Differences
This shows you the differences between two versions of the page.
| docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy2 [2020/07/29 02:23] – created vgaetera | docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy2 [2024/06/20 13:12] – [Command-line instructions] Disable dnsmasq cache because to avoid double caching dpawlik | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== DNSCrypt with Dnsmasq and dnscrypt-proxy2 ====== | ====== DNSCrypt with Dnsmasq and dnscrypt-proxy2 ====== | ||
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| * This how-to describes the method for setting up [[wp> | * This how-to describes the method for setting up [[wp> | ||
| * It relies on [[docs: | * It relies on [[docs: | ||
| - | * Follow [[docs: | + | * Follow [[docs: |
| ===== Goals ===== | ===== Goals ===== | ||
| {{section> | {{section> | ||
| - | ===== Instructions | + | ===== Command-line instructions |
| - | Install the packages | + | Install the required |
| + | Enable | ||
| <code bash> | <code bash> | ||
| # Install packages | # Install packages | ||
| opkg update | opkg update | ||
| - | opkg install | + | opkg install dnscrypt-proxy2 |
| # Enable DNS encryption | # Enable DNS encryption | ||
| + | service dnsmasq stop | ||
| + | uci set dhcp.@dnsmasq[0].noresolv=" | ||
| + | uci set dhcp.@dnsmasq[0].localuse=" | ||
| + | uci set dhcp.@dnsmasq[0].cachesize=' | ||
| uci -q delete dhcp.@dnsmasq[0].server | uci -q delete dhcp.@dnsmasq[0].server | ||
| - | uci add_list dhcp.@dnsmasq[0].server=" | + | uci add_list dhcp.@dnsmasq[0].server=" |
| - | + | sed -i "32 s/.*/ | |
| - | # Enforce DNS encryption for LAN clients | + | |
| - | uci set dhcp.@dnsmasq[0].noresolv=" | + | |
| uci commit dhcp | uci commit dhcp | ||
| - | / | + | service |
| + | service dnscrypt-proxy | ||
| </ | </ | ||
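Review bot: the added `sed -i "32 s/.*/…"` step rewrites whatever sits on line 32 of the target file by absolute position, so it will silently clobber the wrong option if the package's shipped configuration gains or loses a line in a later version; anchor the substitution on the option's key (match the line by its name, not its number) and put the file and option being edited in a comment so the reader can check the result. Two smaller points in the same hunk: the explanatory comment `# Enforce DNS encryption for LAN clients` was dropped when `uci set dhcp.@dnsmasq[0].noresolv=…` moved up, so the reader no longer learns why `noresolv` is set, and `uci set dhcp.@dnsmasq[0].cachesize='…'` uses single quotes while the neighbouring `uci set` lines use double quotes; keep one style.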
| Line 31: | Line 35: | ||
| Dnsmasq forwards DNS queries to dnscrypt-proxy2 which encrypts DNS traffic. | Dnsmasq forwards DNS queries to dnscrypt-proxy2 which encrypts DNS traffic. | ||
| + | Note: These are the recommended options from the [[https:// | ||
| + | |||
| + | Note: Beware that the distributed configuration includes an activated '' | ||
| ===== Testing ===== | ===== Testing ===== | ||
| - | Verify that domain name resolution works. | + | {{section>docs: |
| - | + | ||
| - | <code bash> | + | |
| - | nslookup openwrt.org localhost | + | |
| - | </ | + | |
| - | + | ||
| - | Check your DNS provider. | + | |
| - | Make sure there is no DNS leak. | + | |
| - | * [[https:// | + | |
| - | Test DNSSEC validation. | + | |
| - | * [[https:// | + | |
| ===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
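Review bot: the first added `Note:` paragraph follows `Dnsmasq forwards DNS queries to dnscrypt-proxy2 which encrypts DNS traffic.` with no blank line between them, so DokuWiki will render it as a continuation of that sentence; insert an empty line before it, as was done between the two notes. Separately, replacing the Testing section with a `{{section>docs:…}}` include removes the explicit `nslookup openwrt.org localhost`, DNS-leak and DNSSEC-validation checks; confirm the included section still covers the DNSSEC test, because the Extras section added below advises picking resolvers that support DNSSEC validation and the reader needs a way to verify that it actually happens.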
| Line 48: | Line 45: | ||
| <code bash> | <code bash> | ||
| - | # Restart | + | # Restart services |
| - | / | + | service |
| # Log and status | # Log and status | ||
| Line 57: | Line 54: | ||
| # Runtime configuration | # Runtime configuration | ||
| pgrep -f -a dnsmasq; pgrep -f -a dnscrypt-proxy | pgrep -f -a dnsmasq; pgrep -f -a dnscrypt-proxy | ||
| + | head -v -n -0 / | ||
| # Persistent configuration | # Persistent configuration | ||
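Review bot: the added `head -v -n -0 /…` line is placed under `# Runtime configuration` next to the `pgrep` checks, but the `# Persistent configuration` block directly below is where on-disk config dumps are listed; if the files it prints are generated at runtime, say so in the comment, otherwise move the line down. The `-n -0` form (negative count meaning "all lines", with `-v` prefixing each file with its name) reads like a typo at first glance, so a short comment would spare readers a trip to the manual.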
| Line 63: | Line 61: | ||
| ===== Extras ===== | ===== Extras ===== | ||
| - | ==== Local system | + | ==== DoH and DNSCrypt provider |
| - | {{section>docs:guide-user:services:dns: | + | **dnscrypt-proxy2** is configured with Google DNS and Cloudflare DNS by default. |
| + | You can change it to Google DNS or any other [[https:// | ||
| + | Use resolvers supporting DNSSEC validation if necessary. | ||
| + | Specify several resolvers to improve fault tolerance. | ||
| + | |||
| + | <code bash> | ||
| + | # Configure DoH or DNSCrypt provider | ||
| + | # First, we need to set up a list of servers to use, example: (you have to change " | ||
| + | sed -i "32 s/ | ||
| + | service dnscrypt-proxy restart | ||
| + | |||
| + | # Or you can also use only one server, example: | ||
| + | sed -i "32 s/ | ||
| + | service dnscrypt-proxy restart | ||
| + | </ | ||
| + | |||
| + | ==== ODoH protocol ==== | ||
| + | **[[https:// | ||
| + | Instead of directly sending a query to a target DoH server, the client encrypts it for that server, but sends it to a **relay**. | ||
| + | An **ODoH relay** can only communicate with an **ODoH server** and an **ODoH client**. **Relays** can't get responses from a** generic DoH server** that doesn' | ||
| + | You can change the [[https:// | ||
| + | |||
| + | <code bash> | ||
| + | # Enable ODoH on dnscrypt-proxy2 | ||
| + | sed -i -e " | ||
| + | |||
| + | # Configure "ODoH servers" | ||
| + | odoh_servers=" | ||
| + | odoh_relays=" | ||
| + | sed -i -e "32 s/ | ||
| + | service dnscrypt-proxy restart | ||
| + | </ | ||
| + | |||
| + | More information about **ODoH protocol**: [[https:// | ||
| + | |||
| + | Caveats: The **Oblivious DNS-over-HTTPS** protocol is still a work in progress. Servers and relays may not be very stable. | ||
| + | |||
| + | |||
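Review bot: the opening of the new `DoH and DNSCrypt provider` section contradicts itself: it states that dnscrypt-proxy2 `is configured with Google DNS and Cloudflare DNS by default` and then tells the reader they `can change it to Google DNS`; name a different provider in the second sentence or reword it as choosing any provider from the linked list. The three `sed -i "32 s/…"` commands (two in the provider block, one in the ODoH block) edit line 32 by absolute number and carry the same fragility as the one in the main instructions; match on the option name instead and state in each comment which file is being edited. Markup: `a** generic DoH server**` has the bold opener attached to the wrong word and should read `a **generic DoH server**`. The two empty lines appended after the `Caveats:` paragraph add trailing whitespace only and can be dropped.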