DNScrypt Dnscrypt Proxy Installer For Asuswrt-Merlin(Nov.)

[Jack Yaz]

I seem to have exactly what this user described.

this looks like a problem in dnscrypt-proxy for dropping group privileges. might be worth reporting upstream: https://github.com/DNSCrypt/dnscrypt-proxy/issues

 

[panni]

OK, I've gotten much further now.

Before committing this line: => Do you want to remove any old relay setups (recommended)? [y/n]: n
I edited the generated toml file and commented out the privilege drop to nobody.

Then I continued with the installer and everything seems to have went through.

Mar 24 12:24:04 admin: Start dnscrypt-proxy
Mar 24 12:24:04 dnscrypt-proxy[2619]: dnscrypt-proxy 2.0.45
Mar 24 12:24:04 dnscrypt-proxy[2619]: Network connectivity detected
Mar 24 12:24:04 dnscrypt-proxy[2619]: Now listening to 127.0.1.1:53 [UDP]
Mar 24 12:24:04 dnscrypt-proxy[2619]: Now listening to 127.0.1.1:53 [TCP]
Mar 24 12:24:04 dnscrypt-proxy[2619]: Source [relays] loaded
Mar 24 12:24:05 dnscrypt-proxy[2619]: Source [public-resolvers] loaded
Mar 24 12:24:05 dnscrypt-proxy[2619]: Firefox workaround initialized
Mar 24 12:24:05 dnscrypt-proxy[2619]: [cs-dk] OK (DNSCrypt) - rtt: 31ms
Mar 24 12:24:05 dnscrypt-proxy[2619]: Server with the lowest initial latency: cs-dk (rtt: 31ms)
Mar 24 12:24:05 dnscrypt-proxy[2619]: dnscrypt-proxy is ready - live servers: 1

 

[SomeWhereOverTheRainBow]

I seem to have exactly what this user described.

So there is an issue with the dnscrypt-proxy dropping the appropriate privileges for some models. The dnscrypt-proxy should be able to run as nobody for the sake of the router. Otherwise permission files will have issues later on down the road for servers and relays.

 

[SomeWhereOverTheRainBow]

this looks like a problem in dnscrypt-proxy for dropping group privileges. might be worth reporting upstream: https://github.com/DNSCrypt/dnscrypt-proxy/issues

It is funny though because all the other arm7l (on the same dnscrypt-proxy 2 linux-arm branch) routers i have tested using the "nobody" user works.

it is only these newer model routers that have this newer kernal that seem to be having the issue.


I went ahead and open a bug report with dnscrypt-proxy 2 though.

 

[panni]

Yep seems to be working:

./dnscrypt-proxy -resolve heise.de
Resolving [heise.de] using 127.0.1.1 port 53

Resolver      : 136.244.97.114 (chewbacca.meganerd.nl.)

Canonical name: heise.de.

IPv4 addresses: 193.99.144.80
IPv6 addresses: 2a02:2e0:3fe:1001:302::

Name servers  : ns.heise.de., ns.s.plusline.de., ns.pop-hannover.de., ns.plusline.de., ns2.pop-hannover.net.
DNSSEC signed : no
Mail servers  : 1 mail servers found

HTTPS alias   : -
HTTPS info    : -

Host info     : -
TXT records   : google-site-verification=7V0tj7RnW0cPfzzAjBpk9b_5E0wPSIIWQFqn-IcxXwg, v=spf1 ip4:193.99.144.0/24 ip4:193.99.145.0/24 ip6:2a02:2e0:3fe:1001::/64 ip6:2a00:e68:14:800::/64 ip4:193.100.232.56 ip6:2a00:e68:14:801:bad::beef include:spf.dynect.net include:_spfdiv.heise.de include:_spf.intan.net ?all, apple-domain-verification=m53iQZB4O1uMxDGR, NqhRTIfrPGgq30dmx8FXOdhIQrKc063SrTotAg2FN52Bpv5dNAI9BIqsewfaGHqNW/aWB4mPUVmtg2r7STP3HQ==, wUIdRqARf1uNkZkPoWGdYvEmK408vvKC3HKme1h/rnswYDphj9Ytgwt6K1Df1PQnW64Oi3t9c9uKoo989wv8xw==

Thanks for the help.

