DNScrypt dnscrypt installer for asuswrt

[Twiglets]

For Information:
(from https://github.com/DNSCrypt/dnscrypt-proxy/issues/960 )

Anonymized DNS can be implemented on top of all existing encrypted protocols, but DNSCrypt is by far the simplest and most efficient instantiation.

It only adds a header with a constant sequence followed by routing information (server IP+port) to unmodified DNSCrypt queries. Implementing it on top of an existing DNSCrypt implementation is trivial.

The overhead is minimal. Unlike DoH where headers may still reveal a lot of information about the client's identity, Anonymized DNSCrypt, by design, doesn't allow passing any information at all besides the strict minimum required for routing.

This means that if you are using DoT or DOH to communicate with the upstream server you are revealing *more* information than using DNSCrypt ONLY !!!

Specifically, 'cloudflare' does *not* support DNSCrypt so using Anonymized DNS does not give any gain over using DoT or DoH directly, until cloudflare supports DNSCrypt.*

*https://github.com/DNSCrypt/dnscrypt-proxy/issues/960#issuecomment-541847966

 

[HairyA00]

For Information:
(from https://github.com/DNSCrypt/dnscrypt-proxy/issues/960 )

Anonymized DNS can be implemented on top of all existing encrypted protocols, but DNSCrypt is by far the simplest and most efficient instantiation.

It only adds a header with a constant sequence followed by routing information (server IP+port) to unmodified DNSCrypt queries. Implementing it on top of an existing DNSCrypt implementation is trivial.

The overhead is minimal. Unlike DoH where headers may still reveal a lot of information about the client's identity, Anonymized DNSCrypt, by design, doesn't allow passing any information at all besides the strict minimum required for routing.

This means that if you are using DoT or DOH to communicate with the upstream server you are revealing *more* information than using DNSCrypt ONLY !!!

Specifically, 'cloudflare' does *not* support DNSCrypt so using Anonymized DNS does not give any gain over using DoT or DoH directly, until cloudflare supports DNSCrypt.*

*https://github.com/DNSCrypt/dnscrypt-proxy/issues/960#issuecomment-541847966

That being said, what's the ideal upstream provider you should be using? Anyone that directly supports DNSCrypt and DNSSEC?
https://dnscrypt.info/public-servers

quad9-dnscrypt-ip4-filter-pri?

 

[Twiglets]

That being said, what's the ideal upstream provider you should be using? Anyone that directly supports DNSCrypt and DNSSEC?
https://dnscrypt.info/public-servers

As far as I can understand it should be DNSCrypt ..... DNSSEC is optional (particularly as it is not universally used ... yet !!!)

 

[HairyA00]

As far as I can understand it should be DNSCrypt ..... DNSSEC is optional (particularly as it is not universally used ... yet !!!)

Dropping cloudflare, switching to quad9-dnscrypt-ip4-filter-pri. Will see if there are any differences...

 

[HairyA00]

@thelonelycoder is there any chance of pulling DNSCrypt back into amtm in a future release given this new feature of Anonymized DNS? Doesn't seem like the DNSCrypt team are stopping on new features, and if this feature works as advertised, it SOUNDS like a better option for "privacy" moreso than DoT, DoH, Unbound, etc. Unless of course you can answer the question, "with whom do you trust" with one of these commercial DNS providers. Just thinking aloud here.
https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/ANONYMIZED-DNSCRYPT.txt

I realize I don't need amtm to install it, but I have to say that amtm is such a clean package for managing installed scripts.

 

[Twiglets]

Dropping cloudflare, switching to quad9-dnscrypt-ip4-filter-pri. Will see if there are any differences...

The expectation is that performance will be roughly similar *but* as there is an additional hop of the 'DNS Repeater' the latency for DNS lookup will probably be greater.
The main point is that if you use 'Anonymized DNS' via DNSCrypt there should be 'no data' to collect that ties back to your IP Address.
(That is what the 'Sales Pitch' says !!! )

 

[HairyA00]

The expectation is that performance will be roughly similar *but* as there is an additional hop of the 'DNS Repeater' the latency for DNS lookup will probably be greater.
The main point is that if you use 'Anonymized DNS' via DNSCrypt there should be 'no data' to collect that ties back to your IP Address.
(That is what the 'Sales Pitch' says !!! )

Heh, anonymized DNS breaks the use of cisco's filters. Presumably because it's unknown where the requests are coming from!

 

[thelonelycoder]

@thelonelycoder is there any chance of pulling DNSCrypt back into amtm in a future release given this new feature of Anonymized DNS? Doesn't seem like the DNSCrypt team are stopping on new features, and if this feature works as advertised, it SOUNDS like a better option for "privacy" moreso than DoT, DoH, Unbound, etc. Unless of course you can answer the question, "with whom do you trust" with one of these commercial DNS providers. Just thinking aloud here.
https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/ANONYMIZED-DNSCRYPT.txt

I realize I don't need amtm to install it, but I have to say that amtm is such a clean package for managing installed scripts.

