Can’t catch IPs for IPSET in router because of DNSCrypt on my PC

Router: TP-Link TL-WR841N/ND v8

Kernel Version: 4.14.152

Build: latest master (18.06.5)

Short story:

Can’t mark DSCP on packets because router can’t identify encrypted DNS queries by DNSCrypt installed on my PC.

Long story:

I’ve installed Simple DNSCrypt on Windows which ensures keeping end-to-end DNS queries encrypted.

Have installed IPSET & other dependencies in router to mark DSCP packets.

Unfortunately, due to DNS encryption router can’t see streaming IPs, thus no filling of IPSet & no DSCP marks.

“ipset list” command shows 0 members. BUT without DNSCrypt on my PC DSCP marking works, ipset fills up.

The router I’m using is old but solid working fast af for my internet connection. There’s no free space to install DNSCrypt2 in router but have enough RAM space (12 MB minimum). Tried installing dnscrypt-proxy in RAM but it needs ca-bundle (with dependencies) which completely destroys no free space criteria.

Also, can’t fall back to ‘luci-app-dnscrypt-proxy’ because it doesn’t support Cloudflare DNS. (If it supports, I’ll take it!)

So, anyone has a workaround/tip on it?

P.S. Thanks again to OpenWrt developers & the whole community for their hard work!

Update : I managed to install dnscrypt-proxy with ca-bundle. But when I try to run it gives me "fatal error: runtime: out of memory".
At the same time router's memory:

Total Available: 12.60 MB
Free: 10.63 MB
Buffered: 1.56 MB
Cached: 5.36 MB

How much memory does dnscrypt-proxy need?

You failed to explain how DNS lookups from the client - has relation to your router creating an ipset. You also failed to explain why you need ipset.

  • Are you saying that you previously marked 53/udp packets?
  • Why did you setup an ipset - what does it do after a DNS lookup?
  • Why would you want to indicate that these packets are different after implementing encrypted DNS?

I surmise you could flag traffic to the IP of the server, instead of port?

I followed this post Ultimate SQM settings: Layer_cake + DSCP marks

Purpose? As the above post says to take most of the advantage of layer.cake

Why did you setup an ipset - what does it do after a DNS lookup?
I surmise you could flag traffic to the IP of the server, instead of port?

As explained in the post it creates hash list of IP addresses after DNS lookup as per traffic.
Port based DSCP marking is old & less scalable. Having ipset is better choice in my case I can just put the most common IPs in dnsmasq.conf file and done with it. No need to waste time setting up unreliable, unpredictable ports e.g. Discord.

That, by its very nature, prevents your router from doing anything based on DNS of that client.

If you want your router to be able to know the contents of its clients' DNS requests, clients can't use encrypted DNS directed at a remote host.

You could, for example, encrypt DNS from your router to remote servers, then adjust your clients to use your router-provided DNS.

Reverse DNS is unlikely to be of benefit, as so many sites use cloud-based hosting and/or CDN, which are unlikely to reverse-resolve into a meaningfully related host name.

1 Like

Exactly. But just to confirm you mean I should install DNSCrypt in my router instead on my PC so it'll decrypt DNS queries within the router itself & it might be able to see IPs & mark DSCP as per my requirement?

Rest of world <--- encrypted DNS ---> OpenWrt <--- your choice DNS ---> your clients

Edit: Using "normal" DNS between your OpenWrt DNS server and your clients makes catching the results through packet inspection possible directly. If you used encrypted DNS, you'd need some "hack" to either snoop loopback, or the DNS responses themselves from the DNS server.


How can I do that? Any idea?

Personally, I wouldn't -- I'm the only one that is going to be snooping my LAN (especially as I segregate guests and IoT devices to other VLANs). For me, there is no meaningful value to encrypted DNS between my clients and my local, DNS servers.

