DNSCrypt is reborn!


I’m not sure yet I want to spend much effort on DNSCrypt.

Currently trying DNS over TLS using unbound instead.
 
It actually isn't that much of an effort. Logging to syslog is now implemented and various options are now configurable, all in one file. You just have to make sure not to install it as a service (yet).
 
It depends on if you believe the DNSCrypt resolvers file. There is a flag that indicates if the server is 'logging' or 'non-logging'. When I implemented it in my fork, I put in a filter for this in the server selection.

These options are now configurable in the config file of dnscrypt-proxy as well:

Code:
## Require servers defined by remote sources to satisfy specific properties

# Server must support DNS security extensions
require_dnssec = false

# Server must not log user queries
require_nolog = false

# Server must not enforce its own blacklist (for parental control, ads blocking...)
require_nofilter = false
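
The filtering discussed in the post above, sketched as an added example (not part of the original post and not dnscrypt-proxy's own code): it selects resolvers from a list in the v1 `dnscrypt-resolvers.csv` layout according to `require_dnssec` and `require_nolog`. The column names are an assumption about that file's header, and every row, address and key below is constructed. A blank or unexpected flag value is treated as "not claimed", and the result is only as trustworthy as the list's self-declared flags.

```python
import csv
import io

# Constructed sample in the layout of the v1 dnscrypt-resolvers.csv list
# (column names are an assumption; addresses and keys are placeholders).
SAMPLE_CSV = '''Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
example-a,Example A,"Filtering resolver, keeps logs",Anycast,,https://a.example,1,no,no,no,192.0.2.1:443,2.dnscrypt-cert.a.example,PLACEHOLDER-KEY-A,
example-b,Example B,"No logs, DNSSEC",NL,,https://b.example,1,yes,yes,no,192.0.2.2:443,2.dnscrypt-cert.b.example,PLACEHOLDER-KEY-B,
example-c,Example C,DNSSEC but logs,DE,,https://c.example,1,yes,no,no,192.0.2.3:443,2.dnscrypt-cert.c.example,PLACEHOLDER-KEY-C,
example-d,Example D,Flag left blank,US,,https://d.example,1,,yes,no,192.0.2.4:443,2.dnscrypt-cert.d.example,PLACEHOLDER-KEY-D,
'''


def _claims(row, column):
    # Only an explicit "yes" counts; a blank, missing or odd value fails closed.
    return (row.get(column) or "").strip().lower() == "yes"


def select_resolvers(csv_text, require_dnssec=False, require_nolog=False):
    """Return (accepted names, {rejected name: [reasons]})."""
    accepted, rejected = [], {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if require_dnssec and not _claims(row, "DNSSEC validation"):
            reasons.append("no DNSSEC claim")
        if require_nolog and not _claims(row, "No logs"):
            reasons.append("no no-logs claim")
        if reasons:
            rejected[row["Name"]] = reasons
        else:
            accepted.append(row["Name"])
    return accepted, rejected


if __name__ == "__main__":
    ok, dropped = select_resolvers(SAMPLE_CSV, require_dnssec=True, require_nolog=True)
    print("accepted:", ok)
    for name, why in dropped.items():
        print("rejected:", name, "-", ", ".join(why))
```

The v1 layout assumed here has no column for server-side filtering, so `require_nofilter` is not modelled.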
 
Noob question..
How does opening more listening ports help in using dnscrypt-proxy? The term “local socket” = port?

Does listening on more ports cost more memory?
 
There's a link 'Watch thread' on the upper right corner if you just want to receive notifications from a thread, without posting.



I understand what you're saying, but don't fully agree on the privacy part. At least it keeps my nosy ISP from keeping a tap on my DNS queries and it validates lookups. Having said that, OpenDNS, nowadays owned by Cisco (which is not particularly a non-dominant player imho) still offers no support for DNSSEC, as far as I'm aware, yet fully supports DNSCrypt (which they introduced) and web-based content filtering. Using Cisco DNS is fully anonymous, unless you decide otherwise by creating an account to personalize your content filtering settings. There are ways to opt-out of non-anonymous data collection, based on new legislation, but I feel no need to do so myself, as that's the consequence of enabling OpenDNS stats.

Keep in mind that nothing on the Internet is free. Cisco data mines your DNS requests at the server (encrypted or not on the way there) for their cloud and system based DPI.

/dedd
 
Note: the timeout in the toml file seems to indicate that if there are no queries, it will terminate the dnscrypt-proxy. Default is 2500. I set it to 4500. I think the process timed out when I set the cert refresh to 60 min instead of 30 min.. the 2500 (41.67 min) timeout terminates the process.

I will monitor again.

@bigeyes0x0, can you note that the existing installer is using the old link to the csv.
The new link is
https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v1/dnscrypt-resolvers.csv
Link fixed in the installer.

The timeout you said is likely for query timeout.
 
@sfx2000 Thank you for your extensive reply. I know you're right. At least theoretically and technically. There are differences though, because in the EU we have (at least for now) different legislation. I've been a jr. security officer for one of the largest Dutch internet Service Providers for several years, even though it's some time ago, before 9/11 that is.

Tapping customer traffic at ISP level is still bound to very strict rules. It's some time ago it was my daytime job and things have changed, but they're still not allowed to do so without permission from a magistrate, judicial authorization is mandatory. Authorization will only be given if it involves a felony punishable by at least a 4 years sentence. After 9/11 it has become somewhat easier to get a court order to do so, however taps are nowadays being placed using a mobile interception system owned by the Dutch National Police, configured and only accessible by a member of the cybercrime unit of the Dutch National Police. Even the ISP doesn't get to see the information intercepted (which wasn't the case when I did it back then, as I just gathered the info and had to upload it as an encrypted file to a dedicated server).

And you're right, this is beyond the scope of this thread and it's a complex subject. It's more a matter of trying to do what you can do, but I fully agree, it's not even close to waterproof... Our privacy is definitely at stake, but that's apparently for many the price they're willing to pay for (a false sense of) security.

I used to work for one of the largest telco's in the world... 9/11 changed everything... and then social networking changed it again...

I'm just saying - one can't hide - facebook, amazon, google, netflix, apple - they all know about things, where one is, what they're doing, etc - the logs from the ISP's - which takes a legal document, just confirms things.

Something like DNSCrypt - it's validation for a lookup, but it's not going to do anything to protect one's privacy - that's gone, serious, it's kaput, over and out, roger that...
 
Correct me if I am wrong. Following the thread for last few days, I get the idea that this tool is for experienced users only. And the developers or the current users do not have the time to write a tutorial on how to use it.

 
The problem is the new dnscrypt-proxy is still in beta and development is moving rather fast there. Writing a tutorial or updating my own script to support the new version was not a good idea until just now.

I'm working on updating my installer script. For the tutorial I'm sure some of the more experienced users will come to do it sooner or later.

EDIT: I dunno why my posts keep getting flagged for admin approval, can someone do something about it :(
 
Correct me if I am wrong. Following the thread for last few days, I get the idea that this tool is for experienced users only. And the developers or the current users do not have the time to write a tutorial on how to use it.

I'd be more than happy to correct you ;)

This tool is not for experienced users only, it's just developing very rapidly with expanding possibilities on a daily basis. As you can see in my post a few posts above yours, I'm referring to the thread of the installer for dnscrypt-proxy for Asuswrt by @bigeyes0x0. Bigeyes0x0 is currently in contact with the developer of dnscrypt-proxy v2, Frank Denis, to get his original v1 installer script working with v2. So it's just a matter of time (and keeping an eye on the other thread). Sure, I can outline what I've done manually to get it up and running (which works great btw), but it would be a manual process which is most likely not suitable for every user. It means manually extracting the archive, editing some files, creating folders, getting the contents of the archive in the right place etcetera. Not a big deal, but it'll take you some time. Most likely by the time I'm done writing it down, a new beta has been released. Furthermore, how I've currently done it, it's not compliant with the guidelines @RMerlin has given for installing scripts, which I want to respect, but I don't have enough knowledge to understand everything. Given the fact that I'm a scripting noob and @bigeyes0x0 is way more experienced, I think it would be best to wait for his installer script. I think it'll be definitely worth it. It just takes some patience.
 
I have written a simple quick start in my first post.
https://www.snbforums.com/threads/dnscrypt-is-reborn.43869/

Thanks for the effort @DonnyJohnny. Is it running as a daemon without issues now?

Edit: maybe there's something missing at the end? I see

Code:
Add this along first line. ( all

in the last few lines in your instructions? Not sure what should have been there?

Edit 2: Might as well put a link to the installer thread as soon as it's finished, so people don't have to go through this entire thread to find out there's an installer to run it as a service...
 
Edited the post.
Just to remind people, all sh files must have #!/bin/sh as the first line.

I have no problem running it with daemonize = true.

If I set it to false, some time after 1 hr or so, the process gets terminated by itself.
Maybe it is due to a memory issue and the process is forcibly terminated.
I did experiment with lowering the cache size from 256 to 128. It seems better but I didn't do a comprehensive test on it.
To be safe I use daemonize = true, and one good thing is there is no spamming of syslog with the refresh of the cert.
 
EDIT: I dunno why my posts keep getting flagged for admin approval, can someone do something about it :(

Same here, it's because there has been a lot of spam activity (see message on top of the page). I think over half of my messages get flagged and it can take hours before approval, which is kind of annoying, but apparently necessary...
 
New one is written in Go, which consumes too many resources on embedded systems :(
ryzhov_al,

Since the last firmware update 380.69_2 on AC66U, I'm not able to start dnscrypt:

/tmp/home/root# dnscrypt-proxy --local-address=127.0.0.1:65053 --daemonize -R cisco
/tmp/mnt/sda1/asusware/sbin/dnscrypt-proxy: can't load library 'libsodium.so.18'

Before updating the firmware, I checked if there's any package update before and nothing was updated

Installed packages:
dnscrypt-proxy - 1.9.5-7
dnscrypt-proxy-resolvers - 1.9.5+git-20170530-60baef4-7
libldns - 1.6.17-2
libsodium - 1.0.16-1

Any workaround ?

Thanks in advance
 
As workaround:

I managed to solve it by creating a symlink:

/tmp/mnt/sda1/asusware/lib# ln -s libsodium.so.23.1.0 libsodium.so.18

/tmp/mnt/sda1/asusware/etc/init.d# dnscrypt-proxy --local-address=127.0.0.1:65053 --daemonize -R cisco
Tue Jan 30 14:46:06 2018 [INFO] - [cisco] does not support DNS Security Extensions
Tue Jan 30 14:46:06 2018 [WARNING] - [cisco] logs your activity - a different provider might be better a choice if privacy is a concern
 
Since the last firmware update 380.69_2 on AC66U, I'm not able to start dnscrypt:

Hi @WaVeR, out of curiosity: any particular reason why you keep using the 'old' version of dnscrypt-proxy? Dnscrypt-proxy v2 (although still in beta) works like a charm and it's actually not that much of a resource hungry process. It's using around 3.6 Mb currently on my RT-AC68U, it's stable and it's fast. You might consider looking at the installer @bigeyes0x0 wrote, which can be found in this post: https://www.snbforums.com/threads/release-dnscrypt-installer-for-asuswrt.36071/page-19#post-375531 It'll save you some future hassle as it doesn't depend on other packages and development is evolving quickly. Beta 12 is in the making: https://github.com/jedisct1/dnscrypt-proxy
 