DNScrypt dnscrypt installer for asuswrt
- Thread starter bigeyes0x0
- Start date
-
- Tags
- dnscrypt
Treadler
Very Senior Member
Hmmmm, no. A number of sites not reachable. Uninstalled dnscrypt & all is happy once more!
(No other changes made).
bigeyes0x0
Senior Member
More likely an issue with your chosen resolvers.
I have merged the dev code to master branch, now you can install it normally to get 2.0.16.
MasterBash
Regular Contributor
Here is why it seems to not be working for me...
eb 13 19:00:50 dnscrypt-proxy[724]: Timeout while waiting for network connectivity
Feb 13 19:00:50 dnscrypt-proxy[724]: Source [public-resolvers.md] loaded
Feb 13 19:00:50 dnscrypt-proxy[724]: dnscrypt-proxy 2.0.16
Feb 13 19:00:50 dnscrypt-proxy[724]: Dropping privileges
Feb 13 19:00:50 dnscrypt-proxy[1160]: Network not available yet -- waiting...
Feb 13 19:01:00 dnscrypt-proxy[1160]: Network connectivity detected
Feb 13 19:01:00 dnscrypt-proxy[1160]: Source [public-resolvers.md] loaded
Feb 13 19:01:00 dnscrypt-proxy[1160]: dnscrypt-proxy 2.0.16
Feb 13 19:01:00 dnscrypt-proxy[1160]: Now listening to 127.0.0.1:65053 [UDP]
Feb 13 19:01:00 dnscrypt-proxy[1160]: Now listening to 127.0.0.1:65053 [TCP]
Feb 13 19:01:01 dnscrypt-proxy[1160]: Get https://dns.cloudflare.com/dns-quer..._padding=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: x509: certificate has expired or is not yet valid
Feb 13 19:01:01 dnscrypt-proxy[1160]: dnscrypt-proxy is waiting for at least one server to be reachable
What seems to be happening is that dnscrypt is unable to get a cloudflare certificate because the time doesn't get updated after I boot the router, because it can't access internet to update the time with dnscrypt.
Is there a workaround for this?
I did set the time in dnscrypt, but it doesn't seem to be do anything.
eb 13 19:00:50 dnscrypt-proxy[724]: Timeout while waiting for network connectivity
Feb 13 19:00:50 dnscrypt-proxy[724]: Source [public-resolvers.md] loaded
Feb 13 19:00:50 dnscrypt-proxy[724]: dnscrypt-proxy 2.0.16
Feb 13 19:00:50 dnscrypt-proxy[724]: Dropping privileges
Feb 13 19:00:50 dnscrypt-proxy[1160]: Network not available yet -- waiting...
Feb 13 19:01:00 dnscrypt-proxy[1160]: Network connectivity detected
Feb 13 19:01:00 dnscrypt-proxy[1160]: Source [public-resolvers.md] loaded
Feb 13 19:01:00 dnscrypt-proxy[1160]: dnscrypt-proxy 2.0.16
Feb 13 19:01:00 dnscrypt-proxy[1160]: Now listening to 127.0.0.1:65053 [UDP]
Feb 13 19:01:00 dnscrypt-proxy[1160]: Now listening to 127.0.0.1:65053 [TCP]
Feb 13 19:01:01 dnscrypt-proxy[1160]: Get https://dns.cloudflare.com/dns-quer..._padding=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: x509: certificate has expired or is not yet valid
Feb 13 19:01:01 dnscrypt-proxy[1160]: dnscrypt-proxy is waiting for at least one server to be reachable
What seems to be happening is that dnscrypt is unable to get a cloudflare certificate because the time doesn't get updated after I boot the router, because it can't access internet to update the time with dnscrypt.
Is there a workaround for this?
I did set the time in dnscrypt, but it doesn't seem to be do anything.
Treadler
Very Senior Member
I think you’re correct. I’m finding Cloudflare has issues with, or without dnscrypt.
A shame, as Cloudflare is the fastest public resolver for me. I have had to change to my second best, speed wise, Quad9.
Not accessible via dnscrypt though?
snakebite3
Senior Member
You need to use an IP address for the NTP server instead of the domain name.
http://www.pool.ntp.org/zone/@
Pick your zone and then look up the ip for that domain.
Use PingInfoView to find best server
https://www.nirsoft.net/utils/multiple_ping_tool.html
Input all the ip addresses, ping them and use the one with lowest ping time.
Last edited:
@snakebite3 Thank you very much, if it works!
Last edited:
pattiri
Senior Member
snakebite3
Senior Member
XIII
Very Senior Member
Are you sure it's not the "issue" he already mentioned in the log?
Code:
- CHANGED: Since dnsmasq 2.80, dnsmasq now ensures that unsigned
DNS replies received with DNSSEC enabled are legitimate.
If your upstream DNS doesn't support DNSSEC, this means
all replies from signed zones will be considered
invalid. Make sure you only enable DNSSEC if your
upstream DNS servers do support it. This behaviour is
a bit slower, but far more secure than the old default.XIII
Very Senior Member
Missed the original post, but now that it's quoted recently:
https://www.reddit.com/r/sysadmin/comments/2hn435/dnssec_vs_dnscrypt/
Why not? Isn't DoH for encryption and DNSSEC for validation?
https://www.reddit.com/r/sysadmin/comments/2hn435/dnssec_vs_dnscrypt/
Makaveli
Very Senior Member
XIII
Very Senior Member
I’m afraid I don’t know...
