HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6

[cake]

This is great! Many thanks to the dev mimugmail (m.muenz@gmail.com) and for the tutorial!
I had a little trouble with it not starting when I entered some dns servers in the list at https://dnscrypt.info/public-servers/
I ended up looking at the log located in

Code: [Select]

cat /var/log/dnscrypt-proxy/dnscrypt-proxy.log and choosing 3 of the resolvers that worked. I am wondering if one of the resolvers goes down, will this stop dnsproxy from starting at boot?

I went a different route from the tutorial in first post, I set up a Virtual IP in Firewall --> Virtual IP
I used: IP Alias | loopback | 127.0.0.2
Then configured the DNSCrypt plugin to use 127.0.0.2:53 (and deleted the default ones)
Lastly I headed over to  System --> Settings --> General and put 127.0.0.2 in the in the DNS Server box.

My test at https://www.dnsleaktest.com showed my dns queries are using dnscrypt. :-)

One feature request is to be able edit the verb for the log and also to show the log in the GUI.
Thanks again for this plugin!

[mimugmail]

Log in the UI is already under review, perhaps with 19.1.
The default behavior is to use the fastest two servers, and it checks every hour which one is the fastest, so no problem

[p1n0ck10]

I had a little trouble with it not starting when I entered some dns servers in the list at
I ended up looking at the log located in

Code: [Select]

cat /var/log/dnscrypt-proxy/dnscrypt-proxy.log and choosing 3 of the resolvers that worked. I am wondering if one of the resolvers goes down, will this stop dnsproxy from starting at boot?

Lastly I headed over to  System --> Settings --> General and put 127.0.0.2 in the in the DNS Server box.

One feature request is to be able edit the verb for the log and also to show the log in the GUI.

Thanks again for this plugin!

I only recommend unbound and dnscrypt in this way what i wrote because i'm not a fan to have to many DNS-resolver between clients and internet. makes little bit difficult to solve dns errors. i have testet many DNS-resolver from the public list  https://dnscrypt.info/public-servers/
The best way is to use the automatic option because the fastest and a pool of random servers is used. If you use the manuell configuration of servers i only recommend cloudflare and cisco (opendns) because these are dnsproviders with bigger infrastructure behind the szene. Cisco (opendns) has the disadvantage thats not using DNSSEC.
The best DNS results on https://cmdns.dev.dns-oarc.net i achieved with cloudflare.

I don't know why you using 127.0.0.2 in the configuration of system/settings/general. In my opinion opnsense uses localhost as default dns-resolver. The dns-resolver in system/settings/general is normally configured with external dns resolver. that job makes dnscrypt. in my configuration is the way.
opnsense => localhost = unbound => forwarding mode to dnscrypt. thats it

Good too hear that the log is coming to the GUI 

[malkovich78]

Hi,

After reading all configuration guides for dnscrypt-proxy plugin and several testing I wasn't able to make it work with unbound, only with dnsmaq and dnscrypt-proxy instance running on 127.0.0.2:53 and 127.0.0.2 as the only dns server on System-> settings; but with this configuration I found a problem because on boot dnsmasq is started before dnscrypt-proxy so system can't resove domains. Creating an script to start dnscrypt-proxy before dnsmasq at boot time finally solved it.
I hope this info may be useful to others.

Regards.

[zaggynl]

I'm running into the same issue.
I can enable and start Unbound but it will not start after adding Advanced Settings part per: https://wiki.opnsense.org/manual/how-tos/dnscrypt-proxy.html

Code: [Select]

do-not-query-localhost: no
forward-zone:
name: "."
forward-addr: 127.0.0.1@5353
No error messages appear in webui or log.
I can start unbound from shell with -d -v, it shows no errors at that time in shell or in ui log.

Goal is to forward incoming requests to my pihole VM, which should get its DNS replies from dnscrypt on opnsense.

[franco]

I'm guessing same Unbound problem as Bind has:

> When you are using Overrides in Unbound you can not use ``do-not-query-localhost``.


Cheers,
Franco

[zaggynl]

I'm guessing same Unbound problem as Bind has:

> When you are using Overrides in Unbound you can not use ``do-not-query-localhost``.


Cheers,
Franco

Thanks for the reply, I have a number of Overrides, after removing the do-not-query-localhost line Unbound starts!

[mimugmail]

Overrides can also be done via dnscrypt-proxy if you need them. Also Adblocking is now available vial the plugin itself.

[zaggynl]

Overrides can also be done via dnscrypt-proxy if you need them. Also Adblocking is now available vial the plugin itself.