Any time I use the installer to configure anything I have to drop the nobody line before continuing with the final steps.


Offtopic: I've seen you only using the cloudflare DNS without any relays. Was this a test config or do you use it that way?
My current config chooses the servers automatically and I've set these server requirements:

## Require servers (from static + remote sources) to satisfy specific properties


# Use servers reachable over IPv4
ipv4_servers = true


# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
ipv6_servers = false


# Use servers implementing the DNSCrypt protocol
dnscrypt_servers = true


# Use servers implementing the DNS-over-HTTPS protocol
doh_servers = false




## Require servers defined by remote sources to satisfy specific properties


# Server must support DNS security extensions (DNSSEC)
require_dnssec = false


# Server must not log user queries (declarative)
require_nolog = true


# Server must not enforce its own blocklist (for parental control, ads blocking...)
require_nofilter = true


# Server names to avoid even if they match all criteria
# disabled_server_names = []

I've enabled a couple of EU relays and left it at that. Is this a "valid"/"recommended" configuration I'm using?
Is there a counter argument against relays?

 

[SomeWhereOverTheRainBow]

Yep seems to be working:

./dnscrypt-proxy -resolve heise.de
Resolving [heise.de] using 127.0.1.1 port 53

Resolver      : 136.244.97.114 (chewbacca.meganerd.nl.)

Canonical name: heise.de.

IPv4 addresses: 193.99.144.80
IPv6 addresses: 2a02:2e0:3fe:1001:302::

Name servers  : ns.heise.de., ns.s.plusline.de., ns.pop-hannover.de., ns.plusline.de., ns2.pop-hannover.net.
DNSSEC signed : no
Mail servers  : 1 mail servers found

HTTPS alias   : -
HTTPS info    : -

Host info     : -
TXT records   : google-site-verification=7V0tj7RnW0cPfzzAjBpk9b_5E0wPSIIWQFqn-IcxXwg, v=spf1 ip4:193.99.144.0/24 ip4:193.99.145.0/24 ip6:2a02:2e0:3fe:1001::/64 ip6:2a00:e68:14:800::/64 ip4:193.100.232.56 ip6:2a00:e68:14:801:bad::beef include:spf.dynect.net include:_spfdiv.heise.de include:_spf.intan.net ?all, apple-domain-verification=m53iQZB4O1uMxDGR, NqhRTIfrPGgq30dmx8FXOdhIQrKc063SrTotAg2FN52Bpv5dNAI9BIqsewfaGHqNW/aWB4mPUVmtg2r7STP3HQ==, wUIdRqARf1uNkZkPoWGdYvEmK408vvKC3HKme1h/rnswYDphj9Ytgwt6K1Df1PQnW64Oi3t9c9uKoo989wv8xw==

Thanks for the help.

Any time I use the installer to configure anything I have to drop the nobody line before continuing with the final steps.


Offtopic: I've seen you only using the cloudflare DNS without any relays. Was this a test config or do you use it that way?
My current config chooses the servers automatically and I've set these server requirements:

## Require servers (from static + remote sources) to satisfy specific properties


# Use servers reachable over IPv4
ipv4_servers = true


# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
ipv6_servers = false


# Use servers implementing the DNSCrypt protocol
dnscrypt_servers = true


# Use servers implementing the DNS-over-HTTPS protocol
doh_servers = false




## Require servers defined by remote sources to satisfy specific properties


# Server must support DNS security extensions (DNSSEC)
require_dnssec = false


# Server must not log user queries (declarative)
require_nolog = true


# Server must not enforce its own blocklist (for parental control, ads blocking...)
require_nofilter = true


# Server names to avoid even if they match all criteria
# disabled_server_names = []

I've enabled a couple of EU relays and left it at that. Is this a "valid"/"recommended" configuration I'm using?
Is there a counter argument against relays?

That was simply a test. There are multiple ways to configure. For me, that is the quickest way to test.

