Differences

docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy2 [2021/12/17 02:03] – updated the link in "Adblock package + dnscrypt-proxy2" section lastedit
docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy2 [2024/06/20 13:12] – [Command-line instructions] Disable dnsmasq cache to avoid double caching dpawlik
Line 1: Line 1:
 ====== DNSCrypt with Dnsmasq and dnscrypt-proxy2 ====== ====== DNSCrypt with Dnsmasq and dnscrypt-proxy2 ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
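Review bot: the infobox include is downgraded from howto_links#cli_skills to howto_links#basic_skills, but the page's command-line instructions still edit /etc/dnscrypt-proxy2/*.toml with sed by absolute line number (see the `sed -i "32 s/.*/server_names = ...` line below); check that "basic skills" is the level this page really targets, or keep the cli_skills infobox.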
Line 20: Line 20:
  
 # Enable DNS encryption # Enable DNS encryption
-/etc/init.d/dnsmasq stop+service dnsmasq stop
 uci set dhcp.@dnsmasq[0].noresolv="1" uci set dhcp.@dnsmasq[0].noresolv="1"
 uci set dhcp.@dnsmasq[0].localuse="1" uci set dhcp.@dnsmasq[0].localuse="1"
-uci set dhcp.@dnsmasq[0].boguspriv="0" +uci set dhcp.@dnsmasq[0].cachesize='0'
-uci set dhcp.@dnsmasq[0].cachesize="0"+
 uci -q delete dhcp.@dnsmasq[0].server uci -q delete dhcp.@dnsmasq[0].server
 uci add_list dhcp.@dnsmasq[0].server="127.0.0.53" uci add_list dhcp.@dnsmasq[0].server="127.0.0.53"
 sed -i "32 s/.*/server_names = ['google', 'cloudflare']/" /etc/dnscrypt-proxy2/*.toml sed -i "32 s/.*/server_names = ['google', 'cloudflare']/" /etc/dnscrypt-proxy2/*.toml
 uci commit dhcp uci commit dhcp
-/etc/init.d/dnsmasq start +service dnsmasq start 
-/etc/init.d/dnscrypt-proxy restart+service dnscrypt-proxy restart
 </code> </code>
  
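Review bot: the hunk silently drops `uci set dhcp.@dnsmasq[0].boguspriv="0"` while only the cache change is described in the edit summary; if re-enabling bogus-priv (reverse lookups for private address ranges answered locally instead of being forwarded to dnscrypt-proxy) is intended, say so in the text, otherwise restore the line. Minor: the kept `cachesize='0'` line now uses single quotes while the neighbouring uci lines use double quotes; pick one style. The unchanged `sed -i "32 s/.*/server_names = ['google', 'cloudflare']/"` line depends on line 32 of the shipped TOML being the server_names entry, so matching on the key name rather than the line number would survive upstream changes to the example file.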
Line 36: Line 35:
 Dnsmasq forwards DNS queries to dnscrypt-proxy2 which encrypts DNS traffic. Dnsmasq forwards DNS queries to dnscrypt-proxy2 which encrypts DNS traffic.
  
 +Note: These are the recommended options from the [[https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-on-OpenWrt#recommended-tweaks|official DNSCrypt guide for OpenWrt on GitHub]].
 +
 +Note: Beware that the distributed configuration includes an activated ''block-names.txt''. If you experience problems with some names, match them against this file first.
 ===== Testing ===== ===== Testing =====
 {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}}
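Review bot: the second added note names ''block-names.txt'' but gives neither its location nor the setting that enables it; since the rest of the page points readers at /etc/dnscrypt-proxy2/*.toml, state where the file lives and name the `blocked_names_file` key (the one the removed Adblock section edited) so a reader can check or disable the list. Also add a blank line after the note, before the ===== Testing ===== heading, to match the spacing used around the other headings.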
Line 44: Line 46:
 <code bash> <code bash>
 # Restart services # Restart services
-/etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/dnscrypt-proxy restart+service log restart; service dnsmasq restart; service dnscrypt-proxy restart
  
 # Log and status # Log and status
Line 69: Line 71:
 # First, we need to set up a list of servers to use, example: (you have to change "exampledns" for the name of the DNS provider) # First, we need to set up a list of servers to use, example: (you have to change "exampledns" for the name of the DNS provider)
 sed -i "32 s/.*/server_names = ['exampledns', 'exampledns2']/" /etc/dnscrypt-proxy2/*.toml sed -i "32 s/.*/server_names = ['exampledns', 'exampledns2']/" /etc/dnscrypt-proxy2/*.toml
-/etc/init.d/dnscrypt-proxy restart+service dnscrypt-proxy restart
  
 # Or you can also use only one server, example: # Or you can also use only one server, example:
 sed -i "32 s/.*/server_names = ['cloudflare']/" /etc/dnscrypt-proxy2/*.toml sed -i "32 s/.*/server_names = ['cloudflare']/" /etc/dnscrypt-proxy2/*.toml
-/etc/init.d/dnscrypt-proxy restart+service dnscrypt-proxy restart
 </code> </code>
  
-==== Adblock package + dnscrypt-proxy2 ==== +==== ODoH protocol ==== 
-Correctly configure the **DNS backend** option in [[https://github.com/openwrt/packages/blob/master/net/adblock/files/README.md|Adblock]] package and the **Blocklists** option in [[https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml#L495|dnscrypt-proxy2]], so that [[https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml#L495|dnscrypt-proxy2]] uses the "blocklist file" (**adb_list.overall**) generated by the [[https://github.com/openwrt/packages/blob/master/net/adblock/files/README.md|Adblock]] package instead of **dnsmasq**, __as it should be__.+**[[https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Oblivious-DoH|ODoH (Oblivious DNS-over-HTTPS)]]** prevents servers from learning anything about client IP addresses, by using intermediate **relays** dedicated to forwarding encrypted DNS data. 
 +Instead of directly sending a query to a target DoH server, the client encrypts it for that server, but sends it to a **relay**
 +An **ODoH relay** can only communicate with an **ODoH server** and an **ODoH client**. **Relays** can't get responses from a** generic DoH server** that doesn't support **ODoH**. 
 +You can change the [[https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/odoh-servers.md|ODoH servers]] and [[https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/odoh-relays.md|ODoH relays]] to any other.
  
 <code bash> <code bash>
-Correctly configure Adblock and dnscrypt-proxy2 +Enable ODoH on dnscrypt-proxy2 
-uci del adblock.global.adb_dnsdir +sed -i -e "s/.*odoh_servers.*/odoh_servers true/; 689,700 s/#//" /etc/dnscrypt-proxy2/*.toml 
-uci set adblock.global.adb_dns="raw" + 
-uci set adblock.global.adb_dnsdir="/etc/dnscrypt-proxy2" +# Configure "ODoH servers" and "ODoH relays" 
-sed -i "s/.*blocked_names_file.*/blocked_names_file 'adb_list.overall'/" /etc/dnscrypt-proxy2/*.toml +odoh_servers="['odoh-cloudflare', 'odoh-crypto-sx']" 
-uci commit adblock +odoh_relays="['odohrelay-crypto-sx', 'odohrelay-koki-bcn']
-/etc/init.d/adblock restart +sed -i -e "32 s/.*/server_names = $odoh_servers/; 795 s/.*/routes [/; 797 s/.*/    { server_name='*', via=$odoh_relays }/; 798 s/.*/]/" /etc/dnscrypt-proxy2/*.toml 
-/etc/init.d/dnscrypt-proxy restart+service dnscrypt-proxy restart
 </code> </code>
 +
 +More information about **ODoH protocol**: [[https://blog.cloudflare.com/oblivious-dns/|Improving DNS Privacy with Oblivious DoH in 1.1.1.1]]
 +
 +Caveats: The **Oblivious DNS-over-HTTPS** protocol is still a work in progress. Servers and relays may not be very stable.
 +
 +
 +
 +
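Review bot: the added ODoH block does not run as written: `odoh_relays="['odohrelay-crypto-sx', 'odohrelay-koki-bcn']` is missing its closing double quote, so the shell reads the following sed command into the variable and the route configuration is never applied; close the quote. Two of the substituted TOML lines also lack the `=` that TOML requires between key and value: `odoh_servers true` should be `odoh_servers = true` and `routes [` should be `routes = [`, matching the `server_names = [...]` form used elsewhere on the page; dnscrypt-proxy will reject the file as invalid TOML otherwise. The edits by absolute line number (32, 689,700 and 795 to 798) are tied to one specific revision of the example config, and `689,700 s/#//` strips the first `#` from every line in that range, comments included, so matching on the key names (`odoh_servers`, `routes`, `server_name`) would be safer. Finally, the "Adblock package + dnscrypt-proxy2" section is removed wholesale rather than moved; if that is intended, say so in the edit summary or leave a pointer to where that configuration now lives.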
  • Last modified: 2024/10/30 10:48
  • by dpawlik