DNScrypt dnscrypt installer for asuswrt

[SomeWhereOverTheRainBow]

Need some assistance with my setup...

RT-AX88U running Diversion & DNSCrypt-Proxy

Requirements:
- All of my clients to go through DNSCrypt & Diversion Ad-Blocking
- 2 of my clients to totally bypass Diversion, but still use DNSCrypt.

On searching the forums and Diversion website; there is a suggested solution listed on Diversion FAQ here
.... It says that I set the DNS to 8.8.8.8, ... but I want the excluded clients to still use DNSCrypt-Proxy

Spoiler: Copied from Diversion FAQ

How to exclude a client from ad-blocking
In your router Web-UI, go to DNS-Filtering
- set 'Enable DNS-based Filtering' to ON
- set 'Global Filter Mode' to 'NO filtering'
- fill in 'Custom (user-defined) DNS 1' with, for example, Google's DNS 8.8.8.8
- select your client(s) in the Client List and set 'Filter Mode' 'Custom 1'
- click Apply

Now the client(s) in the Client list get the DNS from google and not from your router.

Q: What settings do I put in the DNS Filter section (or elsewhere)?

Seeking advise...

@SomeWhereOverTheRainBow
@Zastoff -

Follow the example to the letter and what you are trying to do should work. Any devices you set to the custom address will skip dns crypt and diversion. Since this is a diversion guide it is more appropriate that you move this to the diversion thread. Note they will not be able to skip diversion and still use dns crypt since they both pass through dnsmasq and the router itself. You will have to assign clients to a separate dns address altogether.

 

[dave14305]

Follow the example to the letter and what you are trying to do should work. Any devices you set to the custom address will skip dns crypt and diversion. Since this is a diversion guide it is more appropriate that you move this to the diversion thread.

He wants DNSCrypt-Proxy to listen on the LAN as well, so he can bypass Diversion for some clients.

 

[SomeWhereOverTheRainBow]

He wants DNSCrypt-Proxy to listen on the LAN as well, so he can bypass Diversion for some clients.

If you have directions for that you are welcome to share your methods. As far as it is setup now both dnscrypt proxy and diversion are handed off to dnsmasq.

 

[dave14305]

If you have directions for that you are welcome to share your methods. As far as it is setup now both dnscrypt proxy and diversion are handed off to dnsmasq.

I thought it would involve a change to listen_addresses to add a LAN IP like the Pixelserv IP on port 53. But I'm not that familiar with the rest of dnscrypt-proxy to be certain.

 

[SomeWhereOverTheRainBow]

I thought it would involve a change to listen_addresses to add a LAN IP like the Pixelserv IP on port 53. But I'm not that familiar with the rest of dnscrypt-proxy to be certain.

I am sure he could make a custom listen address for what he is trying to do, the down side is dnscrypt-proxy caching is disabled since it is handed to dnsmasq as well, so you may be taking a performance hit to those devices. Alternatively I recommend enabling diversions alternative block list and choosing a tiny custom blocklist, this will allow custom defined devices to use dnscrypt without taking any performance hit and prevent devices from being heavily impacted from diversion blocking.

 

[gspannu]

I thought it would involve a change to listen_addresses to add a LAN IP like the Pixelserv IP on port 53. But I'm not that familiar with the rest of dnscrypt-proxy to be certain.

So will something like this work...

The dnscrypt-proxy.toml listens on 127.0.0.0:53, but I think it does support multiple addresses.
So, could I edit the dnscrypt-proxy.toml and add say another address like 192.168.1.5:53 and then use that as the DNS address of the excluded client.

 

[SomeWhereOverTheRainBow]

So will something like this work...

The dnscrypt-proxy.toml listens on 127.0.0.0:53, but I think it does support multiple addresses.
So, could I edit the dnscrypt-proxy.toml and add say another address like 192.168.1.5:53 and then use that as the DNS address of the excluded client.

You should try the method I mentioned instead of trying to manipulate dnscrypt proxy potentially making your internet unusable.

 

[SomeWhereOverTheRainBow]

So will something like this work...

The dnscrypt-proxy.toml listens on 127.0.0.0:53, but I think it does support multiple addresses.
So, could I edit the dnscrypt-proxy.toml and add say another address like 192.168.1.5:53 and then use that as the DNS address of the excluded client.

Alternatively I recommend enabling diversions alternative block list and choosing a tiny custom blocklist, this will allow custom defined devices to use dnscrypt without taking any performance hit and prevent devices from being heavily impacted from diversion blocking.

 

[gspannu]

I am sure he could make a custom listen address for what he is trying to do, the down side is dnscrypt-proxy caching is disabled since it is handed to dnsmasq as well, so you may be taking a performance hit to those devices. Alternatively I recommend enabling diversions alternative block list and choosing a tiny custom blocklist, this will allow custom defined devices to use dnscrypt without taking any performance hit and prevent devices from being heavily impacted from diversion blocking.

