
Re: How too install and use DNSCrypt with Gargoyle

Posted: Tue Apr 09, 2019 10:21 am
by GarGoy
RomanHK wrote: It's good to write configurations here, especially about:
/etc/config/dhcp
/etc/dnsmasq.conf
/etc/config/dnscrypt-proxy


When I get home, I'll test Gargoyle 1.11.X and go through it step by step again.
Here are my configs
/etc/config/dhcp


# /etc/config/dhcp as posted by GarGoy: dnsmasq ignores the WAN-supplied
# resolvers and forwards everything to the local dnscrypt-proxy listener.
# NOTE(review): RomanHK's reply further down says Gargoyle regenerates this
# file at reboot and manages `list server` itself, so the `noresolv` /
# `list server` lines set here do not survive a reboot -- on Gargoyle they
# belong in /etc/dnsmasq.conf instead.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	# dnsmasq's DNS-rebinding protection: upstream answers pointing into
	# private address space (and 127.0.0.0/8, next line) are dropped
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	# should be ignored while noresolv is set -- the ISP resolvers in this
	# file are never used
	option resolvfile '/tmp/resolv.conf.auto'
	option noresolv 1
	# every query goes to dnscrypt-proxy (127.0.0.1:5353, matching
	# /etc/config/dnscrypt-proxy)
	list server '127.0.0.1#5353'
	# exception: pool.ntp.org is resolved in cleartext via OpenDNS, i.e. it
	# bypasses DNSCrypt. Presumably a clock-bootstrap path, since
	# dnscrypt-proxy checks certificate validity dates (see the startup log
	# below) -- confirm before relying on it
	list server '/pool.ntp.org/208.67.222.222'
	# plain (unencrypted) OpenDNS fallbacks, disabled
	# list server '208.67.222.222'
	# list server '208.67.220.220'
	# additional hosts file, presumably Gargoyle's domain block list -- verify
	list addnhosts '/etc/block.hosts'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '6h'

# no DHCP service is offered on the WAN side
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
/etc/dnsmasq.conf (this is completely unedited; every line is commented out by default)


# Change the following lines if you want dnsmasq to serve SRV
# records.
# You may add multiple srv-host lines.
# The fields are <name>,<target>,<port>,<priority>,<weight>

# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 289
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389

# Two SRV records for LDAP, each with different priorities
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2

# A SRV record indicating that there is no LDAP server for the domain
# example.com
#srv-host=_ldap._tcp.example.com

# The following line shows how to make dnsmasq serve an arbitrary PTR
# record. This is useful for DNS-SD.
# The fields are <name>,<target>
#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"

# Change the following lines to enable dnsmasq to serve TXT records.
# These are used for things like SPF and zeroconf.
# The fields are <name>,<text>,<text>...

#Example SPF.
#txt-record=example.com,"v=spf1 a -all"

#Example zeroconf
#txt-record=_http._tcp.example.com,name=value,paper=A4

# Provide an alias for a "local" DNS name. Note that this _only_ works
# for targets which are names from DHCP or /etc/hosts. Give host
# "bert" another name, bertrand
# The fields are <cname>,<target>
#cname=bertand,bert
/etc/config/dnscrypt-proxy


# /etc/config/dnscrypt-proxy as posted by GarGoy. The section is unnamed
# here; RomanHK's version names it `ns1`, and the later `ps` output shows a
# generated /var/etc/dnscrypt-proxy-ns1 -- the name may be needed by the
# init script, confirm.
config dnscrypt-proxy
	# listen on loopback only; dnsmasq forwards to this address:port
	option address '127.0.0.1'
	option port '5353'
	# NOTE(review): the startup log further down reports that yandex does not
	# support DNSSEC and logs query activity -- pick another resolver if
	# privacy or DNSSEC matters
	option resolver 'yandex'
	#option resolver 'd0wn-cz-ns1'
	#option resolver 'd0wn-ro-ns1'
	#option resolver 'opendns'
	# resolver list left at the package default (commented out)
	#option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'

Re: How too install and use DNSCrypt with Gargoyle

Posted: Tue Apr 09, 2019 12:55 pm
by RomanHK
Yes, that is fine for plain OpenWrt. On Gargoyle, however, some settings have to be moved from /etc/config/dhcp into /etc/dnsmasq.conf: Gargoyle itself manages the "list server '..." entries for its "Allow NameCoin/OpenNIC Resolution" feature and regenerates /etc/config/dhcp when the router reboots, so `noresolv` / `list server` lines placed there are overwritten.

