Support for Oblivious DNS in DNScrypt

Started by yeraycito, March 05, 2025, 01:23:52 AM

DNSCrypt supports Cloudflare's DNS under the ODoH protocol, and a relay is required to configure them. DNSCrypt servers and DNS-over-HTTPS servers can be configured in the DNSCrypt interface, but ODoH servers cannot be configured.
Following this tutorial https://forums.serverbuilds.net/t/guide-adguard-home-unbound-dnscrypt-under-opnsense-part-2/13271 the Cloudflare ODoH DNS with their respective relays work correctly. The problem is that when restarting OPNsense all modifications are lost and the dnscrypt-proxy.toml file has to be modified again via SSH.


In my case I have modified the dnscrypt-proxy.toml file, leaving it as follows, and it works without problems... until OPNsense restarts and it stops working:


# Now i'm using 53530 for Unbound so here I just set 53531
listen_addresses = ['127.0.0.1:5353']

max_clients = 250
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = false
doh_servers = false
odoh_servers = true
require_dnssec = true
require_nolog = true
require_nofilter = false
force_tcp = false
timeout = 2500
keepalive = 30
server_names = ['odoh-cloudflare']

log_level = 2
log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log'
use_syslog = false

cert_refresh_delay = 240
dnscrypt_ephemeral_keys = true
tls_disable_session_tickets = false
ignore_system_dns = true

netprobe_timeout = 30
log_files_max_size = 10
log_files_max_age = 7
log_files_max_backups = 1
# If you want to be sure you don't use IPv6 change this setting to "true"
block_ipv6 = true

forwarding_rules = 'forwarding-rules.txt'
cloaking_rules = 'cloaking-rules.txt'

# Just disable it... Why do you need more caching if you have Unbound?
cache = false

[query_log]
  file = '/var/log/dnscrypt-proxy/query.log'
  format = 'tsv'

[nx_log]
  file = '/var/log/dnscrypt-proxy/nx.log'
  format = 'tsv'

[allowed_names]
  allowed_names_file = 'whitelist.txt'
  log_file = '/var/log/dnscrypt-proxy/whitelisted.log'
  log_format = 'tsv'


[sources]
  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''

  ## Anonymized DNS relays

  [sources.'relays']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/relays.md']
  cache_file = 'relays.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''

[anonymized_dns]
routes = [
    { server_name='odoh-cloudflare', via=['odohrelay-ams', 'odohrelay-crypto-sx']}
]

### ODoH (Oblivious DoH) servers and relays ###
  [sources.'odoh-servers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md']
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  cache_file = 'odoh-servers.md'
  refresh_delay = 72
  prefix = ''
  [sources.'odoh-relays']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md']
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  cache_file = 'odoh-relays.md'
  refresh_delay = 72
  prefix = ''

[static]


I would love to see support for this in the future.

May 15, 2025, 08:17:18 AM #4 Last Edit: May 15, 2025, 08:29:53 AM by OPNenthu
FYI: https://github.com/opnsense/plugins/pull/4374

Edit: Was curious, what encryption protocol does this use between OPNsense and the ODoH relay?

I understand that it's using ODoH between the relay and the server, but is it normal DNSCrypt from OPNsense to relay? If so, what is gained (privacy wise) over regular DNSCrypt with Anonymous relay?