 

[SomeWhereOverTheRainBow]

Here is the GT-AX11000 Test

 Info:  JFFS custom scripts and configs are already enabled.
Info:  DNS Environment is Ready.
Info:  Choose what you want to do:
  1) Install/Update dnscrypt-proxy
  2) Uninstall dnscrypt-proxy
  3) Configure dnscrypt-proxy
  4) Set timezone
  5) Unset timezone
  6) Install (P)RNG
  7) Uninstall (P)RNG
  8) Install swap file
  9) Uninstall ALL
  q) Quit
=>  Please enter the number that designates your selection:, [1-9/q]: 1
Info:  This operation will install dnscrypt-proxy and related files (<6MB)
Info:  to jffs, no other data will be changed.
Info:  Also some start scripts will be installed/modified as required.

=>  Do you want to install dnscrypt-proxy to /jffs? [y/n]: y
Info:  Downloading installer
Info:  Downloading manager
Info:  Downloading dnscrypt-proxy-linux_arm64-2.0.45.tar.gz
linux-arm64/
linux-arm64/example-blocked-names.txt
linux-arm64/example-dnscrypt-proxy.toml
linux-arm64/dnscrypt-proxy
linux-arm64/example-blocked-ips.txt
linux-arm64/example-allowed-ips.txt
linux-arm64/example-captive-portals.txt
linux-arm64/localhost.pem
linux-arm64/example-cloaking-rules.txt
linux-arm64/example-forwarding-rules.txt
linux-arm64/LICENSE
linux-arm64/example-allowed-names.txt
Info:  Downloading public-resolvers.md
Info:  Downloading public-resolvers.md.minisig
Info:  Downloading relays.md
Info:  Downloading relays.md.minisig
Info:  Creating dnsmasq.postconf file
Info:  Configure dnsmasq.postconf file
Info:  Creating init-start file
Info:  Configure init-start file
Info:  Configuring dnscrypt-proxy...
=>  Do you want to redirect all DNS resolutions on your network through this proxy? [y/n]: n
=>  Do you want to use DNS server over IPv6 (yes only if your connection has IPv6)? [y/n]: n
Info:  Choose DNS resolving load balancing strategy:
  1) p2 (default)
  2) ph
  3) first
  4) random
=>  Select your mode, [1-4]: 1
=>  Do you want to use load balance estimator to adjust resolvers based on latency calculations? [y/n]: y
Info:  Choose how your DNS servers are selected:
  1) Automatically
  2) Manually
  3) Static
=>  Select your mode, [1-3]: 2
Info:  Available DNS servers:
***shortened for ease***
  27) cloudflare: Cloudflare DNS (anycast) - aka 1.1.1.1 / 1.0.0.1
  28) cloudflare-family: Cloudflare DNS (anycast) with malware protection and parental control - aka 1.1.1.3 / 1.0.0.3
  29) cloudflare-security: Cloudflare DNS (anycast) with malware blocking - aka 1.1.1.2 / 1.0.0.2
***shortened for ease****
=>  Please choose DNS server., [1-195]: 27
=>  Please choose next DNS server or press n to stop., [1-195/n]: 29
=>  Please choose next DNS server or press n to stop., [1-195/n]: n
Info:  Set the DNS server(s) for initializing dnscrypt-proxy
Info:  and router services (e.g. ntp) at boot
=>  Default is 9.9.9.9: 1.1.1.1
=>  2nd Default is 8.8.8.8: 1.0.0.1
=>  Set log level, default is 2, 0 is the most verbose, [0-6]: 0
Info:  Writing dnscrypt-proxy configuration...
Info:  Evaluating other possibilities for dnscrypt-proxy configuration...
Info:  Checking for Anonymized Dnscrypt Support.
..
...
....
.....
......
Info:  You may specify Wild-card Relay Support (server_name *) with option 1 (this supports only DNSCrypt Servers).
* Warning:  All DNSCRYPT Server traffic will be sent through same set of chosen Relays with Wild-Card Option.
Info:  Option 2 gives you the choice to Setup Relays per Dnscrypt-Server.
Info:  Option 3 allows you to skip relay configuration or remove old relays configurations.
* Warning:  Option 1 & 2 delete old relay configurations.
* Warning:  Issues may occur if you are not using same servers as defined in relays.
Info:  What do you want to do:
  1) All Servers with Wild-Card Relay Support.
  2) Pick Relays for DNSCRYPT servers (Per Server).
  3) Skip Setting-up/Modifying Relay Support.
=>  Your choice, [1-3]: 3
=>  Do you want to remove any old relay setups (recommended)? [y/n]: n
Info:  You chose to continue without setting up relays or modifying relay support.
Info:  Checking dnscrypt-proxy configuration...
[2021-03-24 07:48:36] [NOTICE] dnscrypt-proxy 2.0.45
[2021-03-24 07:48:36] [NOTICE] Dropping privileges
[2021-03-24 07:48:36] [NOTICE] Source [relays] loaded
[2021-03-24 07:48:36] [NOTICE] Source [public-resolvers] loaded
[2021-03-24 07:48:36] [NOTICE] Configuration successfully checked
Info:  Starting dnscrypt-proxy...
Info:  For dnscrypt-proxy version 2 to work reliably, you might also want to:
Info:   - Add swap
Info:   - Add a RNG
Info:   - Set your timezone
Info:  Operation completed. You can quit or continue
=====================================================

