DNScrypt dnscrypt installer for asuswrt

[skeal]

Better clarity now I have had time to look at it. This code in firewall-start is being run more than once at boot causing excessive pre-routing logs. Not sure if its a security issue or not.

[ -x /jffs/dnscrypt/manager ] && /jffs/dnscrypt/manager fw-rules

Can we add some check code to see if this has been run or not? With the end result being that that instruction only gets run once.

 

[bigeyes0x0]

Router handles dns m8, all fields left blank. Happens to all devices i use such as PC, laptop and server. All set to dhcp but the router gives the same ip to them via dhcp tables.

Sent from my SM-G920F using Tapatalk

Can you do an extended test at https://www.dnsleaktest.com/ and check the result for any DNS that you haven't set in the installer. Knowing what they are might actually get us somewhere guessing where the leak comes from.

 

[bigeyes0x0]

Better clarity now I have had time to look at it. This code in firewall-start is being run more than once at boot causing excessive pre-routing logs. Not sure if its a security issue or not.

[ -x /jffs/dnscrypt/manager ] && /jffs/dnscrypt/manager fw-rules

Can we add some check code to see if this has been run or not? With the end result being that that instruction only gets run once.

I will take a look at this.

 

[bigeyes0x0]

@skeal It doesn't happen for me. I guess there's something on your config causing firewall-start to be called twice. Anyway, should be fixed in my latest beta code.

@all beta installer now supports rc3.

 

[GoNz0]

Can you do an extended test at https://www.dnsleaktest.com/ and check the result for any DNS that you haven't set in the installer. Knowing what they are might actually get us somewhere guessing where the leak comes from.

I ran the extended test and it gives a single virginmedia server, so it's ignoring dnscrypt and using my isp instead

Sent from my SM-G920F using Tapatalk

 

[bigeyes0x0]

@GoNz0 what's your output of:

cat /etc/dnsmasq.conf
cat /tmp/resolv.conf
ps|grep dnscrypt-proxy

 

[GoNz0]

@GoNz0 what's your output of:

cat /etc/dnsmasq.conf
cat /tmp/resolv.conf
ps|grep dnscrypt-proxy

I had to use pastebin thanks to flawed forum security blocking me

https://pastebin.com/0zsi2KcE

 

[GoNz0]

To add, I have just set "WAN DNS Setting" to 192.168.1.1 (the router) and

C:\Windows\system32>nslookup -type=txt debug.opendns.com
Server:  Router
Address:  192.168.1.1
Non-authoritative answer:
debug.opendns.com       text =
        "server m37.lon"
debug.opendns.com       text =
        "flags 20 0 8050 3950000000000000000"
debug.opendns.com       text =
        "originid 19592237"
debug.opendns.com       text =
        "actype 2"
debug.opendns.com       text =
        "bundle 5670731"
debug.opendns.com       text =
        "source 82.1.22.110:33973"
debug.opendns.com       text =
        "dnscrypt enabled (713156774457306E)"

I have never had to do this before so I'm a little stumped why I have to tell it to do this despite telling the dnscrypt settings to route all DNS queries through dnscrypt

 

[bigeyes0x0]

@GoNz0 Do you have VPN? Otherwise this seems to be a quirk with >=382 branch. Can you do another command for me and get me the System Log in webui printed out by dnsmasq:

service restart_dnsmasq

 

[GoNz0]

@GoNz0 Do you have VPN? Otherwise this seems to be a quirk with >=382 branch. Can you do another command for me and get me the System Log in webui printed out by dnsmasq:

service restart_dnsmasq

I am on the 384 beta branch now as I gave on on the 382 a while back. I decided to give this another go once I updated to 384.

I did the command twice, once with the dns servers set to 192.168.1.1 and again after removing them.

For now it is working. Even after a reboot

VPN wise I have openVPN installed on this laptop, it isn't active though as I only run it to RDP into servers, I had ruled that out by logging into my games PC and server.

https://pastebin.com/eM3LrVmg

 

[bigeyes0x0]

@GoNz0
No VPN on the actual router though, right?

Anyway I think I caught the issue, something is weird with dnsmasq on your firmware version. It doesn't honor the no-resolv directive I believe as there's no line like this logged: "warning: ignoring resolv-file flag because no-resolv is set" . Can you also double check once again that:
1. /etc/dnsmasq.conf contains no-resolv
2. The log when restarting dnsmasq does not contain "warning: ignoring resolv-file flag because no-resolv is set"

I have some idea to fix this but let's make sure first.

 

[skeal]

Better clarity now I have had time to look at it. This code in firewall-start is being run more than once at boot causing excessive pre-routing logs. Not sure if its a security issue or not.

[ -x /jffs/dnscrypt/manager ] && /jffs/dnscrypt/manager fw-rules

Can we add some check code to see if this has been run or not? With the end result being that that instruction only gets run once.

This is fixed in rc3! Thank you sir!

 

[bigeyes0x0]

@GoNz0 I have pushed a new version on beta that tries to fix your leaky issue. Please go back to your default WAN DNS settings that you had leaky DNS before and try to update dnscrypt-proxy with my installer. Also answer my previous questions, just wanna make sure.

@all: the change is kinda drastic, it works on my branch 380, dunno how it acts for those on >= 382, it might brick your network lol.

 

[GoNz0]

@GoNz0
No VPN on the actual router though, right?

Anyway I think I caught the issue, something is weird with dnsmasq on your firmware version. It doesn't honor the no-resolv directive I believe as there's no line like this logged: "warning: ignoring resolv-file flag because no-resolv is set" . Can you also double check once again that:
1. /etc/dnsmasq.conf contains no-resolv
2. The log when restarting dnsmasq does not contain "warning: ignoring resolv-file flag because no-resolv is set"

I have some idea to fix this but let's make sure first.

1, it does contain no-resolv on line 7
2, it isn't there, just the following

https://pastebin.com/0rbYjw56

I will update in a few hours as I have to go out now, thanks for the help so far.


*edit
by the way I can't install a swap file to my usb storage, does it need to be a certain file format to allow it?

 

[GoNz0]

Installed and rebooted b4 I go out and I have internet still along with the welcome.opendns.com landing page saying I'm secure

 

[bigeyes0x0]

Installed and rebooted b4 I go out and I have internet still along with the welcome.opendns.com landing page saying I'm secure

Did you restore your WAN DNS settings to the previous leaky one?

 

[skeal]

Installed just now rc3 again and it is fine. Running awesome using DoH.

 

[GoNz0]

Did you restore your WAN DNS settings to the previous leaky one?

I did earlier, removed them so it would default to my isp.

Sent from my SM-G920F using Tapatalk

 

[M@rco]

by the way I can't install a swap file to my usb storage, does it need to be a certain file format to allow it?

A swapfile can be installed on any ext2/3/4 filesystem. The dnscrypt-proxy installer can do it for you, amtm can do it, SkyNet can do it and you can also create it manually.

 

[Ashish Gupta]

Recently upgraded the firmware on a 68u to 384.beta
DNScrypt with server set as google and wan dns set as 192.168.1.1 was working fine. DNSleak showed approx 60 google servers and no other servers. After upgrading the firmware DOH doesn't work anymore. nslookup yahoo.com in SSH doesn't resolve the address. I removed the dnscrypt directory and reinstalled RC3 but google as the server still doesn't work. I changed the server to cisco in the config file and restarted the service and it started working again.

I have already preresolved dns.google.com in /jffs/configs/dnsmasq.conf.add by adding the below lines.

server=/dns.google.com/8.8.8.8
server=/download.dnscrypt.info/8.8.8.8

TIA