Ah... this is interesting.
So could I enable Alternative Block list; and make it completely empty (in effect, no ad-blocking at all).
I think this approach will yield the same end result and benefits of Dnsmasq caching...
How do I make an absolutely empty blocking list; basically everything white-listed?

 

[SomeWhereOverTheRainBow]

Ah... this is interesting.
So could I enable Alternative Block list; and make it completely empty (in effect, no ad-blocking at all).
I think this approach will yield the same end result and benefits of Dnsmasq caching...
How do I make an absolutely empty blocking list; basically everything white-listed?

You could use a simple tiny list like this one

https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt

It only has 37 domains.

 

[SomeWhereOverTheRainBow]

@SomeWhereOverTheRainBow , @dave14305

Thank you gentlemen, much appreciated.
I will give this as go... and report back.

First you have to enable fast switch, then you pick a custom list for it, then you enable alternative block list and assign an unused ip address to it, then you add that Ip to custom 1 on dnsfilter and assign a filter for each device you want to use it.

 

[gspannu]

First you have to enable fast switch, then you pick a custom list for it, then you enable alternative block list and assign an unused ip address to it, then you add that I'm to custom 1 on dnsfilter and assign a filter for each device you want to use it.

@SomeWhereOverTheRainBow , @dave14305

Thank you, much appreciated.

 

[gspannu]

So will something like this work...
The dnscrypt-proxy.toml listens on 127.0.0.0:53, but I think it does support multiple addresses.
So, could I edit the dnscrypt-proxy.toml and add say another address like 192.168.1.5:53 and then use that as the DNS address of the excluded client.

Alternatively I recommend enabling diversions alternative block list and choosing a tiny custom blocklist, this will allow custom defined devices to use dnscrypt without taking any performance hit and prevent devices from being heavily impacted from diversion blocking.

• So I tried the 2nd Option... and it works as expected.
• At some point, I will try the first option as well and update here...

Thanks: @SomeWhereOverTheRainBow & @dave14305

 

[SomeWhereOverTheRainBow]

• So I tried the 2nd Option... and it works as expected.
• At some point, I will try the first option as well and update here...

Thanks: @SomeWhereOverTheRainBow & @dave14305

I appreciate your feedback. Keep me updated on how well it works. I highly encourage the use of Diversions features as @thelonelycoder has made it simple. He has streamlined everything to be user friendly and easy to use. DNSMASQ (through diversion) is your most flexible means of taking care of this issue.

 

[DonnyJohnny]

Dnscrypt-proxy update version: 2.0.43
https://github.com/DNSCrypt/dnscrypt-proxy/releases

• Built-in support for DNS64 translation has been implemented. (Contributed by Sergey Smirnov, thanks!)
• Connections to DoH servers can be authenticated using TLS client certificates (Contributed by Kevin O'Sullivan, thanks!)
• Multiple stamps are now allowed for a single server in resolvers and relays lists.
• Android: the time zone for log files is now set to the system time zone.
• Quite a lot of updates and additions have been made to the example domain block lists. Thanks to IceCodeNew!
• Cached configuration files can now be temporarily used if they are out of date, but bootstraping is impossible. Contributed by lifenjoiner, thanks!
• Precompiled macOS binaries are now notarized.
• generate-domains-blacklists now tries to deduplicate entries clobbered by wildcard rules. Thanks to Huhni!
• generate-domains-blacklists can now directly write lists to a file with the -o command-line option.
• cache files are now downloaded as the user the daemon will be running as. This fixes permission issues at startup time.
• Forwarded queries are now subject to global timeouts, and can be forced to use TCP.
• The ct parameter has been removed from DoH queries, as Google doesn't require it any more.
• Service installation is now supported on FreeBSD.
• When stored into a file, service logs now only contain data from the most recent launch. This can be changed with the new log_file_latest option.

 

[SomeWhereOverTheRainBow]

Dnscrypt-proxy update version: 2.0.43
https://github.com/DNSCrypt/dnscrypt-proxy/releases

• Built-in support for DNS64 translation has been implemented. (Contributed by Sergey Smirnov, thanks!)
• Connections to DoH servers can be authenticated using TLS client certificates (Contributed by Kevin O'Sullivan, thanks!)
• Multiple stamps are now allowed for a single server in resolvers and relays lists.
• Android: the time zone for log files is now set to the system time zone.
• Quite a lot of updates and additions have been made to the example domain block lists. Thanks to IceCodeNew!
• Cached configuration files can now be temporarily used if they are out of date, but bootstraping is impossible. Contributed by lifenjoiner, thanks!
• Precompiled macOS binaries are now notarized.
• generate-domains-blacklists now tries to deduplicate entries clobbered by wildcard rules. Thanks to Huhni!
• generate-domains-blacklists can now directly write lists to a file with the -o command-line option.
• cache files are now downloaded as the user the daemon will be running as. This fixes permission issues at startup time.
• Forwarded queries are now subject to global timeouts, and can be forced to use TCP.
• The ct parameter has been removed from DoH queries, as Google doesn't require it any more.
• Service installation is now supported on FreeBSD.
• When stored into a file, service logs now only contain data from the most recent launch. This can be changed with the new log_file_latest option.

