First, because it is not necessary: dnsmasq knows for what local domains it responds (look at the logs at boot). Second, there was no DNS-leak. Thirdly, the common file adb_list.overall is just loaded through the dnscrypt-proxy.toml from the /tmp folder:
First, because it is not necessary: dnsmasq knows for what local domains it responds (look at the logs at boot).
You're correct - it knows about 7 local domains: one configured in domain option in /etc/config/dhcp and 6 others coming from https://github.com/openwrt/openwrt/blob/master/package/network/services/dnsmasq/files/rfc6761.conf. Its default configuration is not aware that queries for some "*.arpa" names belong to local network only and should not be forwarded to external DNS server. So, making changes to /etc/dnsmasq.conf is important.
Second, there was no DNS-leak.
The reason why you did not experience leaks was because your configuration has the following options set, which was not mentioned in the old wiki:
# Ignore ISP's DNS:
option noresolv '1'
# Change /etc/resolv.conf to direct local router processes to use local dnsmasq:
option localuse '1'
Thirdly, the common file adb_list.overall is just loaded through the dnscrypt-proxy.toml from the /tmp folder
While there is nothing wrong with using /tmp/adb_list.overall file as the blacklist for DNSCrypt, it confuses people here who are trying to help you.
The point of this thread is to get a proper and safe configuration for DNSCrypt. If you have any suggestions on how to make it better and proper, please share them.
Yes, it does look like a loop between dnsmasq and dnscrypt. You must re-check your configuration and make sure that:
dnsmasq does not send requests about local network to dnscrypt - this is done through /etc/dnsmasq.conf changes described on the wiki
dnscrypt ignores requests about local network - this is done through blacklist.txt (instead of the forwarding-rules.txt that was listed in the old wiki)
make sure that blacklist.txt is placed in the same folder as dnscrypt-proxy.toml, so it gets picked up
you're using OpenWRT 18.06.2+ - this is needed for localuse option of dnsmasq
The 10.* + 192.168.* network layout should not matter. And QoS is also unrelated.
blacklist.txt (same folder as dnscrypt-proxy.toml, dnscrypt-proxy). Running on a USB stick.
I use -config dnscrypt-proxy.toml. Using full path always.
I don't use cloaking, forward or whitelist.
Hello,
I tried this howto a couple of times, it does not work in my hands.
As stated by @windhere, a problem is with the 'option noresolv' setting:
with
option noresolv 0
cat /etc/resolv.conf
search lan
nameserver 127.0.0.1
However, also with 'option noresolv 0' the DNS servers as listed by www.dnsleaktest.com are all from the ISP. By contrast this: DNSSEC Resolver Test (http://dnssec.vs.uni-due.de/): "Yes, your DNS resolver validates DNSSEC signatures"
I have configured all several times, including prior complete reset to factory setting in order to avoid any interference with customised changes in configuration files.
Here is the dnsmasq section of my /etc/config/dhcp
cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
#option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option serversfile '/tmp/adb_list.overall'
# Ignore ISP's DNS:
option noresolv '1'
# Change /etc/resolv.conf to direct local router processes to use local dnsmasq:
option localuse '1'
list server '127.0.0.53'
The firewall was modified by copy/paste exactly as above. The CA-bundle is installed, same for blacklist.txt.
Also bizarre is:
dnscrypt-proxy -list
[2019-06-27 11:22:01] [FATAL] Unable to load the configuration file [dnscrypt-proxy.toml] -- Maybe use the -config command-line switch?
ls -l /etc/config/
....
-rw-r--r-- 1 root root 16242 Jun 27 11:38 dnscrypt-proxy.toml
it seems that the conf file is not used?! (verified it is toml and not tom1)
You're using OpenWRT 18.06.2 or newer. That's needed for the option localuse to work properly. The following command returns "8" on 18.06.2 build: grep -c localuse /etc/init.d/dnsmasq
I have not tried 18.06.3 yet, so let me know if you're using that.
Verify that DNSCrypt is configured properly by pointing it to the configuration file: dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -check
and dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -list
Check that DNSCrypt is listening on 127.0.0.53:53 TCP/UDP:
> logread | grep dnscrypt | grep listening
Mon Jun 24 08:03:15 2019 daemon.notice dnscrypt-proxy[8288]: Now listening to 127.0.0.53:53 [UDP]
Mon Jun 24 08:03:15 2019 daemon.notice dnscrypt-proxy[8288]: Now listening to 127.0.0.53:53 [TCP]
Check that dnsmasq is using the proper server "127.0.0.53#53":
> logread | grep 'dnsmasq.*using nameserver'
Mon Jun 24 08:02:45 2019 daemon.info dnsmasq[8256]: using nameserver 127.0.0.53#53
Confirm that the auto-file points to the ISP-box, but the resolv.conf points to 127.0.0.1:
> cat /tmp/resolv.conf.auto
# Interface wan
nameserver 192.168.1.1
search router.home
> cat /tmp/resolv.conf
search lan
nameserver 127.0.0.1
Since resolv.conf file is only used by the processes on your OpenWRT machine (a.k.a. the router), all other clients are going to use whatever DHCP server instructs them to use. If you have a Windows client that uses the router as the DHCP server, check that it gets configured with "DNS Server" pointing to your router's IP - ipconfig /all
And verify that the router provides name resolutions for the Windows client: nslookup abc.com (it should print router's IP in the "Server Address")
This is important, because clicking on URL http://www.dnsleaktest.com/ happens on the Windows machine and router's firewall should redirect external DNS requests to DNSCrypt.
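The checks in the reply above (DNSCrypt listening on 127.0.0.53:53 for UDP and TCP, dnsmasq forwarding only to 127.0.0.53#53, noresolv and localuse set, /tmp/resolv.conf pointing at 127.0.0.1) as shell functions. This is an added example, not code from the thread or the wiki; the log, dhcp-config and resolv.conf texts are constructed samples modelled on the lines quoted above, and on a real router you would pass `"$(logread)"`, `"$(cat /etc/config/dhcp)"` and `"$(cat /tmp/resolv.conf)"` to `check_all` instead.

```shell
#!/bin/sh
# Added example, not from the thread: the checks from the post above as shell
# functions, run here against constructed sample text so they can be tried
# offline. On the router feed them real data instead:
#   check_all "$(logread)" "$(cat /etc/config/dhcp)" "$(cat /tmp/resolv.conf)"

# Constructed sample of logread output (modelled on the lines quoted in the thread).
SAMPLE_LOG=$(cat <<'EOF'
Mon Jun 24 08:02:45 2019 daemon.info dnsmasq[8256]: using nameserver 127.0.0.53#53
Mon Jun 24 08:03:15 2019 daemon.notice dnscrypt-proxy[8288]: Now listening to 127.0.0.53:53 [UDP]
Mon Jun 24 08:03:15 2019 daemon.notice dnscrypt-proxy[8288]: Now listening to 127.0.0.53:53 [TCP]
EOF
)

# Constructed sample of the dnsmasq section of /etc/config/dhcp.
SAMPLE_DHCP=$(cat <<'EOF'
config dnsmasq
	option noresolv '1'
	option localuse '1'
	list server '127.0.0.53'
EOF
)

# Constructed sample of /tmp/resolv.conf after localuse has taken effect.
SAMPLE_RESOLV=$(cat <<'EOF'
search lan
nameserver 127.0.0.1
EOF
)

# dnscrypt-proxy must announce both a UDP and a TCP listener on 127.0.0.53:53.
dnscrypt_listening() {
    printf '%s\n' "$1" | grep dnscrypt-proxy | grep -qF 'Now listening to 127.0.0.53:53 [UDP]' &&
    printf '%s\n' "$1" | grep dnscrypt-proxy | grep -qF 'Now listening to 127.0.0.53:53 [TCP]'
}

# dnsmasq must forward to 127.0.0.53#53 and to nothing else; any other
# "using nameserver" line means some queries can still bypass DNSCrypt.
dnsmasq_upstream_ok() {
    servers=$(printf '%s\n' "$1" \
        | sed -n 's/.*dnsmasq\[[0-9]*]: using nameserver \([^ ]*\).*/\1/p' | sort -u)
    [ "$servers" = "127.0.0.53#53" ]
}

# An "option NAME 'VALUE'" line ($2, $3) must be present in the config text ($1).
dhcp_option_is() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*option $2 '$3'"
}

# Router-local processes must resolve through local dnsmasq only (127.0.0.1).
resolv_conf_ok() {
    ns=$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }' | sort -u)
    [ "$ns" = "127.0.0.1" ]
}

# Runs every check, prints one PASS/FAIL line each, returns non-zero if any failed.
check_all() {
    log=$1; dhcp=$2; resolv=$3; rc=0
    report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; rc=1; fi; }
    report dnscrypt_listening "$log"
    report dnsmasq_upstream_ok "$log"
    report dhcp_option_is "$dhcp" noresolv 1
    report dhcp_option_is "$dhcp" localuse 1
    report resolv_conf_ok "$resolv"
    return $rc
}

check_all "$SAMPLE_LOG" "$SAMPLE_DHCP" "$SAMPLE_RESOLV"
```

`dnsmasq_upstream_ok` deliberately fails when dnsmasq reports more than one upstream, because a second "using nameserver" entry (the ISP resolver from resolv.conf.auto, for instance) is exactly what produces the leak the thread is about.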
Same error upon both commands (show only one here):
dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -check
[2019-06-30 13:50:01] [FATAL] Near line 259 (last key parsed 'ipv4_servers'): Key 'ipv4_servers' has already been defined.
Dead silence. No output at all.
Plenty of matching lines
This is the output with "option noresolv '1'" in /etc/config/dhcp. No name resolution, i.e. can't call any website by its name.
> **cat /tmp/resolv.conf.auto**
# Interface wan
nameserver 217.0.43.113
nameserver 217.0.43.97
> **cat /tmp/resolv.conf**
search lan
nameserver 127.0.0.1
The setting of option noresolv to either 0 or 1 in /etc/config/dhcp appears to me as the main issue. It corresponds to @wind's evidence back in Feb 2018. But without further commenting on it, it seems to be no issue to him any longer. However, as far as I can understand, there were no changes on dnsmasq since.
Apparently, the dnsmasq had been updated after 18.06.2 release and that's where the handling of localuse option was fixed. So, please definitely have it updated:
opkg update; opkg upgrade dnsmasq
or just install all updates and restart the router:
But that's not the only problem in your environment. When your DNSCrypt runs configuration checks, it exits with fatal error. You must fix its configuration and make sure that it starts up fine and listens on 127.0.0.53:53 TCP/UDP.
The remaining puzzling thing is what exactly your dnsmasq is using for the server, since it should not be able to connect to the absent DNSCrypt, but you also said that the log shows many messages that it uses it. Is "127.0.0.53#53" really what your dnsmasq is using?
> logread | grep 'dnsmasq.*using nameserver'
Mon Jun 24 08:02:45 2019 daemon.info dnsmasq[8256]: using nameserver 127.0.0.53#53
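The fatal error quoted earlier ("Key 'ipv4_servers' has already been defined") is dnscrypt-proxy's TOML parser refusing a key that appears twice in the same table, which typically happens when a block of the example file is pasted a second time. The following is an added example, not code from the thread or from the dnscrypt-proxy project: a small awk-based checker that lists such duplicates before the daemon is restarted. The TOML fragment it runs on is constructed; on the router you would run `toml_dup_keys < /etc/config/dnscrypt-proxy.toml`.

```shell
#!/bin/sh
# Added example, not from the thread or the dnscrypt-proxy project: reports keys
# that are set more than once inside the same TOML table, the condition behind
# dnscrypt-proxy's "Key '...' has already been defined" fatal error.
# Usage on the router:   toml_dup_keys < /etc/config/dnscrypt-proxy.toml

# Reads TOML on stdin, prints "table.key" for every duplicate; exit status 1 if any.
toml_dup_keys() {
    awk '
        { sub(/#.*/, "") }                    # drop comments (assumes no "#" inside quoted values)
        /^[[:space:]]*\[\[/ {                 # [[array.of.tables]]: each header is a new instance
            t = $0; gsub(/\[|\]|[[:space:]]/, "", t)
            table = t "[" (++inst[t]) "]"; next
        }
        /^[[:space:]]*\[/ {                   # [table] header
            t = $0; gsub(/\[|\]|[[:space:]]/, "", t)
            table = t; next
        }
        /^[[:space:]]*[A-Za-z0-9_.-]+[[:space:]]*=/ {   # bare "key = value" line
            k = $0; sub(/[[:space:]]*=.*/, "", k); sub(/^[[:space:]]*/, "", k)
            full = (table == "") ? k : table "." k
            if (seen[full]++) dups[full] = 1
        }
        END { n = 0; for (d in dups) { print d; n++ }; exit (n > 0) }
    '
}

# Constructed fragment: ipv4_servers is set twice at top level, which must be
# reported; the repeated [[static]] headers are separate instances and must not be.
SAMPLE_TOML=$(cat <<'EOF'
listen_addresses = ['127.0.0.53:53']
ipv4_servers = true
ipv6_servers = false
ipv4_servers = true   # pasted a second time: this is the fatal duplicate
[sources]
  [sources.'public-resolvers']
  urls = ['https://example.invalid/public-resolvers.md']
[[static]]
stamp = 'sdns://placeholder-one'
[[static]]
stamp = 'sdns://placeholder-two'
EOF
)

if printf '%s\n' "$SAMPLE_TOML" | toml_dup_keys; then
    echo "no duplicate keys"
else
    echo "duplicate keys found (listed above); fix them before restarting dnscrypt-proxy"
fi
```

The checker only looks at bare keys at the start of a line, which is all the stock dnscrypt-proxy.toml uses; quoted keys or inline tables are left alone rather than guessed at.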
I am wondering whether this is a matter of the cpu architecture. I spent several hours to find out whether my router is MIPS, ARM, something different?
cat /proc/cpuinfo
processor : 0
model name : ARMv7 Processor rev 5 (v7l)
BogoMIPS : 108.75
Features : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part : 0xc07
CPU revision : 5
SoC is a Qualcomm Atheros IPQ4018, the device is described here.
From the releases page I selected '-linux-arm-' and installed it. I tested also '-freebsd-armv7-' and '-linux-mips-2.0-', which did not work for different reasons.
@oscar, you picked the right CPU architecture and that's why "dnsmasq -check" runs fine and that's the important point to now check your configuration:
1. Make sure that the configuration file "/etc/config/dnscrypt-proxy.toml" has the syslog option enabled (since it's off by default), so you can see the output of the daemon in the syslog and figure out its health:
use_syslog = true
2. Restart the daemon and make sure that the process was started with proper config file:
/etc/init.d/dnscrypt-proxy restart; ps w | grep dnscrypt
3. the output of "ps" should look like this: "/usr/sbin/dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -child"
Hello @wind
'1.' & '2.' are as described. syslog = true is already set in the example file
'3.' does not return the "-child" whatever. The entire output is:
/etc/init.d/dnscrypt-proxy restart; ps w | grep dnscrypt
11899 root 783m R /usr/sbin/dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml
11900 root 1164 R /bin/sh /etc/rc.common /etc/init.d/dnscrypt-proxy running
11905 root 1064 S grep dnscrypt
The trigger for no-DNS-servers-at-all/ISP-DNS-servers is the noresolv option in /etc/config/dhcp. '0' will block all DNS resolutions.
Hmmm ... I guess the "-child" option is used by the process to switch credentials from root to the user configured in user_name option. You're probably not using it.
So, we need to make DNSCrypt to produce some output information about its progress/status. So, do this for now:
Stop the daemon: /etc/init.d/dnscrypt-proxy stop
Comment out syslog option from the toml-file
Run DNSCrypt on the command line to see its output: /usr/sbin/dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -loglevel 3 (change the logging level higher if you need to. "2" is the default)
UPDATE: initially I got the error message, but today I reinstalled the whole system, recovered the configurations from backup, and then did the check again, this time it seems to almost work!
/usr/sbin/dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -loglevel 2
[2019-07-06 13:55:35] [NOTICE] Network connectivity detected
[2019-07-06 13:55:35] [NOTICE] Source [public-resolvers.md] loaded
[2019-07-06 13:55:35] [NOTICE] dnscrypt-proxy 2.0.25
[2019-07-06 13:55:35] [NOTICE] Loading the set of blocking rules from [blacklist.txt]
[2019-07-06 13:55:35] [NOTICE] Now listening to 127.0.0.53:53 [UDP]
[2019-07-06 13:55:35] [NOTICE] Now listening to 127.0.0.53:53 [TCP]
[2019-07-06 13:55:36] [NOTICE] [cloudflare] OK (DoH) - rtt: 15ms
......followed by dozens of servers.....
[2019-07-06 13:56:10] [NOTICE] Sorted latencies:
yeah.....
[2019-07-06 13:56:10] [NOTICE] dnscrypt-proxy is ready - live servers: 67
^C[2019-07-06 14:01:29] [NOTICE] Stopped.
And then finally, started dnscrypt-proxy, tested it as per Wiki and tadam, everything but the DNSSEC resolver test was fine (No, your DNS resolver does NOT validate DNSSEC signatures)
Whatever I made wrong, I kept all modified files from the beginning, a typo can therefore be excluded.
Initial reply, obsolete...
/usr/sbin/dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -loglevel 2
[2019-07-05 21:07:26] [NOTICE] Network connectivity detected
[2019-07-05 21:07:26] [NOTICE] Source [public-resolvers.md] loaded
[2019-07-05 21:07:26] [NOTICE] dnscrypt-proxy 2.0.25
[2019-07-05 21:07:26] [NOTICE] Loading the set of blocking rules from [blacklist.txt]
[2019-07-05 21:07:26] [FATAL] listen udp 127.0.0.1:53: bind: address already in use
No idea what the last line means, but it does not sound too good....
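The last line of that obsolete run, "listen udp 127.0.0.1:53: bind: address already in use", means dnscrypt-proxy was configured to listen on 127.0.0.1:53 and that socket was already owned by another process. On OpenWrt that process is dnsmasq, which binds port 53 on 127.0.0.1 and on the LAN address; 127.0.0.53:53, the address the wiki configuration and the later successful run use, is a separate loopback address that nothing else binds. The following is an added example, not code from the thread: it reads listen_addresses from a toml fragment and compares it with what already listens on that port. The netstat text and the LAN IP 192.168.1.1 are constructed samples; on the router you would pass `"$(netstat -lnp)"` and `"$(cat /etc/config/dnscrypt-proxy.toml)"`.

```shell
#!/bin/sh
# Added example, not from the thread: checks dnscrypt-proxy's listen_addresses
# against sockets that are already bound, the cause of "bind: address already in
# use". The netstat output and LAN IP below are constructed samples; on the
# router use "$(netstat -lnp)" and the real toml file instead.

SAMPLE_NETSTAT=$(cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      8256/dnsmasq
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN      8256/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           8256/dnsmasq
udp        0      0 192.168.1.1:53          0.0.0.0:*                           8256/dnsmasq
EOF
)

BAD_TOML="listen_addresses = ['127.0.0.1:53']"     # what the failing run was using
GOOD_TOML="listen_addresses = ['127.0.0.53:53']"   # what the wiki configuration uses

# Prints each entry of listen_addresses from TOML text ($1), one per line.
toml_listen_addresses() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*listen_addresses[[:space:]]*=//p' \
      | sed "s/#.*//; s/^[[:space:]]*\[//; s/][[:space:]]*\$//; s/[',\"]/ /g" \
      | tr ' ' '\n' | sed '/^$/d'
}

# Prints "proto local-address program" for every socket on port $2 in netstat text $1.
port_owners() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 ~ /^(tcp|udp)/ {
            n = split($4, a, ":")
            if (a[n] != port) next
            addr = substr($4, 1, length($4) - length(a[n]) - 1)   # strip ":port"
            print $1, addr, $NF
        }'
}

# Prints one line per listen_addresses entry that an existing socket already covers
# (same address, or a wildcard bind on 0.0.0.0 / ::).
listen_conflicts() {
    toml_listen_addresses "$2" | while IFS= read -r want; do
        port=${want##*:}; host=${want%:*}
        host=${host#\[}; host=${host%\]}                 # [::1]:53 -> ::1
        port_owners "$1" "$port" | while read -r proto addr prog; do
            case $prog in */dnscrypt-proxy) continue ;; esac   # an old instance of ourselves
            if [ "$addr" = "$host" ] || [ "$addr" = "0.0.0.0" ] || [ "$addr" = "::" ]; then
                echo "$proto $want is already bound by $prog"
            fi
        done
    done
}

show() {
    out=$(listen_conflicts "$SAMPLE_NETSTAT" "$1")
    if [ -n "$out" ]; then echo "$out"; else echo "OK: $1 does not clash with an existing listener"; fi
}
show "$BAD_TOML"
show "$GOOD_TOML"
```

The same check is worth running before any change to listen_addresses, because a second dnscrypt-proxy instance that is still running (the `-child` process from a previous start) will produce the identical error even when the address itself is free.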