Can’t catch IPs for IPSET in router because of DNSCrypt on my PC

Because this is how it's designed.

  • ipset == generated from DNS lookups
    • router cannot see DNS lookups because DNSCrypt == enabled
    • therefore, router cannot make ipsets
  • IP addresses == generated from NIC card of PC to gateway (router) reaching default route
    • your PC must always reach its IP gateway
    • your gateway knows all connections then
    • this is unchanged

(It might help to keep in mind that ipset is a part of the netfilter suite.)

Don't be confused. This is exactly how it's designed to work. If you hide DNS requests, your router can't see DNS requests to generate the ipsets. So DNS requests have nothing to do with your PC's NIC card trying to access its gateway to reach any hosts to make a request; or to connect to any results it received.

So to be clear:

  • If you want the OpenWrt router to make ipsets for DSCP tagging, you cannot run DNS encryption at the PC level; it must be on the router. @jeff noted this:
  • If you want to hide all of the PC's IP traffic from the router, you must run a full VPN on the PC - with the caveat:
    • the router will not see any IP traffic (except to the VPN server); but
    • then you cannot make your ipsets

OHH! That's why haha. Well explained sir! :smiley:
So, I guess there won't be any hack/workaround to force ipset to use (or provide) IP addresses generated from PC to gateway, right?

No, as once you only have an IP address, you can't reliably determine the host name the client is trying to reach.

$ drill www.netflix.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 19621
;; flags: qr rd ra ; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; www.netflix.com.	IN	A

;; ANSWER SECTION:
www.netflix.com.	1800	IN	CNAME	www.geo.netflix.com.
www.geo.netflix.com.	1800	IN	CNAME	www.us-west-2.prodaa.netflix.com.
www.us-west-2.prodaa.netflix.com.	60	IN	A	54.200.92.151
www.us-west-2.prodaa.netflix.com.	60	IN	A	34.209.100.67
www.us-west-2.prodaa.netflix.com.	60	IN	A	54.148.48.62
www.us-west-2.prodaa.netflix.com.	60	IN	A	54.191.94.148
www.us-west-2.prodaa.netflix.com.	60	IN	A	54.186.58.115
www.us-west-2.prodaa.netflix.com.	60	IN	A	54.68.141.65
www.us-west-2.prodaa.netflix.com.	60	IN	A	54.68.184.7
www.us-west-2.prodaa.netflix.com.	60	IN	A	54.69.246.67

$ drill -x 54.200.92.151
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 55823
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; 151.92.200.54.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
151.92.200.54.in-addr.arpa.	300	IN	PTR	ec2-54-200-92-151.us-west-2.compute.amazonaws.com.
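As an added illustration of the two replies above (this is example code written for this page, not code from the thread, from dnsmasq or from OpenWrt): a Python sketch of what a router-side resolver does when it can read the DNS answers it relays. It parses a constructed DNS response carrying the same CNAME chain and A records as the drill output, applies a dnsmasq-style `ipset=/netflix.com/netflix` rule (the rule and the set name `netflix` are assumptions), and returns the addresses that would be added to the set. With DNSCrypt on the PC the payload the router forwards is ciphertext, so this parser never sees a cleartext answer and the set stays empty, even though the router still sees every flow to those addresses.

```python
"""Router-side ipset population from relayed DNS answers (example, not dnsmasq code).
Hostnames and addresses are the ones from the drill output; the packet itself is
constructed here, not captured."""
import ipaddress
import struct

# Assumed dnsmasq-style rule: ipset=/netflix.com/netflix  (domain suffix -> set name)
IPSET_RULES = {"netflix.com": "netflix"}

def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def build_response(qname, answers):
    """Build a minimal DNS response from (name, type, rdata) tuples; type 5 = CNAME, 1 = A.
    Constructed test input standing in for a reply the router would forward to the PC."""
    header = struct.pack("!HHHHHH", 0x4CA5, 0x8180, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    for name, rtype, rdata in answers:
        rdata = encode_name(rdata) if rtype == 5 else ipaddress.IPv4Address(rdata).packed
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return header + body

def read_name(pkt, off):
    """Decode a name at offset, handling compression pointers; returns (name, next offset)."""
    labels = []
    while True:
        n = pkt[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(pkt, ptr)
            return ".".join(labels + [tail.rstrip(".")]) + ".", off + 2
        off += 1
        labels.append(pkt[off:off + n].decode())
        off += n

def parse_response(pkt):
    """Return (qname, [(owner, type, rdata), ...]); CNAME rdata is decoded to a name."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off, qname = 12, None
    for _ in range(qd):
        qname, off = read_name(pkt, off)
        off += 4  # skip QTYPE/QCLASS
    records = []
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 5:
            rdata, _ = read_name(pkt, off - rdlen)
        records.append((name, rtype, rdata))
    return qname, records

def match_set(qname, rules):
    """Domain-suffix match the way an ipset=/domain/set rule applies to a query."""
    host = qname.rstrip(".")
    for domain, setname in rules.items():
        if host == domain or host.endswith("." + domain):
            return setname
    return None

def ipset_additions(pkt, rules=IPSET_RULES):
    """Every A record reached from the queried name through its CNAME chain goes into the set."""
    qname, records = parse_response(pkt)
    setname = match_set(qname, rules)
    if setname is None:
        return {}
    chain, changed = {qname}, True
    while changed:  # follow CNAMEs until the chain stops growing
        changed = False
        for name, rtype, rdata in records:
            if rtype == 5 and name in chain and rdata not in chain:
                chain.add(rdata)
                changed = True
    ips = sorted(str(ipaddress.IPv4Address(r)) for n, t, r in records if t == 1 and n in chain)
    return {setname: ips}

# Constructed reply with the CNAME chain and two of the A records from the drill output.
NETFLIX_REPLY = build_response("www.netflix.com.", [
    ("www.netflix.com.", 5, "www.geo.netflix.com."),
    ("www.geo.netflix.com.", 5, "www.us-west-2.prodaa.netflix.com."),
    ("www.us-west-2.prodaa.netflix.com.", 1, "54.200.92.151"),
    ("www.us-west-2.prodaa.netflix.com.", 1, "34.209.100.67"),
])

if __name__ == "__main__":
    print(ipset_additions(NETFLIX_REPLY))
```

The point of the CNAME walk is the one the drill output makes: the addresses the client ends up connecting to belong to `www.us-west-2.prodaa.netflix.com.`, which a reverse lookup resolves to an Amazon EC2 name, so only the forward answer, seen in the clear, ties those addresses to `netflix.com`.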

You're absolutely correct. So the only working option I have is to use DNSCrypt within the router and not on the PC anymore.


With "DNSCrypt" taken by me to mean "some kind of DNS encryption", yes.


Just one last question.
How much of free memory does dnscrypt-proxy need?

After manual installation, when I try to run it, it gives me "fatal error: runtime: out of memory".
P.S. I've kept the 'dnscrypt-proxy' binary in /tmp because of low space.

  • /tmp doesn't exist, it's RAM space (hence using memory) that disappears on reboot :warning:
  • Why did you manually install the binary anyways?
  • Why didn't you install it from the packages?

(BTW, if you compressed it, it will take memory to decompress.)

/tmp doesn't exist, it's RAM space (hence using memory) that disappears on reboot

Yes, I'm aware of it, but I have no choice except to put it there due to the limited storage space available.

Why did you manually install the binary anyways?
Why didn't you install it from the packages?

Because of a lot of optimizations I've done to compact modules into a small, manageable size. Also, when I try to install from opkg it gives a "can't find package" error.

Let me check that package again. I hope it supports Cloudflare DNS.


Should I choose this option too under that dnscrypt package?
"Enable Plugin support (includes Libdns & plugins packages)"

Building or assembling your own image would be a good way to resolve that.

See, for example

and similar pages


Yes I've done all those steps :smiley:

  • Deal with extroot after hacking the hardware to support USB
  • Buy a new router (16/128 devices start around US$20)

I know, that's the first thing on my mind. But if I could just manage to get DNSCrypt2 working on my router then all hail! Lots of modules installed and running smoothly on a router with 4 MB flash and 32 MB RAM. I mean JEEZ :smiley: I mean great job to the developers for making it so optimized!

You're unlikely to get any TLS library to fit into a router with 4 MB of flash (Edit: along with LuCI).

You're likely to run into memory (RAM) exhaustion problems if your ipset is of significant size.

4/32 devices were EOL a couple years ago and will not be supported with builds going forward.

A seven-year run (released in 2012) for a "race to the bottom" router (US$18) isn't bad at all.

If you really want to keep trying, have you already stripped LuCI from your build?

have you already stripped LuCI from your build?

I've considered that, but it'll be difficult for me to configure settings over SSH from time to time. I'm still a noob in Linux. So I kept it. Btw, I'm trying to fit that given dnscrypt package into flash. But is it version 1 or 2? Does it support Cloudflare DNS?

Extensibility issues

Barely enough Flash to accommodate OpenWrt firmware image

  • 4MB min (won't be able to install luci web interface) / 8MB better (will fit luci and some other applications)

  • 4MB can work, but are no fun to work with. >4MB will make you happier than 4MB or below.

  • 4MB devices can't fit anything noteworthy unless you use the Image Generator (Image Builder) (that requires a Linux system and some mild experience) or use Extroot. Experienced users creating custom builds may be able to save firmware space, but many packages won't ever fit no matter what you do.

  • If you want to be sure you can install at least a few additional software packages, 8MB (or more) of flash and 64MB (or more) of RAM are the only choice.

Most probably, you will not be able to install the following popular packages (and others) on a device with only 4MB flash:

  • VPNs and any other package requiring encryption

[...]


It's true. But I've gotta use what I have for now. Btw guys, does that dnscrypt package support Cloudflare DNS? If not, then I would just skip dnscrypt until I buy a new router.

I am not familiar with the setup and configuration of DNSCrypt.

I would just send traffic over a VPN or something (I do not trust most of the current companies providing encrypted DNS). You may want to search the forums for others who successfully setup DNSCrypt on their router:

https://forum.openwrt.org/search?q=dnscrypt

I'd personally buy a new router to solve the space issue.

Removing LuCI saves a lot of space!

:open_mouth:

What did you install!?!?


What provider did you configure?

Don't panic haha :stuck_out_tongue: I mean protocol version 2
https://dnscrypt.info/protocol/

Edit:

Removing LuCI saves a lot of space!

I know I know but I'm not that tech savvy to change settings time to time without GUI. Luci is completely mandatory :sweat:

OK...I would surmise that DNSCrypt software speaks the DNSCrypt protocol...so I'm not sure how helpful the protocol whitepaper is.

From: https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/README.md

Overview

A flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2, DNS-over-HTTPS and Anonymized DNSCrypt.

Feel free to read manuals and README.md files of software you choose to install on your device. There's likely more information on the "Enable Plugin support" button also.

Maybe you can finish major configs - then make a custom firmware to remove it when done.
