DNScrypt dnscrypt installer for asuswrt

Anyone has a 86U, please run this command on ssh and tell me the result:
Code:
uname -m
TIA
Don't have one but AB-Solution uses this case statement:
Code:
    case "$(uname -m)" in
        armv7l)     : ;;   # all ARM routers
        mips)       : ;;   # all MIPSEL routers
        aarch64)    : ;;   # 86U
    esac
 
Yeah... milestone version from dnscrypt-proxy beta 11
DOH for Google activated.
Note that you need to pre-resolve dns.google.com in dnsmasq.
Add the following in /jffs/configs/dnsmasq.conf.add
server=/dns.google.com/8.8.8.8
Then type, service restart_dnsmasq

Good luck and have fun!

For those interested in reading what DOH is:
https://www.theregister.co.uk/2017/12/14/protecting_dns_privacy/
https://tools.ietf.org/html/draft-ietf-doh-dns-over-https-02#section-7.1


** I know Google does logging.. but even so, they have the fastest server and I think most redundancy and in terms of security... one of the best? So for now I will use it till more public resolvers support DOH
 
I don’t want to start a new thread for this..
Just asking here if anybody see this..
How to see if dns queries are indeed being sent via port 443 and encrypted and NOT via port 53?

In Windows, we have wireshark to see this. But I know that from client to router the query is still via 53, unencrypted. I want to know from router to resolver.

Use tcpdump from entware? How? What is the command?

Or what other program from entware? How?
 
Yeah... milestone version from dnscrypt-proxy beta 11
DOH for Google activated.
Note that you need to pre-resolve dns.google.com in dnsmasq.
Add the following in /jffs/configs/dnsmasq.conf.add
server=/dns.google.com/8.8.8.8
Then type, service restart_dnsmasq

Good luck and have fun!

For those interested in reading what DOH is:
https://www.theregister.co.uk/2017/12/14/protecting_dns_privacy/
https://tools.ietf.org/html/draft-ietf-doh-dns-over-https-02#section-7.1


** I know Google does logging.. but even so, they have the fastest server and I think most redundancy and in terms of security... one of the best? So for now I will use it till more public resolvers support DOH

how do you set it up accurately?
a for dnscrypt installation?
 
beta11 and Google DOH added :)

Hi and thanks for the latest release. I installed beta 10 yesterday and 11 today, and have noticed that the dnscrypt process times out every 30mins or so. The only way to restore it is to restart the dnscrypt process by running ./manager dnscrypt-start - the output from the logs / shell:

Code:
Jan 28 07:24:16 dnscrypt-proxy[3499]: [scaleway-fr] OK (crypto v2) - rtt: 115ms
Jan 28 07:24:16 dnscrypt-proxy[3499]: [securedns] OK (crypto v1) - rtt: 139ms
Jan 28 07:24:16 dnscrypt-proxy[3499]: [google] OK (DoH) - rtt: 550ms
Jan 28 07:24:16 dnscrypt-proxy[3499]: Server with the lowest initial latency: scaleway-fr (rtt: 115ms)

Code:
/jffs/dnscrypt# killall: dnscrypt-proxy: no process killed

68u running RMerlin's alpha2
 
I mean exactly this DOH mode :)
this is so configured : require_nolog = true
If I am not wrong, that require no log is meant for times when you didn’t specify any preferred dns server you are using; the app will, based on the criteria u defined like dnssec true, no log true, etc, search through the entire list of resolvers and choose for u.

However when u define the preferred dns server, in this case, Google. It should be in doh mode. In the syslog, u should see that the app is using Google doh. U can further confirm it via ipleak.net to see if you are using Google dns and if there is any leak like using other than Google, ie your isp dns.

From my googling and reading, the app will be sending the queries to dns.google.com via port 443 encrypted mode.

I posted a question above asking for help to confirm if this is really working.
 
Hi and thanks for the latest release. I installed beta 10 yesterday and 11 today, and have noticed that the dnscrypt process times out every 30mins or so. The only way to restore it is to restart the dnscrypt process by running ./manager dnscrypt-start - the output from the logs / shell:

Code:
Jan 28 07:24:16 dnscrypt-proxy[3499]: [scaleway-fr] OK (crypto v2) - rtt: 115ms
Jan 28 07:24:16 dnscrypt-proxy[3499]: [securedns] OK (crypto v1) - rtt: 139ms
Jan 28 07:24:16 dnscrypt-proxy[3499]: [google] OK (DoH) - rtt: 550ms
Jan 28 07:24:16 dnscrypt-proxy[3499]: Server with the lowest initial latency: scaleway-fr (rtt: 115ms)

Code:
/jffs/dnscrypt# killall: dnscrypt-proxy: no process killed

68u running RMerlin's alpha2

@bigeyes0x0 please look into this.
I would suggest using daemonize mode. If I am not in daemonize mode, the process will terminate itself. The frequency of termination is random.

I suspect it is due to memory management, as dnscrypt-proxy has a cache and is taking up memory. Linux kernel memory management is doing its work to maintain stability and terminating low priority applications.
 
@bigeyes0x0 please look into this.
I would suggest using daemonize mode. If I am not in daemonize mode, the process will terminate itself. The frequency of termination is random.

I suspect it is due to memory management, as dnscrypt-proxy has a cache and is taking up memory. Linux kernel memory management is doing its work to maintain stability and terminating low priority applications.

I have the same setup as yours but I don't think it's memory related as I have 152MB free with 3GB swap partition, which is unutilized. I'm leaning more towards either a failed query that causes the instance to crash/stop serving requests while still showing an active pid/process (tested chosen servers manually and they were responding) or as you have rightly pointed out, daemonize mode is required which I have not yet enabled ... testing continues.

Cheers
 
I installed beta 10 yesterday and 11 today, and have noticed that the dnscrypt process times out every 30mins or so. The only way to restore it is to restart the dnscrypt process by running ./manager dnscrypt-start

@bigeyes0x0 please look into this.
I would suggest using daemonize mode. If I am not in daemonize mode, the process will terminate itself. The frequency of termination is random.

I don't have this issue? I used @bigeyes0x0 's installer this morning for the first time to install beta11 (I had it manually set up before) and it has been running for over 3 hours now (started 8:34 AM CET, it's now 11:41 AM CET). See screenshot below. It's also running in daemon mode. Haven't changed anything in the config, except adjusting the loglevel back to 2.

8n9RURZ.png


Edit, make that 2 hours, given the uptime. Somewhere, something is probably calculating with GMT instead of GMT+1 :D
 
I don’t want to start a new thread for this..
Just asking here if anybody see this..
How to see if dns queries are indeed being sent via port 443 and encrypted and NOT via port 53?

In Windows, we have wireshark to see this. But I know that from client to router the query is still via 53, unencrypted. I want to know from router to resolver.

Use tcpdump from entware? How? What is the command?

Or what other program from entware? How?

You need to capture the packet going out of the router WAN port. Easiest thing to do if you have non PPPoE WAN is to use a smart switch before the router and just dup the port to another and wireshark on that.

Regarding the dnscrypt-proxy being killed, it's either the router ran out of memory or some error in the process itself. This is why I have added swap support in my script and still have log_level at 2.

@AtAM1: First you need to enable swap. If there's still problem please set log level at 0 to see if there's any error in the process.

P.S. DOH mode seems to be rather memory intensive.
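
An added example, not part of any post in this thread: one way to answer the port 53 versus port 443 question from a WAN-side capture, by summarizing `tcpdump -nn` text output. It assumes tcpdump is installed from Entware and that the WAN interface is `eth0`; the WAN address, the resolver addresses other than 8.8.8.8 and the capture lines are constructed sample values.

```shell
#!/bin/sh
# Classify router->resolver packets from `tcpdump -nn` text read on stdin.
# $1 = the router's WAN address.
# On the router (assumptions: tcpdump from Entware, WAN interface eth0):
#   tcpdump -i eth0 -nn -c 200 'port 53 or port 443' | summarize_wan_dns <wan-ip>
summarize_wan_dns() {
    awk -v wan="$1" '
        # Line shape: <time> IP <src>.<sport> > <dst>.<dport>: <details>
        $2 == "IP" && $4 == ">" {
            dst = $5; sub(/:$/, "", dst)
            if (split($3, s, ".") != 5 || split(dst, d, ".") != 5) next
            # Count only packets the router itself sends out of the WAN side.
            src = s[1] "." s[2] "." s[3] "." s[4]
            if (src != wan) next
            if (d[5] == 443) tls++
            else if (d[5] == 53) {
                # The dnsmasq rule server=/dns.google.com/8.8.8.8 makes this
                # one cleartext lookup expected; any other port-53 query
                # bypassed dnscrypt-proxy.
                if (index($0, "? dns.google.com.")) bootstrap++; else leak++
            }
        }
        END { printf "bootstrap53=%d leak53=%d tls443=%d\n", bootstrap, leak, tls }
    '
}

# Constructed sample capture (documentation-range addresses, not real traffic).
sample_capture() {
    cat <<'EOF'
07:24:16.100000 IP 203.0.113.10.40001 > 8.8.8.8.53: 4660+ A? dns.google.com. (32)
07:24:16.150000 IP 8.8.8.8.53 > 203.0.113.10.40001: 4660 1/0/0 A 192.0.2.53 (48)
07:24:16.200000 IP 203.0.113.10.51000 > 192.0.2.53.443: Flags [P.], seq 1:518, ack 1, win 229, length 517
07:24:16.400000 IP 203.0.113.10.51000 > 192.0.2.53.443: Flags [P.], seq 518:640, ack 3000, win 240, length 122
07:24:17.000000 IP 203.0.113.10.40002 > 198.51.100.1.53: 4661+ A? example.com. (29)
EOF
}

sample_capture | summarize_wan_dns 203.0.113.10
```

A non-zero `leak53` means some queries left the router in cleartext; the port 443 packets carry no readable query names, so the capture shows only that they went to the resolver's address over 443.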
 
