Differences
This shows you the differences between two versions of the page.
| docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy2 [2022/01/16 20:25] – [Command-line instructions] It works the same without those extra options. lastedit | docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy2 [2024/06/20 13:12] – [Command-line instructions] Disable dnsmasq cache to avoid double caching dpawlik | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== DNSCrypt with Dnsmasq and dnscrypt-proxy2 ====== | ====== DNSCrypt with Dnsmasq and dnscrypt-proxy2 ====== | ||
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| Line 20: | Line 20: | ||
| # Enable DNS encryption | # Enable DNS encryption | ||
| - | / | + | service |
| uci set dhcp.@dnsmasq[0].noresolv=" | uci set dhcp.@dnsmasq[0].noresolv=" | ||
| + | uci set dhcp.@dnsmasq[0].localuse=" | ||
| + | uci set dhcp.@dnsmasq[0].cachesize=' | ||
| uci -q delete dhcp.@dnsmasq[0].server | uci -q delete dhcp.@dnsmasq[0].server | ||
| uci add_list dhcp.@dnsmasq[0].server=" | uci add_list dhcp.@dnsmasq[0].server=" | ||
| sed -i "32 s/ | sed -i "32 s/ | ||
| uci commit dhcp | uci commit dhcp | ||
| - | / | + | service |
| - | / | + | service |
| </ | </ | ||
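Review bot: The added `uci set dhcp.@dnsmasq[0].cachesize='` line carries no comment saying why the cache is being changed; the edit summary gives the reason (avoiding double caching), and a one-line comment above it in the block would carry that to readers who copy the script. The two added lines also quote their values differently (`localuse="` with a double quote, `cachesize='` with a single quote) while the neighbouring `uci set` and `uci add_list` lines use double quotes, so one style should be used. Separately, the context line `sed -i "32 s/` edits its target file by line number, which silently does nothing or changes the wrong line if the packaged file's layout shifts; addressing the line by the option name it contains would be more robust.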
| Line 33: | Line 35: | ||
| Dnsmasq forwards DNS queries to dnscrypt-proxy2 which encrypts DNS traffic. | Dnsmasq forwards DNS queries to dnscrypt-proxy2 which encrypts DNS traffic. | ||
| + | Note: These are the recommended options from the [[https:// | ||
| + | |||
| + | Note: Beware that the distributed configuration includes an activated '' | ||
| ===== Testing ===== | ===== Testing ===== | ||
| {{section> | {{section> | ||
| Line 41: | Line 46: | ||
| <code bash> | <code bash> | ||
| # Restart services | # Restart services | ||
| - | / | + | service |
| # Log and status | # Log and status | ||
| Line 66: | Line 71: | ||
| # First, we need to set up a list of servers to use, example: (you have to change " | # First, we need to set up a list of servers to use, example: (you have to change " | ||
| sed -i "32 s/ | sed -i "32 s/ | ||
| - | / | + | service |
| # Or you can also use only one server, example: | # Or you can also use only one server, example: | ||
| sed -i "32 s/ | sed -i "32 s/ | ||
| - | / | + | service |
| </ | </ | ||
| + | |||
| + | ==== ODoH protocol ==== | ||
| + | **[[https:// | ||
| + | Instead of directly sending a query to a target DoH server, the client encrypts it for that server, but sends it to a **relay**. | ||
| + | An **ODoH relay** can only communicate with an **ODoH server** and an **ODoH client**. **Relays** can't get responses from a** generic DoH server** that doesn' | ||
| + | You can change the [[https:// | ||
| + | |||
| + | <code bash> | ||
| + | # Enable ODoH on dnscrypt-proxy2 | ||
| + | sed -i -e " | ||
| + | |||
| + | # Configure "ODoH servers" | ||
| + | odoh_servers=" | ||
| + | odoh_relays=" | ||
| + | sed -i -e "32 s/ | ||
| + | service dnscrypt-proxy restart | ||
| + | </ | ||
| + | |||
| + | More information about **ODoH protocol**: [[https:// | ||
| + | |||
| + | Caveats: The **Oblivious DNS-over-HTTPS** protocol is still a work in progress. Servers and relays may not be very stable. | ||
| + | |||
| + | |||
| + | |||
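Review bot: The added `sed -i -e "32 s/` command in the ODoH block addresses line 32 by number, the same line that the existing server-list commands earlier in this hunk (`sed -i "32 s/`) rewrite, so whichever step runs last determines what that line contains, and the address breaks if the file layout changes; say explicitly that the ODoH step replaces the earlier server list, and match on the option name instead of the line number. In the added relay paragraph, `a** generic DoH server**` has the space on the wrong side of the opening bold marker and should read `a **generic DoH server**`. The "Caveats:" paragraph about ODoH servers and relays not being very stable sits after the command block; moving it above the block puts it in front of readers before they apply the change. The three empty lines added at the end of the hunk can be dropped.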