If I were to attempt it, I'd start with running Wireshark with a remote capture on your router's loopback to see if the information is there. I run unbound for my DNS and not on my OpenWrt router, so I don't have any idea what logging information is available from dnsmasq.

1 Like

I was just gonna mention about luci-app-unbound. How this is different from DNSCrypt?

That is a GUI plug-in, that will (should) then bring in services.

unbound alone, doesn't supply "all" variants of encrypted DNS. See, for example,

I run unbound and stubby on a server OS, independent of my OpenWrt installs. That is not a requirement at all, just a choice of how I manage my network and its security.

There should be several "tutorials" on the forum here on setting up various "secure" DNS configurations under OpenWrt.


DNS over HTTPS with Dnsmasq and https-dns-proxy

I think this will be enough for my need instead of DNSCrypt. I can install it on router then might solve my issue. What do you think?

I'm not sure what problem you're trying to solve, end-to-end, but encrypted DNS from your OpenWrt device to rest-of-world, and unencrypted DNS for your clients should let you "snoop" the DNS to make decisions on your OpenWrt system's firewall behavior.

1 Like

I want encrypted DNS queries (Real world <----->router). For that I've installed DNSCrypt on my PC bcz I couldn't make it run on my router.
I want to mark DSCP to packets coming from various IP addresses. For this I'm using ipset.
BUT due to encryption from real world to PC my router is unable to identify IP addresses. Hence it can not mark DSCP to incoming/outgoing packets.

I'm just curious....again, what are you blocking, and how do DNS lookups populate an ipset list.

Are you blocking SPAM, gambling...YouTube...?

I'm sorry I don't follow you. I'm not blocking anything.
I've added these lines in dnsmasq.conf.


So if I e.g. if I go to DNS resolves it to an IP address & fills up in the ipset hash list. Same goes for other traffic. The real benefit of this is that IP address changes for the domain time to time. So it's ideal solution to use ipset instead of fixed IP addresses/ports to set DSCP tags. Just add in ipset you'd be done with it.

1 Like

Just a follow up question.
I just checked in Status>Realtime Graph>Connections it lists all the traffic with the IPs currently connected to. How is this possible when I'm using DNSCrypt on my PC?

I'll be honest, I'm still somewhat confused - and perhaps that's why you think IP connections should not appear...but if you're adding ipsets in order to perform DSCP tagging - it seems you're aware that your router would be able to track your IP traffic.

Nonetheless, any time you make a connection, the router knows. Regarding your DNSCrypt requests, the only thing hidden is the contents of the requests, it's still known that you connected to a DNSCrypt-enabled DNS server. Further, connections of subsequent lookups (like CNAME resolution) and access to the results will also be seen.

So basically, you'll need to run a VPN on the client to hide traffic from the router as you describe. Then, you should only see one connection to the VPN server (if you use its IP in the config). Be aware, if you hide your IP traffic from the router, it cannot perform the tagging you seem to desire!

1 Like

So router is populating IP addresses using CNAME resolution? Because DNS queries are encrypted from PC.

Be aware, if you hide your IP traffic from the router, it cannot perform the tagging you seem to desire!

Yes, I'm aware of it :smiley:

HUH! No. I have no clue what you're taking about again. Let's remove the CNAME remark:

"Unless you use a VPN, any IP connections will be seen by your router, including your connections to the DNSCrypt server."

Your router shouldn't be able to collect any DNS lookups from your PC, they're encrypted, correct?

So why did you make a post about catching IPs for ipsets if you don't want the router to see any IP traffic or DNS lookups from the PC?

  1. DNSCrypt on PC disabled = Router shows traffic IP Addresses + IPset works perfectly.
  2. DNSCrypt on PC enabled= Router still shows traffic IP Addresses + BUT IPset doesn't work.



Your router shouldn't be able to collect any DNS lookups from your PC, they're encrypted, correct?

Yes exactly. That's why I'm confused. Encrypted as in I'm using DNSCrypt no VPN for the record.