dnscrypt & dnsmasq & others FRUSTRATIONS...

Author Message
Pandora-Box
DD-WRT User


Joined: 09 Mar 2008
Posts: 218
Location: USA

PostPosted: Mon Apr 24, 2017 17:35    Post subject: dnscrypt & dnsmasq & others FRUSTRATIONS... Reply with quote
Hello,
I am starting this new topic in the hope that there will finally be some kind of guide or manual or dd-wrt wiki tutorial explaining how to do this (and also to "vent" a bit about how confusing all of this is nowadays).
I spent more than a week of research regarding dnscrypt, dnsmasq and other "dependencies" to no avail.
I am using Kongs r31870M.
This FW has GUI dnscrypt, and there is only one field to specify the DNS Crypt Resolver. No listener addr or port, or IPv4 or IPv6 listener (meaning localhost 127.0.0.1 or ::1).
There is nothing about listener address and port. How do I know what address:port dd-wrt assigns during the GUI activation process? There is no dnscrypt config file to look into or possibly modify. It is possible to find out the remote resolvers' settings (addresses and ports) from dnscrypt-resolvers.csv. But how frequently is this file updated, since it now sits in the non-writeable /etc/dnscrypt/dnscrypt-resolvers.csv location? Wouldn't it be better to put it in the writeable /tmp folder? (devs?)
Here is more: I just found out the hard way, trying dnscrypt on my Win10 machine, that there is a need to allow the remote resolvers' listening ports (which are non-standardized, but selected to the admin's liking) through the firewall. So, not only 53 or 443, but others as well (1053, 2053, 5353, 5443, etc.), especially in ip6tables, to be able to communicate with the remote resolvers.
And more: when I set up dnscrypt on dd-wrt, suddenly nslookup does not resolve names. Even hostip will not resolve IP addr to name, or am I doing something wrong?
hostip 2001:470:20::2
[name does not exist]
I was not able to communicate with opkg, as well.
I have seen some of you run dig on dd-wrt, how and where did you get it? Current opkg does not list it.
Also the time issue: ntp servers have to be specified in dnsmasq.
Also, how do I set up router clients to point to what on dd-wrt to get DNS resolution on the router clients?
So, recapping:
1. dnscrypt config
2. dnscrypt listener addr and port(s); 1 or more listeners? and proto
3. location and frequency of updates of dnscrypt-resolvers.csv
4. Firewalls: iptables and ip6tables
5. nslookup, hostip, and other working dns resolving tools for troubleshooting
6. access to opkg while using dnscrypt (so far I was unsuccessful)
7. ntp and current time
8. there probably is more, which skipped my mind at this time
But, please, could we get together and put together some documentation on how to get security working, before ISPs sell all our info.
Thanks for reading.
And I will appreciate very much any CONSTRUCTIVE remarks regarding this matter.
Sincerely,
P-B

_________________
Netgear R7000
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Mon Apr 24, 2017 19:24    Post subject: Reply with quote
Well, I can't answer all the questions, as they are presented in a funny way; however, maybe this will shed some light for you:
1. To be able to use DNSCrypt you must set an NTP time...
so either put an external ntp server IP in the box or use these lines in Additional DNSMasq Options:

server=/us.pool.ntp.org/8.8.8.8
server=/us.pool.ntp.org/8.8.4.4

2. Here you can find alternative settings for more than one resolver: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=308502&postdays=0&postorder=asc&start=0

3. Once connected to DNSCrypt it uses its own IPv4 or IPv6, so it does not matter if you have any of them from your side; also you can use it in conjunction with DNSSEC for extra security if you wish...

4. For DNSCrypt config refer to Google:
https://wiki.archlinux.org/index.php/DNSCrypt
https://dnscrypt.org/

To be honest, I tried to install Entware and run DNSCrypt on an Atheros unit but I couldn't make it work, so I'm using only Kong's solution for DNSCrypt on Broadcom devices in his last builds...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 4339
Location: Germany

PostPosted: Mon Apr 24, 2017 19:31    Post subject: Re: dnscrypt & dnsmasq & others FRUSTRATIONS... Reply with quote
Pandora-Box wrote:

So, recapping:
1. dnscrypt config
2. dnscrypt listener addr and port(s); 1 or more listeners? and proto



There is no config, only command-line params; thus you can stop and start it the way you want it, add all your fancy resolver params, etc.

Quote:

3. location and frequency of updates of dnscrypt-resolvers.csv

It gets updated whenever dnscrypt gets updated.

Quote:

4. Firewalls: iptables and ip6tables
5. nslookup, hostip, and other working dns resolving tools for troubleshooting


opkg list | grep dig
bind-dig - 9.10.4-P5-1 - bind DNS excavation tool

Quote:

6. access to opkg while using dnscrypt (so far I was unsuccessful)
7. ntp and current time


The problem is that these routers do not have a built-in clock, and after each boot it first needs to have access to ntp. I already thought about a little hack to store the time in nvram and restore it on reboot. It does not have to be very accurate; a few days do not matter, as most apps just do a basic check, e.g. cert validity. Thus the little hacks to get time via ntp for dnscrypt to be able to run.

_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
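As an added example (not code from the thread, from DD-WRT or from Kong's build), here is a startup-script sketch that ties together Alozaros's NTP-bypass lines and the time/dnscrypt ordering Kong describes, including his nvram-saved-time idea. It assumes an NTP server reached by IP, a proxy listener on 127.0.0.1:30, dnscrypt-proxy 1.x command-line flags, and DD-WRT's nvram, ntpclient and busybox date tools.

```sh
#!/bin/sh
# Added example, not code from the thread, DD-WRT or Kong's build. Sketch of a startup script
# for the loop Kong describes: no RTC, dnscrypt needs a sane clock for certificate checks,
# and the clock needs NTP. Assumptions: an NTP server reached by IP, a dnscrypt listener on
# 127.0.0.1:30, dnscrypt-proxy 1.x flags, and DD-WRT's nvram/ntpclient/busybox date tools.

NTP_IP="192.0.2.123"        # placeholder (TEST-NET); put a real NTP server IP here, not a hostname
LISTEN="127.0.0.1:30"       # assumed local listener address:port for the proxy
RESOLVER="example-resolver" # placeholder; pick a name from dnscrypt-resolvers.csv
CSV="/etc/dnscrypt/dnscrypt-resolvers.csv"
SANE_EPOCH=1483228800       # 2017-01-01 UTC: any reading before this is the 1970 default after boot

# A clock reading is plausible once it is past the firmware's own era.
clock_is_sane() {           # $1 = epoch seconds (empty counts as 0)
    [ "${1:-0}" -ge "$SANE_EPOCH" ]
}

# Kong's nvram idea: if the boot clock is obviously wrong but a saved timestamp is sane,
# print the saved value to apply (a few days' drift is fine for cert validity); else print nothing.
boot_time_to_apply() {      # $1 = current epoch, $2 = epoch saved at last run ("" if none)
    if clock_is_sane "$1"; then return 1; fi
    if clock_is_sane "$2"; then echo "$2"; return 0; fi
    return 1
}

# Run hourly from cron once synced, so the next boot starts close to real time (assumed nvram tool).
save_clock() { nvram set saved_epoch="$(date +%s)" && nvram commit; }

# Additional DNSMasq Options: Alozaros's lines send the NTP pool name to a plain resolver so
# ntpclient can resolve it before the proxy is up; everything else goes to the proxy (assumption).
dnsmasq_extra() {
    printf 'server=/us.pool.ntp.org/8.8.8.8\nserver=/us.pool.ntp.org/8.8.4.4\n'
    printf 'server=%s#%s\n' "${LISTEN%:*}" "${LISTEN#*:}"
}

main() {
    t="$(boot_time_to_apply "$(date +%s)" "$(nvram get saved_epoch)")" && date -s "@$t"
    # 1. Real time first, from an IP so no resolver is involved yet (assumed ntpclient flags).
    until ntpclient -c 1 -s -h "$NTP_IP" >/dev/null 2>&1 && clock_is_sane "$(date +%s)"; do
        sleep 5
    done
    # 2. Only now start the proxy; its resolver certificate checks need the clock.
    dnscrypt-proxy --daemonize --local-address="$LISTEN" \
        --resolvers-list="$CSV" --resolver-name="$RESOLVER"
    # 3. LAN clients keep the router's LAN IP as DNS; print the dnsmasq lines to paste into the GUI.
    dnsmasq_extra
}
# Only run the boot sequence when explicitly asked, so the functions can be checked on their own.
if [ "${RUN_DDWRT_BOOT:-0}" = 1 ]; then main; fi
```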
Pandora-Box
DD-WRT User


Joined: 09 Mar 2008
Posts: 218
Location: USA

PostPosted: Mon Apr 24, 2017 20:20    Post subject: Reply with quote
@Alozaros and @Kong
Thank You both for your kind assistance and answers.
At least a bit more light shed onto the important security subject.
About NTP in DNSMasq, I found out before and had it in.
I did NOT know I could run dnscrypt from the command line. I will try to create a .conf file and run it from the command line and NOT from the GUI (something similar to this: .\dnscrypt-proxy /tmp/dnscrypt/dnscrypt-proxy.conf). It will be worth trying.
I am still not clear whether the GUI instance listens on port 30 or 53. I can only guess that it is port 53, since netstat does not list port 30 listening.
Thanks for the opkg option to get and install the dig package. This, even with option -6, still does not resolve to IPv6 addresses, unlike hostip -6, which does.

Two more questions: 1. How do I specify the DNS resolver on the router's client PCs? Do I give the router's LAN IP address to clients as the DNS resolver, as I used to do before the dnscrypt era?
And
2. Should dnscrypt be executed before ip6tables or after if run from a script? I would guess after firewall startup, but I just wanted to confirm this would be a correct order.

Thank You guys so much.
Sincerely,
P-B

_________________
Netgear R7000
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

PostPosted: Sat Sep 01, 2018 22:11    Post subject: workaround fix to dnscrypt/ntpclient deadlock? Reply with quote
Crossing fingers here, but I may have finally kludged a fairly simple solution to the dnscrypt/ntpclient deadlock problem, which just appeared for me in BS build 36698. I posted details Sat Sep 01, 2018 (at 2152Z) at/near the end of page 2 on the New Build: 08-22-2018-r36698 thread.

10.21.23: edited link - kp69
Brimmy
DD-WRT User


Joined: 29 Mar 2015
Posts: 398

PostPosted: Sat Sep 01, 2018 22:31    Post subject: Re: workaround fix to dnscrypt/ntpclient deadlock? Reply with quote
SurprisedItWorks wrote:
Crossing fingers here, but I may have finally kludged a fairly simple solution to the dnscrypt/ntpclient deadlock problem, which just appeared for me in BS build 36698. I posted details Sat Sep 01, 2018 (at 2152Z) at/near the end of page 2 on the new-build thread at https://forum.dd-wrt.com/phpBB2/posting_sec.php?t=316401.


Your link says "No post mode specified"
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14126
Location: Texas, USA

PostPosted: Tue Sep 04, 2018 18:00    Post subject: Re: workaround fix to dnscrypt/ntpclient deadlock? Reply with quote
Brimmy wrote:
SurprisedItWorks wrote:
Crossing fingers here, but I may have finally kludged a fairly simple solution to the dnscrypt/ntpclient deadlock problem, which just appeared for me in BS build 36698. I posted details Sat Sep 01, 2018 (at 2152Z) at/near the end of page 2 on the new-build thread at https://forum.dd-wrt.com/phpBB2/posting_sec.php?t=316401.


Your link says "No post mode specified"


https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1139786#1139786

Post is in the Marvell forum.