A tale of dnscrypt-proxy2, Anonymized DNS and that one unsuspecting wrt


A while back Anonymized-DNS came to be, by some arcane sorcery, which is more than nice to have and behold, how? Well, let's see? (firmware: OpenWrt SNAPSHOT r13768-f632747704 & my config)

There are luci guides in the 'how' above. But I'm point & click challenged, so;

opkg update
opkg install dnscrypt-proxy2

Check if pings are in stock these trying times;

ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=117 time=52.862 ms

ping google.com
PING google.com (172.217.21.174): 56 data bytes
64 bytes from 172.217.21.174: seq=0 ttl=117 time=34.457 ms
64 bytes from 172.217.21.174: seq=1 ttl=117 time=53.325 ms

Then:

uci add_list dhcp.@dnsmasq[0].server='127.0.0.53'
uci commit dhcp
/etc/init.d/dnsmasq restart

There be pings still?

ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=117 time=36.043 ms
64 bytes from 8.8.8.8: seq=1 ttl=117 time=41.248 ms

ping google.com
PING google.com (172.217.21.174): 56 data bytes
64 bytes from 172.217.21.174: seq=0 ttl=117 time=51.201 ms
64 bytes from 172.217.21.174: seq=1 ttl=117 time=51.591 ms

Noice.

We are supposed to fettle with configs, imagine that.

cp /etc/dnscrypt-proxy2/dnscrypt-proxy.toml /etc/config/

These are the changes I made to the default config:

#uncomment
server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']

#uncomment
lb_strategy = 'p2'

#uncomment
lb_estimator = true

#added
routes = [
   { server_name='*', via=[ 'anon-cs-fr', 'anon-cs-de', 'anon-cs-uk', 'anon-cs-sk', 'anon-ams-nl', 'anon-cs-md'] }
]

Stir dnsmasq:

/etc/init.d/dnsmasq restart
logread -l 100 | grep dnsmasq

Says:

daemon.info dnsmasq[5108]: using nameserver 127.0.0.53#53

Pings?

ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=117 time=66.195 ms
64 bytes from 8.8.8.8: seq=1 ttl=117 time=58.286 ms
ping google.com
PING google.com (172.217.21.174): 56 data bytes
64 bytes from 172.217.21.174: seq=0 ttl=117 time=52.225 ms
64 bytes from 172.217.21.174: seq=1 ttl=117 time=35.703 ms

Then, add: /etc/dnscrypt-proxy2/dnscrypt-proxy.toml
To: /etc/sysupgrade.conf (For backup of org conf)

Add to /etc/config/dhcp:

        # Ignore ISP's DNS by not reading upstream servers from /etc/resolv.conf
        option noresolv '1'
        # Ensures that /etc/resolv.conf directs local system processes to use d>
        option localuse '1'
        # Disable because dnscrypt-proxy's block_undelegated already blocks RFC>
        option boguspriv '0'
        # Disable dnsmasq cache because we don't want to cache twice and the dn>
        option cachesize '0'

Test:

/etc/init.d/dnsmasq restart
ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=117 time=80.016 ms
64 bytes from 8.8.8.8: seq=1 ttl=117 time=53.949 ms
root@wrt~# ping google.com
ping: bad address 'google.com'

Mkay..

logread -l 100 | grep dnsmasq

Wed Jul 29 18:03:30 2020 daemon.warn dnsmasq[5601]: Maximum number of concurrent DNS queries reached (max: 150)
Wed Jul 29 18:03:40 2020 daemon.warn dnsmasq[5601]: Maximum number of concurrent DNS queries reached (max: 150)
Wed Jul 29 18:03:50 2020 daemon.info dnsmasq-dhcp[5601]: DHCPREQUEST(br-lan) 192.168.99.3 00:1e:06:42:25:10
Wed Jul 29 18:03:50 2020 daemon.info dnsmasq-dhcp[5601]: DHCPACK(br-lan) 192.168.99.3 00:1e:06:42:25:10 CoreELEC
Wed Jul 29 18:03:50 2020 daemon.warn dnsmasq[5601]: Maximum number of concurrent DNS queries reached (max: 150)

Hm... what gives?

dnscrypt-proxy.toml

listen_addresses = ['127.0.0.53:53']

It's uncommented by default, at least mine was.

Verify the IP

127.0.0.53:53

Yep, fifty-three.

option boguspriv '1'
# Disable dnsmasq cache because we don't want to cache twice and the dnscrypt-proxy cache is superior

You didn't note your firewall rules:

config redirect
option name 'Divert-DNS, port 53'
option src 'lan'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'

config redirect
option name 'Divert-DNS, port 853'
option src 'lan'
option proto 'tcp udp'
option src_dport '853'
option dest_port '853'
option target 'DNAT'

config redirect
option name 'Divert-DNS, port 5353'
option src 'lan'
option proto 'tcp udp'
option src_dport '5353'
option dest_port '5353'
option target 'DNAT'

I stopped where I got the error; also, those additions didn't make any difference. Struggle is real, Dear user.

Dang! Good catch on the:
option boguspriv '1'
# Disable dnsmasq cache because we don't want to cache twice and the dnscrypt-proxy cache is superior

though! Got my hopes up real good!

Added the above to my firewall (see previous posts)

Changed some lines in: /etc/config/dnscrypt-proxy.toml

routes = [
   { server_name='google', via=['anon-cs-fr', 'anon-cs-de', 'anon-cs-uk'] },
   { server_name='scaleway-fr', via=[ 'anon-dnscrypt.uk-ipv4', 'anon-ibksturm', 'anon-kama'] },
   { server_name='yandex', via=['anon-sth-se', 'anon-meganerd', 'anon-cs-md'] },
   { server_name='cloudflare', via=['anon-yofiji-se-ipv4', 'anon-ams-nl', 'anon-cs-se'] },
   ]

And as I check the config with:
dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -check

It goes:

[2020-07-30 06:08:35] [NOTICE] dnscrypt-proxy 2.0.44
[2020-07-30 06:08:35] [NOTICE] Source [public-resolvers] loaded
[2020-07-30 06:08:35] [NOTICE] Source [relays] loaded
[2020-07-30 06:08:35] [NOTICE] Anonymized DNS: routing [scaleway-fr] via [anon-dnscrypt.uk-ipv4 anon-ibksturm anon-kama]
[2020-07-30 06:08:35] [NOTICE] Anonymized DNS: routing [yandex] via [anon-sth-se anon-meganerd anon-cs-md]
[2020-07-30 06:08:35] [ERROR] DNS anonymization is only supported with the DNSCrypt protocol - Connections to [google] cannot be anonymized
[2020-07-30 06:08:35] [ERROR] DNS anonymization is only supported with the DNSCrypt protocol - Connections to [cloudflare] cannot be anonymized
[2020-07-30 06:08:35] [NOTICE] Configuration successfully checked

Which is alright, just change google and cloudflare in:

server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare'].

Still can't: ping google.com

Still ofc:

cat /etc/resolv.conf
search lan
nameserver 127.0.0.1
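An added editor's example, not code from the thread or from dnscrypt-proxy: the `-check` run above ends with "Configuration successfully checked" even though two of the four configured servers cannot be anonymized. In the default dnscrypt-proxy config the `skip_incompatible` option is described as "skip resolvers incompatible with anonymization instead of using them directly", so with `skip_incompatible = false` (the value in the config posted later in the thread) google and cloudflare are still queried, just without a relay. The script below parses a constructed copy of that `-check` output and reports which names in `server_names` end up being contacted directly; the regexes and the `audit` function are this example's own.

```python
"""Added example (not from the thread): read dnscrypt-proxy -check output and
report which configured servers would be queried without an anonymizing relay."""
import re

# Constructed from the -check output posted in the thread.
CHECK_OUTPUT = """\
[2020-07-30 06:08:35] [NOTICE] dnscrypt-proxy 2.0.44
[2020-07-30 06:08:35] [NOTICE] Source [public-resolvers] loaded
[2020-07-30 06:08:35] [NOTICE] Source [relays] loaded
[2020-07-30 06:08:35] [NOTICE] Anonymized DNS: routing [scaleway-fr] via [anon-dnscrypt.uk-ipv4 anon-ibksturm anon-kama]
[2020-07-30 06:08:35] [NOTICE] Anonymized DNS: routing [yandex] via [anon-sth-se anon-meganerd anon-cs-md]
[2020-07-30 06:08:35] [ERROR] DNS anonymization is only supported with the DNSCrypt protocol - Connections to [google] cannot be anonymized
[2020-07-30 06:08:35] [ERROR] DNS anonymization is only supported with the DNSCrypt protocol - Connections to [cloudflare] cannot be anonymized
[2020-07-30 06:08:35] [NOTICE] Configuration successfully checked
"""

# server_names as posted in the thread.
SERVER_NAMES = ['scaleway-fr', 'google', 'yandex', 'cloudflare']

ROUTED_RE = re.compile(r"\[NOTICE\] Anonymized DNS: routing \[([^\]]+)\] via \[([^\]]*)\]")
DIRECT_RE = re.compile(r"\[ERROR\] .*Connections to \[([^\]]+)\] cannot be anonymized")


def parse_check_output(text):
    """Return ({server: [relay, ...]}, {servers that cannot be anonymized})."""
    routed, incompatible = {}, set()
    for line in text.splitlines():
        m = ROUTED_RE.search(line)
        if m:
            routed[m.group(1)] = m.group(2).split()
            continue
        m = DIRECT_RE.search(line)
        if m:
            incompatible.add(m.group(1))
    return routed, incompatible


def audit(server_names, check_output, skip_incompatible):
    """Classify each configured server as relayed or contacted directly.

    A server is only anonymized if -check printed a routing notice for it.
    With skip_incompatible = false, servers that cannot be anonymized are
    still used, so they are listed under 'direct'; with true they are dropped.
    """
    routed, incompatible = parse_check_output(check_output)
    configured = set(server_names)
    direct = configured - set(routed)
    if skip_incompatible:
        direct -= incompatible  # dropped by dnscrypt-proxy rather than queried
    return {
        'routed': {s: routed[s] for s in server_names if s in routed},
        'direct': sorted(direct),
        # server_names trimmed to the entries that actually go through a relay
        'safe_server_names': [s for s in server_names if s in routed],
    }


if __name__ == '__main__':
    result = audit(SERVER_NAMES, CHECK_OUTPUT, skip_incompatible=False)
    for name, relays in result['routed'].items():
        print('relayed:', name, 'via', ', '.join(relays))
    print('queried directly (client IP visible to them):', result['direct'])
    print("suggested server_names =", result['safe_server_names'])
```

Running it against the thread's output lists google and cloudflare under "queried directly" and suggests `server_names = ['scaleway-fr', 'yandex']`, which is the change the poster made next; setting `skip_incompatible = true` instead empties that list because the two servers are then dropped rather than used.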

The default config works for me, so you should change options one by one and check name resolution after each modification if you want to set up Anonymized DNS.

And you have made the changes to /etc/config/dhcp ?

If I; mv /etc/config/dnscrypt-proxy.toml /etc/config/dnscrypt-proxy.tomlOLD

Then grab the config here = same, still no go. (you need to comment out three sections though)

If I use the file I have documented changes here in the thread = same, still no go.

If I remove the changes from /etc/config/dhcp = I can ping

If I ping with either my config or the default = pings are there.

So it's not those proxy configs.
It's when I add: option noresolv '1' to /etc/config/dhcp

And... :

cat /etc/resolv.conf
search lan
nameserver 127.0.0.1

/etc/firewall


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

#config rule
#	option name 'Support-UDP-Traceroute'
#	option src 'wan'
#	option dest_port '33434:33689'
#	option proto 'udp'
#	option family 'ipv4'
#	option target 'REJECT'
#	option enabled 'false'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'
	option family 'IPv4'
	option reload '1'

#config zone
#	option name 'wan'
#	option input 'ACCEPT'
#	option output 'ACCEPT'
#	option forward 'ACCEPT'
#	option network 'lan wwan'

# Redirect unencrypted DNS queries to dnscrypt-proxy
# This will thwart manual DNS client settings and hardcoded DNS servers like in Google devices
config redirect
    option name 'Divert-DNS, port 53'
    option src 'lan'
    option proto 'tcp udp'
    option src_dport '53'
    option dest_port '53'
    option target 'DNAT'

# Block DNS-over-TLS over port 853
# Assuming you're not actually running a DoT stub resolver
config rule
    option name 'Reject-DoT, port 853'
    option src 'lan'
    option dest 'wan'
    list proto 'tcp udp'
    option dest_port '853'
    option target 'REJECT'

# Optional: Redirect queries for DNS servers running on non-standard ports. Can repeat for 9953, 1512, 54. Check https://github.com/parrotgeek1/ProxyDNS for examples.
# Warning: can break stuff, don't use this one if you run an mDNS server
config redirect
    option name 'Divert-DNS, port 5353'
    option src 'lan'
    option proto 'tcp udp'
    option src_dport '5353'
    option dest_port '53'
    option target 'DNAT'

/etc/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option nonwildcard '0'
	option localservice '1'
	option listserver '127.0.0.53'
	option rebind_protection '0'
#quiet you!
	option dnsforwardmax '9000'
#	option noresolv '1'
	option localuse '1'	
	option boguspriv '0'
	option cachesize '0'

config dhcp 'lan'
	option interface 'lan' 
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option start '100'
	option limit '150'
	option leasetime '15m'
	list dhcp_option '6,aDNS,orTWO'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config hosts list...

This is my /etc/config/dnscrypt-proxy.toml (which is default + my above edits) without all lines starting with #, made with notepad++ and search/replace through regexp: ^(\s)(#|;).(\r\n|\r|\n)?

Then proofread by eye.

server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
  
listen_addresses = ['127.0.0.53:53']
 
max_clients = 250

ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
doh_servers = true
 
require_dnssec = false
require_nolog = true
require_nofilter = true
disabled_server_names = []
  
force_tcp = false
 
timeout = 5000
 
keepalive = 30

lb_strategy = 'p2'

lb_estimator = true

cert_refresh_delay = 240
    
fallback_resolvers = ['9.9.9.9:53', '8.8.8.8:53']
 
ignore_system_dns = true
  
netprobe_timeout = 60
 
netprobe_address = '9.9.9.9:53'
 
log_files_max_size = 10
log_files_max_age = 7
log_files_max_backups = 1
   
block_ipv6 = false
 
block_unqualified = true
 
block_undelegated = true
 
reject_ttl = 600
 
cache = true
 
cache_size = 4096
 
cache_min_ttl = 2400
 
cache_max_ttl = 86400
 
cache_neg_min_ttl = 60
 
cache_neg_max_ttl = 600
  
[local_doh]
   
[query_log]
 
format = 'tsv'
  
[nx_log]
 
format = 'tsv'
  
[schedules]
    
[sources]
 
  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  prefix = ''
 
  [sources.'relays']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md']
  cache_file = 'relays.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''
   
[broken_implementations]
  
fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-dnscrypt-ip6-nofilter-pri', 'cleanbrowsing-adult', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-security']
  
[doh_client_x509_auth]
   
[anonymized_dns]
  
routes = [
   { server_name='google', via=['anon-cs-fr', 'anon-cs-de', 'anon-cs-uk'] },
   { server_name='scaleway-fr', via=[ 'anon-dnscrypt.uk-ipv4', 'anon-ibksturm', 'anon-kama'] },
   { server_name='yandex', via=['anon-sth-se', 'anon-meganerd', 'anon-cs-md'] },
   { server_name='cloudflare', via=['anon-yofiji-se-ipv4', 'anon-ams-nl', 'anon-cs-se'] },
   ]
 
skip_incompatible = false
    
[dns64]

[static]

dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -check
[2020-07-30 08:54:58] [NOTICE] dnscrypt-proxy 2.0.44
[2020-07-30 08:54:59] [NOTICE] Source [public-resolvers] loaded
[2020-07-30 08:54:59] [NOTICE] Source [relays] loaded
[2020-07-30 08:54:59] [ERROR] DNS anonymization is only supported with the DNSCrypt protocol - Connections to [cloudflare] cannot be anonymized
[2020-07-30 08:54:59] [NOTICE] Anonymized DNS: routing [scaleway-fr] via [anon-dnscrypt.uk-ipv4 anon-ibksturm anon-kama]
[2020-07-30 08:54:59] [NOTICE] Anonymized DNS: routing [yandex] via [anon-sth-se anon-meganerd anon-cs-md]
[2020-07-30 08:54:59] [ERROR] DNS anonymization is only supported with the DNSCrypt protocol - Connections to [google] cannot be anonymized
[2020-07-30 08:54:59] [NOTICE] Configuration successfully checked

So I removed dnscrypt-proxy
Both:
/etc/dnscrypt-proxy2/dnscrypt-proxy.toml
/etc/config/dnscrypt-proxy.toml

Installed dnscrypt-proxy again (commandline)
cp /etc/dnscrypt-proxy2/dnscrypt-proxy.toml /etc/config/
Uncommented: server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
Checked if: listen_addresses = ['127.0.0.53:53'] was uncommented, yes as default.

cat /etc/resolv.conf
search lan
nameserver 127.0.0.1

Ping works

After adding: # Ignore ISP's DNS by not reading upstream servers from /etc/resolv.conf
    option noresolv '1'

Ping google.com = no.

Is there something wrong with my setup?

If I reboot and issue:

/etc/init.d/dnscrypt-proxy restart
root@wrt:~# logread | grep dnscrypt-proxy
Thu Jul 30 13:12:41 2020 daemon.err dnscrypt-proxy[1227]: [2020-07-30 11:12:41] [NOTICE] dnscrypt-proxy 2.0.44
Thu Jul 30 13:12:42 2020 daemon.err dnscrypt-proxy[1227]: [2020-07-30 11:12:42] [NOTICE] Network connectivity detected
Thu Jul 30 13:12:42 2020 daemon.err dnscrypt-proxy[1227]: [2020-07-30 11:12:42] [FATAL] listen udp 127.0.0.53:53: bind: address already in use
Thu Jul 30 13:12:43 2020 daemon.err dnscrypt-proxy[3219]: [2020-07-30 11:12:43] [NOTICE] dnscrypt-proxy 2.0.44
Thu Jul 30 13:12:43 2020 daemon.err dnscrypt-proxy[3219]: [2020-07-30 11:12:43] [NOTICE] Network connectivity detected
Thu Jul 30 13:12:43 2020 daemon.err dnscrypt-proxy[3219]: [2020-07-30 11:12:43] [FATAL] listen udp 127.0.0.53:53: bind: address already in use

Hm.. just reboot:

Thu Jul 30 13:23:12 2020 daemon.err dnscrypt-proxy[1227]: [2020-07-30 11:23:12] [FATAL] listen udp 127.0.0.53:53: bind: address already in use
Thu Jul 30 13:23:12 2020 daemon.err dnscrypt-proxy[1227]: [2020-07-30 11:23:12] [NOTICE] Network connectivity detected
Thu Jul 30 13:23:12 2020 daemon.err dnscrypt-proxy[1227]: [2020-07-30 11:23:12] [NOTICE] dnscrypt-proxy 2.0.44
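An added editor's example, not code from any post in the thread: a small Python checker for the dnsmasq section of `/etc/config/dhcp`, run against a constructed copy of the section posted above and of the working one that appears later. Two things in the posted section are worth flagging automatically. In UCI the dnsmasq upstream is a `list server 'ip#port'` entry; `option listserver` is not an option dnsmasq's init script reads, and once `noresolv '1'` stops dnsmasq from reading /etc/resolv.conf it has no upstream at all, which matches the "bad address" result. Separately, `nonwildcard '0'` makes dnsmasq bind the wildcard address on port 53, so a second daemon cannot bind 127.0.0.53:53 and fails with "address already in use", which is why moving dnscrypt-proxy to 127.0.0.42:4242 worked. The UCI parser and the finding texts are this example's own.

```python
"""Added example (not from the thread): sanity-check the dnsmasq section of an
OpenWrt /etc/config/dhcp against the address dnscrypt-proxy listens on."""
import re

# Constructed copy of the non-working dnsmasq section posted in the thread.
BROKEN_DHCP = """\
config dnsmasq
	option domainneeded '1'
	option nonwildcard '0'
	option localservice '1'
	option listserver '127.0.0.53'
	option rebind_protection '0'
	option noresolv '1'
	option localuse '1'
	option cachesize '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
"""

# Constructed copy of the working section (dnscrypt-proxy moved to 127.0.0.42:4242).
WORKING_DHCP = """\
config dnsmasq
	option domainneeded '1'
	option nonwildcard '0'
	option rebind_protection '0'
	option noresolv '1'
	option localuse '1'
	option cachesize '0'
	list server '127.0.0.42#4242'
"""

SECTION_RE = re.compile(r"config\s+(\S+)(?:\s+'?([^'\s]+)'?)?$")
ENTRY_RE = re.compile(r"(option|list)\s+(\S+)\s+'([^']*)'$")


def parse_uci(text):
    """Minimal UCI reader: a list of sections, each with type, name, options, lists."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = SECTION_RE.match(line)
        if m:
            cur = {'type': m.group(1), 'name': m.group(2), 'options': {}, 'lists': {}}
            sections.append(cur)
            continue
        m = ENTRY_RE.match(line)
        if m and cur is not None:
            kind, key, val = m.groups()
            if kind == 'option':
                cur['options'][key] = val
            else:
                cur['lists'].setdefault(key, []).append(val)
    return sections


def split_server(entry):
    """dnsmasq upstream syntax is ip#port; a missing port means 53."""
    host, _, port = entry.partition('#')
    return host, port or '53'


def check_dnsmasq(text, listen_addr):
    """Return a list of findings for the dnsmasq section; empty means nothing suspicious."""
    ip, port = listen_addr.rsplit(':', 1)
    findings = []
    for sec in parse_uci(text):
        if sec['type'] != 'dnsmasq':
            continue
        opts, servers = sec['options'], sec['lists'].get('server', [])
        if 'listserver' in opts:
            findings.append("'option listserver' is not a dnsmasq option; "
                            "use \"list server '%s#%s'\"" % (ip, port))
        if opts.get('noresolv') == '1' and not servers:
            findings.append("noresolv '1' with no 'list server': dnsmasq has no "
                            "upstream, so every forwarded name fails")
        if servers and (ip, port) not in {split_server(s) for s in servers}:
            findings.append("no 'list server' entry points at dnscrypt-proxy on %s" % listen_addr)
        if opts.get('nonwildcard') == '0' and port == '53':
            findings.append("nonwildcard '0' makes dnsmasq bind 0.0.0.0:53, so dnscrypt-proxy "
                            "cannot bind %s (address already in use)" % listen_addr)
    return findings


if __name__ == '__main__':
    for label, text, addr in (('broken', BROKEN_DHCP, '127.0.0.53:53'),
                              ('working', WORKING_DHCP, '127.0.0.42:4242')):
        print(label + ':')
        for finding in check_dnsmasq(text, addr) or ['ok']:
            print('  -', finding)
```

On a router the section can be fed in with `uci export dhcp` (or the file itself); the address argument is whatever `listen_addresses` says in dnscrypt-proxy.toml. The broken copy yields three findings (the `listserver` typo, no upstream under `noresolv`, and the port-53 bind clash); the working copy yields none, because its `list server` entry matches the listener and port 4242 does not collide with dnsmasq.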

(A tool to sort dnscrypt servers by the grace of ping.)

I had to change the port number.
Working configs:

/etc/dnscrypt-proxy2/dnscrypt-proxy.toml

server_names = ['soltysiak', 'dnscrypt.eu-dk', 'acsacsar-ams-ipv4', 'dnscrypt.eu-nl']
  
listen_addresses = ['127.0.0.42:4242']
 
max_clients = 250
  
 
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
doh_servers = true
 
require_dnssec = true
require_nolog = true
require_nofilter = true
disabled_server_names = []
  
force_tcp = false
 
timeout = 5000
 
keepalive = 30

lb_strategy = 'p2'

lb_estimator = true

cert_refresh_delay = 240
    
fallback_resolvers = ['9.9.9.9:53', '8.8.8.8:53']
 
ignore_system_dns = true
  
netprobe_timeout = 60
 
netprobe_address = '9.9.9.9:53'
 
log_files_max_size = 10
log_files_max_age = 7
log_files_max_backups = 1
   
block_ipv6 = false
 
block_unqualified = true
 
block_undelegated = true
 
reject_ttl = 600
   
 
cache = true
 
cache_size = 4096
 
cache_min_ttl = 2400
 
cache_max_ttl = 86400
 
cache_neg_min_ttl = 60
 
cache_neg_max_ttl = 600
  
[local_doh]
   
[query_log]
 
format = 'tsv'
  
[nx_log]
 
format = 'tsv'
    
  
[schedules]
    
[sources]
 
  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  prefix = ''
 
  [sources.'relays']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md']
  cache_file = 'relays.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''
   
[broken_implementations]
  
fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-dnscrypt-ip6-nofilter-pri', 'cleanbrowsing-adult', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-security']
  
[doh_client_x509_auth]
   
[anonymized_dns]
  
routes = [
   { server_name='acsacsar-ams-ipv4', via=['anon-cs-fr', 'anon-cs-de', 'anon-cs-uk'] },
   { server_name='dnscrypt.eu-dk', via=[ 'anon-dnscrypt.uk-ipv4', 'anon-ibksturm', 'anon-kama'] },
   { server_name='soltysiak', via=['anon-sth-se', 'anon-meganerd', 'anon-cs-md'] },
   { server_name='dnscrypt.eu-nl', via=['anon-yofiji-se-ipv4', 'anon-ams-nl', 'anon-cs-se'] },
   ]
 
skip_incompatible = false
    
[dns64]

[static]

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option nonwildcard '0'
	option localservice '1'
	option rebind_protection '0'
	option dnsforwardmax '9000'
	option noresolv '1'
	option localuse '1'
	option cachesize '0'
	list server '127.0.0.42#4242'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option start '100'
	option limit '150'
	option leasetime '15m'
	list dhcp_option '6,192.168.42.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

#config rule
#	option name 'Support-UDP-Traceroute'
#	option src 'wan'
#	option dest_port '33434:33689'
#	option proto 'udp'
#	option family 'ipv4'
#	option target 'REJECT'
#	option enabled 'false'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'
	option family 'IPv4'
	option reload '1'

#config zone
#	option name 'wan'
#	option input 'ACCEPT'
#	option output 'ACCEPT'
#	option forward 'ACCEPT'
#	option network 'lan wwan'

# Redirect unencrypted DNS queries to dnscrypt-proxy
# This will thwart manual DNS client settings and hardcoded DNS servers like in Google devices
config redirect
    option name 'Divert-DNS, port 53'
    option src 'lan'
    option proto 'tcp udp'
    option src_dport '4242'
    option dest_port '53'
    option target 'DNAT'

# Block DNS-over-TLS over port 853
# Assuming you're not actually running a DoT stub resolver
config rule
    option name 'Reject-DoT, port 853'
    option src 'lan'
    option dest 'wan'
    list proto 'tcp udp'
    option dest_port '853'
    option target 'REJECT'

# Optional: Redirect queries for DNS servers running on non-standard ports. Can repeat for 9953, 1512, 54. Check https://github.com/parrotgeek1/ProxyDNS for examples.
# Warning: can break stuff, don't use this one if you run an mDNS server
config redirect
    option name 'Divert-DNS, port 4242'
    option src 'lan'
    option proto 'tcp udp'
    option src_dport '4242'
    option dest_port '53'
    option target 'DNAT'
