
DNSCrypt-Proxy version 2 and STUBBY add-ons for R7800/R9000

Now, your question. I have no doubts about the advantages of DNSCrypt 2. It is good, and I use it myself, preferring it to other alternatives and as a test. I have doubts only about the concrete implementation used by the author (respect to him, of course). For me C/C++ is the preferable way, but not Go for embedded devices.

In ASUS firmware, DNSCrypt v2 (DoH) does not work with the latest version of dnsmasq, v2.80. If you use DNSSEC, Traditional QoS, the internet does not work. I am tired, and for the moment I use the DNS of my VPN, but with Unbound / Stubby DoT I have not seen anyone complain about these problems.

I do not know if these problems exist in R7800, but I am interested in buying this router and I would like you to implement DoT, in the same way that Fork Asuswrt-Merlin has.
@Voxel Why don't you use Unbound/Stubby DoT on the router? And you can configure it through the web GUI, like this firmware:
[Image attachment: dot-final-png.14208]
 
In ASUS firmware DNSCrypt v2 (DoH) does not work with the latest version of dnsmasq v2.80

But why do you think that DNSCrypt v2 is DoH? Well, maybe I am not an expert but as far as I understand it is just DNSCrypt.

https://dnscrypt.info/faq/

Why use DNSCrypt?
. . .

Other protocols

[DNS over SSH]
. . .


DNS over TLS (RFC7858)
. . .

DNS over HTTPS (DoH)
. . .



DoH and DoT are in the section "other protocols"


I do not know if these problems exist in R7800,
To tell the truth, I use DNSCrypt v2 mainly with my R9000, but it is working w/o any issues (current uptime is 9 days since the last reboot). It is the same code as for the R7800, so IMO it is like a test. I use servers supporting DNSSEC.

I am interested in buying this router
Just to note: you will probably be dissatisfied with its GUI (vs RMerlin's version for ASUS routers).

Voxel.
 
But why do you think that DNSCrypt v2 is DoH? Well, maybe I am not an expert but as far as I understand it is just DNSCrypt.
I know that DoH is not DNSCrypt v2 but it is the only one that supports this protocol.

To tell the truth, I use DNSCrypt v2 mainly with my R9000, but it is working w/o any issues (current uptime is 9 days since the last reboot). It is the same code as for the R7800, so IMO it is like a test. I use servers supporting DNSSEC.
In Asuswrt-Merlin with dnsmasq v2.79 it worked without problems, but since it updated to dnsmasq v2.80 it no longer works with DNSCrypt for me.

But in Stubby DoT with dnsmasq v2.80 there's no problem, from what I've read.

Just to note: you will probably be dissatisfied with its GUI (vs RMerlin's version for ASUS routers).
Provided that I do not have those problems that I mentioned before, I will be happy.

At the moment I'm going to try the Fork version, and if I do not like it, in case I have the same problems as with the normal version of asuswrt-merlin, I will buy a used/refurbished R7800.
 
In Asuswrt-Merlin with dnsmasq v2.79 it worked without problems, but since it updated to dnsmasq v2.80 it no longer works with DNSCrypt for me.
Do not worry. NG migrated to 2.78 in the fw for the R9000 only a few months ago, after using 2.39 for a very long time for all of their routers. I succeeded in using this version 2.78 for the R7800, but I do not think that it will be changed in the next few years ;-). It is very problematic and dangerous to change some of the packages used by NG because of their own specific changes in these packages, needed for other enclosed packages. dnsmasq is such a package. So... it is almost frozen ;-)

Provided that I do not have those problems that I mentioned before, I will be happy.
OK. IMO the R7800 is still one of the best routers (cost/performance). Still at the top of the SNB review.

Voxel.
 
I've been reading a bit about this DoH vs DoT on the back of an android article. It seems Google is looking at incorporating DoT in Android P and of the 2, it's the less experimental and theoretically would have less overhead.

I'm not sure if this is why the ASUS/Merlin opted for this?
 
I've been reading a bit about this DoH vs DoT on the back of an android article. It seems Google is looking at incorporating DoT in Android P and of the 2, it's the less experimental and theoretically would have less overhead.

I'm not sure if this is why the ASUS/Merlin opted for this?

DoT is a standard protocol officially backed by the IETF. DoH is not, neither is DNSCrypt.
 