I will shortly post a test using the RT-AC68U and the RT-AC5300 which will be using the same dev files as @panni to test the privileges one more time.

 

[dave14305]

I believe your jffs2_enable should be reporting a 1 value if it is enabled properly, it does on all the routers i have tested.

jffs2_enable was removed in this commit:

rc: replace jffs2_enable with jffs2_on as used upstream · RMerl/asuswrt-merlin.ng@491b14c

Since we no longer allow users to enable/disable the jffs2 partition there is no point in using a different variable. The name change is old legacy code from back when we used to make it user conf...

github.com

 

[SomeWhereOverTheRainBow]

 Info:  JFFS custom scripts and configs are already enabled.
Info:  DNS Environment is Ready.
Info:  Choose what you want to do:
  1) Install/Update dnscrypt-proxy
  2) Uninstall dnscrypt-proxy
  3) Configure dnscrypt-proxy
  4) Set timezone
  5) Unset timezone
  6) Install (P)RNG
  7) Uninstall (P)RNG
  8) Install swap file
  9) Uninstall ALL
  q) Quit
=>  Please enter the number that designates your selection:, [1-9/q]: 1
Info:  This operation will install dnscrypt-proxy and related files (<6MB)
Info:  to jffs, no other data will be changed.
Info:  Also some start scripts will be installed/modified as required.