Thanks.
Had a look at using dnscrypt-proxy alone but the webui of pihole proved to be more featured.

[mimugmail]

Indeed

[p1n0ck10]

Hi All,

strange. I have 1 entry in the Host Override in Unbound and have no issues with "do-not-query-localhost: no"

great that DNSBL is implemented in the dnycrypt proxy. thanks mimugmail 

[cake]

Does anybody get server timeouts after a few days or so?  I start dnscrypt and after a couple days most servers are timeout according to the log. Not sure how to investigate. Maybe I start with making the log more verbose?

[mimugmail]

But does it switch to other ones?

[cake]

Yes it does switch, maybe I have a setting wrong or some other configuration.
Here is a bit of a log, you can see at first 3 have a timeout, and 6 hours later 11 servers are timeout.

Code: [Select]

[2019-04-18 19:56:57] [NOTICE] Source [public-resolvers.md] loaded
[2019-04-18 19:56:57] [NOTICE] dnscrypt-proxy 2.0.19
[2019-04-18 19:56:57] [NOTICE] Loading the set of whitelisting rules from [whitelist.txt]
[2019-04-18 19:56:57] [NOTICE] Loading the set of blocking rules from [blacklist.txt]
[2019-04-18 19:56:57] [NOTICE] Loading the set of cloaking rules from [cloaking-rules.txt]
[2019-04-18 19:56:57] [NOTICE] Loading the set of forwarding rules from [forwarding-rules.txt]
[2019-04-18 19:56:57] [NOTICE] Now listening to 127.0.0.2:53 [UDP]
[2019-04-18 19:56:57] [NOTICE] Now listening to 127.0.0.2:53 [TCP]
[2019-04-18 19:56:57] [NOTICE] Now listening to 192.168.44.4:53 [UDP]
[2019-04-18 19:56:57] [NOTICE] Now listening to 192.168.44.4:53 [TCP]
[2019-04-18 19:56:58] [NOTICE] [arvind-io] OK (crypto v2) - rtt: 256ms
[2019-04-18 19:56:58] [NOTICE] [bottlepost-dns-nl] OK (crypto v2) - rtt: 286ms
[2019-04-18 19:57:00] [NOTICE] [charis] TIMEOUT
[2019-04-18 19:57:00] [NOTICE] [cpunks-ru] OK (crypto v1) - rtt: 313ms
[2019-04-18 19:57:01] [NOTICE] [cs-ch] OK (crypto v2) - rtt: 312ms
[2019-04-18 19:57:01] [NOTICE] [cs-swe] OK (crypto v2) - rtt: 293ms
[2019-04-18 19:57:01] [NOTICE] [cs-nl] OK (crypto v2) - rtt: 213ms
[2019-04-18 19:57:01] [NOTICE] [cs-nl2] OK (crypto v2) - rtt: 169ms
[2019-04-18 19:57:02] [NOTICE] [cs-fi] OK (crypto v2) - rtt: 200ms
[2019-04-18 19:57:02] [NOTICE] [cs-pl] OK (crypto v2) - rtt: 295ms
[2019-04-18 19:57:02] [NOTICE] [cs-dk] OK (crypto v2) - rtt: 206ms
[2019-04-18 19:57:02] [NOTICE] [cs-it] OK (crypto v2) - rtt: 170ms
[2019-04-18 19:57:02] [NOTICE] [cs-fr] OK (crypto v2) - rtt: 158ms
[2019-04-18 19:57:03] [NOTICE] [cs-fr2] OK (crypto v2) - rtt: 160ms
[2019-04-18 19:57:03] [NOTICE] [cs-pt] OK (crypto v2) - rtt: 211ms
[2019-04-18 19:57:03] [NOTICE] [cs-hk] OK (crypto v2) - rtt: 361ms
[2019-04-18 19:57:03] [NOTICE] [cs-ro] OK (crypto v2) - rtt: 191ms
[2019-04-18 19:57:03] [NOTICE] [cs-mo] OK (crypto v2) - rtt: 205ms
[2019-04-18 19:57:04] [NOTICE] [cs-lv] OK (crypto v2) - rtt: 202ms
[2019-04-18 19:57:04] [NOTICE] [cs-uk] OK (crypto v2) - rtt: 165ms
[2019-04-18 19:57:04] [NOTICE] [cs-de] OK (crypto v2) - rtt: 162ms
[2019-04-18 19:57:04] [NOTICE] [cs-de2] OK (crypto v2) - rtt: 169ms
