thuantran / dnscrypt-asuswrt-installer

dnscrypt installer for Asus router with merlin firmware
GNU General Public License v3.0
111 stars 15 forks

Allow route relays for Anonymized and ODoH server routing #426

Closed rgnldo closed 1 year ago

rgnldo commented 1 year ago

Allow route relays to route Anonymized and ODoH servers simultaneously

Enable cache for better latency. 512m

On dnscrypt-proxy.toml:

```toml
##################################
#        Global settings         #
##################################

dnscrypt_servers = true
doh_servers = false
odoh_servers = true
require_dnssec = false
require_nolog = true
require_nofilter = true

#########################
#        Servers        #
#########################

[sources]

## Allow all servers and relays

################################
#        Anonymized DNS        #
################################

[anonymized_dns]

## Wildcard route: every server through every compatible relay
routes = [ { server_name='*', via=['*'] } ]
```

jumpsmm7 commented 1 year ago

Users can manually do this if it is feasible by manually editing their .toml files. I don't see a reason to add too much more to the installer script.

Users pick the options you mention by answering these questions:- https://github.com/thuantran/dnscrypt-asuswrt-installer/blob/master/installer#L523-L530

A check later in the install/edit process then detects the entries for ODOH and Dnscrypt:-

```sh
elif [ "$COUNT" -eq 0 ] && grep -q '^odoh_servers = .*true.*' "$TOML_FILE" && grep -q '^dnscrypt_servers = .*true.*' "$TOML_FILE"; then
```

Here are the lines of code that allow for this to happen in the installer. This combination is already taken into consideration @rgnldo https://github.com/thuantran/dnscrypt-asuswrt-installer/blob/master/installer#L397-L400

```sh
PTXT "$INFO This option allows you to setup wildcard options for servers (server_name \"*\") and relays (via=['*']) for all compatible servers and relays."
read_yesno "Do you only want to skip this option for Dnscrypt Servers (still required for ODOH)?"
```

If you specify "YES" here it will only allow you to pick relays for ODOH servers. However, if you specify "NO" it will allow you to pick both ODOH and DNSCRYPT relays.

As for enabling the cache, this will actually cause performance issues in some instances because DNSMASQ is already acting as cache.
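The wiring discussed above, in rgnldo's config and in the installer's `grep` check for `odoh_servers` / `dnscrypt_servers`, as an added example (not code from the installer or from dnscrypt-proxy): a small Python checker that reads the protocol flags and the `[anonymized_dns]` `routes` table from a dnscrypt-proxy.toml and reports servers left without a relay. The TOML sample is constructed for this example; the parser handles only the inline-table form of `routes` used in this thread, and the rule that ODoH servers need a relay route follows the installer's own prompt ("still required for ODOH").

```python
import re

# Constructed dnscrypt-proxy.toml fragment, modelled on the one posted in
# this thread (not a file from the installer project). Both protocols are
# enabled, one server gets DNSCrypt relays, one gets an ODoH relay, and one
# has an empty relay list.
SAMPLE_TOML = """
##################################
#        Global settings         #
##################################
dnscrypt_servers = true
doh_servers = false
odoh_servers = true   # each ODoH server still needs a relay route
require_dnssec = false
require_nolog = true
require_nofilter = true

[anonymized_dns]
routes = [
    { server_name='sth-dnscrypt-se', via=['anon-cs-swe', 'anon-meganerd'] },
    { server_name='odoh-cloudflare', via=['odohrelay-koki-se'] },
    { server_name='odoh-koki-se', via=[] },
]
"""

PROTOCOL_FLAGS = ("dnscrypt_servers", "doh_servers", "odoh_servers")


def _strip_comments(text):
    # TOML comments run from '#' to end of line; none of the values handled
    # here contain '#', so a plain split is sufficient.
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def read_flags(toml_text):
    """Top-level `<flag> = true|false`, the same test the installer performs
    with grep '^odoh_servers = .*true.*'. A missing flag counts as false."""
    text = _strip_comments(toml_text)
    flags = {}
    for name in PROTOCOL_FLAGS:
        m = re.search(r"^\s*%s\s*=\s*(true|false)\b" % name, text, re.M)
        flags[name] = bool(m) and m.group(1) == "true"
    return flags


def read_routes(toml_text):
    """[anonymized_dns] routes as a list of (server_name, [relay, ...]).
    Only the inline-table form `{ server_name=..., via=[...] }` is handled."""
    text = _strip_comments(toml_text)
    section = re.search(r"^\[anonymized_dns\](.*?)(?=^\[|\Z)", text, re.M | re.S)
    if not section:
        return []
    array = re.search(r"routes\s*=\s*\[(.*)\]", section.group(1), re.S)
    if not array:
        return []
    routes = []
    for entry in re.findall(r"\{([^}]*)\}", array.group(1)):
        name = re.search(r"server_name\s*=\s*['\"]([^'\"]*)['\"]", entry)
        via = re.search(r"via\s*=\s*\[([^\]]*)\]", entry)
        relays = re.findall(r"['\"]([^'\"]+)['\"]", via.group(1)) if via else []
        routes.append((name.group(1) if name else "", relays))
    return routes


def check_relay_coverage(toml_text):
    """Findings a user would want before enabling both protocols at once."""
    flags = read_flags(toml_text)
    routes = read_routes(toml_text)
    wildcard = any(name == "*" for name, _ in routes)
    findings = []
    if flags["odoh_servers"] and not routes:
        findings.append("odoh_servers = true but [anonymized_dns] has no routes; "
                        "ODoH servers are unusable without a relay")
    for name, relays in routes:
        if not relays:
            findings.append("route for %s lists no relays" % name)
    if flags["dnscrypt_servers"] and flags["odoh_servers"] and not wildcard:
        findings.append("DNSCrypt and ODoH both enabled without a wildcard route: "
                        "every server of each kind needs its own via=[...] entry")
    return {"flags": flags, "routes": routes, "wildcard": wildcard, "findings": findings}


if __name__ == "__main__":
    for finding in check_relay_coverage(SAMPLE_TOML)["findings"]:
        print("WARNING:", finding)
```

On the constructed sample this reports the empty relay list for `odoh-koki-se` and the missing wildcard; swapping the routes for `{ server_name='*', via=['*'] }` clears both findings, which is what the installer's wildcard prompt sets up.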

rgnldo commented 1 year ago

I had tested your script on the AMTM. I have Dnscrypt installed on the laptop and the firewall appliance, no DNS servers. I got the queries only with the relay servers, disabling DNSSEC and DOH. So I decided to share it with your project.

jumpsmm7 commented 1 year ago

> I had tested your script on the AMTM. I have Dnscrypt installed on the laptop and the firewall appliance, no DNS servers. I got the queries only with the relay servers, disabling DNSSEC and DOH. So I decided to share it with your project.

It sounds like a limitation with the upstream dnscrypt-proxy project, and not an actual limitation introduced by this installation project. It may get better attention among the dnscrypt proxy developers. As mentioned, the installation script has a pathway to enable dnscrypt anonymization and odoh at the same time per user specification in automatic mode. It also supports it per server selection as well. If they don't properly work when selected together then something is wrong in the upstream binaries.

As for this installer , it is only intended to work for use on the router "himself".

Frankly, I am confused as to what you are expecting this project to do or achieve when the installation/configuration menu already allows for the correct entries for such relay and odoh transactions to be placed in the .toml file based on user selection at script runtime. If it is not working after the fact, then it would seem an issue must be addressed by the upstream dnscrypt proxy developers. Or you may have picked a conflicting option when choosing a load balance strategy.

Most likely what you are experiencing is not a flaw, but the dnscrypt proxy load balancer option you defined picking the services with the lowest latency to complete the query transactions. In this instance, maybe only the dnscrypt servers are being used because they have the lowest estimated latency.

You may need to pick a different load balancer strategy. Here is a link to what this looks like: https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml#L149-L159

A lot of people forget to account for what this feature does, which is pick the best lowest latency servers to complete query transactions.

If no odoh capable servers alongside dnscrypt servers are selected within the load balance strategy, then odoh will not be used. This is for the simple fact of what the user picked to be their load balance strategy.

Another possible flaw is you have your cache for dnscrypt-proxy enabled. You could be using old responses stored from the cache. This could be creating the appearance that both anonymization and odoh are not usable together.

Zastoff commented 1 year ago

Been using Anonymized DNSCrypt and ODoH servers for months now with version 2.1.2 and now also on 2.1.3. From my syslog:

```
Feb 4 19:39:12 RT-AX88U-6C58 manager[939]: Randomization: Health Check; Monitor will randomize it!
Feb 4 19:39:12 RT-AX88U-6C58 manager[939]: Starting dnscrypt-proxy from manager[939].
Feb 4 19:39:12 RT-AX88U-6C58 dnscrypt-proxy[3763150]: dnscrypt-proxy 2.1.3
Feb 4 19:39:12 RT-AX88U-6C58 dnscrypt-proxy[3763150]: Network connectivity detected
Feb 4 19:39:12 RT-AX88U-6C58 dnscrypt-proxy[3763150]: Dropping privileges
Feb 4 19:39:12 RT-AX88U-6C58 dnscrypt-proxy[3763150]: Network connectivity detected
Feb 4 19:39:12 RT-AX88U-6C58 dnscrypt-proxy[3763150]: Now listening to 127.0.1.1:53 [UDP]
Feb 4 19:39:12 RT-AX88U-6C58 dnscrypt-proxy[3763150]: Now listening to 127.0.1.1:53 [TCP]
Feb 4 19:39:12 RT-AX88U-6C58 dnscrypt-proxy[3763150]: Source [odoh-relays] loaded
Feb 4 19:39:12 RT-AX88U-6C58 dnscrypt-proxy[3763150]: Source [public-resolvers] loaded
Feb 4 19:39:12 RT-AX88U-6C58 dnscrypt-proxy[3763150]: Source [relays] loaded
Feb 4 19:39:12 RT-AX88U-6C58 dnscrypt-proxy[3763150]: Source [odoh-servers] loaded
Feb 4 19:39:12 RT-AX88U-6C58 dnscrypt-proxy[3763150]: Anonymized DNS: routing [odoh-koki-se] via [odohrelay-crypto-sx odohrelay-koki-ams]
Feb 4 19:39:12 RT-AX88U-6C58 dnscrypt-proxy[3763150]: Anonymized DNS: routing [sth-dnscrypt-se] via [anon-cs-swe anon-meganerd]
Feb 4 19:39:12 RT-AX88U-6C58 dnscrypt-proxy[3763150]: Anonymized DNS: routing [quad9-dnscrypt-ip4-nofilter-pri] via [anon-sth-se anon-cs-norway]
Feb 4 19:39:12 RT-AX88U-6C58 dnscrypt-proxy[3763150]: Anonymized DNS: routing [meganerd] via [anon-sth-se anon-cs-dk]
Feb 4 19:39:12 RT-AX88U-6C58 dnscrypt-proxy[3763150]: Anonymized DNS: routing [quad9-dnscrypt-ip4-nofilter-ecs-pri] via [anon-cs-swe anon-sth-se]
Feb 4 19:39:12 RT-AX88U-6C58 dnscrypt-proxy[3763150]: Anonymized DNS: routing [odoh-cloudflare] via [odohrelay-koki-se]
Feb 4 19:39:12 RT-AX88U-6C58 dnscrypt-proxy[3763150]: Firefox workaround initialized
Feb 4 19:39:12 RT-AX88U-6C58 dnscrypt-proxy[3763150]: Anonymizing queries for [odoh-cloudflare] via [odohrelay-koki-se]
Feb 4 19:39:15 RT-AX88U-6C58 dnscrypt-proxy[3763150]: [odoh-cloudflare] OK (ODoH) - rtt: 18ms
Feb 4 19:39:15 RT-AX88U-6C58 dnscrypt-proxy[3763150]: Anonymizing queries for [quad9-dnscrypt-ip4-nofilter-pri] via [anon-sth-se]
Feb 4 19:39:15 RT-AX88U-6C58 dnscrypt-proxy[3763150]: [quad9-dnscrypt-ip4-nofilter-pri] OK (DNSCrypt) - rtt: 15ms
Feb 4 19:39:15 RT-AX88U-6C58 dnscrypt-proxy[3763150]: [quad9-dnscrypt-ip4-nofilter-pri] OK (DNSCrypt) - rtt: 15ms - additional certificate
Feb 4 19:39:15 RT-AX88U-6C58 dnscrypt-proxy[3763150]: Anonymizing queries for [sth-dnscrypt-se] via [anon-cs-swe]
Feb 4 19:39:15 RT-AX88U-6C58 dnscrypt-proxy[3763150]: [sth-dnscrypt-se] OK (DNSCrypt) - rtt: 15ms
Feb 4 19:39:15 RT-AX88U-6C58 dnscrypt-proxy[3763150]: Anonymizing queries for [quad9-dnscrypt-ip4-nofilter-ecs-pri] via [anon-sth-se]
Feb 4 19:39:16 RT-AX88U-6C58 dnscrypt-proxy[3763150]: [quad9-dnscrypt-ip4-nofilter-ecs-pri] OK (DNSCrypt) - rtt: 17ms
Feb 4 19:39:16 RT-AX88U-6C58 dnscrypt-proxy[3763150]: [quad9-dnscrypt-ip4-nofilter-ecs-pri] OK (DNSCrypt) - rtt: 17ms - additional certificate
Feb 4 19:39:16 RT-AX88U-6C58 dnscrypt-proxy[3763150]: Anonymizing queries for [odoh-koki-se] via [odohrelay-koki-ams]
Feb 4 19:39:17 RT-AX88U-6C58 dnscrypt-proxy[3763150]: [odoh-koki-se] OK (ODoH) - rtt: 51ms
Feb 4 19:39:17 RT-AX88U-6C58 dnscrypt-proxy[3763150]: Anonymizing queries for [meganerd] via [anon-sth-se]
Feb 4 19:39:17 RT-AX88U-6C58 dnscrypt-proxy[3763150]: [meganerd] OK (DNSCrypt) - rtt: 39ms
Feb 4 19:39:17 RT-AX88U-6C58 dnscrypt-proxy[3763150]: Sorted latencies:
Feb 4 19:39:17 RT-AX88U-6C58 dnscrypt-proxy[3763150]: - 15ms quad9-dnscrypt-ip4-nofilter-pri
Feb 4 19:39:17 RT-AX88U-6C58 dnscrypt-proxy[3763150]: - 15ms sth-dnscrypt-se
Feb 4 19:39:17 RT-AX88U-6C58 dnscrypt-proxy[3763150]: - 17ms quad9-dnscrypt-ip4-nofilter-ecs-pri
Feb 4 19:39:17 RT-AX88U-6C58 dnscrypt-proxy[3763150]: - 18ms odoh-cloudflare
Feb 4 19:39:17 RT-AX88U-6C58 dnscrypt-proxy[3763150]: - 39ms meganerd
Feb 4 19:39:17 RT-AX88U-6C58 dnscrypt-proxy[3763150]: - 51ms odoh-koki-se
Feb 4 19:39:17 RT-AX88U-6C58 dnscrypt-proxy[3763150]: Server with the lowest initial latency: quad9-dnscrypt-ip4-nofilter-pri (rtt: 15ms)
Feb 4 19:39:17 RT-AX88U-6C58 dnscrypt-proxy[3763150]: dnscrypt-proxy is ready - live servers: 6
```

Configured with dnscrypt installer (in amtm)

rgnldo commented 1 year ago

Don't read this as me blaming the AMTM Asus Dnscrypt installer. It is working. I am contributing an observation, that is, if the user chooses anonymous queries and ODoH, you must disable DNSSEC and DOH for compatibility reasons. If this is already provided for in the installer, very good.

jumpsmm7 commented 1 year ago

> Don't read this as me blaming the AMTM Asus Dnscrypt installer. It is working. I am contributing an observation, that is, if the user chooses anonymous queries and ODoH, you must disable DNSSEC and DOH for compatibility reasons. If this is already provided for in the installer, very good.

I was trying to understand what you were meaning here. This is a place where people would report issues pertaining to the amtm installer. A better place to share your findings would be the addons thread of the snbforums, so other users can see that a potential issue exists in dnscrypt proxy if users don't select options a certain way.