How to properly configure dnsmasq for DNSCrypt v2 to prevent leaks to ISP

First, because it is not necessary: dnsmasq knows for what local domains it responds (look at the logs at boot). Second, there was no DNS leak. Thirdly, the common file adb_list.overall is just loaded through the dnscrypt-proxy.toml from the /tmp folder:

blacklist_file = '/tmp/adb_list.overall'

Let's break it down:

> First, because it is not necessary: dnsmasq knows for what local domains it responds (look at the logs at boot).

You're correct - it knows about 7 local domains: one configured in the domain option in /etc/config/dhcp and 6 others coming from https://github.com/openwrt/openwrt/blob/master/package/network/services/dnsmasq/files/rfc6761.conf. Its default configuration is not aware that queries for some "*.arpa" names belong to the local network only and should not be forwarded to an external DNS server. So, making changes to /etc/dnsmasq.conf is important.

> Second, there was no DNS leak.

The reason why you did not experience leaks was because your configuration has the following options set, which were not mentioned in the old wiki:

    # Ignore ISP's DNS:
    option noresolv '1'
    # Change /etc/resolv.conf to direct local router processes to use local dnsmasq:
    option localuse '1'

> Thirdly, the common file adb_list.overall is just loaded through the dnscrypt-proxy.toml from the /tmp folder

You seem to be trying to mix the configuration for OpenWRT's Adblock (which generates and uses the file /tmp/adb_list.overall) with the blacklist generator for DNSCrypt v2 (which suggests using the /etc/config/blacklist.txt file and having it generated through the provided Python script: https://github.com/jedisct1/dnscrypt-proxy/blob/master/utils/generate-domains-blacklists/domains-blacklist-all.conf).

While there is nothing wrong with using the /tmp/adb_list.overall file as the blacklist for DNSCrypt, it confuses the people here who are trying to help you.

The point of this thread is to get a proper and safe configuration for DNSCrypt. If you have any suggestions on how to make it better and proper, please share them.

Hey guys!
I'm still having a loop. >.<

I did everything, except for some peculiarities of my LAN:
10.0.0.1/255.255.255.224
192.168.1.2:1 Modem<->Router (to dsl modem get ntp)
QoS

I followed: https://github.com/jedisct1/dnscrypt-proxy/wiki/Installation-on-OpenWRT
Updated from this post.

Look:

https://pastebin.com/ksEWNfKd

Some hint?
Many thanks!

Yes, it does look like a loop between dnsmasq and dnscrypt. You must re-check your configuration and make sure that:

  • dnsmasq does not send requests about the local network to dnscrypt - this is done through the /etc/dnsmasq.conf changes described on the wiki
  • dnscrypt ignores requests about the local network - this is done through blacklist.txt (instead of the forwarding-rules.txt that was listed in the old wiki)
  • make sure that blacklist.txt is placed in the same folder as dnscrypt-proxy.toml, so it gets picked up
  • you're using OpenWRT 18.06.2+ - this is needed for localuse option of dnsmasq

The 10.* + 192.168.* network layout should not matter. And QoS is also unrelated.

Hey!
dnsmasq.conf

dhcp-option=252,"\n"
server=/lan/
server=/internal/
server=/intranet/
server=/private/
server=/workgroup/
server=/10.in-addr.arpa/
server=/16.172.in-addr.arpa/
server=/168.192.in-addr.arpa/
server=/254.169.in-addr.arpa/
server=/d.f.ip6.arpa/

blacklist.txt (same folder as dnscrypt-proxy.toml and dnscrypt-proxy). Running from a USB stick.
I use -config dnscrypt-proxy.toml, always with the full path.
I don't use cloaking, forwarding or a whitelist.

Command:

dnscrypt-proxy -config dnscrypt-proxy.toml

Config file passes -check.

I removed all my custom firewall rules.

blacklist.txt

*.test
*.onion
*.localhost
*.local
*.invalid
*.bind
*.lan
*.internal
*.intranet
*.private
*.workgroup

*.10.in-addr.arpa
*.16.172.in-addr.arpa
*.168.192.in-addr.arpa
*.254.169.in-addr.arpa
*.d.f.ip6.arpa

dhcp:

       option localservice '1'
       list addnhosts '/plugin_root/adblock/block.hosts'

       option noresolv '1'
       option localuse '1'
       list server '127.0.0.53'

resolv.conf

search lan
nameserver 127.0.0.1

Many Thanks!
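
The two files posted above are the pair that the earlier checklist asks to keep in step: every domain that dnsmasq keeps local must also be blocked in dnscrypt-proxy's blacklist.txt, or the name has only dnsmasq's own rule between it and the upstream resolver. The script below is an added example, not from this thread or either project: it reads a constructed dnsmasq.conf and blacklist.txt that mirror the posted ones, treats only `server=/X/` lines with nothing after the closing slash as local (a line such as the constructed `server=/example.com/192.0.2.1` names an upstream and is skipped), and reports each local domain that has no matching `*.X` line in the blacklist. The `internal` entry is deliberately left out of the constructed blacklist so the check has something to report.

```shell
#!/bin/sh
# Added example (not from the thread): make sure no local domain can bounce
# between dnsmasq and dnscrypt-proxy. A domain dnsmasq answers itself must also
# be listed as "*.domain" in dnscrypt-proxy's blacklist.txt.

# Constructed dnsmasq.conf fragment, mirroring the one posted in the thread.
# The last line has an upstream address and is therefore NOT a local domain.
DNSMASQ_CONF="$(cat <<'EOF'
dhcp-option=252,"\n"
server=/lan/
server=/internal/
server=/10.in-addr.arpa/
server=/168.192.in-addr.arpa/
server=/d.f.ip6.arpa/
server=/example.com/192.0.2.1
EOF
)"

# Constructed blacklist.txt: "internal" is deliberately missing.
BLACKLIST="$(cat <<'EOF'
*.lan
*.10.in-addr.arpa
*.168.192.in-addr.arpa
*.d.f.ip6.arpa
EOF
)"

# local_domains CONF: print the domains dnsmasq answers locally and never
# forwards, i.e. "server=/X/" with nothing after the final slash.
local_domains() {
    printf '%s\n' "$1" | sed -n 's|^server=/\([^/]*\)/$|\1|p'
}

# missing_in_blacklist CONF BLACKLIST: print each local domain that has no
# exact "*.X" line in the dnscrypt-proxy blacklist.
missing_in_blacklist() {
    local_domains "$1" | while read -r dom; do
        printf '%s\n' "$2" | grep -qxF -- "*.$dom" || echo "$dom"
    done
}

missing="$(missing_in_blacklist "$DNSMASQ_CONF" "$BLACKLIST")"
if [ -n "$missing" ]; then
    echo "local domains not blocked in dnscrypt-proxy (loop risk):"
    echo "$missing"
else
    echo "every local domain dnsmasq keeps is blocked in dnscrypt-proxy"
fi
```

On a router the two heredocs would be replaced by `cat /etc/dnsmasq.conf` and `cat /etc/config/blacklist.txt` (or wherever the toml's blacklist_file points); the functions themselves only need busybox `sed` and `grep`.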

Hello,
I tried this howto a couple of times, it does not work in my hands.
As stated by @wind here, a problem is with the 'option noresolv' setting:
with

option noresolv 1
cat /etc/resolv.conf
# Interface wan
nameserver 217.0.43.113
nameserver 217.0.43.97

ISP DNS servers. Changing the option I get:

option noresolv 0
cat /etc/resolv.conf
search lan
nameserver 127.0.0.1

However, also with 'option noresolv 0' the DNS servers listed by www.dnsleaktest.com are all from the ISP. By contrast, the DNSSEC Resolver Test (http://dnssec.vs.uni-due.de/) says: "Yes, your DNS resolver validates DNSSEC signatures"

I have configured everything several times, including a prior complete reset to factory settings in order to avoid any interference from customised changes in configuration files.

Here is the dnsmasq section of my /etc/config/dhcp

cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
#option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option serversfile '/tmp/adb_list.overall'
# Ignore ISP's DNS:
option noresolv '1'
# Change /etc/resolv.conf to direct local router processes to use local dnsmasq:
option localuse '1'
list server '127.0.0.53'

The firewall was modified by copy/paste exactly as above. The CA-bundle is installed, same for blacklist.txt.

Also bizarre is:

dnscrypt-proxy -list
[2019-06-27 11:22:01] [FATAL] Unable to load the configuration file [dnscrypt-proxy.toml] -- Maybe use the -config command-line switch?
ls -l /etc/config/
....
-rw-r--r-- 1 root root 16242 Jun 27 11:38 dnscrypt-proxy.toml

It seems that the conf file is not used?! (verified it is toml and not tom1)

cat /etc/init.d/dnscrypt-proxy |grep CONFIG
CONFIGFILE=/etc/config/dnscrypt-proxy.toml
procd_set_param command "$PROG" -config "$CONFIGFILE"
procd_set_param file "$CONFIGFILE

I don't understand this. Hope someone can advise?

Cheers
Oscar

@oscar, please check the following:

  1. You're using OpenWRT 18.06.2 or newer. That's needed for the option localuse to work properly. The following command returns "8" on 18.06.2 build: grep -c localuse /etc/init.d/dnsmasq
    I have not tried 18.06.3 yet, so let me know if you're using that.
  2. Verify that DNSCrypt is configured properly by pointing it to the configuration file:
    dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -check
    and dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -list
  3. Check that DNSCrypt is listening on 127.0.0.53:53 TCP/UDP:
    > logread | grep dnscrypt | grep listening
    Mon Jun 24 08:03:15 2019 daemon.notice dnscrypt-proxy[8288]: Now listening to 127.0.0.53:53 [UDP]
    Mon Jun 24 08:03:15 2019 daemon.notice dnscrypt-proxy[8288]: Now listening to 127.0.0.53:53 [TCP]
    
  4. Check that dnsmasq is using the proper server "127.0.0.53#53":
    > logread | grep 'dnsmasq.*using nameserver'
    Mon Jun 24 08:02:45 2019 daemon.info dnsmasq[8256]: using nameserver 127.0.0.53#53
    
  5. Confirm that the auto-file points to the ISP-box, but the resolv.conf points to 127.0.0.1:
    > cat /tmp/resolv.conf.auto
    # Interface wan
    nameserver 192.168.1.1
    search router.home
    > cat /tmp/resolv.conf
    search lan
    nameserver 127.0.0.1
    
  6. Since the resolv.conf file is only used by the processes on your OpenWRT machine (a.k.a. the router), all other clients are going to use whatever the DHCP server instructs them to use. If you have a Windows client that uses the router as the DHCP server, check that it gets configured with "DNS Server" pointing to your router's IP - ipconfig /all
    And verify that the router provides name resolution for the Windows client: nslookup abc.com (it should print the router's IP in the "Server Address")
    This is important, because clicking on the URL http://www.dnsleaktest.com/ happens on the Windows machine, and the router's firewall should redirect external DNS requests to DNSCrypt.

cat /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='18.06.2'
DISTRIB_REVISION='r7676-cddd7b4c77'
DISTRIB_TARGET='ipq40xx/generic'
DISTRIB_ARCH='arm_cortex-a7_neon-vfpv4'
DISTRIB_DESCRIPTION='OpenWrt 18.06.2 r7676-cddd7b4c77'
DISTRIB_TAINTS=''

Unfortunately not:

grep -c localuse /etc/init.d/dnsmasq
0

Same error upon both commands (show only one here):

dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -check
[2019-06-30 13:50:01] [FATAL] Near line 259 (last key parsed 'ipv4_servers'): Key 'ipv4_servers' has already been defined.

Dead silence :cry:. No output at all

Plenty of matching lines

This is the output with "option noresolv '1'" in /etc/config/dhcp. No name resolution, i.e. I can't reach any website by its name.

cat /tmp/resolv.conf.auto
# Interface wan
nameserver 217.0.43.113
nameserver 217.0.43.97

cat /tmp/resolv.conf
search lan
nameserver 127.0.0.1

This is the output with "option noresolv '0'" in /etc/config/dhcp. Name resolution is up again, i.e. I can reach www.internet.com

cat /tmp/resolv.conf.auto
# Interface wan
nameserver 217.0.43.113
nameserver 217.0.43.97

cat /tmp/resolv.conf
search lan
nameserver 127.0.0.1

The setting of option noresolv to either 0 or 1 in /etc/config/dhcp appears to me to be the main issue. It corresponds to @wind's evidence back in Feb 2018. But without further commenting on it, it seems to be no issue for him any longer. However, as far as I can understand, there have been no changes to dnsmasq since.

Puzzling....

Apparently, dnsmasq was updated after the 18.06.2 release and that's where the handling of the localuse option was fixed. So, please definitely have it updated:

opkg update; opkg upgrade dnsmasq

or just install all updates and restart the router:

opkg update; opkg list-upgradable | cut -d' ' -f1 | xargs --no-run-if-empty opkg upgrade

But that's not the only problem in your environment. When your DNSCrypt runs its configuration check, it exits with a fatal error. You must fix its configuration and make sure that it starts up fine and listens on 127.0.0.53:53 TCP/UDP.

dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -check

The remaining puzzling thing is what exactly your dnsmasq is using as the server, since it should not be able to connect to the absent DNSCrypt, but you also said that the log shows many messages that it uses it. Is "127.0.0.53#53" really what your dnsmasq is using?

> logread | grep 'dnsmasq.*using nameserver'
Mon Jun 24 08:02:45 2019 daemon.info dnsmasq[8256]: using nameserver 127.0.0.53#53

First of all, thank you very much for helping me on this matter.

So I did an update of dnsmasq from v2.80-1.2 to v2.80-1.4, rebooted the entire system and ran the checks:

  1. name resolution does not work, neither on router nor client PC

dnscrypt-proxy -resolve google.com
Resolving [google.com]
Domain exists: probably not, or blocked by the proxy
Canonical name: -
IP addresses: -
TXT records: -

  2. dnscrypt configuration check with no errors.

dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -check
[2019-07-04 07:03:01] [NOTICE] Network connectivity detected
[2019-07-04 07:03:01] [NOTICE] Source [public-resolvers.md] loaded
[2019-07-04 07:03:01] [NOTICE] Configuration successfully checked

  3. localuse is recognised now

grep -c localuse /etc/init.d/dnsmasq
8

  4. dnsmasq is using the proper server:

logread | grep 'dnsmasq.*using nameserver'
Thu Jul 4 09:08:08 2019 daemon.info dnsmasq[20021]: using nameserver 127.0.0.53#53

  5. :woozy_face: DNScrypt is NOT listening to anything

logread | grep dnscrypt | grep listening
niente, nada, rien, nothing, nichts, nic, ingenting

  6. the /tmp/resolv.conf.auto file points to ISP name servers, while /tmp/resolv.conf and /etc/resolv.conf have the (identical) desired content

cat /etc/resolv.conf
search lan
nameserver 127.0.0.1

My interpretation is that dnscrypt-proxy is not running, or not using the modified toml file in /etc/config?

Cheers

I am wondering whether this is a matter of the CPU architecture. I spent several hours trying to find out whether my router is MIPS, ARM, or something different:

cat /proc/cpuinfo 
processor       : 0
model name      : ARMv7 Processor rev 5 (v7l)
BogoMIPS        : 108.75
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm 
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xc07
CPU revision    : 5

SoC is a Qualcomm Atheros IPQ4018, the device is described here.

From the releases page I selected '-linux-arm-' and installed it. I tested also '-freebsd-armv7-' and '-linux-mips-2.0-', which did not work for different reasons.

@oscar, you picked the right CPU architecture and that's why "dnsmasq -check" runs fine, so the important thing now is to check your configuration:

  1. Make sure that /etc/init.d/dnscrypt-proxy file looks like this: https://raw.githubusercontent.com/etam/DNS-over-HTTPS-for-OpenWRT/master/dnscrypt-proxy, so it properly passes the configuration file "/etc/config/dnscrypt-proxy.toml" to the daemon.
  2. Make sure that the configuration file "/etc/config/dnscrypt-proxy.toml" has the syslog option enabled (since it's off by default), so you can see the output of the daemon in the syslog and figure out its health:
    use_syslog = true
    
  3. Restart the daemon and make sure that the process was started with proper config file:
    /etc/init.d/dnscrypt-proxy restart; ps w | grep dnscrypt
    
    the output of "ps" should look like this: "/usr/sbin/dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -child"

Hello @wind
'1.' & '2.' are as described. syslog = true is already set in the example file
'3.' does not return the "-child" whatever. The entire output is:

/etc/init.d/dnscrypt-proxy restart; ps w | grep dnscrypt
11899 root      783m R    /usr/sbin/dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml
11900 root      1164 R    /bin/sh /etc/rc.common /etc/init.d/dnscrypt-proxy running
11905 root      1064 S    grep dnscrypt

The trigger for no-DNS-servers-at-all/ISP-DNS-servers is the noresolv option in /etc/config/dhcp. '0' will block all DNS resolutions.

You may have seen my alternative approach, which also failed. I remain interested in getting dnscrypt-proxy running.

Hmmm ... I guess the "-child" option is used by the process to switch credentials from root to the user configured in user_name option. You're probably not using it.

So, we need to make DNSCrypt produce some output about its progress/status. Do this for now:

  1. Stop the daemon: /etc/init.d/dnscrypt-proxy stop
  2. Comment out syslog option from the toml-file
  3. Run DNSCrypt on the command line to see its output: /usr/sbin/dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -loglevel 3 (change the logging level higher if you need to. "2" is the default)

UPDATE: initially I got the error message, but today I reinstalled the whole system, recovered the configurations from backup, and then did the check again, and this time it seems to almost work!

/usr/sbin/dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -loglevel 2
[2019-07-06 13:55:35] [NOTICE] Network connectivity detected
[2019-07-06 13:55:35] [NOTICE] Source [public-resolvers.md] loaded
[2019-07-06 13:55:35] [NOTICE] dnscrypt-proxy 2.0.25
[2019-07-06 13:55:35] [NOTICE] Loading the set of blocking rules from [blacklist.txt]
[2019-07-06 13:55:35] [NOTICE] Now listening to 127.0.0.53:53 [UDP]
[2019-07-06 13:55:35] [NOTICE] Now listening to 127.0.0.53:53 [TCP]
[2019-07-06 13:55:36] [NOTICE] [cloudflare] OK (DoH) - rtt: 15ms
......followed by dozens of servers.....
[2019-07-06 13:56:10] [NOTICE] Sorted latencies:
yeah.....
[2019-07-06 13:56:10] [NOTICE] dnscrypt-proxy is ready - live servers: 67
^C[2019-07-06 14:01:29] [NOTICE] Stopped.

And then finally, I started dnscrypt-proxy, tested it as per the Wiki and tadam, everything except the DNSSEC resolver test is fine (No, your DNS resolver does NOT validate DNSSEC signatures)

Whatever I made wrong, I kept all modified files from the beginning, a typo can therefore be excluded.

Initial reply, obsolete...
/usr/sbin/dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -loglevel 2
[2019-07-05 21:07:26] [NOTICE] Network connectivity detected
[2019-07-05 21:07:26] [NOTICE] Source [public-resolvers.md] loaded
[2019-07-05 21:07:26] [NOTICE] dnscrypt-proxy 2.0.25
[2019-07-05 21:07:26] [NOTICE] Loading the set of blocking rules from [blacklist.txt]
[2019-07-05 21:07:26] [FATAL] listen udp 127.0.0.1:53: bind: address already in use

No idea what the last line means, but it does not sound too good....

That means that something else took the address and port. Run this to find out:

netstat -nap | grep LISTEN

That would probably be dnsmasq. You cannot have both dnscrypt-proxy and dnsmasq using the same address and port. Have your dnscrypt-proxy use

listen_addresses = ['127.0.0.55:5555']

And then configure dnsmasq to forward to

list server '127.0.0.55#5555'

1 Like
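
The "address already in use" failure above and the earlier checklist (dnscrypt-proxy "Now listening to", dnsmasq "using nameserver") are all views of one socket, and they only work when all of them agree. The script below is an added example, not from this thread or either project: it takes a constructed dnscrypt-proxy.toml fragment, a constructed /etc/config/dhcp fragment, constructed logread lines and a constructed `netstat -nap | grep LISTEN` listing (dnsmasq deliberately bound to 0.0.0.0:53, as in the failure above), normalises the `host#port` and `host:port` spellings, and reports any disagreement or any other process already holding the chosen TCP socket. The listener check is IPv4-only and treats a 0.0.0.0 wildcard bind as a conflict with every local address, which is exactly why 127.0.0.1:53 was not free.

```shell
#!/bin/sh
# Added example (not from the thread): one consistency check for the socket
# that joins dnsmasq to dnscrypt-proxy, read from four places that must agree.

# Constructed dnscrypt-proxy.toml fragment.
TOML="$(cat <<'EOF'
listen_addresses = ['127.0.0.55:5555']
use_syslog = true
EOF
)"

# Constructed /etc/config/dhcp fragment (UCI spells the port with '#').
DHCP_CONFIG="$(cat <<'EOF'
config dnsmasq
	option noresolv '1'
	option localuse '1'
	list server '127.0.0.55#5555'
EOF
)"

# Constructed logread lines from both daemons after a restart.
LOGREAD="$(cat <<'EOF'
Sat Jul  6 13:55:35 2019 daemon.notice dnscrypt-proxy[8288]: Now listening to 127.0.0.55:5555 [UDP]
Sat Jul  6 13:55:35 2019 daemon.notice dnscrypt-proxy[8288]: Now listening to 127.0.0.55:5555 [TCP]
Sat Jul  6 13:55:40 2019 daemon.info dnsmasq[8256]: using nameserver 127.0.0.55#5555
EOF
)"

# Constructed "netstat -nap | grep LISTEN" output: dnsmasq owns *:53.
NETSTAT="$(cat <<'EOF'
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1234/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      999/dropbear
EOF
)"

# toml_listen TOML: host:port entries of listen_addresses, one per line.
toml_listen() {
    printf '%s\n' "$1" | sed -n 's/^listen_addresses *= *\[\(.*\)].*/\1/p' \
        | tr -d "' " | tr ',' '\n'
}

# uci_servers CONFIG: "list server 'host#port'" entries, normalised to host:port.
uci_servers() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*list server '\([^']*\)'.*/\1/p" | tr '#' ':'
}

# log_listening LOG: sockets dnscrypt-proxy reported in "Now listening to", deduplicated.
log_listening() {
    printf '%s\n' "$1" | sed -n 's/.*dnscrypt-proxy\[[0-9]*\]: Now listening to \([^ ]*\).*/\1/p' | sort -u
}

# log_upstream LOG: what dnsmasq reported in "using nameserver host#port", as host:port.
log_upstream() {
    printf '%s\n' "$1" | sed -n 's/.*dnsmasq\[[0-9]*\]: using nameserver \([^ ]*\).*/\1/p' | tr '#' ':' | sort -u
}

# socket_owner NETSTAT HOST:PORT: PID/program already listening on that TCP
# port; a 0.0.0.0 wildcard bind conflicts with any IPv4 address (IPv4 only).
socket_owner() {
    host="${2%:*}"; port="${2##*:}"
    printf '%s\n' "$1" | awk -v h="$host" -v p="$port" \
        '$6 == "LISTEN" { split($4, a, ":"); if (a[2] == p && (a[1] == h || a[1] == "0.0.0.0")) print $7 }'
}

# check_plumbing: returns 0 when all four views name one free socket, 1 otherwise.
check_plumbing() {
    want="$(toml_listen "$TOML")"
    ok=0
    [ "$(uci_servers "$DHCP_CONFIG")" = "$want" ] || { echo "dhcp 'list server' differs from listen_addresses"; ok=1; }
    [ "$(log_listening "$LOGREAD")" = "$want" ] || { echo "dnscrypt-proxy did not report listening on $want"; ok=1; }
    [ "$(log_upstream "$LOGREAD")" = "$want" ] || { echo "dnsmasq did not report using nameserver $want"; ok=1; }
    owner="$(socket_owner "$NETSTAT" "$want")"
    [ -z "$owner" ] || { echo "$want is already held by $owner"; ok=1; }
    return $ok
}

if check_plumbing; then
    echo "dnsmasq -> dnscrypt-proxy plumbing on $(toml_listen "$TOML") is consistent"
fi
```

On the router the constructed strings would come from `cat /etc/config/dnscrypt-proxy.toml`, `cat /etc/config/dhcp`, `logread` and `netstat -nap | grep LISTEN`; the UDP side of a clash (the bind error in the log above) does not show up under `LISTEN`, so a UDP check would drop the state filter and read `netstat -nap | grep udp` instead.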

Thank you @wind for your patience and advice.

@fantom-x I shall keep your netstat command in mind for future changes/improvement of my router configuration.

Cheers
Oscar