User Tools

Site Tools


docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy

DNSCrypt via Dnsmasq and dnscrypt-proxy

Introduction

  • This guide describes how to configure OpenWrt to protect your DNS traffic.
  • It utilizes DNSCrypt to provide DNS encryption.
  • DNS encryption is limited to DNS traffic, use VPN to protect all traffic.

Goals

  • Encrypt your DNS traffic improving security and privacy.
    • Prevent DNS leak and DNS hijacking.
  • Bypass regional restrictions using public DNS providers.
    • Escape DNS-based content filters and internet censorship.

Instructions

This method utilizes DNSCrypt via Dnsmasq and dnscrypt-proxy and focuses on resource efficiency.

Enable split DNS mode to encrypt LAN client DNS traffic assuming that local system traffic does not involve private data.

Use dnscrypt-proxy to encrypt DNS traffic. Configure Dnsmasq to forward DNS queries to dnscrypt-proxy. Enforce DNS encryption for LAN clients to avoid DNS leak.

# Install packages
opkg update
opkg install dnsmasq dnscrypt-proxy
 
# Configure DNSCrypt provider
uci set dnscrypt-proxy.@dnscrypt-proxy[0].resolver="cisco"
uci commit dnscrypt-proxy
service dnscrypt-proxy restart
 
# Enable DNS encryption
uci -q delete dhcp.@dnsmasq[0].server
DNSCRYPT_ADDR="$(uci get dnscrypt-proxy.@dnscrypt-proxy[0].address)"
DNSCRYPT_PORT="$(uci get dnscrypt-proxy.@dnscrypt-proxy[0].port)"
DNSCRYPT_SERV="${DNSCRYPT_ADDR//[][]/}#${DNSCRYPT_PORT}"
uci add_list dhcp.@dnsmasq[0].server="${DNSCRYPT_SERV}"
 
# Enforce DNS encryption for LAN clients
uci set dhcp.@dnsmasq[0].noresolv="1"
uci commit dhcp
service dnsmasq restart

See also: DNS hijacking, Random generator

Testing

Verify that domain name resolution works.

nslookup openwrt.org localhost

Check your DNS provider. Make sure there is no DNS leak.

Test DNSSEC validation.

Troubleshooting

Collect and analyze the following information.

# Restart the services
service log restart; service dnsmasq restart; service dnscrypt-proxy restart
 
# Log and status
logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq
logread -e dnscrypt; netstat -l -n -p | grep -e dnscrypt
 
# Runtime configuration
pgrep -f -a dnsmasq; pgrep -f -a dnscrypt-proxy
 
# Persistent configuration
uci show dhcp; uci show dnscrypt-proxy

Extras

DNSCrypt provider

dnscrypt-proxy uses Cisco DNS by default. You can change it to another DNSCrypt provider. Make sure selected provider supports DNSSEC validation if required. Specify several servers to improve fault tolerance.

# Configure DNSCrypt provider
while uci -q delete dnscrypt-proxy.@dnscrypt-proxy[0]; do :; done
uci set dnscrypt-proxy.dns6a="dnscrypt-proxy"
uci set dnscrypt-proxy.dns6a.address="[::1]"
uci set dnscrypt-proxy.dns6a.port="5353"
uci set dnscrypt-proxy.dns6a.resolver="dnscrypt.eu-dk-ipv6"
uci set dnscrypt-proxy.dns6b="dnscrypt-proxy"
uci set dnscrypt-proxy.dns6b.address="[::1]"
uci set dnscrypt-proxy.dns6b.port="5354"
uci set dnscrypt-proxy.dns6b.resolver="dnscrypt.eu-nl"
uci set dnscrypt-proxy.dnsa="dnscrypt-proxy"
uci set dnscrypt-proxy.dnsa.address="127.0.0.1"
uci set dnscrypt-proxy.dnsa.port="5355"
uci set dnscrypt-proxy.dnsa.resolver="dnscrypt.eu-dk"
uci set dnscrypt-proxy.dnsb="dnscrypt-proxy"
uci set dnscrypt-proxy.dnsb.address="127.0.0.1"
uci set dnscrypt-proxy.dnsb.port="5356"
uci set dnscrypt-proxy.dnsb.resolver="dnscrypt.nl-ns0"
uci commit dnscrypt-proxy
service dnscrypt-proxy restart
 
DNSCRYPT_ID="0"
uci -q delete dhcp.@dnsmasq[0].server
while uci get dnscrypt-proxy.@dnscrypt-proxy[${DNSCRYPT_ID}] &>/dev/null
do
DNSCRYPT_ADDR="$(uci get dnscrypt-proxy.@dnscrypt-proxy[${DNSCRYPT_ID}].address)"
DNSCRYPT_PORT="$(uci get dnscrypt-proxy.@dnscrypt-proxy[${DNSCRYPT_ID}].port)"
DNSCRYPT_SERV="${DNSCRYPT_ADDR//[][]/}#${DNSCRYPT_PORT}"
uci add_list dhcp.@dnsmasq[0].server="${DNSCRYPT_SERV}"
let DNSCRYPT_ID++
done
uci commit dhcp
service dnsmasq restart

Local system DNS via Dnsmasq

Enforce DNS encryption for local system. Override DNS encryption for NTP provider to avoid deadlock state if system time is not synchronized. Beware of fault tolerance issues.

# Enforce DNS encryption for local system
uci set dhcp.@dnsmasq[0].localuse="1"
 
# Fetch DNS provider
source /lib/functions/network.sh
network_find_wan NET_IF
network_find_wan6 NET_IF6
network_get_dnsserver NET_DNS "${NET_IF}"
network_get_dnsserver NET_DNS6 "${NET_IF6}"
 
# Override DNS encryption for NTP provider
uci get system.ntp.server \
| sed -e "s/\s/\n/g" \
| sed -e "s/^[0-9]*\.//" \
| sort -u \
| while read NTP_DOMAIN
do
uci add_list dhcp.@dnsmasq[0].server="/${NTP_DOMAIN}/${NET_DNS%% *}"
uci add_list dhcp.@dnsmasq[0].server="/${NTP_DOMAIN}/${NET_DNS6%% *}"
done
uci commit dhcp
service dnsmasq restart
docs/guide-user/services/dns/dnscrypt_dnsmasq_dnscrypt-proxy.txt · Last modified: 2019/05/26 17:01 by vgaetera