openwrt DNScrypt

DNSCrypt

DNSCrypt offers a way to protect clients against attacks related to the modification and manipulation of DNS traffic — The main objective of DNSCrypt is authentication of the communication channel between the client (you) and a resolver supporting the protocol — This will protect the client fromman in the middle attacks. In addition, encryption of DNS communication improves the client’s privacy. DNSCrypt is the client-side version ofdnscrypt-wrapper.

The dnscrypt-proxy client project is maintained by Frank Denis jedisct1

DNSCrypt verifies that responses you get from a DNS provider have been actually sent by that provider, and haven’t been tampered with.

This is not a VPN. It doesn’t mask your IP address, and if you are using it with a public DNS service, be aware that it will (and has to) decrypt your queries.

If you are using it for privacy, it might do the opposite of what you are trying to achieve. If you are using it to prevent VPN “leaks”, this isn’t the right tool either: the proper way to prevent VPN “leaks” is to avoid sending data to yet another third party: use a VPN service that operates its own DNSresolvers.

Installation

dnscrypt-proxy and libsodium is in the official repository for Chaos Calmer 15.05 and up.

opkg update
opkg install dnscrypt-proxy

If installed skip to configuration.
If somehow you can’t install it that way, proceed with the following instructions.

ar71xx and Barrier Breaker

The OpenWrt package for ar71xx is maintained by black-roland.

Differences with OpenWrt packages:

Package	Difference
`dnscrypt-proxy`	Newest version for Chaos Calmer. Barrier Breaker support. Procd support and possibility of launching multiple instances.
`libsodium`	Newest version for Chaos Calmer. Barrier Breaker support.
`iodine`	Memory usage reduce patch.

This will install dnscrypt-proxy as well as any dependent libraries such as libsodium

Add third-party source to your opkg configuration file /etc/opkg.conf according to your OpenWRT version.

Chaos Calmer:

cd /tmp
wget 'http://exopenwrt.roland.black/exopenwrt.pub'
opkg-key add exopenwrt.pub
echo 'src/gz exopenwrt http://exopenwrt.roland.black/chaos_calmer/15.05/ar71xx/packages/exopenwrt/' >> /etc/opkg.conf

Barrier Breaker:

http://exopenwrt.roland.black/barrier_breaker/14.07/ar71xx/packages/exopenwrt

And proceed with the installation itself:

opkg update
opkg install dnscrypt-proxy

Forum thread

Configuration

DNSCrypt is listening on address and port: 127.0.0.1:5353. We need to set OpenWRT to send DNS request to that address.

Server configuration

dnscrypt-proxy

The config file /etc/config/dnscrypt-proxy is simple and should be edited according to your needs. Possible values for the ‘resolver’ option are the first column in the list of public DNSCrypt resolvers.

config dnscrypt-proxy option address '127.0.0.1' option port '5353' # option resolver 'cisco' # option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv' # option ephemeral_keys '1'

Description:

Name	Type	Required	Default	Description
`address`	string	yes	`127.0.0.1`	The IP address of the proxy server.
`port`	string	yes	`5353`	Listening port for DNS queries.
`resolver`	string	no	`cisco`	DNS service for resolving queries. You can’t add more than one resolver.
`resolvers_list`	string	no	`/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv`	Location of CSV file containing list of resolvers.
`ephemeral_keys`	boolean	no	`0`	Improve privacy by using an ephemeral public key for each query. Recommended if you are not using your own server. Ephemeral keys option requires extra CPU cycles and can cause huge system load. Disable it in case of performance problems.

If you need to specify other options, you will have to edit the /etc/init.d/dnscrypt-proxy script.

Note: I’ve had a little bit of confusion at setup, so I want to remind you; address and port strings are for local proxy server, you just have to pick a dnscrypt server from the resolvers list, put its name in resolver string and comment out resolvers and resolvers list settings.