Guys don't update to this too soon. There is a memory leak and the binaries are not properly compiled for linux-arm and arm64 devices. I set the installer detectable dnscrypt-version back to 2.0.42 until the issue is resolved. I have opened an issue on dnscrypt-proxy 2's devs github. The issue involves dnscrypt-proxy 2 not properly binding to addresses.

 

[SomeWhereOverTheRainBow]

On a Better Note!..
DI_VERSION="v2.1.6" IS HERE!
Release Features:

• Ability to create a Backup ( option b|B)
• Ability to restore/install from Backup ( option r|R) or ( reinstall fresh with backup located in JFFS)
• Fixes to existing code
• Fixes to Static Servers Usage
• Fixes to Relay Usage.

Special Thanks! go to
@Zastoff for encouragement/testing
@L&LD for the many likes.
@DonnyJohnny for relevant finds.

 

[DonnyJohnny]

Guys don't update to this too soon. There is a memory leak and the binaries are not properly compiled for linux-arm and arm64 devices. I set the installer detectable dnscrypt-version back to 2.0.42 until the issue is resolved. I have opened an issue on dnscrypt-proxy 2's devs github. The issue involves dnscrypt-proxy 2 not properly binding to addresses.

Regards the memory leak, I think it is about the cache issue which was disabled when using the installer?
https://github.com/DNSCrypt/dnscrypt-proxy/issues/1352

what do u mean by not properly binding to address?
I am able to surf via dnscrypt-proxy?
https://github.com/DNSCrypt/dnscrypt-proxy/issues/1354

 

[maghuro]

I installed this. Configured it. Then I made a backup.
Then I removed it.
I rebooted router.
I installed it again and tried to restore the backup.
Error attached.

 

[Zastoff]

I installed this. Configured it. Then I made a backup.
Then I removed it.
I rebooted router.
I installed it again and tried to restore the backup.
Error attached.

Restore worked fine for me

Spoiler: Restore from menu

Info: Detected ARMv7 architecture.
Info: JFFS custom scripts and configs are already enabled
Info: DNS Environment is Ready.
Info: DI_VERSION=v2.1.6
Info: DNSCRYPT_VER=2.0.42
Info: Manager file is Up-To-Date!
Info: Choose what you want to do:
1) Install/Update dnscrypt-proxy
2) Uninstall dnscrypt-proxy
3) Configure dnscrypt-proxy
4) Set timezone
5) Unset timezone
6) Install (P)RNG
7) Uninstall (P)RNG
8) Install swap file
9) Uninstall ALL
b) Backup
r) Restore
q) Quit
=> Please enter the number that designates your selection:, [1-9/b/r/q]: r
Info: This operation will allow you to restore everything!
=> Do you want to continue? [y/n]: y
Info: Please wait a moment.
Info: Please hold on while the latest local files are updated..
Info: installer is up to date. Skipping...
Info: manager is up to date. Skipping...
Info: Downloading public-resolvers.md
Info: Downloading public-resolvers.md.minisig
Info: relays.md is up to date. Skipping...
Info: relays.md.minisig is up to date. Skipping...
Info: dnsmasq.postconf file already configured
Info: init-start file already configured
Info: Configuring dnscrypt-proxy...
Info: Checking dnscrypt-proxy configuration...
[2020-06-10 09:53:48] [NOTICE] dnscrypt-proxy 2.0.42
[2020-06-10 09:53:48] [NOTICE] Network connectivity detected
[2020-06-10 09:53:48] [NOTICE] Source [relays] loaded
[2020-06-10 09:53:48] [NOTICE] Source [public-resolvers] loaded
[2020-06-10 09:53:48] [NOTICE] Anonymized DNS: routing everything via [anon-cs-se anon-sth-se]
[2020-06-10 09:53:48] [NOTICE] Configuration successfully checked
Info: Found previous dnscrypt-proxy config file
=> Do you want to use this file without reconfiguring? [y/n]: y
Info: Use previous settings file
Info: Starting dnscrypt-proxy...
Info: Backup restored!
Info: Operation completed. You can quit or continue
=====================================================


Info: Choose what you want to do:
1) Install/Update dnscrypt-proxy
2) Uninstall dnscrypt-proxy
3) Configure dnscrypt-proxy
4) Set timezone
5) Unset timezone
6) Install (P)RNG
7) Uninstall (P)RNG
8) Install swap file
9) Uninstall ALL
b) Backup
r) Restore
q) Quit
=> Please enter the number that designates your selection:, [1-9/b/r/q]:

Make sure you updated to the latest version of the installer
(Did not uninstall on this try before restore)
Edit:
Maybe you need to select option 1(install/update) and it will detect a backup from there and get the option to restore. Not at home atm