Differences
This shows you the differences between two versions of the page.
| docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy2 [2021/03/10 01:36] – handle race conditions vgaetera | docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy2 [2024/06/20 13:12] – [Command-line instructions] Disable dnsmasq cache to avoid double caching dpawlik | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== DNSCrypt with Dnsmasq and dnscrypt-proxy2 ====== | ====== DNSCrypt with Dnsmasq and dnscrypt-proxy2 ====== | ||
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| Line 10: | Line 10: | ||
| {{section> | {{section> | ||
| - | ===== Instructions | + | ===== Command-line instructions |
| - | Install the packages | + | Install the required |
| + | Enable | ||
| <code bash> | <code bash> | ||
| # Install packages | # Install packages | ||
| opkg update | opkg update | ||
| - | opkg install | + | opkg install dnscrypt-proxy2 |
| # Enable DNS encryption | # Enable DNS encryption | ||
| + | service dnsmasq stop | ||
| + | uci set dhcp.@dnsmasq[0].noresolv=" | ||
| + | uci set dhcp.@dnsmasq[0].localuse=" | ||
| + | uci set dhcp.@dnsmasq[0].cachesize=' | ||
| uci -q delete dhcp.@dnsmasq[0].server | uci -q delete dhcp.@dnsmasq[0].server | ||
| - | uci add_list dhcp.@dnsmasq[0].server=" | + | uci add_list dhcp.@dnsmasq[0].server=" |
| - | + | sed -i "32 s/.*/server_names = [' | |
| - | # Enforce DNS encryption for LAN clients | + | |
| - | /etc/init.d/dnsmasq stop | + | |
| - | uci set dhcp.@dnsmasq[0].noresolv=" | + | |
| uci commit dhcp | uci commit dhcp | ||
| - | / | + | service |
| + | service dnscrypt-proxy restart | ||
| </ | </ | ||
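Review bot: the added `sed -i "32 s/.*/server_names = [...` command replaces whatever sits on line 32 of the target config file by absolute position, so a package update that shifts the shipped file by one line silently overwrites an unrelated setting and leaves `server_names` as it was; match the key rather than the line number, e.g. `sed -i "s/^server_names = .*/server_names = [...]/"`. Separately, `noresolv` set earlier in the block makes dnscrypt-proxy the only upstream dnsmasq has, yet `service dnscrypt-proxy restart` is the last step, after dnsmasq has already been brought back; since the sed has already edited the dnscrypt-proxy config by then, restart dnscrypt-proxy before starting dnsmasq so the resolver comes up with a working upstream instead of failing queries until the restart completes.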
| Line 32: | Line 35: | ||
| Dnsmasq forwards DNS queries to dnscrypt-proxy2 which encrypts DNS traffic. | Dnsmasq forwards DNS queries to dnscrypt-proxy2 which encrypts DNS traffic. | ||
| + | Note: These are the recommended options from the [[https:// | ||
| + | |||
| + | Note: Beware that the distributed configuration includes an activated '' | ||
| ===== Testing ===== | ===== Testing ===== | ||
| {{section> | {{section> | ||
| Line 40: | Line 46: | ||
| <code bash> | <code bash> | ||
| # Restart services | # Restart services | ||
| - | / | + | service |
| # Log and status | # Log and status | ||
| Line 53: | Line 59: | ||
| uci show dhcp; grep -v -e " | uci show dhcp; grep -v -e " | ||
| </ | </ | ||
| + | |||
| + | ===== Extras ===== | ||
| + | ==== DoH and DNSCrypt provider ==== | ||
| + | **dnscrypt-proxy2** is configured with Google DNS and Cloudflare DNS by default. | ||
| + | You can change it to Google DNS or any other [[https:// | ||
| + | Use resolvers supporting DNSSEC validation if necessary. | ||
| + | Specify several resolvers to improve fault tolerance. | ||
| + | |||
| + | <code bash> | ||
| + | # Configure DoH or DNSCrypt provider | ||
| + | # First, we need to set up a list of servers to use, example: (you have to change " | ||
| + | sed -i "32 s/ | ||
| + | service dnscrypt-proxy restart | ||
| + | |||
| + | # Or you can also use only one server, example: | ||
| + | sed -i "32 s/ | ||
| + | service dnscrypt-proxy restart | ||
| + | </ | ||
| + | |||
| + | ==== ODoH protocol ==== | ||
| + | **[[https:// | ||
| + | Instead of directly sending a query to a target DoH server, the client encrypts it for that server, but sends it to a **relay**. | ||
| + | An **ODoH relay** can only communicate with an **ODoH server** and an **ODoH client**. **Relays** can't get responses from a** generic DoH server** that doesn' | ||
| + | You can change the [[https:// | ||
| + | |||
| + | <code bash> | ||
| + | # Enable ODoH on dnscrypt-proxy2 | ||
| + | sed -i -e " | ||
| + | |||
| + | # Configure "ODoH servers" | ||
| + | odoh_servers=" | ||
| + | odoh_relays=" | ||
| + | sed -i -e "32 s/ | ||
| + | service dnscrypt-proxy restart | ||
| + | </ | ||
| + | |||
| + | More information about **ODoH protocol**: [[https:// | ||
| + | |||
| + | Caveats: The **Oblivious DNS-over-HTTPS** protocol is still a work in progress. Servers and relays may not be very stable. | ||
| + | |||
| + | |||
| + | |||
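Review bot: the "DoH and DNSCrypt provider" paragraph contradicts itself: it first says dnscrypt-proxy2 is configured with Google DNS and Cloudflare DNS by default, then offers changing it to Google DNS as an alternative; state the actual default once and list only resolvers that differ from it. The three `sed -i "32 s/...` commands in this section (two in the provider block, one in the ODoH block) again rewrite line 32 of the config by absolute line number, so they only do the right thing while `server_names` still happens to be on that line; anchor them on `^server_names` instead so a shifted shipped config does not get an unrelated line clobbered. The sentence "Use resolvers supporting DNSSEC validation if necessary" gives the reader no way to decide when it is necessary; either say what DNSSEC validation protects against here (forged upstream answers) or drop the qualifier.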