Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy2 [2020/07/29 02:23] – created vgaetera
docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy2 [2024/06/20 13:12] – [Command-line instructions] Disable dnsmasq cache to avoid double caching dpawlik
Line 1: Line 1:
 ====== DNSCrypt with Dnsmasq and dnscrypt-proxy2 ====== ====== DNSCrypt with Dnsmasq and dnscrypt-proxy2 ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
   * This how-to describes the method for setting up [[wp>DNSCrypt]] on OpenWrt.   * This how-to describes the method for setting up [[wp>DNSCrypt]] on OpenWrt.
   * It relies on [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]] and [[packages:pkgdata:dnscrypt-proxy2|dnscrypt-proxy2]] that supports DNSCrypt v2, DNS over HTTPS and Anonymized DNSCrypt.   * It relies on [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]] and [[packages:pkgdata:dnscrypt-proxy2|dnscrypt-proxy2]] that supports DNSCrypt v2, DNS over HTTPS and Anonymized DNSCrypt.
-  * Follow [[docs:guide-user:services:dns:start#encryption|DNS encryption]] for alternative methods or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.+  * Follow [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]] to intercept DNS traffic or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.
  
 ===== Goals ===== ===== Goals =====
 {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions ===== +===== Command-line instructions ===== 
-Install the packages and configure DNS encryption.+Install the required packages
 +Enable DNS encryption.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install dnsmasq dnscrypt-proxy2+opkg install dnscrypt-proxy2
  
 # Enable DNS encryption # Enable DNS encryption
 +service dnsmasq stop
 +uci set dhcp.@dnsmasq[0].noresolv="1"
 +uci set dhcp.@dnsmasq[0].localuse="1"
 +uci set dhcp.@dnsmasq[0].cachesize='0'
 uci -q delete dhcp.@dnsmasq[0].server uci -q delete dhcp.@dnsmasq[0].server
-uci add_list dhcp.@dnsmasq[0].server="127.0.0.53#53" +uci add_list dhcp.@dnsmasq[0].server="127.0.0.53" 
- +sed -i "32 s/.*/server_names = ['google', 'cloudflare']/" /etc/dnscrypt-proxy2/*.toml
-# Enforce DNS encryption for LAN clients +
-uci set dhcp.@dnsmasq[0].noresolv="1"+
 uci commit dhcp uci commit dhcp
-/etc/init.d/dnsmasq restart+service dnsmasq start 
 +service dnscrypt-proxy restart
 </code> </code>
  
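Review bot: the `sed -i "32 s/.*/server_names = ['google', 'cloudflare']/" /etc/dnscrypt-proxy2/*.toml` line in the `# Enable DNS encryption` block replaces line 32 of every `.toml` in that directory whatever that line contains, so a one-line shift in the packaged config (or a second `.toml` file) silently overwrites an unrelated setting with no error. Prefer matching the key, for example `sed -i "s/^#*[[:space:]]*server_names[[:space:]]*=.*/server_names = ['google', 'cloudflare']/" /etc/dnscrypt-proxy2/*.toml`, or at least tell the reader to check with `sed -n '32p' /etc/dnscrypt-proxy2/*.toml` before editing. Two smaller points: `cachesize='0'` uses single quotes while the neighbouring `uci set` lines use double quotes, and the reason for it (the commit message's "avoid double caching", i.e. dnscrypt-proxy2 already caches) is not stated anywhere in the page text, so a comment such as `# Disable dnsmasq cache, dnscrypt-proxy2 caches already` would document it. Also worth a sentence: with `noresolv="1"` and `127.0.0.53` as the only server, name resolution fails closed whenever dnscrypt-proxy is down, which is the intended behaviour (no plaintext fallback) but is exactly what users will report as "DNS broken", so it belongs in Troubleshooting.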
Line 31: Line 35:
 Dnsmasq forwards DNS queries to dnscrypt-proxy2 which encrypts DNS traffic. Dnsmasq forwards DNS queries to dnscrypt-proxy2 which encrypts DNS traffic.
  
 +Note: These are the recommended options from the [[https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-on-OpenWrt#recommended-tweaks|official DNSCrypt guide for OpenWrt on GitHub]].
 +
 +Note: Beware that the distributed configuration includes an activated ''block-names.txt''. If you experience problems with some names, match them against this file first.
 ===== Testing ===== ===== Testing =====
-Verify that domain name resolution works. +{{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}}
- +
-<code bash> +
-nslookup openwrt.org localhost +
-</code> +
- +
-Check your DNS provider. +
-Make sure there is no DNS leak. +
-  * [[https://dnsleaktest.com/]] +
-Test DNSSEC validation. +
-  * [[https://dnssec.vs.uni-due.de/]]+
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
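Review bot: the new `block-names.txt` note tells readers to match failing names against the file but gives no path, so the check is not actionable; state the full path of the distributed `block-names.txt` and the `.toml` option that enables it, so a reader can locate both and decide whether to keep the list. Minor formatting: add a blank line between the second note and `===== Testing =====`, as the rest of the page does before section headings.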
Line 48: Line 45:
  
 <code bash> <code bash>
-# Restart the services +# Restart services 
-/etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/dnscrypt-proxy restart+service log restart; service dnsmasq restart; service dnscrypt-proxy restart
  
 # Log and status # Log and status
Line 57: Line 54:
 # Runtime configuration # Runtime configuration
 pgrep -f -a dnsmasq; pgrep -f -a dnscrypt-proxy pgrep -f -a dnsmasq; pgrep -f -a dnscrypt-proxy
 +head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
  
 # Persistent configuration # Persistent configuration
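Review bot: the added `head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*` line is the right place to confirm that `localuse="1"` from the instructions took effect, but as a raw dump it does not tell the reader what to look for; a short comment stating the expectation (the router's own resolver entries should point at dnsmasq on localhost, not at the ISP's servers, since the latter would mean the router's own lookups bypass dnscrypt-proxy2 unencrypted) would turn it into a check rather than output to stare at.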
Line 63: Line 61:
  
 ===== Extras ===== ===== Extras =====
-==== Local system ==== +==== DoH and DNSCrypt provider ==== 
-{{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#local_system&noheader&nofooter&noeditbutton}}+**dnscrypt-proxy2** is configured with Google DNS and Cloudflare DNS by default. 
 +You can change it to Google DNS or any other [[https://dnscrypt.info/public-servers|DoH or DNSCrypt provider]]. 
 +Use resolvers supporting DNSSEC validation if necessary. 
 +Specify several resolvers to improve fault tolerance. 
 + 
 +<code bash> 
 +# Configure DoH or DNSCrypt provider 
 +# First, we need to set up a list of servers to use, example(you have to change "exampledns" for the name of the DNS provider) 
 +sed -i "32 s/.*/server_names = ['exampledns', 'exampledns2']/" /etc/dnscrypt-proxy2/*.toml 
 +service dnscrypt-proxy restart 
 + 
 +# Or you can also use only one server, example: 
 +sed -i "32 s/.*/server_names = ['cloudflare']/" /etc/dnscrypt-proxy2/*.toml 
 +service dnscrypt-proxy restart 
 +</code> 
 + 
 +==== ODoH protocol ==== 
 +**[[https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Oblivious-DoH|ODoH (Oblivious DNS-over-HTTPS)]]** prevents servers from learning anything about client IP addresses, by using intermediate **relays** dedicated to forwarding encrypted DNS data. 
 +Instead of directly sending a query to a target DoH server, the client encrypts it for that server, but sends it to a **relay**. 
 +An **ODoH relay** can only communicate with an **ODoH server** and an **ODoH client**. **Relays** can't get responses from a** generic DoH server** that doesn't support **ODoH**. 
 +You can change the [[https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/odoh-servers.md|ODoH servers]] and [[https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/odoh-relays.md|ODoH relays]] to any other. 
 + 
 +<code bash> 
 +Enable ODoH on dnscrypt-proxy2 
 +sed -i -e "s/.*odoh_servers.*/odoh_servers = true/; 689,700 s/#//" /etc/dnscrypt-proxy2/*.toml 
 + 
 +# Configure "ODoH servers" and "ODoH relays" 
 +odoh_servers="['odoh-cloudflare', 'odoh-crypto-sx']" 
 +odoh_relays="['odohrelay-crypto-sx', 'odohrelay-koki-bcn']" 
 +sed -i -e "32 s/.*/server_names = $odoh_servers/; 795 s/.*/routes = [/; 797 s/.*/    { server_name='*', via=$odoh_relays }/; 798 s/.*/]/" /etc/dnscrypt-proxy2/*.toml 
 +service dnscrypt-proxy restart 
 +</code> 
 + 
 +More information about **ODoH protocol**: [[https://blog.cloudflare.com/oblivious-dns/|Improving DNS Privacy with Oblivious DoH in 1.1.1.1]] 
 + 
 +Caveats: The **Oblivious DNS-over-HTTPS** protocol is still a work in progress. Servers and relays may not be very stable. 
 + 
 + 
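Review bot: the first line of the ODoH `<code bash>` block, `Enable ODoH on dnscrypt-proxy2`, has no `#`, so anyone pasting the block runs it as a command (it fails with "not found") before the `sed` line; prefix it with `#` like the other comments. The same block's `689,700 s/#//` and `795 s/.*/routes = [/` (plus the `797` and `798`) edits, like the `32 s/.*/` ones above, depend on exact line numbers in one version of the shipped `.toml`; `s/#//` over a range strips the first `#` from whatever is there, so on a config that differs by a few lines it uncomments or overwrites unrelated settings without any error. At minimum tell the reader to inspect the ranges first (`sed -n '32p;689,700p;795,798p' /etc/dnscrypt-proxy2/*.toml`) and to check the log from the Troubleshooting section after `service dnscrypt-proxy restart`. In the "DoH and DNSCrypt provider" text, "configured with Google DNS and Cloudflare DNS by default" followed by "You can change it to Google DNS" contradicts itself, and that pair is not a package default but the result of the `server_names = ['google', 'cloudflare']` edit in the instructions above; say so and drop the second "Google DNS". Formatting: `a** generic DoH server**` has the bold markers on the wrong side of the space (`a **generic DoH server**`), and the three empty lines at the end of the section can go.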
  
  • Last modified: 2024/10/30 10:48
  • by dpawlik