Small annotation to DNSCrypt-Proxy: Configuration - Standalone

Started by fourstone77, February 21, 2022, 11:55:37 AM

Hi,

It took me a while to figure this out, and I thought it might be good to add this to the documentation:
https://docs.opnsense.org/manual/how-tos/dnscrypt-proxy.html

1: If Unbound and all is disabled, it is necessary to enter the DNS server entry manually in the configuration of the DHCP service for the network segment; the automatic entry is disabled.

2: Mention that the option "Allow Privileged Ports" needs to be enabled in DNSCrypt-Proxy if entering :53 to resemble Unbound behavior.

So the section IMHO could read:

Example: Standalone DNS
You can use the DNSCrypt-Proxy as a full-featured standalone DNS instead of Unbound or Dnsmasq. This setup has the advantage that you do not need a forwarder solution for encrypting DNS requests or the usage of DNSBL.

To do so, go to Services->Unbound DNS->General and uncheck Enable. If you are using Dnsmasq, go to Services->Dnsmasq DNS->Settings and uncheck Enable. Now change to Services->DNSCrypt-Proxy->Configuration and add your local LAN IP address to the Listen Address field, e.g. 192.168.2.1:53. To be able to use port 53 in DNSCrypt-Proxy, check Allow Privileged Ports under Services->DNSCrypt-Proxy->Configuration. With Unbound being disabled, be aware that the DHCP service will no longer provide the IP of the DNS server automatically, so update the DHCP settings after switching to DNSCrypt Standalone.

For IPv6 with dynamic prefixes, you can work around this with ::1:53 as Listen Address and add a Port Forward rule, matching all IPv6 UDP traffic, port 53, redirect to ::1.

Optionally you can set :53 to listen on all addresses like the default behaviour in Unbound.

Now you can go on with your configuration task, like choosing which servers to use, privacy policy or caching. Also cloaking (overrides) or DNSBL can be used without any workarounds.


While at it, please also include the information on the Unbound page, because the referenced Custom Config does not exist on newer installations anymore:

https://docs.opnsense.org/manual/unbound.html

--> Bottom of page

This method replaces the Custom options settings in the General page of the Unbound configuration, which was removed in version 21.7.

IMHO helpful to include this at the top of the DNSCrypt-Proxy page, where only "just set this in your Unbound Advanced settings:" might lead to some irritation.