Now we will start DNSCrypt and enable auto boot for it:

/etc/init.d/dnscrypt-proxy enable
/etc/init.d/dnscrypt-proxy start

Note: If dnscrypt-proxy is not starting after a router reboot, it may be trying to start before the network interface is fully up. Add the following to /etc/rc.local, above the line “exit 0”:

sleep 10
/etc/init.d/dnscrypt-proxy start

dnsmasq

Assuming you are using dnsmasq, edit the bold lines in /etc/config/dhcp

config dnsmasq option domainneeded 1 option boguspriv 1 option filterwin2k 0 option localise_queries 1 option rebind_protection 1 option rebind_localhost 1 option local '/lan/' option domain 'lan' option expandhosts 1 option nonegcache 0 option authoritative 1 option readethers 1 option leasefile '/tmp/dhcp.leases' # option resolvfile '/tmp/resolv.conf.auto'  option noresolv 1  list server '127.0.0.1#5353'  list server '/pool.ntp.org/208.67.222.222' # list server '208.67.222.222' # list server '208.67.220.220'

We have disabled /tmp/resolv.conf.auto file since it instruct dnsmasq to use your ISP’s DNS.
noresolv option also disables /etc/resolv.conf file for similar reason.
127.0.0.1#5353 is the DNSCrypt address.
/pool.ntp.org/208.67.222.222 adds an exception for pool.ntp.org, which will be resolved through the standard unencrypted DNS channel. DNSCrypt requires precise time, otherwise it will not resolve any domain, including pool.ntp.org. So if your device’s time was incorrect, it could never update its time, and therefore DNSCrypt would never work. So we set this exception so that pool.ntp.org queries will always bypass DNSCrypt and resolve with the standard unencrypted OpenDNS method.

Reboot router or restart dnsmasq for the changes to take effect.

/etc/init.d/dnsmasq restart

Client configuration

Note: you may need admin privileges to run the commands below.

Linux

sudo /etc/init.d/nscd restart

sudo /etc/init.d/networking restart

Windows

ipconfig /flushdns

Mac OS X

Mac OSX 10.4 (Tiger)
- ```
lookupd -flushcache
```
Mac OSX 10.5/10.6 (Leopard/Snow Leopard)
- ```
dscacheutil -flushcache
```

Troubleshooting

How to check what features are supported by your resolver

The DNS leak test or DNS randomness test will show the actual IP of your DNS. You can check here if the IP is associated with the service you are using (put the IP in the search field).
DNSSEC resolver test determines whether your DNS resolver validates DNSSEC signatures.
If you can access DNSCrypt.bit, your resolver can resolve domain names using Namecoin.

How to check if your DNS queries are using dnscrypt

On the router:

pkill -STOP dnscrypt-proxy

DNS resolution should not work any more.

To restore service, unfreeze the client proxy:

pkill -CONT dnscrypt-proxy

How to check if dnscrypt-proxy is set up and running

The easy way is to look in the log.

Check if dnsmasq is using only dnscrypt. Only the last block of logged nameservers is relevant.

```
logread | grep -n "using nameserver"
```

132:Jan  1 01:01:00 openwrt daemon.info dnsmasq[1883]: using nameserver 208.67.222.222#53 for domain pool.ntp.org
133:Jan  1 01:01:00 openwrt daemon.info dnsmasq[1883]: using nameserver 127.0.0.1#5353

Check that dnscrypt-proxy is working.

```
logread | grep "Proxying from"
```

Jul 1 12:00:00 openwrt daemon.info dnscrypt-proxy[1831]: Proxying from 127.0.0.1:5353 to 208.67.220.220:443

Suspicious certificate received

A “suspicious” certificate can be reported:

root@OpenWrtRouter:/tmp# ./dnscrypt-proxy -R dnscrypt.eu-nl -a 127.0.0.1:5353 [INFO] Generating a new key pair [INFO] Done [ERROR] Suspicious certificate received [ERROR] No useable certificates found [INFO] Refetching server certificates [ERROR] Suspicious certificate received [ERROR] No useable certificates found

Check the date and time on your router: this kind of behavior is usually caused by a system clock that hasn’t been set properly.

