DNSCrypt-Proxy version 2 and STUBBY add-ons for R7800/R9000

[HowIFix]

Now, your question. I have no doubts in DNSCrypt 2 advantages. It is good, I do use it myself. Preferring vs other alternatives and as a test. I have doubts only in the way of concrete implementation used by author (respect to him of course). For me C/C++ is preferable way. But not Go for embedded devices.

In ASUS firmware DNSCrypt v2 (DoH) does not work with the latest version of dnsmasq v2.80, if you use DNSSEC, Traditional QoS, the internet does not work, I am tired and now I use the DNS of my VPN for the moment, but with Unbound / Stubby DoT I have not seen anyone complain about these problems.

I do not know if these problems exist in R7800, but I am interested in buying this router and I would like you to implement DoT, in the same way that Fork Asuswrt-Merlin has.

@Voxel Why do not you use Unbound/Stubby DoT on the router? and you can configure it through the web GUI. like this firmware:

• [Fork] Asuswrt-Merlin 374.43 LTS releases (V34E3)

 

[Voxel]

In ASUS firmware DNSCrypt v2 (DoH) does not work with the latest version of dnsmasq v2.80

But why do you think that DNSCrypt v2 is DoH? Well, maybe I am not an expert but as far as I understand it is just DNSCrypt.

https://dnscrypt.info/faq/

Why use DNSCrypt?
. . .

Other protocols

[DNS over SSH]
. . .

DNS over TLS (RFC7858)
. . .

DNS over HTTPS (DoH)
. . .


DoH and DoT are in the section "other protocols"

I do not know if these problems exist in R7800,

To say true I do use DNSCrypt v2 mainly with my R9000. But it is working w/o any issues (current uptime is 9 days, since last reboot). The same codes as for R7800 so IMO it is like a test. I use servers supporting DNSSEC.

I am interested in buying this router

Just to note: probably you will be dissatisfied by its GUI (vs RMeriln's version for ASUS routers).

Voxel.

 

[HowIFix]

But why do you think that DNSCrypt v2 is DoH? Well, maybe I am not an expert but as far as I understand it is just DNSCrypt.

I know that DoH is not DNSCrypt v2 but it is the only one that supports this protocol.

To say true I do use DNSCrypt v2 mainly with my R9000. But it is working w/o any issues (current uptime is 9 days, since last reboot). The same codes as for R7800 so IMO it is like a test. I use servers supporting DNSSEC.

In Asuswrt-Merlin with the dnsmasq v2.79 it worked without problems, but since it updates to dnsmasq v2.80 it no longer works with DNSCrypt for me.

But in Stubby DoT with dnsmasq v2.80 there's no problem, from what I've read.

Just to note: probably you will be dissatisfied by its GUI (vs RMeriln's version for ASUS routers).

With that I do not have those problems that I mentioned before I will be happy.

At this moment I'm going to try the Fork version and if I do not like it, in case I had the same problems as the normal version of asuswrt-merlin, I will buy used/refurbished R7800.

 

[Voxel]

In Asuswrt-Merlin with the dnsmasq v2.79 it worked without problems, but since it updates to dnsmasq v2.80 it no longer works with DNSCrypt for me.

Do not worry. NG migrated to 2.78 in fw for R9000 only few months ago. Using 2.39 for a very long time for all of their routers. I succeed to use this version 2.78 for R7800 but I do not think that it will be changed in few nearest years ;-). It is very problematic and dangerous to change some of the packages used by NG because of their own specific changes in these packages needed for other enclosed packages. dnsmasq is such a package. So... It is almost frozen ;-)

With that I do not have those problems that I mentioned before I will be happy.

OK. IMO R7800 is still one of the best routers (cost/performance). Still in the top of SNB review.

Voxel.

 

[gobble]

I've been reading a bit about this DoH vs DoT on the back of an android article. It seems Google is looking at incorporating DoT in Android P and of the 2, it's the less experimental and theoretically would have less overhead.

I'm not sure if this is why the ASUS/Merlin opted for this?

 

[RMerlin]

I've been reading a bit about this DoH vs DoT on the back of an android article. It seems Google is looking at incorporating DoT in Android P and of the 2, it's the less experimental and theoretically would have less overhead.

I'm not sure if this is why the ASUS/Merlin opted for this?

DoT is a standard protocol officially backed by the IETF. DoH is not, neither is DNSCrypt.

 

[gobble]

DoT is a standard protocol officially backed by the IETF. DoH is not, neither is DNSCrypt.

Thanks for letting us know.

@Voxel Would be interesting to know if this is possible through Entware as a replacement for DNSCrypt, but I'm way out of my league with this.

 

[Voxel]

@Voxel Would be interesting to know if this is possible through Entware as a replacement for DNSCrypt, but I'm way out of my league with this.

As I wrote DNSCrypt Proxy-2 is no a candidate for inclusion into firmware because of its size.

There are several DoT packages in Entware. One of them is stubby.

https://github.com/getdnsapi/stubby

So maybe (candidate). You can try to play with it using Entware.

https://www.voxel-firmware.com/Downloads/Voxel/html/entware.html
https://www.voxel-firmware.com/Down...are-3x-Voxel/stubby_0.2.2-1_cortex-a15-3x.ipk

Voxel.

