dnscrypt-proxy now in upstream. Anyone still need this repository?
Topic: DNSCrypt setup — securing DNS communications
The content of this topic has been archived between 29 Mar 2018 and 5 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.
Am I allowed to add two dnsCrypt resolvers? How do I specify a second resolver (e.g., 'cloudns-syd') as a backup?
cat /etc/config/dnscrypt-proxy
config dnscrypt-proxy
    option address '127.0.0.1'
    option port '2053'
    option resolver 'cloudns-can'
    # option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'

cat /etc/init.d/dnscrypt-proxy
#!/bin/sh /etc/rc.common
START=50
start_instance () {
    local section="$1"
    config_get address "$section" 'address'
    config_get port "$section" 'port'
    config_get resolver "$section" 'resolver'
    config_get resolvers_list "$section" 'resolvers_list'
    service_start /usr/sbin/dnscrypt-proxy -d \
        -a ${address}:${port} \
        -u nobody \
        -L ${resolvers_list:-'/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'} \
        -R ${resolver:-'cloudns-can'}
(Last edited by Lou-ltef on 2 Jul 2015, 17:44)
Is the default resolver opendns(wiki) or cisco(list)?
Updated to 1.6.0. Dropped AA support. Also changed repository URL, see info at README: https://github.com/black-roland/exOpenW … xx-devices
I'll try to fix some problems in the near future.
Notice that line 4 is commented out (#) by default, so dnscrypt-proxy ignores it and uses opendns. If you uncomment this line, cisco or any other resolver that you specify in this line will be used.
In new DNSCrypt versions the "opendns" resolver was renamed to "cisco".
Oh, I missed that moment. I deleted my post and have made changes to the wiki.
Please update to the latest version from exOpenWrt (1.6.0-3.E).
You can specify many resolvers this way:
$ cat /etc/config/dnscrypt-proxy
config dnscrypt-proxy cloudnscan
    option address '127.0.0.1'
    option port '5353'
    option resolver 'cloudns-can'

config dnscrypt-proxy cloudnssyd
    option address '127.0.0.1'
    option port '5454'
    option resolver 'cloudns-syd'

$ cat /etc/config/dhcp
config dnsmasq
    # ...
    option noresolv '1'
    list server '127.0.0.1#5353'
    list server '127.0.0.1#5454'
    list server '/pool.ntp.org/84.200.69.80'
    list server '/pool.ntp.org/84.200.70.40'
Anybody have any idea why DNSCrypt has stopped working? I have changed nothing on my network and yet it will no longer work. Have had it running without issue for several months. I can connect fine if I set /etc/dhcp/dhclient.conf to go directly to OpenDNS. But trying cisco and numerous other dnscrypt resolvers will not work any longer. Using Barrier Breaker and have changed nothing prior to this happening.
Can you provide the output of the logread command (after dnscrypt start)?
Okay, so I reset OpenWRT to a clean slate and then updated to Chaos Calmer final release. Then I followed the directions here precisely: http://wiki.openwrt.org/inbox/dnscrypt?s
This command is producing good output: logread | grep -n "using nameserver"
This command produces NO output: logread | grep "Proxying from"
So it appears that the proxy is not working. If you are willing to help out, much appreciated. If you want specific logread info, could you be specific in how exactly you want me to get it? Thanks.
(Last edited by Lou-ltef on 11 Sep 2015, 19:53)
Is /etc/init.d/dnscrypt-proxy supposed to show 'opendns' as the resolver even though I'm not using opendns?
cat /etc/init.d/dnscrypt-proxy
#!/bin/sh /etc/rc.common
START=50
start_instance () {
    local section="$1"
    config_get address "$section" 'address'
    config_get port "$section" 'port'
    config_get resolver "$section" 'resolver'
    config_get resolvers_list "$section" 'resolvers_list'
    service_start /usr/sbin/dnscrypt-proxy -d \
        -a ${address}:${port} \
        -u nobody \
        -L ${resolvers_list:-'/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'} \
        -R ${resolver:-'opendns'}
}

cat /etc/config/dnscrypt-proxy
config dnscrypt-proxy dnscrypteu-nl
    option address '127.0.0.1'
    option port '5353'
    option resolver 'dnscrypt.eu-nl'
    option ephemeral_keys '1'

config dnscrypt-proxy dnscrypteu-dk
    option address '127.0.0.1'
    option port '5454'
    option resolver 'dnscrypt.eu-dk'
    option ephemeral_keys '1'
(Last edited by Lou-ltef on 11 Sep 2015, 20:44)
Without grep:
/etc/init.d/dnscrypt-proxy restart
logread | tail -n 20
Install exopenwrt repository first:
cd /tmp
wget 'http://exopenwrt.and.in.net/exopenwrt.pub'
opkg-key add exopenwrt.pub
echo 'src/gz exopenwrt http://exopenwrt.and.in.net/chaos_calmer/15.05-rc3/ar71xx/packages/exopenwrt' >> /etc/opkg.conf
opkg update
opkg install dnscrypt-proxy dnscrypt-proxy-resolvers libsodium
# /etc/init.d/dnscrypt-proxy restart && logread | tail -n 20
Sat Sep 12 16:48:51 2015 daemon.info hostapd: wlan1: STA c8:f7:22:6e:12:aa WPA: group key handshake completed (RSN)
Sat Sep 12 16:48:51 2015 daemon.info hostapd: wlan1: STA 00:46:d7:82:89:ec WPA: group key handshake completed (RSN)
Sat Sep 12 16:52:56 2015 authpriv.info dropbear[1456]: Child connection from 192.168.100.198:44305
Sat Sep 12 16:53:03 2015 authpriv.notice dropbear[1456]: Password auth succeeded for 'root' from 192.168.100.198:44305
Sat Sep 12 16:55:00 2015 daemon.warn dnsmasq[1171]: no servers found in /tmp/resolv.conf.auto, will retry
Sat Sep 12 16:56:10 2015 authpriv.info dropbear[1456]: Exit (root): Disconnect received
Sat Sep 12 16:56:28 2015 daemon.info dnsmasq[1171]: exiting on receipt of SIGTERM
Sat Sep 12 16:56:31 2015 daemon.info dnsmasq[1932]: started, version 2.73 cachesize 150
Sat Sep 12 16:56:31 2015 daemon.info dnsmasq[1932]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC loop-detect inotify
Sat Sep 12 16:56:31 2015 daemon.info dnsmasq[1932]: DNS service limited to local subnets
Sat Sep 12 16:56:31 2015 daemon.info dnsmasq-dhcp[1932]: DHCP, IP range 192.168.100.100 -- 192.168.100.249, lease time 4d
Sat Sep 12 16:56:31 2015 daemon.info dnsmasq[1932]: using nameserver 208.67.222.222#53 for domain pool.ntp.org
Sat Sep 12 16:56:31 2015 daemon.info dnsmasq[1932]: using nameserver 127.0.0.1#5353
Sat Sep 12 16:56:31 2015 daemon.info dnsmasq[1932]: using local addresses only for domain lan
Sat Sep 12 16:56:31 2015 daemon.warn dnsmasq[1932]: no servers found in /tmp/resolv.conf.auto, will retry
Sat Sep 12 16:56:31 2015 daemon.info dnsmasq[1932]: read /etc/hosts - 1 addresses
Sat Sep 12 16:56:31 2015 daemon.info dnsmasq[1932]: read /tmp/hosts/dhcp - 1 addresses
Sat Sep 12 16:56:31 2015 daemon.info dnsmasq-dhcp[1932]: read /etc/ethers - 0 addresses
Sat Sep 12 16:56:47 2015 authpriv.info dropbear[1935]: Child connection from 192.168.100.198:44312
Sat Sep 12 16:56:51 2015 authpriv.notice dropbear[1935]: Password auth succeeded for 'root' from 192.168.100.198:44312
I thought everything I need is now in the official repos. I need to install outside repo?
(Last edited by Lou-ltef on 12 Sep 2015, 18:08)
Dnscrypt in official repos does not support launching of many instances.
Is it:
http://exopenwrt.and.in.net/chaos_calmer/15.05-rc3/ar71xx/packages/exopenwrt
or
http://exopenwrt.rlnd.black/chaos_calmer/15.05/ar71xx/packages/exopenwrt
(Last edited by TJKV on 13 Sep 2015, 05:28)
This:
http://exopenwrt.rlnd.black/chaos_calmer/15.05/ar71xx/packages/exopenwrt
Repo migrated to new domain.
I reflashed OpenWRT Chaos Calmer and set up DNSCrypt per the wiki with a single resolver. Everything worked fine for the entire week until today. DNSCrypt just stopped working. I have tried switching DNSCrypt resolvers, but still nothing works. I switch to a non-DNSCrypt resolver and everything works. Everything looks in order in the logs. I have no idea why it stops working.
I rebooted the router. Once reboot was complete, I pulled the log file. This is it:
~# /etc/init.d/dnscrypt-proxy restart && logread | tail -n 20
Sun Sep 20 13:18:08 2015 daemon.info dnscrypt-proxy[1248]: Done
Sun Sep 20 13:18:08 2015 user.emerg syslog: setting up led USB1
Sun Sep 20 13:18:08 2015 user.emerg syslog: setting up led USB2
Sun Sep 20 13:18:08 2015 user.emerg syslog: setting up led WLAN2G
Sun Sep 20 13:18:08 2015 daemon.info dnscrypt-proxy[1248]: Server certificate #808464433 received
Sun Sep 20 13:18:08 2015 daemon.info dnscrypt-proxy[1248]: This certificate looks valid
Sun Sep 20 13:18:08 2015 daemon.info dnscrypt-proxy[1248]: Chosen certificate #808464433 is valid from [2015-09-11] to [2016-09-10]
Sun Sep 20 13:18:08 2015 daemon.info dnscrypt-proxy[1248]: Server key fingerprint is E7AC:5C21:A4E6:6A90:B254:DD73:5229:3BA1:5BE9:8EB3:4E8F:E538:52DE:A2FB:DDB6:1357
Sun Sep 20 13:18:08 2015 daemon.notice dnscrypt-proxy[1248]: Proxying from 127.0.0.1:5353 to 176.56.237.171:443
Sun Sep 20 13:18:08 2015 daemon.info procd: - init complete -
Sun Sep 20 13:18:16 2015 authpriv.info dropbear[1272]: Child connection from 192.168.100.180:34057
Sun Sep 20 13:18:51 2015 authpriv.notice dropbear[1272]: Password auth succeeded for 'root' from 192.168.100.180:34057
Sun Sep 20 13:18:58 2015 daemon.notice dnscrypt-proxy[1285]: Starting dnscrypt-proxy 1.4.3
Sun Sep 20 13:18:58 2015 daemon.info dnscrypt-proxy[1285]: Initializing libsodium for optimal performance
Sun Sep 20 13:18:58 2015 daemon.info dnscrypt-proxy[1285]: Generating a new key pair
Sun Sep 20 13:18:58 2015 daemon.info dnscrypt-proxy[1285]: Done
Sun Sep 20 13:18:58 2015 daemon.info dnscrypt-proxy[1285]: Server certificate #808464433 received
Sun Sep 20 13:18:58 2015 daemon.info dnscrypt-proxy[1285]: This certificate looks valid
Sun Sep 20 13:18:58 2015 daemon.info dnscrypt-proxy[1285]: Chosen certificate #808464433 is valid from [2015-09-11] to [2016-09-10]
Sun Sep 20 13:18:58 2015 daemon.info dnscrypt-proxy[1285]: Server key fingerprint is E7AC:5C21:A4E6:6A90:B254:DD73:5229:3BA1:5BE9:8EB3:4E8F:E538:52DE:A2FB:DDB6:1357
Anybody have any idea what's wrong with my box, why DNSCrypt won't work?
Is anybody else also having this problem?
If I do a fresh install, everything works--for a while and then it just stops working.
I'm using DNSCrypt on win/linux/macosx and, as the control freak that I am, I've enabled the DNS log.
I wish to migrate the service at router level also but... is DNS logging, or other plugins available?
What are my options to enable log plugin?
Thanks.
@Black Roland
Hello Roland,
Could you please help me with compiling dnscrypt-proxy? I've tried to compile dnscrypt-proxy on TurrisOS (OpenWrt fork based on 14.07 version; Target System (Freescale MPC85xx); Subtarget (P2020-NAND)).
I followed all your steps and everything went well until I ran:
$ make -j 2 V=s toolchain/install
After that I got:
/home/odra/openwrt/include/toplevel.mk:171: recipe for target 'toolchain/install' failed
make: *** [toolchain/install] Error 2
Screenshot:
Do you have any idea why I've got this error?
I have also looked at your repository http://exopenwrt.roland.black/barrier_b … ages/base/ where can I get (how to build or download) libc_0.9.33.2-1, libgcc_4.8-linaro-1, zlib_1.2.8-1??
(Last edited by ODra on 26 Dec 2015, 21:26)
ld: ... no space left on device
That's pretty embarrassing.. Ahh, thank you sir.
Okay, so I reset OpenWRT to a clean slate and then updated to Chaos Calmer final release. then I followed the directions here precisely: http://wiki.openwrt.org/inbox/dnscrypt?s
this command is producing good output: logread | grep -n "using nameserver"
this command produces NO output: logread | grep "Proxying from"
So it appears that the proxy is not working. If you are willing to help out, much appreciated. If you want specific logread info, could you be specific in how exactly you want me to get it? Thanks.
I had the same issue. When I rebooted the router, dnscrypt wasn't proxying.
Change the START in
/etc/init.d/dnscrypt-proxy
to 60 instead of 50.
dnsmasq runs at 60 and dnscrypt-proxy should have the same value by default.
Next run
/etc/init.d/dnscrypt-proxy enable
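
Added example, not part of any post in this thread: the two logread checks used above ("using nameserver" and "Proxying from") combined into one script that flags a loopback upstream dnsmasq forwards to when no dnscrypt-proxy instance announced that port. The function name, the OK/DEAD/DIRECT labels and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): correlate the loopback upstreams
# dnsmasq logs with the ports dnscrypt-proxy logs it is proxying from.
# Usage on a router: logread | check_dnscrypt_log

check_dnscrypt_log() {
    report=$(awk '
        # dnsmasq: "using nameserver ADDR#PORT [for domain NAME]"
        /dnsmasq\[[0-9]+\]: using nameserver / {
            up = ""
            for (i = 1; i < NF; i++) if ($i == "nameserver") up = $(i + 1)
            if (up ~ /^127\.0\.0\.1#/) { sub(/^.*#/, "", up); want[up] = 1 }
            else if (up != "") direct[up] = 1
        }
        # dnscrypt-proxy 1.x: "Proxying from 127.0.0.1:PORT to ADDR:PORT"
        /dnscrypt-proxy\[[0-9]+\]: Proxying from / {
            for (i = 1; i < NF; i++) if ($i == "from") {
                p = $(i + 1); sub(/^.*:/, "", p); have[p] = 1
            }
        }
        END {
            for (p in want) {
                s = (p in have) ? "OK" : "DEAD"
                print s " 127.0.0.1#" p
            }
            for (u in direct) print "DIRECT " u
        }')
    printf "%s\n" "$report" | sort
    # Non-zero status when dnsmasq forwards to a port no proxy announced.
    ! printf "%s\n" "$report" | grep -q "^DEAD"
}

# Constructed sample logs, modelled on the log format quoted in this thread.
sample_dead() { cat <<'EOF'
Sat Sep 12 16:56:31 2015 daemon.info dnsmasq[1932]: using nameserver 208.67.222.222#53 for domain pool.ntp.org
Sat Sep 12 16:56:31 2015 daemon.info dnsmasq[1932]: using nameserver 127.0.0.1#5353
EOF
}
sample_ok() { cat <<'EOF'
Sun Sep 20 13:18:08 2015 daemon.notice dnscrypt-proxy[1248]: Proxying from 127.0.0.1:5353 to 176.56.237.171:443
Sun Sep 20 13:18:09 2015 daemon.info dnsmasq[1300]: using nameserver 127.0.0.1#5353
EOF
}
```

A DEAD line with a non-zero exit status matches the symptom described in the thread (dnsmasq points at a local port where nothing is proxying), and DIRECT lines list upstreams that do not go through dnscrypt-proxy at all.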