Support is still there, you say it in your quoted last sentence. Once this script is installed manually, it'll appear in the amtm options.
I'll watch this thread and will decide at the time when a new version of amtm is ready for release.

 

[HairyA00]

Support is still there, you say it in your quoted last sentence. Once this script is installed manually, it'll appear in the amtm options.
I'll watch this thread and will decide at the time when a new version of amtm is ready for release.

Awesome. Sounds great. Feature seems to work, and well. Been using it all day on a Pi-hole, but would love to use it on my RT-AC86U instead! Thanks for the advice, I will take a stab at this in a bit.

 

[SomeWhereOverTheRainBow]

Got it working

Oct 14 20:41:24 dnscrypt-proxy[29892]: dnscrypt-proxy 2.0.29-beta.1
Oct 14 20:41:24 dnscrypt-proxy[29892]: Network connectivity detected
Oct 14 20:41:24 dnscrypt-proxy[29892]: Source [public-resolvers.md] loaded
Oct 14 20:41:24 dnscrypt-proxy[29892]: Anonymized DNS: routing [ovpn2_ipv4] via [sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM]
Oct 14 20:41:24 dnscrypt-proxy[29892]: Anonymized DNS: routing [cloudflare] via [sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM]
Oct 14 20:41:24 dnscrypt-proxy[29892]: Firefox workaround initialized

edit: DoH server removed (cloudflare)

yea that DOH server shouldn't be able to use the function of Anonymized DNS as far as I know this is for only Dnscrypt servers correct?

I have read up on Anonymized DNS, but I have failed to see where this has taken DNSCrypt other than the mentioning of a UDP and TCP layer added. From what I understand any DNScrypt can take advantage of this provided they support the use of both UDP and TCP transport.( most of them should)
What key points have you taken from reading up on it?

 

[Zastoff]

Think the DoH server worked thru the relay..but gives away to much info to work as intended..(not sure)
And i think Anonymized DNS is more about making sure DNS servers do not logg (the correct info) since we cant know for sure what or if they save the info
I have read the links provided here and normally only use DNSCrypt servers (sometimes test other servers)

 

[Delusion]

I think I made Anonymized DNS work on router:

Oct 15 13:22:38 kostar: Start dnscrypt-proxy
Oct 15 13:22:38 dnscrypt-proxy[9923]: dnscrypt-proxy 2.0.29-beta.1
Oct 15 13:22:38 dnscrypt-proxy[9923]: Network connectivity detected
Oct 15 13:22:38 dnscrypt-proxy[9923]: Source [quad9-resolvers.md] loaded
Oct 15 13:22:38 dnscrypt-proxy[9923]: Anonymized DNS: routing [quad9-dnscrypt-ip4-nofilter-pri] via [sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM]
Oct 15 13:22:38 dnscrypt-proxy[9923]: Firefox workaround initialized
Oct 15 13:22:38 dnscrypt-proxy[9923]: Dropping privileges
Oct 15 13:22:38 dnscrypt-proxy[9923]: dnscrypt-proxy 2.0.29-beta.1
Oct 15 13:22:38 dnscrypt-proxy[9923]: Network connectivity detected
Oct 15 13:22:38 dnscrypt-proxy[9923]: Source [quad9-resolvers.md] loaded
Oct 15 13:22:38 dnscrypt-proxy[9923]: Anonymized DNS: routing [quad9-dnscrypt-ip4-nofilter-pri] via [sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM]
Oct 15 13:22:38 dnscrypt-proxy[9923]: Firefox workaround initialized
Oct 15 13:22:38 dnscrypt-proxy[9923]: Now listening to 127.0.0.1:65053 [UDP]
Oct 15 13:22:38 dnscrypt-proxy[9923]: Now listening to 127.0.0.1:65053 [TCP]
Oct 15 13:22:38 dnscrypt-proxy[9923]: [quad9-dnscrypt-ip4-nofilter-pri] OK (DNSCrypt) - rtt: 4ms
Oct 15 13:22:38 dnscrypt-proxy[9923]: Server with the lowest initial latency: quad9-dnscrypt-ip4-nofilter-pri (rtt: 4ms)
Oct 15 13:22:38 dnscrypt-proxy[9923]: dnscrypt-proxy is ready - live servers: 1

 

[Zastoff]