So my suggestion is:

/etc/config/dhcp


# /etc/config/dhcp as suggested by RomanHK for Gargoyle: identical to the
# previous version except that `noresolv` and the `list server` entries are
# removed -- they go into /etc/dnsmasq.conf below, which Gargoyle does not
# regenerate at reboot.
config dnsmasq
   option domainneeded '1'
   option boguspriv '1'
   option filterwin2k '0'
   option localise_queries '1'
   # dnsmasq's DNS-rebinding protection (private ranges and 127.0.0.0/8)
   option rebind_protection '1'
   option rebind_localhost '1'
   option local '/lan/'
   option domain 'lan'
   option expandhosts '1'
   option nonegcache '0'
   option authoritative '1'
   option readethers '1'
   option leasefile '/tmp/dhcp.leases'
   # should be ignored once `no-resolv` is set in /etc/dnsmasq.conf
   option resolvfile '/tmp/resolv.conf.auto'
   # additional hosts file, presumably Gargoyle's domain block list -- verify
   list addnhosts '/etc/block.hosts'

config dhcp 'lan'
   option interface 'lan'
   option start '100'
   option limit '150'
   option leasetime '6h'

# no DHCP service is offered on the WAN side
config dhcp 'wan'
   option interface 'wan'
   option ignore '1'
/etc/dnsmasq.conf (the commented-out default lines can be left out; only these lines are needed)


# /etc/dnsmasq.conf additions: do not read resolv.conf (ISP resolvers are
# never used) and send every query to the local dnscrypt-proxy listener.
no-resolv
server="127.0.0.1#5353"
# exception: pool.ntp.org is resolved in cleartext via OpenDNS, bypassing
# DNSCrypt -- presumably so NTP can set the clock before dnscrypt-proxy
# validates certificate dates; confirm, and drop it if not needed
server="/pool.ntp.org/208.67.222.222"
/etc/config/dnscrypt-proxy


# /etc/config/dnscrypt-proxy (RomanHK): one named instance, loopback only,
# on the port dnsmasq forwards to.
config dnscrypt-proxy ns1
   option address         '127.0.0.1'
   option port            '5353'
   # example resolver only -- the startup log below shows yandex logs
   # activity and lacks DNSSEC support; choose from resolvers_list
   option resolver       'yandex'
   option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'

Re: How too install and use DNSCrypt with Gargoyle

Posted: Tue Apr 09, 2019 2:28 pm
by RomanHK
DNSCrypt + DNSSEC

Step by step:
1) Install the packages over SSH as follows (on Windows I recommend PuTTY):


# Refresh the package index, install dnscrypt-proxy, then swap the stock
# dnsmasq for dnsmasq-full (the build that step 3's DNSSEC options rely on).
opkg update
opkg install dnscrypt-proxy
# the router has no resolver between this line and the next -- run both in
# the same session and do not reboot in between
opkg remove dnsmasq
# --force-overwrite lets dnsmasq-full replace files left by the stock package
opkg install dnsmasq-full --force-overwrite
2) Edit the /etc/config/dnscrypt-proxy file as follows (yandex is used here only as an example; the startup log below shows it does not support DNSSEC and logs queries, so pick a resolver from dnscrypt-resolvers.csv that suits you):


# /etc/config/dnscrypt-proxy for the DNSCrypt + DNSSEC setup: one instance
# (ns1) bound to loopback on the port dnsmasq forwards to.
config global
	# start dnscrypt-proxy from procd interface trigger rather than immediately in init
	# if needed you can restrict trigger to certain interface(s)
	# list procd_trigger 'wan'
	# list procd_trigger 'wan6'

config dnscrypt-proxy ns1
	# loopback only; nothing outside the router can reach this listener
	option address '127.0.0.1'
	option port '5353'
	# example only -- the startup log below reports that yandex lacks DNSSEC
	# support and logs your activity; the resolvers_list CSV has alternatives
	option resolver 'yandex'
	# more details about the following options can be found in:
	#    https://github.com/dyne/dnscrypt-proxy/blob/master/dnscrypt-proxy.conf
	option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
	# ephemeral keys option requires extra CPU cycles and can cause huge system load
	# (the log below warns the server's key rotation is bad for forward secrecy;
	# ephemeral keys are presumably the client-side mitigation -- confirm)
	# option ephemeral_keys '0'
	# option client_key '/path/to/client_key'
	# option log_level '6'
	# option syslog '1'
	# option syslog_prefix 'dnscrypt-proxy'
	# a query log records every name looked up on this router -- keep it off
	# unless you are debugging
	# option query_log_file '/path/to/logfile'
	# enable cache may speed up dnscrypt-proxy
	# option local_cache '0'
	# disable IPv6 may also speed up dnscrypt-proxy
	# option block_ipv6 '0'
	# Blacklists allow you to block domains, ip, ...
	# list blacklist 'domains:/path/to/domains-blacklist-file.txt'
	# list blacklist 'domains:/path/to/domains-blacklist2-file.txt'

