How to install and use DNSCrypt with Gargoyle


GarGoy
Posts: 10
Joined: Fri Apr 05, 2019 8:09 am

Re: How to install and use DNSCrypt with Gargoyle

Post by GarGoy »

RomanHK wrote: It's good to write configurations here, especially about:
/etc/config/dhcp
/etc/dnsmasq.conf
/etc/config/dnscrypt-proxy


When I get home, I'll test Gargoyle 1.11.X and step by step again.
Here are my configs
/etc/config/dhcp

Code:

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option noresolv 1
	list server '127.0.0.1#5353'
	list server '/pool.ntp.org/208.67.222.222'
	# list server '208.67.222.222'
	# list server '208.67.220.220'
	list addnhosts '/etc/block.hosts'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '6h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
/etc/dnsmasq.conf (this is totally unedited, everything is hashed out by default)

Code:

# Change the following lines if you want dnsmasq to serve SRV
# records.
# You may add multiple srv-host lines.
# The fields are <name>,<target>,<port>,<priority>,<weight>

# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 289
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389

# Two SRV records for LDAP, each with different priorities
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2

# A SRV record indicating that there is no LDAP server for the domain
# example.com
#srv-host=_ldap._tcp.example.com

# The following line shows how to make dnsmasq serve an arbitrary PTR
# record. This is useful for DNS-SD.
# The fields are <name>,<target>
#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"

# Change the following lines to enable dnsmasq to serve TXT records.
# These are used for things like SPF and zeroconf.
# The fields are <name>,<text>,<text>...

#Example SPF.
#txt-record=example.com,"v=spf1 a -all"

#Example zeroconf
#txt-record=_http._tcp.example.com,name=value,paper=A4

# Provide an alias for a "local" DNS name. Note that this _only_ works
# for targets which are names from DHCP or /etc/hosts. Give host
# "bert" another name, bertrand
# The fields are <cname>,<target>
#cname=bertand,bert
/etc/config/dnscrypt-proxy

Code:

config dnscrypt-proxy
	option address '127.0.0.1'
	option port '5353'
	option resolver 'yandex'
	#option resolver 'd0wn-cz-ns1'
	#option resolver 'd0wn-ro-ns1'
	#option resolver 'opendns'
	#option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republic

Re: How to install and use DNSCrypt with Gargoyle

Post by RomanHK »

Yes, it's OK for OpenWrt. For Gargoyle some of the settings from the /dhcp file must be converted to the /dnsmasq.conf file. Gargoyle uses the "list server '..." for the "Allow NameCoin/OpenNIC Resolution" function, and the /dhcp file changes when the router is rebooted.

So my suggestion is:

/etc/config/dhcp

Code:

config dnsmasq
   option domainneeded '1'
   option boguspriv '1'
   option filterwin2k '0'
   option localise_queries '1'
   option rebind_protection '1'
   option rebind_localhost '1'
   option local '/lan/'
   option domain 'lan'
   option expandhosts '1'
   option nonegcache '0'
   option authoritative '1'
   option readethers '1'
   option leasefile '/tmp/dhcp.leases'
   option resolvfile '/tmp/resolv.conf.auto'
   list addnhosts '/etc/block.hosts'

config dhcp 'lan'
   option interface 'lan'
   option start '100'
   option limit '150'
   option leasetime '6h'

config dhcp 'wan'
   option interface 'wan'
   option ignore '1'
/etc/dnsmasq.conf (the commented-out lines do not need to be included.)

Code:

no-resolv
server="127.0.0.1#5353"
server="/pool.ntp.org/208.67.222.222"
/etc/config/dnscrypt-proxy

Code:

config dnscrypt-proxy ns1
   option address         '127.0.0.1'
   option port            '5353'
   option resolver       'yandex'
   option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
Turris Omnia with OpenWrt 21.02 - Tested
Linksys WRT3200ACM with Gargoyle 1.13.x
TL-WR1043ND v2 with Gargoyle 1.10.0

http://gargoyle.romanhk.cz custom builds by gargoyle users

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republic

Re: How to install and use DNSCrypt with Gargoyle

Post by RomanHK »

DNSCrypt + DNSSEC

Step by step:
1) If you want to install your own packages, try this as follows (I recommend using PuTTY):

Code:

opkg update
opkg install dnscrypt-proxy
opkg remove dnsmasq
opkg install dnsmasq-full --force-overwrite
2) Edit the /etc/config/dnscrypt-proxy file as follows (e.g. yandex):

Code:

config global
	# start dnscrypt-proxy from procd interface trigger rather than immediately in init
	# if needed you can restrict trigger to certain interface(s)
	# list procd_trigger 'wan'
	# list procd_trigger 'wan6'

config dnscrypt-proxy ns1
	option address '127.0.0.1'
	option port '5353'
	option resolver 'yandex'
	# more details about the following options can be found in:
	#    https://github.com/dyne/dnscrypt-proxy/blob/master/dnscrypt-proxy.conf
	option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
	# ephemeral keys option requires extra CPU cycles and can cause huge system load
	# option ephemeral_keys '0'
	# option client_key '/path/to/client_key'
	# option log_level '6'
	# option syslog '1'
	# option syslog_prefix 'dnscrypt-proxy'
	# option query_log_file '/path/to/logfile'
	# enable cache may speed up dnscrypt-proxy
	# option local_cache '0'
	# disable IPv6 may also speed up dnscrypt-proxy
	# option block_ipv6 '0'
	# Blacklists allow you to block domains, ip, ...
	# list blacklist 'domains:/path/to/domains-blacklist-file.txt'
	# list blacklist 'domains:/path/to/domains-blacklist2-file.txt'

#	config dnscrypt-proxy ns2
#		option address '127.0.0.1'
#		option port '5454'
#		# option resolver 'd0wn-random-ns1'
#		# option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
#		# option ephemeral_keys '0'
#		# option client_key ''
3) Edit the /etc/config/dhcp file as follows:

Code:

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/local/'
	option domain 'local'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option dnssec '1'
	option dnsseccheckunsigned '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '6h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
4) Insert these lines into the /etc/dnsmasq.conf configuration:

Code:

no-resolv
server="127.0.0.1#5353"
and reboot the router.

After rebooting:
Test DNSSEC: https://dnssec.vs.uni-due.de/ = +1

Code:

root@TurrisOmnia:~# ping -c4 gargoyle-router.com
PING gargoyle-router.com (66.228.45.220): 56 data bytes
64 bytes from 66.228.45.220: seq=0 ttl=50 time=116.172 ms
64 bytes from 66.228.45.220: seq=1 ttl=50 time=115.955 ms
64 bytes from 66.228.45.220: seq=2 ttl=50 time=115.493 ms
64 bytes from 66.228.45.220: seq=3 ttl=50 time=116.592 ms

--- gargoyle-router.com ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 115.493/116.053/116.592 ms
root@TurrisOmnia:~#

root@TurrisOmnia:~# nslookup gargoyle-router.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:      gargoyle-router.com
Address 1: 66.228.45.220
*** Can't find gargoyle-router.com: No answer
root@TurrisOmnia:~#

root@TurrisOmnia:~# ps | grep dnscrypt-proxy
22167 nobody    1580 S    /usr/sbin/dnscrypt-proxy /var/etc/dnscrypt-proxy-ns1
22469 root      1064 R    grep dnscrypt-proxy
root@TurrisOmnia:~#

root@TurrisOmnia:~# logread | grep dnscrypt-proxy
Tue Apr  9 20:18:17 2019 user.info : dnscrypt-proxy - [yandex] does not support DNS Security Extensions
Tue Apr  9 20:18:17 2019 user.warn : dnscrypt-proxy - [yandex] logs your activity - a different provider might be better a choice if privacy is a concern
Tue Apr  9 20:18:17 2019 daemon.notice dnscrypt-proxy[8246]: dnscrypt-proxy Starting dnscrypt-proxy 1.9.5
Tue Apr  9 20:18:17 2019 daemon.info dnscrypt-proxy[8246]: dnscrypt-proxy Generating a new session key pair
Tue Apr  9 20:18:17 2019 daemon.info dnscrypt-proxy[8246]: dnscrypt-proxy Done
Tue Apr  9 20:18:17 2019 daemon.info dnscrypt-proxy[8246]: dnscrypt-proxy Server certificate with serial #1547797595 received
Tue Apr  9 20:18:17 2019 daemon.info dnscrypt-proxy[8246]: dnscrypt-proxy This certificate is valid
Tue Apr  9 20:18:17 2019 daemon.info dnscrypt-proxy[8246]: dnscrypt-proxy Chosen certificate #1547797595 is valid from [2019-01-18] to [2020-01-18]
Tue Apr  9 20:18:17 2019 daemon.info dnscrypt-proxy[8246]: dnscrypt-proxy The key rotation period for this server may exceed the recommended value. This is bad for forward secrecy.
Tue Apr  9 20:18:17 2019 daemon.info dnscrypt-proxy[8246]: dnscrypt-proxy Server key fingerprint is 8DF9:C0B3:1881:1DFB:0518:E1DF:9FC1:5571:881D:E465:87F5:72C9:187D:9E24:866A:1321
Tue Apr  9 20:18:17 2019 daemon.notice dnscrypt-proxy[8246]: dnscrypt-proxy Proxying from 127.0.0.1:5353 to 77.88.8.78:15353
root@TurrisOmnia:~#
All functional; tested on Turris Omnia with Gargoyle 1.11.0 = functionality confirmed.

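A small consistency check for the setup in the step-by-step post, written as an added example (not RomanHK's or the dnscrypt-proxy project's code): it reads the resolver name from the UCI dnscrypt-proxy config, looks it up in a dnscrypt-resolvers.csv-style list, and flags a resolver that does not validate DNSSEC while dnsmasq has `option dnssec '1'`, which is the combination behind the "Insecure DS reply received" warning that comes up in this thread. The CSV column names are an assumption about the v1 list layout, and the sample rows and UCI snippets are constructed, not real data.

```python
"""Check a dnscrypt-proxy v1 resolver choice against dnsmasq's DNSSEC setting."""
import csv
import io
import re

# Constructed sample in the dnscrypt-resolvers.csv layout (column names are an
# assumption about the v1 file; the rows are invented, not real resolvers).
RESOLVERS_CSV = """\
Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
yandex,Yandex DNS,Sample row,RU,,https://example.invalid,1,no,no,no,192.0.2.1:443,2.dnscrypt-cert.example.invalid,AAAA:BBBB,
good-ns1,Good NS,Sample row,CZ,,https://example.invalid,1,yes,yes,no,192.0.2.2:443,2.dnscrypt-cert.example.invalid,CCCC:DDDD,
"""
# Constructed UCI snippets mirroring the thread's step 2 and step 3 configs.
UCI_DNSCRYPT = "config dnscrypt-proxy ns1\n\toption address '127.0.0.1'\n\toption port '5353'\n\toption resolver 'yandex'\n"
UCI_DHCP = "config dnsmasq\n\toption dnssec '1'\n\toption dnsseccheckunsigned '1'\n"

def uci_option(text, name):
    """Return the value of the first `option <name> ...` line (quoted or not), or None."""
    m = re.search(r"^\s*option\s+%s\s+'?([^'\n]+?)'?\s*$" % re.escape(name), text, re.M)
    return m.group(1) if m else None

def load_resolvers(csv_text):
    """Map resolver short name -> CSV row."""
    return {row["Name"]: row for row in csv.DictReader(io.StringIO(csv_text))}

def is_yes(row, column):
    return row[column].strip().lower() == "yes"

def check_resolver(dnscrypt_cfg, dhcp_cfg, csv_text):
    """Findings for the configured resolver; an empty list means the combination is sound."""
    name = uci_option(dnscrypt_cfg, "resolver")
    row = load_resolvers(csv_text).get(name)
    if row is None:
        return ["resolver %r is not in the resolvers list" % name]
    findings = []
    # This mismatch is what produces dnsmasq's "Insecure DS reply received" message.
    if uci_option(dhcp_cfg, "dnssec") == "1" and not is_yes(row, "DNSSEC validation"):
        findings.append("dnsmasq has dnssec=1 but %s does not validate DNSSEC" % name)
    if not is_yes(row, "No logs"):
        findings.append("%s logs queries" % name)
    return findings

def dnssec_candidates(csv_text):
    """Short names of resolvers that validate DNSSEC and claim not to log."""
    rows = load_resolvers(csv_text)
    return sorted(n for n, r in rows.items()
                  if is_yes(r, "DNSSEC validation") and is_yes(r, "No logs"))
```

Run it against the real /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv and your own UCI files before enabling `option dnssec '1'`; the candidate list still needs a live test, since the thread notes that many listed resolvers are dead.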
GarGoy
Posts: 10
Joined: Fri Apr 05, 2019 8:09 am

Re: How to install and use DNSCrypt with Gargoyle

Post by GarGoy »

Awesome reply RomanHK,
I'm keen to try setting up DNSCrypt soon; I've just had more pressing things to deal with recently.
Will post back with an update once I've attempted it.

CBx86
Posts: 157
Joined: Sun Jan 05, 2014 5:43 pm
Location: Brazil

Re: How to install and use DNSCrypt with Gargoyle

Post by CBx86 »

I'm trying.
Does Cloudflare have free DNSSEC?

Yandex gets me 286 ms
1.0.0.1 Cloudflare: 27 ms

:x

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republic

Re: How to install and use DNSCrypt with Gargoyle

Post by RomanHK »

CBx86 wrote: I'm trying.
Does Cloudflare have free DNSSEC?

Yandex gets me 286 ms
1.0.0.1 Cloudflare: 27 ms

:x
Yandex is just an example I tried. It depends on which DNSCrypt resolver you use (/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv).

Choose yourself:
https://github.com/dyne/dnscrypt-proxy/ ... olvers.csv
or
https://dnscrypt.info/public-servers/
I will add that many of them do not work.

The v2 version already uses Cloudflare - the installation procedure is in the post above.

CBx86
Posts: 157
Joined: Sun Jan 05, 2014 5:43 pm
Location: Brazil

Re: How to install and use DNSCrypt with Gargoyle

Post by CBx86 »

Thanks Roman.

I tried v2; it looks like the binary doesn't match:

Code:

/usr/sbin/dnscrypt-proxy: line 1: syntax error: unexpected word (expecting ")")
:|

Edit:
For little-endian MIPS64, kernel version 4.1 is known to fail, and 4.8 works.
Edit1:
V1 works great! But all the DNS servers are too slow for me. Except OpenDNS, which returns:
Insecure DS reply received, do upstream DNS servers support DNSSEC?

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republic

Re: How to install and use DNSCrypt with Gargoyle

Post by RomanHK »

I'm sorry, but the compiled package is just for the mvebu platform. From the author's website: "Compiled from Trunk sources for the Linksys 32x, 3200, 1900 and 1200 series routers"
If you want a different archive, you must contact the v2 author or wait for OpenWrt releases.
Insecure DS reply received, do upstream DNS servers support DNSSEC?
There's just one thing to do: turn off DNSSEC in dnsmasq and find a DNSCrypt server that supports DNSSEC.

CBx86
Posts: 157
Joined: Sun Jan 05, 2014 5:43 pm
Location: Brazil

Re: How to install and use DNSCrypt with Gargoyle

Post by CBx86 »

RomanHK wrote:
Insecure DS reply received, do upstream DNS servers support DNSSEC?
There's just one thing to do: turn off DNSSEC in dnsmasq and find a DNSCrypt server that supports DNSSEC.
Yep! This one is the last with an acceptable response for me.

Your guide works great! :D
