
DNSCrypt Preview

Discussion in 'Tomato Firmware' started by lancethepants, Mar 4, 2012.

  1. jyavenard

    jyavenard Network Guru Member

    The connection to OpenDNS is encrypted.

    To me, DNSCrypt is a fad anyway. It serves no real purpose as all it does is shift the privacy concern elsewhere while only adding downsides.

    So sure, your queries aren't sent to a public server anymore... but you send them to OpenDNS! And all of your queries at that. IMHO, that's worse, as opposed to sending your queries to multiple servers. And once you've resolved your IP address, what are you hiding then? A reverse DNS lookup would be all you need to retrieve what your query was about.

    You also lose one of the core features of DNS: multi-path. A DNS request is typically a UDP request (it can be done with TCP, but usually it's all UDP for a client); if one server doesn't answer, you go to another, etc. In this DNSCrypt setup, you now only have one server, and it uses TCP.

    For a home setup, you also lose the ability to have your DNS request resolved by a nearby server, like Akamai or Amazon Web Services do, which will only slow down your typical internet experience.

    If you're that concerned about privacy, encrypting your DNS requests and only dealing with a single provider isn't the way to go.

    So to summarise, I don't see the point. It serves no purpose and only makes things slower.
    If you want privacy, use a VPN or tunnel and use the DNS servers via that VPN or tunnel.
     
  2. lancethepants

    lancethepants Network Guru Member

    I've compiled 1.0 and have been using it for about a week without any hiccups. I've made some standalone binaries available at http://lancethepants.com/files for anyone else to test also. The author has also made a "--disable-ssp" configuration option so it's no longer necessary to manually edit the configuration file.

    DNSCrypt does use UDP, but also has the capability of running over TCP. You are correct, DNSCrypt encrypts between your router and OpenDNS. They will not be able to decipher any requests or responses. DNSCrypt DOES NOT, however, encrypt anything other than DNS, as you've stated. If you are visiting an HTTPS site, that communication will be secure as HTTPS encrypts the URL. Your ISP will be able to see all other, non-encrypted traffic. If you want complete anonymity from your ISP, use a VPN as stated.
    This is not so targeted to you jyavenard as it is to everyone in general.

    http://www.opendns.com/technology/dnscrypt/
     
  3. jyavenard

    jyavenard Network Guru Member

    My point is that while your dns query will be encrypted, as the next step will usually be to connect to that site, https or not, the ISP or whomever else wants to listen will know which IP you were trying to resolve. Making the whole concept moot IMO.
     
  4. lancethepants

    lancethepants Network Guru Member

    Absolutely true, DNSCrypt will not maintain any level of anonymity between you and your ISP, use a VPN for that purpose.

    Anonymity, however, is not DNSCrypt's aim.
    http://www.opendns.com/technology/dnscrypt/

    It's about increased security, not anonymity (Your query has not been tampered with).
     
  5. rhester72

    rhester72 Network Guru Member

    Very, VERY few people are in a position to tamper with the query chain between your ISP and router - it's much easier to attack the endpoint router itself and compromise its DNS tables (if not the endpoint machines). If you're truly interested in tamper-resistance, end-to-end, DNSSEC is the completely service-agnostic answer, though it's been even less widely adopted than IPv6 (but sets up easily on Tomato, with full signature validation). DNSCrypt is a marketing tool designed to drive traffic to OpenDNS (and thus away from Google) via FUD, solving problems that do not in fact actually exist in the real world.

    Just my $0.02.

    Rodney
     
  6. lancethepants

    lancethepants Network Guru Member

    http://dd-wrt.com/forum/viewtopic.php?t=148324&highlight=dnscrypt
    jedisct1
     
  7. Toastman

    Toastman Super Moderator Staff Member Member

    I fully agree with rhester72 and jyavenard, which is why it isn't in my builds.

    Similarly, I see people still keep trying to resurrect tcp vegas which doesn't have any effect at all on routed traffic, and others who rant about bufferbloat.
     
  8. leandroong

    leandroong Addicted to LI Member

    Shibby FW versions 097 & 099 have a "DNSCRYPT-PROXY" issue when using a 3G modem. It is hard to connect and, if connected, it slowly kills the internet connection, making webpages display errors. If unchecked, no issue. Kindly verify this matter.
     
  9. leandroong

    leandroong Addicted to LI Member

    Using a different SIM provider allows me to connect easily to the 3G modem and surf successfully except for 1 URL, http://repo.or.cz/w/tomato.git/shortlog/refs/heads/tomato-RT, which says gateway timeout.

    A common problem with both SIM cards is having trouble connecting using PuTTY or WinSCP whenever dnscrypt-proxy is checked.
     
  10. jony121

    jony121 Serious Server Member

    I would just like to add, when I downloaded a copy of the version lancethepants kindly uploaded I lost file permissions. I used chmod and was able to execute and it runs great. Thanks so much.
     
  11. GrimSage

    GrimSage Reformed Router Member

    I know this is a pretty old thread, but I am trying to get dnscrypt on my wrt310n v1. I have installed tomato-ND-1.28.5x-109-VPN.trx but have not been able to find the settings for dnscrypt. Is it not in this build?
     
  12. shibby20

    shibby20 Network Guru Member

    No, in this firmware dnscrypt-proxy is not available. I will think about adding this feature in the next release.
     
  13. FameWolf

    FameWolf Serious Server Member

    Any idea how to correct the following showing up over and over in the log?

    Dec 31 20:00:29 Guardian daemon.info dnscrypt-proxy[789]: Refetching server certificates
    Dec 31 20:00:29 Guardian daemon.info dnscrypt-proxy[789]: Server certificate #1369080797 received
    Dec 31 20:00:29 Guardian daemon.info dnscrypt-proxy[789]: This certificate has not been activated yet
    Dec 31 20:00:29 Guardian daemon.err dnscrypt-proxy[789]: No useable certificates found

    It repeats a lot... I'm using the latest version in the files directory... had an older version working fine...
     
  14. ryzhov_al

    ryzhov_al Networkin' Nut Member

    Look at the system date. It's Dec 31. That's why dnscrypt-proxy can't use the certificate it has received.

    Other guys were caught by this deadlock too:
    • dnscrypt-proxy can't accept the received certificate because of the wrong system date/time,
    • the NTP client can't get the right time because the DNS resolver (dnscrypt-proxy) is not working.
     
  15. koitsu

    koitsu Network Guru Member

    To expand on @ryzhov_al's comment -- you need to do two things:

    1. Configure working NTP (Tomato has this built-in; Basic -> Time). The routers do not have the equivalent of a battery-backed CMOS, so they lose all concept of what the current time is when they're rebooted. They can keep track of time (they have an RTC), they just can't retain (between reboots) what time it is. Doing this is covered in the initial instructions in this thread.

    2. Make sure that the dnscrypt-proxy daemon starts after NTP has finished its syncing. The initial instructions in this thread do not take this into account; instead the approach implemented is "run dnscrypt-proxy immediately when USB drive/flash is mounted", which can happen before NTP is sync'd.

    2a. Furthermore, you cannot launch dnscrypt-proxy via Administration -> Scripts -> WAN Up because (AFAIK -- I need to go look at the code) that still doesn't guarantee 100% that NTP has been completed before those scripts are run, only "now you have an IPv4 address". Most people implement a crappy hack-fix for things like this, they just add "sleep 30" (or something) to their startup scripts before running a daemon -- and that's still not really fixing the problem.

    So for (2a) I do not know how to properly solve this situation.

    2b. Additionally, blindly starting a daemon under "WAN Up" is also bad because in many cases that daemon will still be running even when the WAN goes down (i.e. router comes up, WAN comes up, dnscrypt-proxy launches. WAN goes down for 60-70 seconds, then comes back up, now dnscrypt-proxy launches again, etc..). There is no "WAN Down" section (which would be useful for killing off a daemon).

    The workaround for (2b) is to write proper shell code that checks for the existence of an already-running daemon and kills it off. Do not use killall for this purpose (most people do); killall is often dangerous and can/will catch things that people wouldn't expect (there's a couple threads here on the forum about this (I tried to warn people...)). So what do you do?

    Easy: in the WAN Up section, you'd use something like this:

    Code:
    # capture the PID(s); the test must be quoted, otherwise "[ ! -z $mypid ]"
    # breaks with "too many arguments" when pidof returns more than one PID
    mypid=$(/bin/pidof dnscrypt-proxy)
    if [ -n "$mypid" ]; then
      /bin/kill $mypid
      /bin/sleep 5
    fi
    /path/to/dnscrypt-proxy -a 127.0.0.1:40 -r 208.67.222.222:53 -d
    
    You might wonder what the sleep 5 is for. Some daemons when sent SIGTERM actually take time to cleanly shut down, rather than do so as quick as possible. Aside from a loop that sits around calling pidof repeatedly until the PID isn't found (meaning the daemon has exited) and then starting the daemon, this is usually sufficient. But if dnscrypt-proxy takes longer than 5 seconds to shut down/exit on SIGTERM then that number would need to be increased.

    This short shell snippet will handle situations where on WAN Up the daemon will get started -- or if already running, killed and restarted.

    Honestly I feel this should go into the WAN Up section and not the "Execute on USB mount" section (per initial instructions). And you can't have it in both, otherwise what would happen is: daemon starts when USB is mounted, few seconds later WAN comes up, daemon is killed and restarted (what to the user would look like "for no apparent reason"), but work from there on out (and if WAN goes down, would be killed + restarted properly).

    I think it's important to restart this daemon in the case the WAN goes down and then back up because for a lot of people with PPPoE, their WAN IP will change, and an already-running daemon may cache knowledge of that (not sure, I would need to look at the dnscrypt-proxy code to determine such).

    I think I've covered all the bases...? :)

    I can't help past this point. But this will hopefully give those "managing" this stuff food for thought/input.
     
    Last edited: Aug 23, 2013
  16. FameWolf

    FameWolf Serious Server Member

    Thanks for pointing this out... my ntp_resolv.sh wasn't getting run as it should.

    @koitsu You gave me lots of info to chew on. Currently my dnscrypt-proxy is on /opt/dnscrypt/ (a mounted flashdrive) If I move the kill/start of wan up instead of the usb mount section how can I ensure that the flashdrive has been mounted to /opt to run the command?
     
  17. lancethepants

    lancethepants Network Guru Member

    You can keep it where it's at. It's fine if DNSCrypt starts before ntp_resolv.sh. Once your hosts file gets updated by the script, the time will be correctly set, and DNSCrypt will take note of the correct time.
     
  18. koitsu

    koitsu Network Guru Member

    I'd go with what @lancethepants said, because my view on the problem (re: "you gave me lots of info to chew on") is that our lack of proper rc or init script startup framework is a serious/massive problem in Tomato, and is a recurring problem that comes up on this board almost weekly. (And to those who try to shove Upstart or systemd down my throat, I recommend reading about s6)

    I guess via WAN Up, you could just use something like this which would indefinitely spin until the /opt/whatever binary became available:

    Code:
    # wait (sleeping, not spinning) until the binary on /opt or USB is mounted
    while [ ! -x /path/to/dnscrypt-proxy ]; do
      /bin/sleep 5
    done
    
    # quoted test: an unquoted $mypid with two PIDs breaks "[ ! -z $mypid ]"
    mypid=$(/bin/pidof dnscrypt-proxy)
    if [ -n "$mypid" ]; then
      /bin/kill $mypid
      /bin/sleep 5
    fi
    /path/to/dnscrypt-proxy -a 127.0.0.1:40 -r 208.67.222.222:53 -d
    The first 3 lines would cause the WAN Up script to sit in a loop (but not taking up 100% CPU, since it'd sleep for 5 seconds before re-checking) waiting for the existence of the /path/to/dnscrypt-proxy binary (e.g. /opt/bin/dnscrypt-proxy).
     
    Last edited: Aug 23, 2013
    56kb likes this.
  19. ntest7

    ntest7 Network Guru Member

    It might be helpful to add something like this to your script before it starts dnscrypt-proxy, to be sure the time is set.

    Code:
    until ntpc 0.us.pool.ntp.org 1.us.pool.ntp.org
    do sleep 5
    done
    Format of the ntpc command is
    ntpc timeserver1 timeserver2 timeserver3 ...
    timeserver can be a hostname or an IP address.
    each timeserver is tried in the order you specify.
    exit status of ntpc is 0 on success, non-zero on failure
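Putting koitsu's two snippets (kill-and-restart by PID, wait for the binary) and ntest7's ntpc loop together, here is an added example that is not code from the thread or from Tomato: a WAN Up script that waits for the binary and for a sane clock, then stops any running instance by PID and waits for it to actually exit instead of sleeping a fixed 5 seconds. The binary path, the resolver, the NTP servers and the MIN_EPOCH cut-off are assumptions to adjust; the `-a`/`-r`/`-d` flags are the ones used earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread, not Tomato's own code): a "WAN Up"
# script that starts dnscrypt-proxy only after the binary is reachable
# (it may live on a USB/optware mount that appears late) and after the
# clock has been set, and that restarts it cleanly if an instance is
# already running. Binary path, listen port, resolver, NTP servers and
# MIN_EPOCH are assumptions; adjust them to your setup.
DNSCRYPT_BIN="${DNSCRYPT_BIN:-/opt/sbin/dnscrypt-proxy}"
DNSCRYPT_ARGS="${DNSCRYPT_ARGS:--a 127.0.0.1:40 -r 208.67.222.222:53}"
NTP_SERVERS="${NTP_SERVERS:-0.us.pool.ntp.org 1.us.pool.ntp.org}"
# A clock earlier than this is the bogus post-reboot default (the "Dec 31"
# in FameWolf's log). 1356998400 is 2013-01-01T00:00:00Z; use your build date.
MIN_EPOCH="${MIN_EPOCH:-1356998400}"

# 0 if the epoch-seconds value in $1 is on or after MIN_EPOCH, non-zero
# otherwise (also for an empty or non-numeric argument).
epoch_is_sane() {
    [ "$1" -ge "$MIN_EPOCH" ] 2>/dev/null
}

clock_is_sane() { epoch_is_sane "$(date +%s)"; }

# Wait until the binary exists and is executable (sleeps, no busy loop).
wait_for_binary() {
    while [ ! -x "$DNSCRYPT_BIN" ]; do sleep 5; done
}

# Wait until the clock is plausible, asking ntpc each round. ntpc exits 0
# on success. The NTP servers must resolve WITHOUT dnscrypt-proxy (use IP
# addresses, or /etc/hosts entries like ntp_resolv.sh creates); otherwise
# this is the resolver/NTP deadlock ryzhov_al described and loops forever.
wait_for_time() {
    until clock_is_sane; do
        ntpc $NTP_SERVERS >/dev/null 2>&1
        clock_is_sane || sleep 5
    done
}

# Stop any running instance by PID (never killall) and wait for it to
# exit instead of sleeping a fixed 5 seconds; SIGKILL after $1 seconds.
stop_running() {
    limit="${1:-20}"
    pids=$(pidof dnscrypt-proxy) || return 0
    kill $pids
    waited=0
    while pidof dnscrypt-proxy >/dev/null 2>&1; do
        waited=$((waited + 1))
        if [ "$waited" -ge "$limit" ]; then
            kill -9 $pids
            break
        fi
        sleep 1
    done
}

start_daemon() {
    "$DNSCRYPT_BIN" -d $DNSCRYPT_ARGS
}

# Tomato always ships ntpc; the guard keeps the functions loadable for
# testing on a machine that has neither ntpc nor dnscrypt-proxy.
if command -v ntpc >/dev/null 2>&1; then
    wait_for_binary
    wait_for_time
    stop_running
    start_daemon
fi
```

The step that needs care is the NTP one: if dnsmasq already points at 127.0.0.1:40 and dnscrypt-proxy is not up yet, ntpc cannot resolve pool.ntp.org, which is exactly the deadlock ryzhov_al described, so give it IP addresses or rely on the /etc/hosts entries that ntp_resolv.sh writes.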
     
  20. damionhh

    damionhh Reformed Router Member

    Hey there folks. I have been using DD-WRT for quite some time but I heard about the shibby build of Tomato and wanted to try it, especially for the DNSCrypt-proxy ability. The only real difference is that I would like to use the custom servers for dnscrypt. I tried this line in the shibby firmware (tomato-E2500-NVRAM60K-1.28.RT-N5x-MIPSR2-115-Max):

    Code:
    --local-address=127.0.0.1:40 --resolver-address=106.186.17.181:2053 --provider-name=2.dnscrypt-cert.ns2.jp.dns.opennic.glue --provider-key=8768:C3DB:F70A:FBC6:3B64:8630:8167:2FD4:EE6F:E175:ECFD:46C9:22FC:7674:A1AC:2E2A

    and set the first custom DNS to 127.0.0.1:40. Just to be clear, it WORKS when I don't put anything in the field, but I don't want to use OpenDNS. When I DO put this line in the field it breaks the DNS, and I have checked the logs but don't see where it is failing. I'll check it right now and post what my log says...
     
  21. damionhh

    damionhh Reformed Router Member

    The log says this. Any ideas anyone? I can't even tell if dnscrypt started and I'm not sure where an error message would be.

    Code:
    Nov 28 14:10:13 evil user.info init[1]: Linksys E2500 v1.0: Tomato 1.28.0000 MIPSR2-115 K26 USB Max
    Nov 28 14:10:13 evil user.debug init[1]: 182: pptp peerdns disabled
    Nov 28 14:10:13 evil daemon.info dnsmasq[8251]: exiting on receipt of SIGTERM
    Nov 28 14:10:13 evil daemon.info dnsmasq[8339]: started, version 2.67 cachesize 1500
    Nov 28 14:10:13 evil daemon.info dnsmasq-dhcp[8339]: read /etc/dnsmasq/dhcp/dhcp-hosts
    Nov 28 14:10:14 evil daemon.info dnsmasq[8373]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset Tomato-helper auth
    Nov 28 14:10:14 evil daemon.info dnsmasq[8373]: asynchronous logging enabled, queue limit is 5 messages
    Nov 28 14:10:14 evil daemon.info dnsmasq-dhcp[8373]: DHCP, IP range 192.168.1.110 -- 192.168.1.130, lease time 1d
    Nov 28 14:10:14 evil daemon.info dnsmasq[8373]: using nameserver 127.0.0.1#40
    Nov 28 14:10:14 evil daemon.info dnsmasq[8373]: using nameserver 127.0.0.1#40
    Nov 28 14:10:14 evil daemon.warn dnsmasq[8373]: no servers found in /etc/resolv.dnsmasq, will retry
    Nov 28 14:10:14 evil daemon.info dnsmasq[8373]: read /etc/hosts - 14 addresses
    Nov 28 14:10:14 evil daemon.info dnsmasq[8373]: read /etc/dnsmasq/hosts/hosts - 9 addresses
    Nov 28 14:10:14 evil daemon.info dnsmasq-dhcp[8373]: read /etc/dnsmasq/dhcp/dhcp-hosts
    Nov 28 14:10:15 evil user.info kernel: device eth1 left promiscuous mode
    Nov 28 14:10:15 evil user.info kernel: br0: port 2(eth1) entering disabled state
    Nov 28 14:10:15 evil user.info kernel: device eth2 left promiscuous mode
    Nov 28 14:10:15 evil user.info kernel: br0: port 3(eth2) entering disabled state
    Nov 28 14:10:15 evil user.info kernel: vlan1: dev_set_promiscuity(master, 1)
    Nov 28 14:10:15 evil user.info kernel: vlan1: dev_set_allmulti(master, -1)
    Nov 28 14:10:15 evil user.info kernel: device eth1 entered promiscuous mode
    Nov 28 14:10:15 evil user.info kernel: br0: port 2(eth1) entering forwarding state
    Nov 28 14:10:18 evil user.info kernel: device eth2 entered promiscuous mode
    Nov 28 14:10:18 evil user.info kernel: br0: port 3(eth2) entering forwarding state
     
  22. leandroong

    leandroong Addicted to LI Member

    RT-N56U, padavan
    Today, I installed entware optware dnscrypt-proxy. Enable it, reboot router. Check log and everything is working fine. So, happy, 0 configuration.
     
  23. leandroong

    leandroong Addicted to LI Member

    I'm curious: with dnscrypt-proxy installed, what can the ISP monitor or see in my browsing? Can they still tell what I'm doing?
     
  24. lancethepants

    lancethepants Network Guru Member

    They will be blind to your DNS queries, but able to see all other traffic. You can use a VPN in conjunction to encrypt everything.
    Also, you may need to modify your firmware's DNS to take advantage of DNSCrypt.
     
  25. MatteoV

    MatteoV Serious Server Member

    I think you are somehow wrong. Let me explain.

    There are options in Tomato that will make it the only local DNS server for your network, relying only on one or more encrypted DNS servers, and there's also the option to intercept any DNS queries on the network that would try to use external/different DNS servers. Of course we know there are ways to circumvent this kind of "interception", but obviously we would not use them to defeat our own purpose :)
    So, in short, I think that, while still relying on some external, thus risky, encrypted DNS, all the other parties (ISP...) will be unable to understand at least the hostnames we are trying to reach. Which is a starting point. Of course they will still be able to understand which IP we are connecting to. But it's mostly false that an IP answers for a single hostname only. Servers are usually shared among multiple hostnames.
    Going further, they will even be able to sniff the data if connections are unencrypted.
    But the DNSCrypt thing would hide the hostnames, and in some cases that hides the destination completely, when the connection is encrypted (HTTPS and so on) and the server is shared.
    If I'm wrong please explain ;)
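As an added example of the two points MatteoV raises, the router being the only resolver and LAN DNS queries being intercepted (this is not code from the thread or from Tomato): a check that dnsmasq's upstream list contains nothing but the dnscrypt-proxy listener, plus the DNAT rules that forced interception amounts to. The file locations, the bridge name br0 and the LAN address are assumptions. The check accepts both the `nameserver ip#port` form dnsmasq reads from a resolv file and the `server=ip#port` form from dnsmasq.conf, which is what damionhh's log line "using nameserver 127.0.0.1#40" reflects.

```shell
#!/bin/sh
# Added example (not from the thread, not Tomato's own code). Two checks
# for the "router is the only resolver" setup: (1) that dnsmasq has no
# plaintext upstream left next to the dnscrypt-proxy listener, since
# dnsmasq will use any server it is given; (2) the NAT rules that make
# LAN hosts with a hard-coded resolver go through the router anyway, the
# kind of rule Tomato's "Intercept DNS port" option installs. File paths,
# the bridge name and the LAN address are assumptions.
RESOLV_FILE="${RESOLV_FILE:-/etc/resolv.dnsmasq}"
DNSMASQ_CONF="${DNSMASQ_CONF:-/etc/dnsmasq.conf}"
DNSCRYPT_LISTEN="${DNSCRYPT_LISTEN:-127.0.0.1}"   # address given to dnscrypt-proxy -a
LAN_IF="${LAN_IF:-br0}"
LAN_IP="${LAN_IP:-192.168.1.1}"

# Scan file $1 for upstream entries in either syntax dnsmasq accepts:
#   nameserver 127.0.0.1#40      (resolv-file style)
#   server=127.0.0.1#40          (dnsmasq.conf style)
# Return 0 if every entry points at DNSCRYPT_LISTEN (port suffix ignored),
# 1 on the first entry that does not (queries could leave in the clear;
# this includes server=/example.com/1.2.3.4 split-horizon entries), and
# 2 if the file names no upstream at all.
only_local_upstreams() {
    file="$1"
    found=0
    while read -r line; do
        case "$line" in
            nameserver*) set -- $line; addr="$2" ;;
            server=*)    addr="${line#server=}" ;;
            *)           continue ;;
        esac
        found=1
        [ "${addr%%#*}" = "$DNSCRYPT_LISTEN" ] || return 1
    done < "$file"
    [ "$found" = 1 ] || return 2
}

# Print (or, with APPLY=1, run) DNAT rules sending LAN port-53 traffic to
# the router's own dnsmasq, for udp and tcp.
intercept_dns_rules() {
    for proto in udp tcp; do
        rule="iptables -t nat -A PREROUTING -i $LAN_IF -p $proto --dport 53 -j DNAT --to-destination $LAN_IP:53"
        if [ "${APPLY:-0}" = 1 ]; then $rule; else echo "$rule"; fi
    done
}

# Report on the router; skipped silently where the files do not exist.
for f in "$RESOLV_FILE" "$DNSMASQ_CONF"; do
    [ -r "$f" ] || continue
    rc=0; only_local_upstreams "$f" || rc=$?
    case $rc in
        0) echo "$f: all upstreams are $DNSCRYPT_LISTEN" ;;
        1) echo "$f: WARNING, a non-dnscrypt upstream is present" ;;
        2) echo "$f: no upstream entries (dnsmasq would forward nothing from here)" ;;
    esac
done
```

Run it on the router after enabling DNSCrypt. A WARNING means a plain upstream survived, and dnsmasq will use it, so lancethepants's "blind to your DNS queries" no longer holds for that box; an empty resolv.dnsmasq next to a clean dnsmasq.conf is the state damionhh's log shows ("no servers found in /etc/resolv.dnsmasq" alongside "using nameserver 127.0.0.1#40") and is fine.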
     
  26. damionhh

    damionhh Reformed Router Member

    @shibby20... your firmware revision rocks. Good stuff. Can't believe I was stuck in DD-WRT for so long; nothing changed, nothing improved.

    Anyway, I am just wondering what switches you have hard-coded for the dnscrypt-proxy and how I can get it to use a different server like any of the ones listed at https://github.com/opendns/dnscrypt-proxy. I tried the switches detailed a few posts up and couldn't find any log entries anywhere telling me what went wrong, but something went wrong. Anyway, any idea what I can do next?
     
  27. shibby20

    shibby20 Network Guru Member

    dnscrypt is started by the command:
    dnscrypt-proxy -d -a 127.0.0.1:<dnscrypt_port> <dnscrypt_cmd>

    where <dnscrypt_port> is taken from GUI -> Local Port
    and <dnscrypt_cmd> is taken from GUI -> Startup Parameters

    Well, only the non-bold part is hard-coded.
     
  28. leandroong

    leandroong Addicted to LI Member

    From the log, I notice that the server certificate is being refetched every hour. Sounds very secure.
    Note: Useless refetching, since the certificate is the same and it says valid from 10-3-2013 to 10-3-2014.
     
    Last edited: Dec 2, 2013
  29. Mangix

    Mangix Networkin' Nut Member

  30. damionhh

    damionhh Reformed Router Member

    Has anyone gotten an alternate server to work with DNSCrypt yet via the shibby builds? I have tried everything I could think of. It could be something else in my system but I don't know how to find it.
     
  31. lancethepants

    lancethepants Network Guru Member

    Tried emailing but your server is down or something. I compiled a version of Tomato shibby yesterday with dnscrypt for the WRT54GL. I removed some other features to get it to fit.
    Maybe shibby hasn't properly implemented dnscrypt with the 2.4 kernel, but the firmware had all sorts of issues. dnscrypt never started up, with or without custom command line options, though dnsmasq did set its DNS to 127.0.0.1:40.
    The firewall was weird on me too, and wouldn't let me ssh in until I opened the port using the Tomato GUI to add an iptables rule. Random but frustrating issue. The ssh server was running, but iptables hadn't opened the port.
    Perhaps shibby's GUI doesn't add the '-d' to daemonize? Tried that too, but I think the firmware I compiled had some other issues too. Perhaps shibby could try using an alternate server with command options and see if he can replicate the problem.
    You can use my manual guide in the first post, and can even substitute the binary location with the one shibby has included. The binary seemed to work alright, just the GUI startup seemed problematic. Maybe I will try with the RT-N16, I just didn't want to have to flash and take down the internet.
     
  32. damionhh

    damionhh Reformed Router Member

    Thanks lance. I bailed on the WRT54G and bought a Linksys E2500 and put the latest Shibby Tomato on it. I'll try your manual method referenced in the first post and let you know.
     
  33. damionhh

    damionhh Reformed Router Member

    @lancethepants Hey lance, so I actually got around to trying your method today and I'm still having a problem. I manually entered the NTP server IP address and used the dnsmasq strict keyword, I also entered 127.0.0.1:40 as my static DNS, and the checkmark for the GUI DNSCrypt is NOT checked. Then in Administration->Scripts->Init I used this command, which should run the binary already there...
    Code:
    /usr/sbin/dnscrypt-proxy -d -a 127.0.0.1:40 --resolver-address=106.186.17.181:2053 --provider-name=2.dnscrypt-cert.ns2.jp.dns.opennic.glue --provider-key=8768:C3DB:F70A:FBC6:3B64:8630:8167:2FD4:EE6F:E175:ECFD:46C9:22FC:7674:A1AC:2E2A
    and when it reboots I have no DNS resolution and the logs (via the Tomato GUI) don't show any errors. When I SSH into the router and run ps, dnscrypt-proxy is NOT running. If I run the above command from the SSH terminal, it works.

    I tried downloading your binary and putting it on the USB drive I have connected, and running
    Code:
    /tmp/mnt/500gb/dnscrypt-proxy -d -a 127.0.0.1:40 --resolver-address=106.186.17.181:2053 --provider-name=2.dnscrypt-cert.ns2.jp.dns.opennic.glue --provider-key=8768:C3DB:F70A:FBC6:3B64:8630:8167:2FD4:EE6F:E175:ECFD:46C9:22FC:7674:A1AC:2E2A
    in USB Support->Run after mounting, but with the same result.

    At the SSH terminal, if I run the above command, it works fine and my DNS is back up. dnscrypt-proxy is marked executable and runs from the terminal with no errors or problems. Then I get the proper log entries for certificates and whatnot. It seems that the router is never executing the command, but I'm not sure why not. This is Tomato Firmware 1.28.0000 MIPSR2-115 K26 USB AIO

    *edit* Well, I tried moving everything to the JFFS area; still didn't work. I moved the DNSCrypt line to right after the ntp_resolv.sh line (which I'm doing now instead of hard-coding the NTP server IP) and even though it chokes up a few times because the time hasn't been set yet, it finally kicks over once the time sets. So it works. So it doesn't work in the Admin->Scripts->Init section, but DOES after the ntp_resolv.sh command in the Admin->Scripts->WAN Up section.

    Anyway, there it is for anyone trying to get DNSCrypt to work with alternate DNSCrypt-compatible servers.
     
    Last edited: Dec 21, 2013
  34. lancethepants

    lancethepants Network Guru Member

    @damionhh Nice you got it working. Looks as though you're running a version of shibby already. If you're capable of upgrading to one of his later releases, shibby has included some of my dnscrypt enhancements that allow you to set a custom dnscrypt server from within the gui. It also provides a drop-down menu of servers, that should be up-to-date at compile time, for selection.
     
