Topic: Small annotation to DNSCrypt-Proxy: Configuration - Standalone (Read 1570 times)
fourstone77 (Newbie, Posts: 2, Karma: 0)
« on: February 21, 2022, 11:55:37 am »
Hi,
It took me a while to figure this out, and I thought it might be good to add this to the documentation:
https://docs.opnsense.org/manual/how-tos/dnscrypt-proxy.html
1: If Unbound and all is disabled, it is necessary to enter the DNS server entry manually in the configuration of the DHCP service for the network segment; the automatic entry is disabled.
2: Mention that the option "Allow Privileged Ports" needs to be enabled in DNSCrypt-Proxy if entering :53 to resemble Unbound behavior.
so the section imho could read:
Example: Standalone DNS
You can use the DNSCrypt-Proxy as a full-featured standalone DNS instead of Unbound or Dnsmasq. This setup has the advantage that you do not need a forwarder solution for encrypting DNS requests or the usage of DNSBL.
To do so go to Services->Unbound DNS->General and uncheck Enable. If you are using Dnsmasq go to Services->Dnsmasq DNS->Settings and uncheck Enable. Now change to Services->DNSCrypt-Proxy->Configuration and add your Local LAN IP address to the Listen Address field, e.g. 192.168.2.1:53.
To be able to use Port 53 in DNS-Crypt, check Allow Privileged Ports under Services->DNSCrypt-Proxy->Configuration. With Unbound being disabled, be aware that the DHCP service will no longer provide the IP of the DNS server automatically, so update the DHCP settings after switching to DNSCrypt Standalone.
For IPv6 with dynamic prefixes you can work around this with ::1:53 as Listen Address and add a Port Forward rule, matching all IPv6 UDP traffic, port 53, redirect to ::1.
Optionally you can set :53 to listen on all addresses like the default behaviour in Unbound.
Now you can go on with your configuration task, like choosing which servers to use, privacy policy or caching. Also cloaking (overrides) or DNSBL can be used without any workarounds.
fourstone77 (Newbie, Posts: 2, Karma: 0)
Re: Small annotation to DNSCrypt-Proxy: Configuration - Standalone
« Reply #1 on: February 21, 2022, 12:01:04 pm »
While at it, please also include the information on the Unbound page, because the referenced Custom Config does not exist on newer installations anymore:
https://docs.opnsense.org/manual/unbound.html
--> Bottom of page
This method replaces the Custom options settings in the General page of the Unbound configuration, which was removed in version 21.7.
imho helpful to include this at the top of the DNSCrypt Proxy page, where only "just set this in your Unbound Advanced settings:" might lead to some irritation
Logged
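A pre-flight check for the standalone setup proposed in the first post, as an added example that is not part of the posts or of the OPNsense documentation. The names `parse_listen` and `audit` are hypothetical, the sample settings are constructed, and the code assumes the port is whatever follows the last colon of a Listen Address entry and that `:53` binds both IPv4 and IPv6.

```python
import ipaddress

def parse_listen(entry):
    """Split '192.168.2.1:53', ':53', '::1:53' or '[::1]:53' into (host, port)."""
    host, sep, port = entry.strip().rpartition(":")   # port follows the last colon
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"no valid port in {entry!r}")
    host = host.strip("[]")
    # An empty host means "all addresses"; anything else must be a valid IP.
    return (ipaddress.ip_address(host) if host else None), int(port)

def audit(listen_entries, allow_privileged, dhcp_dns_servers):
    """Return findings for the pitfalls named in the thread (hypothetical helper)."""
    findings, bound, covered = [], set(), set()
    for entry in listen_entries:
        host, port = parse_listen(entry)
        if port < 1024 and not allow_privileged:
            findings.append(f"{entry}: port {port} needs 'Allow Privileged Ports'")
        if host is None:
            covered |= {4, 6}   # assumption: ':53' binds IPv4 and IPv6
            findings.append(f"{entry}: binds every address, WAN included; check firewall rules")
        elif host.is_loopback:
            covered.add(host.version)   # reachable only through the port forward
            findings.append(f"{entry}: loopback only; clients need the port forward rule")
        else:
            bound.add(host)
    if not dhcp_dns_servers:
        findings.append("DHCP: no DNS server entered; it is not filled in automatically")
    for server in dhcp_dns_servers:
        ip = ipaddress.ip_address(server)
        if ip.version not in covered and ip not in bound:
            findings.append(f"DHCP: {server} is not a DNSCrypt-Proxy listen address")
    return findings

# Constructed sample settings, not taken from a real firewall.
if __name__ == "__main__":
    for line in audit(["192.168.2.1:53"], False, []):
        print(line)
```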