[2019-04-18 19:57:04] [NOTICE] [cs-ca] OK (crypto v2) - rtt: 218ms
[2019-04-18 19:57:05] [NOTICE] [cs-ca2] OK (crypto v2) - rtt: 291ms
[2019-04-18 19:57:05] [NOTICE] [cs-usny] OK (crypto v2) - rtt: 274ms
[2019-04-18 19:57:05] [NOTICE] [cs-usil] OK (crypto v2) - rtt: 274ms
[2019-04-18 19:57:05] [NOTICE] [cs-usnv] OK (crypto v2) - rtt: 216ms
[2019-04-18 19:57:08] [NOTICE] [cs-uswa] TIMEOUT
[2019-04-18 19:57:08] [NOTICE] [cs-usdc] OK (crypto v2) - rtt: 264ms
[2019-04-18 19:57:08] [NOTICE] [cs-ustx] OK (crypto v2) - rtt: 242ms
[2019-04-18 19:57:08] [NOTICE] [cs-usga] OK (crypto v2) - rtt: 250ms
[2019-04-18 19:57:09] [NOTICE] [cs-usnc] OK (crypto v2) - rtt: 258ms
[2019-04-18 19:57:09] [NOTICE] [cs-usca] OK (crypto v2) - rtt: 209ms
[2019-04-18 19:57:09] [NOTICE] [cs-usor] OK (crypto v2) - rtt: 272ms
[2019-04-18 19:57:09] [NOTICE] [d0wn-is-ns2] OK (crypto v1) - rtt: 235ms
[2019-04-18 19:57:10] [NOTICE] [d0wn-tz-ns1] OK (crypto v1) - rtt: 392ms
[2019-04-18 19:57:10] [NOTICE] [de.dnsmaschine.net] OK (crypto v2) - rtt: 204ms
[2019-04-18 19:57:10] [NOTICE] [dnscrypt.ca-1] OK (crypto v2) - rtt: 297ms
[2019-04-18 19:57:11] [NOTICE] [dnscrypt.ca-2] OK (crypto v2) - rtt: 288ms
[2019-04-18 19:57:11] [NOTICE] [dnscrypt.eu-dk] OK (crypto v2) - rtt: 205ms
[2019-04-18 19:57:11] [NOTICE] [dnscrypt.eu-nl] OK (crypto v1) - rtt: 301ms
[2019-04-18 19:57:11] [NOTICE] [dnscrypt.me] OK (crypto v2) - rtt: 180ms
[2019-04-18 19:57:11] [NOTICE] [dnscrypt.nl-ns0] OK (crypto v2) - rtt: 196ms
[2019-04-18 19:57:12] [NOTICE] [dnscrypt.uk-ipv4] OK (crypto v2) - rtt: 282ms
[2019-04-18 19:57:12] [NOTICE] [ev-va] OK (crypto v2) - rtt: 274ms
[2019-04-18 19:57:12] [NOTICE] [ev-to] OK (crypto v2) - rtt: 270ms
[2019-04-18 19:57:12] [NOTICE] [freetsa.org] OK (crypto v1) - rtt: 256ms
[2019-04-18 19:57:13] [NOTICE] [ibksturm] OK (crypto v2) - rtt: 453ms
[2019-04-18 19:57:13] [NOTICE] [ipredator] OK (crypto v1) - rtt: 194ms
[2019-04-18 19:57:13] [NOTICE] [opennic-ethservices] OK (crypto v1) - rtt: 261ms
[2019-04-18 19:57:14] [NOTICE] [opennic-ethservices2] OK (crypto v1) - rtt: 259ms
[2019-04-18 19:57:14] [NOTICE] [opennic-luggs] OK (crypto v1) - rtt: 284ms
[2019-04-18 19:57:14] [NOTICE] [opennic-luggs2] OK (crypto v1) - rtt: 287ms
[2019-04-18 19:57:14] [NOTICE] [publicarray-au] OK (crypto v2) - rtt: 176ms
[2019-04-18 19:57:17] [NOTICE] [qag.me] TIMEOUT
[2019-04-18 19:57:17] [NOTICE] [quad9-dnscrypt-ip4-nofilter-pri] OK (crypto v1) - rtt: 160ms
[2019-04-18 19:57:17] [NOTICE] [quad9-dnscrypt-ip4-nofilter-alt] OK (crypto v1) - rtt: 158ms
[2019-04-18 19:57:19] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-18 19:57:19] [NOTICE] [scaleway-fr] OK (crypto v2) - rtt: 162ms
[2019-04-18 19:57:19] [NOTICE] [securedns] OK (crypto v1) - rtt: 284ms
[2019-04-18 19:57:20] [NOTICE] [soltysiak] OK (crypto v1) - rtt: 280ms
[2019-04-18 19:57:20] [NOTICE] [suami] OK (crypto v2) - rtt: 161ms
[2019-04-18 19:57:20] [NOTICE] [trashvpn.de] OK (crypto v2) - rtt: 169ms
[2019-04-18 19:57:20] [NOTICE] [ventricle.us] OK (crypto v2) - rtt: 275ms