More test servers is available for Anonymized DNS

sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM (test relay only)

sdns://gRE1MS4xNTguMTA2LjQyOjQ0Mw (suami, operated by lucenera)

sdns://gRE1MS4xNS4xMDYuMTc2OjQ0Mw (charis, operated by lucenera)

sdns://gRExODguNjAuMjUyLjE2OjQ0M (maintained by @ibksturm)
 
sdns://gRMxNzQuMTM4LjI5LjE3NToxNDQz (anon-tiarap Singapore)

sdns://gSBbMjQwMDo2MTgwOjA6ZDA6OjVmNzM6NDAwMV06MTQ0Mw (anon-tiarap-ipv6 Singapore)

Spoiler: DNSCrypt log

Oct 15 18:47:33 dnscrypt-proxy[21906]: dnscrypt-proxy 2.0.29-beta.1
Oct 15 18:47:33 dnscrypt-proxy[21906]: Network connectivity detected
Oct 15 18:47:33 dnscrypt-proxy[21906]: Source [public-resolvers.md] loaded
Oct 15 18:47:33 dnscrypt-proxy[21906]: Anonymized DNS: routing [quad9-dnscrypt-ip4-filter-pri] via [sdns://gRE1MS4xNTguMTA2LjQyOjQ0Mw]
Oct 15 18:47:33 dnscrypt-proxy[21906]: Anonymized DNS: routing [ovpn2_ipv4] via [sdns://gRE1MS4xNS4xMDYuMTc2OjQ0Mw]
Oct 15 18:47:33 dnscrypt-proxy[21906]: Anonymized DNS: routing [dnscrypt.eu-dk] via [sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM]
Oct 15 18:47:33 dnscrypt-proxy[21906]: Firefox workaround initialized
Oct 15 18:47:33 dnscrypt-proxy[21906]: Now listening to 127.0.0.1:65053 [UDP]
Oct 15 18:47:33 dnscrypt-proxy[21906]: Now listening to 127.0.0.1:65053 [TCP]
Oct 15 18:47:33 dnscrypt-proxy[21906]: [quad9-dnscrypt-ip4-filter-pri] OK (DNSCrypt) - rtt: 50ms
Oct 15 18:47:33 dnscrypt-proxy[21906]: [ovpn2_ipv4] OK (DNSCrypt) - rtt: 18ms
Oct 15 18:47:33 dnscrypt-proxy[21906]: [dnscrypt.eu-dk] OK (DNSCrypt) - rtt: 20ms
Oct 15 18:47:33 dnscrypt-proxy[21906]: Sorted latencies:
Oct 15 18:47:33 dnscrypt-proxy[21906]: - 18ms ovpn2_ipv4
Oct 15 18:47:33 dnscrypt-proxy[21906]: - 20ms dnscrypt.eu-dk
Oct 15 18:47:33 dnscrypt-proxy[21906]: - 50ms quad9-dnscrypt-ip4-filter-pri
Oct 15 18:47:33 dnscrypt-proxy[21906]: Server with the lowest initial latency: ovpn2_ipv4 (rtt: 18ms)
Oct 15 18:47:33 dnscrypt-proxy[21906]: dnscrypt-proxy is ready - live servers: 3

 

[Delusion]

More test servers is available for Anonymized DNS

sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM (test relay only, operated by me)

sdns://gRE1MS4xNTguMTA2LjQyOjQ0Mw (suami, operated by lucenera)

sdns://gRE1MS4xNS4xMDYuMTc2OjQ0Mw (charis, operated by lucenera)

Spoiler: DNSCrypt log

Oct 15 18:47:33 dnscrypt-proxy[21906]: dnscrypt-proxy 2.0.29-beta.1
Oct 15 18:47:33 dnscrypt-proxy[21906]: Network connectivity detected
Oct 15 18:47:33 dnscrypt-proxy[21906]: Source [public-resolvers.md] loaded
Oct 15 18:47:33 dnscrypt-proxy[21906]: Anonymized DNS: routing [quad9-dnscrypt-ip4-filter-pri] via [sdns://gRE1MS4xNTguMTA2LjQyOjQ0Mw]
Oct 15 18:47:33 dnscrypt-proxy[21906]: Anonymized DNS: routing [ovpn2_ipv4] via [sdns://gRE1MS4xNS4xMDYuMTc2OjQ0Mw]
Oct 15 18:47:33 dnscrypt-proxy[21906]: Anonymized DNS: routing [dnscrypt.eu-dk] via [sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM]
Oct 15 18:47:33 dnscrypt-proxy[21906]: Firefox workaround initialized
Oct 15 18:47:33 dnscrypt-proxy[21906]: Now listening to 127.0.0.1:65053 [UDP]
Oct 15 18:47:33 dnscrypt-proxy[21906]: Now listening to 127.0.0.1:65053 [TCP]
Oct 15 18:47:33 dnscrypt-proxy[21906]: [quad9-dnscrypt-ip4-filter-pri] OK (DNSCrypt) - rtt: 50ms
Oct 15 18:47:33 dnscrypt-proxy[21906]: [ovpn2_ipv4] OK (DNSCrypt) - rtt: 18ms
Oct 15 18:47:33 dnscrypt-proxy[21906]: [dnscrypt.eu-dk] OK (DNSCrypt) - rtt: 20ms
Oct 15 18:47:33 dnscrypt-proxy[21906]: Sorted latencies:
Oct 15 18:47:33 dnscrypt-proxy[21906]: - 18ms ovpn2_ipv4
Oct 15 18:47:33 dnscrypt-proxy[21906]: - 20ms dnscrypt.eu-dk
Oct 15 18:47:33 dnscrypt-proxy[21906]: - 50ms quad9-dnscrypt-ip4-filter-pri
Oct 15 18:47:33 dnscrypt-proxy[21906]: Server with the lowest initial latency: ovpn2_ipv4 (rtt: 18ms)
Oct 15 18:47:33 dnscrypt-proxy[21906]: dnscrypt-proxy is ready - live servers: 3