 

[gobble]

As I wrote DNSCrypt Proxy-2 is no a candidate for inclusion into firmware because of its size.

There are several DoT packages in Entware. One of them is stubby.

https://github.com/getdnsapi/stubby

So maybe (candidate). You can try to play with it using Entware.

https://www.voxel-firmware.com/Downloads/Voxel/html/entware.html
https://www.voxel-firmware.com/Down...are-3x-Voxel/stubby_0.2.2-1_cortex-a15-3x.ipk

Voxel.

Sorry, what I mean is if Stubby (for example) is small in size, this could be incorporated into the firmware instead of the original DNSCrypt, or whether it would remain something for people to install and experiment with. Either way, I'll wait for someone that knows what they're doing to test it out and feedback before I dip my toe in

 

[Voxel]

Either way, I'll wait for someone that knows what they're doing to test it out and feedback before I dip my toe in

OK, let's wait . Stubby:

https://www.voxel-firmware.com/Downloads/Voxel/R7800-Voxel-firmware/Stubby/readme.txt
https://www.voxel-firmware.com/Downloads/Voxel/R9000-Voxel-firmware/Stubby/readme.txt

Voxel.

 

[randytsuch]

Tried to install last night
Just upgraded router to 60sf firmware

Having a problem:

root@R7800:/$ /etc/init.d/ dnscrypt-proxy-2 enable

/bin/ash: /etc/init.d/: Permission denied


root@R7800:/etc/init.d$ dnscrypt-proxy-2 enable

[2018-09-13 13:22:08] [FATAL] Unable to load the configuration file [dnscrypt-proxy.toml] -- Maybe use the -config command-line switch?

and
root@R7800:/etc/init.d$ /etc/init.d/dnscrypt-proxy-2 start

Terminated



any ideas?
Thanks

 

[Voxel]

Having a problem:

root@R7800:/$ /etc/init.d/ dnscrypt-proxy-2 enable

/bin/ash: /etc/init.d/: Permission denied

Sorry. There was a misprint in my instruction. Space symbol. Correct command:

/etc/init.d/dnscrypt-proxy-2 enable

and
root@R7800:/etc/init.d$ /etc/init.d/dnscrypt-proxy-2 start

Terminated

Message is misleading, agree. It is started but message is from dnsmasq start/stop.

So try to

/etc/init.d/dnscrypt-proxy-2 enable

(w/o space) and reboot your router.

Voxel.

 

[randytsuch]

Sorry. There was a misprint in my instruction. Space symbol. Correct command:

/etc/init.d/dnscrypt-proxy-2 enable

Message is misleading, agree. It is started but message is from dnsmasq start/stop.

So try to

/etc/init.d/dnscrypt-proxy-2 enable

(w/o space) and reboot your router.

Voxel.

Thanks for the quick reply, will give it a go tonight, which is about 12 hours from now my time.

Randy

 

[Arnout Verbeken]

Hello, confirming Stubby is working fine. Although I expected that my dns-queries would go to 1.1.1.1, they go to 162.158.108.154. But that's also a Cloudflare address. So I guess some sort of round-robin.

What I wanted to say to Voxel is:
- Thanks for your builds. They work flawlessly
- Your readme file for Stubby R9000 is not correct. The filenames do not match with what's in the readme.

Thanks again.

 

[Voxel]

Hello, confirming Stubby is working fine. Although I expected that my dns-queries would go to 1.1.1.1, they go to 162.158.108.154. But that's also a Cloudflare address. So I guess some sort of round-robin.

What I wanted to say to Voxel is:
- Thanks for your builds. They work flawlessly
- Your readme file for Stubby R9000 is not correct. The filenames do not match with what's in the readme.

Thanks again.

Thank you for your report. readme is corrected.

Voxel.

 

[Tume]

Hi @Voxel

Firstly, Thank you to your work!

My question is, how I can check that DNSCrypt actually working perfect? I use Win 10 Enterprise.

 

[Voxel]

Hi @Voxel

Firstly, Thank you to your work!

My question is, how I can check that DNSCrypt actually working perfect? I use Win 10 Enterprise.

There are a lot of free dnsleat tests. E.g. check the browser from your Win 10 Enterprise:

https://www.perfect-privacy.com/dns-leaktest/

You should see DNS you selected in DNSCrypt instead of your ISP.

Voxel.

 

[ajp2k14]

DNS over HTTPS now a standard?

https://datatracker.ietf.org/doc/rfc8484/

 

[RMerlin]

DNS over HTTPS now a standard?

https://datatracker.ietf.org/doc/rfc8484/

Unfortunately.

I'm not the only one to think this is a bad idea:

https://www.theregister.co.uk/2018/...oh_as_dns_privacy_feature_becomes_a_standard/

 

[ajp2k14]

Unfortunately.

I'm not the only one to think this is a bad idea:

https://www.theregister.co.uk/2018/...oh_as_dns_privacy_feature_becomes_a_standard/

Yupp, saw that one too. Hard to control, I just dread the day when devices are hardcoded to use it and bypass my dns-proxy... even worse in an enterprise environment.