=>  Do you want to install dnscrypt-proxy to /jffs? [y/n]: y
Info:  Downloading installer
Info:  Downloading manager
Info:  Downloading dnscrypt-proxy-linux_arm-2.0.45.tar.gz
linux-arm/
linux-arm/example-blocked-names.txt
linux-arm/example-dnscrypt-proxy.toml
linux-arm/dnscrypt-proxy
linux-arm/example-blocked-ips.txt
linux-arm/example-allowed-ips.txt
linux-arm/example-captive-portals.txt
linux-arm/localhost.pem
linux-arm/example-cloaking-rules.txt
linux-arm/example-forwarding-rules.txt
linux-arm/LICENSE
linux-arm/example-allowed-names.txt
Info:  Downloading public-resolvers.md
Info:  Downloading public-resolvers.md.minisig
Info:  Downloading relays.md
Info:  Downloading relays.md.minisig
Info:  Creating dnsmasq.postconf file
Info:  Configure dnsmasq.postconf file
Info:  Creating init-start file
Info:  Configure init-start file
Info:  Configuring dnscrypt-proxy...
=>  Do you want to redirect all DNS resolutions on your network through this proxy? [y/n]: n
=>  Do you want to use DNS server over IPv6 (yes only if your connection has IPv6)? [y/n]: n
Info:  Choose DNS resolving load balancing strategy:
  1) p2 (default)
  2) ph
  3) first
  4) random
=>  Select your mode, [1-4]: 1
=>  Do you want to use load balance estimator to adjust resolvers based on latency calculations? [y/n]: y
Info:  Choose how your DNS servers are selected:
  1) Automatically
  2) Manually
  3) Static
=>  Select your mode, [1-3]: 2
Info:  Available DNS servers:
*******Shortened for Your eyes******
  27) cloudflare: Cloudflare DNS (anycast) - aka 1.1.1.1 / 1.0.0.1
  28) cloudflare-family: Cloudflare DNS (anycast) with malware protection and parental control - aka 1.1.1.3 / 1.0.0.3
  29) cloudflare-security: Cloudflare DNS (anycast) with malware blocking - aka 1.1.1.2 / 1.0.0.2
****shortened for your eyes....******
=>  Please choose DNS server., [1-195]: 27
=>  Please choose next DNS server or press n to stop., [1-195/n]: 29
=>  Please choose next DNS server or press n to stop., [1-195/n]: n
Info:  Set the DNS server(s) for initializing dnscrypt-proxy
Info:  and router services (e.g. ntp) at boot
=>  Default is 9.9.9.9: 1.1.1.1
=>  2nd Default is 8.8.8.8: 1.0.0.1
=>  Set log level, default is 2, 0 is the most verbose, [0-6]: 0
Info:  Writing dnscrypt-proxy configuration...
Info:  Evaluating other possibilities for dnscrypt-proxy configuration...
Info:  Checking for Anonymized Dnscrypt Support.
..
...
....
.....
......
Info:  You may specify Wild-card Relay Support (server_name *) with option 1 (this supports only DNSCrypt Servers).
* Warning:  All DNSCRYPT Server traffic will be sent through same set of chosen Relays with Wild-Card Option.
Info:  Option 2 gives you the choice to Setup Relays per Dnscrypt-Server.
Info:  Option 3 allows you to skip relay configuration or remove old relays configurations.
* Warning:  Option 1 & 2 delete old relay configurations.
* Warning:  Issues may occur if you are not using same servers as defined in relays.
Info:  What do you want to do:
  1) All Servers with Wild-Card Relay Support.
  2) Pick Relays for DNSCRYPT servers (Per Server).
  3) Skip Setting-up/Modifying Relay Support.
=>  Your choice, [1-3]: 3
=>  Do you want to remove any old relay setups (recommended)? [y/n]: n
Info:  You chose to continue without setting up relays or modifying relay support.
Info:  Checking dnscrypt-proxy configuration...
[2021-03-24 12:07:49] [NOTICE] dnscrypt-proxy 2.0.45
[2021-03-24 12:07:49] [NOTICE] Dropping privileges
[2021-03-24 12:07:49] [NOTICE] Source [public-resolvers] loaded
[2021-03-24 12:07:49] [NOTICE] Source [relays] loaded
[2021-03-24 12:07:49] [NOTICE] Configuration successfully checked
Info:  Starting dnscrypt-proxy...
Info:  For dnscrypt-proxy version 2 to work reliably, you might also want to:
Info:   - Add swap
Info:   - Add a RNG
Info:   - Set your timezone
Info:  Operation completed. You can quit or continue
=====================================================

@dave14305 @Jack Yaz @panni @Zastoff @RMerlin



So apparently it drops privileges fine on the RT-AC68U using the same dnscrypt-proxy 2 build as the RT-AX58U. Both are ARMv7 architecture using the same dnscrypt-proxy 2 linux-arm. So there has to be something different in the Kernals of the RT-AX56U and RT-AX58U preventing this from dropping privileges the way it is currently done. There is some suggestions that this may be linked to CONFIG_MULTIUSER=y not added to the kernal at build time. (Pardon any ignorance if not, I am not aware of the kernal build processes for asuswrt-merlin), But I have reviewed the kernal build files for both models and it contains the proper CONFIG_MULTIUSER=y flag.


Haveged Should be working as well, but it is not for the RT-AX56U and RT-AX58U which is probably linked to this same privilege issue.

 

[RMerlin]

I can see the same thing with dnsmasq which fails to switch to nobody on the RT-AX58U.

I'll have to see if that kernel option can be enabled without breaking anything else (kernel options are always tricky to change).

 

[RMerlin]

CONFIG_MULTIUSER is already enabled.

admin@RT-AX58U-E588:/tmp/home/root# zcat /proc/config.gz | grep CONFIG_MULTIUSER
CONFIG_MULTIUSER=y

 

[RMerlin]

The issue seem to be random, because now it no longer happens on my RT-AX58U. Joy...

False alarm actually, dnsmasq does drop privileges properly. Looks like a bug specific to dnscrypt then IMHO, not the firmware.

