DNSCrypt Preview

Discussion in 'Tomato Firmware' started by lancethepants, Mar 4, 2012.

  1. lancethepants

    lancethepants Network Guru Member

    This is a tutorial on how to get DNSCrypt running on your router. I hope to later make a Web Gui integration to easily enable it, if no one else beats me to it first. Shibby builds have dnscrypt with Gui.
    I've provided a binary you can load to either jffs or to a flash drive. You can download these at

    For JFFS, use the following code
    Administration -> Scripts -> Init
    /jffs/dnscrypt-proxy -a -r -d

    Else if you load the binary to a USB device
    USB and NAS -> USB Support -> Run after mounting
    /path/to/dnscrypt-proxy -a -r -d

    Basic -> Network -> Static DNS. Place it in the first entry.

    Advanced -> DHCP/DNS -> Dnsmasq Custom configuration

    edit: The author of DNSCrypt now has provided a tool (hostip) for resolving DNS before DNSCrypt can become active. This is useful for resolving NTP servers, and eliminates the chicken/egg scenario of DNScrypt needing the Time to work, and the Time needing functional DNS to set itself. I've compiled and included 'hostip' for those wanting to use this new method. This then eliminates the need to place IP adresses for NTP servers. You MUST choose to either use the 'hostip' method , or place IP addresses for your NTP servers, else DNSCrypt will not work.

    I've scripted the following, and have placed it in JFFS, having also place 'hostip' in JFFS.
    for server in $(nvram get ntp_server)
        addresses=$(/jffs/hostip $server)
        for address in $addresses
            echo $address $server >> /tmp/etc/hosts

    Then use the following code.
    Administration -> Scripts -> Wan Up

    Use the 'hostip' method above, OR using the following method.

    Basic -> Time -> NTP Time Server
    You need to put the IP adresses of some NPT servers, they can't be domain names.


    Reboot and that should do it.
    Go to welcome.opendns.com to check if it's working.


    Occasionally when going to welcome.opendns.com, I've noticed that it does not give me the check mark. I've checked with TCPDump that it is indeed working, and should be for you if you have followed all the directions. If you are in doubt, run TCPDump on your router as I have. You should see that DNS requests appear to have an error (using Wireshark to evaluate the dump). This is because they are encrypted, and wireshark cannot make anything of the encrypted queries.

    NOTICE: QOS users
    Unlike traditional DNS, DNSCrypt keeps one connection open for all DNS queries, instead of opening multiple smaller connections per query. If you are using Toastman QOS rules, this will result in your queries being sent to the crawl category. To fix this, remove the "KB Transferred" portion of the the DNS rule.

    Attached Files:

    HitheLightz and eahm like this.
  2. fubdap

    fubdap LI Guru Member

    Good tutorial. Just to verify - is this correct - or it (notice : before 40 in the first sets of numbers)
  3. lancethepants

    lancethepants Network Guru Member is correct. It's the address, colon, then the port number.
  4. shibby20

    shibby20 Network Guru Member

    great tutorial. I will add this to tomato with GUI configuration.

    can you tell me how did you compile this binary file? (patch,cflags,ldflags, etc)
  5. lancethepants

    lancethepants Network Guru Member

    Hey Shibby, that would be great.

    I just ran './configure --host=mipsel-linux'
    Then made the following changes.

    In src -> dnscrypt -> Makefile
    CFLAGS - For simplicity sake I removed '-fstack-protector-all', since TomatoUSB doesn't come with libssp already(though would be small enough for inclusion if desired). I did notice it is in the optware 'buildroot' package.
    LDFLAGS - added '-s -Wl,--gc-sections'.

    That should be it.

    edit: Many thanks go to Frank Denis from OpenDNS. He had the patience and courtesy to work with me to bring DNSCrypt to a state where it could be compiled for our favorite MIPS devices.
    sarelc likes this.
  6. occamsrazor

    occamsrazor Network Guru Member

    Looking forward to seeing this implemented in GUI. Thanks for the nice work.
  7. shibby20

    shibby20 Network Guru Member

    something is wrong. When i do:
    ./configure && make

    i have binary: dnscrypt-proxy: ELF 64-bit LSB shared object, x86-64

    but when i do ./configure --host=mipsel-linux && make i have error:
    but should be:
    As you see i cpuid was not detected and crypto was not compiled. Look we here: https://github.com/opendns/dnscrypt-proxy/tree/master/src/libnacl
    In cpu cycles and cpuidm, the mipsel cpu is not defined. This is our problem in my opinion.

