Dnscrypt + TomatoUSB

for years all my routers have had dd-wrt runnin on em, so tonight i decided it was time to give another firmware a try... got me e1200v2 runnin tomato. i love it

in the dns configuration for tomato, it has the standard static dns server fields where u can put google or opendns (8.8.8.8 or 208.67.222.222 or whatever) below those text fields is a checkbox... "Use dnscrypt-proxy" at first im like fuck yeah, but then im like ummm

i have the resolver set to opendns, priority set to strict-order

i run wireshark while i go to the web browser and test it (by going to web sites and running dns leak test) yet i can still see in plaintext the urls of the lookups in wireshark... this means dnscrypt is not working

the question is, have any of you used tomato on your router? if so, have you used the dnscrypt option on it? howd you configure it?

ps im a long time lurker and been watching the youtube show for a while now too. this is my first post on the forum. welcome the new guy i plan on being active on this forum because it seems like the crowd i belong in

btw private internet access vpn is the best... did u know they just got israel servers? also wendell im glad u configured https for this site. HACKERS ON

Are you running wireshark between your PC and the router or between your router and the internet? Because if it's between your PC and the router then you'll be seeing the DNS requests made from your PC to the router, not the ones your router makes to its DNS servers, which will be using DNScrypt.

at first i was using wireshark on the same computer

then i tried going up a tier

my current setup is modem -> router a (ddwrt) -> router b (tomato & dnscrypt) -> laptop

i moved wireshark onto my desktop which is plugged into router a, then did the dns requests on the laptop (that's wirelessly connected to router b)

i wasn't able to see anything other than ACKs for the (local) ip of the router b (the ip that router a gave to router b)

so i was still trying and i decided to turn off dnscrypt and turn off the openvpn client (on router b) so it's not all encrypted, then tried again.... still nothing i can read on wireshark

with nothing encrypted shouldn't i be seeing dns requests from router b going to router a

say router a has an ip of 10.0.0.1, and router b has an ip of 10.0.1.1, router a gives router b an ip from its range... the ip is 10.0.0.2

i should be seeing in wireshark: dns request destination=10.0.0.1 src=10.0.0.2 rite?

Yeah, you won't be able to see anything on wireshark just because it is plugged in to router a. Wireshark will only be able to show you traffic on whatever interface it's running on, so unless the traffic is going to your desktop you can't see it. What you need to do is run wireshark between the WAN interface on router b and the modem; anywhere in that path will work. So either, if you have two network cards, you could make a bridge and run wireshark on that, or you could do a packet capture or dump on one of the routers and then download it and analyze it with wireshark.

If router b is configured to use opendns servers then it won't be sending DNS requests to router a, it will be sending them to the addresses you used for opendns. But again you will only see this if you are between router b and the internet.
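Added example, not part of the thread: once a capture taken on router b's WAN side has been downloaded, a short Python script can list any DNS lookups that still left in cleartext on UDP port 53. It assumes a classic (non-pcapng) Ethernet/IPv4 capture; the function names and the sample capture are constructed for illustration, reusing the 10.0.0.2 and 208.67.222.222 addresses mentioned above.

```python
import struct

def _query(frame):
    """Return (src, dst, qname) if an Ethernet/IPv4 frame is a UDP port-53 DNS query."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None                                  # not IPv4 or not UDP
    udp = frame[14 + (frame[14] & 0x0F) * 4:]        # skip the variable-length IP header
    if len(udp) < 20 or struct.unpack("!H", udp[2:4])[0] != 53:
        return None                                  # too short or not sent to port 53
    dns = udp[8:]
    if dns[2] & 0x80:                                # QR bit set: a response, not a query
        return None
    labels, i = [], 12                               # QNAME follows the 12-byte DNS header
    while i < len(dns) and dns[i]:
        if dns[i] & 0xC0:
            return None                              # compression pointer: not a plain query
        labels.append(dns[i + 1:i + 1 + dns[i]].decode("ascii", "replace"))
        i += 1 + dns[i]
    ip = lambda b: ".".join(map(str, b))
    return ip(frame[26:30]), ip(frame[30:34]), ".".join(labels)

def plaintext_dns_queries(pcap):
    """List every cleartext DNS query found in a classic Ethernet capture."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    hits, off = [], 24                               # records start after the 24-byte header
    while off + 16 <= len(pcap):
        incl = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        hit = _query(pcap[off + 16:off + 16 + incl])
        if hit:
            hits.append(hit)
        off += 16 + incl
    return hits

# --- constructed sample capture (not real traffic) ---
def _frame(src, dst, dport, payload):
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0) + bytes(src + dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

def sample_capture():
    dns = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01"
    frames = [_frame([10, 0, 0, 2], [208, 67, 222, 222], 53, dns),            # cleartext lookup
              _frame([10, 0, 0, 2], [208, 67, 222, 222], 443, b"\x8f" * 64)]  # opaque payload
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

On a real capture, pass the file's bytes to `plaintext_dns_queries`; an empty list while browsing means no lookups left the router as readable port-53 queries.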

well i would love to get my hands on a 4 port ethernet pcie nic, but those are out of my budget right now. so my only way of testing to make sure it's working is by having it disabled, running leak test, seeing my isp's proxy dns servers, then checking the dnscrypt option and then seeing opendns on the leak test. i wish i could actually see the encrypted traffic and know that this is the actual dns request and response. thanks for the help

Are you sure your router doesn't have an option to do packet capture?