2016-02-142016-12-20

Free and Public DNS Servers

Your ISP automatically assigns DNS servers when your router or computer connects to the Internet via DHCP… but you don’t have to use those.

Below are free DNS servers you can use instead of the ones assigned, the best and most reliable of which, from the likes of Google and OpenDNS, you can find below:

See How Do I Change DNS Servers? for help. More help is below the table.

Free & Public DNS Servers (Valid February 2016)

Provider	Primary DNS Server	Secondary DNS Server
Level3¹	209.244.0.3	209.244.0.4
Verisign²	64.6.64.6	64.6.65.6
Google³	8.8.8.8	8.8.4.4
DNS.WATCH⁴	84.200.69.80	84.200.70.40
Comodo Secure DNS	8.26.56.26	8.20.247.20
OpenDNS Home⁵	208.67.222.222	208.67.220.220
DNS Advantage	156.154.70.1	156.154.71.1
Norton ConnectSafe⁶	199.85.126.10	199.85.127.10
GreenTeamDNS⁷	81.218.119.11	209.88.198.133
SafeDNS⁸	195.46.39.39	195.46.39.40
OpenNIC⁹	50.116.23.211	192.99.240.129
SmartViper	208.76.50.50	208.76.51.51
Dyn	216.146.35.35	216.146.36.36
FreeDNS¹⁰	37.235.1.174	37.235.1.177
Alternate DNS¹¹	198.101.242.72	23.253.163.53
Yandex.DNS¹²	77.88.8.8	77.88.8.1
censurfridns.dk¹³	89.233.43.71	91.239.100.100
Hurricane Electric¹⁴	74.82.42.42
puntCAT¹⁵	109.69.8.51

Note: Primary DNS servers are sometimes called preferred DNS servers and secondary DNS servers are sometimes called alternate DNS servers. Primary and secondary DNS servers can be “mixed and matched” to provide another layer of redundancy.

Why Use Different DNS Servers?

One reason you might want to change from the DNS servers assigned by your ISP is if you suspect there’s a problem with the ones you’re using now.

An easy way to test for a DNS server issue is by typing a website’s IP address into the browser. If you can reach the website with the IP address, but not the name, then the DNS server is likely having issues.

Another reason to change DNS servers is if you’re looking for a better performing service. Many people complain that their ISP-maintained DNS servers are sluggish and contribute to a slower overall browsing experience.

Yet another, increasingly common reason to use DNS servers from a third party is to prevent logging of your web activity and to circumvent the blocking of certain websites.

The Small Print

Don’t worry, this is good small print!

Many of the DNS providers listed above have varying levels of services (OpenDNS, Norton ConnectSafe, etc.), IPv6 DNS servers (Google, DNS.WATCH, etc.), and location specific servers you might prefer (OpenNIC).

While you don’t need to know anything beyond what I included in the table above, this bonus information might be helpful for some of you, depending on your needs:

_{[1] The free DNS servers listed above as Level3 will automatically route to the nearest DNS server operated by Level3 Communications, the company that provides most of the ISPs in the US their access to the Internet backbone.}

_{[2] Verisign says this about their free DNS servers: “We will not sell your public DNS data to third parties nor redirect your queries to serve you any ads.” Verisign offers IPv6 public DNS servers as well: 2620:74:1b::1:1 and 2620:74:1c::2:2.}

_{[3] Google also offers IPv6 public DNS servers: 2001:4860:4860::8888 and 2001:4860:4860::8844.}

_{[4] DNS.WATCH also has IPv6 DNS servers at 2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b. In an uncommon but much appreciated move, DNS.WATCH publishes live statistics for both of their free DNS servers. Both servers are located in Germany which could impact performance if used from the US or other remote locations.}

