XYMer's Home away from Home

When http://bbs.xlr8yourmac.com is down (i.e. always)
It is currently Sat Apr 29, 2017 5:21 pm

All times are UTC - 8 hours

PostPosted: Sun Apr 02, 2017 6:30 am 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5807
Location: NYC
An update, of sorts:
MonkeyBoy wrote:
Under Status -> Logs you can check on what DNS servers are in use. Look there after pressing save on advanced -> dns/dhcp since that reloads dnsmasq. When dnsmasq is loaded it lists information about the dns servers in use and some other configuration options. With "strict order" selected under dnscrypt proxy on basic -> network it should always hit the dnscrypt proxy first.

Well, when I do that I get the following, first with the two OpenDNS nameserver IPs, and finally, Proxying from 127.0.0.1:40 to 212.47.228.136:443:

Apr 2 09:50:58 unknown daemon.info dnsmasq[3381]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset Tomato-helper auth no-DNSSEC loop-detect no-inotify
Apr 2 09:50:58 unknown daemon.info dnsmasq[3381]: asynchronous logging enabled, queue limit is 10 messages
Apr 2 09:50:58 unknown daemon.info dnsmasq-dhcp[3381]: DHCP, IP range 192.168.1.2 -- 192.168.1.51, lease time 1d
Apr 2 09:50:58 unknown daemon.info dnsmasq[3381]: using nameserver 127.0.0.1#40
Apr 2 09:50:58 unknown daemon.info dnsmasq[3381]: reading /etc/resolv.dnsmasq
Apr 2 09:50:58 unknown daemon.info dnsmasq[3381]: using nameserver 127.0.0.1#40
Apr 2 09:50:58 unknown daemon.info dnsmasq[3381]: using nameserver 208.67.222.222#53
Apr 2 09:50:58 unknown daemon.info dnsmasq[3381]: using nameserver 208.67.220.220#53

Apr 2 09:50:58 unknown daemon.info dnsmasq[3381]: read /etc/hosts - 14 addresses
Apr 2 09:50:58 unknown daemon.info dnsmasq[3381]: read /etc/dnsmasq/hosts/hosts - 3 addresses
Apr 2 09:50:58 unknown daemon.info dnsmasq-dhcp[3381]: read /etc/dnsmasq/dhcp/dhcp-hosts
Apr 2 09:50:58 unknown daemon.notice dnscrypt-proxy[3401]: Starting dnscrypt-proxy 1.4.1
Apr 2 09:50:58 unknown daemon.info dnscrypt-proxy[3401]: Initializing libsodium for optimal performance
Apr 2 09:50:58 unknown daemon.info dnscrypt-proxy[3401]: Generating a new key pair
Apr 2 09:50:58 unknown daemon.info dnscrypt-proxy[3401]: Done
Apr 2 09:50:58 unknown daemon.notice dnscrypt-proxy[3403]: Starting dnscrypt-proxy 1.4.1
Apr 2 09:50:58 unknown daemon.info dnscrypt-proxy[3403]: Initializing libsodium for optimal performance
Apr 2 09:50:58 unknown daemon.info dnscrypt-proxy[3403]: Generating a new key pair
Apr 2 09:50:58 unknown daemon.info dnscrypt-proxy[3403]: Done
Apr 2 09:50:58 unknown daemon.info dnscrypt-proxy[3401]: Server certificate #1491128999 received
Apr 2 09:50:58 unknown daemon.info dnscrypt-proxy[3401]: This certificate looks valid
Apr 2 09:50:58 unknown daemon.warn dnscrypt-proxy[3401]: Unsupported certificate version
Apr 2 09:50:58 unknown daemon.info dnscrypt-proxy[3401]: Chosen certificate #1491128999 is valid from [2017-04-03] to [2017-04-04]
Apr 2 09:50:58 unknown daemon.info dnscrypt-proxy[3401]: Server key fingerprint is 6EF7:28D1:15AD:B66F:FFDE:5963:BD99:2B85:2F2C:248F:DCFD:B8CF:85EC:8DDC:17C5:1144
Apr 2 09:50:58 unknown daemon.notice dnscrypt-proxy[3401]: Proxying from 127.0.0.1:40 to 212.47.228.136:443


From what I can tell, this could be normal, since dnscrypt, at least in Tomato, is a feature inseparable from OpenDNS (in fact, when I remove the two OpenDNS IPs from Static DNS, and leave them blank, but leave the dnscrypt.org-fr still checked, I can't go anywhere, no Internet. See Edit below.)* Long discussion here, which includes Shibby himself. Seems to be the genesis of dnscrypt integration into his Tomato. It seems clear from this discussion that dnscrypt-proxy, at least in Shibby Tomato, cannot run independently of OpenDNS. Think the dnscrypt is first generated by OpenDNS. That's why those OpenDNS #s appear first.

This is my current Dnsmasq, and nothing seems to be harmed, as far as I can tell:

#Never forward non-routable address requests
bogus-priv
#Never forward requests w/o a .TLD
domain-needed
#Stop ACK and REQ DHCP spam
quiet-dhcp
#Prevent proxy server request spam
dhcp-option=252,"\n"
#Larger cache for dnsmasq
cache-size=5000
#Larger queue for logging
log-async=10
#Block Verizon DNS servers
bogus-nxdomain=71.243.0.12
bogus-nxdomain=68.237.161.12

#Block iOS update
#address=/mesu.apple.com/10.255.255.1


The following sites report dnscrypt.org-fr 212.47.228.136 or 136-228-47-212.rev.cloud.scaleway.com as the DNS I'm using:

https://www.dnsleaktest.com/

https://ipleak.net/ (almost always shows just one DNS, but very occasionally reports the two OpenDNS nos., along with the French IP. Not really sure why it does that, or what to make of it. Does it mean that sometimes both are doing DNS resolution?)

Also the DNSSEC Resolver Test at http://dnssec.vs.uni-due.de/ always reports that DNSSEC signatures are being validated. Not sure if that's by way of dnscrypt or OpenDNS.

However, once in a while, get a strange result from dig whoami.akamai.net +short
Just now, it's 37.143.85.4, which appears to be some Dutch T-Mobile ISP. The other day, got one from Germany. But almost always, get the expected 212.47.228.136. I don't really understand how that command works to report the DNS server. Maybe this is a hop on the way? Edit: just tried again after writing all this, and got the correct result. Besides this one fluke or anomaly, everything else I'm using to determine the actual DNS server consistently reports the French dnscrypt.org-fr IP.

Wondering what you think of all this? At least for DNS, you think VZ is completely out of the loop now?

* EDIT: Not so, removed those a second time and was able to browse, and get the check mark from https://www.opendns.com/welcome/. Reread that discussion with Shibby, link above, and saw that this should be the case.

One thing I am a little concerned with is that the version of dnscrypt, 1.4.1, in my Shibby build might be somewhat outdated. Seems to be among the archived versions. Seems it's up to 1.9.4 now. Not sure it matters all that much https://github.com/jedisct1/dnscrypt-pr ... aster/NEWS


PostPosted: Sun Apr 02, 2017 11:46 am 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9183
Location: Caught between the moon and NYC
Yes, the version you're using is older; however, even if you upgraded to the latest version you still wouldn't be on the current version. Until shibby gets back from his hiatus his builds are frozen. I've had stability problems with Toastman's builds on N12D1s, so I wouldn't recommend switching.

I would guess the reason OpenDNS shows up periodically is that sometimes the dnscrypt connection times out so it moves on to the OpenDNS servers.

The only way Verizon would get into your loop now is to redirect those occasional OpenDNS queries to their own servers. As you can see from the list of servers you're only using 127.0.0.1, 208.67.222.222, and 208.67.220.220.

OpenDNS was one of the first providers to support dnscrypt. If I remove OpenDNS servers from my configuration it will still work. If DNSCrypt fails it would fail over to my WAN port's DHCP'd DNS servers, which are listed in Tomato's logs after dnscrypt's 127.0.0.1 (or at least they are when I remove OpenDNS servers).

Keep in mind the information in that thread is 4-5 years old. There are more dnscrypt providers than opendns now, and a perfectly good reason for using dnscrypt has just come to light.

I'll try to figure out how to add the second DNSSEC cert into dnsmasq. It actually looks like I have all the info needed from the man page and the page linked from the man page, the arguments just need to be placed in the right order, using values from the xml file.


PostPosted: Mon Apr 03, 2017 10:45 am 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9183
Location: Caught between the moon and NYC
I think this should work to add current trust anchors:
#trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

It goes into Custom configuration on advanced -> dhcp/dns.

This is based on data from https://data.iana.org/root-anchors/root-anchors.xml (feel free, in fact please do, check that the values match).

I believe only the second (new) certificate is needed; the first is already part of the dnscrypt client. However, if dnscrypt starts logging errors, remove the # from the start of the first line, which means both new & old keys should be present. If it still logs errors then either delete or comment out (insert # at the start) both lines.

Check status -> log after pressing save on the advanced -> dhcp/dns page. This reloads dnsmasq with the new configuration, which immediately blats out a bunch of logged data about its current configuration and whether it loaded correctly. Logging errors about a particular line means dnsmasq failed to load due to an error on that particular line.

Note that I'm at work right now and don't actually have any Tomato routers available running a version that includes DNSCrypt, so this is totally untested until I get home tonight.
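An added check for the trust-anchor lines above (example code written for this page, not from the thread, Tomato or dnsmasq): it parses a file in the layout of IANA's root-anchors.xml, emits the matching dnsmasq trust-anchor= lines, and compares them with the two lines posted. The XML embedded below is constructed to mirror that layout and carries the key tags and digests quoted in the post; the KeyDigest ids, the validFrom dates and the TrustAnchor id are placeholders, not values copied from the live file, so a real check should feed the script the downloaded file instead.

```python
"""Turn a root-anchors.xml style file into dnsmasq trust-anchor= lines and
cross-check a posted dnsmasq configuration against it."""
import datetime as dt
import xml.etree.ElementTree as ET

# Constructed sample in the layout of IANA's root-anchors.xml. The two digests
# are the ones quoted in the thread; the id and validFrom attributes are
# placeholders (assumption), not copied from the live file.
SAMPLE_ROOT_ANCHORS = """<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="PLACEHOLDER-ID" xmlns="http://data.iana.org/TrustAnchor">
<Zone>.</Zone>
<KeyDigest id="PLACEHOLDER-1" validFrom="2010-07-15T00:00:00+00:00">
<KeyTag>19036</KeyTag>
<Algorithm>8</Algorithm>
<DigestType>2</DigestType>
<Digest>49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</Digest>
</KeyDigest>
<KeyDigest id="PLACEHOLDER-2" validFrom="2017-02-02T00:00:00+00:00">
<KeyTag>20326</KeyTag>
<Algorithm>8</Algorithm>
<DigestType>2</DigestType>
<Digest>E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D</Digest>
</KeyDigest>
</TrustAnchor>
"""

# The two lines posted in the thread (leading '#' = commented out).
POSTED = [
    "#trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5",
    "trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D",
]


def _local(tag):
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def _parse_ts(value):
    return dt.datetime.fromisoformat(value) if value else None


def parse_root_anchors(xml_text):
    """Return one dict per <KeyDigest>, in file order, with parsed fields."""
    root = ET.fromstring(xml_text)
    zone, anchors = ".", []
    for child in root:
        name = _local(child.tag)
        if name == "Zone":
            zone = child.text.strip()
        elif name == "KeyDigest":
            fields = {_local(f.tag): (f.text or "").strip() for f in child}
            anchors.append({
                "zone": zone,
                "keytag": int(fields["KeyTag"]),
                "algorithm": int(fields["Algorithm"]),
                "digest_type": int(fields["DigestType"]),
                "digest": fields["Digest"].upper(),
                "valid_from": _parse_ts(child.get("validFrom")),
                "valid_until": _parse_ts(child.get("validUntil")),
            })
    return anchors


def is_current(anchor, at):
    """True when 'at' falls inside the anchor's validFrom/validUntil window."""
    if anchor["valid_from"] and at < anchor["valid_from"]:
        return False
    if anchor["valid_until"] and at >= anchor["valid_until"]:
        return False
    return True


def to_dnsmasq_lines(anchors, at=None):
    """dnsmasq syntax: trust-anchor=<zone>,<keytag>,<alg>,<digest type>,<digest>.
    Anchors outside their validity window are emitted commented out."""
    at = at or dt.datetime.now(dt.timezone.utc)
    lines = []
    for a in anchors:
        line = "trust-anchor={zone},{keytag},{algorithm},{digest_type},{digest}".format(**a)
        lines.append(line if is_current(a, at) else "#" + line)
    return lines


def parse_dnsmasq_trust_anchor(line):
    """Parse one trust-anchor= line; returns None for any other config line."""
    stripped = line.strip()
    commented = stripped.startswith("#")
    stripped = stripped.lstrip("#").strip()
    if not stripped.startswith("trust-anchor="):
        return None
    zone, keytag, alg, dtype, digest = stripped[len("trust-anchor="):].split(",")
    return {"zone": zone, "keytag": int(keytag), "algorithm": int(alg),
            "digest_type": int(dtype), "digest": digest.upper(), "commented": commented}


def check_posted(posted_lines, anchors):
    """Map each posted key tag to 'match', 'digest mismatch' or 'unknown keytag'."""
    by_tag = {a["keytag"]: a for a in anchors}
    result = {}
    for line in posted_lines:
        p = parse_dnsmasq_trust_anchor(line)
        if p is None:
            continue
        a = by_tag.get(p["keytag"])
        if a is None:
            result[p["keytag"]] = "unknown keytag"
        elif (a["algorithm"], a["digest_type"], a["digest"]) != (p["algorithm"], p["digest_type"], p["digest"]):
            result[p["keytag"]] = "digest mismatch"
        else:
            result[p["keytag"]] = "match"
    return result


if __name__ == "__main__":
    anchors = parse_root_anchors(SAMPLE_ROOT_ANCHORS)
    print("\n".join(to_dnsmasq_lines(anchors)))
    print(check_posted(POSTED, anchors))
```

Running it against the real file is just `parse_root_anchors(open("root-anchors.xml").read())`; a "digest mismatch" for a key tag means the posted line should not be pasted into Custom configuration.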


PostPosted: Mon Apr 03, 2017 1:26 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5807
Location: NYC
Thanks MB, will try to give that a test.* But in the meantime things got just a little funky. Have a bad cold, so not sure I remember everything I've tried. Was using dnscrypt.org-fr, but found that, starting yesterday, it was unable to resolve ipleak.net, couldn't go there, kept getting "server not found." And pinging the ipleak address, kept getting "unable to resolve." Actually, removing dnscrypt.org-fr and putting it back in would work for that URL for a little while and then flake out again.

Removed that and tried inputting several manually from https://github.com/jedisct1/dnscrypt-pr ... olvers.csv (hard to know which ones there are trustworthy, even with research). But couldn't get any of those to work, so now using dnscrypt.eu-nl from the dropdown menu. Several things have been kind of weird. First, often when I run the command dig whoami.akamai.net +short (with or without +short), get IPs all over the place: Thailand, Pakistan, Germany, instead of 176.56.237.171. This was also happening with dnscrypt.org-fr, so think it must be something to do with that akamai command--don't really understand what akamai's role in finding my DNS server is supposed to be.

When I run dig resolver.dnscrypt.org (no akamai) it always returns the correct IP, 176.56.237.171. As do dnsleaktest and ipleak, and the Tomato log. So pretty certain that that akamai command is just flaky. But what has been really weird is that almost every time I remove a dnscrypt-proxy resolver and add one back in, my ISP, Verizon, gives me a new IP. I've gone through three or four new ones now, where I had kept the previous one for months, at least. No idea what's up with that.

Also, no longer getting the check mark from https://www.opendns.com/welcome/. No idea why, but don't really care about that, since when I tried the manual field with those github entries--which didn't work--it would always fall back to the usual OpenDNS IPs. They're still in Static DNS.

-------------------------------

*No good for those trust anchor additions, with or without removing the # at the first line:

Apr 3 17:33:46 unknown user.debug init[1]: dnsmasq terminated unexpectedly, restarting.
Apr 3 17:33:46 unknown daemon.crit dnsmasq[1964]: unsupported option (check that dnsmasq was compiled with DHCP/TFTP/DNSSEC/DBus support) at line 32 of /etc/dnsmasq.conf
Apr 3 17:33:46 unknown daemon.crit dnsmasq[1964]: FAILED to start up
Apr 3 17:33:47 unknown daemon.notice dnscrypt-proxy[1984]: Starting dnscrypt-proxy 1.4.1
Apr 3 17:33:47 unknown daemon.info dnscrypt-proxy[1984]: Initializing libsodium for optimal performance
Apr 3 17:33:47 unknown daemon.info dnscrypt-proxy[1984]: Generating a new key pair
Apr 3 17:33:47 unknown daemon.info dnscrypt-proxy[1984]: Done
Apr 3 17:33:47 unknown daemon.notice dnscrypt-proxy[1986]: Starting dnscrypt-proxy 1.4.1
Apr 3 17:33:47 unknown daemon.info dnscrypt-proxy[1986]: Initializing libsodium for optimal performance
Apr 3 17:33:47 unknown daemon.info dnscrypt-proxy[1986]: Generating a new key pair
Apr 3 17:33:47 unknown daemon.info dnscrypt-proxy[1986]: Done
Apr 3 17:33:47 unknown user.debug init[1]: dnsmasq terminated unexpectedly, restarting.
Apr 3 17:33:47 unknown daemon.crit dnsmasq[1987]: unsupported option (check that dnsmasq was compiled with DHCP/TFTP/DNSSEC/DBus support) at line 32 of /etc/dnsmasq.conf
Apr 3 17:33:47 unknown daemon.crit dnsmasq[1987]: FAILED to start up
Apr 3 17:33:47 unknown daemon.notice dnscrypt-proxy[2007]: Starting dnscrypt-proxy 1.4.1
Apr 3 17:33:47 unknown daemon.info dnscrypt-proxy[2007]: Initializing libsodium for optimal performance
Apr 3 17:33:47 unknown daemon.info dnscrypt-proxy[2007]: Generating a new key pair
Apr 3 17:33:47 unknown daemon.info dnscrypt-proxy[2007]: Done
Apr 3 17:33:47 unknown daemon.notice dnscrypt-proxy[2009]: Starting dnscrypt-proxy 1.4.1
Apr 3 17:33:47 unknown daemon.info dnscrypt-proxy[2009]: Initializing libsodium for optimal performance
Apr 3 17:33:47 unknown daemon.info dnscrypt-proxy[2009]: Generating a new key pair
Apr 3 17:33:47 unknown daemon.info dnscrypt-proxy[2009]: Done
Apr 3 17:33:47 unknown user.debug init[1]: dnsmasq terminated unexpectedly, restarting.
Apr 3 17:33:47 unknown daemon.crit dnsmasq[2017]: unsupported option (check that dnsmasq was compiled with DHCP/TFTP/DNSSEC/DBus support) at line 32 of /etc/dnsmasq.conf
Apr 3 17:33:47 unknown daemon.crit dnsmasq[2017]: FAILED to start up


PostPosted: Mon Apr 03, 2017 1:56 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9183
Location: Caught between the moon and NYC
Ah. It looks like 132's dnsmasq was compiled without dnssec support. That's kind of a good thing, since now we know we don't have to worry about updating it with the new cert. I would just ignore those two lines then, they're superfluous.

Basically when you see "dnsmasq: FAILED to start up" that means DNSMasq has failed to load so you won't have DNS or DHCP until you correct the configuration problem you just introduced. In this case it should be the trust-anchor lines.

To be honest since enabling dnscrypt I haven't noticed any major issues. DNS resolution is a little slower which causes complex pages to load slower since they have a billion DNS lookups for each and every stinking little widget and script and who knows what else.
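An added log check (example code written for this page, not from the thread or from Tomato) that covers both the dnsmasq startup log quoted in the first post on this page and the failed start quoted later: it parses the syslog lines, lists dnsmasq's upstreams in the order it reported them, reads the dnscrypt-proxy route, confirms the proxy listener is the first upstream (what "strict order" is meant to guarantee), and pulls out any "FAILED to start up" together with the /etc/dnsmasq.conf line dnsmasq blamed. The sample lines are copied from the posts above; the function names are mine.

```python
"""Parse Tomato's dnsmasq / dnscrypt-proxy syslog lines and answer two
questions: which upstream is queried first, and did dnsmasq fail to start?"""
import re

# Sample lines taken from the startup log quoted earlier in the thread.
LOG_OK = """\
Apr 2 09:50:58 unknown daemon.info dnsmasq[3381]: using nameserver 127.0.0.1#40
Apr 2 09:50:58 unknown daemon.info dnsmasq[3381]: reading /etc/resolv.dnsmasq
Apr 2 09:50:58 unknown daemon.info dnsmasq[3381]: using nameserver 127.0.0.1#40
Apr 2 09:50:58 unknown daemon.info dnsmasq[3381]: using nameserver 208.67.222.222#53
Apr 2 09:50:58 unknown daemon.info dnsmasq[3381]: using nameserver 208.67.220.220#53
Apr 2 09:50:58 unknown daemon.notice dnscrypt-proxy[3401]: Starting dnscrypt-proxy 1.4.1
Apr 2 09:50:58 unknown daemon.warn dnscrypt-proxy[3401]: Unsupported certificate version
Apr 2 09:50:58 unknown daemon.notice dnscrypt-proxy[3401]: Proxying from 127.0.0.1:40 to 212.47.228.136:443
"""

# Sample lines taken from the failed restart quoted after the trust-anchor attempt.
LOG_FAILED = """\
Apr 3 17:33:46 unknown user.debug init[1]: dnsmasq terminated unexpectedly, restarting.
Apr 3 17:33:46 unknown daemon.crit dnsmasq[1964]: unsupported option (check that dnsmasq was compiled with DHCP/TFTP/DNSSEC/DBus support) at line 32 of /etc/dnsmasq.conf
Apr 3 17:33:46 unknown daemon.crit dnsmasq[1964]: FAILED to start up
"""

# BSD syslog shape as Tomato writes it: "<ts> <host> <facility.level> <prog>[<pid>]: <msg>"
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<facility>[\w.]+) "
    r"(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
PROXY = re.compile(r"Proxying from (\S+) to (\S+)")
BAD_LINE = re.compile(r"at line (\d+) of (\S+)$")


def parse_syslog(text):
    """One dict per recognised line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(SYSLOG.match, text.splitlines()) if m]


def upstreams_in_order(records):
    """dnsmasq upstreams in the order logged, duplicates collapsed (dnsmasq logs
    127.0.0.1#40 once before and once after reading /etc/resolv.dnsmasq)."""
    seen, order = set(), []
    for r in records:
        if r["prog"] == "dnsmasq" and r["msg"].startswith("using nameserver "):
            ns = r["msg"].split()[-1]
            if ns not in seen:
                seen.add(ns)
                order.append(ns)
    return order


def proxy_route(records):
    """(listen, target) from dnscrypt-proxy's 'Proxying from ... to ...' line, or None."""
    for r in records:
        if r["prog"] == "dnscrypt-proxy":
            m = PROXY.search(r["msg"])
            if m:
                return m.group(1), m.group(2)
    return None


def dnscrypt_first(records):
    """True when dnsmasq's first upstream is the dnscrypt-proxy listener."""
    route, order = proxy_route(records), upstreams_in_order(records)
    if not route or not order:
        return False
    # dnscrypt-proxy logs host:port, dnsmasq logs host#port
    return order[0] == route[0].replace(":", "#")


def dnsmasq_failures(records):
    """(pid, conf line, conf file) for each 'FAILED to start up'; the line and
    file are None when dnsmasq did not name the offending option."""
    bad_line, failures = {}, []
    for r in records:
        if r["prog"] != "dnsmasq":
            continue
        m = BAD_LINE.search(r["msg"])
        if m:
            bad_line[r["pid"]] = (int(m.group(1)), m.group(2))
        if r["msg"] == "FAILED to start up":
            failures.append((r["pid"],) + bad_line.get(r["pid"], (None, None)))
    return failures


def warnings(records):
    """Messages logged at the .warn level, e.g. dnscrypt-proxy's certificate notice."""
    return [r["msg"] for r in records if r["facility"].endswith(".warn")]


if __name__ == "__main__":
    ok = parse_syslog(LOG_OK)
    print("upstreams:", upstreams_in_order(ok), "route:", proxy_route(ok))
    print("dnscrypt first:", dnscrypt_first(ok), "warnings:", warnings(ok))
    print("failures:", dnsmasq_failures(parse_syslog(LOG_FAILED)))
```

On a router the same functions can be pointed at the text copied from Status -> Logs; a non-empty result from dnsmasq_failures() is the "no DNS or DHCP until you fix the config" state described above, and the tuple tells you which /etc/dnsmasq.conf line to look at.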


PostPosted: Mon Apr 03, 2017 2:09 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5807
Location: NYC
What dnscrypt-proxy resolver are you using at home? Any recommendations? If it's any indication of the latency to dnscrypt.eu-nl, when I ping 176.56.237.171, I'm getting ~92 ms. Doesn't seem that bad.


PostPosted: Tue Apr 04, 2017 12:14 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9183
Location: Caught between the moon and NYC
I'm just using dnscrypt-fr, same as you were. I figured I may as well try the same server so I'd get a similar experience. I'm on 132 on an N66, dual band but still a MIPS R2 CPU.


PostPosted: Tue Apr 04, 2017 1:58 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5807
Location: NYC
Curious to know if it was just me: are you seeing any problems with dnscrypt-fr resolving or pinging ipleak.net? Was good for a few days, then all of a sudden became flaky. Would work for a while then stop. Realize this will have to wait until you get home.

dnscrypt.eu-nl seems solid, so far. No logging + DNSSEC validation, just like dnscrypt-fr.


PostPosted: Tue Apr 04, 2017 3:41 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9183
Location: Caught between the moon and NYC
I only went there a few times to verify it was working.


PostPosted: Tue Apr 04, 2017 4:14 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5807
Location: NYC
This has been a long and winding road. Had no idea a broken router would lead to all this: DNS encryption as a defense against data mining, the silver lining. Thanks for all the help and for patiently putting up with all my questions.


PostPosted: Tue Apr 04, 2017 4:22 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9183
Location: Caught between the moon and NYC
No biggie. I guess I should have seen this latest twist coming, but I figured there wouldn't be sufficient political will in Congress to risk the wrath of the voting public to pull this off.

Guess they think by 2018 and 2020 nobody will remember a time when ISPs weren't allowed to mangle every packet of data coming in and out of their customer's connection. :roll:


PostPosted: Tue Apr 04, 2017 4:44 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5807
Location: NYC
Seen this?

https://slifty.github.io/internet_noise/index.html

https://www.wired.com/2017/03/wanna-pro ... ake-noise/


PostPosted: Tue Apr 04, 2017 5:09 pm 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 14371
Interesting, but...
Quote:
Schultz’s site isn’t that effective at truly jamming my signal. It’s actually too random. It doesn’t linger on sites very long, nor does it revisit them. In other words, it doesn’t really look human, and smart-enough tracking algorithms likely know that.

Tried it anyway, at my current slow 20 KB/sec speed, no sites fully loaded before it was attempting another one.


PostPosted: Tue Apr 04, 2017 5:34 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5807
Location: NYC
Yeah, from what I've read, it's meant more as protest than as an effective jammer. But more are being developed that may do the job. And Schultz may be refining his.


PostPosted: Tue Apr 04, 2017 9:33 pm 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 14371
Realize I know nothing about what I'm talking about, but I think the cure is randomly editing those snoopy Cookies! :D


PostPosted: Thu Apr 06, 2017 12:18 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9183
Location: Caught between the moon and NYC
Needs to randomize the amount of time it spends on any particular website. And maybe a larger pool of terms it can throw together, although then you run a greater risk of getting sucked into malware websites.

Though I think starting Chrome in incognito mode and letting it percolate through websites is the best option. When Chrome is closed all those cookies and supercookies and ultracookies and who knows what else are nuked with extreme prejudice. Basically nothing survives incognito mode after you shut down the incognito session.


PostPosted: Thu Apr 06, 2017 1:57 pm 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 14371
How about creating a new History with millions of lines of https://mr_rogers_neiborhood... or such?


PostPosted: Thu Apr 06, 2017 2:09 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9183
Location: Caught between the moon and NYC
Everything to do with the incognito window is purged when the incognito window is closed. History, cache, cookies, flash cookies, everything. Nothing survives.


PostPosted: Thu Apr 06, 2017 2:49 pm 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 14371
But hasn't Chrome already sent all your info to google?


PostPosted: Thu Apr 06, 2017 2:55 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9183
Location: Caught between the moon and NYC
Yeah, you take the good, you take the bad, you take them both, and then you have Google Chrome.

I would be surprised if Firefox's Private Browsing mode didn't work the same way though.


PostPosted: Thu Apr 06, 2017 3:44 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9183
Location: Caught between the moon and NYC
BTW, WZZZ, since you're not using QoS or pretty much any of the more advanced features of Tomato, you probably could enable FastNAT and eke out a little more performance from your N12.

Try opening an ssh session with your router and type modprobe bcm_nat. ssh root@192.168.1.1 plus your admin password in Terminal will get you into an ssh session. If the router is still running and doesn't spontaneously reboot then FastNAT should be enabled. You can test this by running a speedtest before and after enabling FastNAT.

To make it permanent put modprobe bcm_nat into administration -> scripts -> init. However you definitely don't want to do this until you've done it by hand first and verified it survives something stressful like a speed test.

I use QoS and other features in Tomato but since it sounds like you're not using them then you may be able to better utilize your connection with this setting.


PostPosted: Fri Apr 07, 2017 6:32 am 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5807
Location: NYC
Quote:
type modprobe bcm_nat. ssh root@192.168.1.1 plus your admin password

Admin>Access is properly set up for SSH. Gave it a try, with and without password:

-bash: modprobe: command not found

admin pw is pw from admin account?--we're not using my Tomato login pw?

PostPosted: Sat Apr 08, 2017 8:39 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9183
Location: Caught between the moon and NYC
There's only root in Tomato, admin & root use the same password. As a bonus you can use either root or admin to log into the website but ssh can only use root.

The only way to log into Tomato over ssh w/o a password login is with certificates you define and set up ahead of time. Basically if you want to log in over ssh don't uncheck that box.

Oh well, it looks like Shibby may have removed bcm_nat a little while ago. I can't enable it on my router either.


PostPosted: Wed Apr 12, 2017 6:19 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9183
Location: Caught between the moon and NYC
Apparently Shibby got married and went on his honeymoon and will be back whenever he works out his priorities. He might not be coming back.


PostPosted: Wed Apr 12, 2017 6:32 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5807
Location: NYC
Time off from software development to get married. What nerve!

