DNSCrypt with Dnsmasq and dnscrypt-proxy

• This how-to describes the method for setting up DNSCrypt on OpenWrt.
• It relies on Dnsmasq and dnscrypt-proxy for resource efficiency.
• Follow DNS hijacking to intercept DNS traffic or use VPN to protect all traffic.

• Encrypt your DNS traffic improving security and privacy.
  • Prevent DNS leaks and DNS hijacking.
• Bypass regional restrictions using public DNS providers.
  • Escape DNS-based content filters and internet censorship.

Install the required packages. Enable DNS encryption.

# Install packages
opkg update
opkg install dnscrypt-proxy
 
# Configure DNSCrypt provider
uci set dnscrypt-proxy.@dnscrypt-proxy[0].resolver="adguard-dns"
uci set dnscrypt-proxy.@dnscrypt-proxy[0].address="127.0.0.1"
uci set dnscrypt-proxy.@dnscrypt-proxy[0].port="5253"
uci commit dnscrypt-proxy
/etc/init.d/dnscrypt-proxy restart
 
# Enable DNS encryption
/etc/init.d/dnsmasq stop
uci set dhcp.@dnsmasq[0].noresolv="1"
uci -q delete dhcp.@dnsmasq[0].server
DNSCRYPT_ADDR="$(uci -q get dnscrypt-proxy.@dnscrypt-proxy[0].address)"
DNSCRYPT_PORT="$(uci -q get dnscrypt-proxy.@dnscrypt-proxy[0].port)"
DNSCRYPT_SERV="${DNSCRYPT_ADDR//[][]/}#${DNSCRYPT_PORT}"
uci add_list dhcp.@dnsmasq[0].server="${DNSCRYPT_SERV}"
uci commit dhcp
/etc/init.d/dnsmasq start

LAN clients should use Dnsmasq as a primary resolver. Dnsmasq forwards DNS queries to dnscrypt-proxy which encrypts DNS traffic.

Verify domain name resolution with nslookup.

nslookup openwrt.org localhost

Check your DNS provider and test DNSSEC validation.

• https://dnsleaktest.com/
• https://dnssec-tools.org/test/

Collect and analyze the following information.

# Restart services
/etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/dnscrypt-proxy restart
 
# Log and status
logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq
logread -e dnscrypt-proxy; netstat -l -n -p | grep -e dnscrypt-proxy
 
# Runtime configuration
pgrep -f -a dnsmasq; pgrep -f -a dnscrypt-proxy
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
 
# Persistent configuration
uci show dhcp; uci show dnscrypt-proxy

If you want to manage the settings using web interface. Install the necessary packages.

# Install packages
opkg update
opkg install luci-app-dnscrypt-proxy
/etc/init.d/rpcd restart

• Navigate to LuCI → Network → DHCP and DNS to configure Dnsmasq.
• Navigate to LuCI → Services → DNSCrypt-Proxy to configure dnscrypt-proxy.

dnscrypt-proxy is configured with AdGuard DNS. You can change it to DNSCrypt.eu or any other DNSCrypt provider. Use resolvers supporting DNSSEC validation if necessary. Specify several resolvers to improve fault tolerance.

# Configure DNSCrypt provider
while uci -q delete dnscrypt-proxy.@dnscrypt-proxy[0]; do :; done
uci set dnscrypt-proxy.dns6a="dnscrypt-proxy"
uci set dnscrypt-proxy.dns6a.resolver="dnscrypt.eu-dk-ipv6"
uci set dnscrypt-proxy.dns6a.address="[::1]"
uci set dnscrypt-proxy.dns6a.port="5253"
uci set dnscrypt-proxy.dns6b="dnscrypt-proxy"
uci set dnscrypt-proxy.dns6b.resolver="dnscrypt.eu-nl-ipv6"
uci set dnscrypt-proxy.dns6b.address="[::1]"
uci set dnscrypt-proxy.dns6b.port="5254"
uci set dnscrypt-proxy.dnsa="dnscrypt-proxy"
uci set dnscrypt-proxy.dnsa.resolver="dnscrypt.eu-dk"
uci set dnscrypt-proxy.dnsa.address="127.0.0.1"
uci set dnscrypt-proxy.dnsa.port="5255"
uci set dnscrypt-proxy.dnsb="dnscrypt-proxy"
uci set dnscrypt-proxy.dnsb.resolver="dnscrypt.eu-nl"
uci set dnscrypt-proxy.dnsb.address="127.0.0.1"
uci set dnscrypt-proxy.dnsb.port="5256"
uci commit dnscrypt-proxy
/etc/init.d/dnscrypt-proxy restart
 
uci -q delete dhcp.@dnsmasq[0].server
while
DNSCRYPT_ADDR="$(uci -q get dnscrypt-proxy.@dnscrypt-proxy[0].address)"
DNSCRYPT_PORT="$(uci -q get dnscrypt-proxy.@dnscrypt-proxy[0].port)"
DNSCRYPT_SERV="${DNSCRYPT_ADDR//[][]/}#${DNSCRYPT_PORT}"
uci -q delete dnscrypt-proxy.@dnscrypt-proxy[0]
do uci add_list dhcp.@dnsmasq[0].server="${DNSCRYPT_SERV}"
done
uci revert dnscrypt-proxy
uci commit dhcp
/etc/init.d/dnsmasq restart