# optional second instance on another port (disabled)
#	config dnscrypt-proxy ns2
#		option address '127.0.0.1'
#		option port '5454'
#		# option resolver 'd0wn-random-ns1'
#		# option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
#		# option ephemeral_keys '0'
#		# option client_key ''
3) Edit the /etc/config/dhcp file as follows:


# /etc/config/dhcp for the DNSCrypt + DNSSEC setup. Forwarding lives in
# /etc/dnsmasq.conf (step 4); this file adds DNSSEC validation and two
# hardening options.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	# dnsmasq's DNS-rebinding protection (private ranges and 127.0.0.0/8)
	option rebind_protection '1'
	option rebind_localhost '1'
	# NOTE(review): ".local" is the mDNS domain, so a LAN domain of 'local'
	# may clash with Bonjour/Avahi clients -- 'lan' (earlier posts) avoids that
	option local '/local/'
	option domain 'local'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	# should be ignored once `no-resolv` is set in /etc/dnsmasq.conf
	option resolvfile '/tmp/resolv.conf.auto'
	# bind to the configured interfaces only, not the wildcard address
	option nonwildcard '1'
	# only answer queries from directly-attached networks
	option localservice '1'
	# dnsmasq validates DNSSEC itself; the upstream must pass DNSSEC records
	# through. The log below shows yandex "does not support DNS Security
	# Extensions", and a later post gets "Insecure DS reply received" from
	# OpenDNS -- choose a DNSSEC-capable resolver rather than turning this off
	option dnssec '1'
	# also require proof of non-existence before treating a zone as unsigned
	option dnsseccheckunsigned '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '6h'

# no DHCP service is offered on the WAN side
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
4) Insert rows into /etc/dnsmasq.conf configuration:


# /etc/dnsmasq.conf additions: ignore resolv.conf and send every query to
# dnscrypt-proxy on loopback. Unlike the earlier suggestion there is no
# cleartext exception for pool.ntp.org here -- if the clock is wrong at boot
# and dnscrypt-proxy rejects the server certificate, NTP may not be able to
# resolve its servers; re-add that line if you see this (confirm)
no-resolv
server="127.0.0.1#5353"
and reboot the router.

After rebooting:
Test DNSSEC: https://dnssec.vs.uni-due.de/ reported a positive (validating) result.


root@TurrisOmnia:~# ping -c4 gargoyle-router.com
PING gargoyle-router.com (66.228.45.220): 56 data bytes
64 bytes from 66.228.45.220: seq=0 ttl=50 time=116.172 ms
64 bytes from 66.228.45.220: seq=1 ttl=50 time=115.955 ms
64 bytes from 66.228.45.220: seq=2 ttl=50 time=115.493 ms
64 bytes from 66.228.45.220: seq=3 ttl=50 time=116.592 ms

--- gargoyle-router.com ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 115.493/116.053/116.592 ms
root@TurrisOmnia:~#

root@TurrisOmnia:~# nslookup gargoyle-router.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:      gargoyle-router.com
Address 1: 66.228.45.220
*** Can't find gargoyle-router.com: No answer
root@TurrisOmnia:~#

root@TurrisOmnia:~# ps | grep dnscrypt-proxy
22167 nobody    1580 S    /usr/sbin/dnscrypt-proxy /var/etc/dnscrypt-proxy-ns1
22469 root      1064 R    grep dnscrypt-proxy
root@TurrisOmnia:~#

