DNScrypt.eu with Tomato Firmware?

Discussion in 'Tomato Firmware' started by Deleted member 23868, May 17, 2014.

  1. Hello,

    I use DNScrypt so far via OpenDNS on my router with Tomato Shibby firmware. Since OpenDNS is located in the US, I'm in Europe, and they seem to log (even if encrypted), I want to change to another DNS service: DNScrypt.eu.

    Now sadly I can't find this one in the Tomato settings under DDNS, it isn't implemented. Could you, shibby, please implement this service?

    Website of DNScrypt.eu: https://dnscrypt.eu/

    An auto-installer for Linux (probably implement this into a Tomato Shibby firmware?): http://simonclausen.dk/2013/09/dnscrypt-autoinstaller/

  2. Grimson

    Grimson Networkin' Nut Member

    Just add the DNScrypt resolver IPs as "Static DNS" in the Basic -> Network settings, make sure "Use received DNS with user-entered DNS" in Advanced -> DHCP/DNS is not set and you are done. No need to implement anything.
  3. I will try. Any way to verify if DNScrypt is working? (correct server and encrypted DNS)
  4. lancethepants

    lancethepants Network Guru Member

    In the case of DNSCrypt, you cannot just add it to "Static DNS"; DNSCrypt does not work this way. You would have to enable DNSCrypt in the router, and then use the "Boot Parameters" to supply dnscrypt with the information of the resolver you want to use. Unfortunately, the "Boot Parameters" field does not currently work as expected, and cannot take more than one argument.

    The only method at this time would be to do it manually, as shown here.
    Last edited: May 17, 2014
  5. lancethepants

    lancethepants Network Guru Member

    When it was implemented in Tomato, there was only OpenDNS. Now there are many encrypted resolvers, so ideally it should easily allow using any of those.
    Last edited: May 17, 2014
  6. Well, I did the following now:
    Basic --> Network settings --> Static DNS I entered the following: (that's their first server) (that's their second server) (Don't know what to put in here)
    And I checked DNScrypt

    Is this right? Any way to check if it works?
  7. https://dnsleaktest.com/ shows me the DNScrypt server in Denmark, seems to work.
    This is the second one I entered ( Why doesn't it show the first one (

    But I also need to check if my DNS is encrypted. Could someone help me? Using Windows here.

    Edit: DNSleaktest shows the Denmark server of dnscrypt all the time, and every second test there is also OpenDNS. Why is that? I removed it completely from my settings...
    Edit 2: Probably because dnscrypt-proxy is checked?

    Edit 3: I unchecked dnscrypt-proxy, now it's not shown at dnsleaktest anymore.
    Yeah, the implemented dnscrypt-proxy seems to work just with OpenDNS so far, that's sad. :(
    Last edited by a moderator: May 17, 2014
  8. Elfew

    Elfew Network Guru Member

    Maybe it should be added to TODO list
  9. Victek

    Victek Network Guru Member

    It's fixed already in last tomato repo update ... tomatoRAF-RT-N .... you can set the dnscrypt priority... test version 1.3e
    Last edited: May 17, 2014
    occamsrazor likes this.
  10. Could someone please tell me how to get DNScrypt working with DNScrypt.eu and tomato shibby v119?
    I think shibby fixed it and custom parameters are allowed now.

    Please, someone tell me the steps to get it working.

    Edit: I entered the following now:


    Is this correct? Do I need to enter the public keys of DNScrypt.eu anywhere?

    I got the startup parameters from lancethepants:

    Is something left? Can I check somehow if DNScrypt is working?
    Please comment lance. :)
    Last edited by a moderator: May 24, 2014
  11. lancethepants

    lancethepants Network Guru Member

    For now, you'll need to follow the example in the first post of that link, but supplying it with the information for the server you want to use. You need to supply the 'Resolver Address', 'Provider Name', and 'Provider Public Key'.
    Augment your startup script following my guide adding those. Here's a list of the command line parameters.

      -a    --local-address=...
      -d    --daemonize
      -e    --edns-payload-size=...
      -h    --help
      -k    --provider-key=...
      -l    --logfile=...
      -m    --loglevel=...
      -n    --max-active-requests=...
      -p    --pidfile=...
      -X    --plugin=...
      -r    --resolver-address=...
      -u    --user=...
      -N    --provider-name=...
      -t    --test=...
      -T    --tcp-only
      -V    --version
    I've done some work to make this process much easier, and hopefully it will be available in the next round of firmware releases. Here are some screenshots of a currently working setup.

    DNSCrypt 1.png
    DNSCrypt 2.png
    DNSCrypt 3.png
    MatteoV, Spyros and Elfew like this.
  12. Elfew

    Elfew Network Guru Member

    User friendly GUI! Good
  13. Spyros

    Spyros LI Guru Member

    Very nice, what about setting a second ipv6 resolver for dual stack users?
  14. Thanks for your reply lance.
    I'm really sorry to say that I'm absolutely a beginner here and just want DNScrypt working as it should.

    So, there is no chance to just get it working with the correct parameters in the new Startup Parameters field and checking dnscrypt-proxy alone? I really hoped this is enough.

    What about the following? Again, this example is with DNScrypt.eu: https://dnscrypt.eu/

    --provider-name= 2.dnscrypt-cert.resolver1.dnscrypt.eu
    --provider-key= 67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66

    Could I just enter those 3 lines in the Startup parameters field 1:1 like I did here?
    Isn't this all that is needed? I don't get it. It's all what is mentioned at DNScrypt.eu.

    Again, I'm really sorry for being a noob.

    Edit: Right now my startup parameters is filled with following parameters. Is this working or really just fail?

    dnscrypt-proxy --daemonize --local-port=40 --tcp-port=443 --resolver-address= --provider-name= 2.dnscrypt-cert.resolver1.dnscrypt.eu --provider-key= 67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66

    Edit 2: It's not working. I can see all my surfed URLs at Web usage, this shouldn't be possible if DNScrypt is working. Right?
    With "nslookup" entered in the CMD in windows I just get "unknown". :(
    Last edited by a moderator: May 25, 2014
  15. lancethepants

    lancethepants Network Guru Member

    Leave dnscrypt on the basic-network page disabled.
    Then something like this I think should work.

    Administration -> Scripts -> Init
    dnscrypt-proxy -d -a -r -N 2.dnscrypt-cert.resolver1.dnscrypt.eu -k 67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66
    Administration -> Scripts -> Wan Up
    Basic -> Network -> Static DNS. Place it in the first entry.
    Advanced -> DHCP/DNS -> Dnsmasq Custom configuration
  16. Thanks so much for your answers lance!

    Sadly, it's not working. I followed everything you said, but my internet connection is not working anymore then. I had to change Static DNS back to

    Any suggestion? :)
  17. Well, I tried also enabling DNScrypt now and filling the startup parameters with your first line, also didn't work. :(

    My internet is just working if I'm adding to Static DNS, alone breaks my internet connection, even with all your settings I made.

    I also did a full wipe of the nvram and installed v119 again, just set up your settings. Also didn't work.

    It would be really nice if you could find the problem, I'm really really sorry for asking again.
  18. lancethepants

    lancethepants Network Guru Member

    Move the dnscrypt-proxy command from init to wanup after ntp2ip. Previously I know dnscrypt could run fine in init, but apparently that's not the case now. For some reason it's too early and it doesn't start at all. I thought maybe the init had issues, so I had it echo the command to a file, and then execute the file. I see the file exists, so init works, but dnscrypt does not start. Not sure what changed.
  19. Victek

    Victek Network Guru Member

    Maybe a simple sleep n command could help?
  20. Still not working, sadly. I put dnscrypt-proxy after ntp2ip and removed it from Init.

    Init looks like:
    -d -a -r -N 2.dnscrypt-cert.resolver1.dnscrypt.eu -k 67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66

    Wan Up looks like:
    ntp2ip dnscrypt-proxy

    Still no internet connection after that.

    I'm also not able to click the Save button at the DHCP/DNS settings, just nothing happens. The Save button is working fine everywhere else, just Cancel is working there.
    So my Dnsmasq entry isn't saved. :(
  21. Victek

    Victek Network Guru Member

    What Tomato version do you use? Please specify.
  22. I use Tomato Shibby v119 and did a full wipe of the NVRAM before installing it. After that, I used the settings lance provided above, except the Dnsmasq, because the Save button isn't working.
  23. Victek

    Victek Network Guru Member

    Your router model? I ask because I released one test version for RT-N16 and E4200 last week... then you can do what you need and test it.
  24. I'm using an Asus RT-AC66U, so I can't test your latest build, sorry.
  25. Victek

    Victek Network Guru Member

    No worries .. you can enter the parameters directly in nvram using the cli commands ...
  26. cli commands? Sorry, I'm really a noob. I just want DNScrypt to work with DNScrypt.eu via tomato and hoped that it is enough to use the GUI for it (like lance described). Sadly, I can't get it to work. :/
  27. Victek

    Victek Network Guru Member

    Then it's better you wait for a new version from shibby.. I'll release for RT-AC66U too once I finish the test period.
  28. Seems like I have no other choice. Since shibby took a while to implement features for non-ARM routers (the latest update with features before v119 was in January with v116), I hope this will be fixed soon.

    Going to take a look at your firmware too, if you release your next update for my router.
  29. kthaddock

    kthaddock Network Guru Member

    Why don't you use compatibility view settings of IE then you can hit SAVE button?
  30. Thanks for the tip, I used the compatibility view with Internet Explorer now, the save button worked.

    Sadly, I still don't have an internet connection with lance's settings. :(
    Something really seems broken with the firmware, if his parameters and settings are correct.
  31. lancethepants

    lancethepants Network Guru Member

    The whole init script is a part of the dnscrypt script. Move the whole thing.
    Edit: and start it in its own line.
    Last edited: May 26, 2014
  32. Spyros

    Spyros LI Guru Member

    Maybe it's better to use the no-resolv option in dns/dhcp custom options (dnsmasq.conf) and also add

    Scripts are wrong
  33. You say the scripts are wrong. What exactly is wrong with them and what's the solution?
  34. Spyros

    Spyros LI Guru Member

    Wan Up

    dnscrypt-proxy -d -a -r -N 2.dnscrypt-cert.resolver1.dnscrypt.eu -k 67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66
    lancethepants likes this.
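The settings that posts 15 and 34 put together (a dnscrypt-proxy line in Wan Up, a server= line plus a priority option in the Dnsmasq custom configuration) are easy to get subtly wrong by hand: the provider key in particular is the 256-bit fingerprint dnscrypt-proxy uses to verify the resolver's certificate, so a mistyped key means the proxy rejects every certificate and DNS stops working. The following Python script is an added example, not code from the thread or from Tomato; it validates the provider name and key format, assembles the dnscrypt-proxy 1.x command line, and emits the matching dnsmasq lines. The resolver address 192.0.2.10:443 is a placeholder, the local port 40 is the one the thread uses, and the provider name and key are the DNScrypt.eu values quoted in post 14.

```python
"""Assemble a manual Tomato DNSCrypt setup: the Wan Up command and the dnsmasq
custom-configuration lines.  Added example; the resolver IP is a placeholder."""
import re
import shlex

# The provider key is printed as 16 colon-separated groups of 4 hex digits,
# i.e. a 32-byte (256-bit) public-key fingerprint.
PROVIDER_KEY_RE = re.compile(r"^([0-9A-F]{4}:){15}[0-9A-F]{4}$")
# dnscrypt-proxy 1.x provider names carry the certificate-protocol prefix.
PROVIDER_NAME_PREFIX = "2.dnscrypt-cert."
# IPv4 resolver address with an explicit port, as dnscrypt-proxy 1.x expects.
RESOLVER_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}:\d{1,5}$")


def validate_provider(provider_name, provider_key):
    """Return the normalised (upper-case) key, or raise ValueError."""
    if not provider_name.startswith(PROVIDER_NAME_PREFIX):
        raise ValueError(f"provider name must start with {PROVIDER_NAME_PREFIX!r}")
    key = provider_key.strip().upper()
    if not PROVIDER_KEY_RE.match(key):
        raise ValueError("provider key must be 16 groups of 4 hex digits")
    return key


def dnscrypt_proxy_args(resolver_addr, provider_name, provider_key, local_port=40):
    """Build the argv for the Wan Up script (long options, one argument each)."""
    if not RESOLVER_RE.match(resolver_addr):
        raise ValueError("resolver address must be IPv4:port, e.g. 192.0.2.10:443")
    key = validate_provider(provider_name, provider_key)
    return [
        "dnscrypt-proxy",
        "--daemonize",
        # Listen only on loopback; dnsmasq is the only client of the proxy.
        f"--local-address=127.0.0.1:{local_port}",
        f"--resolver-address={resolver_addr}",
        f"--provider-name={provider_name}",
        f"--provider-key={key}",
    ]


def dnsmasq_lines(local_port=40, priority="no-resolv"):
    """Lines for Advanced -> DHCP/DNS -> Dnsmasq Custom configuration.

    'no-resolv' makes dnsmasq ignore the ISP servers it learned via DHCP/PPP
    (/etc/resolv.conf), so the local proxy is the only upstream.  'strict-order'
    keeps those servers as fallbacks, which is what leaked in the thread's tests.
    """
    if priority not in ("no-resolv", "strict-order"):
        raise ValueError("priority must be 'no-resolv' or 'strict-order'")
    return [f"server=127.0.0.1#{local_port}", priority]


def wanup_script(resolver_addr, provider_name, provider_key, local_port=40):
    """Text to paste into Administration -> Scripts -> Wan Up."""
    args = dnscrypt_proxy_args(resolver_addr, provider_name, provider_key, local_port)
    return "\n".join([
        "#!/bin/sh",
        "# Start dnscrypt-proxy once the WAN is up (runs after ntp2ip in Tomato).",
        shlex.join(args),
    ])


if __name__ == "__main__":
    NAME = "2.dnscrypt-cert.resolver1.dnscrypt.eu"
    KEY = "67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66"
    print(wanup_script("192.0.2.10:443", NAME, KEY))  # placeholder resolver IP
    print("\n".join(dnsmasq_lines()))
```

Leave Static DNS empty and "Use received DNS with user-entered DNS" unchecked; with `no-resolv` dnsmasq consults only the `server=` line, so the router has no path to the ISP resolvers even when the proxy cannot answer.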
  35. Alright, I entered those lines only at Wan Up now and my internet is working fine now.

    But DNScrypt seems not to work: Wireshark shows all my surfed websites in plain text. :(

    Anything else I need to do?
  36. My settings are the following now and DNScrypt seems not to work (plain text URLs in Wireshark):

    Administration -> Scripts -> Wan Up
    dnscrypt-proxy -d -a -r -N 2.dnscrypt-cert.resolver1.dnscrypt.eu -k 67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66
    Basic -> Network -> Static DNS. Place it in the first entry.
    Advanced -> DHCP/DNS -> Dnsmasq Custom configuration
    Edit: Sorry for my double posting.
  37. lancethepants

    lancethepants Network Guru Member

    The fact that you have internet makes me think it's working, otherwise the internet wouldn't work as you experienced before.
    Now you're saying that 'surfed websites' are plain text. I'm not sure exactly what you mean by this, but here is my explanation.

    Dnscrypt is NOT a vpn service. It will not encrypt all of your internet traffic. It will ONLY encrypt DNS queries. DNSCrypt has run and has finished its job before a website even starts loading.
    Unless you are using dnscrypt WITH a vpn service, then websites not already using SSL will be unencrypted, and what I think you're seeing is expected.
    Again, your response is unclear to me, so this part may or may not apply to you.

    Now when performing a TCP DUMP, in order to see that DNS is encrypted, you must perform this on the router, i.e. with TCPDUMP.
    You can't just run wireshark on your computer, because the encryption takes place between the router and the DNSCrypt end point.
    Everything between the computer and router DNS wise is unencrypted, but this is a trusted network since you're in control of it.
  38. I've seen this to verify if DNS encryption is working: http://www.techques.com/question/24-105366/How-to-check-if-DNS-is-encrypted

    You open up Wireshark, start a capture and enter DNS in the search.

    According to the link above, when DNScrypt is working, Wireshark shows: Unknown Operation and [Malformed Packet]; the DNS query seems to be encrypted because it's not shown.

    When DNScrypt is not working, it shows the surfed URLs in plain text.

    The second screenshot is also from the link above, but that's how it looks here. Doesn't seem encrypted to me at all.

    Edit: You seem to be right, encryption is made at the router, not my computer.
    Is there any way to verify if DNScrypt is working then?

    Edit 2: Is it possible that the ping increases with DNScrypt? I tested my ping with http://speedof.me/
    Before DNScrypt was enabled, I got around 11ms to 13ms ping.
    Now I have around 30 to 40ms ping.
    I don't have a problem with that but think that this is caused by DNScrypt (so it seems to work, probably!).
    Last edited by a moderator: May 27, 2014
  39. lancethepants

    lancethepants Network Guru Member

    You can perform a TCPDump off the router. With TCPDUMP I usually do the following.
    tcpdump -i vlan2 -n -s 0 -vvv -w dump.pcap
    This assumes vlan2 is your wan, you may need to change this depending on your internet type.
    I have a TCPDump binary on my site. lancethepants.com/files
    After you've caught some traffic you can stop it and transfer the resulting file, dump.pcap, to your PC for evaluation in wireshark.

    TomatoRAF I know has TCPDUMP already included. His last release actually includes a GUI too, though I have not yet checked it out yet (later today).
    May depend on your router if it's available.
    Also in his last release are my additions to DNSCrypt, which simply give you a dropdown menu of providers to pick from.

    Now the page you linked to assumes we are running DNS on the standard port, 53. Many providers however, including the one you use opt to use port 443.
    This will cause your DNS queries to be muddled in with all the other SSL traffic that usually runs on port 443, so you'll need to figure out how to filter out the crap, by also filtering by the DNS IP address.

    I wouldn't expect DNSCrypt to cause sustained higher pings. For the initial lookup it may take longer, but after that point both the router and your PC are caching the results.
    Elfew likes this.
  40. Elfew

    Elfew Network Guru Member

    I am testing latest Tomato RAF build 3 days and dnscrypt is working very well with dnssec enabled! Good work
  41. Victek

    Victek Network Guru Member

    Correct, resolve time improves 65% after first caching in almost all of the tested sites. Good job Lance.
  42. DNScrypt is working, thanks so much lance! You're the man! :)
    Also thanks a lot to Victek who also helped me.

    I've just seen Victek released 1.3f for my router, I'll try that one now. Hopefully the GUI to make DNScrypt working is similar. :p

    With the latest Victek release, do I have to change anything compared to before?
    Checking the DNScrypt service for example or writing the startup parameters somewhere else?
    Or just use Wan Up for my startup parameters and don't check the DNScrypt service?
    Last edited by a moderator: May 27, 2014
  43. lancethepants

    lancethepants Network Guru Member

    The gui will do it all, you don't have to do any init or wanup or custom config.
  44. Thanks. Do I need to check "DNScrypt service" then in Victek?

    Well, I have to. Else I can't enter the settings. ;)
  45. Last question: Do I have to enter something at Static DNS with Victek 1.3f?
  46. lancethepants

    lancethepants Network Guru Member

    You just have to enable dnscrypt and pick the resolver you want if it's there. The list is up-to-date currently. No need to put anything in static dns, dnscrypt does not look at that.
  47. Thanks, it seems to work great now. :)
  48. lancethepants

    lancethepants Network Guru Member

    Can't find the reference now that I'm looking for it. The author alluded somewhere that the ability to use multiple resolvers in one daemon has yet to be implemented. Didn't necessarily say he would, but it might happen. I would much prefer this anyway than spawning two daemons. You could make a request on the github page.

    edit: I don't really see a big need for 'dual-stack' dns. It will resolve just the same either way, it's just the transport that differs. Now having multiple dnscrypt resolvers I could see. Just so you can have multiple encrypted sources to pull from. Of course if you had dual-stack, you'd be able to pick whichever resolvers you'd like.
    Last edited: May 28, 2014
  49. Spyros

    Spyros LI Guru Member

    Hm, you are right, it seems that it doesn't matter if the DNS server is IPv4 or IPv6 because IPv4 DNS servers can return AAAA records. You need IPv6 for an IPv6-only internet or just for, like, living on the edge :p
    lancethepants likes this.
  50. Is there a way to just allow the DNS of DNScrypt.eu? I've seen the one of my ISP several times now with dnsleaktest.com (besides the DNScrypt.eu one).

    Which one do I have to enter at Static DNS?

    2. (IP of DNScrypt.eu)
    3. (non-usable IP)

    I just want to allow the DNS I use with DNScrypt, nothing else.
    Last edited by a moderator: May 28, 2014
  51. lancethepants

    lancethepants Network Guru Member

    no-resolv in priority. Default is strict-order. None will allow other DNS. This only applies if your devices are set to use your router for DNS. If they have something manually set, then they use whatever they have.
  52. Well, I enabled strict-order but still see two DNS: DNScrypt.eu and the one of my ISP.
    Will try it with no-resolv then. Anything else I should enter?
    Last edited by a moderator: May 28, 2014
  53. lancethepants

    lancethepants Network Guru Member

    I'd be surprised even with strict-order if other DNS managed to get out. DNSMasq tries very hard before failing over to the next server. Provide a TCPDUMP for evaluation.
  54. That's how it looks:

    Is it correct to leave Static DNS empty? ( for all fields)
    That's my setting right now, just enabled DNScrypt and chose DNScrypt.eu from the list.

    Will following dnsmasq commands increase privacy?
    Last edited by a moderator: May 28, 2014
  55. lancethepants

    lancethepants Network Guru Member

    I couldn't replicate your issue, it's working perfectly fine for me. Your dnsleaktest shows only dnscrypt.eu when I tested it myself. tcpdump shows nothing on port 53, since dnscrypt.eu uses 443. This is with strict-order.

    Make sure the computer you run the test on only has the router for its dns, and not isp resolvers plugged in. flush dns (or reboot) to test.
    tcpdump is necessary for evaluation if you can't find the issue.
  56. Spyros

    Spyros LI Guru Member

    I was able to replicate the problem yesterday when 1.3f was released, but I waited and can't replicate today. Yesterday after 3~4 consecutive extended tests at dnsleaktest.com there was a leak at one of my ISP's DNS servers; today after 10+ consecutive extended tests I can't replicate. Looks like you have to leave it to settle down. Maybe dnscrypt.eu can't resolve some addresses and the router uses the ISP DNS as a final resort, maybe there is a cache somewhere; use ipconfig /flushdns on Windows machines, use Intercept DNS port 53 in Advanced->DHCP / DNS.
  57. Is there a setting to absolutely block this behaviour (will no-resolv do this?)? I want DNScrypt because I don't want to use the DNS of my ISP.

    What's the difference between no-resolv and strict-order?
    Last edited by a moderator: May 28, 2014
  58. lancethepants

    lancethepants Network Guru Member

    Yes, no-resolv absolutely will only use dnscrypt.
  59. Yep, seems to work with no-resolv.
    With strict-order the DNS of my ISP is shown in every few tests, with no-resolv there is just DNScrypt.eu.
    Also the ping seems better (just around 11 to 13ms, wow!!!!)
  60. Spyros

    Spyros LI Guru Member


    There, it looks like normal behaviour. DNSleaktest sends a non-existent query, dnscrypt.eu can't resolve, the router tries the next server.
  61. lancethepants

    lancethepants Network Guru Member

    This looks like you're running wireshark on your PC. Communication is going between & Queries aren't encrypted until they leave the router bound for the dnscrypt.eu address. When queries come in to your router, they are decrypted then supplied to the PC. You must run TCPDump on the router in order to see the queries encrypted. This screenshot doesn't tell us anything as far as whether it is working or not. We can't tell which service provided the dns because we're behind it in this dump.
    Queries between your PC and router of course use port 53. Between the router and dnscrypt.eu, it goes to port 443.
    edit: My testing a long time ago showed me that dnsmasq doesn't give up easily on the first server with strict-order, to the point of almost dns not working at all.
    Last edited: May 29, 2014
  62. Spyros

    Spyros LI Guru Member

    This is tcpdump from router, queries between router and pc. Will send you the file link in PM, switching to no-resolv does the trick.
  63. Spyros

    Spyros LI Guru Member

    Uhm, sorry about that, it's late

    in the screenshot :8888:8888 is my ISP's dns server and the other is the router wan address
  64. lancethepants

    lancethepants Network Guru Member

    I see, I looked past the IPv6 assuming it was between the router and PC as well. You are correct though, I did a dump, and I see a few queries not from dnscrypt on wan when using 'strict-order'. Apparently DNSMasq doesn't try as hard to not use the other dns servers as I remember. Like you said though, no-resolv should take care of that. Sorry for the misunderstanding.
    Last edited: May 29, 2014
    Spyros likes this.
  65. lancethepants

    lancethepants Network Guru Member

    Yep, absolutely nothing else escapes when using no-resolv after just testing as expected.
    Spyros likes this.
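Posts 39, 55 and 61 to 65 describe the only reliable check: capture on the router's WAN interface and confirm that the outbound DNS is all DNSCrypt traffic to the resolver on port 443, with nothing on port 53 to any other address (the strict-order leaks Spyros found were exactly such port-53 packets, one of them over IPv6 to the ISP resolver). The Python script below is an added example, not code from the thread; it applies that rule to the text output of tcpdump -n (as typed on the router, or as produced on the PC by tcpdump -n -r dump.pcap), classifying every packet the router sends as DNSCrypt, plaintext-DNS leak, or other. The capture lines and all addresses (router WAN 198.51.100.7 and 2001:db8::7, resolver 192.0.2.10, ISP resolvers 203.0.113.53 and 2001:db8:ffff::53) are constructed documentation-range values, not from the page.

```python
"""Classify outbound WAN packets from `tcpdump -n` text to spot plaintext DNS
leaking past a DNSCrypt setup.  Added example with constructed sample lines."""
import re
from collections import Counter

# `tcpdump -n` prints "<time> IP[6] <src>.<sport> > <dst>.<dport>: ..."; the port is
# the last dot-separated component, which also works for IPv6 addresses.
LINE_RE = re.compile(r"^\S+ IP6? (\S+) > (\S+):")

# Constructed sample capture, as if taken on the router's WAN interface.
SAMPLE_WAN_CAPTURE = """\
12:00:01.000001 IP 198.51.100.7.40211 > 192.0.2.10.443: UDP, length 512
12:00:01.000002 IP 192.0.2.10.443 > 198.51.100.7.40211: UDP, length 1024
12:00:02.000003 IP 198.51.100.7.51337 > 203.0.113.53.53: 41253+ A? example.com. (29)
12:00:02.000004 IP 203.0.113.53.53 > 198.51.100.7.51337: 41253 1/0/0 A 203.0.113.80 (45)
12:00:03.000005 IP 198.51.100.7.40211 > 192.0.2.10.443: UDP, length 512
12:00:04.000006 IP6 2001:db8::7.52000 > 2001:db8:ffff::53.53: 12+ AAAA? example.org. (30)
12:00:05.000007 IP 198.51.100.7.44100 > 203.0.113.80.443: Flags [S], seq 1, length 0
""".splitlines()


def split_endpoint(endpoint):
    """'203.0.113.53.53' -> ('203.0.113.53', 53); '2001:db8::7.52000' -> ('2001:db8::7', 52000)."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def classify(line, wan_ips, resolver_ip, resolver_port=443):
    """Return 'dnscrypt', 'leak' or 'other' for packets the router sends; None otherwise."""
    match = LINE_RE.match(line)
    if not match:
        return None
    src, _sport = split_endpoint(match.group(1))
    dst, dport = split_endpoint(match.group(2))
    if src not in wan_ips:          # inbound or unrelated; only outbound matters here
        return None
    if dst == resolver_ip and dport == resolver_port:
        return "dnscrypt"           # encrypted query to the configured resolver
    if dport == 53:
        return "leak"               # plaintext DNS to anything else
    return "other"                  # ordinary traffic (HTTPS etc.), not DNS


def find_dns_leaks(lines, wan_ips, resolver_ip, resolver_port=443):
    """Count packet classes and return the offending lines for inspection."""
    counts = Counter()
    leaks = []
    for line in lines:
        kind = classify(line, wan_ips, resolver_ip, resolver_port)
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "leak":
            leaks.append(line)
    return counts, leaks


if __name__ == "__main__":
    counts, leaks = find_dns_leaks(SAMPLE_WAN_CAPTURE,
                                   {"198.51.100.7", "2001:db8::7"}, "192.0.2.10")
    print(dict(counts))
    for line in leaks:
        print("LEAK:", line)
```

A clean `no-resolv` setup yields a zero `leak` count; any non-zero count lists the resolvers that dnsmasq fell back to, which is the evidence the thread asked for before changing the priority setting. Filtering on the resolver address rather than on port 443 alone is what separates the DNSCrypt packets from the rest of the HTTPS traffic, as post 39 notes.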
  66. no-resolv is working great, haven't seen any leaks anymore. :)

    Would you recommend to use DNSSEC with DNScrypt? DNSSEC seems just to verify a DNS, don't know how important this is.
  67. Spyros

    Spyros LI Guru Member

    Yes you can enable it, dnscrypt.eu server itself uses DNSSEC validation but overall DNSSEC availability is very small.
  68. Mysteron

    Mysteron Networkin' Nut Member

    Is it possible to use DNSCrypt in conjunction with dnsmasq?

    In my situation, I have to use my ISP DNS to access their resources/LAN (10.10.10.*) so I have dnsmasq setup to send all queries for anything on this network to their DNS and everything else goes through OpenDNS.
  69. lancethepants

    lancethepants Network Guru Member

    DNSCrypt does work in conjunction with DNSMasq. You can just think of DNSCrypt as an upstream nameserver.
    When DNSCrypt is enabled, it automatically adds 'server=' to /etc/dnsmasq.conf, which sends queries to the DNSCrypt daemon.
  70. YeOldHinnerk

    YeOldHinnerk Serious Server Member


    I'm also using dnscrypt.eu. I'm not entirely sure if I got everything right, I have to say, it is a bit confusing with all these settings of which I'm uncertain how they interact... anyway:

    Is the following correct:
    Static DNS: (for all three rows)
    Enable DNSSEC: Check
    Use dnscrypt-proxy: Check
    Manual Entry: Check
    Resolver Address:
    Provider Name: 2.dnscrypt-cert.resolver1.dnscrypt.eu
    Provider Public Key: (Key)
    Priority: Strict Order (No-Resolve apparently stops all DNS, as I can not connect to any site anymore)
    Local Port: 40
    Log Level: 99
    Use internal DNS: Check
    Use received DNS with user-entered DNS: Not checked
    Prevent DNS-rebind attacks: Check
    Intercept DNS port: Check
    Use user-entered gateway if WAN is disabled: Check
    Dnsmasq Custom configuration:
    I'm using an Asus RT-AC66U with Shibby's latest (124, rerelease).

    DNSleaktest (simple) shows my ISP! (after fresh ipconfig /flushdns)
    DNSleaktest (extended) shows my ISP! (after fresh ipconfig /flushdns)

    So apparently, something must be wrong...


    PS: Just tried disabling DNSSEC - now (and after dnsflush) DNSleaktest shows the dnscrypt.eu DNS server. Which raises a couple of questions: 1. Why does DNSSEC interfere? The server supports this. 2. Even if there is some error, why is it using the ISP's server? 3. How do I fix it?
