The router cannot see DNS lookups because DNSCrypt is enabled;
therefore, the router cannot make ipsets.
IP addresses are generated from the PC's NIC to the gateway (router), reaching the default route.
Your PC must always reach its IP gateway,
so your gateway knows all connections.
This is unchanged.
(It might help to keep in mind that ipset is a part of the netfilter suite.)
Don't be confused. This is exactly how it's designed to work. If you hide DNS requests, your router can't see the DNS requests to generate the ipsets. So DNS requests have nothing to do with your PC's NIC trying to access its gateway to reach any hosts to make a request, or to connect to any results it received.
So to be clear:
If you want the OpenWrt router to make ipsets for DSCP tagging, you cannot run DNS encryption on the PC level; it must be on the router. @jeff noted this:
If you want to hide all of the PC's IP traffic from the router, you must run a full VPN on the PC - with the caveat:
the router will not see any IP traffic (except to the VPN server); but
OHH! That's why haha. Well explained sir!
So, I guess there won't be any hack/workaround to force ipset to use (or provide) IP addresses generated from the PC to the gateway, right?
No, as once you only have an IP address, you can't reliably determine the host name the client is trying to reach.
$ drill www.netflix.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 19621
;; flags: qr rd ra ; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.netflix.com. IN A
;; ANSWER SECTION:
www.netflix.com. 1800 IN CNAME www.geo.netflix.com.
www.geo.netflix.com. 1800 IN CNAME www.us-west-2.prodaa.netflix.com.
www.us-west-2.prodaa.netflix.com. 60 IN A 54.200.92.151
www.us-west-2.prodaa.netflix.com. 60 IN A 34.209.100.67
www.us-west-2.prodaa.netflix.com. 60 IN A 54.148.48.62
www.us-west-2.prodaa.netflix.com. 60 IN A 54.191.94.148
www.us-west-2.prodaa.netflix.com. 60 IN A 54.186.58.115
www.us-west-2.prodaa.netflix.com. 60 IN A 54.68.141.65
www.us-west-2.prodaa.netflix.com. 60 IN A 54.68.184.7
www.us-west-2.prodaa.netflix.com. 60 IN A 54.69.246.67
$ drill -x 54.200.92.151
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 55823
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; 151.92.200.54.in-addr.arpa. IN PTR
;; ANSWER SECTION:
151.92.200.54.in-addr.arpa. 300 IN PTR ec2-54-200-92-151.us-west-2.compute.amazonaws.com.
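The following script is an added example, not code from the thread or from dnsmasq/OpenWrt. It mimics what a dnsmasq `ipset=/netflix.com/netflix` entry does on the router (match the queried name, then put every A record of the answer into the set) and then shows why the reverse direction fails: given only the destination address the router saw, a PTR lookup returns an Amazon EC2 name that does not fall under netflix.com. The DNS answers are constructed sample text in the drill/dig answer-section format, modelled on the output quoted above; the set name `netflix` and the helper names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): emulate dnsmasq's DNS-driven ipset population
# and show why a bare destination IP cannot be mapped back to the queried name.
# All DNS answers below are constructed sample text, modelled on the drill output above.

# Constructed forward answer as the router's own resolver would see it (CNAME chain + A records).
SAMPLE_QUERY='www.netflix.com.'
SAMPLE_ANSWER='www.netflix.com. 1800 IN CNAME www.geo.netflix.com.
www.geo.netflix.com. 1800 IN CNAME www.us-west-2.prodaa.netflix.com.
www.us-west-2.prodaa.netflix.com. 60 IN A 54.200.92.151
www.us-west-2.prodaa.netflix.com. 60 IN A 34.209.100.67'

# Constructed reverse (PTR) answer for the first address.
SAMPLE_PTR='151.92.200.54.in-addr.arpa. 300 IN PTR ec2-54-200-92-151.us-west-2.compute.amazonaws.com.'

# Does NAME fall under DOMAIN (exact match or any subdomain)? dnsmasq applies this test
# to the name the client queried, not to the CNAME chain and not to a PTR target.
matches_domain() {
    name="${1%.}"
    domain="${2%.}"
    case "$name" in
        "$domain"|*".$domain") return 0 ;;
        *) return 1 ;;
    esac
}

# Print the IPv4 addresses (A records) of an answer section, one per line.
extract_a_records() {
    printf '%s\n' "$1" | awk '$3 == "IN" && $4 == "A" { print $5 }'
}

# Print the target name of a PTR answer.
ptr_target() {
    printf '%s\n' "$1" | awk '$3 == "IN" && $4 == "PTR" { print $5 }'
}

# Emit the equivalent "ipset add" commands for a query that matched DOMAIN. dnsmasq talks
# to the kernel directly rather than running the CLI, but the effect on the set is the same.
# Prints nothing when the queried name is outside DOMAIN.
ipset_add_commands() {
    set_name="$1"; domain="$2"; query="$3"; answer="$4"
    matches_domain "$query" "$domain" || return 0
    extract_a_records "$answer" | while read -r ip; do
        printf 'ipset add %s %s -exist\n' "$set_name" "$ip"
    done
}

# Case 1: the router resolved the query itself, so it can populate the set.
echo "# router saw the query for $SAMPLE_QUERY:"
ipset_add_commands netflix netflix.com "$SAMPLE_QUERY" "$SAMPLE_ANSWER"

# Case 2: DNS was encrypted on the PC; the router only saw a connection to 54.200.92.151.
# The best it can do is a PTR lookup, and that name does not fall under netflix.com.
reverse="$(ptr_target "$SAMPLE_PTR")"
echo "# router saw only 54.200.92.151; PTR says: $reverse"
if matches_domain "$reverse" netflix.com; then
    echo "# matched netflix.com (this branch is not taken)"
else
    echo "# no match: cannot add 54.200.92.151 to the netflix set from the address alone"
fi
```

Run it as-is on any POSIX shell; case 1 prints one `ipset add netflix ... -exist` line per A record, case 2 prints the "no match" line. The same asymmetry applies to a real set: with `ipset=/netflix.com/netflix` in dnsmasq the set fills only while dnsmasq on the router answers the client's queries.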
Just one last question.
How much free memory does dnscrypt-proxy need?
After manual installation, when I try to run it, it gives me "fatal error: runtime: out of memory".
P.S. I've kept the 'dnscrypt-proxy' binary in /tmp because of low space.
/tmp doesn't exist on flash; it's RAM space (hence using memory) that disappears on reboot.
Yes, I'm aware of it, but I have no choice except to put it there due to the limited storage space available.
Why did you manually install the binary anyway?
Why didn't you install it from the packages?
Because I've done a lot of optimizations to compact modules into a small, manageable size. Also, when I try to install from opkg it gives a "can't find package" error.
Let me check that package again. I hope it supports Cloudflare DNS.
I know, that's the first thing on my mind. But if I could just manage to get DNSCrypt2 working on my router, then all hail! Lots of modules are installed and running smoothly on a router with 4 MB flash and 32 MB RAM. I mean, jeez, great job to the developers for making it so optimized!
I've considered that, but it'll be difficult for me to configure settings over SSH from time to time. I'm still a noob in Linux. So I kept it. By the way, I'm trying to fit that dnscrypt package into flash. But is it version 1 or 2? Does it support Cloudflare DNS?
Barely enough flash to accommodate the OpenWrt firmware image
4MB min (won't be able to install the luci web interface) / 8MB better (will fit luci and some other applications)
4MB can work, but is no fun to work with. >4MB will make you happier than 4MB or below.
4MB devices can't fit anything noteworthy unless you use the Image Generator (Image Builder) (which requires a Linux system and some mild experience) or use Extroot. Experienced users creating custom builds may be able to save firmware space, but many packages won't ever fit no matter what you do.
If you want to be sure you can install at least a few additional software packages, 8MB (or more) of flash and 64MB (or more) of RAM are the only choice.
Most probably, you will not be able to install the following popular packages (and others) on a device with only 4MB flash:
It's true. But I've got to use what I have for now. By the way, guys, does that dnscrypt package support Cloudflare DNS? If not, I'll just skip dnscrypt until I buy a new router.
I am not familiar with the setup and configuration of DNSCrypt.
I would just send traffic over a VPN or something (I do not trust most of the current companies providing encrypted DNS). You may want to search the forums for others who successfully setup DNSCrypt on their router:
Feel free to read manuals and README.md files of software you choose to install on your device. There's likely more information on the "Enable Plugin support" button also.
Maybe you can finish the major configs, then make a custom firmware to remove it when done.