DNSCrypt results so far.

DD-WRT Forum Index -> Broadcom SoC based Hardware
Brimmy
DD-WRT User


Joined: 29 Mar 2015
Posts: 398

Posted: Mon Aug 14, 2017 20:29    Post subject: DNSCrypt results so far.
Playing with the different settings for DNSCrypt, I have noticed a few things and I am just reporting what I have found so far. I am located in the Caribbean and using a wzr1750dhp/d, so your results may vary.

Adguard DNS Family Protection 2 seems to work fine without any real issues. Some of the DNSCrypt choices introduce more latency than others, which is to be expected as they are in different locations and configurations. Some seem to be blocking online services like Netflix.

In the SYSLOG I find these that stand out because of the highlighted color.
These are for Yandex's DNSCrypter:-
in yellow = user.info : - [yandex] does not support DNS Security Extensions

For SecureDNS Uncensored, No logging Amsterdam Netherlands:-
in red = user.warn : - [yandex] logs your activity - a different provider might be better a choice if privacy is a concern
in red = daemon.err dnscrypt-proxy[1857]: Unable to create a socket to the resolver
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Tue Aug 15, 2017 6:31    Post subject:
These are normal; some providers support DNSSEC, some do not.
All are different, as well as their quality and speed...
Personally I use only those that support DNSSEC...
You have to find out for yourself...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
r6300v2usr
DD-WRT Novice


Joined: 03 Jan 2017
Posts: 49
Location: Lindau, Germany

Posted: Tue Aug 15, 2017 7:06    Post subject: Re: DNSCrypt results so far.
Brimmy wrote:
In the SYSLOG I find these that stand out because of the highlighted color.
These are for Yandex's DNSCrypter:-
in yellow = user.info : - [yandex] does not support DNS Security Extensions

For SecureDNS Uncensored, No logging Amsterdam Netherlands:-
in red = user.warn : - [yandex] logs your activity - a different provider might be better a choice if privacy is a concern

These two messages are warnings due to the properties of the chosen dnscrypt resolvers. If you take a look in the dnscrypt-resolvers.csv file (DD-WRT location is: /etc/dnscrypt/dnscrypt-resolv.csv, a comma separated text file) you will find the following information (attached picture): Yandex and adguard do not support DNSSEC validation, Yandex keeps logs.
If logging or DNSSEC are a concern for you, you should try other dnscrypt resolvers. The dnscrypt-resolv.csv may help to find the appropriate one for you (e.g. location Anycast) out of 111 possible resolvers. It might be faster than "Trial and Error".
Quote:
in red = daemon.err dnscrypt-proxy[1857]: Unable to create a socket to the resolver

The chosen resolver seems not to work (temporarily?), you should try another one. Or there is another issue?
In my setup (KONG build 33010) securedns works and gives the following complete syslog (key and serial deleted):
    Aug 15 08:37:32 R6300v2 user.info : + DNS Security Extensions are supported
    Aug 15 08:37:32 R6300v2 user.info : + Provider supposedly doesn't keep logs
    Aug 15 08:37:32 R6300v2 daemon.notice dnscrypt-proxy[23198]: Starting dnscrypt-proxy 1.9.5
    Aug 15 08:37:32 R6300v2 daemon.info dnscrypt-proxy[23198]: Generating a new session key pair
    Aug 15 08:37:32 R6300v2 daemon.info dnscrypt-proxy[23198]: Done
    Aug 15 08:37:32 R6300v2 daemon.info dnscrypt-proxy[23198]: Server certificate with serial #1...3 received
    Aug 15 08:37:32 R6300v2 daemon.info dnscrypt-proxy[23198]: This certificate is valid
    Aug 15 08:37:32 R6300v2 daemon.info dnscrypt-proxy[23198]: Chosen certificate #1...3 is valid from [2017-06-29] to [2018-06-29]
    Aug 15 08:37:32 R6300v2 daemon.info dnscrypt-proxy[23198]: The key rotation period for this server may exceed the recommended value. This is bad for forward secrecy.
    Aug 15 08:37:32 R6300v2 daemon.info dnscrypt-proxy[23198]: Server key fingerprint is xxx:xxx:xxx:....
    Aug 15 08:37:32 R6300v2 daemon.notice dnscrypt-proxy[23198]: Proxying from 127.0.0.11:30 to 146.185.167.43:5353
Maybe I will give securedns a try regarding DNSSEC.



[Attached image: Bildschirmfoto_2017-08-15_08-20-41.png]
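The CSV lookup suggested in the post above can be scripted rather than read by eye. This is an added example, not code from the thread or from the dnscrypt-proxy project; it assumes the column header of the dnscrypt-proxy 1.x resolver list, and the rows, addresses and keys are constructed placeholders.

```python
import csv
import io

# Constructed sample using the assumed dnscrypt-proxy 1.x header; compare it
# with the first line of your own copy of /etc/dnscrypt/dnscrypt-resolv.csv.
SAMPLE_CSV = '''Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
example-a,"Example A, filtered","Blocks ads, trackers",Anycast,,https://a.example,1,no,yes,no,192.0.2.10:5443,2.dnscrypt-cert.a.example,PLACEHOLDER,
example-b,Example B,Public resolver,Russia,,https://b.example,1,no,no,no,192.0.2.20:443,2.dnscrypt-cert.b.example,PLACEHOLDER,
example-c,Example C,"Uncensored, no logging","Amsterdam, Netherlands",,https://c.example,1,yes,yes,no,192.0.2.30:5353,2.dnscrypt-cert.c.example,PLACEHOLDER,
example-c6,Example C IPv6,"Uncensored, no logging","Amsterdam, Netherlands",,https://c.example,1,yes,yes,no,[2001:db8::30]:5353,2.dnscrypt-cert.c.example,PLACEHOLDER,
'''

REQUIRED = ("Name", "Location", "DNSSEC validation", "No logs", "Resolver address")


def _yes(value):
    """True when a yes/no column says 'yes' (empty or missing counts as no)."""
    return (value or "").strip().lower() == "yes"


def select_resolvers(text, need_dnssec=True, need_no_logs=True, location=None):
    """Return the CSV rows (as dicts) whose declared properties match."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        # A different header layout would otherwise silently match nothing.
        raise ValueError("unexpected CSV header, missing: " + ", ".join(missing))
    picked = []
    for row in reader:
        if need_dnssec and not _yes(row["DNSSEC validation"]):
            continue
        if need_no_logs and not _yes(row["No logs"]):
            continue
        if location and location.lower() not in (row["Location"] or "").lower():
            continue
        picked.append(row)
    return picked


if __name__ == "__main__":
    # On real data: text = open("dnscrypt-resolv.csv", newline="").read()
    for r in select_resolvers(SAMPLE_CSV):
        print(r["Name"], r["Location"], r["Resolver address"], sep=" | ")
```

The "DNSSEC validation" and "No logs" columns are what each provider declares about itself, which is why the proxy logs "supposedly doesn't keep logs"; the filter narrows the candidates but does not verify those claims.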


Brimmy
DD-WRT User


Joined: 29 Mar 2015
Posts: 398

Posted: Wed Aug 16, 2017 12:10    Post subject: Re: DNSCrypt results so far.
Thanks for the information. If you plan to use securedns, try both and see if the non-IPv6 one has more latency and blocks or times out Netflix, because it does for me. I am now using the IPv6 securedns and I have Netflix loading with no issue and I have my normal internet speed.
All times are GMT