Upgrade DNSCrypt-proxy to v2: add DoH support #1831

Closed
Crescendo-BLYAT opened this issue Apr 19, 2018 · 29 comments

@Crescendo-BLYAT

Crescendo-BLYAT commented Apr 19, 2018

How about cleanup of DNScrypt providers and update it to match this:
https://download.dnscrypt.info/dnscrypt-resolvers/v2/

Because many DNS servers are down or don't exist anymore, like many of D0wn's DNS.
Or pull that list periodically in AG, like once every 2 weeks or 1 month, to maintain a working DNScrypt list.

You don't even have Cloudflare's DNS till this RC.

@admitrevskiy

According to this list, we should delete:

cs-cfii (CS secondary cryptofree France DNSCrypt server)
cs-lt (CS Lithuania DNSCrypt server)
cs-useast (CS New York City NY US DNSCrypt serve)
d0wn-at-ns1 (D0wn Resolver Austria 01)
d0wn-fr-ns2 (D0wn Resolver France 02)
d0wn-fr-ns2-ipv6 (D0wn Resolver France 02 over IPv6)
d0wn-id-ns1 (D0wn Resolver Indonesia 01)
d0wn-is-ns1 (D0wn Resolver Iceland 01)
d0wn-lv-ns1 (D0wn Resolver Latvia 01)
d0wn-nl-ns1 (D0wn Resolver Netherlands 01)
d0wn-nl-ns1-ipv6 (D0wn Resolver Netherlands 01 over IPv6)
d0wn-nl-ns2 (D0wn Resolver Netherlands 02)
d0wn-nl-ns2-ipv6 (D0wn Resolver Netherlands 02 over IPv6)
d0wn-sg-ns1 (D0wn Resolver Singapore 01)
d0wn-sg-ns1-ipv6 (D0wn Resolver Singapore 01 over IPv6)
d0wn-us-ns2 (D0wn Resolver United States of America 02)
dnscrypt.org-fr (DNSCrypt.org France)
ns0.dnscrypt.is (ns0.dnscrypt.is in Reykjavik, Iceland)
okturtles (okTurtles)
securedns-ipv6 (SecureDNS over IPv6)

And add:
captnemo-in
cleanbrowsing-family
leanbrowsing-adult
doh-cleanbrowsing-adult
cloudflare-ipv6
cloudflare
comodo-02
de.dnsmaschine.net
dnscrypt.ca-2-ipv6
dnscrypt.name
doh-crypto-sx
ev-us
ev-us2
ev-us3
flatty.co
google
lazarus-dns
opennic-famicoman
opennic-luggs
opennic-luggs-ipv6
opennic-onic
publicarray-au
qag.me
qualityology.com
scaleway-fr
trashvpn
zeroaim-ipv6

@ameshkov should I start?

@Crescendo-BLYAT
Author

yes please.....
that was taken from this: https://github.com/jedisct1/dnscrypt-proxy
that GitHub repo is the most active and most developed DNScrypt-related thing.....

so, yes update it please....

if possible, like I said, a periodic pull of those files from that link....

@Crescendo-BLYAT
Author

Crescendo-BLYAT commented Apr 20, 2018

also, if possible and if it hasn't been implemented yet: move to DNScrypt v2 instead of using the old v1....
Here's the diff: https://github.com/jedisct1/dnscrypt-proxy/wiki/Differences-to-v1

from my experience of using it on my PC, it's more reliable and stable than v1 DNScrypt.
so if AG is still using v1, better to move on....

@bayazidbh

Maybe the DNS list can be made to be linked to the update filter/app option - so it periodically pulls an updated list.

@Crescendo-BLYAT
Author

Dunno where this log will fit in; I'm merely exporting it for no particular reason, just for the devs to check.
There are some errors in the logs, although the app itself is working OK for me, apart from AdGuard DNScrypt not reconnecting automatically after a network change (wifi <---> mobile), which totally blocks internet access; I need to disable and re-enable AG for that.

http://www.mediafire.com/file/ro3akmht8lmgrxg/adguard_logs_2.11.81_2304_0807.zip

@ameshkov ameshkov changed the title DNScrypt list is obsolete Upgrade DNSCrypt-proxy to v2 Apr 27, 2018
@ameshkov
Member

@admitrevskiy here's what needs to be done here:

  1. Start using dnscrypt-proxy v2 instead of the v1. Unfortunately, this will considerably increase the apk size.
  2. Change the data model, we should now use the sdns:// URLs instead of the resolver/provider/key.
  3. Migrate the old settings to the new model.
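The sdns:// URLs of the new data model are DNS Stamps: one base64url blob carrying the protocol, a properties bitmask, the address and the provider fields. As an added illustration (not AdGuard's or dnscrypt-proxy's code) here is a minimal Python encoder/decoder following the published DNS Stamps layout; the host, path and property values in the test are constructed.

```python
import base64
import io
import struct

DNSCRYPT, DOH = 0x01, 0x02                          # stamp protocol identifiers
PROP_DNSSEC, PROP_NO_LOG, PROP_NO_FILTER = 1, 2, 4  # "informal properties" bits


def _lp(data: bytes) -> bytes:
    """Length-prefixed field: one length byte followed by the bytes."""
    return bytes([len(data)]) + data


def encode_doh_stamp(props: int, addr: str, host: str, path: str) -> str:
    """Build a DoH stamp; addr may be '' so the client resolves host itself."""
    body = bytes([DOH]) + struct.pack("<Q", props) + _lp(addr.encode())
    body += b"\x00"  # empty cert-hash set (no pin) in this constructed sample
    body += _lp(host.encode()) + _lp(path.encode())
    return "sdns://" + base64.urlsafe_b64encode(body).rstrip(b"=").decode()


def parse_stamp(stamp: str) -> dict:
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    raw = stamp[len("sdns://"):]
    buf = io.BytesIO(base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)))

    def take(n: int) -> bytes:            # read exactly n bytes or fail loudly
        chunk = buf.read(n)
        if len(chunk) != n:
            raise ValueError("truncated stamp")
        return chunk

    def lp() -> bytes:                    # read length byte, then that many bytes
        return take(take(1)[0])

    proto = take(1)[0]
    props = struct.unpack("<Q", take(8))[0]
    info = {"proto": proto, "dnssec": bool(props & PROP_DNSSEC),
            "no_log": bool(props & PROP_NO_LOG), "no_filter": bool(props & PROP_NO_FILTER),
            "addr": lp().decode()}
    if proto == DNSCRYPT:
        info["provider_pk"] = lp().hex()      # raw 32-byte provider public key
        info["provider_name"] = lp().decode()
    elif proto == DOH:
        hashes, more = [], True
        while more:                           # VLP: high bit = another item follows
            n = take(1)[0]
            more, item = bool(n & 0x80), take(n & 0x7F)
            if item:
                hashes.append(item.hex())
        info["hashes"], info["host"], info["path"] = hashes, lp().decode(), lp().decode()
    else:
        raise ValueError(f"unsupported stamp protocol 0x{proto:02x}")
    return info
```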

@Crescendo-BLYAT
Author

Crescendo-BLYAT commented May 11, 2018

@ameshkov don't worry about apk size, we're living in 2018 where space doesn't matter anymore.... an increase of a few MB for better app functionality is better than keeping it small but "just working"....

@ameshkov ameshkov changed the title Upgrade DNSCrypt-proxy to v2 Upgrade DNSCrypt-proxy to v2: add DoH support May 15, 2018
@Crescendo-BLYAT
Author

Crescendo-BLYAT commented May 22, 2018

@ameshkov
The DNScrypt isn't working.
No matter what DNS I choose, it's just not working at all.

Log: https://www.dropbox.com/s/tnjx46bmqdnbhhc/adguard_logs_2.12.19_2205_1746.zip?dl=0

Also, is it periodically updated according to the source?


@admitrevskiy
Further digging: somehow the changes in AG's DNS section don't get reflected in dnscrypt-proxy.toml inside AG data in /data (it's still at the default value with no DNS server selected).

I tried to manually edit dnscrypt-proxy.toml to match my settings on my PC, but it defaulted back to the original value upon activating AG.

@Crescendo-BLYAT
Author

Crescendo-BLYAT commented May 23, 2018

UPDATE: DNScrypt in v2.12.26-beta is working ONLY in VPN mode.

It won't work at all (no effect, still using the ISP's) in Local HTTP Proxy mode.

Tested using WiFi & mobile data.

@ameshkov
Member

ameshkov commented May 23, 2018

Further digging: somehow the changes in AG's DNS section don't get reflected in dnscrypt-proxy.toml inside AG data in /data (it's still at the default value with no DNS server selected).

That's a template file, it is unpacked to the data folder when AG runs dnscrypt-proxy.

Edit: okay, I see, you've been checking the data folder. We'll check it.

@ameshkov
Member

Also, is it periodically updated according to the source?

We're keeping an eye on its repo, but the process is not automated.

@ameshkov
Member

It won't work at all (no effect, still using the ISP's) in Local HTTP Proxy mode.

It should've been working:
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -p udp -d 0/0 --dport 53 -j REDIRECT --to 1160

What are your system DNS?

@ameshkov
Member

ameshkov commented May 23, 2018

Ah, I think I've figured what's going on. We exclude private subnets, hence DNS traffic is not getting redirected:

/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 0.0.0.0/8 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 10.0.0.0/8 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 100.64.0.0/10 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 172.16.0.0/12 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 192.0.0.0/24 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 192.168.0.0/16 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 224.0.0.0/4 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 240.0.0.0/4 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 255.255.255.255/32 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 208.54.0.0/16 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 129.192.166.0/24 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 109.249.0.0/16 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 68.31.26.0/24 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 141.207.0.0/16 -j ACCEPT
/system/bin/iptables -t nat -A ADGUARD_OUTPUT -d 217.116.96.0/20 -j ACCEPT

It's not just about dnscrypt: DNS filtering is broken in the local HTTP proxy mode completely (for those whose system DNS points to a private-subnet IP).

Thank you for reporting it!
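To see why the order of those rules matters, here is an added Python model of the ADGUARD_OUTPUT nat chain quoted above (not AdGuard's code): the subnet exclusions are appended first, so a UDP/53 query to a resolver in 192.168.0.0/16 hits ACCEPT before the REDIRECT can fire, while a query to a public resolver is redirected. The reordered chain, with the port-53 redirect ahead of the exclusions, is an assumed remedy used for illustration only, not the change shipped in the debug build; the non-private ranges from the comment are left out of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    dst: ipaddress.IPv4Network
    target: str
    proto: Optional[str] = None     # None matches any protocol, like omitting -p
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, dst_ip: str, proto: str, dport: int) -> bool:
        return (ipaddress.ip_address(dst_ip) in self.dst
                and self.proto in (None, proto)
                and self.dport in (None, dport))


# Private/special-use exclusions copied from the chain in the comment above.
EXCLUDED = ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "172.16.0.0/12",
            "192.0.0.0/24", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
            "255.255.255.255/32"]
# -p udp -d 0/0 --dport 53 -j REDIRECT --to 1160
REDIRECT_DNS = Rule(ipaddress.ip_network("0.0.0.0/0"), "REDIRECT:1160", "udp", 53)


def accept_rules() -> List[Rule]:
    return [Rule(ipaddress.ip_network(n), "ACCEPT") for n in EXCLUDED]


def chain_as_reported() -> List[Rule]:
    """-A appends, so exclusions added first are evaluated before the redirect."""
    return accept_rules() + [REDIRECT_DNS]


def chain_reordered() -> List[Rule]:
    """Assumed fix for illustration: match UDP/53 before any subnet exclusion."""
    return [REDIRECT_DNS] + accept_rules()


def verdict(chain: List[Rule], dst_ip: str, proto: str, dport: int) -> str:
    """First matching rule wins, as in a real iptables chain; no match is RETURN."""
    for rule in chain:
        if rule.matches(dst_ip, proto, dport):
            return rule.target
    return "RETURN"


def dns_redirected(chain: List[Rule], resolver_ip: str) -> bool:
    """Does a plain UDP/53 query to this system resolver reach dnscrypt-proxy?"""
    return verdict(chain, resolver_ip, "udp", 53).startswith("REDIRECT")
```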

@admitrevskiy

@CrescendoFang Hi!
Please install this version and let me know how it works: https://www.dropbox.com/s/63d3dwvqekhlgk7/adguard-android-udp-redirect-fix-debug.apk?dl=0

@Crescendo-BLYAT
Author

@ameshkov My system DNS is the ISP's (DHCP assigned).
I can't change DNS without DNScrypt because the government forces all DNS requests to the ISP's using a transparent proxy.

So I can only test using DNScrypt.

Here's my AG settings: https://www.dropbox.com/s/mcoet56m298b0pf/adguard_settings_2.12.26_2305_1029.json?dl=0&m=

@ameshkov
Member

@CrescendoFang have you tried the test build posted by @admitrevskiy? Is it okay with it now?

@Crescendo-BLYAT
Author

Crescendo-BLYAT commented May 23, 2018

@ameshkov @admitrevskiy yup, still not working...

natrium:/ $ nslookup reddit.com
Server:    8.8.4.4
Address 1: 8.8.4.4 google-public-dns-b.google.com

Name:      reddit.com
Address 1: 36.86.63.185

That 36.86.63.185 is my ISP's censorship proxy...

EDIT: IT'S WORKING NOW after reboot....

@ameshkov
Member

EDIT: IT'S WORKING NOW after reboot....

Hm, not sure why reboot was required, but I am glad it is working now:)

@Crescendo-BLYAT
Author

Crescendo-BLYAT commented May 23, 2018

I tried to reconnect the wifi on my wife's phone, it's working OK...

maybe it only needs a reconnection, but I rebooted mine first... 😝

How to check DoH?
Or it's already working?

If all is done, we can close this issue 😉

@admitrevskiy

admitrevskiy commented May 23, 2018

@CrescendoFang it already works, try to connect any DoH server. For example doh-crypto-sx or doh-cleanbrowsing. Please let me know if something goes wrong.

@Crescendo-BLYAT
Author

Crescendo-BLYAT commented May 23, 2018

@admitrevskiy yup, it's working perfectly 😉

thank you so much...

shall we close this issue now?

@ameshkov
Member

Not yet, it's in Review/QA pipeline now

@v-chernyshev

For some reason secure DNS doesn't work for me at all in the latest 2.12 nightly. As soon as I enable any server, the Internet effectively dies. Is it something you are aware of? If not, how can I assist in debugging what's going on?

My phone is the Exynos version of Galaxy S8 with the latest stable Oreo firmware (G950FXXU2CRED), if it's of any help.

@ameshkov
Member

@vchrn logs with "record everything" level would be helpful.

But before that try reinstalling AG and see if it changes anything.

@v-chernyshev

Heh, yeah, reinstalling did the trick, it works now.

@ameshkov
Member

It means something is not okay with the update process.

What DNSCrypt server did you have before upgrading to nightly? Was it a custom server or something else?

@v-chernyshev

I had been using the regular DNS.WATCH, no custom configuration. After the upgrade to nightly the regular servers still worked fine, but not a single "Secure DNS" one could resolve names.

@ameshkov
Member

What was the version you were upgrading from?

@v-chernyshev

The latest beta.

6 participants