dnscrypt-proxy Package Broken on DSM 7 #4744

Closed
Libre12 opened this issue Jul 17, 2021 · 13 comments

Libre12 commented Jul 17, 2021

Error when trying to download:

"Invalid file format. Please contact the package developer"

Setup

Package Name: dnscrypt-proxy
Package Version: 2.0.44-5

NAS Model: DS920+
NAS Architecture:
DSM version: DSM 7.0-41890

Expected behavior

It should install it

Actual behavior

It downloads the package and immediately gives an error

Steps to reproduce

  1. Try to install it from the package manager

@hgy59
Contributor

hgy59 commented Jul 17, 2021

Please regard the notes on the start page (README.rst) and #4524. dnscrypt-proxy is not updated for DSM7, and maybe it will never be installable on DSM7 as the package needs root privileges.

hgy59 closed this as completed Jul 17, 2021
@publicarray
Member

publicarray commented Jul 18, 2021

@hgy59 just to add if/when it is ported it will be at a reduced feature set. Specifically I assume the port number has to be above 1024 (uncommon for plain DNS)

@hgy59
Contributor

hgy59 commented Jul 18, 2021

Yes, the following comment in service-setup.sh is the reason it will be difficult to port dnscrypt-proxy to DSM7:

    ## I need root to bind to port 53 see `service_prestart()` below

@Libre12
Author

Libre12 commented Jul 19, 2021

We can set the default port to 5353 and from the package DNS Server forward requests to it (127.0.0.1:5353).

Such setup would be even better because the DNS requests would be cached and hence served much faster than if they were handled directly by dnscrypt-proxy.

@publicarray
Member

@Libre12 I'm working on something here. Yes, the default port will be different (I've used 10053, as 5353 is already assigned and used for Multicast DNS, e.g. Bonjour uses it), and my plan at the moment is to remove the GUI for editing the config file and instead migrate it to a separate package: synoedit.

FYI dnscrypt-proxy already caches requests and IMHO is better at doing it. But you can turn it off with `cache = false`.

The full option list (from a newer version, so some don't apply yet):

    ###########################
    #        DNS cache        #
    ###########################

    ## Enable a DNS cache to reduce latency and outgoing traffic

    cache = true

    ## Cache size

    cache_size = 4096

    ## Minimum TTL for cached entries

    cache_min_ttl = 2400

    ## Maximum TTL for cached entries

    cache_max_ttl = 86400

    ## Minimum TTL for negatively cached entries

    cache_neg_min_ttl = 60

    ## Maximum TTL for negatively cached entries

    cache_neg_max_ttl = 600

@publicarray
Member

@Libre12 I tried to forward the DNS from the DNS package, but they don't allow a custom port.

@Libre12
Author

Libre12 commented Jul 23, 2021

> FYI dnscrypt-proxy already caches requests and IMHO is better at doing it. But you can turn it off with cache = false
>
> the full option list (from a newer version so some don't apply yet)

Strange, I always felt that the sites were very slow to open with dnscrypt-proxy. Due to the lack of cache I had assumed.

Question, how come we can still install the package DNS Server? Doesn't it bind to port 53 as well?

@Libre12
Author

Libre12 commented Jul 23, 2021

> @Libre12 I tried to forward the DNS from the DNS package, but they don't allow a custom port.

Wow, that's a big limitation... Not even a newer version?

@publicarray
Member

I assume Synology allows root for their own packages

@Libre12
Author

Libre12 commented Jul 24, 2021

> @Libre12 I tried to forward the DNS from the DNS package, but they don't allow a custom port.

I saw it, their gui thinks 127.0.0.1:10053 is invalid. Hopefully just a matter of updating the gui / javascript and the actual config files would allow it.

Otherwise how to work around this root / binding issue? Any suggestions from Synology?

@Libre12
Author

Libre12 commented Jul 26, 2021

I dug a little deeper and found DNS Server's config files. For some reason they seem to be duplicated.

The DNS resolution seemed to be set on this file:

    /var/packages/DNSServer/target/named/etc/conf/named.options.resolution.conf

or

    /volume1/@appstore/DNSServer/named/etc/conf/named.options.resolution.conf

I tried changing both to:

    allow-recursion {any;};
    forwarders {127.0.0.1 port 10053;};
    forward first;

But it had no effect at all. So I tried restarting the named daemon:

    sudo /volume1/@appstore/DNSServer/script/restart.sh

But again didn't seem to work.

Am I changing the right config files? Maybe it's because 127.0.0.1 is not allowed and I should perhaps try its LAN IP?

@publicarray
Member

Thanks @Libre12, /volume1/@appstore/DNSServer/ and /var/packages/DNSServer/target/ point to the same directory.
I'm not sure, since I'm not familiar with their DNS package.

Previously, I used DHCP (implemented using dnsmasq) to redirect the DNS queries. If you have the DNS package installed, they also redirect the queries. So I recommend having only one redirection.

    # DSM
    echo "server=127.0.0.1#10053" > /etc/dhcpd/dhcpd-dns-dns.conf
    echo "enable=yes" > /etc/dhcpd/dhcpd-dns-dns.info
    # RSM
    echo "server=127.0.0.1#10053" > /etc/dhcpd/dhcpd-dnscrypt-dnscrypt.conf
    echo "enable=yes" > /etc/dhcpd/dhcpd-dnscrypt-dnscrypt.info

    # restart dnsmasq
    /etc/rc.network nat-restart-dhc

But how can a DSM7 package do this without root?
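
The "only one redirection" advice and the port constraint discussed in this thread can be checked mechanically. The script below is an added example, not code from the thread or the package; it assumes the `dhcpd-NAME.conf` / `dhcpd-NAME.info` pairing shown in the comment above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit dnsmasq DNS redirections in a
# DSM-style dhcpd directory. Assumption: dhcpd-NAME.conf only takes effect
# when the sibling dhcpd-NAME.info contains the line enable=yes.

# Print "file host port" for every enabled server=HOST#PORT line under DIR.
list_redirections() {
    for conf in "$1"/dhcpd-*.conf; do
        [ -f "$conf" ] || continue
        grep -qx 'enable=yes' "${conf%.conf}.info" 2>/dev/null || continue
        sed -n 's/^server=\([^#]*\)#\([0-9][0-9]*\)$/\1 \2/p' "$conf" |
            sed "s|^|$(basename "$conf") |"
    done
    return 0
}

# Return 0 only if exactly one redirection is enabled and it targets a
# loopback address on an unprivileged port; print one line per finding.
audit_redirections() {
    rc=0
    lines=$(list_redirections "$1")
    count=$(printf '%s\n' "$lines" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one enabled redirection, found $count"
        rc=1
    fi
    while read -r file host port; do
        [ -n "$file" ] || continue
        case $host in
            127.*|::1) ;;
            *) echo "$file: $host is not a loopback address"
               rc=1 ;;
        esac
        if [ "$port" -lt 1024 ]; then
            echo "$file: port $port is privileged, the listener would need root"
            rc=1
        fi
    done <<EOF
$lines
EOF
    return "$rc"
}

# Usage: sh audit.sh /etc/dhcpd   (no argument: only define the functions)
[ -z "${1:-}" ] || audit_redirections "$1"
```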

@Libre12
Author

Libre12 commented Jul 28, 2021

> But how can a DSM7 package do this without root?

During the package install DSM could ask for root password for some packages, dnscrypt_proxy could be one of these. It seems one way or the other we will need root permission then? Or Synology could update their GUI to allow the DNS redirection, either from the DNS Server package or DHCP settings page?

Right now I'm trying to run dnscrypt_proxy from a Docker container, it was so much better when it just worked from your package though..


3 participants