 

[SomeWhereOverTheRainBow]

The issue seem to be random, because now it no longer happens on my RT-AX58U. Joy...

False alarm actually, dnsmasq does drop privileges properly. Looks like a bug specific to dnscrypt then IMHO, not the firmware.

I am going to do some digging around as this issue seems to only happen with the RT-AX58U and RT-AX56U and dnscrypt-proxy 2 .. So whatever is happening is exclusive between the two. As I have tested with RT-AC68U, RT-AC5300, and RT-AC3100. They work perfectly fine with dropping privileges. Each one uses the same dnscrypt proxy2 build as the RT-AX58U and RT-AX56U. There has to be something missing here.

I could try running as $(nvram get http_username), but I am not sure the impact. I will have to test it. Then I would need someone with one of the two models to test as well to verify it can work as such.

Edit:
Never mind I see running as user nobody had its intended security purpose.

 

[SomeWhereOverTheRainBow]

I am talking with the Developer of Dnscrypt-proxy. I need a user with a RT-AX56U or the RT-AX58U to recreate this issue. Once they have, I need them to type into the terminal

cd /jffs/dncrypt && ./dnscrypt-proxy -list

And then provide me with the output. This will provide me with the appropriate error codes needed to give the developer for troubleshoot this better.

@panni @farhanito

 

[panni]

OK, seems like this will not get fixed unless we have a newer kernel or a custom build of DNSCrypt-Proxy with the correct syscall for dropping privileges.

Damn shame. I guess I'll have to trust that binary now by running it with full privileges.

@SomeWhereOverTheRainBow why does it work on the AC68U, though? Does that router run a newer kernel?

 

[SomeWhereOverTheRainBow]

The RT-AC68U has an older kernel known not to have issue with GO, in some cases kernel 4.1 has issues with GO from my understanding, and it appears the RT-AX56U and RT-AX58U are one of those cases. So far with the models I can test, the Dnscrypt-Proxy2 works with the RT-AX88U, GT-AX11000, RT-AC5300, RT-AC3100, RT-AC68U(R), RT-AC56. Those are all the models I can personally say it works on. I imagine it would work for the AC88U and AC86U, but I have not been able to confirm for those models. I know it works for the RT-AC87U. @Zastoff can tell you about that.

 

[SomeWhereOverTheRainBow]

OK, seems like this will not get fixed unless we have a newer kernel or a custom build of DNSCrypt-Proxy with the correct syscall for dropping privileges.

Damn shame. I guess I'll have to trust that binary now by running it with full privileges.

@SomeWhereOverTheRainBow why does it work on the AC68U, though? Does that router run a newer kernel?

I know you wanted to take advantage of DNScrypt-proxy 2 and I hope overtime the bug issue gets worked out between dnscrypt-proxy2 and the RT-AX56U and 58U, but if you still want dns privacy, you should be able to take advantage of using the builtin Stubby provided by Asuswrt-Merlin firmware. It offers the same level of protection, but uses a different protocol.

 

[DonnyJohnny]

I am no developer or programming knowledge. Just playing around with the building own source.
Dnscrypt-proxy last update was 4 Jan. Since then, lot of misc updates. not sure what are they but i supposed it should make it better.
I followed the instruction from

Building from source

dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols. - DNSCrypt/dnscrypt-proxy

github.com

and built it for my RT-86U (Linux-ARM8) ONLY
My compiled source is built based on this commit f9cecd1

Do not ignore ODoH encryption errors · DNSCrypt/dnscrypt-proxy@31f4d7a

dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols. - Do not ignore ODoH encryption errors · DNSCrypt/dnscrypt-proxy@31f4d7a

github.com

Uploaded the file (note that the version everything still the same as i didn't modify anything)

dnscryptproxy - FileLeaks

Upload your files anonymously and free on FileLeaks! We prevent from getting you traceback & delete all informations that could help with it!

fileleaks.com

(Linux-ARM8) ONLY

Instruction
- Backup your existing dnscrypt-proxy located in /jffs/dnscrypt
- copy my file into the folder. (permission should be 0755, same as the exisitng)
- I checked the changes done on dnscrypt-proxy.toml, other than some new explanations, the only changes is

Rename fallback_resolvers to bootstrap_resolvers · DNSCrypt/dnscrypt-proxy@c500287