DoT is a standard protocol officially backed by the IETF. DoH is not, neither is DNSCrypt.

Thanks for letting us know.

@Voxel Would be interesting to know if this is possible through Entware as a replacement for DNSCrypt, but I'm way out of my league with this.
 
@Voxel Would be interesting to know if this is possible through Entware as a replacement for DNSCrypt, but I'm way out of my league with this.
As I wrote, DNSCrypt Proxy-2 is not a candidate for inclusion into the firmware because of its size.

There are several DoT packages in Entware. One of them is stubby.

https://github.com/getdnsapi/stubby

So maybe (candidate). You can try to play with it using Entware.

https://www.voxel-firmware.com/Downloads/Voxel/html/entware.html
https://www.voxel-firmware.com/Down...are-3x-Voxel/stubby_0.2.2-1_cortex-a15-3x.ipk

Voxel.
 
As I wrote, DNSCrypt Proxy-2 is not a candidate for inclusion into the firmware because of its size.

There are several DoT packages in Entware. One of them is stubby.

https://github.com/getdnsapi/stubby

So maybe (candidate). You can try to play with it using Entware.

https://www.voxel-firmware.com/Downloads/Voxel/html/entware.html
https://www.voxel-firmware.com/Down...are-3x-Voxel/stubby_0.2.2-1_cortex-a15-3x.ipk

Voxel.

Sorry, what I mean is if Stubby (for example) is small in size, this could be incorporated into the firmware instead of the original DNSCrypt, or whether it would remain something for people to install and experiment with. Either way, I'll wait for someone that knows what they're doing to test it out and feedback before I dip my toe in :p
 
Tried to install last night
Just upgraded router to 60sf firmware

Having a problem:

root@R7800:/$ /etc/init.d/ dnscrypt-proxy-2 enable

/bin/ash: /etc/init.d/: Permission denied


root@R7800:/etc/init.d$ dnscrypt-proxy-2 enable

[2018-09-13 13:22:08] [FATAL] Unable to load the configuration file [dnscrypt-proxy.toml] -- Maybe use the -config command-line switch?

and
root@R7800:/etc/init.d$ /etc/init.d/dnscrypt-proxy-2 start

Terminated



any ideas?
Thanks
 
Having a problem:

root@R7800:/$ /etc/init.d/ dnscrypt-proxy-2 enable

/bin/ash: /etc/init.d/: Permission denied
Sorry. There was a misprint in my instruction. Space symbol. Correct command:

Code:
/etc/init.d/dnscrypt-proxy-2 enable


and
root@R7800:/etc/init.d$ /etc/init.d/dnscrypt-proxy-2 start

Terminated

The message is misleading, I agree. It is started, but the message is from dnsmasq start/stop.

So try to

/etc/init.d/dnscrypt-proxy-2 enable

(w/o space) and reboot your router.

Voxel.
 
Sorry. There was a misprint in my instruction. Space symbol. Correct command:

Code:
/etc/init.d/dnscrypt-proxy-2 enable




The message is misleading, I agree. It is started, but the message is from dnsmasq start/stop.

So try to

/etc/init.d/dnscrypt-proxy-2 enable

(w/o space) and reboot your router.

Voxel.
Thanks for the quick reply, will give it a go tonight, which is about 12 hours from now my time.

Randy
 
Hello, confirming Stubby is working fine. Although I expected that my dns-queries would go to 1.1.1.1, they go to 162.158.108.154. But that's also a Cloudflare address. So I guess some sort of round-robin.

What I wanted to say to Voxel is:
- Thanks for your builds. They work flawlessly
- Your readme file for Stubby R9000 is not correct. The filenames do not match with what's in the readme.

Thanks again. ;)
 
Hello, confirming Stubby is working fine. Although I expected that my dns-queries would go to 1.1.1.1, they go to 162.158.108.154. But that's also a Cloudflare address. So I guess some sort of round-robin.

What I wanted to say to Voxel is:
- Thanks for your builds. They work flawlessly
- Your readme file for Stubby R9000 is not correct. The filenames do not match with what's in the readme.

Thanks again. ;)
Thank you for your report. readme is corrected.

Voxel.
 
Hi @Voxel

Firstly, thank you for your work!

My question is: how can I check that DNSCrypt is actually working perfectly? I use Win 10 Enterprise.
 