OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: yeraycito on March 05, 2025, 01:23:52 AM

Title: Support for Oblivious DNS in DNScrypt
Post by: yeraycito on March 05, 2025, 01:23:52 AM
DNSCrypt supports Cloudflare's DNS under the ODoH protocol, and a relay is required to configure them. DNSCrypt servers and DNS-over-HTTPS servers can be configured in the DNSCrypt interface, but ODoH servers cannot.
Following this tutorial (https://forums.serverbuilds.net/t/guide-adguard-home-unbound-dnscrypt-under-opnsense-part-2/13271), the Cloudflare ODoH DNS servers with their respective relays work correctly. The problem is that when OPNsense restarts, all modifications are lost and the dnscrypt-proxy.toml file has to be modified again via SSH.

Title: Re: Support for Oblivious DNS in DNScrypt
Post by: yeraycito on March 05, 2025, 01:29:46 AM
In my case I have modified the dnscrypt-proxy.toml file, leaving it as follows, and it works without problems... until OPNsense restarts and it stops working:

# Local listener for dnscrypt-proxy (Unbound runs on its own, separate port)
listen_addresses = ['127.0.0.1:5353']

max_clients = 250
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = false
doh_servers = false
odoh_servers = true
require_dnssec = true
require_nolog = true
require_nofilter = false
force_tcp = false
timeout = 2500
keepalive = 30
server_names = ['odoh-cloudflare']

log_level = 2
log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log'
use_syslog = false

cert_refresh_delay = 240
dnscrypt_ephemeral_keys = true
tls_disable_session_tickets = false
ignore_system_dns = true

netprobe_timeout = 30
log_files_max_size = 10
log_files_max_age = 7
log_files_max_backups = 1
# If you want to be sure you don't use IPv6 change this setting to "true"
block_ipv6 = true

forwarding_rules = 'forwarding-rules.txt'
cloaking_rules = 'cloaking-rules.txt'

# Just disable it... Why do you need more caching if you have Unbound?
cache = false

[query_log]
  file = '/var/log/dnscrypt-proxy/query.log'
  format = 'tsv'

[nx_log]
  file = '/var/log/dnscrypt-proxy/nx.log'
  format = 'tsv'

[allowed_names]
  allowed_names_file = 'whitelist.txt'
  log_file = '/var/log/dnscrypt-proxy/whitelisted.log'
  log_format = 'tsv'


[sources]
  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''

  ## Anonymized DNS relays

  [sources.'relays']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/relays.md']
  cache_file = 'relays.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''

[anonymized_dns]
routes = [
    { server_name='odoh-cloudflare', via=['odohrelay-ams', 'odohrelay-crypto-sx']}
]

### ODoH (Oblivious DoH) servers and relays ###
  [sources.'odoh-servers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md']
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  cache_file = 'odoh-servers.md'
  refresh_delay = 72
  prefix = ''
  [sources.'odoh-relays']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md']
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  cache_file = 'odoh-relays.md'
  refresh_delay = 72
  prefix = ''

[static]
Title: Re: Support for Oblivious DNS in DNScrypt
Post by: yeraycito on March 05, 2025, 01:37:53 AM
Oblivious DoH servers list: https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/odoh-servers.md

Oblivious DoH relays list: https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/odoh-relays.md
Title: Re: Support for Oblivious DNS in DNScrypt
Post by: Janman on April 14, 2025, 06:17:16 PM
I would love to see support for this in the future.
Title: Re: Support for Oblivious DNS in DNScrypt
Post by: OPNenthu on May 15, 2025, 08:17:18 AM
FYI: https://github.com/opnsense/plugins/pull/4374

Edit: Was curious, what encryption protocol does this use between OPNsense and the ODoH relay?

I understand that it's using ODoH between the relay and the server, but is it normal DNSCrypt from OPNsense to the relay? If so, what is gained (privacy-wise) over regular DNSCrypt with an anonymous relay?
Title: Re: Support for Oblivious DNS in DNScrypt
Post by: vpx23 on September 12, 2025, 08:33:45 PM
Quote from: OPNenthu on May 15, 2025, 08:17:18 AM
Edit: Was curious, what encryption protocol does this use between OPNsense and the ODoH relay?

This is explained here: ODoH Message Flow (https://blog.cloudflare.com/oblivious-dns/#odoh-message-flow)

ODoH creates an end-to-end encryption (E2EE) from client to target using Hybrid Public Key Encryption (HPKE). The transport encryption between client and relay, and between relay and target, is regular TLS/HTTPS. So even after the relay decrypts the transport encryption, the query will still be encrypted. And the target doesn't know the real source IP. So the E2EE protects the query from the relay, and the relay protects the source IP from the target (under the premise that relay and target don't collude).

Your second question is answered here: Anonymized DNS vs. ODOH? #2617 (https://github.com/DNSCrypt/dnscrypt-proxy/discussions/2617)
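
The message flow described in the reply above, as an added example that is not code from the forum post, OPNsense, dnscrypt-proxy or Cloudflare: a client encrypts its query to the target's public key, a relay forwards the opaque bytes under its own source address, and the target answers under a key derived from the same exchange. RFC 9180 HPKE is approximated here with the same ingredients (X25519 key agreement, HKDF-SHA256, ChaCha20-Poly1305) but without the RFC's exact key schedule or the ODoH wire format, so it illustrates the layering rather than interoperating with a real ODoH server. The TLS hop to and from the relay is left out on purpose: the point is what the relay can see once TLS is stripped. It assumes the third-party `cryptography` package is installed; the addresses and the query are constructed placeholders.

```python
"""Model of the ODoH layering: client -> relay -> target, with the relay blind to the query."""
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

# Every query uses a fresh ephemeral key, so each AEAD key is used exactly once and a
# fixed nonce is safe here (a real HPKE implementation derives the nonce as well).
NONCE = b"\0" * 12


def _derive(shared: bytes, enc: bytes, target_pub: bytes, label: bytes) -> bytes:
    """HPKE-style key derivation: bind the AEAD key to the DH output and both public keys."""
    info = b"odoh-demo|" + label + b"|" + enc + target_pub
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=info).derive(shared)


class Target:
    """The ODoH target (the resolver). Holds the long-term HPKE key the client encrypts to."""

    def __init__(self) -> None:
        self._sk = X25519PrivateKey.generate()
        self.public_key = self._sk.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
        self.seen_sources: list[str] = []  # who the target believes sent each query

    def handle(self, source_addr: str, enc: bytes, ciphertext: bytes) -> bytes:
        self.seen_sources.append(source_addr)
        shared = self._sk.exchange(X25519PublicKey.from_public_bytes(enc))
        query = ChaCha20Poly1305(_derive(shared, enc, self.public_key, b"query")).decrypt(NONCE, ciphertext, None)
        answer = b"answer-for:" + query  # stand-in for a real DNS response
        return ChaCha20Poly1305(_derive(shared, enc, self.public_key, b"response")).encrypt(NONCE, answer, None)


class Relay:
    """The ODoH relay: forwards opaque bytes and replaces the source address with its own."""

    def __init__(self, addr: str, target: Target) -> None:
        self.addr, self.target = addr, target
        self.observed: list[tuple[str, bytes]] = []  # everything the relay gets to see

    def forward(self, client_addr: str, enc: bytes, ciphertext: bytes) -> bytes:
        # The relay learns who asked and which target is addressed, but not the query itself.
        self.observed.append((client_addr, ciphertext))
        return self.target.handle(self.addr, enc, ciphertext)


def client_query(client_addr: str, relay: Relay, target_pub: bytes, query: bytes) -> bytes:
    """Encrypt `query` end-to-end to the target's key, send it via the relay, decrypt the answer."""
    eph = X25519PrivateKey.generate()  # fresh per query: no linkability between queries
    enc = eph.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    shared = eph.exchange(X25519PublicKey.from_public_bytes(target_pub))
    ct = ChaCha20Poly1305(_derive(shared, enc, target_pub, b"query")).encrypt(NONCE, query, None)
    enc_resp = relay.forward(client_addr, enc, ct)
    return ChaCha20Poly1305(_derive(shared, enc, target_pub, b"response")).decrypt(NONCE, enc_resp, None)


def run_demo() -> dict:
    """Run one query and report what each party saw (constructed addresses and query)."""
    target = Target()
    relay = Relay("relay:203.0.113.7", target)
    query = b"example.com A"
    answer = client_query("client:198.51.100.9", relay, target.public_key, query)
    relay_saw_addr, relay_saw_bytes = relay.observed[0]
    return {
        "answer": answer,
        "relay_saw_client_addr": relay_saw_addr,       # the relay knows the client IP
        "relay_saw_plaintext": query in relay_saw_bytes,  # but never the query
        "target_saw_sources": target.seen_sources,     # the target only sees the relay
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The two observer lists are the whole argument: the relay's record holds the client address and ciphertext only, the target's record holds the relay address only, and the answer still round-trips correctly. Collusion between the two would join those records, which is exactly the premise the reply calls out.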