OpenWrt Forum Archive

Topic: DNSCrypt setup — securing DNS communications

The content of this topic has been archived between 29 Mar 2018 and 5 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

That's what I did now, but I can't get DNScrypt to work. My clients are not resolving URLs when it is in use.

With the dnscrypt-proxy file below, DNScrypt seems to work when I start it. It shows me that the certificate is valid and the service is running on the specific port.


/etc/init.d/dnscrypt-proxy

#!/bin/sh /etc/rc.common

START=50
USE_PROCD=1
PROG=/usr/sbin/dnscrypt-proxy

# Two dnscrypt-proxy instances, each bound to a loopback port that dnsmasq
# forwards to (see the 'list server' entries in /etc/config/dhcp below).
start_service() {
        dnscrypt-proxy --local-address=127.0.0.1:5353 --resolver-address=82.211.31.248:443 --provider-name=2.dnscrypt-cert.de.d0wn.biz --provider-key=D4A8:6FB5:AA0C:2B6B:8C13:8C29:7F69:F9C8:29C8:E157:F279:6FC7:7366:290F:2A80:0AD2 --daemonize
        dnscrypt-proxy --local-address=127.0.0.1:5354 --resolver-address=185.137.15.105:443 --provider-name=2.dnscrypt-cert.de2.d0wn.biz --provider-key=8C62:691A:A7EA:69D3:8A25:86AA:2715:87F0:9B11:9159:0663:55FC:1CD0:61C5:C863:1940 --daemonize
}

service_triggers() {
        procd_add_reload_trigger 'dnscrypt-proxy'
}

The problem seems to be my dnsmasq config. Could someone help me?

/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option nonwildcard '0'
        option noresolv '1'
        list server '127.0.0.1#5353'
        list server '127.0.0.1#5354'
        list server '/pool.ntp.org/208.67.222.222'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '200'
        option leasetime '12h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

If I add the Google DNS with the following line, my DNS is working again (for sure not with DNScrypt, which is not what I want to achieve):

list server '8.8.8.8'

(Last edited by johndoe on 30 Oct 2016, 07:59)

I sent a pull request with an updated resolvers list. d0wn servers should work after the update. You can always update the resolvers manually by executing:

wget 'https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv' -O /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv
johndoe wrote:

That's what I did now, but I can't get DNScrypt to work. My clients are not resolving URLs when it is in use.

With the dnscrypt-proxy file below, DNScrypt seems to work when I start it. It shows me that the certificate is valid and the service is running on the specific port.

Can you provide `logread` command output?

Also try to restore `/etc/init.d/dnscrypt-proxy` and update `dnscrypt-resolvers.csv` as described in the previous post.

Hi,

I am having problems getting dnscrypt-proxy to work on my WNDR4300 router. It is currently loaded with the stock version of OpenWrt Chaos Calmer 15.05.

I have installed dnscrypt-proxy as per the instructions on the github page, which seems to install the following versions of the software: dnscrypt-proxy 1.7.0-1.E, dnscrypt-proxy-resolvers 1.7.0-1.E-2016-08-01-..30b and libsodium 1.0.11-1.E.
But I never receive a "Proxying from" message in my system log, and I am unable to do a dig/nslookup. They both fail with server timeouts.

I have also tried manually updating the resolvers list as suggested earlier in this thread, with the same results, as well as trying different resolvers.

This is what I currently receive in my system log:

Wed Nov 30 10:12:25 2016 user.info syslog: - [fvz-anyone] does not support DNS Security Extensions
Wed Nov 30 10:12:25 2016 user.info syslog: + Namecoin domains can be resolved
Wed Nov 30 10:12:25 2016 user.info syslog: + Provider supposedly doesn't keep logs
Wed Nov 30 10:12:25 2016 daemon.notice dnscrypt-proxy[26653]: Starting dnscrypt-proxy 1.7.0
Wed Nov 30 10:12:25 2016 daemon.info dnscrypt-proxy[26653]: Generating a new session key pair
Wed Nov 30 10:12:25 2016 daemon.info dnscrypt-proxy[26653]: Done

Any thoughts on what might be going on?

Did you update your dhcp.@dnsmasq[0].server settings?

Thanks for responding. I am not sure if I am reading your question correctly or not, but if you were asking whether I changed the settings in my /etc/config/dhcp file, I did make the changes as per the wiki.

config dnsmasq
    option domainneeded         1
    option boguspriv            1
    option filterwin2k          0
    option localise_queries     1
    option rebind_protection    1
    option rebind_localhost     1
    option local                '/lan/'
    option domain               'lan'
    option expandhosts          1
    option nonegcache           0
    option authoritative        1
    option readethers           1
    option leasefile            '/tmp/dhcp.leases'
#   option resolvfile           '/tmp/resolv.conf.auto'
    option noresolv             1
    list server                 '127.0.0.1#5353'
    list server                 '/pool.ntp.org/208.67.222.222'

And in dnscrypt-proxy settings you've set the instance to run on port 5353?

Yes, my settings file is:

config dnscrypt-proxy ns1
    option address         '127.0.0.1'
    option port            '5353'
    #option resolver       'fvz-anyone'
    #option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
    # Ephemeral keys option requires extra CPU cycles and can cause huge system load.
    #option ephemeral_keys '0'

#config dnscrypt-proxy ns2
#    option address         '127.0.0.1'
#    option port            '5454'
#    #option resolver       'd0wn-random-ns1'
#    #option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
#    #option ephemeral_keys '0'

Per the wiki (at https://wiki.openwrt.org/inbox/dnscrypt) I should be able to check that dnscrypt-proxy is working by issuing the following. Is this still true?

logread | grep "Proxying from"

Is this still true? Because I don't receive any "Proxying from" messages. I have tried various resolvers, and have updated the resolvers_list per this forum.

I'd uncomment resolver and resolvers_list and try to restart dnscrypt.

As far as I remember, the OpenWrt official repository package is older than the current LEDE package and doesn't allow multiple dnscrypt instances. I remember the OpenWrt dnscrypt-proxy config file looking a bit different.

Where did you get the dnscrypt-proxy package from and did you retain a copy of the original config?

I have dnscrypt working, but I don't get any "Proxying from" messages in the logread output.

So is the DNS resolution working for you or not at the moment?

Sorry, I seem to have confused you. I am using the most recent version of the package from BlackRoland's repository (https://github.com/black-roland/exOpenWrt):

dnscrypt-proxy    1.7.0-1.E
dnscrypt-proxy-resolvers    1.7.0-1.E-2016-08-01-..30b
libsodium    1.0.11-1.E

I have already tried uncommenting the resolver and resolvers_list settings, as well as trying different resolvers. Always with the same result: timeouts when trying to resolve a DNS query, so no DNS resolution.

However, I think I may have determined my problem. Under /etc/services I saw that mDNS is using port 5353 for both TCP and UDP protocols. So I tried changing my dnscrypt-proxy port to 5454 and now all is working fine. I do get the "Proxying from" messages and DNS queries are resolving just fine. So it looks like there might be a conflict in port numbers between the ZeroConf daemon (avahi) and the default port for dnscrypt-proxy.

Thanks for all the help.
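Both failures in this thread come down to the same wiring check: every `list server '127.0.0.1#PORT'` that dnsmasq forwards to must have a dnscrypt-proxy instance actually listening on that port, and that port must not already belong to another daemon (here mDNS/avahi on 5353). The following script is an added example written for this archive, not code from the thread or from the OpenWrt or dnscrypt-proxy projects. It parses UCI-style `/etc/config/dhcp` and `/etc/config/dnscrypt-proxy` text plus an `/etc/services` excerpt (all three embedded as constructed samples modelled on the configs posted above) and reports the two mismatches the posters hit: a forwarded loopback port with no listener, and a listener port that collides with a registered service. The file names and sample values are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the /etc/config/dhcp excerpt posted above.
DHCP_CONFIG = """
config dnsmasq
        option noresolv '1'
        list server '127.0.0.1#5353'
        list server '127.0.0.1#5354'
        list server '/pool.ntp.org/208.67.222.222'
"""

# Constructed sample modelled on the /etc/config/dnscrypt-proxy posted above
# (the second instance is commented out, exactly as in the thread).
DNSCRYPT_CONFIG = """
config dnscrypt-proxy ns1
    option address         '127.0.0.1'
    option port            '5353'
    #option resolver       'fvz-anyone'

#config dnscrypt-proxy ns2
#    option address         '127.0.0.1'
#    option port            '5454'
"""

# Constructed /etc/services excerpt; mDNS is registered on 5353 in real files too.
SERVICES = """
domain          53/tcp
domain          53/udp
mdns            5353/tcp
mdns            5353/udp
"""

UCI_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+(.*))?$")
Section = Tuple[str, Dict[str, List[str]]]


def strip_quotes(value: str) -> str:
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def parse_uci(text: str) -> List[Section]:
    """Minimal UCI parser: returns (section_type, {key: [values]}) per section.
    Only whole-line comments are skipped, so '127.0.0.1#5353' survives intact."""
    sections: List[Section] = []
    current: Optional[Section] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = UCI_LINE.match(raw)
        if not m:
            raise ValueError(f"unparseable UCI line: {raw!r}")
        kind, key, rest = m.group(1), m.group(2), m.group(3) or ""
        if kind == "config":
            current = (key, {})
            sections.append(current)
            continue
        if current is None:
            raise ValueError("option/list before any config section")
        current[1].setdefault(key, []).append(strip_quotes(rest))
    return sections


def dnsmasq_upstreams(text: str) -> List[Tuple[Optional[str], str, int]]:
    """Upstreams dnsmasq forwards to, as (domain_or_None, host, port).
    Handles both 'host#port' and '/domain/host' forms; default port is 53."""
    result = []
    for stype, opts in parse_uci(text):
        if stype != "dnsmasq":
            continue
        for entry in opts.get("server", []):
            domain, spec = None, entry
            if spec.startswith("/"):
                _, domain, spec = spec.split("/", 2)
            host, _, port = spec.partition("#")
            result.append((domain, host, int(port) if port else 53))
    return result


def dnscrypt_listeners(text: str) -> List[Tuple[str, int]]:
    """(address, port) for every active dnscrypt-proxy instance section."""
    out = []
    for stype, opts in parse_uci(text):
        if stype == "dnscrypt-proxy":
            addr = opts.get("address", ["127.0.0.1"])[0]
            port = int(opts.get("port", ["5353"])[0])
            out.append((addr, port))
    return out


def services_on_port(text: str, port: int) -> List[str]:
    """Service names registered on a port in /etc/services-style text."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and "/" in parts[1]:
            number, _, _proto = parts[1].partition("/")
            if number.isdigit() and int(number) == port:
                names.add(parts[0])
    return sorted(names)


def check(dhcp_text: str, dnscrypt_text: str, services_text: str) -> List[str]:
    """Return human-readable findings; an empty list means the wiring is consistent."""
    findings = []
    listeners = set(dnscrypt_listeners(dnscrypt_text))
    for _domain, host, port in dnsmasq_upstreams(dhcp_text):
        if host.startswith("127.") and (host, port) not in listeners:
            findings.append(f"dnsmasq forwards to {host}#{port} but no dnscrypt-proxy instance listens there")
    for addr, port in sorted(listeners):
        names = services_on_port(services_text, port)
        if names:
            findings.append(f"dnscrypt-proxy instance on {addr}:{port} shares the port with {', '.join(names)}; "
                            "check whether that daemon (e.g. avahi) is running before dnscrypt-proxy starts")
    return findings


if __name__ == "__main__":
    for finding in check(DHCP_CONFIG, DNSCRYPT_CONFIG, SERVICES) or ["no mismatches found"]:
        print(finding)
```

On a router you would feed it the real files (`cat /etc/config/dhcp`, `/etc/config/dnscrypt-proxy`, `/etc/services`); a hit on the second finding is only a warning that the port is reserved in the registry, and the usual confirmation is `netstat -lnp | grep :5353` to see which process actually owns the socket.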

Please write instructions on how to connect to Google DNS; I cannot figure out how to do it.
Help!

Rumit wrote:

Please write instructions on how to connect to Google DNS; I cannot figure out how to do it.
Help!

Please check out this wiki page.

The discussion might have continued from here.