Continual problem when using DNSCrypt - help!

No help sorry, but long time DNScrypt wannabeee ;- )

When I try to restart the DNSCrypt service, I get this

root@LEDE:~# /etc/init.d/dnsmasq restart
udhcpc: started, v1.25.1
udhcpc: sending discover
udhcpc: no lease, failing

Anybody know what's causing this? I just installed 17.01.2 fresh a couple days ago.

The sleep bit from here maybe. I always had to use this (1 second) but failure was consistent on every boot for me when I used dnscrypt.

Are you sure that the reboot does not help? Can you post logs before and after reboot when problem happened?

@anomeome
I confirmed this is set before posting

vi /etc/rc.local
sleep 10
/etc/init.d/dnscrypt-proxy start 

@AmbientSummer
I have tried rebooting several times. Some of those times after enabling, restarting DNSCrypt etc. Can you be so kind as to tell me how to pull the logs that are useful. Everything is at /var/log?

Alright, in case you don't solve the issue you may want to take a look at unbound

DNSCrypt does not require changes in '/etc/rc.local' or somewhere but '/etc/config/dnscrypt-proxy'.

Copy logs to file 'logread > /tmp/logread', copy file '/tmp/logread' to PC, carefully check for sensitive data in it and paste here.
Also content of '/etc/openwrt_release'.

changing DNS resolvers fixed it. Logs showed the resolver I was using was the problem. The certificates were no longer available or something.

@AmbientSummer
In the DNScrypt wiki, it says to set the sleep 10 function as I posted in my previous email. A previous problem I had was that DNSCrypt would fail to start without the sleep 10. Nothing has changed with this right? If DNScrypt fails to start after boot, this is the correct approach to fix it, right?

1 Like

Guys, does current DNSCrypt support two resolvers yet?

Is there any reason why I shouldn't activate

vi /etc/config/dnscrypt-proxy
config dnscrypt-proxy ns2

If you need help post logs.

Time problem probably. Or try another resolver. Cisco and yandex resolvers used in commercial products and very stable.[quote="okji, post:9, topic:4364"]
DNScrypt wiki
[/quote]
Openwrt wiki is obsolete.

Yes.

Yes it may not start due to network not being ready, but you can probably get away with less than 10 seconds. This will change frequently, I used to bake it into my build via a wget so I always had the current file, but would still get caught out when a provider abilites changed. cisco is consistent but no DNSSEC, so depends on your use case.

logread | grep dnscrypt

To enable the second nameserver (ns2), all I do is uncomment the second resolver at vi /etc/config/dnscrypt-proxy and then if ns1 fails, the change over will automatically occur? Or are there any other settings I need to configure? [Is the OpenWRT wiki still valid on this?]

I am also setting up dnscrypt in my router and if OP will not be against i will ask here for help.

I think i have setup correctly.
At first it was not working and then i changed resolver name in /etc/config/dnscrypt-proxy file to "cisco"

logread | grep dnscrypt reads this.
http://www.picz.ge/img/s3/1706/15/f/f6c023eabb1c.jpg

In my laptop i have static ip and i wrote in dns settings my routers ip address 10.0.0.1 and everything is working fine. Is this correct way to do this?
Also i have one question how can i force DHCP users to resolve dns queries with dnscrypt?

And one question if i uncomment this line "# option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'" will it use that file too?

You need configure dnsmasq to use second instance of dnscrypt. Something like this:

/etc/config/dhcp

config dnsmasq
        ...
        option noresolv '1'
        list server '127.0.0.1#29170'
        list server '127.0.0.1#29171'
        list server '127.0.0.1#29172'
        list server '/pool.ntp.org/77.88.8.8'
        list server '/pool.ntp.org/8.8.8.8'
        list server '/pool.ntp.org/2a02:6b8:0:1::feed:0ff'
        list server '/pool.ntp.org/2001:4860:4860::8844'
        ...

