
Topic: DNSCrypt setup — securing DNS communications


I have trouble building the latest version. I will try to solve the problem soon.

Try this makefile

#
# Copyright (C) 2012 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#

include $(TOPDIR)/rules.mk

# One source tarball yields two packages: dnscrypt-proxy and hostip.
PKG_NAME:=dnscrypt-proxy
PKG_VERSION:=1.3.0
PKG_RELEASE:=1

# The tarball is fetched over plain HTTP, so the pinned MD5 below is the only
# integrity check on the download; update it together with PKG_VERSION.
# (Newer buildroots verify downloads with PKG_HASH / SHA-256 instead of MD5.)
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=http://download.dnscrypt.org/dnscrypt-proxy/
PKG_MD5SUM:=33cc94dd06d23f96b4bac3efd1b20c95

# Stage the upstream `make install` into PKG_INSTALL_DIR, and regenerate the
# autotools output so edits to configure.ac (such as the fenv.h probe patched
# in below) actually take effect.
PKG_INSTALL:=1
PKG_FIXUP:=autoreconf

include $(INCLUDE_DIR)/package.mk

# Metadata shared by both packages; each package adds only its own TITLE.
define Package/dnscrypt-proxy/Default
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=IP Addresses and Names
  URL:=https://github.com/opendns/dnscrypt-proxy
  MAINTAINER:=Black Roland https://forum.openwrt.org/profile.php?id=82621
endef

define Package/dnscrypt-proxy
  $(call Package/dnscrypt-proxy/Default)
  TITLE:=A tool for securing communications between a client and a DNS resolver
endef

define Package/dnscrypt-proxy/description
    The DNSCrypt protocol is very similar to DNSCurve, but focuses on
    securing communications between a client and its first-level resolver.
    While not providing end-to-end security, it protects the local network
    (which is often the weakest link in the chain) against
    man-in-the-middle attacks. It also provides some confidentiality to
    DNS queries.
endef

define Package/hostip
  $(call Package/dnscrypt-proxy/Default)
  TITLE:=A tool for resolving a name to IPv4 or IPv6 addresses
endef

define Package/hostip/description
    Sends a DNS query to a resolver, and prints the IP addresses for the given host name.
endef

# --prefix is the only configure override; everything else is the default.
define Build/Configure
    $(call Build/Configure/Default, \
        --prefix=/usr \
    )
endef

# Handed to the whole source tree (including the bundled libsodium under
# src/libsodium) through MAKE_FLAGS below: gnu99 for the sources, -fPIC so
# the objects can also be linked into shared libraries.
TARGET_CFLAGS += \
    -std=gnu99 \
    -fPIC

MAKE_FLAGS += \
    CFLAGS="$(TARGET_CFLAGS)"

# Daemon binary plus the init script and UCI config shipped from ./files
# alongside this Makefile.
define Package/dnscrypt-proxy/install
    $(INSTALL_DIR) $(1)/usr/sbin
    $(CP) $(PKG_INSTALL_DIR)/usr/sbin/dnscrypt-proxy $(1)/usr/sbin/
    $(INSTALL_DIR) $(1)/etc/init.d
    $(INSTALL_BIN) ./files/dnscrypt-proxy.init $(1)/etc/init.d/dnscrypt-proxy
    $(INSTALL_DIR) $(1)/etc/config
    $(INSTALL_CONF) ./files/dnscrypt-proxy.config $(1)/etc/config/dnscrypt-proxy
endef

# Mark the UCI config as a conffile so local edits survive package upgrades.
define Package/dnscrypt-proxy/conffiles
/etc/config/dnscrypt-proxy
endef

define Package/hostip/install
    $(INSTALL_DIR) $(1)/usr/bin
    $(CP) $(PKG_INSTALL_DIR)/usr/bin/hostip $(1)/usr/bin/
endef

$(eval $(call BuildPackage,dnscrypt-proxy))
$(eval $(call BuildPackage,hostip))

and patch

diff -rupN dnscrypt-proxy-1.3.0-orig/src/libsodium/configure.ac dnscrypt-proxy-1.3.0-new/src/libsodium/configure.ac
--- dnscrypt-proxy-1.3.0-orig/src/libsodium/configure.ac    2013-04-22 23:20:37.000000000 +0300
+++ dnscrypt-proxy-1.3.0-new/src/libsodium/configure.ac    2013-05-17 09:55:08.576406577 +0300
@@ -144,6 +144,21 @@ AS_IF([test -d /usr/local/lib], [
   LDFLAGS="$LDFLAGS -L/usr/local/lib"
 ])
 
+AC_MSG_CHECKING(for access to floating-point rounding mode)
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+  #include <fenv.h>
+  #pragma STDC FENV_ACCESS ON
+]], [[
+  const int previous_rounding_mode = fegetround();
+  fesetround(FE_TONEAREST);
+  fesetround(previous_rounding_mode);
+]])],
+[AC_MSG_RESULT(yes)
+ AC_DEFINE([HAVE_FENV_H], [1], [floating-point rounding mode is accessible])
+],
+[AC_MSG_RESULT(no)])
+
+
 dnl Checks for typedefs, structures, and compiler characteristics.
 
 AC_C_BIGENDIAN(
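Review bot: AC_COMPILE_IFELSE only compiles the probe, so a toolchain that ships fenv.h yet cannot resolve fegetround/fesetround at link time (on several C libraries they live in libm) still gets HAVE_FENV_H defined and the failure merely moves to the link of auth_poly1305_53.c; `AC_LINK_IFELSE([AC_LANG_PROGRAM([[` would make the probe prove what the code relies on. The symbol HAVE_FENV_H is also what a plain `AC_CHECK_HEADERS([fenv.h])` would define, although this check asserts more than header presence, so either the AC_DEFINE description should state that the rounding mode can be read and set, or the symbol should be renamed (for example `HAVE_FENV_ROUNDING`, a constructed name). The `#pragma STDC FENV_ACCESS ON` in the prologue may be silently ignored by compilers that do not implement it, so a "yes" here does not establish that rounding-mode changes are honoured across the MAC computation.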
diff -rupN dnscrypt-proxy-1.3.0-orig/src/libsodium/src/libsodium/crypto_onetimeauth/poly1305/53/auth_poly1305_53.c dnscrypt-proxy-1.3.0-new/src/libsodium/src/libsodium/crypto_onetimeauth/poly1305/53/auth_poly1305_53.c
--- dnscrypt-proxy-1.3.0-orig/src/libsodium/src/libsodium/crypto_onetimeauth/poly1305/53/auth_poly1305_53.c    2013-04-22 20:54:56.000000000 +0300
+++ dnscrypt-proxy-1.3.0-new/src/libsodium/src/libsodium/crypto_onetimeauth/poly1305/53/auth_poly1305_53.c    2013-05-15 12:11:51.774641635 +0300
@@ -3,15 +3,18 @@
 D. J. Bernstein
 Public domain.
 */
-
+#ifdef HAVE_FENV_H
 #include <fenv.h>
+#endif
 #include <stdint.h>
 #include <stdlib.h>
 
 #include "api.h"
 #include "crypto_onetimeauth_poly1305_53.h"
 
+#ifdef HAVE_FENV_H
 #pragma STDC FENV_ACCESS ON
+#endif
 
 typedef uint8_t  uchar;
 typedef int32_t  int32;
@@ -237,12 +240,14 @@ int crypto_onetimeauth(unsigned char *ou
   register uint64 g3;
   register uint64 g4;
 
+#ifdef HAVE_FENV_H
   const int previous_rounding_mode = fegetround();
   if (previous_rounding_mode != FE_TONEAREST) {
       if (fesetround(FE_TONEAREST) != 0) {
           return -1;
       }
   }
+#endif
 
   r00 = *(uchar *) (r + 0);
   constants = (char *) &poly1305_53_constants;
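Review bot: When HAVE_FENV_H is undefined, the rounding-mode check at the top of this hunk is compiled out entirely, so the floating-point Poly1305 arithmetic that follows runs with no verification that the mode is FE_TONEAREST, which the guarded code itself shows it requires; the restore block in the next hunk is removed the same way. The likely consequence of a non-default mode is a wrong tag (legitimate packets rejected) rather than a forgery, but it would be silent, so the fallback deserves a visible statement of the assumption, for example `#endif /* without fenv access, round-to-nearest is assumed, not checked */`. crypto_onetimeauth begins before this hunk.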
@@ -1626,10 +1631,13 @@ nomorebytes:;
   f3 >>= 8;
   *(uchar *) (out + 15) = f3;
 
+#ifdef HAVE_FENV_H
   if (previous_rounding_mode != FE_TONEAREST &&
       fesetround(previous_rounding_mode) != 0) {
       abort();
   }
+#endif
+
   return 0;
 }
 
diff -rupN dnscrypt-proxy-1.3.0-orig/src/libsodium/src/libsodium/sodium/core.c dnscrypt-proxy-1.3.0-new/src/libsodium/src/libsodium/sodium/core.c
--- dnscrypt-proxy-1.3.0-orig/src/libsodium/src/libsodium/sodium/core.c    2013-04-22 22:48:21.000000000 +0300
+++ dnscrypt-proxy-1.3.0-new/src/libsodium/src/libsodium/sodium/core.c    2013-05-13 14:17:24.000000000 +0300
@@ -13,8 +13,10 @@ sodium_init(void)
         return 1;
     }
     initialized = 1;
+#ifdef HAVE_FENV_H
     if (crypto_onetimeauth_pick_best_implementation() == NULL) {
         return -1;
     }
+#endif
     return 0;
 }
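Review bot: Gating crypto_onetimeauth_pick_best_implementation() on HAVE_FENV_H ties implementation selection to an unrelated configure probe, and nothing in core.c says why; the rationale (skipping the startup benchmark, which the accompanying post says is slow on low-end devices) belongs in a comment, e.g. `/* no fenv access: skip the slow startup benchmark and keep the default implementation */`. Whichever implementation is the compiled-in default then runs unbenchmarked on those targets; if that default is the 53 (floating-point) variant, it runs exactly where its rounding-mode guard has been compiled out by the auth_poly1305_53.c hunks, so confirm the default is an integer implementation or document the trade-off. The start of sodium_init is outside the hunk.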

In the patch, selection of the best onetimeauth implementation is disabled and the reference implementation is used. This makes dnscrypt-proxy start much faster on low-end devices.

Does this implement DNSSEC? RFC 4033, RFC 4034, and RFC 4035.

(Last edited by zzz2002 on 22 May 2013, 21:06)

What am I missing if I am still using 1.2.1 and not 1.3.0?

Black Roland wrote:

I have troubles with building latest version. I will try to solve the problem soon.

Here is my variant.

omonar2, thanks for start acceleration patch!

(Last edited by ryzhov_al on 28 May 2013, 10:09)

Any chance of this making it into the official repos? Or at least into http://www.ipkg.be/ ...
Which "one true" version are you guys currently using? The patch at http://patchwork.openwrt.org/patch/2389/ looks quite old. What else is needed? Just a rebase with an updated MD5?
I have no ipkg packaging experience, but I can work out a re-roll for patchwork if I get some help.

Black Roland wrote:

dnscrypt-proxy 1.3.2 beta. sources and ar71xx binaries: https://www.dropbox.com/s/wnl0oj953j76f … t-proxy.7z

Ported from the Entware repo. Thanks omonar2 for the patch; I'll include these changes in the next release.

Thank you very much.
Would you please update dnscrypt-proxy from 1.3.2 to 1.33?

Davidwei wrote:
Black Roland wrote:

dnscrypt-proxy 1.3.2 beta. sources and ar71xx binaries: https://www.dropbox.com/s/wnl0oj953j76f … t-proxy.7z

Ported from Entware repo. Thanks omonar2 for patch, I'll include this changes in next release.

Thank you very much.
would you please udpate dnscrypt-proxy from  1.3.2 to 1.33?

I hope too.

+1, and bonus karma for publishing at ipkg.be smile

New 1.4.0 version.

For ar71xx you can use the opkg repo. Add this to /etc/opkg.conf:

src/gz dnscrypt-proxy http://dl.dropbox.com/u/22711927/Permanently/openwrt/ar71xx/packages

And run:

$ opkg update
$ opkg install dnscrypt-proxy

Added a new configuration option, "resolver" (see NEWS). The default resolver is OpenDNS.

Sources can be found here: https://github.com/black-roland/exOpenW … er/package

Black Roland wrote:

Added new configuration option "resolver" (see NEWS). Default resolver is OpenDNS.


https://github.com/black-roland/exOpenW … proxy.init

start_instance () {
    local section="$1"
    config_get address       "$section" 'address'
    config_get port          "$section" 'port'
    config_get resolver_name "$section" 'resolver_name'


https://github.com/black-roland/exOpenW … oxy.config

config dnscrypt-proxy
    option address  '127.0.0.1'
    option port     '2053'
    option resolver 'opendns'

Looks like a typo in the option name (the init script reads 'resolver_name' while the config file sets 'resolver'), so custom resolvers can never be used, even if you specify the option

-L /usr/share/dnscrypt-resolvers.csv \

(Last edited by dartraiden on 2 May 2014, 23:48)

dartraiden wrote:

looks like a typo in the option name, so custom resolvers can never be used, even if you specify option

Oops. Fixed, thanks for the report. Also added an option for the resolvers list file.

The ar71xx repository has moved to http://exopenwrt.and.in.net/ar71xx/packages (see README). The Dropbox repo is now a mirror. NOTE: if you use iodine, it will now be updated from my repository.

Thank you for the fix. I have updated the Russian page in the wiki according to the latest changes.

I just updated to SVN r40678, and now if I do a make package/symlinks and/or make menuconfig, the process spits out the following error messages:

ERROR: please fix package/feeds/exopenwrt_git/dnscrypt-proxy/Makefile - see logs/package/feeds/exopenwrt_git/dnscrypt-proxy/dump.txt for details

The content of the log file has this message:

Makefile:5: *** missing separator.  Stop.

And an excerpt of the offending Makefile is shown below:

  1 include $(TOPDIR)/rules.mk
  2 
  3 PKG_NAME:=dnscrypt-proxy
  4 PKG_VERSION:=1.4.0
  5 <<<<<<< HEAD
  6 PKG_RELEASE:=2.E
  7 =======
  8 PKG_RELEASE:=3.E
  9 >>>>>>> d6119b588bef3bae510fc400b6f9449ef867d996
 10 
 11 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 12 PKG_SOURCE_URL:=http://download.dnscrypt.org/dnscrypt-proxy
 13 PKG_MD5SUM:=40b5b73f5042330b86084460d7c839c6

Has anyone seen this?

mazilo wrote:

And, an excerpt of the offended Makefile is shown below:

  1 include $(TOPDIR)/rules.mk
  2 
  3 PKG_NAME:=dnscrypt-proxy
  4 PKG_VERSION:=1.4.0
  5 <<<<<<< HEAD
  6 PKG_RELEASE:=2.E
  7 =======
  8 PKG_RELEASE:=3.E
  9 >>>>>>> d6119b588bef3bae510fc400b6f9449ef867d996
 10 
 11 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 12 PKG_SOURCE_URL:=http://download.dnscrypt.org/dnscrypt-proxy
 13 PKG_MD5SUM:=40b5b73f5042330b86084460d7c839c6

Has anyone seen this?

Unmerged commit. Try removing these lines: 5, 6, 7, 9.

Or you can do:

$ cd feeds/exopenwrt_git
$ git checkout -f

Thank you very much for your quick response. After a git checkout -f, the problem went away. However, when I did a git pull, it spat out the following unpleasant messages:

[debian@Debian:/opt/openwrt-svn-trunk 2338%] ~ ( cd feeds/exopenwrt_git ; git pull )
U    package/dnscrypt-proxy/Makefile
U    package/dnscrypt-proxy/files/dnscrypt-proxy.config
U    package/dnscrypt-proxy/files/dnscrypt-proxy.init
Pull is not possible because you have unmerged files.
Please, fix them up in the work tree, and then use 'git add/rm <file>'
as appropriate to mark resolution, or use 'git commit -a'.
[debian@Debian:/opt/openwrt-svn-trunk 2339%] ~
mazilo wrote:

Thank you very much for your quick response. After a git checkout -f, the problem went away. However, when I did a git pull, it spitted out the following unpleasant messages:

You can try recreating the feeds repositories with:

$ ./scripts/feeds clean
$ ./scripts/feeds update -a
$ ./scripts/feeds install -a
Black Roland wrote:
mazilo wrote:

Thank you very much for your quick response. After a git checkout -f, the problem went away. However, when I did a git pull, it spitted out the following unpleasant messages:

You can try recreate feeds repositories with:

$ ./scripts/feeds clean
$ ./scripts/feeds update -a
$ ./scripts/feeds install -a

R U sure?

libsodium updated to version 0.7.0. There are now also two ar71xx repositories: trunk and Attitude Adjustment.

trunk

src/gz exopenwrt http://exopenwrt.and.in.net/trunk/ar71xx/packages/exOpenWrt

Barrier Breaker

src/gz exopenwrt http://exopenwrt.and.in.net/barrier_breaker/ar71xx/packages/exOpenWrt

Attitude Adjustment

src/gz exopenwrt http://exopenwrt.and.in.net/attitude_adjustment/ar71xx/packages

Change accordingly.

Thanks for your great work!
I compiled your code from the git source, then installed the packages on my router (AR9344) running the BB release.
It works well when started from the command line: /etc/init.d/dnscrypt-proxy start.
However, I noticed that it does not start at router boot even though I have enabled it with "/etc/init.d/dnscrypt-proxy enable".

How can I diagnose the problem? By the way, the latest dnscrypt-proxy 1.4.3 and libsodium 1.0.2 have been released with several CVE fixes.

(Last edited by pupie on 28 Jan 2015, 02:36)

pupie wrote:

however, I noticed that it can't be started with router boot up even though i have enable it by:" /etc/init.d/dnscrypt-proxy enable".

how can i diagnostic the problem?

See: https://forum.openwrt.org/viewtopic.php … 50#p262950

Thanks for your timely reply! ;-)
So this can be resolved by editing the source code.

update for dnscrypt-proxy 1.4.3:
openwrt/bb/feeds/exOpenWrt/package/dnscrypt-proxy/Makefile

PKG_NAME:=dnscrypt-proxy
PKG_VERSION:=1.4.3
PKG_RELEASE:=1

PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=http://download.dnscrypt.org/dnscrypt-proxy
PKG_MD5SUM:=2ec9829589c909ad88eb68f6642d18f6

/home/colin/openwrt/bb/feeds/exOpenWrt/package/dnscrypt-proxy/files/dnscrypt-proxy.init

START=99


update for libsodium 1.0.2:
openwrt/bb/feeds/exOpenWrt/package/libsodium/Makefile

PKG_NAME:=libsodium
PKG_VERSION:=1.0.2
PKG_RELEASE:=1

PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://download.dnscrypt.org/libsodium/releases
PKG_MD5SUM:=dc40eb23e293448c6fc908757738003f


If /etc/rc.d/S50dnscrypt-proxy still exists after removing the old packages, just delete it manually and enable dnscrypt-proxy again; a new S99dnscrypt-proxy will be created.


Charles_Brown wrote:
pupie wrote:

however, I noticed that it can't be started with router boot up even though i have enable it by:" /etc/init.d/dnscrypt-proxy enable".

how can i diagnostic the problem?

See: https://forum.openwrt.org/viewtopic.php … 50#p262950

(Last edited by pupie on 28 Jan 2015, 03:32)

Being an OpenWrt newbie, I'd like to make a suggestion for others looking for help, and perhaps as an addition to the DNSCrypt wiki page.

Be sure to set the Time Zone on your device before launching DNSCrypt!

After configuring DNSCrypt according to the wiki, I had a lot of trouble getting DNSCrypt-proxy to start after a warm or cold boot. Changing the init.d START values for sysntpd, dnscrypt-proxy or dnsmasq didn't help; I still had to start DNSCrypt-proxy manually every time. However, the whole issue went away after I set the correct Time Zone (I don't know how I neglected this in the first place). So hopefully this info helps others having similar problems.