Upgrade DNSCrypt-proxy to v2: add DoH support #1831

Closed
Crescendo-BLYAT opened this issue Apr 19, 2018 · 29 comments

@Crescendo-BLYAT commented Apr 19, 2018

How about a cleanup of the DNSCrypt providers, updating the list to match this:
https://download.dnscrypt.info/dnscrypt-resolvers/v2/

Because many DNS servers are down or no longer exist, like many of D0wn's.
Or pull those lists periodically in AG, say once every 2 weeks or 1 month, to maintain a working DNSCrypt list.

You don't even have Cloudflare's DNS until this RC.

@admitrevskiy commented Apr 19, 2018

According to this list, we should delete:

cs-cfii (CS secondary cryptofree France DNSCrypt server)
cs-lt (CS Lithuania DNSCrypt server)
cs-useast (CS New York City NY US DNSCrypt server)
d0wn-at-ns1 (D0wn Resolver Austria 01)
d0wn-fr-ns2 (D0wn Resolver France 02)
d0wn-fr-ns2-ipv6 (D0wn Resolver France 02 over IPv6)
d0wn-id-ns1 (D0wn Resolver Indonesia 01)
d0wn-is-ns1 (D0wn Resolver Iceland 01)
d0wn-lv-ns1 (D0wn Resolver Latvia 01)
d0wn-nl-ns1 (D0wn Resolver Netherlands 01)
d0wn-nl-ns1-ipv6 (D0wn Resolver Netherlands 01 over IPv6)
d0wn-nl-ns2 (D0wn Resolver Netherlands 02)
d0wn-nl-ns2-ipv6 (D0wn Resolver Netherlands 02 over IPv6)
d0wn-sg-ns1 (D0wn Resolver Singapore 01)
d0wn-sg-ns1-ipv6 (D0wn Resolver Singapore 01 over IPv6)
d0wn-us-ns2 (D0wn Resolver United States of America 02)
dnscrypt.org-fr (DNSCrypt.org France)
ns0.dnscrypt.is (ns0.dnscrypt.is in Reykjavik, Iceland)
okturtles (okTurtles)
securedns-ipv6 (SecureDNS over IPv6)

And add:
captnemo-in
cleanbrowsing-family
cleanbrowsing-adult
doh-cleanbrowsing-adult
cloudflare-ipv6
cloudflare
comodo-02
de.dnsmaschine.net
dnscrypt.ca-2-ipv6
dnscrypt.name
doh-crypto-sx
ev-us
ev-us2
ev-us3
flatty.co
google
lazarus-dns
opennic-famicoman
opennic-luggs
opennic-luggs-ipv6
opennic-onic
publicarray-au
qag.me
qualityology.com
scaleway-fr
trashvpn
zeroaim-ipv6

@ameshkov should I start?

@Crescendo-BLYAT (Author) commented Apr 20, 2018

Yes please.
That was taken from this: https://github.com/jedisct1/dnscrypt-proxy
That GitHub repo is the most active and best-developed DNSCrypt-related project.

So yes, please update it.

If possible, like I said, periodically pull those files from that link.

@Crescendo-BLYAT (Author) commented Apr 20, 2018

Also, if possible and not yet implemented: move to DNSCrypt v2 instead of using the old v1.
Here's the diff: https://github.com/jedisct1/dnscrypt-proxy/wiki/Differences-to-v1

From my experience of using it on my PC, it's more reliable and stable than v1 DNSCrypt.
So if AG is still using v1, it's better to move on.

@FengLengshun commented Apr 20, 2018

Maybe the DNS list could be linked to the filter/app update option, so that it periodically pulls an updated list.

@Crescendo-BLYAT (Author) commented Apr 23, 2018

I don't know where this log fits in; I'm merely exporting it for the devs to check.
There are some errors in the logs, although the app itself is working OK for me, apart from AdGuard DNSCrypt not reconnecting automatically after a network change (Wi-Fi <---> mobile), which totally blocks internet access; I need to disable and re-enable AG for that.

http://www.mediafire.com/file/ro3akmht8lmgrxg/adguard_logs_2.11.81_2304_0807.zip

@ameshkov changed the title from "DNScrypt list is obsolete" to "Upgrade DNSCrypt-proxy to v2" on Apr 27, 2018
@ameshkov (Member) commented Apr 27, 2018

@admitrevskiy here's what needs to be done here:

  1. Start using dnscrypt-proxy v2 instead of the v1. Unfortunately, this will considerably increase the apk size.
  2. Change the data model, we should now use the sdns:// URLs instead of the resolver/provider/key.
  3. Migrate the old settings to the new model.
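The sdns:// URL mentioned in step 2 is a DNS stamp: one base64url string that carries the resolver address together with whatever authenticates it (the provider's public key for DNSCrypt, the certificate hash for DoH), so the old resolver/provider/key triple collapses into a single value that the migration in step 3 has to produce. The following is an added example, not AdGuard's or dnscrypt-proxy's code, that encodes and decodes the two stamp kinds relevant here, following the published DNS Stamps wire format. The DoH stamp is the one for Cloudflare's 1.0.0.1 resolver as it appears in dnscrypt-proxy's public resolver list; the DNSCrypt stamp is constructed for the example with a dummy 32-byte key, a documentation-range address and a made-up provider name.

```python
"""Encoder/decoder for DNS stamps (sdns:// URLs) of kind DNSCrypt (0x01) and
DoH (0x02). Wire format (DNS Stamps specification):
    1 byte protocol id | 8-byte little-endian props | protocol-specific fields
    LP(x)  = one length byte followed by x
    VLP(x) = LP items where every item except the last has bit 0x80 set
Added example; not code from AdGuard or dnscrypt-proxy."""
import base64
import struct
from dataclasses import dataclass, field
from typing import List

PROTO_DNSCRYPT, PROTO_DOH = 0x01, 0x02
PROP_DNSSEC, PROP_NO_LOGS, PROP_NO_FILTER = 1, 2, 4


@dataclass
class Stamp:
    proto: int
    props: int = 0
    addr: str = ""                 # "ip[:port]"; may be empty for DoH
    public_key: bytes = b""        # DNSCrypt: provider's 32-byte public key
    provider_name: str = ""        # DNSCrypt: e.g. "2.dnscrypt-cert.example.com"
    hashes: List[bytes] = field(default_factory=list)   # DoH: SHA-256 of TBS cert(s)
    hostname: str = ""             # DoH
    path: str = ""                 # DoH
    bootstrap: List[str] = field(default_factory=list)  # DoH: resolvers for the hostname


def _lp(data: bytes) -> bytes:
    if len(data) > 255:
        raise ValueError("LP field too long")
    return bytes([len(data)]) + data


def _vlp(items: List[bytes]) -> bytes:
    if not items:
        return b"\x00"                      # empty list is a single zero-length item
    out = bytearray()
    for i, item in enumerate(items):
        if len(item) > 127:
            raise ValueError("VLP item too long")
        out += bytes([len(item) | (0x80 if i < len(items) - 1 else 0)]) + item
    return bytes(out)


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def remaining(self) -> int:
        return len(self.data) - self.pos

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated stamp")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def lp(self) -> bytes:
        return self.take(self.take(1)[0])

    def vlp(self) -> List[bytes]:
        items = []
        while True:
            n = self.take(1)[0]
            items.append(self.take(n & 0x7F))
            if not n & 0x80:
                return [i for i in items if i]   # drop the empty-list marker


def encode(st: Stamp) -> str:
    body = bytes([st.proto]) + struct.pack("<Q", st.props) + _lp(st.addr.encode())
    if st.proto == PROTO_DNSCRYPT:
        if len(st.public_key) != 32:
            raise ValueError("DNSCrypt provider key must be 32 bytes")
        body += _lp(st.public_key) + _lp(st.provider_name.encode())
    elif st.proto == PROTO_DOH:
        body += _vlp(st.hashes) + _lp(st.hostname.encode()) + _lp(st.path.encode())
        if st.bootstrap:
            body += _vlp([b.encode() for b in st.bootstrap])
    else:
        raise ValueError(f"unsupported protocol id {st.proto:#x}")
    return "sdns://" + base64.urlsafe_b64encode(body).decode().rstrip("=")


def decode(url: str) -> Stamp:
    if not url.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    raw = url[len("sdns://"):]
    r = _Reader(base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)))
    proto = r.take(1)[0]
    props = struct.unpack("<Q", r.take(8))[0]
    st = Stamp(proto=proto, props=props, addr=r.lp().decode())
    if proto == PROTO_DNSCRYPT:
        st.public_key = r.lp()
        st.provider_name = r.lp().decode()
    elif proto == PROTO_DOH:
        st.hashes = r.vlp()
        st.hostname = r.lp().decode()
        st.path = r.lp().decode()
        if r.remaining():
            st.bootstrap = [b.decode() for b in r.vlp()]
    else:
        raise ValueError(f"unsupported protocol id {proto:#x}")
    if r.remaining():
        raise ValueError("trailing bytes in stamp")
    return st


def flags(props: int) -> List[str]:
    names = [(PROP_DNSSEC, "dnssec"), (PROP_NO_LOGS, "no-logs"), (PROP_NO_FILTER, "no-filter")]
    return [name for bit, name in names if props & bit]


# DoH stamp for Cloudflare's 1.0.0.1 as published in dnscrypt-proxy's resolver list.
CLOUDFLARE_DOH = "sdns://AgcAAAAAAAAABzEuMC4wLjEAEmRucy5jbG91ZGZsYXJlLmNvbQovZG5zLXF1ZXJ5"

# Constructed DNSCrypt stamp (dummy key, documentation-range address, made-up name).
EXAMPLE_DNSCRYPT = Stamp(
    proto=PROTO_DNSCRYPT, props=PROP_DNSSEC | PROP_NO_LOGS, addr="192.0.2.53:443",
    public_key=bytes(range(32)), provider_name="2.dnscrypt-cert.example.com",
)

if __name__ == "__main__":
    for url in (CLOUDFLARE_DOH, encode(EXAMPLE_DNSCRYPT)):
        st = decode(url)
        print(st.proto, flags(st.props), st.addr, st.hostname or st.provider_name)
```

Because the stamp embeds the key or certificate hash that the client will trust, a resolver list is only as good as its provenance: a periodic pull should verify the list's signature (dnscrypt-proxy ships its lists with minisign signatures) rather than fetch plain text over the network.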
@Crescendo-BLYAT (Author) commented May 11, 2018

@ameshkov don't worry about APK size; we're living in 2018, where space doesn't matter anymore. An increase of a few MB for better app functionality is better than keeping it small but "just working".

@ameshkov changed the title from "Upgrade DNSCrypt-proxy to v2" to "Upgrade DNSCrypt-proxy to v2: add DoH support" on May 15, 2018
@Crescendo-BLYAT (Author) commented May 22, 2018

@ameshkov
DNSCrypt isn't working.
No matter what DNS I choose, it's just not working at all.

Log: https://www.dropbox.com/s/tnjx46bmqdnbhhc/adguard_logs_2.12.19_2205_1746.zip?dl=0

Also, is it periodically updated according to the source?

@admitrevskiy
On further digging, somehow the changes in AG's DNS section don't get reflected in the dnscrypt-proxy.toml inside AG's data in /data (it's still at the default value with no DNS server selected).

I tried to manually edit dnscrypt-proxy.toml to match my settings on my PC; it's reset to the original value upon activating AG.

@Crescendo-BLYAT (Author) commented May 23, 2018

UPDATE: DNSCrypt in v2.12.26-beta is working ONLY in VPN mode.

It won't work at all (no effect, still using the ISP's) in Local HTTP Proxy mode.

Tested using Wi-Fi and mobile data.

@ameshkov (Member) commented May 23, 2018

> Further digging, somehow the changes in AG's DNS sections doesn't get reflected in dnscrypt-proxy.toml inside AG data in /data (it's still in default value with no DNS server selected).

That's a template file; it is unpacked to the data folder when AG runs dnscrypt-proxy.

Edit: okay, I see, you've been checking the data folder. We'll check it.

@ameshkov (Member) commented May 23, 2018

> Also, is it periodically updated according to the source?

We're keeping an eye on its repo, but the process is not automated.

@ameshkov (Member) commented May 23, 2018

> It won't work at all (no efffect, still using ISP's) on Local HTTP Proxy mode.

It should've been working:
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -p udp -d 0/0 --dport 53 -j REDIRECT --to 1160

What are your system DNS?

@ameshkov (Member) commented May 23, 2018

Ah, I think I've figured what's going on. We exclude private subnets, hence DNS traffic is not getting redirected:

/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 0.0.0.0/8 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 10.0.0.0/8 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 100.64.0.0/10 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 172.16.0.0/12 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 192.0.0.0/24 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 192.168.0.0/16 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 224.0.0.0/4 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 240.0.0.0/4 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 255.255.255.255/32 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 208.54.0.0/16 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 129.192.166.0/24 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 109.249.0.0/16 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 68.31.26.0/24 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 141.207.0.0/16 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 217.116.96.0/20 -j ACCEPT

It's not just about dnscrypt: DNS filtering is completely broken in the local HTTP proxy mode (for those whose system DNS points to a private-subnet IP).

Thank you for reporting it!
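The failure described above is a rule-ordering problem: a nat chain is walked top to bottom and the first matching rule's target ends traversal, ACCEPT included, so any exclusion appended before the port-53 REDIRECT lets a system resolver on a private subnet (a home router at 192.168.1.1, or a carrier resolver in 100.64.0.0/10) bypass the local proxy entirely. The following is an added example, not AdGuard code: it parses the iptables lines as quoted in the thread and simulates that first-match walk, once with the exclusions ahead of the redirect (the order the diagnosis implies) and once with the redirect first. The "fixed" ordering is an assumption for illustration; the thread does not say how the test build changed the rules. The carrier-specific exclusion ranges are omitted here, only the private and special-use subnets are kept.

```python
"""First-match simulation of the ADGUARD_OUTPUT nat chain quoted in the thread.
Added example, not AdGuard code."""
import ipaddress
import shlex
from typing import List, Optional

# Rules as quoted in the thread (subset: private and special-use subnets only).
EXCLUSIONS = """
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 0.0.0.0/8 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 10.0.0.0/8 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 100.64.0.0/10 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 172.16.0.0/12 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 192.0.0.0/24 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 192.168.0.0/16 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 224.0.0.0/4 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 240.0.0.0/4 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 255.255.255.255/32 -j ACCEPT
"""
DNS_REDIRECT = ("/system/bin/iptables -t nat -A ADGUARD_OUTPUT "
                "-p udp -d 0/0 --dport 53 -j REDIRECT --to 1160")


class Rule:
    """One `iptables -A` line reduced to the matches this chain actually uses."""

    def __init__(self, line: str):
        self.dst = ipaddress.ip_network("0.0.0.0/0")
        self.proto: Optional[str] = None
        self.dport: Optional[int] = None
        self.target = ""
        self.to_port: Optional[int] = None
        argv = shlex.split(line)
        i = 0
        while i < len(argv):
            flag = argv[i]
            arg = argv[i + 1] if i + 1 < len(argv) else None
            if flag == "-d":      # iptables accepts the shorthand 0/0 for any
                self.dst = ipaddress.ip_network("0.0.0.0/0" if arg == "0/0" else arg, strict=False)
            elif flag == "-p":
                self.proto = arg
            elif flag == "--dport":
                self.dport = int(arg)
            elif flag == "-j":
                self.target = arg
            elif flag == "--to":
                self.to_port = int(arg)
            i += 2 if flag.startswith("-") else 1   # skip "-t nat", "-A CHAIN", binary path

    def matches(self, dst: str, proto: str, dport: int) -> bool:
        return (ipaddress.ip_address(dst) in self.dst
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))

    def verdict(self) -> str:
        return f"{self.target}:{self.to_port}" if self.to_port else self.target


def load_chain(*blocks: str) -> List[Rule]:
    """Append rules in the order given, exactly as successive -A calls would."""
    return [Rule(l) for block in blocks for l in block.strip().splitlines() if l.strip()]


def evaluate(chain: List[Rule], dst: str, proto: str = "udp", dport: int = 53) -> str:
    """Walk the chain; the first matching rule's target ends traversal."""
    for rule in chain:
        if rule.matches(dst, proto, dport):
            return rule.verdict()
    return "NO_MATCH"   # falls through to the parent OUTPUT chain


BROKEN = load_chain(EXCLUSIONS, DNS_REDIRECT)   # order implied by the diagnosis above
FIXED = load_chain(DNS_REDIRECT, EXCLUSIONS)    # assumed remedy: redirect before exclusions

if __name__ == "__main__":
    for name, chain in (("broken", BROKEN), ("fixed", FIXED)):
        for resolver in ("192.168.1.1", "100.64.0.1", "8.8.8.8"):
            print(f"{name:6} udp/53 -> {resolver:12} {evaluate(chain, resolver)}")
```

Two things the walk makes visible beyond the reported bug: the quoted REDIRECT matches UDP only, so a resolver that falls back to TCP/53 (truncated answers, or a stub that prefers TCP) is not captured by that rule either; and putting the redirect first is safe for the exclusions' purpose, because only destination port 53 is diverted and everything else still reaches the ACCEPT rules unchanged.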

@admitrevskiy commented May 23, 2018

@CrescendoFang Hi!
Please install this version and let me know how it works: https://www.dropbox.com/s/63d3dwvqekhlgk7/adguard-android-udp-redirect-fix-debug.apk?dl=0

@Crescendo-BLYAT (Author) commented May 23, 2018

@ameshkov My system DNS is the ISP's (DHCP-assigned).
I can't change DNS without DNSCrypt because the government forces all DNS requests to the ISP's resolvers using a transparent proxy.

So I can only test using DNScrypt.

Here's my AG settings: https://www.dropbox.com/s/mcoet56m298b0pf/adguard_settings_2.12.26_2305_1029.json?dl=0&m=

@ameshkov (Member) commented May 23, 2018

@CrescendoFang have you tried the test build posted by @admitrevskiy? Is it okay with it now?

@Crescendo-BLYAT (Author) commented May 23, 2018

@ameshkov @admitrevskiy yup, still not working...

natrium:/ $ nslookup reddit.com
Server:    8.8.4.4
Address 1: 8.8.4.4 google-public-dns-b.google.com

Name:      reddit.com
Address 1: 36.86.63.185

That 36.86.63.185 is my ISP's censorship proxy.

EDIT: IT'S WORKING NOW after reboot....

@ameshkov (Member) commented May 23, 2018

> EDIT: IT'S WORKING NOW after reboot....

Hm, not sure why a reboot was required, but I am glad it is working now :)

@Crescendo-BLYAT (Author) commented May 23, 2018

I tried reconnecting the Wi-Fi on my wife's phone; it's working OK.

Maybe it only needs a reconnection, but I rebooted mine first. 😝

How to check DoH?
Or it's already working?

If all is done, we can close this issue 😉

@admitrevskiy commented May 23, 2018

@CrescendoFang it already works; try connecting to any DoH server, for example doh-crypto-sx or doh-cleanbrowsing. Please let me know if something goes wrong.

@Crescendo-BLYAT (Author) commented May 23, 2018

@admitrevskiy yup, it's working perfectly 😉

Thank you so much.

Shall we close this issue now?

@ameshkov (Member) commented May 23, 2018

Not yet, it's in the Review/QA pipeline now.

@vchrn commented Jun 15, 2018

For some reason secure DNS doesn't work for me at all in the latest 2.12 nightly. As soon as I enable any server, the Internet effectively dies. Is it something you are aware of? If not, how can I assist in debugging what's going on?

My phone is the Exynos version of Galaxy S8 with the latest stable Oreo firmware (G950FXXU2CRED), if it's of any help.

@ameshkov (Member) commented Jun 15, 2018

@vchrn logs with "record everything" level would be helpful.

But before that try reinstalling AG and see if it changes anything.

@vchrn commented Jun 15, 2018

Heh, yeah, reinstalling did the trick, it works now.

@ameshkov (Member) commented Jun 15, 2018

It means something is not okay with the update process.

What DNSCrypt server did you have before upgrading to the nightly? Was it a custom server or something else?

@vchrn commented Jun 15, 2018

I had been using the regular DNS.WATCH, no custom configuration. After the upgrade to nightly the regular servers still worked fine, but not a single "Secure DNS" one could resolve names.

@ameshkov (Member) commented Jun 15, 2018

What was the version you were upgrading from?

@vchrn commented Jun 15, 2018

The latest beta.

@vozersky closed this Jul 31, 2018

6 participants