Support for Oblivious DNS in DNScrypt

Started by yeraycito, March 05, 2025, 01:23:52 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
March 05, 2025, 01:23:52 AM
DNScrypt supports Cloudflare's DNS under the ODOH protocol and Relay is required to configure them. DNSCrypt Servers and DNS-over-HTTPS Servers can be configured in the DNScrypt interface, but ODOH Servers cannot be configured.
Following this tutorial https://forums.serverbuilds.net/t/guide-adguard-home-unbound-dnscrypt-under-opnsense-part-2/13271 the Cloudflare ODOH DNS with their respective Relays work correctly. The problem is that when restarting Opnsense all modifications are lost and the dnscrypt-proxy.toml file has to be modified again via SSH.

March 05, 2025, 01:29:46 AM #1
In my case I have modified the dnscrypt-proxy.toml file leaving it as follows and it works without problems ..... until Opnsense restarts and stops working.:


# Now i'm using 53530 for Unbound so here I just set 53531
listen_addresses = ['127.0.0.1:5353']

max_clients = 250
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = false
doh_servers = false
odoh_servers = true
require_dnssec = true
require_nolog = true
require_nofilter = false
force_tcp = false
timeout = 2500
keepalive = 30
server_names = ['odoh-cloudflare']

log_level = 2
log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log'
use_syslog = false

cert_refresh_delay = 240
dnscrypt_ephemeral_keys = true
tls_disable_session_tickets = false
ignore_system_dns = true

netprobe_timeout = 30
log_files_max_size = 10
log_files_max_age = 7
log_files_max_backups = 1
# If you want to be sure you don't use IPv6 change this setting to "true"
block_ipv6 = true

forwarding_rules = 'forwarding-rules.txt'
cloaking_rules = 'cloaking-rules.txt'

# Just disable it... Why do you need more caching if you have Unbound?
cache = false

[query_log]
  file = '/var/log/dnscrypt-proxy/query.log'
  format = 'tsv'

[nx_log]
  file = '/var/log/dnscrypt-proxy/nx.log'
  format = 'tsv'

[allowed_names]
  allowed_names_file = 'whitelist.txt'
  log_file = '/var/log/dnscrypt-proxy/whitelisted.log'
  log_format = 'tsv'


[sources]
  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md';, 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''

  ## Anonymized DNS relays

  [sources.'relays']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md';, 'https://download.dnscrypt.info/resolvers-list/v3/relays.md';, 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md';, 'https://download.dnscrypt.net/resolvers-list/v3/relays.md']
  cache_file = 'relays.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''

[anonymized_dns]
routes = [
    { server_name='odoh-cloudflare', via=['odohrelay-ams', 'odohrelay-crypto-sx']}
]

### ODoH (Oblivious DoH) servers and relays ###
  [sources.'odoh-servers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md';, 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md']
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  cache_file = 'odoh-servers.md'
  refresh_delay = 72
  prefix = ''
  [sources.'odoh-relays']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md';, 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md']
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  cache_file = 'odoh-relays.md'
  refresh_delay = 72
  prefix = ''

[static]
March 05, 2025, 01:37:53 AM #2
Print
Go Up Pages1
User actions