dyne / dnscrypt-proxy

DNSCrypt-Proxy repository, frankly maintained for what it does (no new features planned)

dnscrypt.org-fr public proxy in csv file is out of date #9

Open cybern0id opened 6 years ago

cybern0id commented 6 years ago

I presume since dnscrypt.org is no longer owned or maintained by @jedisct1, it should be removed from the public proxy csv file. Or perhaps it can be updated to the new server if it can still serve requests to dns-crypt v.1.9.x clients?

I'd been using fr.dnscrypt.org as one of three resolvers and only today realised it was not working....

cybern0id commented 6 years ago

...or perhaps I am mistaken? I guess only the IP address and public key in the csv file are used by the dnscrypt-proxy client. Still, dnscrypt.org-fr has not been working for my v1.9.x client running on my LEDE router for some time it seems.

jedisct1 commented 6 years ago

dnscrypt.org-fr works well :)

It was renamed scaleway-fr, although the old certificates should still work.

See https://fr.dnscrypt.info/

cybern0id commented 6 years ago

dnscrypt.org-fr does not work for me! The following entries in the router log appear if I use (only) dnscrypt.org-fr:

Thu Feb 15 16:10:48 2018 daemon.info dnscrypt-proxy[31480]: dnscrypt-proxy Refetching server certificates
Thu Feb 15 16:10:48 2018 daemon.info dnscrypt-proxy[31480]: dnscrypt-proxy Unsupported certificate version: 2.0
Thu Feb 15 16:10:48 2018 daemon.err dnscrypt-proxy[31480]: dnscrypt-proxy No useable certificates found

I'm using dnscrypt-proxy version 1.9.4-1 from the LEDE repos. I am using a more up to date resolvers csv file than the packaged one though - I manually downloaded it from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v1/dnscrypt-resolvers.csv which seemed to have the most recent commits.

root@LEDE:~# opkg list-installed | grep dnscrypt
dnscrypt-proxy - 1.9.4-1
dnscrypt-proxy-resolvers - 1.9.4+git-20161129-f17bace-1

All the dnscrypt-resolvers.csv files for v1 that I can find on github or by googling have this line for dnscrypt.org-fr:

dnscrypt.org-fr,"DNSCrypt.org France","DNSSEC/Non-logged/Uncensored - ARM server donated by Scaleway.com","Paris, France","",https://fr.dnscrypt.org,2,yes,yes,no,212.47.228.136,2.dnscrypt-cert.fr.dnscrypt.org,E801:B84E:A606:BFB0:BAC0:CE43:445B:B15E:BA64:B02F:A3C4:AA31:AE10:636A:0790:324D,pubkey.fr.dnscrypt.org

...no mention of scaleway. However, I can see that if I do a rDNS lookup using dig, the IP address resolves to scaleway-fr.dnscrypt.info domain.
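
The CSV row quoted above is the only thing a v1 client trusts when it picks a resolver: the address it connects to, the provider name it queries for certificates, and the public key fingerprint it uses to verify them. The following is an added example (not code from the dnscrypt-proxy project or from anyone in this thread) that parses such a row and sanity-checks those three fields before the file is handed to a client. It assumes the column order matches the header row of the upstream v1 dnscrypt-resolvers.csv file, and that a missing port means the v1 default of 443.

```python
import csv
import io
import ipaddress
import re

# Column layout assumed to match the header row of the upstream v1
# dnscrypt-resolvers.csv (the thread only quotes one data row, not the header).
COLUMNS = [
    "Name", "Full name", "Description", "Location", "Coordinates", "URL",
    "Version", "DNSSEC validation", "No logs", "Namecoin",
    "Resolver address", "Provider name", "Provider public key",
    "Provider public key TXT record",
]

# Constructed sample: the dnscrypt.org-fr row as quoted in the issue above.
SAMPLE_ROW = (
    'dnscrypt.org-fr,"DNSCrypt.org France",'
    '"DNSSEC/Non-logged/Uncensored - ARM server donated by Scaleway.com",'
    '"Paris, France","",https://fr.dnscrypt.org,2,yes,yes,no,212.47.228.136,'
    '2.dnscrypt-cert.fr.dnscrypt.org,'
    'E801:B84E:A606:BFB0:BAC0:CE43:445B:B15E:BA64:B02F:A3C4:AA31:AE10:636A:0790:324D,'
    'pubkey.fr.dnscrypt.org'
)

# A provider public key is a 32-byte Ed25519 key written as 16 groups of 4 hex digits.
FINGERPRINT_RE = re.compile(r"^(?:[0-9A-F]{4}:){15}[0-9A-F]{4}$")
DEFAULT_PORT = 443  # assumed v1 default when the address carries no port


def parse_resolver_row(row: str) -> dict:
    """Parse one CSV line into a dict keyed by the assumed column names."""
    fields = next(csv.reader(io.StringIO(row)))
    if len(fields) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} columns, got {len(fields)}")
    return dict(zip(COLUMNS, fields))


def split_resolver_address(addr: str) -> tuple:
    """Return (ip, port) for 'ip', 'ip:port' or '[ipv6]:port' forms."""
    if addr.startswith("["):
        host, _, rest = addr[1:].partition("]")
        port = rest.lstrip(":")
        return ipaddress.ip_address(host), int(port) if port else DEFAULT_PORT
    if addr.count(":") == 1:          # IPv4 with explicit port
        host, port = addr.split(":")
        return ipaddress.ip_address(host), int(port)
    return ipaddress.ip_address(addr), DEFAULT_PORT


def fingerprint_bytes(fingerprint: str) -> bytes:
    """Convert the colon-separated hex fingerprint to its raw 32 bytes."""
    return bytes.fromhex(fingerprint.replace(":", ""))


def check_resolver(entry: dict) -> list:
    """Return a list of problems found in a parsed row; empty means it looks sane."""
    problems = []
    version = entry["Version"]
    if version != "2":
        problems.append(f"unexpected protocol version {version!r}")
    # The provider name a v1 client queries for certificates starts with the
    # protocol major version, e.g. 2.dnscrypt-cert.<domain>.
    prefix = f"{version}.dnscrypt-cert."
    if not entry["Provider name"].startswith(prefix):
        problems.append(f"provider name does not start with {prefix!r}")
    if not FINGERPRINT_RE.match(entry["Provider public key"]):
        problems.append("provider public key is not 32 bytes of colon-separated hex")
    try:
        split_resolver_address(entry["Resolver address"])
    except ValueError as exc:
        problems.append(f"bad resolver address: {exc}")
    return problems


if __name__ == "__main__":
    entry = parse_resolver_row(SAMPLE_ROW)
    print(entry["Name"], split_resolver_address(entry["Resolver address"]))
    print("problems:", check_resolver(entry) or "none")
```

Note that this only checks the row's shape; it says nothing about whether the server behind 212.47.228.136 still serves certificates the client can verify, which is the actual failure in this thread. A passing check here plus "No useable certificates found" in the log points at the client side (old libsodium, as explained below in the thread) rather than at the CSV entry.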

jedisct1 commented 6 years ago

> Thu Feb 15 16:10:48 2018 daemon.info dnscrypt-proxy[31480]: dnscrypt-proxy Unsupported certificate version: 2.0

The libsodium version this dnscrypt-proxy binary was linked against is very old, and doesn't support the required crypto algorithm. Support for legacy crypto was removed from that resolver, and new resolvers do not support it any more either.

Upgrade.

cybern0id commented 6 years ago

OK, thanks, I'll submit a bug to the LEDE/OpenWRT maintainers. If new resolvers won't be supporting the old libsodium version, perhaps the dependency for libsodium => 1.0.0 in dnscrypt-proxy should be updated?

jedisct1 commented 6 years ago

The current stable version of dnscrypt-proxy (2.0.0) doesn't require libsodium any more :)

BrainSlayer commented 6 years ago

@jedisct1 the current stable version is written in a language which is unsupported by openwrt and other router firmware projects. it cannot be used

licaon-kter commented 6 years ago

@BrainSlayer There is compiler for that arch?

BrainSlayer commented 6 years ago

@licaon-kter there is a gccgo compiler yes, but you need to create manually a lot of toolchains for each platform and you need also to integrate the curious buildsystem. in addition there are a lot of dependencies for that package. dnscrypt v1 is much smaller as it seems. we are talking about embedded systems here. its not that you can use the standard sys libraries here. its based on musl libc

jedisct1 commented 6 years ago

The precompiled binaries should work out of the box on LEDE. Been running it on a TPLink Archer C7 since the very first version with no changes. Packages for Asus routers have also been available since the beginning.

The mips binaries are compiled with softfloat specifically for this.

BrainSlayer commented 6 years ago

yes but static binary blobs is nothing i can or want to deal with. i just talked about lede, but in fact i'm the dd-wrt developer and to get it working for all targets it should be integrated into the build system. this will also reduce size. so far i have x86, x64, powerpc (various types with different instruction level), mips r1, mipsr2 mipsel r1 mipsel r2, mipsle64, arm v6 arm v5k, armv7, aarch64 and other things i may have missed. now consider that some routers are just coming with 8 mb flash (i do not consider 4 mb devices) this will not fit. so only chance is using standard non static binaries which are using standard musl libc library

jedisct1 commented 6 years ago

You can write a new implementation in a different language. More implementations would be great!

BrainSlayer commented 6 years ago

@jedisct1 that would cost a lot of time for sure and i'm not very deep into the way dnscrypt works. the classic v1 was perfect with dnsmasq integration and i also wrote a gui for it a while ago. its all wasted now. rewriting it from scratch would take months for me

jedisct1 commented 6 years ago

It took about 15 minutes to write the first version of dnscrypt-proxy v2 https://github.com/jedisct1/dnscrypt-proxy/commit/b076e01f7afe6d2f625c00c7ffb78caf813c56ac

It took probably about the same time to write this in Python https://github.com/tresni/dnspython-dnscrypt

cybern0id commented 6 years ago

This version of dnscrypt-proxy (i.e. version 1.9.5) will still be supported by resolvers running the newer version 2.0.0 if they are speaking the same protocol, won't they, as long as the relevant version of libsodium is used? I was told in LEDE irc not to open a bug report because the next version of OpenWRT (after the LEDE/OpenWRT merge) is imminent and both dnscrypt-proxy (v1.9.5 in trunk) and libsodium (v1.0.16 in trunk) have been updated. I presume this means it will support version 2 certificates.

jedisct1 commented 6 years ago

Version 2 of the protocol is what all (with one exception) resolvers use since 2013. It hasn't changed.

dnscrypt-proxy is a client. I don't maintain the legacy version of this specific client any more and I don't have any reasons to. I barely remember how it works, it has unfixed vulnerabilities, I don't have time to maintain servers lists for legacy software that I don't even have on my computer and no one else is maintaining these lists either. Because it's boring, time-consuming, frustrating, and people may have an actual job to do in order to pay the bills. It's so much easier to complain than help or even express gratitude.

I wouldn't recommend LEDE, or any other distribution to ship version 1.x today, especially with CVEs to be published soon.

cybern0id commented 6 years ago

Well, thank you for making and maintaining dnscrypt-proxy all these years. I certainly was not complaining and if I could code I would make a v2 implementation in C, but I can't so all I can do to contribute is report what I see as being bugs, until I'm told otherwise. Anyway, I think it is time for me to move to something else, like DNS via VPN....