Clarify what they are used for. Remove the legacy `fallback_resolver`.

github.com

fallback_resolvers = ['9.9.9.9:53', '8.8.8.8:53']
changed to
bootstrap_resolvers = ['9.9.9.9:53', '8.8.8.8:53']

Once u done the above, you can restart your dnscrypt
/jffs/dnscrypt/manager dnscrypt-start



For easily modification of file and transferring of file between router and windows, u can also use Winscp

WinSCP

WinSCP is a popular free SFTP and FTP client for Windows, a powerful file manager that will improve your productivity. It supports also local-local mode and FTPS, S3, SCP and WebDAV protocols. Power users can automate WinSCP using .NET assembly.

winscp.net

 

[Zastoff]

I am no developer or programming knowledge. Just playing around with the building own source.
Dnscrypt-proxy last update was 4 Jan. Since then, lot of misc updates. not sure what are they but i supposed it should make it better.
I followed the instruction from

Building from source

dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols. - DNSCrypt/dnscrypt-proxy

github.com

and built it for my RT-86U (Linux-ARM8) ONLY

Uploaded the file (note that the version everything still the same as i didn't modify anything)

dnscryptproxy - FileLeaks

Upload your files anonymously and free on FileLeaks! We prevent from getting you traceback & delete all informations that could help with it!

fileleaks.com

(Linux-ARM8) ONLY

Instruction
- Backup your existing dnscrypt-proxy located in /jffs/dnscrypt
- copy my file into the folder. (permission should be 0755, same as the exisitng)
- I checked the changes done on dnscrypt-proxy.toml, other than some new explanations, the only changes is

Rename fallback_resolvers to bootstrap_resolvers · DNSCrypt/dnscrypt-proxy@c500287

Clarify what they are used for. Remove the legacy `fallback_resolver`.

github.com

fallback_resolvers = ['9.9.9.9:53', '8.8.8.8:53']
changed to
bootstrap_resolvers = ['9.9.9.9:53', '8.8.8.8:53']

Once u done the above, you can restart your dnscrypt
/jffs/dnscrypt/manager dnscrypt-start



For easily modification of file and transferring of file between router and windows, u can also use Winscp

WinSCP

WinSCP is a popular free SFTP and FTP client for Windows, a powerful file manager that will improve your productivity. It supports also local-local mode and FTPS, S3, SCP and WebDAV protocols. Power users can automate WinSCP using .NET assembly.

winscp.net

Nicely done @DonnyJohnny
Have you had time to look at the added ODoH? Does it work in your Linux-ARM8 version?

https://www.reddit.com/r/dnscrypt/comments/mggx9x

A interesting fork on DNSCrypt-proxy (Maybe it has a more working version of ODoH atm)

 

[DonnyJohnny]

Nicely done @DonnyJohnny
Have you had time to look at the added ODoH? Does it work in your Linux-ARM8 version?

https://www.reddit.com/r/dnscrypt/comments/mggx9x

A interesting fork on DNSCrypt-proxy (Maybe it has a more working version of ODoH atm)

I assumed the compiled source is built based on this commit f9cecd1

Do not ignore ODoH encryption errors · DNSCrypt/dnscrypt-proxy@31f4d7a

dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols. - Do not ignore ODoH encryption errors · DNSCrypt/dnscrypt-proxy@31f4d7a

github.com

In theory, the file already is ODOH ready but i don't know how to play with the toml file.

dnscrypt-proxy/.ci at master · DNSCrypt/dnscrypt-proxy

dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols. - DNSCrypt/dnscrypt-proxy

github.com

Also note that they using different listening port of 5300. so in Router we need to make dnsmasq listen to this port.

dnscrypt-proxy/.ci/test2-dnscrypt-proxy.toml at master · DNSCrypt/dnscrypt-proxy

dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols. - DNSCrypt/dnscrypt-proxy

github.com

I am no developer. totally no knowledge. anyone good can try to figure it out with the toml.

But as jedisct1 mentioned, this oDOH is built similiar to Anonymized DNScrypt and very few relay server supporting it. also i think currently only cloudflare working on it.

So maybe just wait for 2.0.46 to be official with more servers supporting oDOH