Install DNSCrypt on OpenWrt for Beginners


DNSCrypt is a tool for securing communications between a client and a DNS resolver using elliptic-curve cryptography in the same way the SSL turns HTTP web traffic into HTTPS encrypted Web traffic.

With DNSCrypt it can preventing spying, spoofing, and man-in-the-middle attacks from cyber criminals or even bypass DNS censorship from ISP using DNSLeak.
Warning: This tutorial was tested on OpenWrt Attitude Adjustment (12.09).

Requirements

Router minimum size requirement = (256.00 KB)

Installation

Step 1 : Install DNSCrypt
  1. Open OpenWrt's LuCI Web's Interface
  2. Select tabs System - Software
  3. Click Update List
  4. In download and install packages type "dnscrypt-proxy" then click ok
[su_accordion] [su_spoiler title="For x86 Platforms"] For x86 Platforms (New Method)
cd /tmp
wget https://downloads.openwrt.org/snapshots/trunk/x86/packages/packages/dnscrypt-proxy_1.4.1-1_x86.ipk
opkg install dnscrypt-proxy*.ipk
rm -f dnscrypt-proxy*ipk
For x86 Platforms (Old Method)
mkdir -p /etc/ssl/certs/
wget -P /etc/ssl/certs/ http://curl.haxx.se/ca/cacert.pem
cd /tmp
curl -OL --cacert /etc/ssl/certs/cacert.pem https://github.com/damianorenfer/libsodium-openwrt/raw/master/openwrt/bin/x86/libsodium_0.4.5-1_x86.ipk
opkg install libsodium_0.4.5-1_x86.ipk
rm -f libsodium*.ipk
cd /tmp
curl -OL --cacert /etc/ssl/certs/cacert.pem https://github.com/damianorenfer/dnscrypt-proxy-openwrt/raw/master/bin/x86/packages/dnscrypt-proxy_1.4.0-1_x86.ipk
opkg install dnscrypt-proxy_1.4.0-1_x86.ipk
rm -f dnscrypt-proxy*.ipk
[/su_spoiler] [su_spoiler title="If dnscrypt-proxt doesn't exist on available packages for ar71xx or change the architecture to yours"]
cd /tmp
wget http://downloads.openwrt.org/snapshots/trunk/ar71xx/packages/packages/dnscrypt-proxy_1.4.1-1_ar71xx.ipk
opkg install dnscrypt-proxy_*.ipk
rm -f dnscrypt-proxy*.ipk
[/su_spoiler] [/su_accordion]

Step 2 : Now the dnscrypt-proxy already installed you can check by doing following command or view on the software list on the router web interface
opkg status | grep -n "dnscrypt-proxy"
The command will show
  • 217:Package: dnscrypt-proxy
  • 224: /etc/config/dnscrypt-proxy 7524801bccfc5504202a7c469f9fbc51
If command doesn't show you anything maybe there is a problem with the installation of dnscrypt-proxy

Configuration

Step 3 : Configure the dnscrypt to working properly First time you're need to start dnscrypt-proxy first
  1. Connect your router via web interface
  2. Select tabs System - Startup
  3. Find in initscript - dnscrypt-proxy
  4. Click enabled and start
Step 4 : After that we need to configure Openwrt to send DNS request to dnscrypt address (127.0.0.1#2053) or (127.0.0.1#5353) for x86 Platform
  1. Select Tabs Network - DHCP and DNS
  2. Select General Setting tabs - select DNS Forwardings Fill the both column with 127.0.0.1#2053 and /pool.ntp.org/208.67.222.222
  3. Select Resolv and Hosts File - Check the Ignore Resolve file (Optional)
  4. Press Save & Apply
Step 5 : Now restart dnsmasq or router 
  1. Select Tabs System - Startup
  2. Find in initscript - dnsmasq
  3. Click Restart
You're finished the steps!

Testing

To test if dnscrypt working properly on router - Run the following commands in SSH
logread | grep -n "using nameserver"
logread | grep "Proxying from"
The command will show
  • 132:Jan  1 01:01:00 openwrt daemon.info dnsmasq[1883]: using nameserver 208.67.222.222#53 for domain pool.ntp.org
  • 133:Jan  1 01:01:00 openwrt daemon.info dnsmasq[1883]: using nameserver 127.0.0.1#2053
  • Jul 1 12:00:00 openwrt daemon.info dnscrypt-proxy[1831]: Proxying from 127.0.0.1:2053 to 208.67.220.220:443
To test if dnscrypt working properly on client
- In Windows 
  1. Open Command Prompt ( CMD )
  2. Do following commands
  3. nslookup
  4. set type=txt
  5. debug.opendns.com
- In Linux
  1. Open Terminal
  2. Do Following commands
  3. dig txt debug.opendns.com
the output is "dnscrypt enabled (7165343751484877)"

References

Update Notes

  • (15, June 2014) OpenWrt has been added "dnscrypt-proxy" packages into default packages (Attitude Adjustment 12.09 and higher)
  • (27, June 2014) Added x86 Platform and old versions installation steps (Thanks to locusf on Reddit)

Comments