root@TurrisOmnia:~# logread | grep dnscrypt-proxy
Tue Apr  9 20:18:17 2019 user.info : dnscrypt-proxy - [yandex] does not support DNS Security Extensions
Tue Apr  9 20:18:17 2019 user.warn : dnscrypt-proxy - [yandex] logs your activity - a different provider might be better a choice if privacy is a concern
Tue Apr  9 20:18:17 2019 daemon.notice dnscrypt-proxy[8246]: dnscrypt-proxy Starting dnscrypt-proxy 1.9.5
Tue Apr  9 20:18:17 2019 daemon.info dnscrypt-proxy[8246]: dnscrypt-proxy Generating a new session key pair
Tue Apr  9 20:18:17 2019 daemon.info dnscrypt-proxy[8246]: dnscrypt-proxy Done
Tue Apr  9 20:18:17 2019 daemon.info dnscrypt-proxy[8246]: dnscrypt-proxy Server certificate with serial #1547797595 received
Tue Apr  9 20:18:17 2019 daemon.info dnscrypt-proxy[8246]: dnscrypt-proxy This certificate is valid
Tue Apr  9 20:18:17 2019 daemon.info dnscrypt-proxy[8246]: dnscrypt-proxy Chosen certificate #1547797595 is valid from [2019-01-18] to [2020-01-18]
Tue Apr  9 20:18:17 2019 daemon.info dnscrypt-proxy[8246]: dnscrypt-proxy The key rotation period for this server may exceed the recommended value. This is bad for forward secrecy.
Tue Apr  9 20:18:17 2019 daemon.info dnscrypt-proxy[8246]: dnscrypt-proxy Server key fingerprint is 8DF9:C0B3:1881:1DFB:0518:E1DF:9FC1:5571:881D:E465:87F5:72C9:187D:9E24:866A:1321
Tue Apr  9 20:18:17 2019 daemon.notice dnscrypt-proxy[8246]: dnscrypt-proxy Proxying from 127.0.0.1:5353 to 77.88.8.78:15353
root@TurrisOmnia:~#
Everything works — tested on a Turris Omnia with Gargoyle 1.11.0, which confirms the procedure. Note the warnings in the log above: yandex does not support DNSSEC and logs your activity, and its key rotation period exceeds the recommended value (weaker forward secrecy); choose a different resolver if that matters to you. dnscrypt-proxy itself runs as `nobody`, as the `ps` output shows.

Re: How too install and use DNSCrypt with Gargoyle

Posted: Fri Apr 12, 2019 5:38 pm
by RomanHK

Re: How too install and use DNSCrypt with Gargoyle

Posted: Fri Apr 26, 2019 7:57 am
by GarGoy
Awesome reply RomanHK,
I'm keen to try setup DNSCrypt soon, just had more pressing things to deal with recently.
Will post back with update once ive attempted.

Re: How too install and use DNSCrypt with Gargoyle

Posted: Sat Apr 27, 2019 10:53 am
by CBx86
Im trying.
cloudflare have a free dnssec?

Yandex get-me 286 ms
1.0.0.1 cloudflare: 27ms

:x

Re: How too install and use DNSCrypt with Gargoyle

Posted: Sat Apr 27, 2019 11:38 am
by RomanHK
CBx86 wrote:Im trying.
cloudflare have a free dnssec?

Yandex get-me 286 ms
1.0.0.1 cloudflare: 27ms

:x
Yandex is just the example I tested with. The latency depends on which DNSCrypt server you choose (see /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv).

Choose yourself:
https://github.com/dyne/dnscrypt-proxy/ ... olvers.csv
or
https://dnscrypt.info/public-servers/
I will add that many of them do not work.

The v2 version already uses Cloudflare — the installation procedure is in the post above. If you install a third-party build of dnscrypt-proxy v2, check the archive's checksum (or signature, if the author publishes one) before installing it: the binary handles all of your DNS traffic.

Re: How too install and use DNSCrypt with Gargoyle

Posted: Sat Apr 27, 2019 1:34 pm
by CBx86
Thanks Roman.

I tried v2, but the binary doesn't seem to match my platform:


/usr/sbin/dnscrypt-proxy: line 1: syntax error: unexpected word (expecting ")")
:|

Edit:
For little-endian MIPS64, kernel version 4.1 is known to fail, and 4.8 works.
Edit1:
V1 works great, but all the resolvers are too slow for me — except OpenDNS, which returns:
Insecure DS reply received, do upstream DNS servers support DNSSEC?

Re: How too install and use DNSCrypt with Gargoyle

Posted: Sat Apr 27, 2019 2:32 pm
by RomanHK
I'm sorry, but that compiled package is only for the mvebu platform. From the author's website: "Compiled from Trunk sources for the Linksys 32x, 3200, 1900 and 1200 series routers". The "syntax error" you saw is what the shell prints when it is asked to run a binary built for a different architecture as if it were a script.
If you need a build for a different architecture, contact the v2 author or wait for an OpenWrt release.
Insecure DS reply received, do upstream DNS servers support DNSSEC?
There is only one cause for that message: the upstream resolver does not return DNSSEC data. Either pick a DNSCrypt server that supports DNSSEC (dnscrypt-proxy logs "does not support DNS Security Extensions" at startup for those that don't), or turn off `option dnssec` in dnsmasq — but disabling validation gives up the DNSSEC protection entirely, so switching resolver is the better fix.

Re: How too install and use DNSCrypt with Gargoyle

Posted: Sat Apr 27, 2019 2:52 pm
by CBx86
RomanHK wrote:
Insecure DS reply received, do upstream DNS servers support DNSSEC?
Here's just one, turn off DNSSEC at dnsmasq and find the DNSCrypt server that DNSSEC supports.
Yep! That one was the last resolver with an acceptable response time for me.

Your guide works great! :D