OpenWrt Forum Archive

Topic: Help with dnscrypt and dnsmasq please

The content of this topic has been archived on 21 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi, I am trying to use dnscrypt proxy. I have it installed and set up but can't get it to work with dnsmasq. In the wiki for dnscrypt it says you have to change the file at /etc/config/dhcp. From here:
http://wiki.openwrt.org/inbox/dnscrypt
Start snip!
" Assuming you are using dnsmasq, edit the bold lines in /etc/config/dhcp
config dnsmasq
    option domainneeded         1
    option boguspriv            1
    option filterwin2k          0
    option localise_queries     1
    option rebind_protection    1
    option rebind_localhost     1
    option local                '/lan/'
    option domain               'lan'
    option expandhosts          1
    option nonegcache           0
    option authoritative        1
    option readethers           1
    option leasefile            '/tmp/dhcp.leases'
#   option resolvfile           '/tmp/resolv.conf.auto'
    option noresolv             1
    list server                 '127.0.0.1#2053'
    list server                 '/pool.ntp.org/208.67.222.222'
#   list server                 '208.67.222.222'
#   list server                 '208.67.220.220'

We have disabled /tmp/resolv.conf.auto file since it instructs dnsmasq to use your ISP's DNS.

noresolv option also disables /etc/resolv.conf file for similar reason.

127.0.0.1#2053 is the DNSCrypt address.

/pool.ntp.org/208.67.222.222 adds an exception for pool.ntp.org, which will be resolved through the standard unencrypted DNS channel. DNSCrypt requires precise time, otherwise it will not resolve any domain, including pool.ntp.org. So if your device's time was incorrect, it could never update its time, and therefore DNSCrypt would never work. So we set this exception so that pool.ntp.org queries will always bypass DNSCrypt and resolve with the standard unencrypted OpenDNS method.
Reboot router or restart dnsmasq for the changes to take effect. "
End snip!

Now I have tried copying and pasting that dhcp text into /etc/config/dhcp but it stops my router from resolving DNS.

Here is what I have at /etc/config/dhcp to start with:
snip!

config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.auto'
    list addnhosts '/etc/block.hosts'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '6h'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

End snip!
I think it might have something to do with the NTP server; the one I am using is 0.europe.pool.ntp.org, which is at 46.4.24.238 I think.

Can someone help me to get my /etc/config/dhcp correct please?
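
A check of an /etc/config/dhcp file against the points the quoted wiki text makes, as an added example that is not from the wiki or from any poster. It assumes the DNSCrypt listener is 127.0.0.1#2053 as in that text, the function and sample names are made up for illustration, and it goes slightly beyond the text by also flagging any active upstream that is not scoped to a domain:

```shell
#!/bin/sh
# Added example: audit the dnsmasq section of an /etc/config/dhcp file (stdin)
# against the quoted wiki text. Port 2053 and pool.ntp.org come from that text.
audit_dhcp() {
    # One line per finding on stdout; exit status is the number of findings.
    awk -v q="'" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # commented-out options are inactive
    { gsub("[" q "\"]", "") }              # strip UCI quoting; fields re-split
    $1 == "config" { dm = ($2 == "dnsmasq"); next }
    !dm { next }
    $1 == "option" && $2 == "resolvfile" {
        print "LEAK: resolvfile " $3 " is active (ISP resolvers)"; bad++ }
    $1 == "option" && $2 == "noresolv" && $3 == "1" { noresolv = 1 }
    $1 == "list" && $2 == "server" {
        if ($3 == "127.0.0.1#2053") proxy = 1
        else if ($3 ~ /^\/pool\.ntp\.org\//) ntp = 1
        else if ($3 !~ /^\//) {
            print "LEAK: upstream " $3 " may receive queries in plaintext"; bad++ }
    }
    END {
        if (!noresolv) { print "LEAK: noresolv is not 1"; bad++ }
        if (!proxy) { print "MISSING: list server 127.0.0.1#2053"; bad++ }
        if (!ntp) { print "MISSING: plaintext exception for pool.ntp.org"; bad++ }
        exit bad + 0
    }'
}

# Constructed samples: the DNS-relevant lines of the two configs in the post.
sample_original() { cat <<'EOF'
config dnsmasq
    option resolvfile '/tmp/resolv.conf.auto'
    list addnhosts '/etc/block.hosts'
config dhcp 'lan'
    option interface 'lan'
EOF
}
sample_wiki() { cat <<'EOF'
config dnsmasq
#   option resolvfile           '/tmp/resolv.conf.auto'
    option noresolv             1
    list server                 '127.0.0.1#2053'
    list server                 '/pool.ntp.org/208.67.222.222'
#   list server                 '208.67.222.222'
EOF
}
sample_original | audit_dhcp || echo "original config: $? finding(s)"
sample_wiki | audit_dhcp && echo "wiki config: no findings"
```

On the router it would be run as audit_dhcp < /etc/config/dhcp. A clean result only says the file matches the wiki text, not that dnscrypt-proxy is actually listening on that port.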

Bump! Anyone know what I need to do? If it's about layout then please let me know; I am reading this shit with a screen reader as I am blind.

I just finished getting this working on my setup and noticed that I had to manually start the dnscrypt service every time and it did not survive a router reboot even with it being enabled in /etc/rc.d directory (supposedly after config file changes /etc/init.d/dnscrypt-proxy enable should make it work on reboot... which it doesn't appear to on mine). It seems like dnscrypt daemon does not stick when executed before the network interfaces(?) or perhaps dnsmasq comes online. Either way it doesn't stick when done through the standard process. I tried it in rc.local and it was still too soon. I eventually installed the at package, and this is what I put in my /etc/rc.local file:

# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
echo "/etc/init.d/dnscrypt-proxy start" | at now + 1 minutes
exit 0

This seemed to do the trick... although I actually just logged onto the forum to ask if there was a more elegant and reliable way to get it up and running... such as chaining onto the end of interfaces coming up... not sure exactly why it won't start earlier than certain network interface daemons coming up but that seems to be the case... something where you don't have to wait a minute :) or have it fail if network takes longer to come up.

so if you want to get it going how I did you should
opkg update
opkg install at

then change your dhcp to the recommended

then modify rc.local as above

then reboot

Also, you will see dnscrypt-proxy running in ps output if it's going.

hope this helps and hopefully someone has a better solution but for now this works for me...I'm guessing that's what's happening in your situation as well.

Hi thanks for your post.

I am not sure what at is but when I tried to install it I get:
Collected errors:
* opkg_install_cmd: Cannot install package at.
Unknown package 'at'.
Success

Can you please post up what my /etc/config/dhcp should look like please.
I am using opendns for dns and the line that says "    list addnhosts '/etc/block.hosts'" is for a great adblocking script I have running. I will try again but I don't want to be pissing in the wind if my dhcp file is wrong lol thanks Tapper.

Info on my firmware and hardware:
Gargoyle Version: 1.7.X (Built 20150109-0720 git@da35789)
Model: TP-Link TL-WDR3600 v1
OpenWrt revision r43694
Built January 09

My friend said he was able to get it working without the at package but still needed to add it to the rc.local for his dnscrypt
so you need this in your rc.local
/etc/init.d/dnscrypt-proxy start

if that doesn't work then try the at version...did you run the opkg update before you did the opkg install at?  Keep in mind you need your dns in a functional state to do opkg update (as it calls dns servers) so you may need to get your router's dns back to a working functionality first to do that.

The dhcp file (which is a separate issue) when you are ready to tackle dnscrypt again should be

your /etc/config/dhcp should be when trying to get dnscrypt working
config dnsmasq
    option domainneeded         1
    option boguspriv            1
    option filterwin2k          0
    option localise_queries     1
    option rebind_protection    1
    option rebind_localhost     1
    option local                '/lan/'
    option domain               'lan'
    option expandhosts          1
    option nonegcache           0
    option authoritative        1
    option readethers           1
    option leasefile            '/tmp/dhcp.leases'
#   option resolvfile           '/tmp/resolv.conf.auto'
    option noresolv             1
    list server                 '127.0.0.1#2053'
    list server                 '/pool.ntp.org/208.67.222.222'
#   list server                 '208.67.222.222'
#   list server                 '208.67.220.220'
    list addnhosts '/etc/block.hosts'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '6h'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

then reboot or /etc/init.d/dnsmasq restart from the command line. I haven't tried a blocklist with dnscrypt so you may have to test it.

Hi Narfed
thanks for getting back to me and thanks for the dhcp file. I am sad to say I still can't get it to work. I can't find out what the package at is. So I tried to put the line "/etc/init.d/dnscrypt-proxy start" into my rc.local, but when I used the dhcp file that you put up I still can't get it to work. I am about to give up on dnscrypt lol. Do you think it could be my adblock script breaking things? Here is the script I use:
https://gist.github.com/teffalump/7227752
I don't know what else I can try!

Anyone else have any ideas? I need to keep dnscrypt running after a reboot.

You can write a short cron job: test whether dnscrypt runs, and if not, start it.

Hi dziny
I am not good at that stuff lol, could you tell me what to paste into my cron file please.

Narfed wrote:

hope this helps and hopefully someone has a better solution...

A slightly cleaner solution:

1) Edit /etc/init.d/dnscrypt-proxy and change START=50 to START=99
2) Delete or rename /etc/rc.d/S50dnscrypt-proxy to S99dnscrypt-proxy

Narfed wrote:

not sure exactly why it won't start earlier than certain network interface daemons coming up but seems to be the case

At startup and every 60 minutes, it needs to make a WAN connection, so maybe it fails to start if the WAN interface has not yet initialised.

(Last edited by Charles_Brown on 28 Jan 2015, 12:13)
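
One script that covers both the cron check suggested earlier in the thread and Narfed's wish to start the proxy when the interface comes up, as an added example that is not from any poster. The file name 99-dnscrypt, the WAN_IF variable and the function names are made up for illustration, and it assumes the WAN interface is named wan as in the posted /etc/config/dhcp:

```shell
#!/bin/sh
# Added example. Install as /etc/hotplug.d/iface/99-dnscrypt (hypothetical file
# name) so it runs on interface events, and call the same file from cron:
#   */5 * * * * /bin/sh /etc/hotplug.d/iface/99-dnscrypt
# Hotplug sets ACTION and INTERFACE; a cron run sets neither.
INIT=${INIT:-/etc/init.d/dnscrypt-proxy}   # init script named in the thread
WAN_IF=${WAN_IF:-wan}                      # assumed logical WAN interface name

proxy_running() { pidof dnscrypt-proxy >/dev/null 2>&1; }

# Decide what to do for one event; prints start, skip or ok.
decide() {  # $1=ACTION $2=INTERFACE
    case "$1" in
        "")    ;;                                   # cron run: always check
        ifup)  [ "$2" = "$WAN_IF" ] || { echo skip; return; } ;;
        *)     echo skip; return ;;                 # ifdown and other events
    esac
    if proxy_running; then echo ok; else echo start; fi
}

run_event() {
    verdict=$(decide "$1" "$2")
    if [ "$verdict" = start ]; then
        logger -t dnscrypt-watch "dnscrypt-proxy not running, starting (event: ${1:-cron})"
        "$INIT" start
    fi
    echo "$verdict"
}

# Act only where the init script exists; elsewhere this file just defines functions.
if [ -x "$INIT" ]; then run_event "$ACTION" "$INTERFACE" >/dev/null; fi
```

With noresolv set and 127.0.0.1#2053 as the only general upstream, the router resolves nothing except pool.ntp.org while the proxy is down, so the cron run bounds how long such an outage can last.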

The discussion might have continued from here.