DNSCrypt is reborn!

Always have to chuckle at DNSCrypt... much interest in this is due to a blog post on lifehacker by someone that was told by someone that it might be good...

There's no privacy protection in DNS - the DNS server still logs things. And DNSCrypt is mostly about ensuring that the lookup is valid and DNSSEC is more efficient at things, and more widely supported by the hyperscalers, which these days are the dominant players.

DNSCrypt developers never approached IETF, so there's no promise of it being a standard.
 
Just a post so I get updates to the thread... in case anyone with an n66u tries this out.
There's a link 'Watch thread' on the upper right corner if you just want to receive notifications from a thread, without posting.

There's no privacy protection in DNS - the DNS server still logs things. And DNSCrypt is mostly about ensuring that the lookup is valid and DNSSEC is more efficient at things, and more widely supported by the hyperscalers, which these days are the dominant players.

I understand what you're saying, but don't fully agree on the privacy part. At least it keeps my nosy ISP from keeping a tap on my DNS queries and it validates lookups. Having said that, OpenDNS, nowadays owned by Cisco (which is not particularly a non-dominant player imho) still offers no support for DNSSEC, as far as I'm aware, yet fully supports DNSCrypt (which they introduced) and web-based content filtering. Using Cisco DNS is fully anonymous, unless you decide otherwise by creating an account to personalize your content filtering settings. There are ways to opt out of non-anonymous data collection, based on new legislation, but I feel no need to do so myself, as that's the consequence of enabling OpenDNS stats.
 
There's no privacy protection in DNS - the DNS server still logs things.
It depends on whether you believe the DNSCrypt resolvers file. There is a flag that indicates whether the server is 'logging' or 'non-logging'. When I implemented it in my fork, I put in a filter for this in the server selection.
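As an added example (not the poster's fork nor any dnscrypt-proxy code), here is how such a server-selection filter can be done in BusyBox-friendly shell and awk. It assumes the v1 dnscrypt-resolvers.csv column layout with a header row containing "Name", "No logs" and "Resolver address" (an assumption; the column is located by header name so a reordered file still works), and embeds a constructed three-line sample instead of the real list. The awk splitter handles quoted fields with embedded commas, which the real file's description and coordinates columns contain.

```shell
#!/bin/sh
# Filter a dnscrypt-resolvers.csv (v1 layout, header assumed) down to the
# resolvers whose "No logs" column says yes, printing name and resolver address.

# Constructed sample in the assumed v1 column layout; the resolvers are not real.
SAMPLE_CSV='Name,"Full name",Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
example-a,"Example A","Resolver, with a comma in its description",Somewhere,"1.0,2.0",https://example.invalid,1,yes,yes,no,192.0.2.1:443,2.dnscrypt-cert.example.invalid,AAAA:BBBB,
example-b,"Example B","Logs everything",Elsewhere,"3.0,4.0",https://example.invalid,1,no,no,no,192.0.2.2:443,2.dnscrypt-cert.example.invalid,CCCC:DDDD,
example-c,"Example C","Quiet one",Nowhere,"5.0,6.0",https://example.invalid,1,yes,yes,no,198.51.100.7:5353,2.dnscrypt-cert.example.invalid,EEEE:FFFF,'

# no_log_resolvers: read the CSV on stdin and print "name address" for every
# resolver flagged as non-logging. Exits 2 if the expected columns are missing.
no_log_resolvers() {
    awk '
    # split_csv(line, out): minimal RFC 4180-style splitter that keeps commas
    # inside double quotes; doubled quotes ("") are simply dropped, which is
    # good enough for the resolver list. Returns the field count.
    function split_csv(line, out,    n, i, c, inq, fld) {
        split("", out)            # clear the output array (portable idiom)
        n = 0; fld = ""; inq = 0
        for (i = 1; i <= length(line); i++) {
            c = substr(line, i, 1)
            if (c == "\"")              { inq = !inq }
            else if (c == "," && !inq)  { out[++n] = fld; fld = "" }
            else                        { fld = fld c }
        }
        out[++n] = fld
        return n
    }
    { sub(/\r$/, "") }          # tolerate CRLF line endings
    NR == 1 {
        nf = split_csv($0, h)
        for (i = 1; i <= nf; i++) {
            if (h[i] == "Name")             name  = i
            if (h[i] == "No logs")          nolog = i
            if (h[i] == "Resolver address") addr  = i
        }
        if (!name || !nolog || !addr) {
            print "missing expected columns in header" > "/dev/stderr"
            exit 2
        }
        next
    }
    {
        split_csv($0, f)
        if (tolower(f[nolog]) == "yes") print f[name], f[addr]
    }'
}

# On the router you would feed the downloaded list instead of the sample:
#   no_log_resolvers < /jffs/dnscrypt-resolvers.csv
printf '%s\n' "$SAMPLE_CSV" | no_log_resolvers
```

The flag is self-declared by each resolver operator, so the filter only narrows the candidate list; it does not verify anything about the resolver's actual behaviour.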
 
Nah... my static list has only 1 pre-configured resolver. It did test the whole csv list.

Only if you have the server_names line in dnscrypt-proxy hashed out (as mentioned in the comment above), like below (default .toml):

Code:
##################################
#         Global settings        #
##################################

## List of servers to use
## If this line is commented, all registered servers will be used

# server_names = ["dnscrypt.org-fr"]

Once you've determined which is fastest (or if you know beforehand which one you want to use), just replace the (short) name between the quotation marks and remove the hash. With the hash removed and multiple servers, separated by commas, specified on the server_names line, it'll only use these. There's no need to test 64 servers if you don't want to, every time you reboot the router or restart dnscrypt-proxy.

My server_names section looks like this (and cisco is the fastest for me as well, but I wanted to use Cisco/OpenDNS beforehand):

Code:
##################################
#         Global settings        #
##################################

## List of servers to use
## If this line is commented, all registered servers will be used

server_names = ["cisco"]
 
Has he implemented the option to ignore timestamps from certs yet? That is necessary to properly integrate it for embedded devices without an RTC.

Not as far as I'm aware. Have you opened an issue to request it on Github? I've added (as suggested by @DonnyJohnny) the following to dnsmasq.conf.add, so it can sync time before dnscrypt-proxy checks timestamps:

Code:
no-resolv
server=127.0.0.1#65053
server=/pool.ntp.org/208.67.220.220
server=/raw.githubusercontent.com/208.67.220.220
 
There is an issue with the recent update, likely after the implementation of service install.

When we enter the terminal (ssh) to killall dnscrypt-proxy and restart dnscrypt-proxy (daemonize = false), dnscrypt-proxy will terminate once we exit the terminal.

If the dnscrypt-proxy is started by router at boot up, there is no issue.

To temporarily resolve the issue, I have to set daemonize = true if I need to refresh the dnscrypt-proxy in the terminal.

I realised that if daemonize = true or it starts up at reboot, the process has ppid=1.
If daemonize = false and it is restarted in the terminal, the ppid is a random number not equal to 1. And when the terminal exits, the process is terminated.

Question:
There is an installation process only compatible with Linux (systemd, Upstart, SysV). What is the asuswrt-Merlin system? Busybox/systemd?

When I try to use the installation of dnscrypt-proxy
dnscrypt-proxy -service install
I received the error
[FATAL] Failed to install DNSCrypt client proxy: open /etc/init.d/dnscrypt-proxy: no such file or directory
Where is this init.d in the context of asuswrt-Merlin? How do we advise Frank to implement installation for asuswrt-Merlin?

Is this the issue I am talking about reported by someone?
https://github.com/jedisct1/dnscrypt-proxy/issues/3
 
I believe it's /opt/etc/init.d if you have Entware installed.

You might want to have a look how the old dnscrypt-proxy is installed by Entware?
 
Correct. The old installer created a script s09dnscrypt in /opt/etc/init.d/. The downside for now is that, when run in daemonize mode, we have no logging. And as far as I know, there's currently no decent way to stop it from running, as with the other services called through init.d.

@DonnyJohnny When starting it in the terminal, do you send it to the background by ending the command with &?
 
Correct. The old installer created a script s09dnscrypt in /opt/etc/init.d/. The downside for now is that, when run in daemonize mode, we have no logging. And as far as I know, there's currently no decent way to stop it from running, as with the other services called through init.d.

@DonnyJohnny When starting it in the terminal, do you send it to the background by ending the command with &?

Yes, it ends with "&"
Code:
killall dnscrypt-proxy
logger -t dnscrypt-proxy "Starting DNSCrypt-proxy"
/jffs/dnscrypt-proxy/dnscrypt-proxy -config /jffs/dnscrypt-proxy/dnscrypt-proxy.toml -loglevel 2 2>&1 | logger -t dnscrypt-proxy &

I believe it's /opt/etc/init.d if you have Entware installed.

You might want to have a look how the old dnscrypt-proxy is installed by Entware?
So we should check with Frank or the entware-Ng developer for the implementation? So busybox doesn't have init.d?
 
So we should check with Frank or the entware-Ng developer for the implementation? So busybox doesn't have init.d?

I think we can partially rewrite the old dnscrypt installer script to work on our devices with the new dnscrypt-proxy 2, using init.d to start it. Given the rapid pace of development I'd prefer waiting until it's stable, as writing an installer script now might mean you can start over in about a week, if he keeps adding functionality at this pace...

We can however write a step by step guide, for those who are up to it, to get started with the current beta releases?
 
I resolved the issue of the terminal logout terminating the process...
Command to use:
Code:
nohup /jffs/dnscrypt-proxy/dnscrypt-proxy -config /jffs/dnscrypt-proxy/dnscrypt-proxy.toml -loglevel 2 2>&1 | logger -t dnscrypt-proxy &
nohup changed the ppid to 1, loading the process in the background.
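The two posts above (the missing init.d start/stop handling for Entware, and the nohup workaround for the SSH logout killing the proxy) can be combined into one Entware-style script. This is an added example, not the old installer's s09dnscrypt script nor anything from the dnscrypt-proxy project; the install path /opt/etc/init.d/S09dnscrypt-proxy, the pidfile and log file locations, and the default binary/config paths (taken from the /jffs/dnscrypt-proxy layout used in the thread) are assumptions that can be overridden through the variables at the top.

```shell
#!/bin/sh
# Entware-style start/stop script for dnscrypt-proxy 2 on Asuswrt-Merlin.
# Assumed location: /opt/etc/init.d/S09dnscrypt-proxy (filename is an assumption).
# Paths follow the thread's /jffs/dnscrypt-proxy layout and may be overridden.

DNSCRYPT_BIN="${DNSCRYPT_BIN:-/jffs/dnscrypt-proxy/dnscrypt-proxy}"
DNSCRYPT_CONF="${DNSCRYPT_CONF:-/jffs/dnscrypt-proxy/dnscrypt-proxy.toml}"
PIDFILE="${PIDFILE:-/var/run/dnscrypt-proxy.pid}"
LOGFILE="${LOGFILE:-/tmp/dnscrypt-proxy.log}"
LOGTAG="dnscrypt-proxy"

log() {
    # syslog on the router; fall back to stdout where logger is unavailable
    logger -t "$LOGTAG" "$1" 2>/dev/null || echo "$LOGTAG: $1"
}

running_pid() {
    # Print the PID from the pidfile only if that process is still alive.
    [ -f "$PIDFILE" ] || return 1
    rp_pid=$(cat "$PIDFILE" 2>/dev/null)
    [ -n "$rp_pid" ] || return 1
    kill -0 "$rp_pid" 2>/dev/null || return 1
    echo "$rp_pid"
}

start() {
    if st_pid=$(running_pid); then
        log "already running (pid $st_pid)"
        return 0
    fi
    log "Starting DNSCrypt-proxy"
    # nohup + & detaches the proxy from the SSH session, so logging out does not
    # kill it (it gets reparented to init, ppid 1) and daemonize can stay false.
    # Output goes to a file instead of a pipe into logger, because with a pipe
    # $! would be the PID of logger rather than of dnscrypt-proxy.
    nohup "$DNSCRYPT_BIN" -config "$DNSCRYPT_CONF" -loglevel 2 >>"$LOGFILE" 2>&1 &
    echo $! >"$PIDFILE"
}

stop() {
    if ! sp_pid=$(running_pid); then
        log "not running"
        rm -f "$PIDFILE"
        return 0
    fi
    log "Stopping DNSCrypt-proxy (pid $sp_pid)"
    kill "$sp_pid" 2>/dev/null || true
    # Reap it if it is our own child, then allow a few seconds before SIGKILL.
    wait "$sp_pid" 2>/dev/null || true
    sp_tries=0
    while kill -0 "$sp_pid" 2>/dev/null && [ "$sp_tries" -lt 5 ]; do
        sleep 1
        sp_tries=$((sp_tries + 1))
    done
    kill -0 "$sp_pid" 2>/dev/null && kill -9 "$sp_pid" 2>/dev/null
    rm -f "$PIDFILE"
}

status() {
    if s_pid=$(running_pid); then
        echo "dnscrypt-proxy is running (pid $s_pid)"
        return 0
    fi
    echo "dnscrypt-proxy is not running"
    return 1
}

main() {
    case "$1" in
        start)   start ;;
        stop)    stop ;;
        restart) stop; start ;;
        status)  status ;;
        *) echo "Usage: $0 {start|stop|restart|status}" >&2; return 1 ;;
    esac
}

# Dispatch only when an action is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Because the PID is recorded at start, `stop` kills exactly the process this script launched instead of every process named dnscrypt-proxy, and `status` answers the "is it still running after I closed the terminal" question without checking ppid by hand.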
 
Beta 2 does not work for me on 384.3_alpha1-gf682bb3 (AC86U).

It removes /tmp/opt, making /opt/etc unreachable (breaking Entware).
 
I understand what you're saying, but don't fully agree on the privacy part. At least it keeps my nosy ISP from keeping a tap on my DNS queries and it validates lookups. Having said that, OpenDNS, nowadays owned by Cisco (which is not particularly a non-dominant player imho) still offers no support for DNSSEC, as far as I'm aware, yet fully supports DNSCrypt (which they introduced) and web-based content filtering. Using Cisco DNS is fully anonymous, unless you decide otherwise by creating an account to personalize your content filtering settings. There are ways to opt out of non-anonymous data collection, based on new legislation, but I feel no need to do so myself, as that's the consequence of enabling OpenDNS stats.

It's a really hard problem to solve, and the DNS and cloud community would really like to solve it.

It's really hard for folks to understand, esp in these days of the "cloud" and hyperscaling, with microservices and what not - to keep services up and running, they generally will fail open if things don't work.

This problem probably exceeds the scope of this thread...

To the comment about "keeping my ISP from keeping a tap..." - hate to say it, but guess what, they are, and have been for some time - DNS is only one item, but they can and do extract everything going across their network - so yes, the lookup may be "masked", but when they start seeing a bunch of traffic from "some inappropriate to some" website, they know the source and destination... and we won't go into carrier grade deep packet inspection tools and technologies that the operators use. When I was in carrier space, we generally used this for analytics and traffic shaping, but even with tech like DNSCrypt, DNSSec, SSL over HTTP, we can monitor and block traffic at a general or even down to a single user level...

(if that sounds scary - yes, it is, and yes, the ISP's have that capability, in many countries it's a regulatory requirement - goes under the name of Lawful Intercept, and in the US, it's covered by CALEA)

And that's at the carrier level... when we look at state level assets, like the GFW and others - that's an order of magnitude of capability that even the big players on the internet cannot compare to. As an example, the GFW knows everything that passes thru it, so folks using VPNs or other things like ShadowSocks, they put up with it, until it reaches a level where things are no longer politically acceptable.

There are seven layers in the OSI stack - any ISP worth their salt is tracking all of them, logging some for general purposes for performance reasons, and logging all if one is a "person of interest" - put all the pieces together, a picture forms for anybody on the internet. And we won't talk about "little brothers" like Facebook and other social networks, or the dark cloud that is matching metadata to known user profiles that have been nabbed via big data breaches.

We're in a world of Big Data, AI, and Machine Learning - using DNSCrypt or DNSSEC, or TOR/VPN - you're not going to compete against a motivated ISP, Little Brother, or a State Agency - there is no privacy...

Best thing that DNSCrypt or DNSSEC can do is validate the lookup for a host from your client, but even then, it's not a given - scary word in DNSCrypt is the word DNSCrypt-Proxy - that means all bets are off...

And those that consider VPN providers or whatever - "we don't keep logs" - yes they do - metadata is what it is - some try to break the puzzle into pieces, but your ISP has all the parts, and the info and analytics lets them do it in a fairly easy manner...

Just calling it as it is - that DNSCrypt or DNSSEC can protect your privacy: it can't, there are ways...
 
That would be awesome @bigeyes0x0! It'll save me the time needed to follow a course 'Shell scripting for dummies'. If possible, could you keep the OpenDNS IP updater in a possible dnscrypt installer v2?
 
Beta 3 has been released. The developer has asked not to do any more feature requests for the time being, so he can focus on a stable v2 release.
 
The note on the timeout in the toml file seems to indicate that if there are no queries, it will terminate the dnscrypt-proxy. The default is 2500. I set it to 4500. I think the process timed out when I set the cert refresh to 60 min instead of 30 min... the 2500 (41.67 min) timeout terminated the process.

I will monitor again.

@bigeyes0x0, can you note that the existing installer is using the old link to the csv.
The new link is
https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v1/dnscrypt-resolvers.csv
 
@sfx2000 Thank you for your extensive reply. I know you're right. At least theoretically and technically. There are differences though, because in the EU we have (at least for now) different legislation. I've been a jr. security officer for one of the largest Dutch Internet Service Providers for several years, even though it's some time ago, before 9/11 that is.

Tapping customer traffic at ISP level is still bound to very strict rules. It's some time ago that it was my daytime job and things have changed, but they're still not allowed to do so without permission from a magistrate; judicial authorization is mandatory. Authorization will only be given if it involves a felony punishable by at least a 4-year sentence. After 9/11 it has become somewhat easier to get a court order to do so; however, taps are nowadays placed using a mobile interception system owned by the Dutch National Police, configured and only accessible by a member of the cybercrime unit of the Dutch National Police. Even the ISP doesn't get to see the information intercepted (which wasn't the case when I did it back then, as I just gathered the info and had to upload it as an encrypted file to a dedicated server).

And you're right, this is beyond the scope of this thread and it's a complex subject. It's more a matter of trying to do what you can do, but I fully agree, it's not even close to waterproof... Our privacy is definitely at stake, but that's apparently for many the price they're willing to pay for (a false sense of) security.
 
That would be awesome @bigeyes0x0! It'll save me the time needed to follow a course 'Shell scripting for dummies'. If possible, could you keep the OpenDNS IP updater in a possible dnscrypt installer v2?
The OpenDNS IP updater is a modular feature so don't worry, it has nothing to do with v2 of dnscrypt-proxy.
 
Beta 2 does not work for me on 384.3_alpha1-gf682bb3 (AC86U).

It removes /tmp/opt, making /opt/etc unreachable (breaking Entware).

I've got beta 4 running without issues. Just make sure you do not install the service as suggested, as it will break things for sure. I'll try to post my way of setting it up manually this weekend.
 