DNScrypt Dnscrypt Proxy Installer For Asuswrt-Merlin(Nov.)

Yeah this problem began when 'manager' began taking over the restart process using /jffs/dnscrypt/manager dnscrypt-start

Never used to see "user defined signal 1" or manager doing the restart before.
Did a couple of restarts on dnscrypt-proxy now and in the log on the router the restart only takes ~1sec
I used the
Code:
service restart_dnscrypt-proxy
&
Code:
/jffs/dnscrypt/manager dnscrypt-start
Both restart the proxy in the same time in router log but the "/jffs/dnscrypt/manager dnscrypt-start" takes a longer time to finish in the ssh client..
Maybe @SomeWhereOverTheRainBow has an idea on it or can explain it more when he is online.
Mar 15 17:22:13 RT-AX88U-6C58 manager[18935]: Warning: dnscrypt-proxy is dead; manager[18935] will start it!
Mar 15 17:22:13 RT-AX88U-6C58 manager[18935]: Starting dnscrypt-proxy from manager[18935].
Mar 15 17:22:13 RT-AX88U-6C58 rc_service: service 19311:notify_rc restart_dnsmasq
Mar 15 17:22:13 RT-AX88U-6C58 custom_script: Running /jffs/scripts/service-event (args: restart dnsmasq)
Mar 15 17:22:13 RT-AX88U-6C58 dnscrypt-proxy[19308]: dnscrypt-proxy 2.1.1
Mar 15 17:22:14 RT-AX88U-6C58 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
Mar 15 17:22:14 RT-AX88U-6C58 dnscrypt-proxy[19308]: Network connectivity detected
Mar 15 17:22:14 RT-AX88U-6C58 dnscrypt-proxy[19308]: Dropping privileges
..
Mar 15 17:22:14 RT-AX88U-6C58 dnscrypt-proxy[19308]: Server with the lowest initial latency: sth-dnscrypt-se (rtt: 25ms)
Mar 15 17:22:14 RT-AX88U-6C58 dnscrypt-proxy[19308]: dnscrypt-proxy is ready - live servers: 5
Mar 15 17:22:14 RT-AX88U-6C58 Diversion: restarted Dnsmasq to apply settings
Mar 15 17:22:14 RT-AX88U-6C58 custom_script: Running /jffs/scripts/service-event-end (args: restart dnsmasq)
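
Added example, not part of any post in this thread: a shell function that reads router syslog lines in the format of the excerpt above and reports, for each manager-initiated start, how long dnscrypt-proxy took to become ready and how long the accompanying dnsmasq restart took. The sample log is constructed (hostname, PIDs and the slow second restart are made up), and `restart_report` and `sample_log` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. restart_report and sample_log are hypothetical names.

# Constructed sample in the syslog format quoted in the post above.
# The second restart (slow dnsmasq reload) is invented for illustration.
sample_log() {
cat <<'EOF'
Mar 15 17:22:13 router manager[18935]: Starting dnscrypt-proxy from manager[18935].
Mar 15 17:22:13 router rc_service: service 19311:notify_rc restart_dnsmasq
Mar 15 17:22:13 router dnscrypt-proxy[19308]: dnscrypt-proxy 2.1.1
Mar 15 17:22:14 router dnscrypt-proxy[19308]: dnscrypt-proxy is ready - live servers: 5
Mar 15 17:22:14 router custom_script: Running /jffs/scripts/service-event-end (args: restart dnsmasq)
Mar 15 17:30:02 router manager[18935]: Starting dnscrypt-proxy from manager[18935].
Mar 15 17:30:02 router rc_service: service 20100:notify_rc restart_dnsmasq
Mar 15 17:30:03 router dnscrypt-proxy[20090]: dnscrypt-proxy is ready - live servers: 5
Mar 15 17:30:27 router custom_script: Running /jffs/scripts/service-event-end (args: restart dnsmasq)
EOF
}

# Reads syslog on stdin; prints one line per dnscrypt-proxy start:
#   <start time> proxy_ready=<N>s dnsmasq_done=<N>s   ("-" means not seen)
restart_report() {
  awk '
    # HH:MM:SS -> seconds since midnight
    function secs(t,   p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
    # elapsed time since the current start, tolerating a midnight rollover
    function since(t,   d) { d = secs(t) - t0; if (d < 0) d += 86400; return d "s" }
    function emit() {
      if (start != "") printf "%s proxy_ready=%s dnsmasq_done=%s\n", start, ready, dnsmasq
    }
    /manager\[[0-9]+\]: Starting dnscrypt-proxy/ {
      emit(); start = $3; t0 = secs($3); ready = "-"; dnsmasq = "-"; next
    }
    start == "" { next }   # ignore anything before the first start
    /dnscrypt-proxy is ready/ && ready == "-" { ready = since($3) }
    /service-event-end \(args: restart dnsmasq\)/ && dnsmasq == "-" { dnsmasq = since($3) }
    END { emit() }
  '
}

sample_log | restart_report
```

Syslog timestamps have one-second resolution, so a restart that completes within the same second is reported as 0s.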
 
Yeah this problem began when 'manager' began taking over the restart process using /jffs/dnscrypt/manager dnscrypt-start

Never used to see "user defined signal 1" or manager doing the restart before.
Yep it would be better if you try

service restart_dnscrypt-proxy

The old method hangs because it attaches itself to the terminal session itself. While the service command does not. It fully runs in the background.
 
Upon restarting dnscrypt now, diversion then restarts dnsmasq as well. That usually takes 20x longer to restart than dnscrypt. Was this always the case? I would expect I'd have noticed that before, because dnsmasq and its 1.5 million entries takes longer to restart than dnscrypt. If manager can restart dnscrypt without reloading dnsmasq that would be great, because it's completely unnecessary.
 
Everything is 100% confirmed to have always been the case, perhaps it was the sudden jump in size of oisd hosts; I can test if this is the case.
 
It was whenever the manager was restarted by the installer. Now it is run as a service so it is incorporated to ensure dnsmasq entry is available within dnsmasq.conf upon starting the dnscrypt proxy service and that it gets removed properly if you decide to stop the service. Let me clarify, dnscrypt-proxy is now run similar to a service. As such, if you stop the service you would have no dns if you do not refresh dnsmasq. Otherwise, that is why dnsmasq is restarted, because a restart is simply a stop and subsequent start. dnscrypt-proxy relies on dnsmasq to be the forwarder for dnscrypt-proxy to be considered your upstream.
 
What are the benefits, if any, of running it as a service?

"Now its ran as a service to ensure dnsmasq entry is available within dnsmasq.conf upon starting the dnscrypt proxy service"

For updating "/jffs/dnscrypt/resolv.dnsmasq" server=x.x.x.x?. This is a set it and forget it for most, I haven't changed it in 4 years.

I have never once had the entry not available in dnsmasq, not once. If I know how to edit the server, I can run a manual reset of dnsmasq

I restart dnscrypt, sometimes dozens of times a day while testing my blocklists, updating the cloaking-rules, whitelists, and removing false positives. The speed in which this was possible made dnscrypt my go-to for many of my blocked domains, because diversion/dnsmasq takes way too long to process lists. The latest updates made this process take 10-20x longer, and an unnecessary burden. Is there any command I can use to pull the older version of dnscryptinstaller from github? Can you add an option to make it a service or legacy setup from the installer menu? That would be greatly appreciated. Thank you for your time.
 
So to be honest I am not having any of these issues you are experiencing. I don't see any actual reason to change anything. It seems as it is a direct result of your dnsmasq environment produced by running diversion standard using a big size block list.

The benefit is that dnscrypt-proxy doesn't run as a slave of the terminal subshell it is started from. Also, it can be stopped, started, and restarted as some users in the past have requested to be able to do. It should have changed in no other manner than such. It just so happens to stop the service and still have dns service after stopping the service, dnsmasq has to be restarted to allow the hand over for routers dns service to work. Your issue is created from using a larger than necessary block list alongside diversion and any additional filters you have created using dnscrypt proxy. I recommend using a smaller list for Diversion and your issue should go away. (Or switch to Diversion lite if you are using standard.)
 
Can you add an option to make it a service or legacy setup from the installer menu? That would be greatly appreciated. Thank you for your time.
But if most users agree, I can convert the installer and corresponding files back to their complete respective legacy (4 years ago) files which will result in any additions I have contributed being removed including, but not limited to the addition of relay and odoh menu options and version checking features. The installer will go back to only installing the version listed in the github at the time.
 
But if most users agree, I can convert the installer and corresponding files back to their complete respective legacy (4 years ago) files.
Your issue is created from using a larger than necessary block list alongside diversion and any additional filters you have created using dnscrypt proxy. I recommend using a smaller list for Diversion and your issue should go away. (Or switch to Diversion lite if you are using standard.)
I'd rather not compromise my security and privacy with smaller lists, especially considering they were working perfectly fine all along and catching things smaller lists have failed to.


But if most users agree, I can convert the installer and corresponding files back to their complete respective legacy (4 years ago) files.
I'd appreciate that, or better, an option to choose between one or the other, for the best of both worlds and so that everyone can benefit, otherwise in my circumstance, while dnscryptinstaller was very useful for me until recently, has become redundant and problematic, and I will learn how to install it manually rather than use it in its current form.

Also, is there a way to create a secondary repo with the former code?
 
Yea If you have a problem with how it is done, you are welcome to "do it yourself". The installer is provided as free to use. And you can use it as such. I don't plan to make any more changes unless the majority of users request it, or dnscrypt proxy devs do something new that requires it. I highly recommend you doing it yourself if you find that you need to be in 100 percent control.

Here is the guide I recommend you starting with if you want to do it yourself.

 
As written before installer/dnscrypt-proxy works really good with my setup and I use diversion with medium + 1 extra list & skynet, Restart process takes ~1sec, do not experience any down time when this happens on any clients.
 
Yea I wasn't having any issues either on my test. I was even using the big diversion list running standard block list. Keep in mind @Boji was using other lists they have setup in dnscrypt proxy as well including cloaking. I imagine that it is the combination of that particular setup causing strain on their router. Simply because all those lists have to be loaded into memory every time they feel the need to whitelist something. The router isn't made of unlimited resources as I imagine this user just figured out. It just seems odd they didn't discover it before with all the restarts of dnsmasq being done every time something gets added to the whitelist in diversion.
 
Here is the guide I recommend you starting with if you want to do it yourself.

Thanks for the tips! Unless there is a way to revive your previous installer, I'll do myself the honor.
As written before installer/dnscrypt-proxy works really good with my setup and I use diversion with medium + 1 extra list & skynet, Restart process takes ~1sec, do not experience any down time when this happens on any clients.
The router isn't made of unlimited resources as I imagine this user just figured out. It just seems odd they didn't discover it before with all the restarts of dnsmasq being done every time something gets added to the whitelist in diversion.

I guess you missed it, or misunderstood me, I'll quote myself for you.

I restart dnscrypt, sometimes dozens of times a day while testing my blocklists, updating the cloaking-rules, whitelists, and removing false positives. The speed in which this was possible made dnscrypt my go-to for many of my blocked domains, because diversion/dnsmasq takes way too long to process lists. The latest updates made this process take 10-20x longer, and an unnecessary burden.

dnsmasq and its 1.5 million entries takes longer to restart than dnscrypt. If manager can restart dnscrypt without reloading dnsmasq that would be great, because it's completely unnecessary.

4 years without any problem with dnscrypt. It used to take 5-6 seconds to restart. Dnscrypt allows me to enable and disable entries or edit its lists in a matter of seconds. This worked flawlessly for years now, so I'm happy to go the custom route.

I see the last commit before service integration was 2.3.4. I just set amtm's dnscrypt.mod to read only, and look for "https://github.com/thuantran/dnscry...tree/e76af9187cc06e2c288957e3c1232704597a44e9", copied the necessary files over manually and a little tweak, should be good for, well, as long as it works..
 
Yep, I don't think we misunderstood. As I understand it, you believe the router has endless resources and should be able to load 1.5 million entries in seconds, or that a script which is provided free should accommodate your specific needs of router fiasco.

I am glad you figured out something that works for you, but I also hope you find a better means of doing what you are able to do somewhere down the line.

Best wishes.
 
I don't see the benefit in reloading 1.5 million entries (or even a few) after they have already been loaded, when I'm dealing with dnscrypt, and not dnsmasq. I have accepted dnsmasq's speed as it is for years now with the limited resources of the router. The majority of users use the limited resources offered by the 68u. My current list is actually closer to 2 million entries after the latest oisd update, and, sacrificing security, or adding extra cpu cycles and unnecessary overhead on top of that doesn't match the benefit to cost ratio of the new features. Dnscrypt proxy already had a method of stopping and restarting. So not having dnscrypt-proxy run as a slave to the terminal seems to be the only alleged benefit, of which I don't know what that is. A menu option to pull the old manager would suffice.

It could read in big red letters "use legacy manager if you want to use the dnsmasq block lists size you want, use the other manager if you want to use the dnsmasq block list size I want you to use"

The benefit is that dnscrypt-proxy doesn't run as a slave of the terminal subshell it is started from. Also, it can be stopped, started, and restarted as some users in the past have requested to be able to do. It should have changed in no other manner than such. It just so happens to stop the service and still have dns service after stopping the service, dnsmasq has to be restarted to allow the hand over for routers dns service to work.
and Earlier:
Now its ran as a service to ensure dnsmasq entry is available within dnsmasq.conf upon starting the dnscrypt proxy service

Ahh, so now it's run as a service to ensure dnsmasq has to restart? Or is the former.

What is the real world gain of not having dnscrypt-proxy run as a slave to the terminal subshell?
 
I am glad you figured out something that works for you, but I also hope you find a better means of doing what you are able to do somewhere down the line.
I forked your installer, and got everything working as good as new. Except Dnscrypt-proxy-installer fails to download (p)rng. Looks like it's pointing to the wrong github directory or something. Happens on your branch also.
 
I don't see the benefit in reloading 1.5 million entries (or even a few) after they have already been loaded, when I'm dealing with dnscrypt, and not dnsmasq. I have accepted dnsmasq's speed as it is for years now with the limited resources of the router. The majority of users use the limited resources offered by the 68u. My current list is actually closer to 2 million entries after the latest oisd update, and, sacrificing security, or adding extra cpu cycles and unnecessary overhead on top of that doesn't match the benefit to cost ratio of the new features. Dnscrypt proxy already had a method of stopping and restarting. So not having dnscrypt-proxy run as a slave to the terminal seems to be the only alleged benefit, of which I don't know what that is. A menu option to pull the old manager would suffice.

It could read in big red letters "use legacy manager if you want to use the dnsmasq block lists size you want, use the other manager if you want to use the dnsmasq block list size I want you to use"


and Earlier:


Ahh, so now it's run as a service to ensure dnsmasq has to restart? Or is the former.

What is the real world gain of not having dnscrypt-proxy run as a slave to the terminal subshell?
Correction: the original dnscrypt ran process had no true way of stopping itself unless you also manage to effectively kill the manager process along with it. The manager ran in the background to keep it alive. (Still does), but the service stop kills both.

Again, I am so glad you found something that works for you.

I see no real reason to invest in your approach to blocking. I use either diversion or dnscrypt, but not both.

If you wish to further discuss how to setup dnscrypt proxy as your way of running it, I suggest starting another thread about such matters as you already know our standpoint here.

Best wishes.
 
Correction: the original dnscrypt ran process had no true way of stopping itself unless you also manage to effectively kill the manager process along with it. The manager ran in the background to keep it alive. (Still does), but the service stop kills both.
How come? I see the manager kills other things,
Code:
killall -q -9 haveged jitterentropy-rngd rngd
I see no real reason to invest in your approach to blocking. I use either diversion or dnscrypt, but not both.
  1. Dnscrypt doesn't offer Diversion's powerful realtime monitoring/reporting features.
  2. As fail-safe. On my system, Dnsmasq occasionally allows blocked domains through, whereas dnscrypt has never failed me
  3. Dnscrypt processes and loads much quicker than diversion/dnsmasq, even with larger lists, saving me hours of resources and downtime without compromising security.
  4. Dnscrypt allows wildcards+logging, blocking first-party tracking scripts that use dns cloaking/cnamecloaking/cname redirects. Chrome is unable to defend against these, Dnsmasq does not either.
  5. I've detected and reported thousands of zero day trackers, ads and analytics using dnscrypt's wildcard blocking+logging while using a 1.5+ million blocklist in diversion.
If you wish to further discuss how to setup dnscrypt proxy as your way of running it, I suggest starting another thread about such matters as you already know our standpoint here.
I'm not sure if I do. I'm good. I've already got it working. Thanks for the olive branch of helpful and eager support for your users, I am truly humbled by your character.
 
By extension that olive branch fits as is "freeware" -as is. I have no animosity towards you as an eager user, however not all users match the eager stamina you put forth in your setup. I imagine if they did, I would already have droves of eager users such as yourself talking about the same issue. Instead here you present yourself, being the eager user. As humble and eager as you are, I have yet the same stamina usage as yourself. So I don't have a solution at this time. Feel free to check back in the future though as I do keep this running for all users, eager or not.
Best wishes
 
  1. Dnscrypt doesn't offer Diversion's powerful realtime monitoring/reporting features.
  2. As fail-safe. On my system, Dnsmasq occasionally allows blocked domains through, whereas dnscrypt has never failed me
  3. Dnscrypt processes and loads much quicker than diversion/dnsmasq, even with larger lists, saving me hours of resources and downtime without compromising security.
  4. Dnscrypt allows wildcards+logging, blocking first-party tracking scripts that use dns cloaking/cnamecloaking/cname redirects. Chrome is unable to defend against these, Dnsmasq does not either.
  5. I've detected and reported thousands of zero day trackers, ads and analytics using dnscrypt's wildcard blocking+logging while using a 1.5+ million blocklist in diversion.
Wow! and it is a wonder anything gets through! I tried this once, and crashed the router big time! :eek:
I'm not sure if I do. I'm good. I've already got it working. Thanks for the olive branch of helpful and eager support for your users, I am truly humbled by your character.

Maybe you can advise the forum on how to properly overlap DNS Adblockers..

What other types of blockers are you using? Do you have overlapping blockers on each device as well? o_O

By extension that olive branch fits as is "freeware" -as is. I have no animosity towards you as an eager user, however not all users match the eager stamina you put forth in your setup. I imagine if they did, I would already have droves of eager users such as yourself talking about the same issue. Instead here you present yourself, being the eager user. As humble and eager as you are, I have yet the same stamina usage as yourself. So I don't have a solution at this time. Feel free to check back in the future though as I do keep this running for all users, eager or not.
Best wishes

Did you just do an update?
 