_{[5] OpenDNS also offers DNS servers that block adult content, called OpenDNS FamilyShield. Those DNS servers are 208.67.222.123 and 208.67.220.123. A premium DNS offering is also available, called OpenDNS Home VIP.}

_{[6] The Norton ConnectSafe free DNS servers listed above block sites hosting malware, phishing schemes, and scams, and is called Policy 1. Use Policy 2 (199.85.126.20 and 199.85.127.20) to block those sites plus those with pornographic content. Use Policy 3 (199.85.126.30 and 199.85.127.30) to block all previously mentioned site categories plus those Norton deems “non-family friendly.” Be sure to check out the list of things blocked in Policy 3 – there are several controversial topics in there that you may find perfectly acceptable.}

_{[7] GreenTeamDNS “blocks tens of thousands of dangerous websites which include malware, botnets, adult related content, aggressive/ violent sites as well as advertisements and drug-related websites ” according to their FAQ page. Premium accounts have more control.}

_{[8] Register here with SafeDNS for content filtering options in several areas.}

_{[9] The DNS servers listed here for OpenNIC are just two of many in the US and across the globe. Instead of using the OpenNIC DNS servers listed above, see their complete list of public DNS servers here and use two that are close to you or, better yet, let them tell you that automatically here. OpenNIC also offers some IPv6 public DNS servers.}

_{[10] FreeDNS says that they “never log DNS queries.” Their free DNS servers are located in Austria.}

_{[11] Alternate DNS says that their DNS servers “block unwanted ads” and that they engage in “no query logging.”}

_{[12] Yandex’s Basic free DNS servers, listed above, are also available in IPv6 at 2a02:6b8::feed:0ff and 2a02:6b8:0:1::feed:0ff. Two more free tiers of DNS are available as well. The first is Safe, at 77.88.8.88 and 77.88.8.2, or 2a02:6b8::feed:bad and 2a02:6b8:0:1::feed:bad, which blocks “infected sites, fraudulent sites, and bots.” The second is Family, at 77.88.8.7 and 77.88.8.3, or 2a02:6b8::feed:a11 and 2a02:6b8:0:1::feed:a11, which blocks everything thatSafe does, plus “adult sites and adult advertising.”}

_{[13] The censurfridns.dk DNS servers are uncensored, operated by a privately funded individual, and are physically located in Denmark. You can read more about them here. IPv6 DNS servers are also available at 2002:d596:2a92:1:71:53:: and 2001:67c:28a4::.}

_{[14] Hurricane Electric also has an IPv6 public DNS server available: 2001:470:20::2.}

_{[15] puntCAT is physically located near Barcelona, Spain. The IPv6 version of their free DNS server is 2a00:1508:0:4::9.}

2016-02-142016-12-20

Best Free Public DNS Servers

Looking to switch from your ISP DNS to another provider? I was surprised to find out that using a free public DNS server from a reputable company was far better than using my local ISP DNS, especially when travelling in foreign countries.

I was recently in India and was getting very frustrated with the constant Webpage cannot load errors followed by the website loading 5 seconds later. I kept seeing the DNS lookup failed message, so I figured let me try another DNS provider and that made an absolute world of difference.

There are a bunch of public DNS servers you can use, but I won’t bother mentioning them all as the top 5 to 10 will cover the needs for pretty much everyone. Some DNS servers provide additional benefits like filtering out phishing scams, blocking porn sites, etc. and I’ll be sure to mention the features for each service.

Also, be sure to read my post on finding the fastest public DNS server from your location using free utilities. Once you have chosen a DNS service, read my post on how to change your DNS servers in Windows.

1. Google Public DNS

Google being Google, they have massive scale, load-balancing, redundancy and DNS servers distributed all over the world. They also support the latest technologies and security mechanisms like IPv6 DNS servers and DNSSEC. Their DNS servers are also well protected against DoS attacks and cache poisoning attacks.

