Hi @mimugmail.
thanks a lot for the DNSCrypt Proxy Plugin. I have some questions / issues regarding the Plugin.
1. I saw in the actual dnscrypt-proxy.toml that the sources url points to github v2. But when I check the example dnscrypt-proxy.toml file, there are the correct actual links to v3. How to fix this?
[sources]
[sources.'public-resolvers']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
cache_file = 'public-resolvers.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 72
prefix = ''
2. I tried to test the anonymized dns, unfortunately there is no option to set it in the GUI yet. Could this be implemented? Would be awesome.
So when I tested it, I copied the following snippet to the .toml:
[anonymized_dns]
routes = [
{ server_name='server-example1', via=['anon-server1', 'anon-server2'] }
]
skip_incompatible = false
After this I checked the log, and it was working perfectly. But when I restarted the FW, the manually adapted configuration in the .toml file was missing. How can I make my manual adaptations in the .toml file persistent, so they survive a reboot?
Thx
BR
I can fix this after vacation
Thanks, would be great. Have a nice holiday!
Hello mimugmail,
did you already have time to fix it?
Thx
best regards
There is a PR in the pipeline, yes. Maybe 21.7.3 will have it
:) Perfect, Thx
Will this update allow configuration of anonymized dns via the gui? I have anonymized dns working by using the cmd line config file but think this is likely to be overwritten in future releases (?)
I'd also point out that this feature is a pretty big part of DNSCrypt since not many other DNS resolvers/forwarders allow anonymized IP and that really sets this apart.
@mimugmail - I recently started using the Dnscrypt-proxy package on opnsense, previously it was on another server. Firstly, thanks for maintaining this!
If it's easy enough, can the restrictions for min and max ttl for caching be removed or set way higher? Currently the value for min ttl is 1 hour (3600) but I prefer to use a much higher value (24 hours at present). In the Dnscrypt-proxy code there doesn't appear to be any restriction on these values, (long int). Currently I've edited the restriction out to verify I wouldn't have any problems...it's working great. I mentioned this on github, but no indication you saw it there.
Also, I copied the 2.1.1 executable over the current opnsense package version. It required some manual updates to the toml config file because of changes made in 2.1.1. Otherwise, it's also been working without issue for the past week.
Cheers!
Edit: Would also be great to have an option to disable query and nxdomain logging...save some writes on the SSD. :)
Quote from: mimugmail on September 03, 2021, 03:27:22 PM
There is a PR in the pipeline, yes. Maybe 21.7.3 will have it
Hello @mimugmail
Do you think in 21.7.5 the changes can be done?
Thx!
@crissi, you probably know this but just in case, to persist the changes I'm not sure how BUT if you just make a backup of the toml file then you can restore it and restart dnscrypt-proxy with the command line dnscrypt-proxy -system restart...at least that's what I did this morning post system update. You can also replace the binary with 2.1.1 if you haven't already and it works fine but it does have a couple changes in the config (I can highlight those if you need that because it's hard to find in the docs...might save you some searching). Actually, their example outlines it perfectly...basically they are now using brackets around certain parameters in the toml...for anyone curious.
I actually was looking into how to add the changes to the config but I think either way they'll get lost with the next update.
Edit: clarification...and link.
https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
Hi @gpb,
thanks for the information and the workaround! I have DNSCrypt Proxy installed on my PI, it works great, but I would like to permanently move this task to OPNsense. Yes, the restore with a backup of the .toml and a restart of the service works, but imho there should be a more permanent solution without tampering with the files.. and if information is changed, it should survive a reboot of the firewall..
@mimugmail when could the changes be implemented in DNSCrypt Proxy Plugin?
Thx!
I had mine running on two Rpi-4's, then thought I'd give it a try on opnsense where they could share a cache (pi-holes running on each as well). So I'm mostly interested in the caching feature and so they can share a single cache now. I was surprised to see better latency results on opnsense.
I was expecting 2.1.1 (still 2.0.45) in the latest but the UI would need an update or the templates to generate the config. Maybe you saw, but there's a contributor on github that rewrote the entire thing and he sort of got shot down due to time/effort issues. Hopefully some of those features make it in. Here's the link.
https://github.com/opnsense/plugins/pull/2543
Edit: Was poking around a bit and found a way to let dnscrypt-proxy survive a reboot and start as normal. Put your config from your pi here with a different name, I named my file: "/usr/local/etc/dnscrypt-proxy/dnscrypt-proxy-gpb.toml". Then I made a change in "/usr/local/etc/rc.d/dnscrypt-proxy" where you can specify the toml file you want dnscrypt-proxy to read when it starts. That survives a reboot. So, yeah I agree, I hate doing this but while you're waiting for the official you can test your changes. If you're like me, install nano (pkg install nano) and you're good to go. :) Cheers.
Indeed, I can also confirm the latency results on opnsense are much better...
Thanks for sharing the workaround, this would be perfect if I could get this to work for further testing, without scrambling my opnsense..;D
I have some understanding questions regarding your previous information:
Quote:
Also, I copied the 2.1.1 executable over the current opnsense package version.
Where exactly did you copy / extract the package content https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.1.1/dnscrypt-proxy-freebsd_amd64-2.1.1.tar.gz in OPNsense?
Quote:
It required some manual updates to the toml config file because of changes made in 2.1.1
I compared my Raspi .toml file with the example https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml , unfortunately I can't find the difference regarding the brackets. Can you please point me in the right direction?
Thanks a Lot!
Yes, that's where I got the binary. Easiest to just use their sample toml (in the download) and put your changes into it and then of course save it to the new name (not the default name since that will get overwritten when opnsense reboots).
Brackets are now wrapped around the server list and bootstrap servers (previously called fallback servers). Again, easiest to just refer to their included sample in the download. One note, I attempted to ftp the toml file from my pc to that folder and that didn't work...couldn't get dnscrypt to start. What I ended up doing was editing the file on the pc, then selected all and pasted into a new nano file on opnsense and save there. Hope that helps.
Edit: you could also make the changes on your rpi to verify and then move that file to opnsense...assuming you have 2.1.1 on your rpi.
I have now adapted the example .toml in the downloaded package. Just to be really sure, it's just the .toml file structure that I have to adapt; the binary file itself in the downloaded package (dnscrypt-proxy) I don't have to copy over to opnsense???
Thank You!
I have to say this plugin needs updating to the latest builds since at the moment it is not offering (readily accessible) the best that DNSCrypt has in its arsenal...Anonymized DNS!
I do appreciate that this plugin exists but it really does require an update to keep current.
i.e. GUI for
- Cache sizes
- Logging options on/off
- Anonymized DNS servers and settings
By the way my Anonymized settings survive a reboot by:
Just info on location of template: /usr/local/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
sudo nano dnscrypt-proxy.toml
add...
[anonymized_dns]
routes = [
{ server_name='"', via=['"'] },
{ server_name='"', via=['"', '"'] },
{ server_name='"', via=['"', '"'] }
]
skip_incompatible = true
## Anonymized DNS relays
[sources.'relays']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/relays.md']
cache_file = 'relays.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 72
prefix = ''
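Tying together the v2 source URLs from the first post and the anonymized_dns routes plus the relays source above, here is an added Python lint (not plugin code and not from any post in this thread) that flags both on a constructed sample config and rewrites the v2 list paths to v3; it assumes Python 3.11's tomllib (or the tomli package on older versions).

```python
"""Added lint for the two config issues in this thread: resolver sources still on
the v2 list URLs, and anonymized_dns routes without a relays source. Not plugin code."""
import re
try:
    import tomllib              # Python 3.11+ standard library
except ImportError:             # assumption: 'tomli' installed on older Pythons
    import tomli as tomllib

# Constructed sample mirroring the plugin-generated file quoted in the thread.
SAMPLE_TOML = """
listen_addresses = ['127.0.0.1:53000']
[sources]
[sources.'public-resolvers']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
cache_file = 'public-resolvers.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 72
prefix = ''
[anonymized_dns]
routes = [
  { server_name='server-example1', via=['anon-server1', 'anon-server2'] }
]
skip_incompatible = false
"""

def lint(text):
    """Return a list of findings for a dnscrypt-proxy.toml given as text."""
    cfg = tomllib.loads(text)
    findings = []
    sources = cfg.get("sources", {})
    for name, src in sources.items():
        for url in src.get("urls", []):
            if "/v2/" in url:
                findings.append(f"sources.{name}: v2 list URL (current lists are v3): {url}")
    anon = cfg.get("anonymized_dns", {})
    routes = anon.get("routes", [])
    # Relay names such as anon-* come from relays.md, so routes need a relays source.
    if routes and "relays" not in sources:
        findings.append("anonymized_dns: routes set but no [sources.'relays'] section")
    # With skip_incompatible = false, resolvers that cannot be relayed are queried directly.
    if routes and anon.get("skip_incompatible") is False:
        findings.append("anonymized_dns: skip_incompatible = false, incompatible resolvers bypass the relay")
    return findings

def upgrade_v2_urls(text):
    """Rewrite the official v2 list paths to v3, text-level so comments and layout survive."""
    return re.sub(r"(resolvers-list/|dnscrypt-resolvers/master/)v2/", r"\g<1>v3/", text)
```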
Quote from: crissi on November 17, 2021, 10:39:17 AM
I have now adapted the example .toml in the downloaded package. Just to be really sure, it's just the .toml file structure that I have to adapt; the binary file itself in the downloaded package (dnscrypt-proxy) I don't have to copy over to opnsense???
Thank You!
Yes, just the TOML. So here's basically what I did.
* SSH into opnsense, cd /usr/local/sbin....this is where the binary is located. Rename the current binary to 205, i.e., mv dnscrypt-proxy dnscrypt-proxy-205
* Copy the new binary from the package you manually downloaded. You can do this a couple ways, I just used FTP from my pc using filezilla.
* Once copied, make sure it has the same permissions as the original. I just needed to make it executable (chmod +x dnscrypt-proxy).
* Now that the binary is in place (size is 9027584 bytes), change your directory to /usr/local/etc/dnscrypt-proxy, this is where the current config is. Rename the current toml to a different name, i.e., mv dnscrypt-proxy.toml dnscrypt-proxy.toml.205. Now you need the new one here. Again several ways to do this. I opened the editor, nano dnscrypt-proxy.toml and then copied the contents of the adapted file in windows notepad (or equivalent) and pasted into nano. Save. Check permissions and make sure they're the same (ls -l). I might have changed the group, i.e., chown root:_dnscrypt-proxy dnscrypt-proxy.toml to be like the others in that directory.
* Now the toml is in place, copy the toml to the new temporary name, cp dnscrypt-proxy.toml dnscrypt-proxy-211.toml for example. This is the file we will point to in the next step.
* Edit the file /usr/local/etc/rc.d/dnscrypt-proxy and near the top you'll see the line that points to the toml. Edit that line to include the file name you used (i.e., dnscrypt-proxy-211.toml) in order to preserve setting over a reboot.
* Now you can start the service via the gui or command line using service dnscrypt-proxy start.
* Verify it started and the log reflects this in the gui. I set mine to listen on port 53000, so I can also verify it's resolving using dig opnsense.org @127.0.0.1 -p 53000. In pihole, my dns server setting is 192.168.1.1#53000. The port number is set near the top of the toml in listen_addresses = ['127.0.0.1:53000'].
That should do it, if I missed something or confused, let me know...doing this from memory.
Quote from: pugs on November 17, 2021, 11:13:25 AM
By the way my Anonymized settings survive a reboot by:
Just info on location of template: /usr/local/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
Good point, that's another option but you may need to redo it on the next upgrade...just make a backup. I had to tweak the zabbix template a few days ago. Cheers.
@gpb Thanks so much for the detailed information, upgraded now to 211, all working as advertised ;D
In the next days I will test the new features and see how it goes :)
@pugs Thank you too for the hint with the service template