DNScrypt supports Cloudflare's DNS under the ODOH protocol and Relay is required to configure them. DNSCrypt Servers and DNS-over-HTTPS Servers can be configured in the DNScrypt interface, but ODOH Servers cannot be configured.
Following this tutorial https://forums.serverbuilds.net/t/guide-adguard-home-unbound-dnscrypt-under-opnsense-part-2/13271 the Cloudflare ODOH DNS with their respective Relays work correctly. The problem is that when restarting Opnsense all modifications are lost and the dnscrypt-proxy.toml file has to be modified again via SSH.
In my case I have modified the dnscrypt-proxy.toml file leaving it as follows and it works without problems ..... until Opnsense restarts and stops working.:
# Now i'm using 53530 for Unbound so here I just set 53531
listen_addresses = ['127.0.0.1:5353']
max_clients = 250
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = false
doh_servers = false
odoh_servers = true
require_dnssec = true
require_nolog = true
require_nofilter = false
force_tcp = false
timeout = 2500
keepalive = 30
server_names = ['odoh-cloudflare']
log_level = 2
log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log'
use_syslog = false
cert_refresh_delay = 240
dnscrypt_ephemeral_keys = true
tls_disable_session_tickets = false
ignore_system_dns = true
netprobe_timeout = 30
log_files_max_size = 10
log_files_max_age = 7
log_files_max_backups = 1
# If you want to be sure you don't use IPv6 change this setting to "true"
block_ipv6 = true
forwarding_rules = 'forwarding-rules.txt'
cloaking_rules = 'cloaking-rules.txt'
# Just disable it... Why do you need more caching if you have Unbound?
cache = false
[query_log]
file = '/var/log/dnscrypt-proxy/query.log'
format = 'tsv'
[nx_log]
file = '/var/log/dnscrypt-proxy/nx.log'
format = 'tsv'
[allowed_names]
allowed_names_file = 'whitelist.txt'
log_file = '/var/log/dnscrypt-proxy/whitelisted.log'
log_format = 'tsv'
[sources]
[sources.'public-resolvers']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
cache_file = 'public-resolvers.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 72
prefix = ''
## Anonymized DNS relays
[sources.'relays']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/relays.md']
cache_file = 'relays.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 72
prefix = ''
[anonymized_dns]
routes = [
{ server_name='odoh-cloudflare', via=['odohrelay-ams', 'odohrelay-crypto-sx']}
]
### ODoH (Oblivious DoH) servers and relays ###
[sources.'odoh-servers']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md']
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
cache_file = 'odoh-servers.md'
refresh_delay = 72
prefix = ''
[sources.'odoh-relays']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md']
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
cache_file = 'odoh-relays.md'
refresh_delay = 72
prefix = ''
[static]
Oblivious DoH servers list: https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/odoh-servers.md
Oblivious DoH relays list: https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/odoh-relays.md
I would love to see support for this in the future.
FYI: https://github.com/opnsense/plugins/pull/4374
Edit: Was curious, what encryption protocol does this use between OPNsense and the ODoH relay?
I understand that it's using ODoH between the relay and the server, but is it normal DNSCrypt from OPNsense to relay? If so, what is gained (privacy wise) over regular DNSCrypt with Anonymous relay?