[2019-04-18 19:57:22] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-18 19:57:22] [NOTICE] [opennic-R4SAS] OK (crypto v2) - rtt: 191ms
[2019-04-18 19:57:22] [NOTICE] Server with the lowest initial latency: cs-fr (rtt: 158ms)
[2019-04-18 19:57:22] [NOTICE] dnscrypt-proxy is ready - live servers: 61
[2019-04-18 20:57:25] [NOTICE] [charis] TIMEOUT
[2019-04-18 20:57:31] [NOTICE] [cs-uswa] OK (crypto v2) - rtt: 289ms
[2019-04-18 20:57:40] [NOTICE] [qag.me] TIMEOUT
[2019-04-18 20:57:42] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-18 20:57:46] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-18 20:58:01] [NOTICE] Server with the lowest initial latency: cs-fr (rtt: 158ms)
[2019-04-18 21:58:04] [NOTICE] [charis] TIMEOUT
[2019-04-18 21:58:18] [NOTICE] [qag.me] TIMEOUT
[2019-04-18 21:58:20] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-18 21:58:24] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-18 21:58:39] [NOTICE] Server with the lowest initial latency: cs-fr (rtt: 158ms)
[2019-04-18 22:58:42] [NOTICE] [charis] TIMEOUT
[2019-04-18 22:58:57] [NOTICE] [qag.me] TIMEOUT
[2019-04-18 22:58:59] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-18 22:59:02] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-18 22:59:17] [NOTICE] Server with the lowest initial latency: scaleway-fr (rtt: 159ms)
[2019-04-18 23:59:19] [NOTICE] [charis] TIMEOUT
[2019-04-18 23:59:25] [NOTICE] [cs-lv] TIMEOUT
[2019-04-18 23:59:27] [NOTICE] [cs-de] TIMEOUT
[2019-04-18 23:59:38] [NOTICE] [qag.me] TIMEOUT
[2019-04-18 23:59:40] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-18 23:59:44] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-18 23:59:50] [NOTICE] [cs-lv] TIMEOUT
[2019-04-18 23:59:52] [NOTICE] [cs-de] TIMEOUT
[2019-04-19 00:00:02] [NOTICE] Server with the lowest initial latency: cs-fr2 (rtt: 158ms)
[2019-04-19 01:00:05] [NOTICE] [charis] TIMEOUT
[2019-04-19 01:00:10] [NOTICE] [cs-lv] TIMEOUT
[2019-04-19 01:00:12] [NOTICE] [cs-de] TIMEOUT
[2019-04-19 01:00:16] [NOTICE] [cs-uswa] TIMEOUT
[2019-04-19 01:00:25] [NOTICE] [qag.me] TIMEOUT
[2019-04-19 01:00:27] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-19 01:00:30] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-19 01:00:37] [NOTICE] [cs-lv] TIMEOUT
[2019-04-19 01:00:39] [NOTICE] [cs-de] TIMEOUT
[2019-04-19 01:00:51] [NOTICE] [cs-uswa] TIMEOUT
[2019-04-19 01:00:51] [NOTICE] Server with the lowest initial latency: cs-fr2 (rtt: 158ms)
[2019-04-19 02:00:54] [NOTICE] [charis] TIMEOUT
[2019-04-19 02:01:00] [NOTICE] [cs-lv] TIMEOUT
[2019-04-19 02:01:02] [NOTICE] [cs-de] TIMEOUT
[2019-04-19 02:01:05] [NOTICE] [cs-uswa] TIMEOUT
[2019-04-19 02:01:12] [NOTICE] [ibksturm] TIMEOUT
[2019-04-19 02:01:16] [NOTICE] [qag.me] TIMEOUT
[2019-04-19 02:01:18] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-19 02:01:22] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-19 02:01:28] [NOTICE] [cs-lv] TIMEOUT
[2019-04-19 02:01:30] [NOTICE] [cs-de] TIMEOUT
[2019-04-19 02:01:42] [NOTICE] [cs-uswa] TIMEOUT

[thg0432]

is it possible to have dnscrypt have a different set of DNS server(s) for an ip range?