A problem that I periodically have when I configure DNSCrypt is that after a period of time (sometimes months, other times weeks or shorter), DNS just stops working. I get a message like this in my web browsers:
This site can’t be reached
<so and so website’s> server DNS address could not be found.
Try:
Checking the connection
Checking the proxy, firewall, and DNS configuration
ERR_NAME_NOT_RESOLVED
A reboot does not fix the problem.
The following command produces no results:
logread | grep "Proxying from"
The only way I can fix the problem and keep DNSCrypt is to reflash LEDE. Or I can forgo DNSCrypt and go to Network > Interfaces > WAN edit > Advanced Settings > and input an address into the "Use custom DNS servers" field.
Does anyone know how to stop this from happening? This is not a new problem; I used to have it with OpenWRT also.
vi /etc/rc.local
sleep 10
/etc/init.d/dnscrypt-proxy start
@AmbientSummer
I have tried rebooting several times, some of those times after enabling, restarting DNSCrypt etc. Can you be so kind as to tell me how to pull the logs that are useful? Is everything at /var/log?
DNSCrypt does not require changes in '/etc/rc.local' or anywhere else, only in '/etc/config/dnscrypt-proxy'.
Copy the logs to a file with 'logread > /tmp/logread', copy '/tmp/logread' to your PC, carefully check it for sensitive data, and paste it here.
Also the content of '/etc/openwrt_release'.
Changing DNS resolvers fixed it. The logs showed the resolver I was using was the problem. The certificates were no longer available or something.
@AmbientSummer
In the DNScrypt wiki, it says to set the sleep 10 function as I posted in my previous email. A previous problem I had was that DNSCrypt would fail to start without the sleep 10. Nothing has changed with this, right? If DNScrypt fails to start after boot, this is the correct approach to fix it, right?
Time problem, probably. Or try another resolver. Cisco and Yandex resolvers are used in commercial products and are very stable.
[quote="okji, post:9, topic:4364"]
DNScrypt wiki
[/quote]
Openwrt wiki is obsolete.
Yes, it may not start due to the network not being ready, but you can probably get away with less than 10 seconds. This will change frequently; I used to bake it into my build via a wget so I always had the current file, but would still get caught out when a provider's abilities changed. Cisco is consistent but has no DNSSEC, so it depends on your use case.
To enable the second nameserver (ns2), all I do is uncomment the second resolver in /etc/config/dnscrypt-proxy (vi /etc/config/dnscrypt-proxy), and then if ns1 fails the changeover will occur automatically? Or are there any other settings I need to configure? [Is the OpenWRT wiki still valid on this?]
On my laptop I have a static IP, and in the DNS settings I wrote my router's IP address 10.0.0.1, and everything is working fine. Is this the correct way to do this?
Also, I have one question: how can I force DHCP users to resolve DNS queries with dnscrypt?
And one more question: if I uncomment this line "# option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'", will it use that file too?
You need to configure dnsmasq to use the second instance of dnscrypt. Something like this:
/etc/config/dhcp
config dnsmasq
...
option noresolv '1'
list server '127.0.0.1#29170'
list server '127.0.0.1#29171'
list server '127.0.0.1#29172'
list server '/pool.ntp.org/77.88.8.8'
list server '/pool.ntp.org/8.8.8.8'
list server '/pool.ntp.org/2a02:6b8:0:1::feed:0ff'
list server '/pool.ntp.org/2001:4860:4860::8844'
...
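A way to check a dnsmasq section like the one above for upstreams that bypass dnscrypt-proxy, as an added example that is not part of the thread: any 'list server' entry without a leading /domain/ that does not point at loopback receives every query in the clear, and without "option noresolv '1'" dnsmasq also uses the resolvers learned over WAN DHCP. The /pool.ntp.org/ entries are the deliberate plaintext bootstrap for NTP and are left alone. The config text is a constructed sample with one deliberate leak (an unscoped 8.8.8.8), and the function names are my own.

```shell
#!/bin/sh
# Added example: scan a dnsmasq UCI section for upstreams that would
# bypass dnscrypt-proxy. Not the thread's own script.

# Constructed sample modelled on the snippet in the post above, with one
# deliberate leak: the 8.8.8.8 line has no /domain/ prefix.
SAMPLE_DHCP="config dnsmasq
    option noresolv '1'
    list server '127.0.0.1#29170'
    list server '127.0.0.1#29171'
    list server '8.8.8.8'
    list server '/pool.ntp.org/77.88.8.8'
    list server '/pool.ntp.org/2a02:6b8:0:1::feed:0ff'"

# Print the value of every 'list server' entry, quotes stripped.
server_entries() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*list[[:space:]][[:space:]]*server[[:space:]][[:space:]]*'\([^']*\)'.*/\1/p"
}

# Print unscoped upstreams (no leading /domain/) that are not loopback:
# dnsmasq will send every query to these in plaintext.
leaking_servers() {
    server_entries "$1" | grep -v '^/' | grep -v '^127\.' | grep -v '^::1' || true
}

# Return 0 when the section is leak-free (noresolv set, no unscoped
# non-loopback upstream); otherwise print what is wrong and return 1.
check_dnsmasq_section() {
    ok=0
    if ! printf '%s\n' "$1" | grep -q "^[[:space:]]*option[[:space:]][[:space:]]*noresolv[[:space:]][[:space:]]*'1'"; then
        echo "noresolv is not set: resolvers from WAN DHCP will be used"
        ok=1
    fi
    leaks=$(leaking_servers "$1")
    if [ -n "$leaks" ]; then
        echo "unscoped plaintext upstream(s): $leaks"
        ok=1
    fi
    return $ok
}

# On a router, feed it the real section instead of the sample:
#   check_dnsmasq_section "$(uci export dhcp)"
check_dnsmasq_section "$SAMPLE_DHCP"
```

The check deliberately treats only 127.0.0.1 and ::1 as safe; a dnscrypt-proxy instance bound to a LAN address would be reported, which is the conservative failure mode for a leak check.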
create /etc/resolv-crypt.conf with a single line: options timeout:1
vi /etc/resolv-crypt.conf
write "options timeout:1" without the quotes and save
delay dnscrypt startup so that it does not start before the network interface is up
vi /etc/rc.local
add following TWO LINES above the line "exit 0"
sleep 4
/etc/init.d/dnscrypt-proxy start
edit dnsmasq so dnscrypt can get the time and resolve ns2
vi /etc/config/dhcp
under "config dnsmasq" add the following to the end of the list
option resolvfile '/etc/resolv-crypt.conf'
list server '127.0.0.1#5353'
list server '127.0.0.1#5454'
list server '/pool.ntp.org/208.67.222.222'
enable DNSCrypt for auto-boot
/etc/init.d/dnscrypt-proxy enable
reboot router for changes to take effect
troubleshooting
check if dnscrypt-proxy is set up and running
logread | grep -n "using nameserver"
you should see the following after entering the above command
390:Wed Jun 14 19:45:45 2017 daemon.info dnsmasq[1991]: using nameserver 208.67.222.222#53 for domain pool.ntp.org
391:Wed Jun 14 19:45:45 2017 daemon.info dnsmasq[1991]: using nameserver 127.0.0.1#5454
392:Wed Jun 14 19:45:45 2017 daemon.info dnsmasq[1991]: using nameserver 127.0.0.1#5353
verify that dnscrypt is proxying
logread | grep "Proxying from"
you should see the following after running the above command
Wed Jun 14 19:45:45 2017 daemon.notice dnscrypt-proxy[2005]: dnscrypt-proxy Proxying from 127.0.0.1:5353 to <DNS IP address here>
Wed Jun 14 19:45:45 2017 daemon.notice dnscrypt-proxy[2006]: dnscrypt-proxy Proxying from 127.0.0.1:5454 to <DNS IP address here>
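The two troubleshooting checks above, combined into one script as an added example that is not part of the original write-up: it takes the 127.0.0.1#PORT upstreams dnsmasq logs with "using nameserver" and cross-checks them against the listeners dnscrypt-proxy logs with "Proxying from", so a forwarder with no dnscrypt-proxy instance behind it stands out instead of having to be spotted by eye. The log text is a constructed sample modelled on the lines quoted in the thread (with one listener deliberately missing), and the function names are my own.

```shell
#!/bin/sh
# Added example: cross-check dnsmasq's upstream ports against dnscrypt-proxy's
# listeners in a logread dump. Not the thread's own script.

# Constructed sample modelled on the quoted log lines. Only the 5353 instance
# reports "Proxying from"; nothing is listening on 5454.
SAMPLE_LOG='Wed Jun 14 19:45:45 2017 daemon.info dnsmasq[1991]: using nameserver 208.67.222.222#53 for domain pool.ntp.org
Wed Jun 14 19:45:45 2017 daemon.info dnsmasq[1991]: using nameserver 127.0.0.1#5454
Wed Jun 14 19:45:45 2017 daemon.info dnsmasq[1991]: using nameserver 127.0.0.1#5353
Wed Jun 14 19:45:45 2017 daemon.notice dnscrypt-proxy[2005]: dnscrypt-proxy Proxying from 127.0.0.1:5353 to 208.67.220.220:443'

# Print the loopback ports dnsmasq forwards to, one per line.
dnsmasq_local_ports() {
    printf '%s\n' "$1" | sed -n 's/.*dnsmasq\[[0-9]*\]: using nameserver 127\.0\.0\.1#\([0-9]*\).*/\1/p'
}

# Print the loopback ports dnscrypt-proxy reports it is proxying from.
dnscrypt_proxy_ports() {
    printf '%s\n' "$1" | sed -n 's/.*dnscrypt-proxy.* Proxying from 127\.0\.0\.1:\([0-9]*\) to .*/\1/p'
}

# Print each dnsmasq upstream port with no matching dnscrypt-proxy listener.
# Return 0 when every forwarder is backed by a listener, 1 otherwise.
missing_listeners() {
    log=$1
    rc=0
    for port in $(dnsmasq_local_ports "$log"); do
        if ! dnscrypt_proxy_ports "$log" | grep -qx "$port"; then
            echo "$port"
            rc=1
        fi
    done
    return $rc
}

# On a router, run it over the live log instead of the sample:
#   missing_listeners "$(logread)"
# An empty "Proxying from" set, as in the first post of this thread, makes
# every dnsmasq forwarder show up here.
missing_listeners "$SAMPLE_LOG"
```

Note that the dnsmasq lines are only logged at startup and on a configuration reload, so on a long-running router take the dump before restarting anything, or restart dnsmasq first and then run the check.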
I just want to know: how do you use it on your computer? I configured mine with a static IP address, and in the DNS settings I wrote my router's IP 10.0.0.1. I do not know if this is the correct way to do this, but the PC is resolving hostnames, so I think it's working.
But what about DHCP clients? How can I force them to use dnscrypt?
On Linux, you can comment out entries in dhclient.conf to ensure that a client is requesting from your local router (the router is acting as the DNS server). On Windows you have to edit something as well, but I forget the exact details. I don't use Windows anymore.
Go into your dhclient.conf and, if there are entries like the ones below, comment them out on your client machine.
sudo nano /etc/dhcp/dhclient.conf
comment out "prepend domain-name-servers 127.0.0.1;"
comment out "prepend domain-name-servers -DNS IP addresses here-"
To change your IP, in LEDE, edit the relevant field here:
Follow this write-up I did and dnscrypt will work for you.
1. It appears that you omitted an instruction:
In /etc/config/dnscrypt-proxy
you must uncomment: option resolvers_list
or else when you query: logread | grep "Proxying from"
you only get:
Jul 1 12:00:00 openwrt daemon.info dnscrypt-proxy[1831]: Proxying from 127.0.0.1:5353 to 208.67.220.220:443
(i.e. OpenDNS is your resolver instead of the preferred one)
2. The server names must be present in the local resolvers list. However, the local list at present does not match the internet list and some of the servers are not found:
"I sent pull request with updated resolvers list. d0wn servers should work after update. You always can update resolvers manually by executing:"
Then LEDE says: "SSL support not available, please install one of the libustream-ssl-* libraries as well as the ca-bundle and ca-certificates packages."
(--Sigh... why all of this not automated with GUI like Tomato?)
3. When I run the command: logread | grep dnscrypt
It reports that cisco (and various others) are insecure for various reasons (logging & lack of DNSCRYPT support, key rotation period may exceed recommended value, etc.)
Question: --Is there a comparison chart which would show all of the relevant features of the various servers?
4. Regarding the test for signatures at: http://dnssec.vs.uni-due.de
Some servers which pass this test are failing the GRC signature test at: