Differences

docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy2 [2020/07/29 02:29] – merged sections vgaetera
docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy2 [2024/06/20 13:12] – [Command-line instructions] Disable dnsmasq cache to avoid double caching dpawlik
Line 1: Line 1:
 ====== DNSCrypt with Dnsmasq and dnscrypt-proxy2 ====== ====== DNSCrypt with Dnsmasq and dnscrypt-proxy2 ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
   * This how-to describes the method for setting up [[wp>DNSCrypt]] on OpenWrt.   * This how-to describes the method for setting up [[wp>DNSCrypt]] on OpenWrt.
   * It relies on [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]] and [[packages:pkgdata:dnscrypt-proxy2|dnscrypt-proxy2]] that supports DNSCrypt v2, DNS over HTTPS and Anonymized DNSCrypt.   * It relies on [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]] and [[packages:pkgdata:dnscrypt-proxy2|dnscrypt-proxy2]] that supports DNSCrypt v2, DNS over HTTPS and Anonymized DNSCrypt.
-  * Follow [[docs:guide-user:services:dns:start#encryption|DNS encryption]] for alternative methods or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.+  * Follow [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]] to intercept DNS traffic or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.
  
 ===== Goals ===== ===== Goals =====
 {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions ===== +===== Command-line instructions ===== 
-Install the packages and configure DNS encryption.+Install the required packages
 +Enable DNS encryption.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install dnsmasq dnscrypt-proxy2+opkg install dnscrypt-proxy2
  
 # Enable DNS encryption # Enable DNS encryption
 +service dnsmasq stop
 +uci set dhcp.@dnsmasq[0].noresolv="1"
 +uci set dhcp.@dnsmasq[0].localuse="1"
 +uci set dhcp.@dnsmasq[0].cachesize='0'
 uci -q delete dhcp.@dnsmasq[0].server uci -q delete dhcp.@dnsmasq[0].server
-uci add_list dhcp.@dnsmasq[0].server="127.0.0.53#53" +uci add_list dhcp.@dnsmasq[0].server="127.0.0.53" 
- +sed -i "32 s/.*/server_names = ['google', 'cloudflare']/" /etc/dnscrypt-proxy2/*.toml
-# Enforce DNS encryption for LAN clients +
-uci set dhcp.@dnsmasq[0].noresolv="1"+
 uci commit dhcp uci commit dhcp
-/etc/init.d/dnsmasq restart+service dnsmasq start 
 +service dnscrypt-proxy restart
 </code> </code>
  
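Review bot: the added `sed -i "32 s/.*/server_names = ['google', 'cloudflare']/" /etc/dnscrypt-proxy2/*.toml` line overwrites whatever happens to be on line 32 of every .toml in that directory, so it silently clobbers an unrelated setting the moment the packaged configuration shifts by a line; match the key instead, e.g. `sed -i "s/^#* *server_names *=.*/server_names = ['google', 'cloudflare']/" /etc/dnscrypt-proxy2/*.toml`, which also handles the case where the key ships commented out. The new `uci set dhcp.@dnsmasq[0].cachesize='0'` line carries no comment; the revision summary says it is there to avoid double caching, so a one-line comment such as `# Disable dnsmasq cache to avoid caching twice` would keep the block self-explanatory for readers who never see the change log. Style: the two lead-in lines `Install the required packages` and `Enable DNS encryption.` read as one broken sentence; either join them or make them two list items.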
Line 31: Line 35:
 Dnsmasq forwards DNS queries to dnscrypt-proxy2 which encrypts DNS traffic. Dnsmasq forwards DNS queries to dnscrypt-proxy2 which encrypts DNS traffic.
  
 +Note: These are the recommended options from the [[https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-on-OpenWrt#recommended-tweaks|official DNSCrypt guide for OpenWrt on GitHub]].
 +
 +Note: Beware that the distributed configuration includes an activated ''block-names.txt''. If you experience problems with some names, match them against this file first.
 ===== Testing ===== ===== Testing =====
 {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}}
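Review bot: the note about the activated `block-names.txt` names the file but not where it lives or how it is switched off; the hunk above only shows `/etc/dnscrypt-proxy2/` as the configuration directory, so stating the path and the .toml setting that enables the list would spare readers a search when a name resolution suddenly fails. Style: a blank line is missing between that note and `===== Testing =====`, unlike the spacing used before the other headings.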
Line 38: Line 45:
  
 <code bash> <code bash>
-# Restart the services +# Restart services 
-/etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/dnscrypt-proxy restart+service log restart; service dnsmasq restart; service dnscrypt-proxy restart
  
 # Log and status # Log and status
Line 47: Line 54:
 # Runtime configuration # Runtime configuration
 pgrep -f -a dnsmasq; pgrep -f -a dnscrypt-proxy pgrep -f -a dnsmasq; pgrep -f -a dnscrypt-proxy
 +head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
  
 # Persistent configuration # Persistent configuration
Line 53: Line 61:
  
 ===== Extras ===== ===== Extras =====
-==== Local system ==== +==== DoH and DNSCrypt provider ==== 
-{{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#local_system&noheader&nofooter&noeditbutton}}+**dnscrypt-proxy2** is configured with Google DNS and Cloudflare DNS by default. 
 +You can change it to Google DNS or any other [[https://dnscrypt.info/public-servers|DoH or DNSCrypt provider]]. 
 +Use resolvers supporting DNSSEC validation if necessary. 
 +Specify several resolvers to improve fault tolerance. 
 + 
 +<code bash> 
 +# Configure DoH or DNSCrypt provider 
 +# First, we need to set up a list of servers to use, example(you have to change "exampledns" for the name of the DNS provider) 
 +sed -i "32 s/.*/server_names = ['exampledns', 'exampledns2']/" /etc/dnscrypt-proxy2/*.toml 
 +service dnscrypt-proxy restart 
 + 
 +# Or you can also use only one server, example: 
 +sed -i "32 s/.*/server_names = ['cloudflare']/" /etc/dnscrypt-proxy2/*.toml 
 +service dnscrypt-proxy restart 
 +</code> 
 + 
 +==== ODoH protocol ==== 
 +**[[https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Oblivious-DoH|ODoH (Oblivious DNS-over-HTTPS)]]** prevents servers from learning anything about client IP addresses, by using intermediate **relays** dedicated to forwarding encrypted DNS data. 
 +Instead of directly sending a query to a target DoH server, the client encrypts it for that server, but sends it to a **relay**. 
 +An **ODoH relay** can only communicate with an **ODoH server** and an **ODoH client**. **Relays** can't get responses from a** generic DoH server** that doesn't support **ODoH**. 
 +You can change the [[https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/odoh-servers.md|ODoH servers]] and [[https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/odoh-relays.md|ODoH relays]] to any other. 
 + 
 +<code bash> 
 +Enable ODoH on dnscrypt-proxy2 
 +sed -i -e "s/.*odoh_servers.*/odoh_servers = true/; 689,700 s/#//" /etc/dnscrypt-proxy2/*.toml 
 + 
 +# Configure "ODoH servers" and "ODoH relays" 
 +odoh_servers="['odoh-cloudflare', 'odoh-crypto-sx']" 
 +odoh_relays="['odohrelay-crypto-sx', 'odohrelay-koki-bcn']" 
 +sed -i -e "32 s/.*/server_names = $odoh_servers/; 795 s/.*/routes = [/; 797 s/.*/    { server_name='*', via=$odoh_relays }/; 798 s/.*/]/" /etc/dnscrypt-proxy2/*.toml 
 +service dnscrypt-proxy restart 
 +</code> 
 + 
 +More information about **ODoH protocol**: [[https://blog.cloudflare.com/oblivious-dns/|Improving DNS Privacy with Oblivious DoH in 1.1.1.1]] 
 + 
 +Caveats: The **Oblivious DNS-over-HTTPS** protocol is still a work in progress. Servers and relays may not be very stable. 
 + 
 + 
  
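Review bot: in the ODoH code block the first line, `Enable ODoH on dnscrypt-proxy2`, lacks a leading `#`, so pasted as-is the shell tries to run a command named `Enable` and aborts before the sed line; make it `# Enable ODoH on dnscrypt-proxy2`. Both the provider block and the ODoH block rely on fixed line numbers of the shipped .toml (`32`, `689,700`, `795`, `797`, `798`), which will edit the wrong lines after any upstream change to the file; the `odoh_servers = true` substitution is already matched by pattern, so do the same for `server_names` and the `routes` entries, or at least state which dnscrypt-proxy2 version the numbers were checked against. Wording: the provider paragraph says the default is Google and Cloudflare and then offers to change it to Google; drop Google from the second sentence.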
Last modified: 2024/10/30 10:48 by dpawlik