OpenWrt Forum Archive

Topic: DNSCrypt setup — securing DNS communications

The content of this topic has been archived between 29 Mar 2018 and 5 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I've been trying to install DNSCrypt on an Octeon build. When trying to install libsodium for it I get the missing libssp dependency. Searching the forums I've read it's part of openssh but even after installing that I'm still missing it. What is libssp a part of?

I just recently started using OpenWRT on my TP-LINK TL-WR941NDv3 and decided to build OpenWRT on my own, with the packages I need pre-installed, to save free space.

Why can't I include your custom dnscrypt-proxy in my builder? If I exclude dnscrypt-proxy, the bin file for my router, along with those for other versions, is available, but whenever I include dnscrypt-proxy, the bin files aren't there after the build, even for other router versions.

Already tried to remove ipkg/opkg and ipv6 support to save more free space but still no luck, even with only including dnscrypt-proxy and libsodium.

EDIT: Never mind, I kinda tricked the compiler and now it's working.

(Last edited by Seflyx on 11 May 2016, 16:21)

What needs to be done to get this package (and any dependencies) into Image Builder?

Hello all!

I'm using OpenWrt Chaos Calmer 15.05.1 and the DNSCrypt Roland Black version with a TPLINK WDR4300.

It's running fine for all my network, using the 'cisco' proxy.

My doubt is: is it possible to configure another dnscrypt proxy for a specific VLAN or WiFi network?

Ex:
'cisco' for lan
'cisco-familyshield' for wifi or vlan-xx

My dnscrypt-proxy:

config dnscrypt-proxy ns1
        option address         '127.0.0.1'
        option port            '5353'
        option resolver       'cisco'
        option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
        # Ephemeral keys option requires extra CPU cycles and can cause huge sy$
        # Disable it in case of performance problems.
        option ephemeral_keys '1'

config dnscrypt-proxy ns2
        option address         '127.0.0.1'
        option port            '5454'
        option resolver       'cs-ussouth'
        option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
        option ephemeral_keys '1'

My dhcp:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        list server '127.0.0.1#5353'
        list server '127.0.0.1#5454'
        list server '/pool.ntp.org/208.67.222.222'
        option localservice '1'
        option dnssec '1'
        option resolvfile '/etc/resolv-crypt.conf       list server 127.0.0.1'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

config dhcp 'wifi'
        option interface 'wifi'
        option start '50'
        option limit '60'
        option leasetime '24h'

Thank you very much!!

Kind Regards!

Black Roland wrote:

But you need another DNS caching server (not dnsmasq).

So I would have to uninstall the "dnsmasq" and install another proxy? Or keep both? Could you suggest what package to install tinydns / maradns?

Before posting here I tried with dhcp_option, making the following change to /etc/config/dhcp:

config dhcp 'wifi'
...
option list dhcp_option '6,127.0.0.1#5656'
...

and removing the line "list server '127.0.0.1#5656'" from "config dnsmasq".

It did not work. ;)

Thank you very much Black Roland!

Best Regards!

Provide luci download http://exopenwrt.roland.black/ ?

(Last edited by q158073378252010 on 4 Aug 2016, 17:09)

@Black Roland -- please consider making the package for LEDE. Here's an output of the Image Builder when trying to include your packages in LEDE, the opkg install yields similar results.

Package dnscrypt-proxy-resolvers version 1.7.0-1.E-2016-08-01-22ff30b has no valid architecture, ignoring.
Package dnscrypt-proxy version 1.7.0-1.E has no valid architecture, ignoring.
Package hostip version 1.7.0-1.E has no valid architecture, ignoring.
Package iodine version 0.7.0-1.E has no valid architecture, ignoring.
Package iodined version 0.7.0-1.E has no valid architecture, ignoring.
Package libsodium version 1.0.11-1.E has no valid architecture, ignoring.

stangri wrote:

@Black Roland -- please consider making the package for LEDE. Here's an output of the Image Builder when trying to include your packages in LEDE, the opkg install yields similar results.

I'm hearing about LEDE for the first time. I think I can make a pull request to LEDE mainstream.

Black Roland wrote:
stangri wrote:

@Black Roland -- please consider making the package for LEDE. Here's an output of the Image Builder when trying to include your packages in LEDE, the opkg install yields similar results.

I'm hearing about LEDE for the first time. I think I can make a pull request to LEDE mainstream.

I'd be very grateful if you do, as I need to run DNSCrypt with two different resolvers.

LEDE would probably replace the default dnscrypt lib with @Black Roland's version if a pull request was submitted.

(Last edited by moxu on 9 Aug 2016, 20:46)

Packages are good...

Black Roland wrote:

I'm hearing about LEDE for the first time. I think I can make a pull request to LEDE mainstream.

Hey Black Roland,

Could you please again consider making a LEDE-compatible package?

Thanks!

stangri wrote:

Hey Black Roland,

Could you please again consider making a LEDE-compatible package?

Thanks!

Hi.

Sorry for having kept silent for so long. LEDE uses the openwrt/packages repository. I contacted the LEDE developers over IRC and they recommended making a pull request to the OpenWrt repository. I just made a PR on GitHub. As soon as the PR is accepted, dnscrypt-proxy should appear in LEDE.

Thanks man, looking forward to PR being accepted!

Black Roland wrote:

Hi.

Sorry for having kept silent for so long. LEDE uses the openwrt/packages repository. I contacted the LEDE developers over IRC and they recommended making a pull request to the OpenWrt repository. I just made a PR on GitHub. As soon as the PR is accepted, dnscrypt-proxy should appear in LEDE.

Hey man, please check the PR again. Ted wants postinst and prerm functions removed. Ideally there should be a separate makefile for the resolvers list so that it's easier for Damiano to rebuild the resolvers list ipk when they're updated.

Spasibo!

stangri wrote:
Black Roland wrote:

Hi.

Sorry for having kept silent for so long. LEDE uses the openwrt/packages repository. I contacted the LEDE developers over IRC and they recommended making a pull request to the OpenWrt repository. I just made a PR on GitHub. As soon as the PR is accepted, dnscrypt-proxy should appear in LEDE.

Hey man, please check the PR again. Ted wants postinst and prerm functions removed. Ideally there should be a separate makefile for the resolvers list so that it's easier for Damiano to rebuild the resolvers list ipk when they're updated.

Spasibo!

Yes, I saw, thank you :) The PR was merged today.

Please let me know when dnscrypt-proxy appears in LEDE. I do not have a router with LEDE to check :|

Thank you so much! I'm back to enjoying multiple resolvers support with your build of dnscrypt!

Your build has appeared in revision 1497 I think, the current revision is 1504 and it also has your build of dnscrypt.

(Last edited by stangri on 5 Sep 2016, 01:44)

stangri wrote:

Thank you so much! I'm back to enjoying multiple resolvers support with your build of dnscrypt!

Your build has appeared in revision 1497 I think, the current revision is 1504 and it also has your build of dnscrypt.

Good to hear!

I think I can now close exOpenWrt.

Black Roland wrote:
stangri wrote:

Thank you so much! I'm back to enjoying multiple resolvers support with your build of dnscrypt!

Your build has appeared in revision 1497 I think, the current revision is 1504 and it also has your build of dnscrypt.

Good to hear!

I think I can now close exOpenWrt.

It's still very useful to whoever is staying with CC/DD.

hey guys
there's one server with wrong info, how can this be corrected?
in openwrt the resolvers file has a wrong port for this server:
ns1.ru.dns.d0wn.biz
the file specifies port 80, when the correct config should use port 54

You can check this by going here:
https://dns.d0wn.biz/
Then clicking on the server named above

Can someone update the resolvers package pls?

Instead of using the resolvers list (which I dislike editing), I used the following command on my old Asus router:

/jffs/bin/dnscrypt-proxy --local-address=127.0.0.1:65055 --resolver-address=185.90.62.45:443 --provider-name=2.dnscrypt-cert.fvz-rec-de-muc-01.dnsrec.meo.ws --provider-key=C392:2B83:8EB3:884B:B99B:70BD:B90A:C204:37A4:797A:35F4:3600:7641:94E3:F995:444A --daemonize

Is it possible to do the same thing on OpenWRT?

I tried to edit the file /etc/config/dnscrypt-proxy, but it doesn't work:

config dnscrypt-proxy ns1
    option address '127.0.0.1'
    option port '5353'
    option resolver-address '185.90.62.45:443'
    option provider-name '2.dnscrypt-cert.fvz-rec-de-muc-01.dnsrec.meo.ws'
    option provider-key 'C392:2B83:8EB3:884B:B99B:70BD:B90A:C204:37A4:797A:35F4:3600:7641:94E3:F995:444A'

johndoe wrote:

Instead of using the resolvers list (which I dislike editing), I used the following command on my old Asus router...

Maybe edit /etc/init.d/dnscrypt-proxy so that, instead of retrieving configs from /etc/config/dnscrypt-proxy and using them, it just launches the daemon with the parameters you want directly?
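
The last reply's suggestion (start the daemon with fixed parameters instead of reading /etc/config/dnscrypt-proxy) could look like the procd init script below. It is an added example, not code from the thread or from the dnscrypt-proxy package, and it checks the pinned resolver settings before starting anything. The binary path and the helper function names are assumptions; the resolver values are the ones quoted in the post above.

```shell
# Added example. On the router this is an init script whose first line is:
#   #!/bin/sh /etc/rc.common
START=50
USE_PROCD=1

PROG=/usr/sbin/dnscrypt-proxy   # assumed install path, not stated in the thread
LOCAL_ADDR='127.0.0.1:5353'     # matches "list server '127.0.0.1#5353'" in dnsmasq
RESOLVER_ADDR='185.90.62.45:443'
PROVIDER_NAME='2.dnscrypt-cert.fvz-rec-de-muc-01.dnsrec.meo.ws'
PROVIDER_KEY='C392:2B83:8EB3:884B:B99B:70BD:B90A:C204:37A4:797A:35F4:3600:7641:94E3:F995:444A'

# The provider key is the trust anchor: a 32-byte public key written as
# 16 colon-separated groups of 4 hex digits. Reject anything else.
valid_provider_key() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{4}:){15}[0-9A-Fa-f]{4}$'
}

# IPv4 address with an explicit port, e.g. 185.90.62.45:443.
valid_ipv4_port() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{1,5}$'
}

# Print the daemon arguments one per line, or fail without printing any.
build_args() {
    valid_ipv4_port "$1" && valid_ipv4_port "$2" || return 1
    case "$3" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac   # hostname characters only
    valid_provider_key "$4" || return 1
    printf '%s\n' "--local-address=$1" "--resolver-address=$2" \
        "--provider-name=$3" "--provider-key=$4"
}

start_service() {
    args=$(build_args "$LOCAL_ADDR" "$RESOLVER_ADDR" "$PROVIDER_NAME" "$PROVIDER_KEY") || {
        echo "dnscrypt-proxy: malformed resolver settings, not starting" >&2
        return 1
    }
    procd_open_instance
    # No --daemonize here: procd supervises a process that stays in the foreground.
    # $args is left unquoted on purpose so each validated line becomes one argument.
    procd_set_param command "$PROG" $args
    procd_set_param respawn
    procd_close_instance
}
```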