotes to single quotes, because if you use any of these servers it makes a difference.


Code:
broken_query_padding = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'quad9-dnscrypt-ip4-filter-alt', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-nofilter-alt', 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-filter-alt', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-dnscrypt-ip6-nofilter-alt', 'quad9-dnscrypt-ip6-nofilter-pri']
Yea ok
Also suspected that, that's why I asked in a previous post what servers and how it was configured.
I am pretty sure that is the issue. He can test it by simply changing the lines to match the new versions. That is the problem with the whole .toml setup: any advanced changes done by the upstream to the file that do not incorporate support for their old legacy .toml setups cause this type of hiccup. Unfortunately, all we can do is recommend users rerun reconfigure in this type of case, or review the changes, because doing so replaces the bad .toml file or fixes any conflicts automatically.
Updated the post about the new release

As promised, here is my dnscrypt-proxy.toml.err file; hopefully it provides more insight into what you were looking for.
I removed some commented-out pseudocode in order to display it here.

Code:
##############################################
#                                            #
#        dnscrypt-proxy configuration        #
#                                            #
##############################################

##################################
#         Global settings        #
##################################

cert_ignore_timestamp = true

server_names = ['cloudflare']


listen_addresses = ['127.0.1.1:53']


## Maximum number of simultaneous client connections to accept

max_clients = 25000

user_name = 'nobody'


## Require servers (from static + remote sources) to satisfy specific properties

# Use servers reachable over IPv4
ipv4_servers = true

# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
ipv6_servers = false

# Use servers implementing the DNSCrypt protocol
dnscrypt_servers = true

# Use servers implementing the DNS-over-HTTPS protocol
doh_servers = true


## Require servers defined by remote sources to satisfy specific properties

# Server must support DNS security extensions (DNSSEC)
require_dnssec = false

# Server must not log user queries (declarative)
require_nolog = false

# Server must not enforce its own blacklist (for parental control, ads blocking...)
require_nofilter = false

# Server names to avoid even if they match all criteria
disabled_server_names = []


force_tcp = false


## SOCKS proxy

# proxy = 'socks5://127.0.0.1:9050'


## HTTP/HTTPS proxy
## Only for DoH servers

# http_proxy = 'http://127.0.0.1:8888'


timeout = 5000


## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds

keepalive = 120


# blocked_query_response = 'refused'


## Load-balancing strategy: 'p2' (default), 'ph', 'first' or 'random'

lb_strategy = 'p2'

# lb_estimator = true


## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)

log_level = 2


## log file for the application

# log_file = 'dnscrypt-proxy.log'


## Use the system logger (syslog on Unix, Event Log on Windows)

# use_syslog = true


## Delay, in minutes, after which certificates are reloaded

cert_refresh_delay = 240


# dnscrypt_ephemeral_keys = false


## DoH: Disable TLS session tickets - increases privacy but also latency

# tls_disable_session_tickets = false



# tls_cipher_suite = [52392, 49199]


## Fallback resolvers


fallback_resolvers = ['9.9.9.9:53', '8.8.8.8:53']


## Always use the fallback resolver before the system DNS settings.

ignore_system_dns = true


## Maximum time (in seconds) to wait for network connectivity before
## initializing the proxy.

netprobe_timeout = 120

netprobe_address = '9.9.9.9:53'

# offline_mode = false


# query_meta = ["key1:value1", "key2:value2", "token:MySecretToken"]


## Automatic log files rotation

# Maximum log files size in MB - Set to 0 for unlimited.
log_files_max_size = 10

# How long to keep backup files, in days
log_files_max_age = 7

# Maximum log files backups to keep (or 0 to keep all backups)
log_files_max_backups = 1



#########################
#        Filters        #
#########################


block_ipv6 = false

block_unqualified = true

block_undelegated = true

reject_ttl = 600

##################################################################################
#        Route queries for specific domains to a dedicated set of servers        #
##################################################################################

## See the `example-forwarding-rules.txt` file for an example

# forwarding_rules = 'forwarding-rules.txt'



###############################
#        Cloaking rules       #
###############################

# cloaking_rules = 'cloaking-rules.txt'

## TTL used when serving entries in cloaking-rules.txt

# cloak_ttl = 600


###########################
#        DNS cache        #
###########################

## Enable a DNS cache to reduce latency and outgoing traffic

cache = false


## Cache size

cache_size = 4096


## Minimum TTL for cached entries

cache_min_ttl = 2400


## Maximum TTL for cached entries

cache_max_ttl = 86400


## Minimum TTL for negatively cached entries

cache_neg_min_ttl = 60


## Maximum TTL for negatively cached entries

cache_neg_max_ttl = 600



##################################
#        Local DoH server        #
##################################

[local_doh]

## Addresses that the local DoH server should listen to

# listen_addresses = ['127.0.0.1:3000']

# path = "/dns-query"

# cert_file = "localhost.pem"
# cert_key_file = "localhost.pem"



###############################
#        Query logging        #
###############################

## Log client queries to a file

[query_log]


  # file = 'query.log'


  ## Query log format (currently supported: tsv and ltsv)

  format = 'tsv'


  ## Do not log these query types, to reduce verbosity. Keep empty to log everything.

  # ignored_qtypes = ['DNSKEY', 'NS']



############################################
#        Suspicious queries logging        #
############################################

[nx_log]

  ## Path to the query log file (absolute, or relative to the same directory as the config file)

  # file = 'nx.log'


  ## Query log format (currently supported: tsv and ltsv)

  format = 'tsv'



######################################################
#        Pattern-based blocking (blacklists)        #
######################################################



[blacklist]

  ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)

  # blacklist_file = 'blacklist.txt'


  ## Optional path to a file logging blocked queries

  # log_file = 'blocked.log'


  ## Optional log format: tsv or ltsv (default: tsv)

  # log_format = 'tsv'



###########################################################
#        Pattern-based IP blocking (IP blacklists)        #
###########################################################


[ip_blacklist]

  ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)

  # blacklist_file = 'ip-blacklist.txt'


  ## Optional path to a file logging blocked queries

  # log_file = 'ip-blocked.log'


  ## Optional log format: tsv or ltsv (default: tsv)

  # log_format = 'tsv'



######################################################
#   Pattern-based whitelisting (blacklists bypass)   #
######################################################


[whitelist]

  ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the config file)

  # whitelist_file = 'whitelist.txt'


  ## Optional path to a file logging whitelisted queries

  # log_file = 'whitelisted.log'


  ## Optional log format: tsv or ltsv (default: tsv)

  # log_format = 'tsv'



##########################################
#        Time access restrictions        #
##########################################


[schedules]

  # [schedules.'time-to-sleep']
  # mon = [{after='21:00', before='7:00'}]
  # tue = [{after='21:00', before='7:00'}]
  # wed = [{after='21:00', before='7:00'}]
  # thu = [{after='21:00', before='7:00'}]
  # fri = [{after='23:00', before='7:00'}]
  # sat = [{after='23:00', before='7:00'}]
  # sun = [{after='21:00', before='7:00'}]

  # [schedules.'work']
  # mon = [{after='9:00', before='18:00'}]
  # tue = [{after='9:00', before='18:00'}]
  # wed = [{after='9:00', before='18:00'}]
  # thu = [{after='9:00', before='18:00'}]
  # fri = [{after='9:00', before='17:00'}]



#########################
#        Servers        #
#########################


[sources]

  ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers

  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = '[redacted]' // By user
  prefix = ''

  ## Anonymized DNS relays

  [sources.'relays']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/relays.md', 'https://download.dnscrypt.info/resolvers-list/v2/relays.md']
  cache_file = 'relays.md'
  minisign_key = '[redacted]' // By user
  refresh_delay = 72
  prefix = ''

  ## Quad9 over DNSCrypt - https://quad9.net/

#########################################
#        Servers with known bugs        #
#########################################

[broken_implementations]


broken_query_padding = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'quad9-dnscrypt-ip4-filter-alt', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-nofilter-alt', 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-filter-alt', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-dnscrypt-ip6-nofilter-alt', 'quad9-dnscrypt-ip6-nofilter-pri']



################################
#   TLS Client Authentication  #
################################

[tls_client_auth]

# creds = [
#    { server_name='myserver', client_cert='client.crt', client_key='client.key' },
# ]



################################
#        Anonymized DNS        #
################################

[anonymized_dns]


#    { server_name='example-server-1', via=['anon-example-1', 'anon-example-2'] },
#    { server_name='example-server-2', via=['sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM'] }
# ]


[static]

  # [static.'myserver']
  # stamp = 'sdns:[redacted]' // By user
Try starting with a new config. As your .toml is not heavily customized, it should be easy for you to just tell it to use Cloudflare again from the installer. They have added/modified several sections that are missing in your current .toml file.

##EDIT###
I read the forum back some and noticed you already attempted to try with a new config file. The only thing I could recommend is attempting to screenshot what the terminal says when you attempt to update and get the .toml file issue, as the terminal usually displays a lot more than logs do.
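As an added example (not the installer's or dnscrypt-proxy's own code) of the drift check the two posts above talk about: it flattens a legacy dnscrypt-proxy.toml and a newer upstream example into dotted keys and reports which keys the user file is missing or still carries, lists which configured servers are covered by broken_query_padding, and checks how the TOML parser treats single versus double quoting. Both config excerpts are constructed stand-ins, the key names used as "new upstream" keys are illustrative, and it assumes Python 3.11+ for tomllib.

```python
"""Config-drift check for a dnscrypt-proxy.toml (added example, not part of the
asuswrt installer or of dnscrypt-proxy). Assumes Python 3.11+ for tomllib."""
try:
    import tomllib
except ImportError:  # assumption: older interpreter with the tomli backport
    import tomli as tomllib

# Constructed excerpt of a legacy user file (shape follows the thread's .toml.err)
USER_TOML = """
server_names = ['cloudflare', 'cisco']
listen_addresses = ['127.0.1.1:53']
fallback_resolvers = ['9.9.9.9:53', '8.8.8.8:53']
ignore_system_dns = true

[sources]
  [sources.'public-resolvers']
  urls = ['https://example.invalid/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'PLACEHOLDER-MINISIGN-KEY'
  prefix = ''

[broken_implementations]
broken_query_padding = ["cisco", "cisco-ipv6", "cisco-familyshield"]
"""

# Constructed stand-in for a newer upstream example file: one key renamed,
# one key and one section added. Key names are illustrative, not a release diff.
EXAMPLE_TOML = """
server_names = ['cloudflare']
listen_addresses = ['127.0.0.1:53']
bootstrap_resolvers = ['9.9.9.9:53']
ignore_system_dns = true

[sources]
  [sources.'public-resolvers']
  urls = ['https://example.invalid/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'PLACEHOLDER-MINISIGN-KEY'
  prefix = ''
  refresh_delay = 72

[broken_implementations]
broken_query_padding = ['cisco', 'cisco-ipv6', 'cisco-familyshield']

[anonymized_dns]
skip_incompatible = false
"""


def flatten(table, prefix=""):
    """Turn nested TOML tables into a flat {'sources.public-resolvers.urls': [...]} map."""
    flat = {}
    for key, value in table.items():
        path = prefix + key
        if isinstance(value, dict):
            flat.update(flatten(value, path + "."))
        else:
            flat[path] = value
    return flat


def config_drift(user_text, example_text):
    """Return (missing, stale): dotted keys the user file lacks compared with the
    example, and keys it still carries that the example no longer defines
    (typically renamed upstream)."""
    user = flatten(tomllib.loads(user_text))
    example = flatten(tomllib.loads(example_text))
    missing = sorted(set(example) - set(user))
    stale = sorted(set(user) - set(example))
    return missing, stale


def padded_servers(user_text):
    """Names in server_names that the same file lists under broken_query_padding,
    i.e. the servers for which that list actually changes behaviour."""
    cfg = tomllib.loads(user_text)
    padded = set(cfg.get("broken_implementations", {}).get("broken_query_padding", []))
    return sorted(name for name in cfg.get("server_names", []) if name in padded)


def quoting_is_equivalent(single_quoted, double_quoted):
    """TOML literal ('...') and basic ("...") strings parse to the same value when
    the content contains no escape sequences, so both spellings load identically."""
    return tomllib.loads(single_quoted) == tomllib.loads(double_quoted)


if __name__ == "__main__":
    missing, stale = config_drift(USER_TOML, EXAMPLE_TOML)
    print("keys missing from user file:", missing)
    print("stale keys still in user file:", stale)
    print("configured servers covered by broken_query_padding:", padded_servers(USER_TOML))
    print("quoting styles parse the same:",
          quoting_is_equivalent("a = ['cisco']", 'a = ["cisco"]'))
```

Run it against the real files by replacing the two constructed strings with the contents of your dnscrypt-proxy.toml and the shipped example-dnscrypt-proxy.toml.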

Appreciate it. For now, I reverted back to 2.0.39 and will look into the logs tomorrow hopefully.
 
From my syslog, from the first try to install 2.0.40.
Tried to install 2.0.40
Mar 21 13:28:59 izzt: Start dnscrypt-proxy
Mar 21 13:29:24 izzt: Warning: dnscrypt-proxy is dead
Mar 21 13:29:24 izzt: Start dnscrypt-proxy
Mar 21 13:29:26 httpd: Restoring JFFS backup...
Mar 21 13:29:32 httpd: JFFS restore completed

Mar 21 13:30:04 dnscrypt-proxy[248]: dnscrypt-proxy 2.0.39
Mar 21 13:30:04 dnscrypt-proxy[248]: Network not available yet -- waiting...
Mar 21 13:30:04 WAN_Connection: ISP's DHCP did not function properly.
Mar 21 13:30:07 dnscrypt-proxy[248]: Network connectivity detected
Mar 21 13:30:07 dnscrypt-proxy[248]: System DNS configuration not usable yet, exceptionally resolving [raw.githubusercontent.com] using fallback resolvers over tcp
Mar 21 13:30:07 dnscrypt-proxy[248]: Fallback resolvers didn't respond - Trying with the system resolver as a last resort
Mar 21 13:30:07 dnscrypt-proxy[248]: Unable to resolve [raw.githubusercontent.com] - Make sure that the system resolver works, or that `fallback_resolver` has been set to a resolver that can be reached
Mar 21 13:30:07 dnscrypt-proxy[248]: System DNS configuration not usable yet, exceptionally resolving [download.dnscrypt.info] using fallback resolvers over tcp
Mar 21 13:30:07 dnscrypt-proxy[248]: Fallback resolvers didn't respond - Trying with the system resolver as a last resort
Mar 21 13:30:07 dnscrypt-proxy[248]: Unable to resolve [download.dnscrypt.info] - Make sure that the system resolver works, or that `fallback_resolver` has been set to a resolver that can be reached
Mar 21 13:30:07 dnscrypt-proxy[248]: Unable to retrieve source [public-resolvers]: [lookup download.dnscrypt.info on [::1]:53: dial udp [::1]:53: connect: network is unreachable]
Mar 21 13:30:07 dnscrypt-proxy[248]: lookup download.dnscrypt.info on [::1]:53: dial udp [::1]:53: connect: network is unreachable
Mar 21 13:32:31 ntpd: Initial clock set
Mar 21 13:32:32 izzt: Warning: dnscrypt-proxy is dead
Mar 21 13:32:33 izzt: Start dnscrypt-proxy
Mar 21 13:32:35 dnscrypt-proxy[1219]: dnscrypt-proxy 2.0.39
Mar 21 13:32:35 dnscrypt-proxy[1219]: Network connectivity detected
Mar 21 13:32:37 dnscrypt-proxy[1219]: Source [public-resolvers] loaded
Mar 21 13:32:37 dnscrypt-proxy[1219]: Source [relays] loaded
Mar 21 13:32:37 dnscrypt-proxy[1219]: Anonymized DNS: routing [dnscrypt.eu-dk] via [anon-cs-se anon-cs-fi]
Mar 21 13:32:37 dnscrypt-proxy[1219]: Anonymized DNS: routing [sth-dnscrypt-se] via [anon-cs-fi anon-cs-se]
Mar 21 13:32:37 dnscrypt-proxy[1219]: Firefox workaround initialized
Mar 21 13:32:37 dnscrypt-proxy[1219]: Now listening to 127.0.1.1:53 [UDP]
Mar 21 13:32:37 dnscrypt-proxy[1219]: Now listening to 127.0.1.1:53 [TCP]
Mar 21 13:32:37 dnscrypt-proxy[1219]: [dnscrypt.eu-dk] OK (DNSCrypt) - rtt: 29ms
Mar 21 13:32:37 dnscrypt-proxy[1219]: [sth-dnscrypt-se] OK (DNSCrypt) - rtt: 25ms
Mar 21 13:32:37 dnscrypt-proxy[1219]: [ovpn2] OK (DNSCrypt) - rtt: 17ms
Mar 21 13:32:47 dnscrypt-proxy[1219]: [ovpn1] OK (DNSCrypt) - rtt: 23ms
Mar 21 13:32:47 dnscrypt-proxy[1219]: Sorted latencies:
Mar 21 13:32:47 dnscrypt-proxy[1219]: - 17ms ovpn2
Mar 21 13:32:47 dnscrypt-proxy[1219]: - 23ms ovpn1
Mar 21 13:32:47 dnscrypt-proxy[1219]: - 25ms sth-dnscrypt-se
Mar 21 13:32:47 dnscrypt-proxy[1219]: - 29ms dnscrypt.eu-dk
Mar 21 13:32:47 dnscrypt-proxy[1219]: Server with the lowest initial latency: ovpn2 (rtt: 17ms)
Mar 21 13:32:47 dnscrypt-proxy[1219]: dnscrypt-proxy is ready - live servers: 4
Reinstalled 2.0.40
Mar 21 18:15:46 izzt: Start dnscrypt-proxy
Mar 21 18:15:46 dnscrypt-proxy[6558]: dnscrypt-proxy 2.0.40
Mar 21 18:15:46 dnscrypt-proxy[6558]: Network connectivity detected
Mar 21 18:15:46 dnscrypt-proxy[6558]: Source [relays] loaded
Mar 21 18:15:46 dnscrypt-proxy[6558]: Source [public-resolvers] loaded
Mar 21 18:15:46 dnscrypt-proxy[6558]: Firefox workaround initialized
Mar 21 18:15:46 dnscrypt-proxy[6558]: Now listening to 127.0.1.1:53 [UDP]
Mar 21 18:15:46 dnscrypt-proxy[6558]: Now listening to 127.0.1.1:53 [TCP]
Mar 21 18:15:46 dnscrypt-proxy[6558]: [ovpn1] OK (DNSCrypt) - rtt: 11ms
Mar 21 18:15:46 dnscrypt-proxy[6558]: [ovpn2] OK (DNSCrypt) - rtt: 17ms
Mar 21 18:15:46 dnscrypt-proxy[6558]: Sorted latencies:
Mar 21 18:15:46 dnscrypt-proxy[6558]: - 11ms ovpn1
Mar 21 18:15:46 dnscrypt-proxy[6558]: - 17ms ovpn2
Mar 21 18:15:46 dnscrypt-proxy[6558]: Server with the lowest initial latency: ovpn1 (rtt: 11ms)
Mar 21 18:15:46 dnscrypt-proxy[6558]: dnscrypt-proxy is ready - live servers: 2
Reconfigured from default toml
Mar 21 18:19:56 dnscrypt-proxy[6558]: Stopped.
Mar 21 18:19:56 izzt: Start dnscrypt-proxy
Mar 21 18:19:57 dnscrypt-proxy[9106]: dnscrypt-proxy 2.0.40
Mar 21 18:19:57 dnscrypt-proxy[9106]: Network connectivity detected
Mar 21 18:19:57 dnscrypt-proxy[9106]: Source [public-resolvers] loaded
Mar 21 18:19:57 dnscrypt-proxy[9106]: Source [relays] loaded
Mar 21 18:19:57 dnscrypt-proxy[9106]: Firefox workaround initialized
Mar 21 18:19:57 dnscrypt-proxy[9106]: Now listening to 127.0.1.1:53 [UDP]
Mar 21 18:19:57 dnscrypt-proxy[9106]: Now listening to 127.0.1.1:53 [TCP]
Mar 21 18:19:57 dnscrypt-proxy[9106]: [cs-swe] OK (DNSCrypt) - rtt: 19ms
Mar 21 18:19:57 dnscrypt-proxy[9106]: [sth-dnscrypt-se] OK (DNSCrypt) - rtt: 11ms
Mar 21 18:19:57 dnscrypt-proxy[9106]: [dnscrypt.eu-dk] OK (DNSCrypt) - rtt: 20ms
Mar 21 18:19:57 dnscrypt-proxy[9106]: Sorted latencies:
Mar 21 18:19:57 dnscrypt-proxy[9106]: - 11ms sth-dnscrypt-se
Mar 21 18:19:57 dnscrypt-proxy[9106]: - 19ms cs-swe
Mar 21 18:19:57 dnscrypt-proxy[9106]: - 20ms dnscrypt.eu-dk
Mar 21 18:19:57 dnscrypt-proxy[9106]: Server with the lowest initial latency: sth-dnscrypt-se (rtt: 11ms)
Mar 21 18:19:57 dnscrypt-proxy[9106]: dnscrypt-proxy is ready - live servers: 3
Changed dnscrypt_ephemeral_keys = true and restarted the proxy
Mar 21 18:21:19 dnscrypt-proxy[9106]: Stopped.
Mar 21 18:21:19 izzt: Start dnscrypt-proxy
Mar 21 18:21:19 dnscrypt-proxy[9734]: dnscrypt-proxy 2.0.40
Mar 21 18:21:19 dnscrypt-proxy[9734]: Network connectivity detected
Mar 21 18:21:19 dnscrypt-proxy[9734]: Source [relays] loaded
Mar 21 18:21:19 dnscrypt-proxy[9734]: Source [public-resolvers] loaded
Mar 21 18:21:19 dnscrypt-proxy[9734]: Firefox workaround initialized
Mar 21 18:21:19 dnscrypt-proxy[9734]: Now listening to 127.0.1.1:53 [UDP]
Mar 21 18:21:19 dnscrypt-proxy[9734]: Now listening to 127.0.1.1:53 [TCP]
Mar 21 18:21:19 dnscrypt-proxy[9734]: [cs-swe] OK (DNSCrypt) - rtt: 19ms
Mar 21 18:21:19 dnscrypt-proxy[9734]: [sth-dnscrypt-se] OK (DNSCrypt) - rtt: 12ms
Mar 21 18:21:19 dnscrypt-proxy[9734]: [dnscrypt.eu-dk] OK (DNSCrypt) - rtt: 22ms
Mar 21 18:21:19 dnscrypt-proxy[9734]: Sorted latencies:
Mar 21 18:21:19 dnscrypt-proxy[9734]: - 12ms sth-dnscrypt-se
Mar 21 18:21:19 dnscrypt-proxy[9734]: - 19ms cs-swe
Mar 21 18:21:19 dnscrypt-proxy[9734]: - 22ms dnscrypt.eu-dk
Mar 21 18:21:19 dnscrypt-proxy[9734]: Server with the lowest initial latency: sth-dnscrypt-se (rtt: 12ms)
Mar 21 18:21:19 dnscrypt-proxy[9734]: dnscrypt-proxy is ready - live servers: 3

Mar 22 06:27:46 izzt: Randomization: Health Check.
Mar 22 06:27:46 izzt: Start dnscrypt-proxy
Mar 22 06:27:46 dnscrypt-proxy[9734]: Stopped.
Mar 22 06:27:46 dnscrypt-proxy[21971]: dnscrypt-proxy 2.0.40
Mar 22 06:27:46 dnscrypt-proxy[21971]: Network connectivity detected
Mar 22 06:27:46 dnscrypt-proxy[21971]: Source [relays] loaded
Mar 22 06:27:46 dnscrypt-proxy[21971]: Source [public-resolvers] loaded
Mar 22 06:27:46 dnscrypt-proxy[21971]: Firefox workaround initialized
Mar 22 06:27:46 dnscrypt-proxy[21971]: Now listening to 127.0.1.1:53 [UDP]
Mar 22 06:27:46 dnscrypt-proxy[21971]: Now listening to 127.0.1.1:53 [TCP]
Mar 22 06:27:46 dnscrypt-proxy[21971]: [cs-swe] OK (DNSCrypt) - rtt: 19ms
Mar 22 06:27:46 dnscrypt-proxy[21971]: [dnscrypt.eu-dk] OK (DNSCrypt) - rtt: 21ms
Mar 22 06:27:46 dnscrypt-proxy[21971]: [sth-dnscrypt-se] OK (DNSCrypt) - rtt: 13ms
Mar 22 06:27:46 dnscrypt-proxy[21971]: Sorted latencies:
Mar 22 06:27:46 dnscrypt-proxy[21971]: - 13ms sth-dnscrypt-se
Mar 22 06:27:46 dnscrypt-proxy[21971]: - 19ms cs-swe
Mar 22 06:27:46 dnscrypt-proxy[21971]: - 21ms dnscrypt.eu-dk
Mar 22 06:27:46 dnscrypt-proxy[21971]: Server with the lowest initial latency: sth-dnscrypt-se (rtt: 13ms)
Mar 22 06:27:46 dnscrypt-proxy[21971]: dnscrypt-proxy is ready - live servers: 3
Worked fine for 17 hours now.
https://www.reddit.com/user/jedisct1/comments/
Now did a complete reinstall of DNSCrypt-proxy
=> Please enter the number that designates your selection:, [1-9/q]: 9
Info: This operation will cleanup everything installed by this script (except swap)

=> Do you want to continue? [y/n]: y

Rebooting router

This installs dnscrypt installer
on your router.

Authors: bigeyes0x0, SomeWhereOverTheRainBow
https://www.snbforums.com/threads/release-dnscrypt-installer-for-asuswrt.36071/
_____________________________________________

Continue? [1=Yes e=Exit] 1

Info: Detected ARMv7 architecture.
Info: DNS Environment is Ready.
Info: JFFS custom scripts and configs are already enabled
Info: Choose what you want to do:
1) Install/Update dnscrypt-proxy
2) Uninstall dnscrypt-proxy
3) Configure dnscrypt-proxy
4) Set timezone
5) Unset timezone
6) Install (P)RNG
7) Uninstall (P)RNG
8) Install swap file
9) Uninstall ALL
q) Quit
=> Please enter the number that designates your selection:, [1-9/q]: 1
Info: This operation will install dnscrypt-proxy and related files (<6MB)
Info: to jffs, no other data will be changed.
Info: Also some start scripts will be installed/modified as required.

=> Do you want to install dnscrypt-proxy to /jffs? [y/n]: y
Info: installer is up to date. Skipping...
Info: Downloading manager
Info: Downloading dnscrypt-proxy-linux_arm-2.0.40.tar.gz
linux-arm/
linux-arm/dnscrypt-proxy
linux-arm/LICENSE
linux-arm/example-cloaking-rules.txt
linux-arm/example-dnscrypt-proxy.toml
linux-arm/example-blacklist.txt
linux-arm/example-whitelist.txt
linux-arm/localhost.pem
linux-arm/example-ip-blacklist.txt
linux-arm/example-forwarding-rules.txt
Info: Downloading public-resolvers.md
Info: Downloading public-resolvers.md.minisig
Info: Downloading relays.md
Info: Downloading relays.md.minisig
Info: Configure dnsmasq.postconf file
Info: Configure init-start file
Info: Configuring dnscrypt-proxy...
=> Do you want to redirect all DNS resolutions on your network through this proxy? [y/n]: y
...
Info: Checking dnscrypt-proxy configuration...
[2020-03-22 11:19:12] [NOTICE] dnscrypt-proxy 2.0.40
[2020-03-22 11:19:12] [NOTICE] Network connectivity detected
[2020-03-22 11:19:12] [NOTICE] Source [relays] loaded
[2020-03-22 11:19:12] [NOTICE] Source [public-resolvers] loaded
[2020-03-22 11:19:12] [NOTICE] Configuration successfully checked
Info: Starting dnscrypt-proxy...
From Syslog
Mar 22 12:19:13 izzt: Start dnscrypt-proxy
Mar 22 11:19:13 dnscrypt-proxy[5784]: dnscrypt-proxy 2.0.40
Mar 22 11:19:13 dnscrypt-proxy[5784]: Network connectivity detected
Mar 22 11:19:13 dnscrypt-proxy[5784]: Source [public-resolvers] loaded
Mar 22 11:19:13 dnscrypt-proxy[5784]: Source [relays] loaded
Mar 22 11:19:13 dnscrypt-proxy[5784]: Firefox workaround initialized
Mar 22 11:19:13 dnscrypt-proxy[5784]: Dropping privileges
Mar 22 11:19:13 dnscrypt-proxy[5784]: dnscrypt-proxy 2.0.40
Mar 22 11:19:13 dnscrypt-proxy[5784]: Network connectivity detected
Mar 22 11:19:13 dnscrypt-proxy[5784]: Source [public-resolvers] loaded
Mar 22 11:19:13 dnscrypt-proxy[5784]: Source [relays] loaded
Mar 22 11:19:13 dnscrypt-proxy[5784]: Firefox workaround initialized
Mar 22 11:19:13 dnscrypt-proxy[5784]: Now listening to 127.0.1.1:53 [UDP]
Mar 22 11:19:13 dnscrypt-proxy[5784]: Now listening to 127.0.1.1:53 [TCP]
Mar 22 11:19:13 dnscrypt-proxy[5784]: [cs-swe] OK (DNSCrypt) - rtt: 19ms
Mar 22 11:19:13 dnscrypt-proxy[5784]: [dnscrypt.eu-dk] OK (DNSCrypt) - rtt: 21ms
Mar 22 11:19:13 dnscrypt-proxy[5784]: Sorted latencies:
Mar 22 11:19:13 dnscrypt-proxy[5784]: - 19ms cs-swe
Mar 22 11:19:13 dnscrypt-proxy[5784]: - 21ms dnscrypt.eu-dk
Mar 22 11:19:13 dnscrypt-proxy[5784]: Server with the lowest initial latency: cs-swe (rtt: 19ms)
Mar 22 11:19:13 dnscrypt-proxy[5784]: dnscrypt-proxy is ready - live servers: 2
Some still have issues with version 2.0.40.
Please do a backup of JFFS in the webui before this update, for easy rollback if something is not working with this version:
Administration - Restore/Save/Upload Setting: Backup JFFS partition: Save

Restore the JFFS backup if needed and reboot the router.
Info: Starting dnscrypt-proxy...
From Syslog
Mar 22 12:19:13 izzt: Start dnscrypt-proxy
Mar 22 11:19:13 dnscrypt-proxy[5784]: dnscrypt-proxy 2.0.40
Mar 22 11:19:13 dnscrypt-proxy[5784]: Network connectivity detected
Mar 22 11:19:13 dnscrypt-proxy[5784]: Source [public-resolvers] loaded
Mar 22 11:19:13 dnscrypt-proxy[5784]: Source [relays] loaded
Mar 22 11:19:13 dnscrypt-proxy[5784]: Firefox workaround initialized
Mar 22 11:19:13 dnscrypt-proxy[5784]: Dropping privileges
Mar 22 11:19:13 dnscrypt-proxy[5784]: dnscrypt-proxy 2.0.40
Mar 22 11:19:13 dnscrypt-proxy[5784]: Network connectivity detected
Mar 22 11:19:13 dnscrypt-proxy[5784]: Source [public-resolvers] loaded
Mar 22 11:19:13 dnscrypt-proxy[5784]: Source [relays] loaded
Mar 22 11:19:13 dnscrypt-proxy[5784]: Firefox workaround initialized
Mar 22 11:19:13 dnscrypt-proxy[5784]: Now listening to 127.0.1.1:53 [UDP]
Mar 22 11:19:13 dnscrypt-proxy[5784]: Now listening to 127.0.1.1:53 [TCP]
Mar 22 11:19:13 dnscrypt-proxy[5784]: [cs-swe] OK (DNSCrypt) - rtt: 19ms
Mar 22 11:19:13 dnscrypt-proxy[5784]: [dnscrypt.eu-dk] OK (DNSCrypt) - rtt: 21ms
Mar 22 11:19:13 dnscrypt-proxy[5784]: Sorted latencies:
Mar 22 11:19:13 dnscrypt-proxy[5784]: - 19ms cs-swe
Mar 22 11:19:13 dnscrypt-proxy[5784]: - 21ms dnscrypt.eu-dk
Mar 22 11:19:13 dnscrypt-proxy[5784]: Server with the lowest initial latency: cs-swe (rtt: 19ms)
Mar 22 11:19:13 dnscrypt-proxy[5784]: dnscrypt-proxy is ready - live servers: 2
Some still have issues with version 2.0.40
Please do a backup of JFFS in the webui before this update, for easy rollback if something is not working with this version.
Administration - Restore/Save/Upload Setting: Backup JFFS partition: Save

Restore JFFS backup if needed and reboot router

uninstalled and reinstalled.
working. will monitor if there is any hiccup later on.

but don't understand why it doesn't work from using the update earlier on.

anyway good advice on doing a backup of /jffs for easy restore.

cheers
 
Yea, it was because the first release of the arm version of dnscrypt-proxy 2 was not fully compiled, so it was failing even for people running on Raspberry Pis. Someone reported it and now it is properly compiled. Unfortunately, hiccups like this can happen when the upstream's compiled version has not been tested before they release it. With that being said, I wish there was a way to dry-run test the dnscrypt-proxy before it ever replaces the old version... I will come up with something at some point.
 
New version of DNSCrypt-proxy v2 released--> 2.0.41
Update/install thru amtm & di

Recommend doing a backup of JFFS in the webui before the update, for easy rollback if something is not working with a newer version
Administration - Restore/Save/Upload Setting: Backup JFFS partition: Save

Restore JFFS backup if needed and reboot router
 
Last edited:
Something suspicious about the latest dnscrypt updates: they broke all anonymization on big tech servers such as cisco, quad9, and others that were working fine for me since relays' inception.

He later edited his latest dnscrypt release and allowed quad9 to function as it should after I filed an issue.

jedisct1 had claimed
"And yes, if packets are dropped during the fragment test, anonymization will be disabled"

The fragment test is an automated test. See the latest 2.0.41 release ->
"Runtime detection of support for fragments was actually enabled."

You see it in the log as for example
[cisco] is incompatible with anonymization

He locked all discussion and discourse on the entire project when asked if anonymization was automatically broken or disabled by the latest feature set, would not answer it unless he already (kind of) did when he said
"And yes, if packets are dropped during the fragment test, anonymization will be disabled"

Shelves are clean out of diapers "DNSCrypt locked as too heated and limited conversation to collaborators now".

https://github.com/DNSCrypt/dnscrypt-proxy/issues/1253
https://github.com/DNSCrypt/dnscrypt-proxy/issues/1251

So I'm not sure if it is safe using servers that dnscrypt logs state are "incompatible with anonymization"; Has he disabled the anonymization for these servers? Just to be safe I disabled them for this purpose.

It's still not entirely clear to me, but what he led me to understand was that

"If a 1450 bytes query is sent to these servers, it will go through.
If a 1500 bytes query is sent to these servers, they currently ignore it and will not send a response."

From what I understand this 1500 byte query is not breaking anonymity but reliability, very very rarely. For me it was working perfectly fine, 99.99% of the time until these latest updates. He insisted that it wasn't, but that does not change the fact. I don't know if he is breaking anonymization entirely on those servers to make up for that 0.01% packet loss issue; but so far the fix is much worse than the alleged problem.
 
Last edited:
Yea, I always knew there would always be a "certain" set of servers that would not work properly with anonymous relays; I added a warning as a disclaimer in the installer. This has to do with the query size of the servers: they are having to use a feature called broken_query_padding, and this is not a foolproof fix for the issues, though. Make sure your .toml is up-to-date with the correct settings from the example .toml file before trying to use those servers.
Directly from the horse's mouth:
If a 1450 bytes query is sent to these servers, it will go through.
If a 1500 bytes query is sent to these servers, they currently ignore it and will not send a response.

For Cisco, this is a regression that was introduced a couple months ago.

For cleanbrowsing, quad9, qualityology.com, sth-dnscrypt-se, ams-dnscrypt-nl and freetsa.org, it may have been around forever. What they all have in common is a large certificate TTL, so I guess they don't run the same software as others. I know quad9 is using dnsdist, so this is likely where the issue has to be fixed.

Correctly handling any query size is required for anonymization to work reliably.

Instead of removing these servers, I'm currently trying to do my best to implement workarounds so that, at least without anonymization, they can be used reliably.
https://github.com/DNSCrypt/dnscrypt-proxy/issues/1253#issuecomment-604299822
 
Last edited:
So apparently these servers use an outdated/incompatible/incomplete dnscrypt setup that is hindering compatibility with dnscrypt-proxy 2 and also preventing proper compatibility with anonymous relays.
 
Info: New DNSCRYPT_VER=2.0.42 Available!
Info: Updating DNSCRYPT_VER=2.0.41 to 2.0.42 .
Info: Downloading dnscrypt-proxy-linux_arm-2.0.42.tar.gz
Info: Checking dnscrypt-proxy configuration...
[2020-03-26 18:57:09] [NOTICE] dnscrypt-proxy 2.0.42
[2020-03-26 18:57:09] [NOTICE] Network connectivity detected
[2020-03-26 18:57:09] [NOTICE] Source [public-resolvers] loaded
[2020-03-26 18:57:09] [NOTICE] Source [relays] loaded
[2020-03-26 18:57:09] [NOTICE] Configuration successfully checked
Info: Starting dnscrypt-proxy...
Mar 26 18:59:38 izzt: Start dnscrypt-proxy
Mar 26 18:59:38 dnscrypt-proxy[17337]: dnscrypt-proxy 2.0.42
Mar 26 18:59:38 dnscrypt-proxy[17337]: Network connectivity detected
Mar 26 18:59:38 dnscrypt-proxy[17337]: Source [public-resolvers] loaded
Mar 26 18:59:38 dnscrypt-proxy[17337]: Source [relays] loaded
Mar 26 18:59:38 dnscrypt-proxy[17337]: Firefox workaround initialized
Mar 26 18:59:38 dnscrypt-proxy[17337]: Now listening to 127.0.1.1:53 [UDP]
Mar 26 18:59:38 dnscrypt-proxy[17337]: Now listening to 127.0.1.1:53 [TCP]
Mar 26 18:59:38 dnscrypt-proxy[17337]: [ovpn1-Static] OK (DNSCrypt) - rtt: 13ms
Mar 26 18:59:38 dnscrypt-proxy[17337]: [dnscrypt.eu-dk] OK (DNSCrypt) - rtt: 21ms
Mar 26 18:59:38 dnscrypt-proxy[17337]: [cs-swe] OK (DNSCrypt) - rtt: 20ms
Mar 26 18:59:38 dnscrypt-proxy[17337]: [ovpn2-Static] OK (DNSCrypt) - rtt: 19ms
Mar 26 18:59:38 dnscrypt-proxy[17337]: Sorted latencies:
Mar 26 18:59:38 dnscrypt-proxy[17337]: - 13ms ovpn1-Static
Mar 26 18:59:38 dnscrypt-proxy[17337]: - 19ms ovpn2-Static
Mar 26 18:59:38 dnscrypt-proxy[17337]: - 20ms cs-swe
Mar 26 18:59:38 dnscrypt-proxy[17337]: - 21ms dnscrypt.eu-dk
Mar 26 18:59:38 dnscrypt-proxy[17337]: Server with the lowest initial latency: ovpn1-Static (rtt: 13ms)
Mar 26 18:59:38 dnscrypt-proxy[17337]: dnscrypt-proxy is ready - live servers: 4
New version of DNSCrypt-proxy v2 released--> 2.0.42
Update/install thru amtm & di

Recommend doing a backup of JFFS in webui before update, For easy rollback if something is not working with a newer version
Administration - Restore/Save/Upload Setting: Backup JFFS partition: Save

Restore JFFS backup if needed and reboot router
 
Even if anonymization relay packets are not responded to when they are over 1500 bytes, at least that rarely happened, if ever, and they still remained anonymous; the new updates de-anonymized everyone without their knowledge. It should have been optional to disable the anonymous relay instead of automated. However, he released a workaround:

here is the update :
New option in the [anonymized_dns] section: skip_incompatible, to ignore resolvers incompatible with Anonymized DNS instead of using them without a relay.

and
The current versions of the dnsdist load balancer (presumably used by quad9, cleanbrowsing, qualityology, freetsa.org, ffmuc.net, opennic-bongobow, sth-dnscrypt-se, ams-dnscrypt-nl and more) are preventing queries over 1500 bytes from being received over UDP.
Temporary workarounds have been introduced to improve reliability with these resolvers for regular DNSCrypt. Unfortunately, anonymized DNS cannot be reliable until the issue is fixed server-side.
dnsdist authors are aware of it and already have a fix.

However, given that his software now includes this auto de-anonymizing/skip_incompatible feature, any future DNS server could exploit this with a DoS/de-anonymization attack.
 
Last edited:
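A small startup-log audit, added here as an example (not code from the thread or from the dnscrypt-proxy project): it reads syslog lines of the shapes quoted earlier in the thread ("[name] OK (DNSCrypt) - rtt: Nms" and "[cisco] is incompatible with anonymization"), compares them with the routes configured under [anonymized_dns], and lists which servers came up live but flagged incompatible, i.e. the silent fallback to unrelayed queries that skip_incompatible = true is meant to prevent. The relay names, the cisco rtt and the route table are constructed for the example.

```python
import re

# Log line shapes as they appear in the thread's syslog excerpts.
OK_RE = re.compile(r"\[(?P<name>[^\]]+)\] OK \(DNSCrypt\) - rtt: (?P<rtt>\d+)ms")
INCOMPAT_RE = re.compile(r"\[(?P<name>[^\]]+)\] is incompatible with anonymization")

def parse_log(lines):
    """Return (live, incompatible): rtt in ms per server that answered, and the
    set of servers the proxy flagged as incompatible with anonymization."""
    live, incompatible = {}, set()
    for line in lines:
        m = OK_RE.search(line)
        if m:
            live[m.group("name")] = int(m.group("rtt"))
            continue
        m = INCOMPAT_RE.search(line)
        if m:
            incompatible.add(m.group("name"))
    return live, incompatible

def audit(routes, lines):
    """routes: {server_name: [relay names]}, mirroring the [anonymized_dns] routes.
    Status per server: 'relayed'; 'UNRELAYED' (live but flagged incompatible, so
    queries bypass the relay unless skip_incompatible = true); 'unrouted'; 'down'."""
    live, incompatible = parse_log(lines)
    report = {}
    for name in live:
        if name not in routes:
            report[name] = "unrouted"      # never configured to go through a relay
        elif name in incompatible:
            report[name] = "UNRELAYED"     # this is the silent fallback to watch for
        else:
            report[name] = "relayed"
    for name in routes:
        report.setdefault(name, "down")    # routed, but no OK line at startup
    return report

# Constructed sample input, modelled on the syslog lines quoted in the thread;
# the relay names and the cisco rtt are made up for this example.
SAMPLE_LOG = [
    "Mar 22 11:19:13 dnscrypt-proxy[5784]: [cs-swe] OK (DNSCrypt) - rtt: 19ms",
    "Mar 22 11:19:13 dnscrypt-proxy[5784]: [dnscrypt.eu-dk] OK (DNSCrypt) - rtt: 21ms",
    "Mar 22 11:19:13 dnscrypt-proxy[5784]: [cisco] is incompatible with anonymization",
    "Mar 22 11:19:13 dnscrypt-proxy[5784]: [cisco] OK (DNSCrypt) - rtt: 30ms",
    "Mar 22 11:19:13 dnscrypt-proxy[5784]: dnscrypt-proxy is ready - live servers: 3",
]
SAMPLE_ROUTES = {
    "cs-swe": ["anon-relay-a"],
    "cisco": ["anon-relay-a", "anon-relay-b"],
    "quad9-dnscrypt-ip4-filter-pri": ["anon-relay-b"],
}

if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLE_ROUTES, SAMPLE_LOG).items()):
        print(f"{name:32s} {status}")
```

Any server reported as UNRELAYED is answering your queries directly, so its operator sees your source address until either the server side is fixed or it is excluded with skip_incompatible.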
The question of who can you trust will always exist. I wish it was more transparent about what can be done, but at the moment users are at the mercy of those servers.
 
Guess you can try to use version 2.0.31 until the servers have been updated
(should be before broken_query_padding was added).
The fault/bug in these servers' UDP handling is there until they (server side) apply the update that fixes this. I do not recommend downgrading to an older version of DNSCrypt-proxy.
 
Last edited:
This can be exploited by a MITM middlebox blocking packets over 1500 bytes between the anonymous relay and the DNS server as well. https://github.com/DNSCrypt/dnscrypt-proxy/issues/1255 and exploited to affect any DNS server over relay no matter what. And if he keeps this feature onboard after the fix is in for the servers, then I would consider it an inbuilt exploit.
 
Last edited: