Differences

This shows you the differences between two versions of the page.

Older revision: docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy2 [2021/12/17 16:46] – Add IPv6 section (lastedit)
Newer revision: docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy2 [2024/06/20 13:12] – [Command-line instructions] Disable dnsmasq cache to avoid double caching (dpawlik)
Line 1: Line 1:
 ====== DNSCrypt with Dnsmasq and dnscrypt-proxy2 ====== ====== DNSCrypt with Dnsmasq and dnscrypt-proxy2 ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
Line 20: Line 20:
  
 # Enable DNS encryption # Enable DNS encryption
-/etc/init.d/dnsmasq stop+service dnsmasq stop
 uci set dhcp.@dnsmasq[0].noresolv="1" uci set dhcp.@dnsmasq[0].noresolv="1"
 uci set dhcp.@dnsmasq[0].localuse="1" uci set dhcp.@dnsmasq[0].localuse="1"
-uci set dhcp.@dnsmasq[0].boguspriv="0" +uci set dhcp.@dnsmasq[0].cachesize='0'
-uci set dhcp.@dnsmasq[0].cachesize="0"+
 uci -q delete dhcp.@dnsmasq[0].server uci -q delete dhcp.@dnsmasq[0].server
 uci add_list dhcp.@dnsmasq[0].server="127.0.0.53" uci add_list dhcp.@dnsmasq[0].server="127.0.0.53"
 sed -i "32 s/.*/server_names = ['google', 'cloudflare']/" /etc/dnscrypt-proxy2/*.toml sed -i "32 s/.*/server_names = ['google', 'cloudflare']/" /etc/dnscrypt-proxy2/*.toml
 uci commit dhcp uci commit dhcp
-/etc/init.d/dnsmasq start +service dnsmasq start 
-/etc/init.d/dnscrypt-proxy restart+service dnscrypt-proxy restart
 </code> </code>
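Review bot: the `sed -i "32 s/.*/server_names = ['google', 'cloudflare']/" /etc/dnscrypt-proxy2/*.toml` step edits the TOML by absolute line number, so on any installed `*.toml` whose layout differs from the one the author had it overwrites an unrelated line and leaves `server_names` untouched; matching the key is robust, e.g. `sed -i "s/^#\?server_names = .*/server_names = ['google', 'cloudflare']/" /etc/dnscrypt-proxy2/*.toml`. Two smaller points in the same block: the line `uci set dhcp.@dnsmasq[0].boguspriv="0"` is dropped without a mention in the edit summary, and since `boguspriv` decides whether reverse lookups for private ranges are forwarded upstream the text should say whether falling back to the default is intended; and `service dnsmasq start` now runs before `service dnscrypt-proxy restart`, so dnsmasq is up and pointing at 127.0.0.53 before the proxy is back. With `noresolv="1"` and only that upstream nothing leaks in the gap, queries just fail, but restarting dnscrypt-proxy first avoids the window altogether.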
  
Line 38: Line 37:
 Note: These are the recommended options from the [[https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-on-OpenWrt#recommended-tweaks|official DNSCrypt guide for OpenWrt on GitHub]]. Note: These are the recommended options from the [[https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-on-OpenWrt#recommended-tweaks|official DNSCrypt guide for OpenWrt on GitHub]].
  
 +Note: Beware that the distributed configuration includes an activated ''block-names.txt''. If you experience problems with some names, match them against this file first.
 ===== Testing ===== ===== Testing =====
 {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}}
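Review bot: the added note about the activated `block-names.txt` should name the TOML key that enables it so a reader can find, repoint or disable it; from the page's own (now removed) Adblock block that key is `blocked_names_file`, and a one-line pointer such as "see `blocked_names_file` in `/etc/dnscrypt-proxy2/*.toml`" would make the warning actionable. Style: the note sits directly on the line above `===== Testing =====` with no blank line, whereas every other heading on the page is preceded by one.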
Line 46: Line 46:
 <code bash> <code bash>
 # Restart services # Restart services
-/etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/dnscrypt-proxy restart+service log restart; service dnsmasq restart; service dnscrypt-proxy restart
  
 # Log and status # Log and status
Line 71: Line 71:
 # First, we need to set up a list of servers to use, example: (you have to change "exampledns" for the name of the DNS provider) # First, we need to set up a list of servers to use, example: (you have to change "exampledns" for the name of the DNS provider)
 sed -i "32 s/.*/server_names = ['exampledns', 'exampledns2']/" /etc/dnscrypt-proxy2/*.toml sed -i "32 s/.*/server_names = ['exampledns', 'exampledns2']/" /etc/dnscrypt-proxy2/*.toml
-/etc/init.d/dnscrypt-proxy restart+service dnscrypt-proxy restart
  
 # Or you can also use only one server, example: # Or you can also use only one server, example:
 sed -i "32 s/.*/server_names = ['cloudflare']/" /etc/dnscrypt-proxy2/*.toml sed -i "32 s/.*/server_names = ['cloudflare']/" /etc/dnscrypt-proxy2/*.toml
-/etc/init.d/dnscrypt-proxy restart+service dnscrypt-proxy restart
 </code> </code>
  
-==== IPv6 DNS servers ==== +==== ODoH protocol ==== 
-**dnscrypt-proxy2** is configured by default to only use DNS servers over IPv4, **but if you have an __IPv6 connectivity__**, you can configure **dnscrypt-proxy2** to use IPv6 DNS servers. +**[[https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Oblivious-DoH|ODoH (Oblivious DNS-over-HTTPS)]]** prevents servers from learning anything about client IP addresses, by using intermediate **relays** dedicated to forwarding encrypted DNS data. 
-You can add the name of the **IPv6 DNS servers** in the [[:docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy2#doh_and_dnscrypt_provider|instructions above]].+Instead of directly sending a query to a target DoH serverthe client encrypts it for that server, but sends it to a **relay**. 
 +An **ODoH relay** can only communicate with an **ODoH server** and an **ODoH client**. **Relays** can't get responses from a** generic DoH server** that doesn't support **ODoH**. 
 +You can change the [[https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/odoh-servers.md|ODoH servers]] and [[https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/odoh-relays.md|ODoH relays]] to any other.
  
 <code bash> <code bash>
-Use servers reachable over IPv6 (Do not enable if you don't have IPv6 connectivity) +Enable ODoH on dnscrypt-proxy2 
-sed -i "s/.*ipv6_servers.*/ipv6_servers = true/" /etc/dnscrypt-proxy2/*.toml +sed -i -e "s/.*odoh_servers.*/odoh_servers = true/; 689,700 s/#//" /etc/dnscrypt-proxy2/*.toml 
-/etc/init.d/dnscrypt-proxy restart+ 
 +# Configure "ODoH servers" and "ODoH relays" 
 +odoh_servers="['odoh-cloudflare', 'odoh-crypto-sx']" 
 +odoh_relays="['odohrelay-crypto-sx', 'odohrelay-koki-bcn']" 
 +sed -i -e "32 s/.*/server_names = $odoh_servers/; 795 s/.*/routes = [/; 797 s/.*/    { server_name='*', via=$odoh_relays }/; 798 s/.*/]/" /etc/dnscrypt-proxy2/*.toml 
 +service dnscrypt-proxy restart
 </code> </code>
  
-==== Adblock package + dnscrypt-proxy2 ==== +More information about **ODoH protocol**: [[https://blog.cloudflare.com/oblivious-dns/|Improving DNS Privacy with Oblivious DoH in 1.1.1.1]] 
-Correctly configure the **DNS backend** option in [[https://github.com/openwrt/packages/blob/master/net/adblock/files/README.md|Adblock]] package and the **Blocklists** option in [[https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml#L495|dnscrypt-proxy2]], so that [[https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml#L495|dnscrypt-proxy2]] uses the "blocklist file" (**adb_list.overall**) generated by the [[https://github.com/openwrt/packages/blob/master/net/adblock/files/README.md|Adblock]] package instead of **dnsmasq**, __as it should be__.+ 
 +Caveats: The **Oblivious DNS-over-HTTPS** protocol is still a work in progressServers and relays may not be very stable. 
 + 
 + 
  
-<code bash> 
-# Correctly configure Adblock and dnscrypt-proxy2 
-uci set adblock.global.adb_dns="raw" 
-uci set adblock.global.adb_dnsdir="/etc/dnscrypt-proxy2" 
-sed -i "s/.*blocked_names_file.*/blocked_names_file = 'adb_list.overall'/" /etc/dnscrypt-proxy2/*.toml 
-uci commit adblock 
-/etc/init.d/adblock restart 
-/etc/init.d/dnscrypt-proxy restart 
-</code> 
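Review bot: the ODoH block patches the TOML by hard-coded line numbers, `689,700 s/#//` and `795 s/.*/routes = [/; 797 s/.*/    { server_name='*', via=$odoh_relays }/; 798 s/.*/]/`, so any dnscrypt-proxy release that shifts the example config by a single line produces a broken or silently wrong `[anonymized_dns]` section, and `s/#//` removes the first `#` on each of those lines whatever it is, including a `#` inside an inline comment on a line that is already active. Anchor the edits on the `routes` key or tell the reader to edit the `[anonymized_dns]` block by hand, and have them validate the result with `dnscrypt-proxy -check` before restarting. Second, the example pairs the target `odoh-crypto-sx` with the relay `odohrelay-crypto-sx` under a wildcard route that lets the proxy send any server through any relay in `via`; if one operator runs both the relay (which sees the client address) and the target (which sees the query), the separation ODoH exists to provide is gone, so the text should say that relay and target must be run by different parties and should pick a non-overlapping pair. Third, the change also deletes the whole "IPv6 DNS servers" and "Adblock package + dnscrypt-proxy2" sections while the edit summary only mentions the dnsmasq cache; the Adblock removal takes away the only instructions for `blocked_names_file` at the same time the new note above warns that `block-names.txt` is active, so state where that guidance moved or why it was dropped. Minor wording: "target DoH serverthe client" is missing a comma, "work in progressServers" is missing a full stop, and the bold markers in "a** generic DoH server**" are misplaced.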
  • Last modified: 2024/10/30 10:48
  • by dpawlik