Just wanted to share my experience with setting up DNSCrypt (a.k.a. "
dnscrypt-proxy" in LEDE) in case anyone has similar questions/problems along the way.
By default, LEDE is configured to use "
fvz-anyone" server, but because it does not have a valid certificate, the syslog is flooded with the following messages of DNSCrypt trying to refetch a valid certificate:
Wed Feb 7 22:01:24 2018 daemon.err dnscrypt-proxy: dnscrypt-proxy Unable to retrieve server certificates Wed Feb 7 22:01:25 2018 daemon.info dnscrypt-proxy: dnscrypt-proxy Refetching server certificates
An easy fix is to switch to another server (e.g. "
cisco"), but depending on your location, "
cisco" might not be the fastest choice. And since you want DNS requests to be resolved quickly, you need to measure which servers provide you with the best options. A quick search on the internet showed that we're in luck - Christian Hermann (https://github.com/bitbeans) had posted a nice little tool to measure connections to all the DNS severs in the DNSCrypt's csv-file and report them back with all the metrics: https://github.com/bitbeans/dnscrypt-measurement
Not only it reports the fastest servers first, it also provides all important metrics for those servers, so you can pick what you're comfortable with:
NoLogs, DNSSEC, Valid Certificate
The only downside of this nifty utility is that you need Windows machine to run it.
For me, the "Anatomical DNS, NoLogs: True, DNSSEC: True, Certificate Valid: True" was the best choice.
Another problem that stumbled upon was DNSCrypt refusing to start due to the low entropy of the router. It would print the following message in the syslog:
This system doesn't provide enough entropy to quickly generate high-quality random numbers Installing the rng-utils/rng-tools or haveged packages may help. On virtualized Linux environments, also consider using virtio-rng. The service will not start until enough entropy has been collected.
A simple way to check your machine's entropy is by getting the number from "
/proc/sys/kernel/random/entropy_avail" with "cat". Mine was at around 350, so I had install "
opkg install rng-tools # Configure rngd with the watermark of 1000: uci set system.@rngd.fill_watermark=1000 uci set system.@rngd.enabled=1 uci commit service rngd enable service rngd start
The above configuration change will be reflected at the "
/etc/config/system" file. Once started, you can see it run:
lede > ps w | grep rng 9340 root 984 S /sbin/rngd -f -r /dev/urandom -W 1000
Hope this helps someone.