Hello,
I am starting this new topic in the hope that there will finally be some kind of guide, manual or dd-wrt wiki tutorial explaining how to do this (and also to "vent" a bit about how confusing all of this is nowadays).
I spent more than a week of research regarding dnscrypt, dnsmasq and other "dependencies", to no avail.
I am using Kong's r31870M.
This FW has GUI dnscrypt, and there is only one field to specify the DNS Crypt Resolver. No listener addr or port, or IPv4 or IPv6 listener (meaning localhost 127.0.0.1 or ::1).
There is nothing about the listener address and port. How do I know what address:port dd-wrt assigns by the GUI activation process? There is no dnscrypt config file to look into or possibly to modify. It is possible to find out about the remote resolvers' settings (addresses and ports) from dnscrypt-resolvers.csv. But how frequently is this file being updated, since it now sits in the non-writeable /etc/dnscrypt/dnscrypt-resolvers.csv location? Wouldn't it be better to put it in the writeable /tmp folder? (devs?)
Here is more: I just found out the hard way, trying dnscrypt on my Win10 machine, that there is a need to allow the remote resolvers' listening ports (which are non-standardized, but selected to the admin's liking) through the firewall. So not only 53 or 443, but others as well (1053, 2053, 5353, 5443, etc.), especially in ip6tables, to be able to communicate with the remote resolvers.
And more: when I set up dnscrypt on dd-wrt, suddenly nslookup does not resolve names. Even hostip will not resolve an IP addr to a name, or am I doing something wrong?
hostip 2001:470:20::2
[name does not exist]
I was not able to communicate with opkg as well.
I have seen some of you run dig on dd-wrt; how and where did you get it? The current opkg does not list it.
Also the time issue: ntp servers have to be specified in dnsmasq.
Also, how do I set up router clients to point to what on dd-wrt to get DNS resolution on router clients?
So, recapping:
1. dnscrypt config
2. dnscrypt listener addr and port(s); 1 or more listeners? and proto
3. location and frequency of updates of dnscrypt-resolvers.csv
4. Firewalls: iptables and ip6tables
5. nslookup, hostip, and other working dns resolving tools for troubleshooting
6. access to opkg while using dnscrypt (so far I was unsuccessful)
7. ntp and current time
8. there probably is more, which skipped my mind at this time
But please, could we get together and put some documentation on how to get security working, before ISPs sell all our info?
Thanks for reading.
And I will appreciate very much any CONSTRUCTIVE remarks regarding this matter.
Sincerely,
P-B
_________________
Netgear R7000
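The firewall point in the post above (remote resolvers listen on non-standard ports, and ip6tables in particular has to let the router reach them) can be handled more tightly than opening a range of ports: read the resolver's address and port out of dnscrypt-resolvers.csv and allow only that one destination. The script below is an added example, not dd-wrt's or the thread's own code. It assumes the v1 dnscrypt-resolvers.csv layout, where a "Resolver address" column holds "IPv4:port" or "[IPv6]:port"; the two data rows it writes are constructed for the demo, and the function names are invented here. On the router, point RESOLVERS_CSV at /etc/dnscrypt/dnscrypt-resolvers.csv.

```shell
#!/bin/sh
# Added example (not from the thread, not dd-wrt's own code): derive firewall
# rules that let the router reach ONLY the DNSCrypt resolver it is configured
# for, instead of opening a whole range of non-standard ports.
# Assumption: the v1 dnscrypt-resolvers.csv layout, where one column
# ("Resolver address") holds "IPv4:port" or "[IPv6]:port".

# Constructed sample file for the demo; RESOLVERS_CSV may be overridden with
# the real /etc/dnscrypt/dnscrypt-resolvers.csv path on the router.
SAMPLE_CSV=${TMPDIR:-/tmp}/dnscrypt-resolvers-sample.csv
cat > "$SAMPLE_CSV" <<'EOF'
Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
example-v4,"Example resolver, IPv4",Constructed sample,Nowhere,"0.0,0.0",https://resolver.example,1.0,yes,yes,no,198.51.100.10:5443,2.dnscrypt-cert.resolver.example,AAAA:BBBB,
example-v6,"Example resolver, IPv6",Constructed sample,Nowhere,"0.0,0.0",https://resolver.example,1.0,yes,yes,no,[2001:db8::53]:2053,2.dnscrypt-cert.resolver.example,AAAA:BBBB,
EOF
RESOLVERS_CSV=${RESOLVERS_CSV:-$SAMPLE_CSV}

# resolver_addr NAME -> prints the "Resolver address" of the row whose first
# column is NAME; prints nothing for an unknown name. Splitting on every
# comma also splits quoted fields such as "Example resolver, IPv4", but that
# is harmless: the address field contains no comma, so it survives intact and
# is recognised by its shape rather than by a fixed column number.
resolver_addr() {
    awk -F, -v want="$1" '
        $1 == want {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-9][0-9.]*:[0-9][0-9]*$/ || $i ~ /^\[[0-9a-fA-F:]*]:[0-9][0-9]*$/) {
                    print $i; exit
                }
        }' "$RESOLVERS_CSV"
}

# firewall_rules ADDR -> prints, without applying, the iptables/ip6tables
# rules that accept the router's own UDP and TCP traffic to that one
# host:port. Review the output, then run it from the dd-wrt firewall script.
firewall_rules() {
    case $1 in
        \[*\]:*) host=${1#\[}; host=${host%%\]*}; port=${1##*\]:}; tool=ip6tables ;;
        *:*)     host=${1%:*};  port=${1##*:};    tool=iptables  ;;
        *)       echo "firewall_rules: '$1' is not host:port" >&2; return 1 ;;
    esac
    for proto in udp tcp; do
        printf '%s -I OUTPUT -p %s -d %s --dport %s -j ACCEPT\n' \
            "$tool" "$proto" "$host" "$port"
    done
}

# Demo: print the rules for both constructed resolvers.
for name in example-v4 example-v6; do
    firewall_rules "$(resolver_addr "$name")"
done
```

The rules are printed rather than applied so they can be checked before they land in a firewall script; they only cover the router's own outbound traffic, which is the direction dnscrypt-proxy needs.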
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Mon Apr 24, 2017 19:24 Post subject:
Well, I can't answer all the questions, as they are presented in a funny way; however, maybe this will shed some light for you:
1. to be able to use DNSCrypt you must set a NTP time...
so either put an external ntp server IP in the box or use this line in additional DNSMasq options
3. once connected to DNSCrypt it uses its own IPv4 or IPv6, so it does not matter if you have any of them from your side; also you can use it in conjunction with DNSSEC for extra security if so...
To be honest, I tried to install Entware and run DNSCrypt on an Atheros unit but I couldn't make it, so I'm using only Kong's solution for DNSCrypt on Broadcom devices in his last builds...
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
So, recapping:
1. dnscrypt config
2. dnscrypt listener addr and port(s); 1 or more listeners? and proto
There is no config, only command-line params; thus you can stop and start it the way you want, add all your fancy resolver params, etc.
Quote:
3. location and frequency of updates of dnscrypt-resolvers.csv
It gets updated whenever dnscrypt gets updated.
4. Firewalls: iptables and ip6tables
Quote:
5. nslookup, hostip, and other working dns resolving tools for troubleshooting
opkg list | grep dig
bind-dig - 9.10.4-P5-1 - bind DNS excavation tool
Quote:
6. access to opkg while using dnscrypt (so far I was unsuccessful)
7. ntp and current time
The problem is that these routers do not have a built-in clock, and after each boot it first needs to have access to ntp. I already thought about a little hack to store the time in nvram and restore it on reboot. It does not have to be very accurate; a few days do not matter, as most apps just do a basic check, e.g. cert validity. Thus the little hacks to get time via ntp for dnscrypt to be able to run.
_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
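Kong's post describes, but does not show, a hack that stores the time in nvram and restores it on reboot so that dnscrypt's certificate-validity check passes before ntp is reachable. The script below is an added example of that idea, not Kong's code. The nvram key name saved_epoch is invented here, and when the nvram tool is absent (i.e. not on dd-wrt) the value is kept in a plain file so the script can be exercised on any machine; the decision of when to restore is a separate function so it can be tested without touching the system clock.

```shell
#!/bin/sh
# Added example (not Kong's code, which the post only describes): persist the
# clock across reboots so a router with no battery-backed RTC boots with a
# plausible date and dnscrypt-proxy's certificate checks pass before ntp is
# reachable. Assumptions: the nvram key name `saved_epoch` is invented here,
# and when the `nvram` tool is absent the value is kept in a plain file.

NVRAM_KEY=saved_epoch
FALLBACK_FILE=${CLOCK_STORE:-${TMPDIR:-/tmp}/saved_epoch}

have_nvram() { command -v nvram >/dev/null 2>&1; }

# store_get / store_set: nvram on dd-wrt, a file elsewhere.
store_get() {
    if have_nvram; then nvram get "$NVRAM_KEY"; else cat "$FALLBACK_FILE" 2>/dev/null; fi
}

store_set() {
    if have_nvram; then nvram set "$NVRAM_KEY=$1" && nvram commit
    else printf '%s\n' "$1" > "$FALLBACK_FILE"; fi
}

# clock_needs_restore NOW SAVED -> true (exit 0) only when the running clock
# is behind the last saved value, which is what a cold boot without an RTC
# looks like (the kernel starts at 1970 or at the firmware build date).
# A clock already at or past SAVED is left alone; ntp will correct it later.
clock_needs_restore() {
    [ -n "$2" ] && [ "$1" -lt "$2" ]
}

# save_clock: run from cron (hourly is plenty; on dd-wrt each call is an
# nvram commit, i.e. a flash write) and from the shutdown script.
save_clock() {
    store_set "$(date +%s)"
}

# restore_clock: run early in the startup script, before dnscrypt-proxy is
# launched. Prints what it did so the decision is visible in the boot log.
restore_clock() {
    saved=$(store_get)
    if clock_needs_restore "$(date +%s)" "$saved"; then
        date -s "@$saved" >/dev/null 2>&1 && echo "clock restored to epoch $saved" && return 0
        echo "clock restore to epoch $saved failed (need root?)" >&2
        return 1
    fi
    echo "clock already at or past saved value; nothing to do"
}

# Demo: save the current time and read it back.
save_clock
echo "saved epoch: $(store_get)"
```

A few days of drift is harmless for the cert-validity check Kong mentions, which is why saving hourly is enough; the restore step deliberately never moves a clock forward past the saved value or backwards, so a router that already has correct time from ntp is left untouched.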
@Alozaros and @Kong
Thank You both for your kind assistance and answers.
At least a bit more light shed onto the important security subject.
About NTP in DNSMasq, I found out before and had it in.
I did NOT know I could run dnscrypt from the command line. I will try to create a .conf file and run it from the command line and NOT from the GUI (something similar to this: .\dnscrypt-proxy /tmp/dnscrypt/dnscrypt-proxy.conf). It will be worth trying.
I am still not clear if the GUI instance listens on port 30 or 53? I can only guess that on port 53, since netstat does not list port 30 listening.
Thanks for the opkg option to get and install the dig package. This still, even with option -6, does not resolve to IPv6 addresses, unlike hostip -6, which does.
Two more questions: 1. How do I specify the DNS resolver on the router's client PCs? Do I give the router's LAN IP address to clients as the DNS resolver, as I used to do before the dnscrypt era?
And
2. Should dnscrypt be executed before ip6tables or after, if run from a script? I would guess after firewall startup, but I just wanted to confirm this would be the correct order.
Thank You guys so much.
Sincerely,
P-B
_________________
Netgear R7000
Joined: 04 Aug 2018 Posts: 1446 Location: Appalachian mountains, USA
Posted: Sat Sep 01, 2018 22:11 Post subject: workaround fix to dnscrypt/ntpclient deadlock?
Crossing fingers here, but I may have finally kludged a fairly simple solution to the dnscrypt/ntpclient deadlock problem, which just appeared for me in BS build 36698. I posted details Sat Sep 01, 2018 (at 2152Z) at/near the end of page 2 on the New Build: 08-22-2018-r36698 thread.
Posted: Sat Sep 01, 2018 22:31 Post subject: Re: workaround fix to dnscrypt/ntpclient deadlock?
SurprisedItWorks wrote:
Crossing fingers here, but I may have finally kludged a fairly simple solution to the dnscrypt/ntpclient deadlock problem, which just appeared for me in BS build 36698. I posted details Sat Sep 01, 2018 (at 2152Z) at/near the end of page 2 on the new-build thread at https://forum.dd-wrt.com/phpBB2/posting_sec.php?t=316401.
Joined: 08 May 2018 Posts: 14126 Location: Texas, USA
Posted: Tue Sep 04, 2018 18:00 Post subject: Re: workaround fix to dnscrypt/ntpclient deadlock?
Brimmy wrote:
SurprisedItWorks wrote:
Crossing fingers here, but I may have finally kludged a fairly simple solution to the dnscrypt/ntpclient deadlock problem, which just appeared for me in BS build 36698. I posted details Sat Sep 01, 2018 (at 2152Z) at/near the end of page 2 on the new-build thread at https://forum.dd-wrt.com/phpBB2/posting_sec.php?t=316401.