User Tools

Site Tools


docs:guide-user:services:dns:dnscrypt-proxy

dnscrypt-proxy

dnscrypt-proxy is an application that acts as a local DNS stub resolver using DNSCrypt. It encrypts your DNS-traffic improving security and privacy. dnscrypt-proxy is the client-side version of dnscrypt-wrapper. Follow DNS encryption to utilize DNSCrypt via dnscrypt-proxy.

Installation

opkg update
opkg install dnscrypt-proxy

LuCI integration:

opkg update
opkg install luci-app-dnscrypt-proxy

Configuration

Name Type Required Default Description
address string yes 127.0.0.1 The IP address of the proxy server.
port string yes 5353 Listening port for DNS queries.
resolver string no none DNS service for resolving queries. You can't add more than one resolver.
resolvers_list string no /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv Location of CSV file containing list of resolvers. When you use a custom DNSCrypt server and you later get problems when executing DNSCrypt, have a look in the resolver list (/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv) and make sure the resolver you chose is listed there. If not you may need to manually add it or just update the resolver list with the official one. Make sure to verify the integrity of the file before overwriting the local list!
ephemeral_keys boolean no 0 Improve privacy by using an ephemeral public key for each query. Note that you cannot yet use it with current (Chaos Calmer) version of OpenWrt as the dnscrypt-proxy package is outdated and uses a version of DNSCrypt, which does not support ephemeral keys. Ephemeral keys option requires extra CPU cycles (especially on non-x86 platforms) and can cause huge system load. Disable it in case of performance problems. Also this option is useless with most DNSCrypt servers (all the servers using short TTLs for the certificates, which is done by default in the Docker image).
client_key string no none Use a client public key for identification. By default, the client uses a randomized key pair in order to make tracking more difficult. This option does the opposite and uses a static key pair, so that DNS providers can offer premium services to queries signed with a known set of public keys. A client cannot decrypt the received responses without also knowing the secret key. The value of this property is the path to a file containing the secret key. The corresponding public key is computed automatically
syslog boolean no 1 Send logs to the syslog daemon
syslog_prefix string no dnscrypt-proxy Log entries can optionally be prefixed with a string
docs/guide-user/services/dns/dnscrypt-proxy.txt · Last modified: 2019/04/20 11:41 by vgaetera