/etc/config/dnscrypt-proxy

config dnscrypt-proxy 'ns1'
        option address '127.0.0.1'
        option port '29170'
        option resolver 'yandex'
config dnscrypt-proxy 'ns2'
        option address '127.0.0.1'
        option port '29171'
        option resolver 'cisco'
config dnscrypt-proxy 'ns3'
        option address '127.0.0.1'
        option port '29172'
        option resolver 'cisco-ipv6'
1 Like

@anon20279570
follow this write-up I did and dnscrypt will work for you.

Alternatively, you can also consult this wiki: http://wiki.openwrt.org/inbox/dnscrypt?s[]=dnscrypt

Install & Configure DNSCrypt

  • install the dnscrypt-proxy package

    opkg update
    opkg install dnscrypt-proxy

  • configure proxy settings [select which resolvers (e.g., cisco) you want from here: https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv]

    vi /etc/config/dnscrypt-proxy

    config dnscrypt-proxy ns1
    option address '127.0.0.1'
    option port '5353'
    option resolver 'cisco'

    config dnscrypt-proxy ns2
    option address '127.0.0.1'
    option port '5454'
    option resolver '<2nd resolver here>'

    config dnscrypt-proxy ns3
    option address '127.0.0.1'
    option port '5555'
    option resolver '<3rd resolver here>'

  • create /etc/resolv-crypt.conf with a single line: options timeout:1

    vi /etc/resolv-crypt.conf

write "options timeout:1" without the quotes and save

  • slow dnscrypt startup so that it does not start before the network interface

    vi /etc/rc.local

add following TWO LINES above the line "exit 0"

sleep 4
/etc/init.d/dnscrypt-proxy start
  • edit dnsmasq so dnscrypt can get the time and resolve ns2

    vi /etc/config/dhcp
    under "config dnsmasq" add the following to the end of the list

    option resolvfile '/etc/resolv-crypt.conf'
    list server '127.0.0.1#5353'
    list server '127.0.0.1#5454'
    list server '/pool.ntp.org/208.67.222.222'

  • enable DNSCrypt for auto-boot

    /etc/init.d/dnscrypt-proxy enable

reboot router for changes to take effect

  • troubleshooting
    check if dnscrypt-proxy is set up and running

    logread | grep -n "using nameserver"

you should see following after entering above command

390:Wed Jun 14 19:45:45 2017 daemon.info dnsmasq[1991]: using nameserver 208.67.222.222#53 for domain pool.ntp.org 
391:Wed Jun 14 19:45:45 2017 daemon.info dnsmasq[1991]: using nameserver 127.0.0.1#5454
392:Wed Jun 14 19:45:45 2017 daemon.info dnsmasq[1991]: using nameserver 127.0.0.1#5353

verify that dnscrypt is proxying

logread | grep "Proxying from"

you should see following after running above command

Wed Jun 14 19:45:45 2017 daemon.notice dnscrypt-proxy[2005]: dnscrypt-proxy Proxying from 127.0.0.1:5353 to <DNS IP address here>
Wed Jun 14 19:45:45 2017 daemon.notice dnscrypt-proxy[2006]: dnscrypt-proxy Proxying from 127.0.0.1:5454 to <DNS IP address here>

conduct a DNS Randomness test
https://www.grc.com/dns/dns.htm
https://www.dns-oarc.net/oarc/services/dnsentropy/

see if your DNS Resolver resolves DNSSEC signatures
http://dnssec.vs.uni-due.de/

4 Likes

Dnscrypt works for me.

I have configured evrything as you said.

I just want to know how do you use it on your computer? I configured mine with static ip address and in dns settings i wrote my routers ip 10.0.0.1. I do not know if this is correct way to do this, but PC is resolving hostnames so i think it's working.

