Hi, I'm cake. I wanted multiple dnscrypt-proxy instances for reliability. I like dnscrypt because it stops your ISP from keeping a log of all your travels. Some of the dnscrypt providers don't have 100 percent uptime, some discontinue, etc. This is for redundancy. I don't take credit for any of the following; I'm just gathering it all together in one spot for OPNsense 16.7.
So, in the terminal:
pkg install dnscrypt-proxy
pkg install nano
I got this next script from https://forums.freebsd.org/threads/48250/
mv /usr/local/etc/rc.d/dnscrypt-proxy /usr/local/etc/rc.d/dnscrypt-proxy.original
nano /usr/local/etc/rc.d/dnscrypt-proxy
Paste this in: (credit to arabesc)
#!/bin/sh
#
# $FreeBSD: head/dns/dnscrypt-proxy/files/dnscrypt-proxy.in 373758 2014-12-02 09:21:49Z xmj $
#
# PROVIDE: dnscrypt_proxy
# REQUIRE: SERVERS cleanvar
# BEFORE: named local_unbound unbound
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf to enable dnscrypt-proxy:
#
# dnscrypt_proxy_instances (str):   Set to "dnscrypt_proxy" by default.
#                                   List of dnscrypt_proxy instance id's,
#                                   e.g. "dnscrypt_proxy_1 dnscrypt_proxy_2", etc.
# {instance_id}_enable (bool):      Set to NO by default.
#                                   Set to YES to enable dnscrypt-proxy.
# {instance_id}_uid (str):          Set to "_dnscrypt-proxy" by default.
#                                   User to switch to after starting.
# {instance_id}_resolver (str):     Set to "opendns" by default.
#                                   Choose a different upstream resolver.
# {instance_id}_pidfile (str):      default: "/var/run/dnscrypt-proxy.pid"
#                                   Location of pid file.
# {instance_id}_logfile (str):      default: "/var/log/dnscrypt-proxy.log"
#                                   Location of log file.
#
# To redirect a local resolver through dnscrypt-proxy, point it at 127.0.0.2
# and add the following to rc.conf:
# ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
# dnscrypt_proxy_flags='-a 127.0.0.2'

. /etc/rc.subr

name=dnscrypt_proxy
load_rc_config ${name}

: ${dnscrypt_proxy_instances="${name}"}
: ${dnscrypt_proxy_enable:=NO}
dnscrypt_proxy_enable_tmp=${dnscrypt_proxy_enable}

command=/usr/local/sbin/dnscrypt-proxy
procname=/usr/local/sbin/dnscrypt-proxy

for i in $dnscrypt_proxy_instances; do
    name=${i}
    eval ${name}_enable=${dnscrypt_proxy_enable_tmp}
    rcvar=${name}_enable
    load_rc_config ${i}
    eval dnscrypt_proxy_uid_tmp=\${${i}_uid}
    eval dnscrypt_proxy_resolver_tmp=\${${i}_resolver}
    eval dnscrypt_proxy_pidfile_tmp=\${${i}_pidfile}
    eval dnscrypt_proxy_logfile_tmp=\${${i}_logfile}
    : ${dnscrypt_proxy_uid_tmp:=_dnscrypt-proxy}       # User to run daemon as
    : ${dnscrypt_proxy_resolver_tmp:=opendns}          # resolver to use
    : ${dnscrypt_proxy_pidfile_tmp:=/var/run/${i}.pid} # Path to pid file
    : ${dnscrypt_proxy_logfile_tmp:=/var/log/${i}.log} # Path to log file
    command_args="-d -p ${dnscrypt_proxy_pidfile_tmp} -l ${dnscrypt_proxy_logfile_tmp} -u ${dnscrypt_proxy_uid_tmp} -R ${dnscrypt_proxy_resolver_tmp}"
    pidfile=${dnscrypt_proxy_pidfile_tmp}
    _rc_restart_done=false # workaround for: service dnscrypt-proxy restart
    run_rc_command "$1"
done
Make it executable:
chmod a+x /usr/local/etc/rc.d/dnscrypt-proxy
Next:
nano /etc/rc.conf
Here is mine as an example (see the next post down for a better way):
## Use other method instead of lo0 alias ##
## ifconfig lo0 alias 127.0.0.2/32 ##
## ifconfig lo0 alias 127.0.0.3/32 ##
## ifconfig lo0 alias 127.0.0.4/32 ##
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_instances="dnscrypt_proxy_1 dnscrypt_proxy_2 dnscrypt_proxy_3"
dnscrypt_proxy_1_resolver="ipredator"
dnscrypt_proxy_1_flags="-a 127.0.0.2:53 -l /var/log/"
dnscrypt_proxy_2_resolver="dnscrypt.eu-dk"
dnscrypt_proxy_2_flags="-a 127.0.0.3:53 -l /var/log/"
dnscrypt_proxy_3_resolver="d0wn-lu-ns1"
dnscrypt_proxy_3_flags="-a 127.0.0.4:53 -l /var/log/"
You can change the resolvers to whatever you want that is listed in: /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv
If you want the latest list:
pkg install wget
wget -O /usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv
You might be able to leave out the unbound enable line, since it doesn't appear to be needed or running.
In the OPNsense GUI, go to Services-->DNS Forwarder.
Enable it, set it to port 53. Specify the interface(s) and set it to strict. Also, for testing, uncheck "Query DNS servers sequentially".
EDIT: Use geofflowemn's advice instead of my commented-out stuff above (ifconfig...): go to the GUI, Firewall-->Virtual IPs-->Settings and add:
Virtual IP address Interface Type Description
127.0.0.2/32 LocalHost IP Alias dnscrypt-proxy
127.0.0.3/32 LocalHost IP Alias dnscrypt-proxy
127.0.0.4/32 LocalHost IP Alias dnscrypt-proxy
EDIT: fixed typo (thanks geofflowemn)
Next go to System-->Settings-->General and specify the DNS servers as 127.0.0.2, 127.0.0.3 and 127.0.0.4.
I checked "Do not use the DNS Forwarder as a DNS server for the firewall" and unchecked "Allow DNS server list to be overridden by DHCP/PPP on WAN". I did not specify any DNS servers in the DHCP section of Services.
To test/start, type: service dnscrypt-proxy start (it should load when the system boots from now on).
A couple of good websites to test if it's working:
https://www.perfect-privacy.com/dns-leaktest/
https://ipleak.net/
When testing: make sure you disable your browser's DNS caching; also, if you're on Linux, the command sudo resolvconf -u helps when troubleshooting with dig, nslookup, etc. Hope I didn't forget any other tidbits, and that your system reboots using your new dnscrypt-proxy settings without any more user input.
Hope this gathering of info from several places has helped someone else achieve their goal. There is a nice tutorial on using unbound to cache queries for speed: https://blog.ipredator.se/freebsd-dnscrypt-howto.html
It would be a great feature to add this to the GUI in the future!
Edit: Add IP of LAN interface to: Services-->DHCP-->Server--->select interface-->DNS servers
Edit: Fixed some errors (spelling), added some extras. I noticed I messed up my configuration royally, and when loading an older saved configuration dnscrypt-proxy gets wiped out (it didn't save my dnscrypt configuration). Had to start from scratch. Noticed a couple of omissions in this post. :-0
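As an added example (not code from the thread or from the dnscrypt-proxy project): a small POSIX sh check that reads a multi-instance rc.conf like the one above without sourcing it and verifies, against dnscrypt-resolvers.csv, that every instance names a resolver that is actually in the list, listens on its own loopback alias, and has an instance id the rc.d script can safely eval. The rc.conf fragment and CSV it writes under $TMPDIR are constructed samples (with one deliberate unknown resolver and one duplicated listen address); set RCCONF and RESOLVERS to the real files to check a live firewall.

```shell
#!/bin/sh
# Added example: sanity-check a multi-instance dnscrypt-proxy rc.conf against
# the resolver list before (re)starting the service. Sample files are constructed.
TMP="${TMPDIR:-/tmp}"
RCCONF="${RCCONF:-$TMP/dnscrypt_rcconf_sample}"
RESOLVERS="${RESOLVERS:-$TMP/dnscrypt_resolvers_sample.csv}"

# constructed rc.conf fragment, same shape as the first post, with two mistakes:
# instance 2 reuses instance 1's listen address, instance 3 names an unknown resolver
cat >"$RCCONF" <<'EOF'
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_instances="dnscrypt_proxy_1 dnscrypt_proxy_2 dnscrypt_proxy_3"
dnscrypt_proxy_1_resolver="ipredator"
dnscrypt_proxy_1_flags="-a 127.0.0.2:53 -l /var/log/"
dnscrypt_proxy_2_resolver="dnscrypt.eu-dk"
dnscrypt_proxy_2_flags="-a 127.0.0.2:53 -l /var/log/"
dnscrypt_proxy_3_resolver="no-such-resolver"
dnscrypt_proxy_3_flags="-a 127.0.0.4:53 -l /var/log/"
EOF

# constructed cut-down dnscrypt-resolvers.csv; only the first (Name) column is read
cat >"$RESOLVERS" <<'EOF'
Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
ipredator,IPredator,"Resolver, no logs",Sweden,,https://example.invalid,1,yes,yes,no,192.0.2.1:443,2.dnscrypt-cert.example.invalid,,
dnscrypt.eu-dk,DNSCrypt.eu DK,"Resolver, no logs",Denmark,,https://example.invalid,1,yes,yes,no,192.0.2.2:443,2.dnscrypt-cert.example.invalid,,
EOF

# rc_get FILE VAR: value of VAR's last assignment in an rc.conf-style file, quotes
# stripped. rc.conf is shell syntax, but it is read with sed rather than sourced
# so that checking a file never executes whatever is written in it.
rc_get() {
    sed -n "s/^$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# listen_addr FLAGS: the address given to -a, empty if the flags have none
listen_addr() {
    printf '%s\n' "$1" | sed -n 's/.*-a  *\([^ ]*\).*/\1/p'
}

# resolver_known CSV NAME: 0 if NAME is in the Name column of the resolver list
resolver_known() {
    cut -d, -f1 "$1" | grep -qxF -- "$2"
}

# check_instances RCCONF CSV: one line per finding; returns the number of findings
check_instances() {
    problems=0
    seen=""
    for inst in $(rc_get "$1" dnscrypt_proxy_instances); do
        # the rc.d script builds variable names from the id with eval, so keep
        # ids to letters, digits and underscore
        case "$inst" in
            *[!A-Za-z0-9_]*)
                echo "$inst: instance id contains characters other than [A-Za-z0-9_]"
                problems=$((problems + 1)); continue ;;
        esac
        resolver=$(rc_get "$1" "${inst}_resolver")
        [ -n "$resolver" ] || resolver=opendns   # the rc.d script's default
        if ! resolver_known "$2" "$resolver"; then
            echo "$inst: resolver '$resolver' is not in $2"
            problems=$((problems + 1))
        fi
        addr=$(listen_addr "$(rc_get "$1" "${inst}_flags")")
        if [ -z "$addr" ]; then
            echo "$inst: no -a in flags; dnscrypt-proxy would bind its default 127.0.0.1:53"
            problems=$((problems + 1))
            continue
        fi
        case "$addr" in
            127.*) ;;
            *) echo "$inst: listens on $addr, not on a loopback alias"
               problems=$((problems + 1)) ;;
        esac
        case " $seen " in
            *" $addr "*) echo "$inst: listen address $addr is already used by another instance"
                         problems=$((problems + 1)) ;;
        esac
        seen="$seen $addr"
    done
    return $problems
}

check_instances "$RCCONF" "$RESOLVERS" || echo "$? problem(s) found; fix rc.conf before starting"
```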
Thanks for the great information. It saved me a ton of time! :)
1) I think there is a typo in this section:
Quote: Next go to System-->Setting--->General---> Specify the dns servers at 127.0.0.1 127.0.0.2 and 127.0.0.3
I think it should read:
127.0.0.2,
127.0.0.3, and
127.0.0.4 to match your dnscrypt-proxy instances, right?
2) It is my understanding that adding commands like "ifconfig lo0 alias <blah>" into the rc.conf file is bad form. I found that I could achieve the same result using OPNsense Virtual IPs:
Firewall > Virtual IPs > Settings
Mode: IP Alias
Interface: Localhost
Type: Single address
Address: 127.0.0.2/32
Description: dnscrypt-proxy
Repeat for 127.0.0.3, etc.
3) A question/clarification for this section:
Quote: In OpnSense GUI, go to Services-->DNS Forwarder
Enable it, set it to port 53. I also specified the interface and set it to strict.
Which interface(s) did you specify here? I assumed since it was set to "All" I had to instead set it to "Localhost", "LAN", "OPT1", etc - everything EXCEPT "All" and the virtual IP aliases I used. And it seems to work that way.
Hi geofflowemn. So happy you got it to work!
1) Thank you, yes you are correct! I will try to re-edit the first post
2) Thanks again, I didn't know about that :-)
3) Correct, I specified my LAN interface
dnscrypt has been rock solid since I set it up so far.
Edit: When upgrading from 16.7 to 17.1, I suggest going to System-->Settings-->DNS servers and changing them to 8.8.8.8 and 8.8.4.4 temporarily until you finish upgrading. Then run through the steps again. Worked for me.
Hello everyone,
thank you very much for your great guide :D
Unfortunately I had the problem that the file "/usr/local/etc/rc.d/dnscrypt-proxy" was overwritten several times during updates, and as a result "dnscrypt-proxy" could not start, which caused an internet outage for all clients.
So I wrote the following script, which needs "bash", since "csh" apparently has no functions. Or I just went about it clumsily ::)
conf_backup = the script by arabesc from post 1
Anyone whose English is better than mine is welcome to translate this text ;)
#!/usr/local/bin/bash
proxy_tmp=/tmp/tmp_dnscrypt_proxy
proxy_csv=/usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv
# 1 if pkg reports the dnscrypt-proxy package as locked, 0 otherwise
check_dnscrypt=$(pkg info -ak | grep 'dnscrypt-proxy-' | grep 'yes' | wc -l | tr -d ' ')
conf_backup=/root/dnscrypt_proxy_backup
conf_dnscrypt=/usr/local/etc/rc.d/dnscrypt-proxy
# 1 if the installed package is up to date, 0 if an update is available
versions_check=$(pkg version -vx dnscrypt-proxy | grep 'up-to-date with remote' | wc -l | tr -d ' ')

# package is locked: unlock it, update it, lock it again
update_lock() {
    pkg unlock -qy dnscrypt-proxy
    pkg install dnscrypt-proxy
    pkg lock -qy dnscrypt-proxy
}

# package is not locked: update it, then lock it
update_unlock() {
    pkg install dnscrypt-proxy
    pkg lock -qy dnscrypt-proxy
}

# fetch the current resolver list and replace the local copy if it changed
check_proxy_csv() {
    if [ -e $proxy_tmp ]; then   # -e, not -f: $proxy_tmp is a directory
        rm -rf $proxy_tmp
    fi
    mkdir $proxy_tmp
    wget --no-cache -O $proxy_tmp/dnscrypt-resolvers-new.csv https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv
    if ! cmp $proxy_tmp/dnscrypt-resolvers-new.csv $proxy_csv >/dev/null 2>&1; then
        mv $proxy_tmp/dnscrypt-resolvers-new.csv $proxy_csv
    fi
    rm -rf $proxy_tmp
}

# restore the rc.d script from the backup if an update overwrote it,
# then (re)start dnscrypt-proxy
check_conf() {
    checkprocess=$(ps -U_dnscrypt-proxy | grep 'dnscrypt_proxy_' | wc -l | tr -d ' ')
    diff -q $conf_backup $conf_dnscrypt 1>/dev/null
    case "$?" in
        0)
            # all good, the script is untouched
            check_proxy_csv
            if [ "$checkprocess" -eq 0 ]; then
                service dnscrypt-proxy start
            else
                service dnscrypt-proxy restart
                sleep 3
            fi
            ;;
        1)
            # the script differs from the backup: stop, restore, start
            if [ "$checkprocess" -gt 0 ]; then
                service dnscrypt-proxy stop
                sleep 3
            fi
            cp "$conf_backup" "$conf_dnscrypt"
            check_proxy_csv
            service dnscrypt-proxy start
            ;;
    esac
}

case "$check_dnscrypt" in
    1)
        if [ "$versions_check" -eq 0 ]; then
            update_lock
        fi
        check_conf
        ;;
    0)
        if [ "$versions_check" -eq 0 ]; then
            update_unlock
        else
            pkg lock -qy dnscrypt-proxy
        fi
        check_conf
        ;;
esac
edit: typo
We really need a plugin to stop the file from being overwritten. An rc.d script is not an ideal file to be edited.
Hi!
I updated OPNsense to 17.7 and, after having changed dnscrypt-proxy again because it was overwritten by the 1.9.5 update,
I confirm that the above configuration works well!
Thanks All!
I just did an update from 17.1 to 17.7 as well. So far I had only minor trouble with the update: I started the update from the GUI and got held up on a r2 after it rebooted, until I went and changed System-->Settings-->General--DNS to Google's 8.8.8.8 from 127.0.0.1 ....... just temporarily.
Then I went back to firmware and tried again. I got to update to 17.7 :D (I was stuck on a r2 update with an end-of-life message; it was also failing to check updates due to the system DNS being set to 127.0.0.1 .....). After the final upgrade I changed System-->Settings-->General--DNS back to 127.0.0.1, 127.0.0.2 and 127.0.0.3 (what I had earlier).
I thought I had nslookup and dig available, but I see there is a tool I never used before in its place -> drill. I also had to re-paste from the 1st post back into /usr/local/etc/rc.d/dnscrypt-proxy and chmod a+x.
After that dnscrypt works like a charm again.
Hi,
With a fresh 17.7 install /etc/rc.conf is ignored at bootup, so it will not start automatically; I have to run service dnscrypt-proxy start.
What kind of sorcery do you use for this to work? :o
______________________
Before I saw this thread I made an rc.d script using the openvpn way to start multiple instances;
it uses symbolic links: cd /usr/local/etc/rc.d/; ln -s dnscrypt-proxy dnscrypt-proxy_foo
#!/bin/sh
#
# $FreeBSD$
#
# PROVIDE: dnscrypt_proxy
# REQUIRE: SERVERS cleanvar ldconfig
# BEFORE: named local_unbound unbound
# KEYWORD: shutdown
#
# This script supports running multiple instances of dnscrypt-proxy.
# To run additional instances link this script to something like
# % ln -s dnscrypt-proxy dnscrypt-proxy_foo
# and define additional dnscrypt_proxy_foo_* variables in one of
# /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/dnscrypt-proxy_foo
#
# The name of the additional instance should contain only letters (a to z or A to Z),
# numbers (0 to 9) or the underscore character (_).
#
# Below NAME should be substituted with the name of this script. By default
# it is dnscrypt_proxy, so read as dnscrypt_proxy_enable. If you linked the script to
# dnscrypt-proxy_foo, then read as dnscrypt_proxy_foo_enable etc.
#
# The following variables are supported (defaults are shown).
# You can place them in any of
# /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/NAME
#
# NAME_enable="NO"      # set to YES to enable dnscrypt-proxy instance
#
# # optional:
# NAME_flags=           # additional command line arguments
# NAME_configfile="/usr/local/etc/dnscrypt-proxy/NAME.conf" # Will override all other
#                       # settings and only use the config file.
# NAME_uid (str):       Set to "_dnscrypt-proxy" by default.
#                       User to switch to after starting.
# NAME_resolver (str):  Set to "cisco" by default.
#                       Choose a different upstream resolver.
# NAME_pidfile (str):   default: "/var/run/NAME.pid"
#                       Location of pid file.
# NAME_logfile (str):   default: "/var/log/NAME.log"
#                       Location of log file.
#
# To redirect a local resolver through dnscrypt-proxy, point it at 127.0.0.x
# and add the following to rc.conf:
# ifconfig_lo0_alias0="inet 127.0.0.x netmask 0xffffffff"
# NAME_flags='-a 127.0.0.x'

. /etc/rc.subr

# service(8) does not create an authentic environment, try to guess,
# and as of 10.3-RELEASE-p0, it will not find the indented name=
# assignments below. So give it a default.
# Trailing semicolon also for service(8)'s benefit:
name="$file" ;

case "$0" in
/etc/rc*)
    # during boot (shutdown) $0 is /etc/rc (/etc/rc.shutdown),
    # so get the name of the script from $_file
    name="$_file"
    ;;
*/service)
    # do not use this as $0
    ;;
*)
    name="$0"
    ;;
esac

# default name to "dnscrypt_proxy" if guessing failed
# Trailing semicolon also for service(8)'s benefit:
name="dnscrypt_proxy${name##*dnscrypt-proxy}" ;
rcvar=${name}_enable

stop_postcmd()
{
    rm -f "$pidfile" || warn "Could not remove $pidfile."
}

# command and arguments
command="/usr/local/sbin/dnscrypt-proxy"

# run this last
stop_postcmd="stop_postcmd"

load_rc_config ${name}

eval ": \${${name}_enable:=\"NO\"}"
eval ": \${${name}_configfile:=\"/usr/local/etc/dnscrypt-proxy/${name}.conf\"}"
eval ": \${${name}_uid:=\"_dnscrypt-proxy\"}"          # User to run daemon as
eval ": \${${name}_resolver:=\"cisco\"}"               # resolver to use
eval ": \${${name}_pidfile:=\"/var/run/${name}.pid\"}" # Path to pid file
eval ": \${${name}_logfile:=\"/var/log/${name}.log\"}" # Path to log file

configfile="$(eval echo \${${name}_configfile})"
uid="$(eval echo \${${name}_uid})"
resolver="$(eval echo \${${name}_resolver})"
pidfile="$(eval echo \${${name}_pidfile})"
logfile="$(eval echo \${${name}_logfile})"

if [ -f "$configfile" ]; then
    command_args="$configfile"
else
    command_args="-d -p $pidfile -l $logfile -u $uid -R $resolver"
fi

run_rc_command "$1"
First, thanks to Cake for this nice Howto. I am wondering if anyone uses dnscrypt-proxy (as described in first post) with Unbound DNS.
I have the problem that after a reboot DNS isn't working anymore. My workaround: stop Unbound DNS manually (GUI -> Stop button), then start dnscrypt-proxy via shell (service dnscrypt-proxy start) and finally restart Unbound via the GUI.
I am not sure, but it looks like dnscrypt-proxy (enabled in /etc/rc.conf) doesn't start when Unbound is already running. In the dnscrypt-proxy script we see the directive "BEFORE: unbound...", but this controls the normal "service... start" process. How can I make sure that the Unbound plugin will be started AFTER "service dnscrypt-proxy start" at boot time?
Quote from: joaop on August 22, 2017, 04:25:44 PM
With a fresh 17.7 install /etc/rc.conf is ignored at bootup, so it will not start automatically; I have to run service dnscrypt-proxy start.
What kind of sorcery do you use for this to work? :o
Look out for typos, it must read dnscrypt_proxy_enable="YES". It should not be ignored.
Quote: I am not sure, but it looks like dnscrypt-proxy (enabled in /etc/rc.conf) doesn't start when Unbound is already running. In the dnscrypt-proxy script we see the directive "BEFORE: unbound...", but this controls the normal "service... start" process. How can I make sure that the Unbound plugin will be started AFTER "service dnscrypt-proxy start" at boot time?
Unbound is part of our system, a base plugin if you will. We start auxiliary services afterwards, so in order to fix this we need to make dnscrypt-proxy a plugin as well to adhere to a correct starting order.
Cheers,
Franco
Quote from: franco on September 18, 2017, 09:13:35 AM
Quote: I am not sure, but it looks like dnscrypt-proxy (enabled in /etc/rc.conf) doesn't start when Unbound is already running. In the dnscrypt-proxy script we see the directive "BEFORE: unbound...", but this controls the normal "service... start" process. How can I make sure that the Unbound plugin will be started AFTER "service dnscrypt-proxy start" at boot time?
Unbound is part of our system, a base plugin if you will. We start auxiliary services afterwards, so in order to fix this we need to make dnscrypt-proxy a plugin as well to adhere to a correct starting order.
Ok, thank you for your reply. Unfortunately I don't have the skills to develop a dnscrypt-proxy plugin. So the only option seems to be to wait for a plugin or, as a workaround, modify the dnscrypt-proxy start script in a way that Unbound is stopped temporarily and started again after dnscrypt-proxy has started. But... I have no idea how :-(
Would it be enough to be able to reconfigure unbound after startup?
Finally I figured out some solutions:
ad 1 (no startup at boot time): The script in the first post won't start dnscrypt-proxy automatically at boot time. In this thread (https://forums.freebsd.org/threads/48250/) we see the solution (second post of the linked thread: https://forums.freebsd.org/threads/48250/#post-281305): "(Add rcvar=dnscrypt_proxy_enable after name=...)"
Solution: Grab the actual dnscrypt-proxy script from GitHub (https://gist.githubusercontent.com/steakknife/02832ff104df3483c012/raw/c456bf414cdc18648054abe1acab3ec27af2a158/dnscrypt-proxy):
#!/bin/sh
#
# $FreeBSD: head/dns/dnscrypt-proxy/files/dnscrypt-proxy.in 373758 2014-12-02 09:21:49Z xmj $
#
# PROVIDE: dnscrypt_proxy
# REQUIRE: ldconfig cleanvar
# BEFORE: SERVERS
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf to enable dnscrypt-proxy:
#
# dnscrypt_proxy_instances (str):   Set to "dnscrypt_proxy" by default.
#                                   List of dnscrypt_proxy instance id's,
#                                   e.g. "dnscrypt_proxy_1 dnscrypt_proxy_2", etc.
# {instance_id}_enable (bool):      Set to NO by default.
#                                   Set to YES to enable dnscrypt-proxy.
# {instance_id}_uid (str):          Set to "_dnscrypt-proxy" by default.
#                                   User to switch to after starting.
# {instance_id}_resolver (str):     Set to "opendns" by default.
#                                   Choose a different upstream resolver.
# {instance_id}_pidfile (str):      default: "/var/run/dnscrypt-proxy.pid"
#                                   Location of pid file.
# {instance_id}_logfile (str):      default: "/var/log/dnscrypt-proxy.log"
#                                   Location of log file.
#
# To redirect a local resolver through dnscrypt-proxy, point it at 127.0.0.2
# and add the following to rc.conf:
# ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
# dnscrypt_proxy_flags='-a 127.0.0.2'

. /etc/rc.subr

name=dnscrypt_proxy
rcvar=dnscrypt_proxy_enable
load_rc_config ${name}

: ${dnscrypt_proxy_instances="${name}"}
: ${dnscrypt_proxy_enable:=NO}
dnscrypt_proxy_enable_tmp=${dnscrypt_proxy_enable}

command=/usr/local/sbin/dnscrypt-proxy
procname=/usr/local/sbin/dnscrypt-proxy

for i in $dnscrypt_proxy_instances; do
    name=${i}
    eval ${name}_enable=${dnscrypt_proxy_enable_tmp}
    rcvar=${name}_enable
    load_rc_config ${i}
    eval dnscrypt_proxy_uid_tmp=\${${i}_uid}
    eval dnscrypt_proxy_resolver_tmp=\${${i}_resolver}
    eval dnscrypt_proxy_pidfile_tmp=\${${i}_pidfile}
    eval dnscrypt_proxy_logfile_tmp=\${${i}_logfile}
    : ${dnscrypt_proxy_uid_tmp:=_dnscrypt-proxy}       # User to run daemon as
    : ${dnscrypt_proxy_resolver_tmp:=opendns}          # resolver to use
    : ${dnscrypt_proxy_pidfile_tmp:=/var/run/${i}.pid} # Path to pid file
    : ${dnscrypt_proxy_logfile_tmp:=/var/log/${i}.log} # Path to log file
    command_args="-d -p ${dnscrypt_proxy_pidfile_tmp} -l ${dnscrypt_proxy_logfile_tmp} -u ${dnscrypt_proxy_uid_tmp} -R ${dnscrypt_proxy_resolver_tmp}"
    pidfile=${dnscrypt_proxy_pidfile_tmp}
    _rc_restart_done=false # workaround for: service dnscrypt-proxy restart
    run_rc_command "$1"
done
ad 2 (dnscrypt-proxy not starting when unbound is already running):
Set Interfaces for Unbound DNS (General-> Network Interfaces) not to "All". If you mean "All" select everything except entries for dnscrypt-proxy.
Thanks for this tutorial. Seems to work for me with OPNsense 17.7.5-amd64.
The only thing I needed to add was the following custom config option to Unbound DNS in order to get the DNS resolver to work:
do-not-query-localhost: no
[EDIT: Added a solution to create a cron job]
[EDIT 2: URL for dnscrypt-resolvers.csv has changed - actions.d corrected.]
One addition from my side:
/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv should be updated regularly. Otherwise dnscrypt lookups will stop working when DNS resolvers change their IP.
A quick and dirty solution might be to set up an individual cron job (e.g. monthly) to update the resolvers list and restart dnscrypt-proxy:
1. Create file /usr/local/opnsense/service/conf/actions.d/actions_dnscrypt.conf with this content:
[update]
command:wget -O /usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v1/dnscrypt-resolvers.csv && /usr/local/etc/rc.d/dnscrypt-proxy restart
parameters:
type:script
message:Updating dnscrypt-resolvers.csv
description: Update dnscrypt-resolvers.csv
2. Restart configd
service configd restart
3. Add new cronjob in WebGui: System -> Settings -> Cron -> + (= add new cron job):
Day of Month: 15 (= start job once in a month on every 15th day)
As command select "Update dnscrypt-resolvers.csv" from drop down list.
Save changes + Apply.
Nicer would be to use a script that is included in the dnscrypt-proxy source package:
https://github.com/jedisct1/dnscrypt-proxy/blob/master/contrib/dnscrypt-update-resolvers.sh.in
Unfortunately I haven't found this script in OPNsense. Maybe it is missing... besides, I am not familiar enough with FreeBSD.
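The cron job above hands whatever wget returns straight to the live dnscrypt-resolvers.csv and then restarts every instance, so a moved URL (which EDIT 2 shows has already happened once) or an HTML error page would take all resolvers down at once. As an added example, not from the thread or the dnscrypt-proxy project, here is a POSIX sh validator that only installs a downloaded list if it looks like one and still contains the resolvers configured in rc.conf; the good and bad files it writes under $TMPDIR are constructed samples, and the CSV header assumes the v1 column layout.

```shell
#!/bin/sh
# Added example: validate a downloaded dnscrypt-resolvers.csv before it replaces
# the live list, instead of "wget -O <live file> && restart". Sample files are
# constructed; the header follows the v1 column layout of the resolver list.
TMP="${TMPDIR:-/tmp}"
GOOD_CSV="$TMP/dnscrypt-resolvers-good.csv"
BAD_CSV="$TMP/dnscrypt-resolvers-bad.csv"
LIVE_CSV="$TMP/dnscrypt-resolvers-live.csv"

# constructed cut-down resolver list, as a successful download would deliver it
cat >"$GOOD_CSV" <<'EOF'
Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
ipredator,IPredator,"Resolver, no logs",Sweden,,https://example.invalid,1,yes,yes,no,192.0.2.1:443,2.dnscrypt-cert.example.invalid,,
dnscrypt.eu-dk,DNSCrypt.eu DK,"Resolver, no logs",Denmark,,https://example.invalid,1,yes,yes,no,192.0.2.2:443,2.dnscrypt-cert.example.invalid,,
EOF

# constructed stand-in for what a moved URL hands back; wget -O writes it anyway
cat >"$BAD_CSV" <<'EOF'
<!DOCTYPE html>
<html><body><h1>404 Not Found</h1></body></html>
EOF

# validate_csv FILE RESOLVER...: 0 if FILE is a non-empty list with the expected
# header and at least one row, and every RESOLVER given is in its Name column
validate_csv() {
    f="$1"; shift
    [ -s "$f" ] || { echo "empty or missing: $f"; return 1; }
    case "$(head -n 1 "$f")" in
        Name,*) ;;
        *) echo "not a resolver list (unexpected header): $f"; return 1 ;;
    esac
    [ "$(tail -n +2 "$f" | grep -c .)" -gt 0 ] || { echo "no resolver rows: $f"; return 1; }
    for r in "$@"; do
        cut -d, -f1 "$f" | grep -qxF -- "$r" || { echo "configured resolver '$r' missing from $f"; return 1; }
    done
    return 0
}

# install_csv NEW LIVE RESOLVER...: copy NEW over LIVE only if NEW validates and
# differs from LIVE. Returns 0 when LIVE changed (restart dnscrypt-proxy), 1 when it
# was left alone (invalid download or identical list, so no restart is needed).
install_csv() {
    new="$1"; live="$2"; shift 2
    validate_csv "$new" "$@" || return 1
    if [ -f "$live" ] && cmp -s "$new" "$live"; then
        return 1
    fi
    cp "$new" "$live"
}

if install_csv "$GOOD_CSV" "$LIVE_CSV" ipredator dnscrypt.eu-dk; then
    echo "list updated, restart dnscrypt-proxy"
fi
if ! install_csv "$BAD_CSV" "$LIVE_CSV" ipredator; then
    echo "download rejected, live list untouched"
fi
```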
Just for the record, if anyone looks at this thread, and for everyone using dnscrypt (and wondering why lookups won't work anymore):
It seems that dnscrypt is abandoned: https://www.reddit.com/r/privacy/comments/7oyw0h/dnscrypt_is_now_abandoned/
Upgraded to 18.1 this morning.
The upgrade went fine, then after reboot no dns. (drill example.com)
Went to System --> Settings --> General and changed everything to 8.8.8.8 and 8.8.4.4 just for a while.
SSH into shell and checked ping and drill, working, followed from first post again.
mv /usr/local/etc/rc.d/dnscrypt-proxy /usr/local/etc/rc.d/dnscrypt-proxy.original
nano /usr/local/etc/rc.d/dnscrypt-proxy
And pasted the same script as in the first post in again:
Make it executable
chmod a+x /usr/local/etc/rc.d/dnscrypt-proxy
Update the resolver list from its new place on GitHub:
wget -O /usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv https://github.com/dyne/dnscrypt-proxy/raw/master/dnscrypt-resolvers.csv
Change the resolvers to the one you want
nano /etc/rc.conf
Mine looks like this:
ddclient_enable="YES"
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_instances="dnscrypt_proxy_1 dnscrypt_proxy_2 dnscrypt_proxy_3"
dnscrypt_proxy_1_resolver="ipredator"
dnscrypt_proxy_1_flags="-a 127.0.0.2:53 -l /var/log/"
dnscrypt_proxy_2_resolver="soltysiak"
dnscrypt_proxy_2_flags="-a 127.0.0.3:53 -l /var/log/"
dnscrypt_proxy_3_resolver="dnscrypt.eu-dk"
dnscrypt_proxy_3_flags="-a 127.0.0.4:53 -l /var/log/"
Then start dnscrypt
service dnscrypt-proxy restart
Lastly I went back to System --> Settings --> General and changed the list back to 127.0.0.2 ; 127.0.0.3 and 127.0.0.4 for the WAN gateway.
Checked to make sure all is working with https://ipleak.net/
Big Thanx to the devs and the people making and improving opnsense.
Hi cake,
Thanks, maybe we want to finally put this into a plugin?
Michael, do you read this? :)
Cheers,
Franco
I noticed I did something wrong because dnscrypt-proxy does not start after reboot. I must type in "service dnscrypt-proxy start" in the shell. Not sure what I did wrong. lol
/etc/rc.conf is root:wheel and not executable (I think that is correct)
If anybody else knows let me know :-) I may just use a cron job @reboot because my skills are poor.
Yes Franco a plugin would be nice. Cheers
Quote from: beclar2 on January 08, 2018, 07:55:50 PM
It seems that dnscrypt is abandoned: https://www.reddit.com/r/privacy/comments/7oyw0h/dnscrypt_is_now_abandoned/
No. DNSCrypt is not abandoned. In fact, DNSCrypt-proxy v2 (https://github.com/jedisct1/dnscrypt-proxy/releases/tag/2.0.0rc3) has been released (written from scratch in Go by the original author of DNS-Crypt proxy, Frank Denis). The new DNS-Crypt v2 supports things like multiple DNS resolvers in a single process and alternate DNS encryption protocols like DNS-over-TLS (used by Quad9), DNS-over-HTTPS (successor to DNS-over-TLS and best acronym award winner, doh!) and DNSCrypt v2 protocol (https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/DNSCRYPT-V2-PROTOCOL.txt).
Anyway it would be great to get an updated tutorial using the new DNS-Crypt proxy.
Also, for anyone that doesn't know, the official DNSCrypt resolver lists are back (and now include a list of v2 protocol resolvers): https://github.com/DNSCrypt/dnscrypt-resolvers
Quote from: cake on February 01, 2018, 12:08:08 AM
I noticed I did something wrong because dnscrypt-proxy does not start after reboot. I must type in "service dnscrypt-proxy start" in the shell. Not sure what I did wrong. lol
/etc/rc.conf is root:wheel and not executable (I think that is correct)
If anybody else knows let me know :-) I may just use a cron job @reboot because my skills are poor.
Cake, did you read this post (https://forum.opnsense.org/index.php?topic=4044.msg25145#msg25145)?
+1 for the plugin :)
Quote from: beclar2 on February 05, 2018, 08:39:04 AM
Quote from: cake on February 01, 2018, 12:08:08 AM
I noticed I did something wrong because dnscrypt-proxy does not start after reboot. I must type in "service dnscrypt-proxy start" in the shell. Not sure what I did wrong. lol
/etc/rc.conf is root:wheel and not executable (I think that is correct)
If anybody else knows let me know :-) I may just use a cron job @reboot because my skills are poor.
Cake, did you read this post (https://forum.opnsense.org/index.php?topic=4044.msg25145#msg25145)?
Thanks, It worked!
I did read your post; I must be getting a little Alzheimer's. So I guess the tutorial in the first post is now a little wrong? I'll try and edit it tomorrow, but it sounds like the whole thing may be out of date, as w2712663 mentions there is an updated version. yay!
Thanks again.
Quote from: franco on January 31, 2018, 07:35:36 AM
Hi cake,
Thanks, maybe we want to finally put this into a plugin?
Michael, do you read this? :)
Cheers,
Franco
Now I read it :D
Still anyone interested in a Plugin? :)
Yep *ducks*
I'd need 1 or better 2-3 productive sample configs
Any news about the plugin?
I'm looking into securing my DNS.
Why would we want a plugin for this while the project itself is dead (or am I wrong)?
It looks like getdns using Stubby is the way to go, right? Please correct me if I'm wrong.
Quote from: marcelmah on October 01, 2018, 11:23:40 AM
I'm looking into securing my DNS.
Why would we want a plugin for this while the project itself is dead (or am I wrong)?
It looks like getdns using Stubby is the way to go, right? Please correct me if I'm wrong.
Seems you're wrong:
https://github.com/jedisct1/dnscrypt-proxy
Last commit 28 days ago ...