Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy2 [2021/12/28 20:38] – Wrong about adblock, I don't know when I deleted this. lastedit
docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy2 [2024/06/20 13:12] – [Command-line instructions] Disable dnsmasq cache to avoid double caching dpawlik
Line 1: Line 1:
 ====== DNSCrypt with Dnsmasq and dnscrypt-proxy2 ====== ====== DNSCrypt with Dnsmasq and dnscrypt-proxy2 ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
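Review bot: the infobox section is switched from cli_skills to basic_skills, yet everything on this page (the uci/sed/service blocks that the edit summary itself files under "Command-line instructions") is typed at a shell; unless basic_skills is the wiki's intended label for such pages, cli_skills looks like the accurate one, so the change should be explained or reverted.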
Line 20: Line 20:
  
 # Enable DNS encryption # Enable DNS encryption
-/etc/init.d/dnsmasq stop+service dnsmasq stop
 uci set dhcp.@dnsmasq[0].noresolv="1" uci set dhcp.@dnsmasq[0].noresolv="1"
 uci set dhcp.@dnsmasq[0].localuse="1" uci set dhcp.@dnsmasq[0].localuse="1"
-uci set dhcp.@dnsmasq[0].boguspriv="0" +uci set dhcp.@dnsmasq[0].cachesize='0'
-uci set dhcp.@dnsmasq[0].cachesize="0"+
 uci -q delete dhcp.@dnsmasq[0].server uci -q delete dhcp.@dnsmasq[0].server
 uci add_list dhcp.@dnsmasq[0].server="127.0.0.53" uci add_list dhcp.@dnsmasq[0].server="127.0.0.53"
 sed -i "32 s/.*/server_names = ['google', 'cloudflare']/" /etc/dnscrypt-proxy2/*.toml sed -i "32 s/.*/server_names = ['google', 'cloudflare']/" /etc/dnscrypt-proxy2/*.toml
 uci commit dhcp uci commit dhcp
-/etc/init.d/dnsmasq start +service dnsmasq start 
-/etc/init.d/dnscrypt-proxy restart+service dnscrypt-proxy restart
 </code> </code>
  
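Review bot: the edit summary says this disables the dnsmasq cache, but `cachesize="0"` was already present on the left side; the only functional change in this hunk is dropping `uci set dhcp.@dnsmasq[0].boguspriv="0"`, which leaves boguspriv at the package default instead of explicitly off (bogus-priv controls whether reverse lookups for private ranges are forwarded upstream). That should be stated in the summary or in the text rather than slipped in silently, and the "recommended options from the official DNSCrypt guide" note further down should be re-checked so it still matches what the block does. Two smaller points: `cachesize='0'` now uses single quotes while every other `uci set` in the block uses double quotes, and `sed -i "32 s/.*/server_names = .../"` relies on line 32 of the shipped toml holding `server_names`; a content match such as `sed -i "s/^#* *server_names = .*/server_names = ['google', 'cloudflare']/"` would survive a package update that shifts line numbers.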
Line 38: Line 37:
 Note: These are the recommended options from the [[https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-on-OpenWrt#recommended-tweaks|official DNSCrypt guide for OpenWrt on GitHub]]. Note: These are the recommended options from the [[https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-on-OpenWrt#recommended-tweaks|official DNSCrypt guide for OpenWrt on GitHub]].
  
 +Note: Beware that the distributed configuration includes an activated ''block-names.txt''. If you experience problems with some names, match them against this file first.
 ===== Testing ===== ===== Testing =====
 {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}}
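Review bot: the added note names block-names.txt but gives neither its location nor a way to confirm that this file is what is breaking a lookup. Suggest giving the full path under /etc/dnscrypt-proxy2/ (the directory the page's sed commands already edit), a one-line check such as `grep -n example.com /etc/dnscrypt-proxy2/*.txt`, and a pointer to the dnscrypt-proxy log, so readers do not have to guess. The file name should also be verified against the key in the shipped toml that references it, since that key, not the note, decides which list is active.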
Line 46: Line 46:
 <code bash> <code bash>
 # Restart services # Restart services
-/etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/dnscrypt-proxy restart+service log restart; service dnsmasq restart; service dnscrypt-proxy restart
  
 # Log and status # Log and status
Line 71: Line 71:
 # First, we need to set up a list of servers to use, example: (you have to change "exampledns" for the name of the DNS provider) # First, we need to set up a list of servers to use, example: (you have to change "exampledns" for the name of the DNS provider)
 sed -i "32 s/.*/server_names = ['exampledns', 'exampledns2']/" /etc/dnscrypt-proxy2/*.toml sed -i "32 s/.*/server_names = ['exampledns', 'exampledns2']/" /etc/dnscrypt-proxy2/*.toml
-/etc/init.d/dnscrypt-proxy restart+service dnscrypt-proxy restart
  
 # Or you can also use only one server, example: # Or you can also use only one server, example:
 sed -i "32 s/.*/server_names = ['cloudflare']/" /etc/dnscrypt-proxy2/*.toml sed -i "32 s/.*/server_names = ['cloudflare']/" /etc/dnscrypt-proxy2/*.toml
-/etc/init.d/dnscrypt-proxy restart+service dnscrypt-proxy restart
 </code> </code>
 +
 +==== ODoH protocol ====
 +**[[https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Oblivious-DoH|ODoH (Oblivious DNS-over-HTTPS)]]** prevents servers from learning anything about client IP addresses, by using intermediate **relays** dedicated to forwarding encrypted DNS data.
 +Instead of directly sending a query to a target DoH server, the client encrypts it for that server, but sends it to a **relay**.
 +An **ODoH relay** can only communicate with an **ODoH server** and an **ODoH client**. **Relays** can't get responses from a** generic DoH server** that doesn't support **ODoH**.
 +You can change the [[https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/odoh-servers.md|ODoH servers]] and [[https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/odoh-relays.md|ODoH relays]] to any other.
 +
 +<code bash>
 +# Enable ODoH on dnscrypt-proxy2
 +sed -i -e "s/.*odoh_servers.*/odoh_servers = true/; 689,700 s/#//" /etc/dnscrypt-proxy2/*.toml
 +
 +# Configure "ODoH servers" and "ODoH relays"
 +odoh_servers="['odoh-cloudflare', 'odoh-crypto-sx']"
 +odoh_relays="['odohrelay-crypto-sx', 'odohrelay-koki-bcn']"
 +sed -i -e "32 s/.*/server_names = $odoh_servers/; 795 s/.*/routes = [/; 797 s/.*/    { server_name='*', via=$odoh_relays }/; 798 s/.*/]/" /etc/dnscrypt-proxy2/*.toml
 +service dnscrypt-proxy restart
 +</code>
 +
 +More information about **ODoH protocol**: [[https://blog.cloudflare.com/oblivious-dns/|Improving DNS Privacy with Oblivious DoH in 1.1.1.1]]
 +
 +Caveats: The **Oblivious DNS-over-HTTPS** protocol is still a work in progress. Servers and relays may not be very stable.
 +
 +
 +
  
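Review bot: the ODoH block drives every change through hardcoded line numbers (`689,700 s/#//`, `795 s/.*/routes = [/`, `797 ...`, `798 ...`) in the shipped dnscrypt-proxy.toml, with no check that those lines hold what is assumed. `689,700 s/#//` strips the first `#` from each of twelve lines whatever they contain, and lines 795 to 798 are overwritten blindly; if the packaged toml differs by even one line, this silently corrupts an unrelated setting instead of failing. Suggest either matching on content (e.g. `s/^#* *odoh_servers = .*/odoh_servers = true/` and anchoring the route edit on the `routes` key) or, at minimum, adding a verification step before the restart, such as `grep -n -e odoh_servers -e routes -e via /etc/dnscrypt-proxy2/*.toml` followed by `dnscrypt-proxy -config /etc/dnscrypt-proxy2/<file>.toml -check`, so the reader sees the intended stanza rather than a silently broken config. The `routes` entry itself (`{ server_name='*', via=[...] }`) looks right. Given the caveat that servers and relays "may not be very stable", the prose should also say why the example lists two relays and two servers, i.e. that a single entry leaves no fallback.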
  • Last modified: 2024/10/30 10:48
  • by dpawlik