A problem that I periodically have when I configure DNSCrypt is that after a period of time (sometimes months, other times weeks or shorter), DNS just stops working. I get a message like this in my web browsers:
This site can’t be reached
<so and so website’s> server DNS address could not be found.
Checking the connection
Checking the proxy, firewall, and DNS configuration
A reboot does not fix the problem.
The following command produces no results
logread | grep "Proxying from"
The only way I can fix the problem and keep DNSCrypt is to reflash LEDE. Or I can forego DNSCrypt and go to Network > Interfaces > WAN edit > Advanced Settings > and input an address into the "Use custom DNS servers" field.
Does anyone know how to stop this from happening? This is not a new problem; I used to have it with OpenWRT also.
I have tried rebooting several times, some of those times after enabling, restarting DNSCrypt, etc. Can you be so kind as to tell me how to pull the logs that are useful? Is everything at /var/log?
Changing DNS resolvers fixed it. Logs showed the resolver I was using was the problem. The certificates were no longer available or something.
In the DNScrypt wiki, it says to set the sleep 10 function as I posted in my previous email. A previous problem I had was that DNSCrypt would fail to start without the sleep 10. Nothing has changed with this right? If DNScrypt fails to start after boot, this is the correct approach to fix it, right?
Time problem probably. Or try another resolver. Cisco and Yandex resolvers are used in commercial products and very stable.
Openwrt wiki is obsolete.
Yes, it may not start due to the network not being ready, but you can probably get away with less than 10 seconds. This will change frequently; I used to bake it into my build via a wget so I always had the current file, but would still get caught out when a provider's abilities changed. Cisco is consistent but no DNSSEC, so it depends on your use case.
To enable the second nameserver (ns2), all I do is uncomment the second resolver at vi /etc/config/dnscrypt-proxy and then if ns1 fails, the change over will automatically occur? Or are there any other settings I need to configure? [Is the OpenWRT wiki still valid on this?]
On my laptop I have a static IP and in the DNS settings I wrote my router's IP address 10.0.0.1, and everything is working fine. Is this the correct way to do this?
Also I have one question: how can I force DHCP users to resolve DNS queries with dnscrypt?
And one more question: if I uncomment this line "# option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'", will it use that file too?
You need to configure dnsmasq to use the second instance of dnscrypt. Something like this:
option noresolv '1'
list server '127.0.0.1#29170'
list server '127.0.0.1#29171'
list server '127.0.0.1#29172'
list server '/pool.ntp.org/188.8.131.52'
list server '/pool.ntp.org/184.108.40.206'
list server '/pool.ntp.org/2a02:6b8:0:1::feed:0ff'
list server '/pool.ntp.org/2001:4860:4860::8844'
create /etc/resolv-crypt.conf with a single line: options timeout:1
write "options timeout:1" without the quotes and save
slow dnscrypt startup so that it does not start before the network interface
add the following TWO LINES above the line "exit 0"
edit dnsmasq so dnscrypt can get the time and resolve ns2
under "config dnsmasq" add the following to the end of the list
option resolvfile '/etc/resolv-crypt.conf'
list server '127.0.0.1#5353'
list server '127.0.0.1#5454'
list server '/pool.ntp.org/220.127.116.11'
enable DNSCrypt for auto-boot
reboot router for changes to take effect
check if dnscrypt-proxy is set up and running
logread | grep -n "using nameserver"
you should see following after entering above command
390:Wed Jun 14 19:45:45 2017 daemon.info dnsmasq: using nameserver 18.104.22.168#53 for domain pool.ntp.org
391:Wed Jun 14 19:45:45 2017 daemon.info dnsmasq: using nameserver 127.0.0.1#5454
392:Wed Jun 14 19:45:45 2017 daemon.info dnsmasq: using nameserver 127.0.0.1#5353
verify that dnscrypt is proxying
logread | grep "Proxying from"
you should see following after running above command
Wed Jun 14 19:45:45 2017 daemon.notice dnscrypt-proxy: dnscrypt-proxy Proxying from 127.0.0.1:5353 to <DNS IP address here>
Wed Jun 14 19:45:45 2017 daemon.notice dnscrypt-proxy: dnscrypt-proxy Proxying from 127.0.0.1:5454 to <DNS IP address here>
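As an added check that is not part of this thread, the script below runs the two logread greps from the steps above over a constructed sample and reports which half of the dnsmasq-to-dnscrypt chain is missing; ports 5353/5454 are the ones in the post's dnsmasq config, while the resolver IPs and the log sample are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): checks a logread dump for the lines the
# post above says a working dnsmasq + dnscrypt-proxy setup must show.
# Ports 5353/5454 come from the post's config; the IPs below are constructed.

# Constructed sample of "logread" output, shaped like the lines in the post.
SAMPLE_LOG='Wed Jun 14 19:45:45 2017 daemon.info dnsmasq: using nameserver 203.0.113.53#53 for domain pool.ntp.org
Wed Jun 14 19:45:45 2017 daemon.info dnsmasq: using nameserver 127.0.0.1#5454
Wed Jun 14 19:45:45 2017 daemon.info dnsmasq: using nameserver 127.0.0.1#5353
Wed Jun 14 19:45:45 2017 daemon.notice dnscrypt-proxy: dnscrypt-proxy Proxying from 127.0.0.1:5353 to 203.0.113.10:443
Wed Jun 14 19:45:45 2017 daemon.notice dnscrypt-proxy: dnscrypt-proxy Proxying from 127.0.0.1:5454 to 203.0.113.11:443'

# count_proxying LOG PORT: dnscrypt-proxy listeners announced on 127.0.0.1:PORT
count_proxying() {
    printf '%s\n' "$1" | grep -cE "Proxying from 127\.0\.0\.1:$2 to " || true
}

# count_using LOG PORT: dnsmasq upstream entries pointing at 127.0.0.1#PORT
count_using() {
    printf '%s\n' "$1" | grep -cE "using nameserver 127\.0\.0\.1#$2( |\$)" || true
}

# check_port LOG PORT: "ok" when dnscrypt-proxy listens on PORT and dnsmasq
# forwards to it; otherwise names the half of the chain that is missing.
check_port() {
    if [ "$(count_proxying "$1" "$2")" -eq 0 ]; then
        echo not-proxying          # nothing to forward to: dnscrypt-proxy not up
    elif [ "$(count_using "$1" "$2")" -eq 0 ]; then
        echo dnsmasq-not-using     # proxy is up but dnsmasq ignores it
    else
        echo ok
    fi
}

# check_ntp_bootstrap LOG: dnscrypt-proxy needs correct time to validate the
# resolver certificate, so the post routes pool.ntp.org to a plain resolver.
check_ntp_bootstrap() {
    if printf '%s\n' "$1" | grep -q "using nameserver .* for domain pool.ntp.org"; then
        echo ok
    else
        echo no-plain-ntp-resolver
    fi
}

# Usage on the router: check_setup "$(logread)"
check_setup() {
    for p in 5353 5454; do echo "port $p: $(check_port "$1" "$p")"; done
    echo "ntp bootstrap: $(check_ntp_bootstrap "$1")"
}
```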
I just want to know how you use it on your computer. I configured mine with a static IP address and in the DNS settings I wrote my router's IP 10.0.0.1. I do not know if this is the correct way to do this, but the PC is resolving hostnames so I think it's working.
But what about DHCP clients? How can I force them to use dnscrypt?
On Linux, you can comment out entries in the dhclient.conf to ensure that a client is requesting from your local router (the router is acting as the DNS server). On Windows you have to edit something as well, but I forget the exact details. I don't use Windows anymore.
go into your dhclient.conf and if there are entries like below, comment them out on your client machine.
sudo nano /etc/dhcp/dhclient.conf
comment out "prepend domain-name-servers 127.0.0.1;"
comment out "prepend domain-name-servers -DNS IP addresses here-"
To change your IP, in LEDE, edit the relevant field here:
Then LEDE says: "SSL support not available, please install one of the libustream-ssl-* libraries as well as the ca-bundle and ca-certificates packages."
(--Sigh... why all of this not automated with GUI like Tomato?)
3. When I run the command: logread | grep dnscrypt
It reports that cisco (and various others) are insecure for various reasons (logging & lack of DNSCRYPT support, key rotation period may exceed recommended value, etc.)
Question: --Is there a comparison chart which would show all of the relevant features of the various servers?
4. Regarding the test for signatures at: http://dnssec.vs.uni-due.de
Some servers which pass this test are failing the GRC signature test at: