Hi
Updated my Asus RT-N66u tonight from 20e9 to 22e2 this evening. Flashed and rebooted OK but had a few issues with dnscrypt:
Thought I'd have a try at enabling dnscrypt. I enabled it and selected various different dnscrypt resolvers but each time my DNS was still resolving from OpenDNS (208.67.220.220 / 208.67.200.200) which is configured on the WAN page. So even though dnscrypt was enabled it wasn't being used? Did some further digging, I had to disable "Enable DNS based Filtering" on the Parental control section. Usually I have this 'On' and pointing at 'Router' to ensure all DNS traffic goes via the router and people can't bypass filtering by putting their own custom DNS on their devices. When disabling the DNS based filtering the DNSCrypt appears to work fine with OpenDNS. Is there a way to use DNSCrypt in conjunction with DNS Based Filtering if it's pointing at the router?
Sorry, but I can't recreate this. Once you enable DNSCrypt, the WAN DNS servers are replaced with the DNSCrypt servers in dnsmasq (127.0.0.1:65053). dnsleaktest.com then showed the DNSCrypt server whether or not the DNSFilter global router setting was enabled.
To see what may be going on, I need to see:
killall -s USR1 dnsmasq (this will dump the dnsmasq stats to the syslog so we can verify the DNSCrypt servers are correctly set)
iptables -t nat -nvL (both with and without DNSFilter)
Also, if you are using a VPN Client, that can affect things as well.
Second issue is that the update script dnscrypt-update-resolvers.sh doesn't work for me. It throws an error that https is not supported in curl:
ASUS:/tmp/home/root# dnscrypt-update-resolvers.sh
Updating the list of public DNSCrypt resolvers...
curl: (1) Protocol https not supported or disabled in libcurl
Download failed
mv: can't rename '/jffs/etc/dnscrypt-resolvers.csv.tmp': No such file or directory
Done
As a workaround I've manually downloaded the csv file and transferred it across to /jffs/etc using winscp.
Sorry, but again I can't recreate.
ASUSWRT-Merlin RT-AC68U_3.0.0.4 Wed Jan 11 18:22:20 UTC 2017
admin@AC68P-06650:/tmp/home/root# dnscrypt-update-resolvers.sh
Updating the list of public DNSCrypt resolvers...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 31960 100 31960 0 0 18413 0 0:00:01 0:00:01 --:--:-- 37292
Done
Are you sure you don't have another curl installed, maybe via entware? What's the result of entering
which curl
Thirdly, would be good if possible to manually specify DNSCrypt resolvers by custom IP address. For example, only one Cisco OpenDNS server is available to select in the dnscrypt settings which points to 208.67.220.220, but the other OpenDNS server 208.67.222.222 also supports DNSCrypt and would be good to have as a Secondary.
I'm torn on this one... it's not just the IP, it's also a port and a key that would need to be entered. Currently one way around it would be to edit the resolvers file in /jffs and add your server info. But I'm not sure this will remain possible in the future once I add signature verification to that file.
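
For the second issue in this thread (a curl without https, followed by the `mv` error on a missing `.tmp` file), a pre-flight check can report which curl binary is being picked up and refuse to touch the existing list when the download fails. This is an added example, not the firmware's dnscrypt-update-resolvers.sh; the function names are hypothetical and the URL is left to the caller.

```shell
#!/bin/sh
# Added example: guard a resolver-list update against a curl built
# without https and against a failed or empty download.
# Function names are hypothetical; this is not the firmware's script.

# Return 0 if the given `curl -V` output lists https as a protocol.
has_https() {
    printf '%s\n' "$1" | grep '^Protocols:' | tr ' ' '\n' | grep -qx 'https'
}

# Move $1 over $2 only when $1 exists and is non-empty; otherwise
# discard $1 and leave the current list untouched.
install_if_valid() {
    if [ -s "$1" ]; then
        mv "$1" "$2"
    else
        rm -f "$1"
        return 1
    fi
}

# update_resolvers URL DEST
# Example DEST from the thread: /jffs/etc/dnscrypt-resolvers.csv
update_resolvers() {
    url=$1
    dest=$2
    # Report the curl actually found on PATH (e.g. one from entware).
    curl_bin=$(command -v curl) || { echo "curl not found" >&2; return 2; }
    if ! has_https "$("$curl_bin" -V 2>/dev/null)"; then
        echo "$curl_bin has no https support" >&2
        return 3
    fi
    # -f: treat HTTP errors as failures, so an error page is never installed.
    if ! "$curl_bin" -fsS -o "$dest.tmp" "$url"; then
        rm -f "$dest.tmp"
        echo "Download failed, keeping existing $dest" >&2
        return 4
    fi
    install_if_valid "$dest.tmp" "$dest"
}
```

The return codes distinguish a missing curl (2), a curl without https (3) and a failed transfer (4), which separates the PATH question raised above from an ordinary network failure.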