In attempting to start my router (on OpenWRT version 23.05) from scratch after altering the dnscrypt-proxy.toml file, I am unable to do anything with the DNScrypt config after conducting the following:
Uninstalled DNSCrypt
Performed a reset
Performed a reboot
Reflashed a factory image
Conducted a hard reset
Nothing has worked to restore access to the .toml file. I've even attempted to "point" the router to the config file and attempted to delete the existing file. The remainder of the OpenWRT image is unchanged and set at factory defaults.
Perhaps I'm doing the "pointing" incorrectly?
Is there a way to start with a fresh config file?
This is my first attempt at OpenWRT programming and I'm at my wits' end here...
When I attempt to vim into the .toml file this way (which is how I was editing the file prior to having issues), I get a mostly blank screen:
vim dnscrypt-proxy.toml
I cannot access this way either:
vim /etc/dnscrypt-proxy2/dnscrypt-proxy.toml
Here are the dnscrypt-proxy logs:
logread -e dnscrypt-proxy; netstat -l -n -p | grep -e dnscrypt-proxy
Fri Dec 22 05:15:44 2023 daemon.err dnscrypt-proxy[5011]: [2023-12-22 05:15:44] [NOTICE] Stopped.
Fri Dec 22 05:15:44 2023 daemon.err dnscrypt-proxy[6161]: [2023-12-22 05:15:44] [NOTICE] dnscrypt-proxy 2.1.5
Fri Dec 22 05:15:45 2023 daemon.err dnscrypt-proxy[6161]: [2023-12-22 05:15:45] [NOTICE] Network connectivity detected
Fri Dec 22 05:15:45 2023 daemon.err dnscrypt-proxy[6161]: [2023-12-22 05:15:45] [NOTICE] Now listening to 127.0.0.53:53 [UDP]
Fri Dec 22 05:15:45 2023 daemon.err dnscrypt-proxy[6161]: [2023-12-22 05:15:45] [NOTICE] Now listening to 127.0.0.53:53 [TCP]
Fri Dec 22 05:15:45 2023 daemon.err dnscrypt-proxy[6161]: [2023-12-22 05:15:45] [NOTICE] Source [public-resolvers] loaded
Fri Dec 22 05:15:45 2023 daemon.err dnscrypt-proxy[6161]: [2023-12-22 05:15:45] [NOTICE] Source [relays] loaded
Fri Dec 22 05:15:45 2023 daemon.err dnscrypt-proxy[6161]: [2023-12-22 05:15:45] [NOTICE] Firefox workaround initialized
Fri Dec 22 05:15:45 2023 daemon.err dnscrypt-proxy[6161]: [2023-12-22 05:15:45] [NOTICE] [cloudflare] OK (DoH) - rtt: 76ms
Fri Dec 22 05:15:46 2023 daemon.err dnscrypt-proxy[6161]: [2023-12-22 05:15:46] [NOTICE] [google] OK (DoH) - rtt: 30ms
Fri Dec 22 05:15:46 2023 daemon.err dnscrypt-proxy[6161]: [2023-12-22 05:15:46] [NOTICE] Sorted latencies:
Fri Dec 22 05:15:46 2023 daemon.err dnscrypt-proxy[6161]: [2023-12-22 05:15:46] [NOTICE] - 30ms google
Fri Dec 22 05:15:46 2023 daemon.err dnscrypt-proxy[6161]: [2023-12-22 05:15:46] [NOTICE] - 76ms cloudflare
Fri Dec 22 05:15:46 2023 daemon.err dnscrypt-proxy[6161]: [2023-12-22 05:15:46] [NOTICE] Server with the lowest initial latency: google (rtt: 30ms)
Fri Dec 22 05:15:46 2023 daemon.err dnscrypt-proxy[6161]: [2023-12-22 05:15:46] [NOTICE] dnscrypt-proxy is ready - live servers: 2
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 6161/dnscrypt-proxy
udp 0 0 127.0.0.53:53 0.0.0.0:* 6161/dnscrypt-proxy
And here is what happens when attempting to check the resolver function:
dnscrypt-proxy -resolve google.com
[2023-12-22 05:16:13] [FATAL] Unable to load the configuration file [dnscrypt-proxy.toml] -- Maybe use the -config command-line switch?
What happens when you do: vim /etc/dnscrypt-proxy2/dnscrypt-proxy.toml
Could you please share the error or screenshot?
When testing the resolver function you must specify your configuration file, or run the command from the directory that contains your configuration file.
root@OpenWrt:~# cd /etc/dnscrypt-proxy2/
root@OpenWrt:/etc/dnscrypt-proxy2# dnscrypt-proxy -resolve google.com
or
root@OpenWrt:~# dnscrypt-proxy -config /etc/dnscrypt-proxy2/dnscrypt-proxy.toml -resolve google.com
And when I run your resolver command prompts I suspect this is because I reset/rebooted the router so DNScrypt files are not present?:
root@OpenWrt:~# ~#
The following connections are open:
#0 client-session (t4 r0 i0/0 o0/0 e[write]/4 fd 4/5/6 sock -1 cc -1)
cd /etc/dnscrypt-proxy2/
-ash: cd: can't cd to /etc/dnscrypt-proxy2/: No such file or directory
root@OpenWrt:~# /etc/dnscrypt-proxy2# dnscrypt-proxy -resolve google.com
-ash: /etc/dnscrypt-proxy2#: not found
root@OpenWrt:~#
root@OpenWrt:~# dnscrypt-proxy -config /etc/dnscrypt-proxy2/dnscrypt-proxy.toml -resolve google.com
-ash: dnscrypt-proxy: not found
The opkg update won't run either, so I cannot reinstall DNScrypt in CLI nor LuCI:
root@OpenWrt:~# opkg update
Downloading https://downloads.openwrt.org/releases/23.05.0/targets/ramips/mt7621/packages/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.0/targets/ramips/mt7621/packages/Packages.gz
Downloading https://downloads.openwrt.org/releases/23.05.0/packages/mipsel_24kc/base/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.0/packages/mipsel_24kc/base/Packages.gz
Downloading https://downloads.openwrt.org/releases/23.05.0/packages/mipsel_24kc/luci/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.0/packages/mipsel_24kc/luci/Packages.gz
Downloading https://downloads.openwrt.org/releases/23.05.0/packages/mipsel_24kc/packages/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.0/packages/mipsel_24kc/packages/Packages.gz
Downloading https://downloads.openwrt.org/releases/23.05.0/packages/mipsel_24kc/routing/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.0/packages/mipsel_24kc/routing/Packages.gz
Downloading https://downloads.openwrt.org/releases/23.05.0/packages/mipsel_24kc/telephony/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.0/packages/mipsel_24kc/telephony/Packages.gz
Collected errors:
* opkg_download: Failed to download https://downloads.openwrt.org/releases/23.05.0/targets/ramips/mt7621/packages/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
* opkg_download: Failed to download https://downloads.openwrt.org/releases/23.05.0/packages/mipsel_24kc/base/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
* opkg_download: Failed to download https://downloads.openwrt.org/releases/23.05.0/packages/mipsel_24kc/luci/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
* opkg_download: Failed to download https://downloads.openwrt.org/releases/23.05.0/packages/mipsel_24kc/packages/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
* opkg_download: Failed to download https://downloads.openwrt.org/releases/23.05.0/packages/mipsel_24kc/routing/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
* opkg_download: Failed to download https://downloads.openwrt.org/releases/23.05.0/packages/mipsel_24kc/telephony/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
Thank you. I think first you will need to get to a known working state on your router before I can help you with dnscrypt-proxy2. Would you please do a fresh install of OpenWrt? Once your router is functioning, please use these commands to install dnscrypt-proxy2:
Once you reach this point your router should be working with dnscrypt-proxy2. There are more tweaks that are good to do, but let's target getting to this point first.
First thing, let's make a backup of your dnscrypt-proxy2.toml file.
cd /etc/dnscrypt-proxy2
cp dnscrypt-proxy.toml dnscrypt-proxy.toml.backup
If you ever need to recover after editing your dnscrypt-proxy.toml file, use this to restore from backup and restart dnscrypt-proxy:
cd /etc/dnscrypt-proxy2
cp dnscrypt-proxy.toml.backup dnscrypt-proxy.toml
/etc/init.d/dnscrypt-proxy restart
After you have backed up your configuration, you can run through the "Recommended tweaks" section at the link I shared above. Take it one step at a time, and if anything stops working, worst case you can revert your dnscrypt-proxy.toml file using the steps above and start new again.
When you have finished applying the "Recommended tweaks" that you want and ensure everything is working properly, you can move on to "Making things go fast" if you wish. Nothing is required in this section if you wish to skip it.
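The backup-and-restore routine from the post above, wrapped into one guarded step, as an added example that is not part of the original thread. It goes one step further than the post by validating an edited copy with dnscrypt-proxy's `-check` switch before it replaces the live file. The config path and init script are the ones used in the thread; `DNSCRYPT_BIN`, `DNSCRYPT_INIT`, the `.new` candidate name and the `apply_config` function are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. The config path and init script are the
# ones used in the thread; DNSCRYPT_BIN, DNSCRYPT_INIT, the ".new" candidate
# name and apply_config itself are assumptions of this sketch.
CONF="${CONF:-/etc/dnscrypt-proxy2/dnscrypt-proxy.toml}"
DNSCRYPT_BIN="${DNSCRYPT_BIN:-dnscrypt-proxy}"
DNSCRYPT_INIT="${DNSCRYPT_INIT:-/etc/init.d/dnscrypt-proxy}"

# Workflow: cp "$CONF" "$CONF.new"; edit "$CONF.new"; then run apply_config.
# The candidate sits beside the live file so relative paths inside it resolve
# the same way. Returns 0 = installed, 1 = rejected or rolled back,
# 2 = a required file is missing or could not be copied.
apply_config() {
    new="$CONF.new"
    [ -f "$CONF" ] || { echo "no live config at $CONF" >&2; return 2; }
    [ -r "$new" ]  || { echo "no candidate at $new" >&2; return 2; }

    # Parse the candidate first: -check loads the configuration and exits
    # without serving queries, so a typo never reaches the running proxy.
    if ! "$DNSCRYPT_BIN" -config "$new" -check >/dev/null 2>&1; then
        echo "rejected: $new failed -check; live config untouched" >&2
        return 1
    fi

    # Preserve the known-good file, then promote the candidate.
    cp -p "$CONF" "$CONF.backup" || return 2
    mv "$new" "$CONF" || return 2

    # If the restart reports failure, restore the backup and restart again.
    if ! "$DNSCRYPT_INIT" restart; then
        echo "restart failed; restoring $CONF.backup" >&2
        cp -p "$CONF.backup" "$CONF"
        "$DNSCRYPT_INIT" restart || true
        return 1
    fi
    return 0
}
```

Source the file on the router and call `apply_config` after editing the `.new` copy; a rejected candidate stays in place as `dnscrypt-proxy.toml.new` so it can be corrected and retried.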
When I input your backup command prompt, I now have a string leading my inputs (/etc/dnscrypt-proxy2# )...is this normal or do I need to do something to revert back to normal CLI input?:
root@OpenWrt:~# cd /etc/dnscrypt-proxy2
root@OpenWrt:/etc/dnscrypt-proxy2# cp dnscrypt-proxy.toml dnscrypt-proxy.toml.backup
root@OpenWrt:/etc/dnscrypt-proxy2#
The command prompt shows you your current directory path. You are currently in the /etc directory and its subdirectory /dnscrypt-proxy2. (/etc/dnscrypt-proxy2)
If you just type cd and press enter, that will take you back to the root directory (in this case represented by ~), or you can just type exit and press enter if you are done to end the session.
You might want to read up a bit on Linux directories and how they work. Here are a couple of links from a quick Internet search. They are not OpenWrt specific but should still be helpful. There is much more out there.
Prevent DNS leaks outside of dnscrypt-proxy and disable dnsmasq cache
Completely disable ISP's DNS servers
You can use dns leak test to ensure only the dns servers specified in your dnscrypt-proxy.toml are being used.
By default, that should be: server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
You should only see these listed in the test and not your ISP's servers. If you want to narrow that down, a split between google and cloudflare is a good common configuration: server_names = ['google','cloudflare']
or you can just pick one provider: server_names = ['cloudflare']
For "Force LAN clients to send DNS queries to dnscrypt-proxy":
The last results you posted, the line: Resolver : 5.255.105.24 (nl.dc-team.com.) is the actual dns server that was used. I don't recognize that provider. You might want to limit dnscrypt-proxy to one dns provider and then test again to ensure they match.
For "Ensure NTP (Network Time Protocol) can work without DNS":
DNSCrypt-proxy requires the correct time to be able to work. If your router retains the time during a power outage, you might not need to do this, but there is no harm doing it anyway.
To test it, power off your router and then power it back on. If you can reach the Internet after that, it is working.
If you get stuck and cannot reach the Internet, you can set the time manually using the date command.
All of that information makes sense to my beginner's brain.
To add some detail to what I'm attempting to accomplish now that I have DNScrypt/DNScrypt-proxy installed:
Install Unbound DNS on the router to self-host my DNS server. This should shield my IP address, since I'm not having to trust a DNS provider/server, as I would be my own server. I believe it would also provide DNSSEC, QNAME minimization, and DNS-over-TLS 1.3.
Install VPN
My research tells me this is the most private way to resolve DNS.
My perceived alternative to that is:
Set the default server as a DNScrypt server (which is why I did the Ensure NTP (Network Time Protocol) can work without DNS option)
Unfortunately, we have reached the end of what I have performed and that I am familiar with. I haven't installed or configured Unbound or VPN on OpenWrt.
DNSCrypt is encrypted, and I believe DNS over TLS (DoT) is a duplication/alternative of/to DNSCrypt.
Anyway, I would suggest starting a new thread for these new items and hopefully someone more experienced with those items can assist you.