Can’t mark DSCP on packets because router can’t identify encrypted DNS queries by DNSCrypt installed on my PC.
Long story:
I’ve installed Simple DNSCrypt on Windows, which keeps DNS queries encrypted end-to-end.
I have installed ipset & other dependencies in the router to mark packets with DSCP.
Unfortunately, due to DNS encryption the router can’t see streaming IPs, thus no filling of the ipset & no DSCP marks.
The “ipset list” command shows 0 members. BUT without DNSCrypt on my PC, DSCP marking works and the ipset fills up.
The router I’m using is old but solid, working fast af for my internet connection. There’s no free space to install DNSCrypt2 in the router, but it has enough RAM (12 MB minimum). I tried installing dnscrypt-proxy in RAM, but it needs ca-bundle (with dependencies), which completely breaks the no-free-space criteria.
Also, I can’t fall back to ‘luci-app-dnscrypt-proxy’ because it doesn’t support Cloudflare DNS. (If it does, I’ll take it!)
So, does anyone have a workaround/tip for it?
P.S. Thanks again to OpenWrt developers & the whole community for their hard work!
Update: I managed to install dnscrypt-proxy with ca-bundle. But when I try to run it, it gives me "fatal error: runtime: out of memory".
At the same time, the router's memory:
Purpose? As the above post says, to take the most advantage of layer.cake.
Why did you setup an ipset - what does it do after a DNS lookup?
I surmise you could flag traffic to the IP of the server, instead of port?
As explained in the post, it creates a hash list of IP addresses after DNS lookup as per traffic.
Port-based DSCP marking is old & less scalable. Having an ipset is a better choice; in my case I can just put the most common IPs in the dnsmasq.conf file and be done with it. No need to waste time setting up unreliable, unpredictable ports, e.g. Discord.
That, by its very nature, prevents your router from doing anything based on DNS of that client.
If you want your router to be able to know the contents of its clients' DNS requests, clients can't use encrypted DNS directed at a remote host.
You could, for example, encrypt DNS from your router to remote servers, then adjust your clients to use your router-provided DNS.
Reverse DNS is unlikely to be of benefit, as so many sites use cloud-based hosting and/or CDN, which are unlikely to reverse-resolve into a meaningfully related host name.
Exactly. But just to confirm, you mean I should install DNSCrypt in my router instead of on my PC, so it'll decrypt DNS queries within the router itself & might be able to see IPs & mark DSCP as per my requirement?
Rest of world <--- encrypted DNS ---> OpenWrt <--- your choice DNS ---> your clients
Edit: Using "normal" DNS between your OpenWrt DNS server and your clients makes catching the results through packet inspection possible directly. If you used encrypted DNS, you'd need some "hack" to either snoop loopback, or the DNS responses themselves from the DNS server.
Personally, I wouldn't -- I'm the only one that is going to be snooping my LAN (especially as I segregate guests and IoT devices to other VLANs). For me, there is no meaningful value to encrypted DNS between my clients and my local DNS servers.
If I were to attempt it, I'd start with running Wireshark with a remote capture on your router's loopback to see if the information is there. I run unbound for my DNS and not on my OpenWrt router, so I don't have any idea what logging information is available from dnsmasq.
I run unbound and stubby on a server OS, independent of my OpenWrt installs. That is not a requirement at all, just a choice of how I manage my network and its security.
There should be several "tutorials" on the forum here on setting up various "secure" DNS configurations under OpenWrt.
I'm not sure what problem you're trying to solve, end-to-end, but encrypted DNS from your OpenWrt device to rest-of-world, and unencrypted DNS for your clients should let you "snoop" the DNS to make decisions on your OpenWrt system's firewall behavior.
I want encrypted DNS queries (Real world <-----> router). For that I've installed DNSCrypt on my PC because I couldn't make it run on my router. +
I want to mark DSCP on packets coming from various IP addresses. For this I'm using ipset.
BUT due to encryption from the real world to the PC, my router is unable to identify IP addresses. Hence it cannot mark DSCP on incoming/outgoing packets.
So if, e.g., I go to www.youtube.com, DNS resolves it to an IP address & fills it into the ipset hash list. Same goes for other traffic. The real benefit of this is that the IP address for the domain changes from time to time. So it's the ideal solution to use ipset instead of fixed IP addresses/ports to set DSCP tags. Just add youtube.com to the ipset and you'd be done with it.
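The layout suggested in the reply above (encrypted DNS only between the router and the outside, plain DNS on the LAN, dnsmasq filling the ipset that the DSCP rules match on), as an added example that is not code from this thread. It assumes dnsmasq built with ipset support (dnsmasq-full on OpenWrt), a local dnscrypt-proxy listening on 127.0.0.1 port 5300 (an assumed port), and the set name "streaming" and class AF41 as placeholders; DRY_RUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: dnsmasq-full (ipset
# support), dnscrypt-proxy on 127.0.0.1 port 5300 (assumed port), set name
# "streaming" and DSCP class AF41 chosen as placeholders.
SET_NAME="streaming"
UPSTREAM="127.0.0.1#5300"
DSCP_CLASS="AF41"
: "${DRY_RUN:=1}"   # DRY_RUN=1 prints commands; DRY_RUN=0 applies them

# run: echo the command in dry-run mode, otherwise execute it
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# dnsmasq_conf: lines for /etc/dnsmasq.conf. Clients query the router in
# plain DNS, dnsmasq forwards only to the local encrypted resolver, and every
# address answered for the listed domains is added to the ipset.
dnsmasq_conf() {
  printf 'no-resolv\nserver=%s\n' "$UPSTREAM"
  printf 'ipset=/youtube.com/googlevideo.com/%s\n' "$SET_NAME"
}

# firewall_rules: create the set and mark forwarded traffic to or from its
# members so the cake qdisc can prioritise it (put in /etc/firewall.user)
firewall_rules() {
  run ipset create -exist "$SET_NAME" hash:ip
  run iptables -t mangle -A FORWARD -m set --match-set "$SET_NAME" dst \
      -j DSCP --set-dscp-class "$DSCP_CLASS"
  run iptables -t mangle -A FORWARD -m set --match-set "$SET_NAME" src \
      -j DSCP --set-dscp-class "$DSCP_CLASS"
}

# member_count: count entries in "ipset list <set>" output read from stdin.
# Zero members while traffic flows is the thread's symptom: the answers never
# passed through dnsmasq because the client resolves over its own encrypted DNS.
member_count() {
  sed -n '/^Members:/,$p' | tail -n +2 | grep -c . || true
}

dnsmasq_conf
firewall_rules
```

With DRY_RUN=0 the same functions apply the rules; after a client visits one of the listed domains, `ipset list streaming | member_count` should report a non-zero count.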
Just a follow up question.
I just checked in Status > Realtime Graph > Connections; it lists all the traffic with the IPs currently connected to. How is this possible when I'm using DNSCrypt on my PC?
I'll be honest, I'm still somewhat confused - and perhaps that's why you think IP connections should not appear...but if you're adding ipsets in order to perform DSCP tagging - it seems you're aware that your router would be able to track your IP traffic.
Nonetheless, any time you make a connection, the router knows. Regarding your DNSCrypt requests, the only thing hidden is the contents of the requests, it's still known that you connected to a DNSCrypt-enabled DNS server. Further, connections of subsequent lookups (like CNAME resolution) and access to the results will also be seen.
So basically, you'll need to run a VPN on the client to hide traffic from the router as you describe. Then, you should only see one connection to the VPN server (if you use its IP in the config). Be aware, if you hide your IP traffic from the router, it cannot perform the tagging you seem to desire!