    did you used this sources? https://github.com/downloads/opendns/dnscrypt-proxy/dnscrypt-proxy-0.9.1.tar.gz
    or maybe you have "special"? :)

    For now i can include your compiled binary into tomato, but this is only temporary solution. I really want compile this from sources.
  8. lancethepants

    lancethepants Network Guru Member

    At the time of compilation I was using the latest git release. I was in communication with him a bit, and at .0.9.1 he stated "DNSCrypt should compile out of the box on DD-WRT and other uclibc-based systems". He had successfully compiled for debian MIPS at this point, but I found that it still did not compile for TomatoUSB. I believe at 0.9.2 when it became iphone supported is when I found it compiled for TomatoUSB. Around that time he created better support for cross-compilation. I recently compiled it with the latest git, but found that binary to be larger than the one at around 0.9.2. So maybe you would like to take it from that point.

    I totally agree with you too about compiling from source. What I love most about tomato is that it's virtually all from source code, and easily compilable (unlike other popular distributions).
  9. ulyan

    ulyan Networkin' Nut Member

    This would be really awsome if you finally manage to implement it shibby. I really like your builds.
  10. shibby20

    shibby20 Network Guru Member

    in progress. New version of dnscrypt-proxy (0.9.3) is compiling without problem :)
  11. shibby20

    shibby20 Network Guru Member

    integration completed. Now is testing time ;)
    eahm likes this.
  12. fubdap

    fubdap LI Guru Member

    Thanks for working on this. When you are done with this, would it be easy to enable from the GUI or would you provide a short tutorial?
  13. shibby20

    shibby20 Network Guru Member

    this will be one checkbox to check ;)
  14. ulyan

    ulyan Networkin' Nut Member

    Wow, you are fast ! I'll wait for your new release before I upgrade to the latest build :)
  15. maple.chick

    maple.chick Networkin' Nut Member

    This looks interesting, can't wait to try it!

    Thank you Lance and Shibby.
  16. shibby20

    shibby20 Network Guru Member

    dnscrypt-proxy integraded into my build 088. Best Regards!
    lancethepants and eahm like this.
  17. lancethepants

    lancethepants Network Guru Member

    Awesome work shibby, thanks so much. Just curious, what route did you go to get around the Time/DNSCrypt deadlock?

    edit: Just took a look at your git commits. So you just created a separate nvram variable (ntp_servers_ip) to hold a few NTP server IP addresses to use instead when dnscrypt is enabled.
  18. shibby20

    shibby20 Network Guru Member

    indeed. In the future i will (propably) make GUI to set ntp_servers_ip value :) At the moment if someone want change servers, can use "nvram set" command
  19. lancethepants

    lancethepants Network Guru Member

    That works, as good as any idea I could come up with. Perhaps it could be scripted to periodically update 'ntp_servers_ip' with the resolved IPs of the user's NTP server choices found on the Time page. Don't know if performing the occasional 'nvram commit' would be undesirable however.

    I went go update the wikipedia 'Feature Comparison' list, to see it's been done already. Definitely a feature worth mentioning, thanks again Shibby.
  20. se7six

    se7six Networkin' Nut Member

    I'm running tomato-K26-1.28.RT-MIPSR2-088-Mini.trx on a WRT160N V3 and I don't see the DNSCrypt option in the Basic -> Network section. Is it supposed to be in the Mini build also?

    Thanks for the great firmware Shibby!
  21. shibby20

    shibby20 Network Guru Member

    @se7six - indeed. Mini image hasn`t dnscrypt. i will compile with dnscrypt and you will check.
  22. se7six

    se7six Networkin' Nut Member

    Oh OK. So you're going to add it into the mini image? If you can that would be great! Your builds are the most stable of all Tomato mods I've used over the years. I have 3 different routers running your builds at the moment. WHR-HP-G54/WNR3500L/WRT160N

  23. shibby20

    shibby20 Network Guru Member

    just download and try. I swapped file.
  24. se7six

    se7six Networkin' Nut Member

    Thank you sir. I upgraded to the updated file and the option is now there. I really appreciate the very fast upgrade!

    Is DNSCrypt available in this build -> tomato-ND-1.28.-088V-Std.trx ? I gave my Buffalo router to my girlfriend and will update hers to use DNSCrypt if it's available in that build.

  25. shibby20

    shibby20 Network Guru Member

    may be :) i have recompile it. Will be in next release.
  26. se7six

    se7six Networkin' Nut Member

    Nice! I'm looking forward to the next release.

    Thanks again Shibby!

    For those who are curious as to where the DNSCrypt option is, here is a screenshot.

  27. _scott

    _scott Serious Server Member

    So you simply check the box? You don't need to input the dns addresses for OpenDNS?
  28. ryzhov_al

    ryzhov_al LI Guru Member

    No need to input any DNS addresses if DNSCrypt is active, it useless.

    The DNSCrypt establishes a secure connection to OpenDNS DNS servers, so it will be used for resolving every DNS names.
  29. _scott

    _scott Serious Server Member

    Thanks! So what is the best way to verify that this is working?
  30. lancethepants

    lancethepants Network Guru Member


    I've actually ran TCPDump on the public interface to watch queries as they were leaving and entering. Pretty cool actually, it can tell it is DNS, but is says 'malformed packet' because it's encrypted and can't tell what is says.
  31. ryzhov_al

    ryzhov_al LI Guru Member

    Just open http://welcome.opendns.com
    Yes! And there is no any latency on DNS requests! I thought our CPU will be overloaded with all those elliptical-curve cryptography, but everythink is ok.

    I'm using a dnscrypt-proxy from my repo.
  32. _scott

    _scott Serious Server Member

    Okay, last dumb question ... :p

    If an end user manually inputs DNS information while the DNScrypt check box is checked which setting gets priorty? I am assuming, per your statement, that checking the box overrides anything imputed and not the other way around.

  33. lancethepants

    lancethepants Network Guru Member

    That's correct, even if there are other DNS addresses entered under Basic -> Network, DNSCrypt will be used and given first priority.
    It is possible for an individual PC to bypass DNSCrypt by manually putting in that PC different DNS addresses. This however can be blocked so that all Network attached devices are forced to got through DNSCrypt, despite their local DNS settings. This can be done through
    Advanced -> DHCP/DNS -> Intercept DNS port (UDP 53). This redirects any DNS queries not bound for DNSCrypt to DNSCrypt. This is good for enforcing OpenDNS filtering if that's something you're using, or if you want to ensure everything absolutely uses DNSCrypt.
  34. maple.chick

    maple.chick Networkin' Nut Member

    I didn't experience any latency either but my CPU showed 90-100% usage for the time being I had DNSCrypt enabled. After 10 mins of constant high usage with nothing else keeping the network or CPU busy, I disabled DNSCrypt and the usage went back to normal.

    I'm using a WRT54G-TM and I have it overclocked at 250Mhz. I never got around to narrowing down the problem as Teaman released PPTP GUI and I have been waiting for ages for that feature.

    Has anyone else experienced similar problems with DNSCrypt on WRT54G routers?
  35. jazkal

    jazkal Serious Server Member

    I'm trying to enable dnscrypt by checking the check box as seen in the attachment, but it isn't redirecting the dns correctly. So what am I missing?

  36. jazkal

    jazkal Serious Server Member

    I have a second question.

    My ISP is blocking all DNS requests that don't go through their DNS servers. I have verified that I can run DNScrypt to bypass this block if I redirect DNScrypt to use port 443.

    So, my question is, how can I do the same in the Tomato firmware?
  37. lancethepants

    lancethepants Network Guru Member

    You'll have to follow the guide in the very first post. Since you're running a Shbby build, it'll work the same as the firmware I provided, so you don't need to download the binary. The only difference is you'll need to place the following for the startup script.
    dnscrypt-proxy --daemonize --local-port=40 --tcp-port=443
    Shibby's checkmark box pretty much does all those steps, just really streamlined and easy. Maybe he could implement this too.

    Just some FYI from the DNSCrypt site too...
    edit: and make sure to disable it in the gui also.
  38. ArCan

    ArCan Networkin' Nut Member

    How I can know and be sure
    if CRYPT works fine and not only DNS from OpenDNS?
    Thank you.
  39. lancethepants

    lancethepants Network Guru Member

    So far as I can tell, if you check DNSCrypt, and your internet works, then it's using DNSCrypt. The 'scrict-order' command in DNSMasq doesn't seem to allow any other DNS provider to work, even if your first provider (DNSCrypt) isn't working. I don't know if that's the intended function, but that has been my experience.
    If you want to actually see it, look at the DNS queries with TCPDump as mentioned above.

    edit: If you want the warm fuzzy without running TCPDump, don't put OpenDNS IP Addresses in the DNS Server boxes, and check DNSCrypt. If http://welcome.opendns.com comes back affirmative, it's working because it can only be DNSCrypt. However, even with the additional OpenDNS addresses, DNSCrypt should always be taking over.
  40. ArCan

    ArCan Networkin' Nut Member

    Thank you.
    One more question.
    In QoS Details could I see port 40 or 443 and IP's of OpenDNS instead port 53 and IP's other DNS servers?
  41. phuque99

    phuque99 LI Guru Member

    Are there performance hit using openDNS instead of local DNS, especially to sites on CDN? I know a lot major sites and streaming services use CDN. If you use openDNS, you'll get a CDN server close to openDNS instead of one within your ISP.
  42. lancethepants

    lancethepants Network Guru Member

    In Qos I see of this.
    UDP    localhost (    53    localhost (
    UDP    localhost (    40    localhost (
    This is DNSMasq and DNSCrypt internally talking to eachother.

    And also this.
    resolver2.opendns.com (    53    wan-ip (xx.xxx.xxx.xx)
    This is DNSCrypt talking to OpenDNS
  43. ArCan

    ArCan Networkin' Nut Member

    Yes. Same is here.
    And I can see in log
    "daemon.info dnscrypt-proxy[1590]: Server certificate #XXXXXXXXX received
    daemon.info dnscrypt-proxy[1590]: This certificate looks valid
    daemon.info dnscrypt-proxy[1590]: Server key fingerprint is XXXXXXXXXX
    dnscrypt-proxy is ready: proxying from [] to []"

    Certificate # and Server key fingerprint # always same and doesn't matter what's my IP,
    device, browser or VPN... It's really fingerpint - ONE FOR LIFE.
  44. Nitro

    Nitro Networkin' Nut Member

    Shibby is there a reason why you use a different QoS system from Toastman? i would love DNS Crypt but I also prefer how toastmans QoS system works, is there a benefit as to why you use the QoS system in your build?
  45. FameWolf

    FameWolf Addicted to LI Member


    have you updated your scripts to use the same method shibby did of storing the ntp servers in nvram so you don't have to modify the local ntp servers?
  46. lancethepants

    lancethepants Network Guru Member

    No, I've only placed the binary in the build. You'll have to follow the tutorial in the first post. It just does manually what Shibby's does automatically.
  47. FameWolf

    FameWolf Addicted to LI Member

    I understand but I was hoping to avoid having to hardcode the ntp servers by IP so the ntp pool domain names would continue to work...did I misunderstand that there was a way to do that? Thanks again for setting up the instructions.

    *update* Got it working and seems to work well.
  48. nobody

    nobody Serious Server Member

    I have been waiting so long for something like this... thanks
  49. wilsonhlacerda

    wilsonhlacerda Addicted to LI Member

    DNSCrypt is nice. Thanks lancethepants/shibby20!
  50. ArCan

    ArCan Networkin' Nut Member

    Sorry for stupid question?
    but I tryed to switch on the DNScrypt with Tomato
    like explained in the first post.

    Everything works fine except the lines in QoS details
    I can see now
    " UDP localhost ( 40 localhost ( "
    " resolver2.opendns.com ( 53 wan-ip (xx.xxx.xxx.xx) "

    But I don't see
    " UDP localhost ( 53 localhost ( "

    Something wrong with my DNSMasq ?

    Thank you.
  51. Aaron

    Aaron Networkin' Nut Member

    Can anyone confirm that Status>Overview will still display the ISP issued DNS servers under WAN when dnscrypt is enabled?
    (I left the 3 DNS entries as

    welcome.opendns.com says that I'm using OpenDNS, and I see dnscrypt-proxy is ready: proxying from [] to [] in my log file.
  52. Nick G Rhodes

    Nick G Rhodes Addicted to LI Member

    RTFM - its not unfortunate, because its not intended to "bring us true secure/anonymous internet".


    Cheers, Nick
  53. lancethepants

    lancethepants Network Guru Member

    TomatoUSB is OpenVPN server/client, PPTP server/client, tor capable.
  54. paladin252

    paladin252 Networkin' Nut Member

    you should pass this along to toastman so he can include it in his builds.
  55. lancethepants

    lancethepants Network Guru Member

    Toastman hasn't decided yet whether or not to include this in his builds (or has decided not to, but I haven't heard anything definate). If he decides to do, is should be fairly easily for him to merge those parts from Shibby's mod.
  56. crumpler

    crumpler Addicted to LI Member

  57. Toastman

    Toastman Super Moderator Staff Member Member

    No, at the moment I have serious concerns about the resources used when running this. I don't think it's stable on all routers. I also think that very few people will actually use it. Maybe later.

  58. lancethepants

    lancethepants Network Guru Member

    If it'll fit in your firmware, then it most likely will fit in JFFS, and you got the guide from the first post to get it going. Sure Gui's are nice, but you don't have to wait for it to become available to get those features now. I'd like to see a mesh VPN with gui, and maybe I'll take a stab at it (definate maybe), but in the mean time I read the doc, compiled the binary, and got things setup. Most applications like this are very well documented, and usually don't have guis anyway.
  59. redhat27

    redhat27 Addicted to LI Member

    Hello lancethepants: Do you have the dnscrypt-proxy compiled for dd-wrt K24 routers? I downloaded the one off your site from
    / Binaries (DNSCrypt) / DNSCrypt-Proxy / 0.9.3 /

    This is what it says on my WRT54GS v1.1

    dnscrypt-proxy: can't resolve symbol 'syscall'

    root@WRT54GSv11:~# uname -a
    Linux WRT54GSv11 2.4.37 #13294 Thu Aug 12 03:26:28 CEST 2010 mips unknown
  60. lancethepants

    lancethepants Network Guru Member

    I actually went to the dd-wrt forum remembering someone else had that router. Worked for someone else, but under dd-wrt. Saw that you had already posted there, lol. I'll look at trying to build a static binary tomorrow.
  61. redhat27

    redhat27 Addicted to LI Member

  62. lancethepants

    lancethepants Network Guru Member

    I've uploaded another file built with the toolchain used to create the K2.4 builds of tomatousb. The original was built with the K2.6 toolchain for tomatousb, but has appeared to work for most firmwares for both kernels.
    It comes to the exact same size, but does have a different md5 checksum. Give that a shot and let me know.
    redhat27 likes this.
  63. redhat27

    redhat27 Addicted to LI Member

    Works beautifully. Thank you so very much :)
  64. redhat27

    redhat27 Addicted to LI Member

    Where do the feature requests go? I'd love to see how many DNS request are passing through the proxy. Maybe the proxy can be made to log that info (and other key stats) on ad hoc request?

    So maybe on receiving an user signal

    kill -SIGUSR1 `pidof dnscrypt-proxy`

    would make the daemon write stats to the log? What do you think?
  65. lancethepants

    lancethepants Network Guru Member

    That might be a good request for the maintainer of DNSCrypt. As far as I can see, it doesn't appear to have much logging capability other than what already shows up.

    Another approach could be to instead log from DNSMasq. DNSMasq is very tightly integrated into TomatoUSB, so the two work in conjunction. All DNS queries are first sent to DNSMasq which keeps a DNS cache. If the query has not been previously cached, it then forwards the query to DNSCrypt which performs the lookup.

    It would probably be better to log from DNSMasq anyway, because you will see all requests, instead of just the ones that haven't been cached yet.
  66. ryzhov_al

    ryzhov_al LI Guru Member

    You knew it!:) Last versions is really unstable.
    We were forced to roll back to stable v.0.9.3.
  67. lancethepants

    lancethepants Network Guru Member

    I also tried compiling 0.9.4, but noticed when starting it not as a daemon is seemed to not completely startup. I did notice entware did the same and meant to ask but didn't.
  68. Toastman

    Toastman Super Moderator Staff Member Member

    LOL - never mind! Great work!
  69. lancethepants

    lancethepants Network Guru Member

    0.9.5 has been released. Preliminary tests appear to be more stable, I've made the binaries available for any wanting to test them.
  70. ryzhov_al

    ryzhov_al LI Guru Member

    Do not rush^), just few hours pasts. It crashes fine too^).
  71. Toastman

    Toastman Super Moderator Staff Member Member

  72. tylergl

    tylergl Serious Server Member

    Question, I downloaded tomato-K26-1.28.RT-MIPSR1-093-MiniIPv6.trx yesterday from Shibby. I previously was using tomato-ND-1.28.-088V-SD-VPN.trx. After I installed the Mini IPV6 version and noticed that DNSCrypt was not an option in the GUI. I had it and was using it in the 88 version I was using previously. I checked the matrix of what features were in what version prior to downloading it and noticed that it was supposed to have DNScrypt in it. What am I doing Wrong?
  73. M_ars

    M_ars Network Guru Member

    its not contained in that version.
  74. tylergl

    tylergl Serious Server Member

    I downloaded "tomato-K26-1.28.RT-MIPSR1-093-MiniIPv6.trx". According to Shibby's chart DNScrypt should be in the mini ipv6 version. Is the chart incorrect or did I read something wrong? This chart was updated June 1st 2012.

  75. ArCan

    ArCan Networkin' Nut Member

    Could somebody tell me about difference between DNScrypt 0.9.5 and 0.9.3 version ?
    Now I'm using 0.9.3 and it works fine for me.
    Should I update it to newer version?
  76. lancethepants

    lancethepants Network Guru Member

    .0.9.5 adds IPv6 support. However, it has been said that .0.9.5 is not stable. I did notice that in the entware repository they've recompiled it using their own libuv library, which I guess was causing the instability. I'll try to make a tomato library compatible build sometime this weekend using their library.
  77. ryzhov_al

    ryzhov_al LI Guru Member

    It's not my own libuv library.:) I just placed libuv to separate package and now a can change it version before linking with dnscrypt-proxy. Its all because the libuv is a main suspect in the heap leak.
  78. lancethepants

    lancethepants Network Guru Member

    Thanks for looking into getting DNScrypt going with the latest versions. Nice to see that IPv6 is now supported. I only meant "your" libuv in the same context as used on the Entware page.
  79. lancethepants

    lancethepants Network Guru Member

  80. ryzhov_al

    ryzhov_al LI Guru Member

    Its useless:
    • we tried dnscrypt-proxy 0.9.5 with newest libuv and it leaks,
    • we tried dnscrypt-proxy 0.9.5 with old libuv (was in stable 0.9.3) and it leaks too,
    • then we tried old dnscrypt-proxy 0.9.3 with old libuv. Its stable!
    And now we dropped libuv at all, as far as new dnscrypt-proxy builds will be libevent driven. Now testing libevent branch.
  81. jsmiddleton4

    jsmiddleton4 Network Guru Member

    What does that mean in relation to the new 7500 version then? Does it have a memory leak with its DNSCrypt?
  82. lancethepants

    lancethepants Network Guru Member

    AFAIK all tomato mods are still using the stable 0 9.3 version.
  83. ryzhov_al

    ryzhov_al LI Guru Member

    No leaks anymore^) Leaking libuv was thrown out. New master branch is libevent-driven now.
    All? AFAIK, Shibby only.
  84. ArCan

    ArCan Networkin' Nut Member

    I can see new version of DNScrypt-proxy.
    It's 0.10

    But I don't know what's new in this...
    Could somebody tell me where I can find information about it?

    Or other words - What's new in this new version?

    Thank you.

    OK! I found the info:

    "dnscrypt-proxy 0.10
    Updated on Jun 19th, 2012 // No Comment

    dnscrypt-proxy acts as a DNS proxy between a regular client, like a DNS cache or an operating system stub resolver, and a DNSCrypt-aware resolver, like OpenDNS. The DNSCrypt protocol focuses on securing communications between a client and its first-level resolver. While not providing end-to-end security, it protects the local network (which is often the weakest link in the chain) against man-in-the-middle attacks. It also provides some confidentiality to DNS queries.

    Release Notes: This release is a major rewrite based on libevent, featuring smaller binaries, lower latency, and a significant reduction of memory usage. The maximum number of simultaneous queries is now global, not per-protocol. The default resolver port has been changed to 443. Additional dtrace probes have been added.

    Release Tags: Major
    Tags: network security, DNS, Proxy
    Licenses: BSD Revised"

    And I have a couple of questions:
    Should I change to
    and /jffs/dnscrypt-proxy --daemonize --local-port=40 to /jffs/dnscrypt-proxy --daemonize --local-port=443
    in configuration of router
    and use new 0.10 version same way like 0.9.3 ?

    Thanks again.
  85. lancethepants

    lancethepants Network Guru Member

    You can run DNSCrypt on any local port you want, but can leave it on 40 if you like.

    DNSCrypt now by default connects to OpenDNS on their port 443. I found this out recently, before having read your post, because I was trying to look at the DNS traffic with tcpdump, and noticed there wasn't anything running on port 53 (the usualy DNS port).

    This is to disguise the DNS queries and make them look like https traffic instead of DNS traffic, on top of already being encrypted. You can divert back to port 53 by also adding

    You can also run DNSCrypt over IPv6 by also adding

    I wouldn't recommend running over IPv6 unless you have native IPv6 from your ISP.

    I've uploaded both K2.6 and K2.4 binaries of DNSCrypt 0.10 to http://lancethepants.com/files/
  86. ArCan

    ArCan Networkin' Nut Member

    Thank a lot for quick answer and explanation.
    P.S. I did "--resolver-port=53" because with QoS the 443 port was in crawl rule and the port 53 in service rule...
  87. lancethepants

    lancethepants Network Guru Member

    Very insightful, yes that would mess up qos for those that use it (I do). I'll make a note of it in my first post.
  88. barry beest

    barry beest Serious Server Member

    Hi shibby, is it also possible to compile dnscrypt in the linksys e2000 version?
  89. lancethepants

    lancethepants Network Guru Member

    I've uploaded the various binaries of DNSCrypt version 0.11. Here's the changelog.

    * Version 0.11:
    Introduce hostip(8), a tool for resolving a name before dnscrypt-proxy starts.
    It should help fighting the chicken-and-egg issue seen on routers, where
    dnscrypt-proxy requires a working NTP server, but the NTP server requires
    a working resolver.

    I haven't had time to test this yet, but this should be much better than the work around we've been having to do.
  90. busy

    busy Addicted to LI Member

    Thanks lancethepants.

    hostip is a separate tool.
  91. redhat27

    redhat27 Addicted to LI Member

  92. redhat27

    redhat27 Addicted to LI Member

  93. lancethepants

    lancethepants Network Guru Member

    Another user pointed me to the DD-WRT toolchains that I'm using. Perhaps your build uses a different toolchain than these.
    If you can point me to another one I can give it a shot.
    For best compatability it may be best to use Entware, they have been really good at keeping their versions up to date, and should work everywhere.

  94. rhester72

    rhester72 Network Guru Member

    Where is hostip?

  95. lancethepants

    lancethepants Network Guru Member

    I've uploaded version 0.12 with their respective hostip binaries. Looks like version 1.0 is next out the door. The following is the code I use to resolve NTP IP Addresses using hostip. I've placed my binares is /jffs, but adjust for your setup.

    for server in $(nvram get ntp_server)
        addresses=$(/jffs/hostip $server)
        for address in $addresses
            echo $address $server >> /tmp/etc/hosts
  96. rhester72

    rhester72 Network Guru Member

    OK - I was more asking what package hostip was a part of, since I wasn't aware it shipped with the proxy, and it *greatly* simplified some of the mumbo-jumbo I'm going through at startup with unbound. Thanks!

    0.12 K24 binaries on my site if anyone cares.

  97. TC777

    TC777 Networkin' Nut Member

    I'm not very knowledgeable about dnscrypt. But does anyone know if when you click/choose the dnscrypt option, does that then bypass the DNS servers you have entered in?

    I ask because whenever I choose DNSCrypt, then when a mistyped URL is entered, I no longer get my standard DNS server message, instead I get the message from OPENDNS.

    I'm using it on my router with the shibby firmware. Although if opendns is being used as the dns server, then I'll probably not use it because opendns ranks almost dead last for speed using the DNS Benchmark program by Gibson... for me anyways.
  98. Nitro

    Nitro Networkin' Nut Member

    DNScrypt is a technology invented by Opendns, only their dns servers can be used. :)
  99. Mangix

    Mangix Networkin' Nut Member

    How beneficial is DNSCrypt at the router level? What I've gathered from it is that it's just encrypted DNS. However once it gets out of the router, it's unencrypted and those are the results clients get. Something like that is easily MITMable by doing DHCP spoofing and setting a custom DNS server.

    I have DNSCrypt installed on my Windows 8 box and on it it makes sense since the information only gets unencrypted on the computer.

    All I can make of this is that it makes ISPs not being able to know exactly which website you visit without some packet inspection(IP addresses are still visible). Am I missing something here?
  100. shibby20

    shibby20 Network Guru Member

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice