Dnscrypt on dd-wrt

DD-WRT Forum Index -> Broadcom SoC based Hardware (page 1 of 3)
spoonassassin
DD-WRT Novice


Joined: 05 Nov 2011
Posts: 2

Posted: Sun Feb 19, 2012 1:17    Post subject: Dnscrypt on dd-wrt
It's been asked before, but no proper answer was given... is it possible to run dnscrypt (from OpenDNS) on dd-wrt?

And if so, how would you go about it?

link: http://www.opendns.com/technology/dnscrypt/
crashfly
DD-WRT Guru


Joined: 24 Feb 2009
Posts: 2024
Location: Sol System > Earth > USA > Arkansas

Posted: Sun Feb 19, 2012 2:24
No it is not possible. There does not appear to be anyone who has compiled the code (or even tried) for the DD-WRT firmware.
_________________
E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]

Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
strfr
DD-WRT User


Joined: 21 Jan 2008
Posts: 192

Posted: Sun Feb 19, 2012 13:29
I would love to see it compiled for dd-wrt! Anyone skillful enough over here?
ptruman
DD-WRT User


Joined: 14 May 2008
Posts: 155

Posted: Mon Mar 12, 2012 15:44
Been done.
I found this earlier :

http://lancethepants.com/files/

It's a binary which runs happily on my WRT54GS V1.1
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1243
Location: Zwolle

Posted: Mon Mar 12, 2012 16:39
ptruman wrote:
Been done.
I found this earlier :

http://lancethepants.com/files/

It's a binary which runs happily on my WRT54GS V1.1

It works fine on my E3000 using Kong 18050M.

Settings:

Static DNS 1: 192.168.1.1
Static DNS 2: 127.0.0.2
Static DNS 3: 127.0.0.3

Running it with:

/opt/script/dnscrypt-proxy -a 192.168.1.1 -d

(Saved it in my startup script.)

My internet works ok, but I have the following output on Windows XP:

nslookup www.msn.com
*** Can't find server name for address 192.168.1.1: No information
*** Can't find server name for address 127.0.0.2: No response from server
*** Can't find server name for address 127.0.0.3: No response from server
*** Default servers are not available
Non-authoritative answer:

1.1.168.192.in-addr.arpa
primary name server = localhost
responsible mail addr = nobody.invalid
serial = 1
refresh = 600 (10 mins)
retry = 1200 (20 mins)
expire = 604800 (7 days)
default TTL = 10800 (3 hours)
(root) ??? unknown type 41 ???
Server: UnKnown
Address: 192.168.1.1

Name: www.msn.com.dynamic.ziggo.nl
Address: 67.215.65.131

Now, since I have blocked dynamic.ziggo.nl in my OpenDNS options, it is redirected to the default OpenDNS IP for blocked websites.

_________________
Asus RT-N16 running Merlin (latest), formerly used Kong 22000++ kingkong-nv32k-broadcom with OTRW2

E4200 V1 running Kong 22000++ kingkong-nv60k-broadcom with OTRW2

2 times Linksys WRT610N V2 converted to E3000 running Kong 22000++ usb-ftp-samba3-dlna-nv60k-broadcom with OTRW2 (bridged with LAN cable)




Last edited by slobodan on Fri Mar 16, 2012 13:49; edited 1 time in total
ptruman
DD-WRT User


Joined: 14 May 2008
Posts: 155

Posted: Mon Mar 12, 2012 16:56
I suggest you slot it in gradually :)

I use DNSMasq and was using OpenDNS anyway, so my /tmp/resolv.dnsmasq read like this :

Code:

nameserver 192.168.1.1
nameserver 208.67.220.220
nameserver 208.67.222.222


What I've done is write a small script called /jffs/etc/config/startdnscryptproxy.wanup (which runs automatically once the WAN comes up)

It contains two lines :

Code:
killall dnscrypt-proxy
/jffs/bin/dnscrypt-proxy --daemonize -a 127.0.0.2 -P 53


That puts dnscrypt-proxy onto 127.0.0.2 port 53.
I've then modded the Local DNS setting on http://YOUR_ROUTER_IP_HERE/index.asp so that the DNS is 127.0.0.2

et voila :)

As an aside, I'm also using the following in my DNSMasq config :

Code:
strict-order
domain-needed
local=/MY_LOCAL_DOMAIN_HERE/
expand-hosts
edns-packet-max=4096
dhcp-option=43,01:04:00:00:00:02
stop-dns-rebind


I'm also running the following in rc_firewall :

Code:
# Override manual DNS changes
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to `nvram get lan_ipaddr`
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to `nvram get lan_ipaddr`


That stops anyone on the LAN using their own specified DNS, by routing to my router IP, which hands the request to DNSMasq, which fires it off to DNSCrypt... :)


Last edited by ptruman on Tue Mar 13, 2012 13:14; edited 1 time in total
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1243
Location: Zwolle

Posted: Mon Mar 12, 2012 17:12
I don't use DNSmasq, I use dhcpd.

Having the plain OpenDNS servers therein could reroute DNS requests via unencrypted DNS traffic. That's why I have put 127.0.0.2 and 127.0.0.3 in Static DNS 2 and 3. They do no serving there, they are just a way to avoid receiving the DNS servers from my provider.

About that blocked domain IP, it is just funny/weird, it is not a problem for using the internet.

Besides dnscrypt-proxy is able to daemonize in multiple instances, so you could replace the plain OpenDNS servers with 127.0.0.3 and 127.0.0.4.

slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1243
Location: Zwolle

Posted: Mon Mar 12, 2012 17:36
Ubuntu knows how to do a proper nslookup:

Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
www.msn.com canonical name = us.co1.cb3.glbdns.microsoft.com.
Name: us.co1.cb3.glbdns.microsoft.com
Address: 70.37.131.153

slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1243
Location: Zwolle

Posted: Fri Mar 16, 2012 13:51
dnscrypt-proxy can daemonize in multiple instances, but they have to be separate files, or at least separate links to the file.
ptruman
DD-WRT User


Joined: 14 May 2008
Posts: 155

Posted: Fri Mar 16, 2012 15:22
Mine has run multiple instances on the same port (presumably due to an error) and the same file on different ports :)
doloop
DD-WRT Novice


Joined: 20 Mar 2012
Posts: 1

Posted: Tue Mar 20, 2012 2:06    Post subject: Excuse my noobness
Hi everyone,

Please forgive this very noob question, but how exactly do I get these files on my router? I am very interested in using DNScrypt-proxy or at least DNSCurve, but I do not know where to start.


thank you.
Mangix
DD-WRT User


Joined: 04 Aug 2011
Posts: 367

Posted: Tue Mar 20, 2012 2:14
You need a build with JFFS2 support (e.g. mini) and more than 4MB of flash, at least for K2.6 builds...
ptruman
DD-WRT User


Joined: 14 May 2008
Posts: 155

Posted: Tue Mar 20, 2012 11:12
Yup, JFFS2 support OR CIFS (I have my routers set to access a partition on my NAS via CIFS).

If you're using JFFS2 on its own (no external storage) you can use wget to download it directly to the router from the internet :)
Bird333
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 807

Posted: Tue May 22, 2012 19:11
ptruman wrote:
I suggest you slot it in gradually :)

I use DNSMasq and was using OpenDNS anyway, so my /tmp/resolv.dnsmasq read like this :

Code:

nameserver 192.168.1.1
nameserver 208.67.220.220
nameserver 208.67.222.222


What I've done is write a small script called /jffs/etc/config/startdnscryptproxy.wanup (which runs automatically once the WAN comes up)

It contains two lines :

Code:
killall dnscrypt-proxy
/jffs/bin/dnscrypt-proxy --daemonize -a 127.0.0.2 -P 53


That puts dnscrypt-proxy onto 127.0.0.2 port 53.
I've then modded the Local DNS setting on http://YOUR_ROUTER_IP_HERE/index.asp so that the DNS is 127.0.0.2

et voila :)

As an aside, I'm also using the following in my DNSMasq config :

Code:
strict-order
domain-needed
local=/MY_LOCAL_DOMAIN_HERE/
expand-hosts
edns-packet-max=4096
dhcp-option=43,01:04:00:00:00:02
stop-dns-rebind


I'm also running the following in rc_firewall :

Code:
# Override manual DNS changes
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to `nvram get lan_ipaddr`
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to `nvram get lan_ipaddr`


That stops anyone on the LAN using their own specified DNS, by routing to my router IP, which hands the request to DNSMasq, which fires it off to DNSCrypt... :)


Newbie questions. Can you elaborate on setting this up through the gui (or commandline if necessary) step by step?
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1243
Location: Zwolle

Posted: Wed May 23, 2012 21:12
Bird333 wrote:

Newbie questions. Can you elaborate on setting this up through the gui (or commandline if necessary) step by step?


ptruman wrote:
I use DNSMasq and was using OpenDNS anyway, so my /tmp/resolv.dnsmasq read like this :

Code:

nameserver 192.168.1.1
nameserver 208.67.220.220
nameserver 208.67.222.222

This will default to unencrypted DNS requests whenever dnscrypt is not working properly. If you want to avoid that, use the following:

nameserver 192.168.1.1
nameserver 127.0.0.2
nameserver 127.0.0.3

How to do it? Fill the following options in your DD-WRT Setup page:

Static DNS 1: 192.168.1.1
Static DNS 2: 127.0.0.2
Static DNS 3: 127.0.0.3

Quote:
What I've done is write a small script called /jffs/etc/config/startdnscryptproxy.wanup (which runs automatically once the WAN comes up)

It contains two lines :

Code:
killall dnscrypt-proxy
/jffs/bin/dnscrypt-proxy --daemonize -a 127.0.0.2 -P 53

If you want to write such a script use:

vi /jffs/etc/config/startdnscryptproxy.wanup

or

nano /jffs/etc/config/startdnscryptproxy.wanup

I would advise using the following command instead of the above:

/jffs/bin/dnscrypt-proxy -d -a 192.168.1.1

Hint: this is just for the record. I have no such wanup script and dnscrypt works fine. I have simply added it to my startup script and I do not have problems with it stopping unexpectedly. Sure, my system first checks if the year is different from 1970 and if not, it loops back to checking the year until the time is correctly set from a static IP of a time server (don't use a URL since there is nothing to resolve it, at least in the configuration suggested by me). dnscrypt is only executed if the time has been set correctly. I have cron doing an ntpclient synchronization with a static IP every 3 minutes past the hour and 8 minutes past the hour; this is an extra safety measure in case the router does not get NTP time by itself.

Quote:
That puts dnscrypt-proxy onto 127.0.0.2 port 53.
I've then modded the Local DNS setting on http://YOUR_ROUTER_IP_HERE/index.asp so that the DNS is 127.0.0.2

et voila :)

As an aside, I'm also using the following in my DNSMasq config :

Code:
strict-order
domain-needed
local=/MY_LOCAL_DOMAIN_HERE/
expand-hosts
edns-packet-max=4096
dhcp-option=43,01:04:00:00:00:02
stop-dns-rebind

You may enter the above under Services / Additional DNSMasq options.

Here are my DNSMasq options:

Code:
bogus-priv
domain-needed
local=/lan/
dhcp-option=43,01:04:00:00:00:02
expand-hosts
user=root

addn-hosts=/opt/etc/pixelserv/blacks

The last line has been added by the Optware service pixelserv, so you do not have to duplicate it.

I consider that if you use 127.0.0.2 and 127.0.0.3 as DNS servers, strict-order is not necessary, but if it reassures you, you may add it there.

stop-dns-rebind is not needed (and it may be a problem) if you have selected the radio button No DNS Rebind.

Meanwhile I have switched to DNSMasq instead of udhcpd.
Quote:
I'm also running the following in rc_firewall :

Code:
# Override manual DNS changes
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to `nvram get lan_ipaddr`
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to `nvram get lan_ipaddr`


That stops anyone on the LAN using their own specified DNS, by routing to my router IP, which hands the request to DNSMasq, which fires it off to DNSCrypt... :)

The above is a good script, type it under Administration / Commands and press Save Firewall.

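One way to put ptruman's wanup setup and slobodan's startup-script advice together, as an added example that is neither poster's own script: it waits for the router clock to leave 1970 (nudging it with ntpclient by numeric IP, since no resolver exists yet), starts one dnscrypt-proxy instance per loopback listener with the command line used in this thread, and checks /tmp/resolv.dnsmasq for the plaintext fallback slobodan warns about. Assumed and not from the thread: the /jffs/bin path, the ntpclient flags, and the NTP_IP placeholder.

```shell
#!/bin/sh
# Added illustration for this thread, not any poster's own script. Assumed:
# dnscrypt-proxy at /jffs/bin, listeners 127.0.0.2/127.0.0.3 as configured above,
# NTP_IP as a placeholder for your time server's numeric address.
DNSCRYPT=/jffs/bin/dnscrypt-proxy
LAN_IP=192.168.1.1
LISTENERS="127.0.0.2 127.0.0.3"
NTP_IP=192.0.2.123            # placeholder (TEST-NET-1), replace before use
# The router boots with the clock at 1970 and dnscrypt certificates carry
# validity dates, so nothing starts until the year is plausible.
clock_is_set() {              # $1: four-digit year, defaults to the live clock
    [ "${1:-$(date +%Y)}" -gt 1970 ]
}

# Poll the clock, nudging it with ntpclient by numeric IP (no resolver exists yet).
# $1: max attempts, $2: seconds between them. Assumed ntpclient flags: -s set, -h host.
wait_for_clock() {
    n=0
    while ! clock_is_set; do
        n=$((n + 1))
        [ "$n" -lt "$1" ] || return 1
        ntpclient -s -h "$NTP_IP" >/dev/null 2>&1
        sleep "$2"
    done
}
# Daemon command line for one listener, in the form the posts above use.
instance_cmd() {              # $1: listener IP
    printf '%s -d -a %s -P 53\n' "$DNSCRYPT" "$1"
}
# The silent-fallback check from the thread: an upstream that is neither the
# router itself nor a loopback listener means queries can leave in plaintext.
resolv_only_local() {         # $1: resolv.conf-style file, e.g. /tmp/resolv.dnsmasq
    while read -r kw addr _; do
        [ "$kw" = nameserver ] || continue
        case "$addr" in
            127.*|"$LAN_IP") ;;
            *) return 1 ;;
        esac
    done < "$1"
    return 0
}
start_dnscrypt() {
    wait_for_clock 60 10 || { logger "dnscrypt: clock never set"; return 1; }
    killall dnscrypt-proxy 2>/dev/null
    for ip in $LISTENERS; do $(instance_cmd "$ip"); done
    resolv_only_local /tmp/resolv.dnsmasq || logger "dnscrypt: plaintext upstream listed"
}
# Run only when executed directly, so the functions can also be sourced for checks.
if [ "${0##*/}" = startdnscrypt.sh ]; then start_dnscrypt; fi
```

Saved as startdnscrypt.sh and called from the startup script it behaves as slobodan describes; sourced from a shell, only the functions load so resolv_only_local can be run by hand against /tmp/resolv.dnsmasq.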