Thanks. I added them. I got tired of DoT, it added alot of overhead, only few domains (3-4) worked fine while others were disconnecting regularly every few minutes and come back after 2-3 seconds . I am glad to see that here all servers work and feels much faster\smoother ( I use vpn so I notice).

 

[HairyA00]

I still need to install DNSCrypt. How well does this play with the new DoT feature? Should I set that stuff to none in WAN and just go upstream to 9.9.9.9 for the initial installation? Any suggestions? @Zastoff already reached out to me personally with install instructions.

 

[Zastoff]

I still need to install DNSCrypt. How well does this play with the new DoT feature? Should I set that stuff to none in WAN and just go upstream to 9.9.9.9 for the initial installation? Any suggestions? @Zastoff already reached out to me personally with install instructions.

Dns privacy protocol=none
Don't think you need to change anything else
When dnscrypt-proxy is installed
Also install Rng (haveged) & set timezone in DNSCrypt-proxy menu

 

[thelonelycoder]

Here is the code:-

curl -L -s -k -O https://raw.githubusercontent.com/thuantran/dnscrypt-asuswrt-installer/master/installer && sh installer ; rm installer

Does the installer all the work for anonymizing DNS queries or would one have to additionally install/update packages after running it.
I'm asking to determine if I should reactivate the install option in amtm for this threads script.

 

[Zastoff]

Does the installer all the work for anonymizing DNS queries or would one have to additionally install/update packages after running it.
I'm asking to determine if I should reactivate the install option in amtm for this threads script.

Installer is on version 2.0.23 at the moment, For anonymizing DNS it needs to be updated to 2.0.29-beta.1 and no additional packages needed but to get Anonymized DNS working, In DNSCrypt (SSH) you need to edit dnscrypt-proxy.toml

server_names = ['dnscrypt.eu-dk']

################################
#        Anonymized DNS        #
################################

[anonymized_dns]

## Define one or more routes, i.e. indirect ways to reach servers.
## A set of possible relay servers is assigned to each DNS resolver.
## A relay can be specified as a DNS Stamp (either a relay stamp, or a
## DNSCrypt stamp), an IP:port, a hostname:port, or a server name, if
## the server is in the servers_list.

 routes = [  
    { server_name='dnscrypt.eu-dk', via=['sdns://gRE1MS4xNTguMTA2LjQyOjQ0Mw'] }
 ]

edit:
Maybe @bigeyes0x0 could update installer to be able to handle Anonymized DNS thru dnscrypt menu

 

[thelonelycoder]

Installer is on version 2.0.23 at the moment, For anonymizing DNS it needs to be updated to 2.0.29-beta.1 and no additional packages needed but to get Anonymized DNS working, In DNSCrypt (SSH) you need to edit dnscrypt-proxy.toml

server_names = ['dnscrypt.eu-dk']

################################
#        Anonymized DNS        #
################################

[anonymized_dns]

## Define one or more routes, i.e. indirect ways to reach servers.
## A set of possible relay servers is assigned to each DNS resolver.
## A relay can be specified as a DNS Stamp (either a relay stamp, or a
## DNSCrypt stamp), an IP:port, a hostname:port, or a server name, if
## the server is in the servers_list.

 routes = [  
    { server_name='dnscrypt.eu-dk', via=['sdns://gRE1MS4xNTguMTA2LjQyOjQ0Mw'] }
 ]

A couple of sed commands will do that then.
Let me see how I can do that automated before the installer kicks in.

 

[DonnyJohnny]

Do note that currently the anonymized dns does not support IPv6 as there is no IPv6 relay for now.

also note that anonymized dns only work with DNScrypt for now.