I switched to unbound when DNSCrypt (v1) seemed dead. When DNSCrypt v2 was introduced it did not support DNSSEC so I did not move back then. After that I never thought about it again...
Cloudflare DNS in the v384.6 or Newer and Recommendations
For people who use Cloudflare DNS in DNSCrypt or in the Router and also have DNSSEC enabled in the Router, from version 384.6 or Newer, this message will appear in log:
If you reboot the router using Cloudflare DNS in DNSCrypt and also have DNSSEC enabled, in Network Map -> Internet status shows Disconnected or the internet not work. That happens because:
I recommend that you stop using Cloudflare DNS on the router and on DNSCrypt for now (maybe in the future they fix it), this DNS server does not have full support with DNSSEC.
I also recommend this:
01. LAN -> DHCP Server:
02. WAN:
03. Administration -> System:
04. In DNSCrypt v2 these are the only DNS servers that support DoH and five of them (aaflalo-me, cloudflare, gridns-sg and doh-cleanbrowsing) do not have full support with DNSSEC for now.
I recommend using another DNS server than these five:
(I tested the DNS servers one by one with DNSSEC enabled and works without problems) (2018/07/31)
05. When you install DNSCrypt and Manually choose the DNS servers that no log, after will ask you for a DNS server for initializing dnscrypt-proxy and router services, use any of these DNS servers:
(because they have full support with DNSSEC) [Do not use 1.1.1.1]
06. Set timezone in DNSCrypt, after you have finished selecting the DNS server:
Thanks to @RMerlin @snakebite3 @pattiri and @XIII
For people who use Cloudflare DNS in DNSCrypt or in the Router and also have DNSSEC enabled in the Router, from version 384.6 or Newer, this message will appear in log:
Code:
Jul 28 20:21:49 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:13 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:17 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:22 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?If you reboot the router using Cloudflare DNS in DNSCrypt and also have DNSSEC enabled, in Network Map -> Internet status shows Disconnected or the internet not work. That happens because:
I recommend that you stop using Cloudflare DNS on the router and on DNSCrypt for now (maybe in the future they fix it), this DNS server does not have full support with DNSSEC.
I also recommend this:
01. LAN -> DHCP Server:
- Enable DNSSEC support: Yes
- Enable DNS Rebind protection: Yes
- After Enable both, you have to Apply.
02. WAN:
- Connect to DNS Server automatically: No
- DNS Server1: 84.200.69.80 or 8.8.8.8 or 9.9.9.9
- DNS Server2: 84.200.70.40 or 8.8.4.4 or 149.112.112.112
- Use any of these DNS servers (DNS.WATCH or Google or Quad9), because they have full support with DNSSEC, to install DNSCrypt without problems.
03. Administration -> System:
- Use an IP address for the NTP server instead of the domain name as @snakebite3 recommends and teaches, Example:
04. In DNSCrypt v2 these are the only DNS servers that support DoH and five of them (aaflalo-me, cloudflare, gridns-sg and doh-cleanbrowsing) do not have full support with DNSSEC for now.
I recommend using another DNS server than these five:
(I tested the DNS servers one by one with DNSSEC enabled and works without problems) (2018/07/31)
05. When you install DNSCrypt and Manually choose the DNS servers that no log, after will ask you for a DNS server for initializing dnscrypt-proxy and router services, use any of these DNS servers:
. 84.200.69.80 or 8.8.8.8 or 9.9.9.9
(because they have full support with DNSSEC) [Do not use 1.1.1.1]
06. Set timezone in DNSCrypt, after you have finished selecting the DNS server:
Thanks to @RMerlin @snakebite3 @pattiri and @XIII
Last edited:
Do not use auto and do not use Cloudflare DNS for now, use another DNS server, read my post #4 and #5
https://www.snbforums.com/threads/release-dnscrypt-installer-for-asuswrt.36071/page-53#post-420342
Last edited:
Similar threads
Similar threads
Similar threads
-
-
TAILMON TAILMON v1.0.20 -July 27, 2024- WireGuard-based Tailscale Installer, Configurator and Monitor (THREAD #1 CLOSED)
- Started by Viktor Jaep
- Replies: 556
-
amtm amtm 5.0 - the Asuswrt-Merlin Terminal Menu, November 17, 2024- Started by thelonelycoder
- Replies: 61
-
Entware Possible to install jdownloader on asuswrt-merlin router with entware??
- Started by JeyJ
- Replies: 9
-
Skynet SOLVED: Scrollbar Disappears on Skynet Tab on Asuswrt-Merlin 386.14
- Started by WRobertE
- Replies: 10
-
scMerlin scMerlin 2.5.8 - Service and script control menu for Asuswrt-Merlin, October 20, 2024
- Started by thelonelycoder
- Replies: 85
-
uKasa uKasa - A utility script that manages Kasa smart outlets and switches with Asuswrt-Merlin routers- Started by JGrana
- Replies: 29
-
Updated Hue Utility - huetil Control and manage your Hue system from Asuswrt-Merlin or Raspbian
- Started by JGrana
- Replies: 1