But what about DHCP clients? How can i force them to use dnscrypt?

on linux, you can comment out entries in the dhclient.conf to ensure that a client is requesting from your local router (the router is acting as the DNS server). On Windows you have to edit something as well but I forget the exact details. I don't use Windows anymore.

go into your dhclient.conf and if there are entries like below, comment them out on your client machine.

sudo nano /etc/dhcp/dhclient.conf

comment out "prepend domain-name-servers 127.0.0.1;"
comment out "prepend domain-name-servers -DNS IP addresses here-"

To change your IP, in LEDE, edit the relevant field here:

vi /etc/config/network

There is no such line in my /etc/dhcp/dhclient.conf

The are only these lines

option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;

send host-name = gethostname();
request subnet-mask, broadcast-address, time-offset, routers,
domain-name, domain-name-servers, domain-search, host-name,
dhcp6.name-servers, dhcp6.domain-search, dhcp6.fqdn, dhcp6.sntp-servers,
netbios-name-servers, netbios-scope, interface-mtu,
rfc3442-classless-static-routes, ntp-servers;
timeout 300

follow this write-up I did and dnscrypt will work for you.


1. It appears that you omitted an instruction:

In /etc/config/dnscrypt-proxy
you must uncomment: option resolvers_list
or else when you query: logread | grep "Proxying from"
you only get:

Jul 1 12:00:00 openwrt daemon.info dnscrypt-proxy[1831]: Proxying from 127.0.0.1:5353 to 208.67.220.220:443
(i.e. OpenDNS is your resolver instead of the preferred one)

reference: https://forum.openwrt.org/viewtopic.php?pid=351471


2. The server names must be present in the local resolvers list. However, the local list at present does not match the internet list and some of the servers are not found:

"I sent pull request with updated resolvers list. d0wn servers should work after update. You always can update resolvers manually by executing:"

wget 'https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv' -O /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv

reference: https://forum.openwrt.org/viewtopic.php?pid=342500#p342500

Then LEDE says: "SSL support not available, please install one of the libustream-ssl-* libraries as well as the ca-bundle and ca-certificates packages."

(--Sigh... why all of this not automated with GUI like Tomato?)


3 . When I run the command: logread | grep dnscrypt
It reports that cisco (and various others) are insecure for various reasons (logging & lack of DNSCRYPT support, key rotation period may exceed recommended value, etc.)

Question:
--Is there a comparison chart which would show all of the relevant features of the various servers?


4 . Regarding the test for signatures at: http://dnssec.vs.uni-due.de
Some servers which pass this test are failing the GRC signature test at:

https://www.grc.com/dns/dns.htm
with the error:
"Extra Anti-Spoofing: unknown (Unable to obtain server fingerprint.)"

Question:
--Is the GRC test broken?


5 . The GRC spoofability test also says:
Alphabetic Case: all lower (An improvement could be created by mixing case.)

Question:
--How would you remedy this?


6 . Is it correct that DNScrypt server failures would fail over to OpenDNS with this configuration?


7 . add these to lines to stop devices on your network like android phones using hard coded dns servers.
iptables -t nat -I PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -I PREROUTING -i br-lan -p tcp --dport 53 -j REDIRECT --to-port 53

https://forum.openwrt.org/viewtopic.php?pid=351461#p351461


related threads (for general reference):




https://forum.openwrt.org/viewtopic.php?pid=342500#p342500
https://forum.openwrt.org/viewtopic.php?pid=351461#p351461
https://www.leowkahman.com/2016/05/23/openwrt-encrypted-dns-lookup-using-multiple-dnscrypt-servers/
https://wiki.openwrt.org/inbox/dnscrypt

thank you both for yours posts :slight_smile:

Adding the ntp servers in dnsmasq made it not work.NTP servers were set as DNS forwarders in Luci>Network>DHCP and DNS>DNS Forwarding, but didn't appear in Luci>System>NTP servers; is this to be expected?

To remove DNS leaks from ISP one needs to use the command
uci network.wan.dns='x.x.x.x'
and
vi /etc/network/config
wan interface
option peerdns '0'
priority.. well kinda: