
How to install and use DNSCrypt with Gargoyle

Posted: Tue Sep 30, 2014 10:05 am
by tapper
Update: in the 1.8.x and 1.9.x branches this will not work alongside the DNS adblock plugin. At least I can't get it to work.

This is just how I got it to work. I am not a networking expert. If you try and do this I will try and help but.....

OK first let's start with what DNSCrypt is!

Description

dnscrypt-proxy provides local service which can be used directly as your local resolver or as a DNS forwarder, encrypting and authenticating requests using the DNSCrypt protocol and passing them to an upstream server.

The DNSCrypt protocol uses high-speed high-security elliptic-curve cryptography and is very similar to DNSCurve, but focuses on securing communications between a client and its first-level resolver.

While not providing end-to-end security, it protects the local network, which is often the weakest point of the chain, against man-in-the-middle attacks.
It also provides some confidentiality to DNS queries.
http://dnscrypt.org/

I use OpenDNS; more info on their site here:
http://www.opendns.com/about/innovations/dnscrypt/

For those who CBA to read, DNSCrypt is like SSL for DNS servers!

DNSCrypt - OpenWrt Wiki
http://wiki.openwrt.org/inbox/dnscrypt

So here's what I did to get it to work on my WDN750 running GargoylePL 1.6.2.2

This line is not needed in 1.8.x and 1.9.x as DNSCrypt has been added to the packages on the OpenWrt website.

Using WinSCP, add this line to /etc/opkg

src/gz exopenwrt http://exopenwrt.and.in.net/attitude_ad ... x/packages

Save and exit.

Then in the webshell type these lines one by one.

opkg update

opkg install dnscrypt-proxy

Now you have DNSCrypt installed!

The config file /etc/config/dnscrypt-proxy is simple and will be rarely edited. If you are using OpenDNS then this is already the default resolver so you do not have to change anything.

Now we need to go back to the webshell and we will start DNSCrypt and enable auto boot for it:

/etc/init.d/dnscrypt-proxy enable

/etc/init.d/dnscrypt-proxy start

Now I used WinSCP again to edit the bold lines in /etc/config/dhcp

start of my file


config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.auto'
    option noresolv 1
    list server '127.0.0.1#2053'
    list server '/pool.ntp.org/208.67.222.222'
    # list server '208.67.222.222'
    # list server '208.67.220.220'
    list rebind_domain 'free.aero2.net.pl'
    list addnhosts '/etc/block.hosts'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '6h'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

end of file

When you are done, save and close.
Now you need to restart DHCP.
In the webshell do

/etc/init.d/dnsmasq restart

Then in a cmd prompt on Windows you need to flush the DNS. Type:

ipconfig /flushdns

How to check if your DNS queries are using dnscrypt with OpenDNS

In Windows:

nslookup -type=txt debug.opendns.com.

In Linux:

dig debug.opendns.com txt


One of the entries should be "dnscrypt enabled (<number>)".

I hope this helps.
Some more info here:
http://wiki.openwrt.org/inbox/dnscrypt
DNSCrypt setup — securing DNS communications
https://forum.openwrt.org/viewtopic.php?id=36380
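
A consistency check for the setup described in the first post, added here as an example (it is not part of tapper's post and not Gargoyle or OpenWrt code): it compares the 127.0.0.1#<port> forwarder in /etc/config/dhcp with the port in /etc/config/dnscrypt-proxy and flags settings that let dnsmasq send queries to unencrypted upstreams. The "option port" key in the dnscrypt-proxy file, the function names and the sample files are assumptions.

```shell
#!/bin/sh
# Added example. Assumption: /etc/config/dnscrypt-proxy holds "option port '<n>'".

# Drop indentation, comment lines and quotes from a UCI file.
uci_clean() { sed -e 's/^[[:space:]]*//' -e '/^#/d' -e "s/['\"]//g" "$1"; }

# check_dns_chain DHCP_FILE PROXY_FILE -> findings on stdout, returns 0 if clean
check_dns_chain() {
    rc=0
    proxy_port=$(uci_clean "$2" | awk '$1=="option" && $2=="port" {print $3; exit}')
    noresolv=$(uci_clean "$1" | awk '$1=="option" && $2=="noresolv" {print $3; exit}')
    # Loopback forwarders: list server 127.0.0.1#PORT
    fwd=$(uci_clean "$1" | awk '$1=="list" && $2=="server" && $3 ~ /^127\.0\.0\.1#/ {sub(/.*#/, "", $3); print $3}')
    # Unscoped remote servers; /domain/ip entries (the pool.ntp.org line) are skipped
    plain=$(uci_clean "$1" | awk '$1=="list" && $2=="server" && $3 !~ /^(127\.|\/)/ {print $3}')

    [ -n "$proxy_port" ] || { echo "FAIL: no port option in $2"; return 1; }
    [ -n "$fwd" ] || { echo "FAIL: no 127.0.0.1#<port> server entry"; rc=1; }
    for p in $fwd; do
        [ "$p" = "$proxy_port" ] && continue
        echo "FAIL: dnsmasq forwards to port $p, proxy listens on $proxy_port"; rc=1
    done
    [ "$noresolv" = "1" ] || { echo "WARN: noresolv unset, resolvfile servers get cleartext queries"; rc=1; }
    for s in $plain; do
        echo "WARN: $s receives cleartext queries for every domain"; rc=1
    done
    [ "$rc" -ne 0 ] || echo "OK: dnsmasq -> 127.0.0.1#$proxy_port only"
    return "$rc"
}

# Constructed sample files (not taken from a real router): the ports disagree.
demo() {
    _d=$(mktemp -d)
    printf "config dnscrypt-proxy\n\toption address '127.0.0.1'\n\toption port '5353'\n" > "$_d/proxy"
    printf "config dnsmasq\n\toption noresolv '1'\n\tlist server '127.0.0.1#2053'\n\tlist server '/pool.ntp.org/208.67.222.222'\n" > "$_d/dhcp"
    _r=0; check_dns_chain "$_d/dhcp" "$_d/proxy" || _r=$?
    rm -rf "$_d"; return "$_r"
}
```

On a router it would be called as check_dns_chain /etc/config/dhcp /etc/config/dnscrypt-proxy.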

Re: How to install and use DNSCrypt with Gargoyle

Posted: Thu Nov 19, 2015 4:20 am
by tapper
Hi, can anyone give me some help please? I can't get this working under 1.9.

I installed and then when I set up my dhcp file I get no internet and I can't work out why.


config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    # option resolvfile '/tmp/resolv.conf.auto'
    option noresolv '1'
    list server '127.0.0.1#5353'
    list server '/pool.ntp.org/208.67.222.222'
    # list server '208.67.222.222'
    # list server '208.67.220.220'
    list addnhosts '/etc/block.hosts'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '6h'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

Re: How to install and use DNSCrypt with Gargoyle

Posted: Thu Nov 19, 2015 5:18 am
by tapper
Would adblock make it break?

Re: How to install and use DNSCrypt with Gargoyle

Posted: Thu Nov 19, 2015 1:39 pm
by Volaris
Maybe. It broke back when I installed adblock in 1.8.

Re: How to install and use DNSCrypt with Gargoyle

Posted: Thu Nov 19, 2015 6:48 pm
by Lantis
Yes it breaks it. Adblock plugin forces traffic through port 53. Dnscrypt wants it through 5353.

You can remove the rules in /etc/firewall.user

This means that if any device isn't specifically told to look for the router as a DNS client then they can get around Adblock.

This is a similar issue to how it interacts with the Tor plugin.

Re: How to install and use DNSCrypt with Gargoyle

Posted: Thu Nov 19, 2015 10:50 pm
by SirDrexl
First of all, check your resolver. I have found that resolvers can come and go, unfortunately, and your router's list may be out of date because it probably only gets updated when a new version of DNSCrypt is released (which isn't very often).

The current list should be here: https://github.com/jedisct1/dnscrypt-pr ... olvers.csv Click on the "Raw" link to download that file and paste it over your router's resolver list (/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv).

That file contains information about each resolver and a "friendly" name that will go in etc/config/dnscrypt/dnscrypt-proxy to choose the resolver. I have found that okturtles is reliable, but you'll want to choose something close to your country. It can be difficult to read the file because it looks like a wall of text, but just know that the first thing on each line is the friendly name that will go in your config.

Also, I would try to get one that doesn't log. At the part on each line where it starts going yes or no, it's the second one, "yes" meaning no logs. I believe the default resolver is Cisco, which logs.

BTW, DNSCrypt is included in the Chaos Calmer repositories, so it is no longer necessary to add the line to /etc/opkg (unless you're still on Barrier Breaker).
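
A filter for the resolver list described in the post above, added here as an example (it is not part of SirDrexl's post or of dnscrypt-proxy): it prints the friendly name and location of every resolver whose "No logs" column is "yes", finding columns by header name and honouring quoted fields so that commas inside descriptions do not shift the columns. The header names "Name", "Location" and "No logs", the function names and the sample rows are assumptions; the sample is constructed.

```shell
#!/bin/sh
# Added example. Assumption: the CSV header row names the columns
# "Name", "Location" and "No logs"; columns are looked up by name.

# nolog_resolvers CSV_FILE -> "name<TAB>location" for rows with No logs = yes
nolog_resolvers() {
    awk '
    # Split one CSV record into F[1..n]; commas inside "..." do not split.
    function split_csv(line,    n, i, c, inq, cur) {
        n = 0; cur = ""; inq = 0
        for (i = 1; i <= length(line); i++) {
            c = substr(line, i, 1)
            if (c == "\"") {
                if (inq && substr(line, i + 1, 1) == "\"") { cur = cur c; i++ }
                else inq = !inq
            } else if (c == "," && !inq) { F[++n] = cur; cur = "" }
            else cur = cur c
        }
        F[++n] = cur
        return n
    }
    { sub(/\r$/, "") }   # tolerate files saved with Windows line endings
    NR == 1 {
        n = split_csv($0)
        for (i = 1; i <= n; i++) col[F[i]] = i
        if (!("Name" in col) || !("Location" in col) || !("No logs" in col)) { bad = 1; exit }
        next
    }
    {
        n = split_csv($0)
        if (n >= col["No logs"] && F[col["No logs"]] == "yes")
            print F[col["Name"]] "\t" F[col["Location"]]
    }
    END { if (bad) { print "unexpected header" > "/dev/stderr"; exit 2 } }
    ' "$1"
}

# Constructed sample: made-up resolvers, documentation addresses, placeholder keys.
sample_csv() {
cat <<'EOF'
Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
example-a,"Example A","Fast, anycast resolver",Anycast,,https://a.example,1,no,no,no,192.0.2.1:443,2.dnscrypt-cert.a.example,PLACEHOLDER-KEY,
example-b,"Example B","Community run, ""no logs"" policy","Paris, France",,https://b.example,1,yes,yes,no,192.0.2.2:443,2.dnscrypt-cert.b.example,PLACEHOLDER-KEY,
example-c,"Example C","Filters ads",Toronto,,https://c.example,1,yes,no,yes,192.0.2.3:443,2.dnscrypt-cert.c.example,PLACEHOLDER-KEY,
EOF
}
```

Records that span several lines inside one quoted field are not handled.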

Re: How to install and use DNSCrypt with Gargoyle

Posted: Fri Nov 20, 2015 5:25 am
by tapper
Lantis wrote: Yes it breaks it. Adblock plugin forces traffic through port 53. Dnscrypt wants it through 5353.

You can remove the rules in /etc/firewall.user

This means that if any device isn't specifically told to look for the router as a DNS client then they can get around Adblock.

This is a similar issue to how it interacts with the Tor plugin.

Hi Lantis, can you have them use the same port?

Re: How to install and use DNSCrypt with Gargoyle

Posted: Fri Nov 20, 2015 5:26 am
by tapper
SirDrexl wrote: First of all, check your resolver. I have found that resolvers can come and go, unfortunately, and your router's list may be out of date because it probably only gets updated when a new version of DNSCrypt is released (which isn't very often).

The current list should be here: https://github.com/jedisct1/dnscrypt-pr ... olvers.csv Click on the "Raw" link to download that file and paste it over your router's resolver list (/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv).

That file contains information about each resolver and a "friendly" name that will go in etc/config/dnscrypt/dnscrypt-proxy to choose the resolver. I have found that okturtles is reliable, but you'll want to choose something close to your country. It can be difficult to read the file because it looks like a wall of text, but just know that the first thing on each line is the friendly name that will go in your config.

Also, I would try to get one that doesn't log. At the part on each line where it starts going yes or no, it's the second one, "yes" meaning no logs. I believe the default resolver is Cisco, which logs.

BTW, DNSCrypt is included in the Chaos Calmer repositories, so it is no longer necessary to add the line to /etc/opkg (unless you're still on Barrier Breaker).

Hi, I am still on CC but I use OpenDNS for DNS. Will I still need to use that file?

Re: How to install and use DNSCrypt with Gargoyle

Posted: Fri Nov 20, 2015 5:42 am
by Lantis
You would have to try it mate, I'm honestly not sure, sorry.

Re: How to install and use DNSCrypt with Gargoyle

Posted: Fri Nov 20, 2015 10:49 am
by tapper
Lantis wrote: You would have to try it mate, I'm honestly not sure, sorry.

Hi, how does Tor get around it? Using port 53, can adblock and Tor use the same port?