DNSCrypt / dnscrypt-proxy

dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols.
https://dnscrypt.info
ISC License

Question regarding certIgnoreTimestamp #20

Closed thuantran closed 6 years ago

thuantran commented 6 years ago

Hi dev,

I'm the author of https://github.com/thuantran/dnscrypt-asuswrt-installer, a dnscrypt-proxy installer for Asus routers running asuswrt-merlin.

I wonder from these two commits 6ca26971286c1cf6c317da9cc089f387f60fbec2 and 8bcba92f97c5a378c7090043ea51c1cd1da520f0 if these assumptions are correct:

If they are true, it's more than awesome :).

Best regards, thuan

jedisct1 commented 6 years ago

Hi Thuan,

You are absolutely correct.

It ignores the timestamp when fetching certificates the first time, but then the flag automatically turns itself off, since you will probably have a properly set clock afterwards.

Let me know if there is anything else that should be added to make integration in asuswrt easier!

thuantran commented 6 years ago

Cool. I wanna hug you right now.

The only other thing I'd like to have is a config option to run the dnscrypt-proxy process under a different user/group after opening its sockets.

If you can do that, I can remove the nonroot command from my script.

Thanks and best regards, thuan

jedisct1 commented 6 years ago

I'd love to do that, but this seems to be difficult to do in Go right now: https://github.com/golang/go/issues/1435

So, this is something I will add as soon as a proper solution eventually comes out of that thread :/

thuantran commented 6 years ago

Well then I guess I will leave off implementing a caching setup in dnscrypt-proxy for now, because that would require running dnscrypt-proxy as root, and it's also harder to implement because of a chicken-and-egg problem.

jedisct1 commented 6 years ago

```
sudo setcap cap_net_bind_service=pe dnscrypt-proxy
```

Boom, no need to run it as root any more.

thuantran commented 6 years ago

There's no sudo on asuswrt unfortunately.

Another workaround for the issue is using iptables to forward DNS queries arriving at the router to the dnscrypt-proxy process running on a high port. It would work theoretically, but I don't know what it would break.

The other chicken-and-egg issue is priming the dnscrypt-resolvers file. During my installation and update process I'm sure my users have an internet connection, so I'd like to prime the list then; can you add a switch for that?

Thanks, thuan

jedisct1 commented 6 years ago

Well, you don't need sudo. It's just to mention that the command has to be run as root.

If there are no caches, these will be pulled from all the configured sources. But you need a working DNS resolver for that. The assumption is that you change the DNS settings to 127.0.0.1 after having installed dnscrypt-proxy, not before.

Not sure what kind of switch I could add. Unless source URLs use IP addresses, you need a working DNS to connect to these URLs.

Support for non-encrypted DNS servers can be added. So you can have an initial configuration file that only includes, e.g. Quad9, and then you change the configuration file to add the sources you want. But this is not really different from changing the system DNS settings after installation.

thuantran commented 6 years ago

Didn't look close enough, but asuswrt does not have the setcap command either.

During the installation process, my script uses the internet for most of the operations, so users should have internet then. What I meant is that the dnscrypt-resolvers file could be primed right then, so that on the next boot, being the sole resolver on the router, it has this file to start up with.

As I have started working on my manager script (the script that handles the setting up of the dnscrypt-proxy process and the router environment for it to work), I can confirm that certIgnoreTimestamp does work, but I would like you to print warnings like in v1 when an exception was made and when it's cleared, for level 2 logging.

I wonder why, in daemon mode, it launches multiple times like this:

```
Jan 22 13:51:36 dnscrypt-proxy[1009]: Source [https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v1/dnscrypt-resolvers.csv] loaded
Jan 22 13:51:36 dnscrypt-proxy[1009]: Starting dnscrypt-proxy 2.0.0beta8
Jan 22 13:51:36 dnscrypt-proxy[1117]: Source [https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v1/dnscrypt-resolvers.csv] loaded
Jan 22 13:51:36 dnscrypt-proxy[1117]: Starting dnscrypt-proxy 2.0.0beta8
Jan 22 13:51:36 dnscrypt-proxy[1123]: Source [https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v1/dnscrypt-resolvers.csv] loaded
Jan 22 13:51:36 dnscrypt-proxy[1123]: Starting dnscrypt-proxy 2.0.0beta8
```

Lastly, it seems like v2 does not read the TZ env var, so it prints to syslog with the wrong timezone.

thuantran commented 6 years ago

I have initially updated my script to support dnscrypt-proxy version 2 on Asus routers running asuswrt-merlin: https://www.snbforums.com/threads/release-dnscrypt-installer-for-asuswrt.36071/page-19#post-375531

I noticed one more problem besides those I mentioned previously. If there's no dnscrypt-resolvers.csv and dnscrypt-resolvers.csv.minisig in the same directory as dnscrypt-proxy at boot, where the clock is not updated yet, dnscrypt-proxy will fail to start as it's unable to download these files. For now, I have written my script to download these files, so it's fixed for my environment, but you might want to fix it for others.

jedisct1 commented 6 years ago

I guess the issue is that you are fetching a source over HTTPS, but HTTPS requires a valid clock or else the HTTPS certificate check will fail. There's no way to "fix" that, besides starting the download after the clock has been set, or downloading over HTTP instead of HTTPS. Which is fine, actually, because of the signature. Maybe we should encourage sources to be accessible over HTTP in addition to HTTPS.

thuantran commented 6 years ago

Yup, I think that's fine too because of the sig. On the other hand, some SSL libs do allow one to ignore the timestamp, so I was thinking you could do the same with Go and the cert_ignore_timestamp flag.

jedisct1 commented 6 years ago

Using TLS with certificate verification disabled is against my religion :)

If we do that, the protocol identifier should really be "http". Using "https" would be a lie.

thuantran commented 6 years ago

It's actually cool for me, as I have primed it from my installer script as I told you. The fun thing now is rewriting my function to parse the v2 resolver list :).

Anyway, what about the time (TZ) issue I posted previously? As your process does not read that info, it has the wrong timezone info, and this is an example result for my timezone:

```
Jan 26 17:03:15 dropbear[22952]: Exit (admin): Error reading: Connection reset by peer
Jan 26 17:03:15 dropbear[25451]: Exit (admin): Error reading: Connection reset by peer
Jan 26 10:18:12 dnscrypt-proxy[980]: [cisco] OK (crypto v1) - rtt: 52ms
Jan 26 10:18:12 dnscrypt-proxy[980]: [cisco] OK (crypto v1) - rtt: 52ms
```

jedisct1 commented 6 years ago

Unfortunately, I can't reproduce the TZ issue. It seems to work well here :(

D1n0Bot commented 6 years ago

I think thuantran mentioned he is running on an embedded device (asuswrt-merlin router) loaded with busybox. I think the router does not have a hardware clock. Therefore the time is incorrect.

jedisct1 commented 6 years ago

He was referring to the time zone.

thuantran commented 6 years ago

I managed to update my script with Google DOH support and it's working nicely for me. 👍

Just wondering if you use random_padding in the DOH API, to more effectively hide our payload?