
Topic: Solved! Help with DNSCrypt please


Hi, I have fixed the text of the two config files below. This is what works for me in the UK. I am running Lede leviathan III SNAPSHOT r3063-f2e6e11 / LuCI Master (git-17.020.82842-e1edb10).
This will work on OpenWRT just the same!


Hi, I can't get DNSCrypt to work for me.
I want to use the OpenDNS servers.
I have it installed and started.
Here's my DHCP file.

# dnsmasq: every client query is forwarded to the local dnscrypt-proxy listener
# (127.0.0.1#5353); the only exception is the per-domain forward noted below.
config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    # rebind_protection: refuse upstream answers that point at private address ranges
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
# resolvfile is deliberately left commented out: together with noresolv below it keeps
# dnsmasq from picking up the plaintext upstreams the WAN interface received via DHCP/PPP.
#option resolvfile '/tmp/resolv.conf.auto'
    option localservice '1'
        # noresolv: do not read /etc/resolv.conf; only the 'list server' entries below are used
        option noresolv '1'
        # the dnscrypt-proxy instance ns1 (address 127.0.0.1, port 5353) from the dnscrypt-proxy config
        list server '127.0.0.1#5353'
        # NOTE(review): per-domain forward — lookups for uk.pool.ntp.org go directly to
        # 85.199.214.102 on plain port 53, i.e. NOT through dnscrypt. Presumably so NTP can
        # sync before the dnscrypt certificate checks need a correct clock — confirm.
        list server '/uk.pool.ntp.org/85.199.214.102'
# the two OpenDNS IPs stay commented out: listing them here would let dnsmasq send queries
# to them on plain port 53 alongside dnscrypt; they belong only in the dnscrypt-proxy config
# list server                 '208.67.222.222'
# list server                 '208.67.220.220'

# LAN pool: start 100, limit 150 (addresses .100-.249), 6h leases; DHCPv6 and RA served locally
config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option dhcpv6 'server'
    option ra 'server'
    option leasetime '6h'
    option ra_management '1'

# no DHCP is served on the WAN side
config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

# maindhcp '0': odhcpd presumably handles only the DHCPv6/RA side, dnsmasq stays the DHCPv4 server — confirm
config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'

Is this right?
What do I have to do with my dnscrypt-proxy file:

# ns1: the dnscrypt-proxy listener dnsmasq forwards to. address/port here must match the
# 'list server 127.0.0.1#5353' line in the dhcp config, otherwise dnsmasq has no upstream at all.
config dnscrypt-proxy ns1
    option address '127.0.0.1'
    option port '5353'
    # 'cisco' must be a name present in resolvers_list below (the OP wants OpenDNS — confirm
    # that entry is the one meant)
    option resolver 'cisco'
    # resolvers_list must be active (not commented) for the resolver name above to be looked up
 option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
    # ephemeral keys option requires extra CPU cycles and can cause huge system load
    # option ephemeral_keys '0'
    # more details at [url]https://github.com/jedisct1/dnscrypt-proxy#public-key-client-authentication[/url]
    # option client_key '/path/to/client_key'
    # option syslog '1'
    # option syslog_prefix 'dnscrypt-proxy'
    # option query_log_file '/path/to/logfile'
    # enable cache may speed up dnscrypt-proxy, see [url]https://github.com/jedisct1/dnscrypt-proxy/wiki/Go-faster[/url]
    # option local_cache '0'
    # disable IPv6 may also speed up dnscrypt-proxy, see [url]https://github.com/jedisct1/dnscrypt-proxy/wiki/Go-faster[/url]
    # option block_ipv6 '0'
    # Blacklists allow you to block domains, ip, ... see [url]https://github.com/jedisct1/dnscrypt-proxy/wiki/Filtering[/url]
    # list blacklist 'domains:/path/to/domains-blacklist-file.txt'
    # list blacklist 'domains:/path/to/domains-blacklist2-file.txt'

# optional second instance on port 5454, left disabled; if enabled it would also need a
# matching 'list server 127.0.0.1#5454' entry in the dnsmasq config
#    config dnscrypt-proxy ns2
#        option address '127.0.0.1'
#        option port '5454'
#        # option resolver 'd0wn-random-ns1'
#        # option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
#        # option ephemeral_keys '0'
#        # option client_key ''

For your /etc/firewall.user file:
add these two lines to stop devices on your network (e.g. Android phones) that use hard-coded DNS servers from bypassing the router.

# /etc/firewall.user: intercept client DNS arriving on the LAN bridge and redirect it to the
# router's own port 53 (dnsmasq), so clients with hard-coded resolvers still end up going
# through dnscrypt. -I inserts the rules at the top of the nat PREROUTING chain.
# Only plain DNS on UDP/TCP port 53 arriving on br-lan is caught: other interfaces, IPv6
# (ip6tables) and DNS carried on other ports (e.g. DNS-over-TLS/HTTPS) are not covered here.
iptables -t nat -I PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -I PREROUTING -i br-lan -p tcp --dport 53 -j REDIRECT --to-port 53

(Last edited by tapper on 4 Jun 2017, 19:44)

I would also like to know how to test and make sure that DNSCrypt is working, because a lot of the commands I have found on the net don't work on OpenWRT.

You want to get rid of your two "list server" lines pointing at 208.67.x.x, or you may see DNS traffic sent to those servers on port 53. The dnscrypt-enabled server IPs belong in the dnscrypt config file only.

I used tcpdump to validate operation. To test, run tcpdump and listen on the WAN interface, e.g.

  tcpdump -i eth1 port 53

... plus any verbosity or logging options you choose. You should NOT see outbound port 53 traffic with the above command. Listen for port 443 traffic to/from the servers you've chosen to see the actual dnscrypt traffic.

I had to add an iptables rule to force all port 53 traffic through dnscrypt, because some software and devices (smart TVs) use hard-coded DNS IPs.

You need to remove:

list server                 '208.67.222.222'
list server                 '208.67.220.220'

from your dnsmasq config.

In the dnscrypt-proxy file uncomment first

option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'

To test whether dnscrypt is working, run /etc/init.d/dnscrypt-proxy stop (or just stop the dnscrypt service from LuCI), then run nslookup google.com 127.0.0.1 on your router. If no domains resolve, it means dnscrypt is the only path being used to resolve domain names for you (you then of course need to start dnscrypt again).

With the law recently passed in the UK, I'm surprised more people are not looking to switch to dnscrypt.

PS. Do learn how to use the code tags here on the forum.
PPS. It's a good idea to enable DNS hijacking on your network to ensure all connected devices use your router and not any other DNS servers.

(Last edited by stangri on 8 Feb 2017, 23:24)

OK, I have edited my OP; please have a look for me. Thanks to both of you. About the code tags: where can I find out about them?
Did I get the code tags right? I got it from here:
http://www.dailywritingtips.com/forum/m … ?do=bbcode

(Last edited by tapper on 8 Feb 2017, 23:33)

I have it working now, thanks for all your help. I am going to edit my first post so there is a record of what I have done, because I will forget, and it will help anyone else.

How do I enable DNS hijacking?