It’s worth noting that Google Public DNS does not perform any blocking or filtering on the DNS requests, as some of the other services do. They state that only under extraordinary circumstances would they block anything. For me, this is a good option because I use other tools to filter out malware sites, etc and don’t necessarily want my DNS service to be involved.

The main benefit for using Google is their global data center and the fact that they have DNS servers located around the world. Some other services only have DNS servers located in one part of the world, so the performance will suffer considerably.

The main downside to using Google is that they are all about tracking and logging everything anyone does on the Internet and this is no exception. If you are leery of Google having too much information, I would suggest using a different DNS server.

Google Public DNS IPv4 Addresses:

8.8.8.8
8.8.4.4

Google Public DNS IPv6 Addresses:

2001:4860:4860::8888
2001:4860:4860::8844

2. Level 3 DNS

Level 3 is the company that provides a lot of ISPs their connection to the Internet backbone, so they are huge, reliable and secure. There is no filtering with Level 3, just like Google DNS, so it’s mostly used for performance and reliability.

Depending on your location in the world, any of the public DNS servers I mention here could be the fastest, so that’s why it’s necessary to read the link above on finding the fastest DNS server for your connection.

Level 3 Public DNS Server Addresses:

209.244.0.3
209.244.0.4
4.2.2.1
4.2.2.2
4.2.2.3
4.2.2.4

3. OpenDNS

OpenDNS has been around for a very long time and they are a reputable company. OpenDNS provides several services including Enhanced DNS and Parental Controls, both of which are free.

OpenDNS is also the first public DNS that I have mentioned that does automatic blocking and filtering against phishing attacks and identity theft. This is a great option if you have kids and want to prevent them from landing on malware-infested sites or if you have older family members who sometimes click on spam links in emails.

They also have a VIP service for $20 a month that gives you a bunch Internet usage statistics for all the devices on your network.

OpenDNS IP Addresses:

208.67.222.222
208.67.220.220

4. Norton ConnectSafe DNS

Norton ConnectSafe is the public DNS service provided by Norton. Like OpenDNS, Norton also has automatic filtering and blocking based on their database of sites. Using the free DNS speed tools I mentioned, it’s also one of the fastest public DNS servers.

Norton DNS has a couple of different DNS servers, depending on the type of protection you want. They have three options:

A – Protection against malware, phishing sties and scam sites

B – A + Pornography

C – A +Pornography + Other

Other will basically block sites related to mature content, gambling, hate, suicide, tobacco, drugs, alcohol, etc. Obviously, that could block a lot of sites, so us that option as you see fit.

Norton DNS IP Addresses:

Option A:

199.85.126.10
199.85.127.10

Option B:

199.85.126.20
199.85.127.20

Option C:

DNSDNSDNS199.85.126.30
199.85.127.30

5. OpenNIC DNS

Lastly, another one I like to use is OpenNIC. They have servers all of the world run by their own members and exist to provide a democratic, non-national network that protects your privacy. The link above will show you a list of all of their Tier 2 DNS servers around the world, but you can go to thehomepage and it will tell you the closest servers to your IP automatically at the top right.

When looking at the list of servers, you can choose one that fits your privacy needs. A lot of them keep no logs, have logs completely disabled or keep anonymous logs.

So those are my top recommendations for public DNS servers that are reliable, fast, and provide extra security and filtering for those that need it. Even though most people use their ISP for DNS, it’s really much better to use a third-party. If you have any questions, let us know in the comments. Enjoy!

