DNSCrypt with Dnsmasq and dnscrypt-proxy2

This article relies on the following:

This how-to describes the method for setting up DNSCrypt on OpenWrt.
It relies on Dnsmasq and dnscrypt-proxy2 that supports DNSCrypt v2, DNS over HTTPS and Anonymized DNSCrypt.
Follow DNS hijacking to intercept DNS traffic or use VPN to protect all traffic.

Encrypt your DNS traffic improving security and privacy.
- Prevent DNS leak and DNS hijacking.
Bypass regional restrictions using public DNS providers.
- Escape DNS-based content filters and internet censorship.

Install the packages and configure DNS encryption.

# Install packages
opkg update
opkg install dnsmasq dnscrypt-proxy2
 
# Enable DNS encryption
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server="127.0.0.53#53"
 
# Enforce DNS encryption for LAN clients
/etc/init.d/dnsmasq stop
uci set dhcp.@dnsmasq[0].noresolv="1"
uci commit dhcp
/etc/init.d/dnsmasq start

LAN clients should use Dnsmasq as a primary resolver. Dnsmasq forwards DNS queries to dnscrypt-proxy2 which encrypts DNS traffic.

Verify that domain name resolution works.

nslookup openwrt.org localhost

Check your DNS provider. Make sure there is no DNS leak.

https://dnsleaktest.com/

Test DNSSEC validation.

https://dnssec.vs.uni-due.de/

Collect and analyze the following information.

# Restart services
/etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/dnscrypt-proxy restart
 
# Log and status
logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq
logread -e dnscrypt-proxy; netstat -l -n -p | grep -e dnscrypt-proxy
 
# Runtime configuration
pgrep -f -a dnsmasq; pgrep -f -a dnscrypt-proxy
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
 
# Persistent configuration
uci show dhcp; grep -v -e "^\s*#" -e "^\s*$" /etc/dnscrypt-proxy2/dnscrypt-proxy.toml

DNSCrypt with Dnsmasq and dnscrypt-proxy2

Introduction

Goals

Command-line interface

Testing

Troubleshooting