1 (edited by Black Roland 2013-01-29 13:49:00)

Topic: DNSCrypt setup — securing DNS communications

OpenDNS, the free DNS provider, offers a new way to protect clients against attacks related to modification and manipulation of DNS traffic — DNSCrypt. The main objective of DNSCrypt is full encryption of the communication channel between the client (you) and server (OpenDNS) — roughly as SSL is used to encrypt HTTP traffic.


Current version: 1.2.1-1 [changelog]


INSTALLATION AND CONFIGURATION
Information about installation (for ar71xx) and configuration can be found on the wiki page: http://wiki.openwrt.org/inbox/dnscrypt

BUILDING FROM SOURCE
Using OpenWrt Buildroot – Installation complete these steps:
Prepare Buildroot

$ mkdir ~/openwrt
$ cd ~/openwrt
$ svn co svn://svn.openwrt.org/openwrt/trunk/
$ cd trunk

Using OpenWrt Feeds add a new source to your feeds.conf:

$ echo "src-git exopenwrt https://github.com/black-roland/exOpenWrt.git" >> feeds.conf

Download and install feeds:

$ ./scripts/feeds update -a
$ ./scripts/feeds install dnscrypt-proxy

Configure target system:

make menuconfig

Select Target System and Target Profile, for example:

Target System (Atheros AR7xxx/AR9xxx)  --->
    (X) Atheros AR7xxx/AR9xxx
Target Profile (TP-LINK TL-MR3220)  --->
    (X) TP-LINK TL-MR3220

Select dnscrypt-proxy and hostip (optionally), exit and save changes:

Network  --->
    IP Addresses and Names  --->
        <*> dnscrypt-proxy
        <*> hostip

Now compile tools and toolchain

$ make tools/install
$ make toolchain/install

Finally compile dnscrypt-proxy package:

$ make V=s package/feeds/exopenwrt/dnscrypt-proxy/{clean,compile}

Compiled dnscrypt-proxy_***_ar71xx.ipk package can be found in ~/openwrt/trunk/bin.


See also
DNSCrypt on wiki
DNS and DHCP configuration
OpenWrt Buildroot – Installation
How to Build a Single Package
OpenWrt Feeds

Links
My OpenWrt repo on GitHub
Introducing DNSCrypt
dnscrypt-proxy project on GitHub
Original Makefile (Thanks to ryzhovau)

Sorry for my poor English

2 (edited by Black Roland 2012-10-16 13:42:24)

Re: DNSCrypt setup — securing DNS communications

-

Sorry for my poor English

Re: DNSCrypt setup — securing DNS communications

I'm using this package and it appears to be working well plus it was easy to install and configure.

Can it be made an "official" OpenWRT package?

Re: DNSCrypt setup — securing DNS communications

Great How-To, but it seems that it has some memory leak, this is what happened after lots of requests: (15k?) (this is my entire kernel log from luci)

Well, for some time I will keep it disabled.

[14074.160000] ath: skbuff alloc of size 1926 failed
[14074.160000] dnscrypt-proxy: page allocation failure: order:0, mode:0x4020
[14074.160000] Call Trace:[<802663e8>] 0x802663e8
[14074.160000] [<802663e8>] 0x802663e8
[14074.160000] [<800ad368>] 0x800ad368
[14074.160000] [<800af668>] 0x800af668
[14074.160000] [<802d0000>] 0x802d0000
[14074.160000] [<800d2e60>] 0x800d2e60
[14074.160000] [<80071ca4>] 0x80071ca4
[14074.160000] [<80267834>] 0x80267834
[14074.160000] [<800721e0>] 0x800721e0
[14074.160000] [<800d4838>] 0x800d4838
[14074.160000] [<801d6c44>] 0x801d6c44
[14074.160000] [<814bc0c0>] 0x814bc0c0
[14074.160000] [<801d6be8>] 0x801d6be8
[14074.160000] [<814bc0c0>] 0x814bc0c0
[14074.160000] [<81fa6d4c>] 0x81fa6d4c
[14074.160000] [<8008e064>] 0x8008e064
[14074.160000] [<8009659c>] 0x8009659c
[14074.160000] [<81fa4318>] 0x81fa4318
[14074.160000] [<80076300>] 0x80076300
[14074.160000] [<80076824>] 0x80076824
[14074.160000] [<80076a30>] 0x80076a30
[14074.160000] [<80089360>] 0x80089360
[14074.160000] [<80076c64>] 0x80076c64
[14074.160000] [<80062d2c>] 0x80062d2c
[14074.160000] 
[14074.160000] Mem-Info:
[14074.160000] Normal per-cpu:
[14074.160000] CPU    0: hi:    0, btch:   1 usd:   0
[14074.160000] active_anon:614 inactive_anon:18 isolated_anon:0
[14074.160000]  active_file:1164 inactive_file:1399 isolated_file:0
[14074.160000]  unevictable:0 dirty:0 writeback:0 unstable:0
[14074.160000]  free:68 slab_reclaimable:371 slab_unreclaimable:2725
[14074.160000]  mapped:473 shmem:56 pagetables:85 bounce:0
[14074.160000] Normal free:272kB min:720kB low:900kB high:1080kB active_anon:2456kB inactive_anon:72kB active_file:4656kB inactive_file:5596kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:32512kB mlocked:0kB dirty:0kB writeback:0kB mapped:1892kB shmem:224kB slab_reclaimable:1484kB slab_unreclaimable:10900kB kernel_stack:368kB pagetables:340kB unstable:0kB bounce:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
[14074.160000] lowmem_reserve[]: 0 0
[14074.160000] Normal: 54*4kB 1*8kB 1*16kB 1*32kB 0*64kB 0*128kB 0*256kB 0*512kB 0*1024kB 0*2048kB 0*4096kB = 272kB
[14074.160000] 2619 total pagecache pages
[14074.160000] 0 pages in swap cache
[14074.160000] Swap cache stats: add 0, delete 0, find 0/0
[14074.160000] Free swap  = 0kB
[14074.160000] Total swap = 0kB
[14074.160000] 8192 pages RAM
[14074.160000] 820 pages reserved
[14074.160000] 2465 pages shared
[14074.160000] 6165 pages non-shared
[14074.160000] SLUB: Unable to allocate memory on node -1 (gfp=0x20)
[14074.160000]   cache: kmalloc-4096, object size: 4096, buffer size: 4096, default order: 3, min order: 0
[14074.160000]   node 0: slabs: 0, objs: 0, free: 0
[14075.520000] eth1: out of memory

System log:

May 19 22:50:09 OpenWrt kern.info kernel: emory on node -1 (gfp=0x20)
May 19 22:50:09 OpenWrt kern.warn kernel: [14073.920000]   cache: kmalloc-4096, object size: 4096, buffer size: 4096, default order: 3, min order: 0
May 19 22:50:09 OpenWrt kern.warn kernel: [14073.920000]   node 0: slabs: 0, objs: 0, free: 0
May 19 22:50:09 OpenWrt kern.err kernel: [14074.160000] ath: skbuff alloc of size 1926 failed
May 19 22:50:09 OpenWrt kern.warn kernel: [14074.160000] dnscrypt-proxy: page allocation failure: order:0, mode:0x4020
May 19 22:50:09 OpenWrt kern.warn kernel: [14074.160000] Call Trace:[<802663e8>] 0x802663e8
May 19 22:50:09 OpenWrt kern.warn kernel: [14074.160000] [<802663e8>] 0x802663e8
May 19 22:50:09 OpenWrt kern.warn kernel: [14074.160000] [<800ad368>] 0x800ad368
May 19 22:50:09 OpenWrt kern.warn kernel: [14074.160000] [<800af668>] 0x800af668
May 19 22:50:09 OpenWrt kern.warn kernel: [14074.160000] [<802d0000>] 0x802d0000
May 19 22:50:09 OpenWrt kern.warn kernel: [14074.160000] [<800d2e60>] 0x800d2e60
May 19 22:50:09 OpenWrt kern.warn kernel: [14074.160000] [<80071ca4>] 0x80071ca4
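
One way to triage a kernel log like the one above without reading every trace, as an added example that is not part of the original post. It counts page allocation failures per process, zone reports where free memory is below the min watermark, and driver skbuff failures; the sample lines are constructed from the messages quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): summarise memory-pressure messages
# in an OpenWrt kernel log (dmesg or syslog format).

# Constructed sample, shortened from the messages quoted in the post above.
sample_klog() {
    cat <<'EOF'
[14074.160000] ath: skbuff alloc of size 1926 failed
[14074.160000] dnscrypt-proxy: page allocation failure: order:0, mode:0x4020
[14074.160000] Normal free:272kB min:720kB low:900kB high:1080kB
May 19 22:50:09 OpenWrt kern.err kernel: [14074.390000] ath: skbuff alloc of size 1926 failed
May 19 22:50:09 OpenWrt kern.warn kernel: [14074.400000] dnscrypt-proxy: page allocation failure: order:0, mode:0x4020
[14074.400000] Normal free:272kB min:720kB low:900kB high:1080kB
[14075.520000] eth1: out of memory
EOF
}

# kmem_triage: kernel log on stdin, summary lines on stdout:
#   alloc_failure <process> <count>
#   below_min <zone> <count>      (zone reports with free < min watermark)
#   skbuff_failures <count>
kmem_triage() {
    awk '
        {
            for (i = 1; i <= NF; i++) {
                # "<comm>: page allocation failure:" works with or without
                # a syslog prefix because it keys on the words, not columns.
                if ($i == "page" && $(i+1) == "allocation" && $(i+2) == "failure:") {
                    p = $(i-1); sub(/:$/, "", p); fail[p]++
                }
                # "<zone> free:NNNkB min:NNNkB" from the Mem-Info report.
                if ($i ~ /^free:[0-9]+kB$/ && $(i+1) ~ /^min:[0-9]+kB$/) {
                    f = $i; m = $(i+1)
                    gsub(/[^0-9]/, "", f); gsub(/[^0-9]/, "", m)
                    if (f + 0 < m + 0) below[$(i-1)]++
                }
            }
        }
        /skbuff alloc of size [0-9]+ failed/ { skb++ }
        END {
            for (p in fail)  print "alloc_failure", p, fail[p]
            for (z in below) print "below_min", z, below[z]
            print "skbuff_failures", skb + 0
        }'
}

sample_klog | kmem_triage
# On the router:  dmesg | kmem_triage     or     logread | kmem_triage
```

The process named in a page allocation failure is the one that was running when the allocation failed, so a high count points at where to look, not at a proven leak.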

5 (edited by Black Roland 2012-05-20 10:13:09)

Re: DNSCrypt setup — securing DNS communications

lagonauta, I also noticed an increase of VSZ after several incorrect certificate requests. I'll try to write a bug report to the author.
How much memory is available on your router (run the free command)?

https://github.com/opendns/dnscrypt-proxy/issues/8

Sorry for my poor English

Re: DNSCrypt setup — securing DNS communications

Black Roland wrote:

lagonauta, I also noticed an increase of VSZ after several incorrect certificate requests. I'll try to write a bug report to the author.
How much memory is available on your router (run the free command)?

https://github.com/opendns/dnscrypt-proxy/issues/8

Here it is: (with dnscrypt disabled)

             total         used         free       shared      buffers
Mem:         29488        26684         2804            0         2160
-/+ buffers:              24524         4964
Swap:            0            0            0

Re: DNSCrypt setup — securing DNS communications

lagonauta, try with the --max-active-requests=64 option. Please test using different values (less than 64).
Sample init script (/etc/init.d/dnscrypt-proxy):

#!/bin/sh /etc/rc.common
# Copyright (C) 2006-2012 OpenWrt.org

START=50

LISTEN_ADDR=127.0.0.1
LISTEN_PORT=2053

start() {
    service_start /usr/sbin/dnscrypt-proxy -d \
        -a $LISTEN_ADDR \
        -P $LISTEN_PORT \
        --max-active-requests=64 \
        -u nobody
}

stop() {
    service_stop /usr/sbin/dnscrypt-proxy
}

On my router after >1000 queries the memory does not increase.

Sorry for my poor English

Re: DNSCrypt setup — securing DNS communications

Thanks, I will test tomorrow :)

But won't this hinder the performance?

Re: DNSCrypt setup — securing DNS communications

lagonauta, insignificantly. If you are the single router user, the performance will not change. For me the benchmark tests are similar.

Sorry for my poor English

10 (edited by ryzhov_al 2012-05-22 07:17:07)

Re: DNSCrypt setup — securing DNS communications

Black Roland wrote:

lagonauta, insignificantly. If you are the single router user, the performance will not change. For me the benchmark tests are similar.

Yes. It does not matter whether we like it or not, it depends on available RAM on a router. Let me quote DNSCrypt's author:

jedisct1 wrote:

Also, by default, dnscrypt accepts and processes up to 250 parallel connections. That can take up to 15 Mb RAM.

If this is way too much for your device, lower this value to something more reasonable (each connection needs 64 Kb) with --max-active-requests=...

PS Glad my package is useful for someone.
PPS Package updated to v0.9.4. Is it better to link it with a nacl library from packages instead of the bundled one? Or may it cause a performance decrease?

The Entware. A modern Optware replacement.
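
The sizing rule quoted above (64 Kb per connection, 250 connections by default) turned into a value for --max-active-requests, as an added example that is not part of the original posts. The 50% budget and the use of MemFree plus Buffers as "available" are assumptions; the sample meminfo is constructed from the numbers lagonauta posted.

```shell
#!/bin/sh
# Added example (not from the thread): size --max-active-requests from free RAM.
# PER_REQUEST_KB and DEFAULT_MAX are the figures quoted from jedisct1 above.
PER_REQUEST_KB=64
DEFAULT_MAX=250

# Constructed /proc/meminfo excerpt using the numbers lagonauta posted
# (2804 kB free, 2160 kB buffers on a 29488 kB router).
sample_meminfo() {
    cat <<'EOF'
MemTotal:          29488 kB
MemFree:            2804 kB
Buffers:            2160 kB
EOF
}

# max_active_requests BUDGET_PERCENT   (meminfo text on stdin)
# Prints how many 64 kB requests fit into BUDGET_PERCENT of MemFree + Buffers,
# never more than the daemon default and never less than 1.
max_active_requests() {
    awk -v pct="$1" -v per="$PER_REQUEST_KB" -v cap="$DEFAULT_MAX" '
        $1 == "MemFree:" || $1 == "Buffers:" { avail += $2 }
        END {
            n = int(avail * pct / 100 / per)
            if (n > cap) n = cap
            if (n < 1)   n = 1
            print n
        }'
}

sample_meminfo | max_active_requests 50
# In start() of the init script on the router:
#   N=$(max_active_requests 50 < /proc/meminfo)
#   service_start /usr/sbin/dnscrypt-proxy -d -a $LISTEN_ADDR -P $LISTEN_PORT \
#       --max-active-requests="$N" -u nobody
```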

11 (edited by lagonauta 2012-05-23 00:07:47)

Re: DNSCrypt setup — securing DNS communications

Here it is like seven router users, hehe. Will test anyway :)

EDIT:

It seems that after some time the process just kills itself o.O
I couldn't find it with the command top, and my browser was resolving the names. But according to OpenDNS website I wasn't using it!

I have nothing on my log about that, it was full of wireless authentications.
Will keep monitoring.

EDIT2:

Just confirmed: it is killing itself and not writing anything on the log.
I am using latest version here, and I compiled it myself.

12 (edited by Black Roland 2012-05-27 10:12:39)

Re: DNSCrypt setup — securing DNS communications

lagonauta, I thought this problem was only for me :) It is a segmentation fault error. I don't know the reason for this, but I'll try to test the latest git version. P.S. The 0.9.3 version works fine: http://bit.ly/LtkQxE

UPD
I think this bug is in libuv, but I don't know how to fix it. The PC version works well.

Sorry for my poor English

13 (edited by ryzhov_al 2012-06-08 14:55:03)

Re: DNSCrypt setup — securing DNS communications

Black Roland, please test last version with my patch.

I suspect it's my fault initially. I turned off -fstack-protector but forgot about -D_FORTIFY_SOURCE=2, and also removed some weird linker flags.

dnscrypt-proxy 0.9.5 was tested for two days under quite heavy load (~8000 DNS names resolved) and there is no sign of a memleak (under Valgrind too). The memory heap rose from 60 to 600Kb and stopped growing at that point.

The Entware. A modern Optware replacement.

Re: DNSCrypt setup — securing DNS communications

ryzhov_al, Without any changes :(
Makefile:

#
# Copyright (C) 2006-2012 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#

include $(TOPDIR)/rules.mk

PKG_NAME:=dnscrypt-proxy
PKG_VERSION:=0.9.5
PKG_RELEASE:=1

PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=https://github.com/opendns/dnscrypt-proxy/downloads
PKG_MD5SUM:=446c3063bcc5af09e94d2d686781592a
PKG_INSTALL:=1

include $(INCLUDE_DIR)/package.mk

define Package/dnscrypt-proxy
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=IP Addresses and Names
  DEPENDS:= +libpthread
  TITLE:=A tool for securing DNS requests
  URL:=http://www.opendns.com/technology/dnscrypt
endef

define Package/dnscrypt-proxy/description
dnscrypt-proxy is a slight variation on DNSCurve.
DNSCurve improves the confidentiality and integrity of DNS requests using
high-speed high-security elliptic-curve cryptography. Best of all, DNSCurve
has very low overhead and adds virtually no latency to queries.
endef

define Package/dnscrypt-proxy/install
    $(INSTALL_DIR) $(1)/usr/sbin
    $(CP) $(PKG_INSTALL_DIR)/usr/sbin/dnscrypt-proxy $(1)/usr/sbin/
    $(INSTALL_DIR) $(1)/etc/init.d
    $(INSTALL_BIN) ./files/dnscrypt-proxy.init $(1)/etc/init.d/dnscrypt-proxy
endef

$(eval $(call BuildPackage,dnscrypt-proxy))

Sorry for my poor English

Re: DNSCrypt setup — securing DNS communications

Black Roland wrote:

Without any changes :(

It crashed in one hour? Leaks and dies?
Please put a line in a cron job for a while:

 $ cat /proc/`pidof dnscrypt-proxy`/smaps | awk 'NR%8==1,NR%8==3' >> /tmp/dnscrypt-memusage.log

We must show to Frank Denis how it leaks (if it really leaks).

The Entware. A modern Optware replacement.
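
A field-based variant of the smaps sampling suggested above, as an added example that is not part of the original post. The cron one-liner selects lines by position, which only works when every mapping has the same number of attribute lines, and that number differs between kernel versions; this version keys on the field names and also reports whether the heap is still growing. The sample smaps text is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): field-based smaps sampling.

# Constructed smaps excerpt; mappings deliberately carry different numbers
# of attribute lines, which breaks position-based (NR%8) selection.
sample_smaps() {
    cat <<'EOF'
00400000-0041c000 r-xp 00000000 1f:02 345        /usr/sbin/dnscrypt-proxy
Size:                112 kB
Rss:                  96 kB
Pss:                  96 kB
0042b000-0042c000 rw-p 0001b000 1f:02 345        /usr/sbin/dnscrypt-proxy
Size:                  4 kB
Rss:                   4 kB
Pss:                   4 kB
Swap:                  0 kB
0085e000-008f4000 rwxp 00000000 00:00 0          [heap]
Size:                600 kB
Rss:                 588 kB
Pss:                 588 kB
77f10000-77f31000 rw-p 00000000 00:00 0
Size:                132 kB
Rss:                   8 kB
EOF
}

# smaps_rss: smaps text on stdin -> "<heap_rss_kb> <total_rss_kb>"
smaps_rss() {
    awk '
        # A mapping header starts with "start-end" in hex; remember its name.
        $1 ~ /^[0-9a-f]+-[0-9a-f]+$/ { region = (NF >= 6) ? $6 : "[anon]"; next }
        $1 == "Rss:" { total += $2; if (region == "[heap]") heap += $2 }
        END { printf "%d %d\n", heap, total }'
}

# heap_trend: one smaps_rss sample per line on stdin.
# Prints "growing" if the last three heap values strictly increase,
# "plateau" otherwise, "insufficient" with fewer than three samples.
heap_trend() {
    awk '
        { h[NR] = $1 + 0 }
        END {
            if (NR < 3) print "insufficient"
            else if (h[NR] > h[NR-1] && h[NR-1] > h[NR-2]) print "growing"
            else print "plateau"
        }'
}

sample_smaps | smaps_rss
# From cron on the router:
#   smaps_rss < /proc/$(pidof dnscrypt-proxy)/smaps >> /tmp/dnscrypt-memusage.log
# Later:
#   heap_trend < /tmp/dnscrypt-memusage.log
```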

Re: DNSCrypt setup — securing DNS communications


English: nothing interesting :)

Sorry for my poor English

17 (edited by ryzhov_al 2012-06-18 13:56:36)

Re: DNSCrypt setup — securing DNS communications

Yes, there is a libuv memory leak fix commit, but it is useless:

- Dnscrypt-proxy 0.9.5 + new libuv (with leak fix) - leaks!
- Dnscrypt-proxy 0.9.5 + old libuv (like in 0.9.3) - leaks!

Now we may drop libuv-driven version because there is libevent-driven version released. We tested it, looks cool:

- no leaks!
- 20% smaller binary size,
- less RAM consumption.

Makefiles here.

The Entware. A modern Optware replacement.

Re: DNSCrypt setup — securing DNS communications

Added latest Git version: 1e7edae (Makefile) (ipk) (Changelog)
Please test with the -u nobody option

Sorry for my poor English

19 (edited by buffl 2012-06-18 19:54:01)

Re: DNSCrypt setup — securing DNS communications

Black Roland wrote:

Added latest Git version: 1e7edae (Makefile) (ipk) (Changelog)
Please test with the -u nobody option

#!/bin/sh /etc/rc.common

START=50

LISTEN_ADDR=127.0.0.1
LISTEN_PORT=2053

start() {
        /usr/sbin/dnscrypt-proxy -d \
                -a $LISTEN_ADDR \
                -P $LISTEN_PORT \
                -n 64
                -u nobody
}

stop() {
        /usr/sbin/dnscrypt-proxy
}

~
~
~
~
root@OpenWrt:/# /etc/init.d/dnscrypt-proxy stop
[INFO] Generating a new key pair
[ERROR] Unable to bind: 127.0.0.1:53 (TCP)
root@OpenWrt:/# /etc/init.d/dnscrypt-proxy start
/etc/rc.common: line 78: -u: not found
root@OpenWrt:/# /etc/init.d/dnscrypt-proxy stop
[INFO] Generating a new key pair
[ERROR] Unable to bind: 127.0.0.1:53 (TCP)
root@OpenWrt:/# /etc/init.d/dnscrypt-proxy start
/etc/rc.common: line 78: -u: not found
root@OpenWrt:/#

Re: DNSCrypt setup — securing DNS communications

buffl wrote:


                -n 64
                -u nobody

You missed the "\" symbol, please try this init-script:

# cat /etc/init.d/dnscrypt-proxy
#!/bin/sh /etc/rc.common
# Copyright (C) 2006-2012 OpenWrt.org

START=50

LISTEN_ADDR=127.0.0.1
LISTEN_PORT=2053

start() {
    service_start /usr/sbin/dnscrypt-proxy -d \
        -a $LISTEN_ADDR \
        -P $LISTEN_PORT \
        -n 64 \
        -u nobody
}

stop() {
    service_stop /usr/sbin/dnscrypt-proxy
}

or this command:

# dnscrypt-proxy -P 2053 -u nobody

It is for me:

# dnscrypt-proxy -P 2053 -u nobody
[INFO] Generating a new key pair
[INFO] Stopping proxy
[INFO] TCP listener shut down
Segmentation fault
# dmesg | tail -1
[  110.370000] warning: process `dnscrypt-proxy' used the deprecated sysctl system call with 1.40.6.

Sorry for my poor English

Re: DNSCrypt setup — securing DNS communications

I can't bring up dnscrypt at boot. I noticed these in the system log:
Jun 19 06:21:12 OpenWrt daemon.info dnscrypt-proxy[1172]: Generating a new key pair
Jun 19 06:21:13 OpenWrt daemon.err dnscrypt-proxy[1172]: Unable to bind [127.0.0.1] (TCP)
Full log is here:
http://pastebin.com/bGt1e4Hi

Anyone kind enough to help?

Sorry for my English, too :)

22 (edited by Black Roland 2012-06-19 08:13:49)

Re: DNSCrypt setup — securing DNS communications

axishero, the 0.9.3 version with the standard init.d/dnscrypt-proxy script? I think port 2053 is already in use (# netstat -a -n to check), or permission is denied.
In /etc/init.d/dnscrypt-proxy try to change LISTEN_PORT to any other port above 1024 (and in /etc/config/dhcp too) or change the dnscrypt-proxy arguments (remove -u nobody):

#!/bin/sh /etc/rc.common
# Copyright (C) 2006-2012 OpenWrt.org

START=50

LISTEN_ADDR=127.0.0.1
LISTEN_PORT=7953

start() {
        service_start /usr/sbin/dnscrypt-proxy -d \
                -a $LISTEN_ADDR \
                -P $LISTEN_PORT \
                -n 64

}

stop() {
        service_stop /usr/sbin/dnscrypt-proxy
}

Sorry for my poor English

Re: DNSCrypt setup — securing DNS communications

Black Roland wrote:

It is for me:
# dnscrypt-proxy -P 2053 -u nobody
[INFO] Generating a new key pair
[INFO] Stopping proxy
[INFO] TCP listener shut down
Segmentation fault
# dmesg | tail -1
[  110.370000] warning: process `dnscrypt-proxy' used the deprecated sysctl system call with 1.40.6.

corrected

root@OpenWrt:/# dnscrypt-proxy -P 2053 -u nobody
[INFO] Generating a new key pair
[ERROR] Unable to bind: 127.0.0.1:2053 (TCP)
root@OpenWrt:/# dmesg | tail -1
ar71xx-wdt: enabling watchdog timer

Re: DNSCrypt setup — securing DNS communications

buffl, It works normally with the error? O_o

buffl wrote:

[ERROR] Unable to bind: 127.0.0.1:2053 (TCP)

Sorry for my poor English

Re: DNSCrypt setup — securing DNS communications

Black Roland wrote:

axishero, the 0.9.3 version with the standard init.d/dnscrypt-proxy script? I think port 2053 is already in use (# netstat -a -n to check), or permission is denied.

I am using the init script from your #1 post.
Dnscrypt can't be brought up at boot. But it can be brought up by ssh-ing in and running '/etc/init.d/dnscrypt-proxy start' after boot. In this case, it's running on a tplink wr1041n, which has only one switch named eth0, divided into eth0.1 and eth0.2 as wan and lan.