2016-02-13

二战德国党卫军军衔、肩章、领章一览

党卫军全国领袖（仅希姆莱一人使用）

肩章	领章

海因里希希姆莱

接受检查时服毒自杀后的照片

党卫军全国总指挥/武装党卫军一级上将(大将)（1942年设）

肩章	领章	迷彩服臂章

“武装党卫军一级上将/党卫军全国总指挥”这一职务所授予的人极少，在武装党卫军中，只有保罗·豪塞尔和约瑟夫·迪特里希两位获得；普通党卫军中，负责治安警察的库尔特·达吕格尔和主管党内财物的弗兰茨·施瓦茨两位。因此，党卫军全国总指挥只有这四位。

党卫队一级总队长党卫军大将约瑟夫·迪特里希

党卫队一级总队长党卫军大将:保罗.豪塞尔

党卫队一级总队长警察大将:库尔特.达吕格尔

党卫队一级总队长纳粹党司库长:弗兰茨.施瓦茨

党卫军全国副总指挥 / 武装党卫军二级上将(上级集团领袖)

1942年前肩章	1942年后肩章	迷彩服臂章
		迷彩服臂章
1942年前领章	1942年后领章

党卫军全国副总指挥共105人

党卫军全国副总指挥兼警察上将:莱因哈特.海德里希

党卫队军全国副总指挥兼武装党卫军上将：提奥多尔·艾克

党卫队全国副总指挥兼武装党卫军上将菲利克斯·斯坦因纳

党卫队副总指挥兼党卫军上将埃里希·冯·德姆·巴赫-泽勒维斯基

党卫军地区总队长/武装党卫军中将

1942年前肩章	1942年后肩章	迷彩服臂章
		迷彩服臂章
1942年前领章	1942年后领章

武装党卫军中将赫伯特-奥托-吉勒

党卫军旅队指挥／武装党卫军少将

1942年前肩章	1942年后肩章	迷彩服臂章
		迷彩服臂章
1942年前领章	1942年后领章

党卫队旗队长兼武装党卫军少将奥托·库姆

党卫军上级区队队长／武装党卫军准将、大校（炮兵）

肩章	1942年前领章	1942年后领章	迷彩服臂章

党卫队旗队长 (旗队领袖)／党卫军上校（装甲部队）

肩章	1942年前领章	1942年后领章	迷彩服臂章

武装党卫军装甲兵上校：库尔特.阿道夫.威廉.迈尔

党卫队一级突击队大队长／武装党卫军中校（步兵）

肩章	领章	迷彩服臂章

卫旗队师第第二装甲掷弹兵团二营5连连长莱因哈特中校

党卫军一级突击队大队长：阿道夫·艾希曼（犹太人屠夫）

党卫队二级突击队大队长／武装党卫军少校（医师）

肩章	领章	迷彩服臂章

营救墨索里尼的奥托·斯科尔兹尼少校

党卫队一级突击队中队长／武装党卫军上尉（保安处）

肩章	领章	迷彩服臂章

二战中最优秀的坦克指挥官武装党卫队上尉：米歇尔魏特曼

党卫队二级突击队中队长／武装党卫军中尉（集中营看守）

肩章	领章	迷彩服臂章

辛德勒名单中的阿蒙葛斯中尉

党卫队三级突击队中队长／党卫军少尉（骑兵）

肩章	领章	迷彩服臂章

武装党卫队三级突击队中队长：埃特·泽普

党卫队突击小队长（候补技术队员），党卫军本部上士或参谋上士

肩章	领章	迷彩服臂章

二战德国党卫军军衔、肩章、领章一览

党卫队一级小队长／党卫军二级军士长（山地部队）

肩章	领章	迷彩服臂章

党卫队二级小队长（高级小队领袖），党卫军一级上士

肩章	领章	迷彩服臂章

党卫队三级小队长（上级小队领袖），党卫军上士

肩章	领章	迷彩服臂章

党卫队四级小队长（小队领袖），党卫军中士

肩章	领章	迷彩服臂章

党卫队三级小队副（下级小队领袖），党卫军代理下士

肩章	领章	臂章

党卫队突击队员（突击队员、突击兵），党卫军一等兵

肩章	领章	臂章

党卫队组长（上级队员、上级突击兵），党卫军二等兵

肩章	领章	臂章

党卫队队员（队员、狙击兵），党卫军二等兵

肩章	领章	臂章
		——