DNSCrypt Setup - Questions and Issues

[Pocket_Sevens]

Good morning.

I've recently changed my DNS settings to use Cloudfare (moving from OpenDNS).  I've looked at this Wiki entry for setting up DNSCrypt:

https://docs.opnsense.org/manual/how-tos/dnscrypt-proxy.html

Cloudfare has a site that lets you know if you're using Cloudfare's DNS server and if DNS over HTTPS has been set up: https://1.1.1.1/help

For some reason, when I set up DNSCrypt with Unbound for Cloudfare, Cloudfare's help site doesn't recognize my DNS over HTTPS.  If I set up DNSCrypt as a stand-alone DNS, Cloudfare recognizes it and recognizes DNS over HTTPS, but when I reboot my laptop, I no longer have internet access (i.e. DNS doesn't seem to work).

So, I have a few questions to ask anyone who has successfully set up DNSCrypt DNS over HTTPS:

• Can I run DNSCrypt as a stand-alone DNS without Unbound?  Or does DNSCrypt require a DNS forwarder/resolver?
• In Settings > General, do I need to remove any DNS Server settings listed?  Do I need to point back to my Local LAN IP?
• If I decide to use DNSCrypt with Unbound, even though Cloudfare's site might not recognize DoH, how can I tell if it's working?
• I have a number of firewall rules that ensure the DNS servers don't get overridden.  I'm just wondering if any of them could be interfering with my DNSCrypt setup.  Thoughts?

Thank you in advance for any guidance.

[mircolino]

I did try to run DNSCrypt as the only DNS and for the most part it works.
The biggest problem I found was that the DNSCrypt service seemed to start late in the boot-up process, so at every restart, a bunch of services, being without DNS, were not starting correctly.

I ended up removing DNSCrypt and setting up DoT with unbound using the following custom configuration:

server:
tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 2001:4860:4860::8888@853#dns.google

Of course you can replace google servers with cloudflare.

IMHO, DoT offers the same level of security as DoH but with the advantage of being able to filter traffic in the firewall

[Pocket_Sevens]

@mircolino: Thank you for your reply.  I will look into setting up DoT instead.

Question: what other setup did you need to do?  Did you need to point to the DNS servers in Settings > General?  I noticed you're pointing to google at port 853 - did you need to use a different port for DoT?

Sorry for the noob questions.

Thanks.

[Pocket_Sevens]

@mircolino - Sorry, one more question: do I need to remove any of my Firewall rules for port 53?  I have a few firewall and a NAT rule to enforce usage of the preferred DNS.

[mircolino]

what other setup did you need to do?  Did you need to point to the DNS servers in Settings > General?  I noticed you're pointing to google at port 853 - did you need to use a different port for DoT?

Nothing more really. With that custom config you basically force unbound into forwarding mode using DoT over port 853 using google servers.

do I need to remove any of my Firewall rules for port 53?  I have a few firewall and a NAT rule to enforce usage of the preferred DNS.

No, I have similar rules. You can do port forward 53 and 853 to force "stray" devices on your network to resolve through unbound/DoT

PS: But unfortunately you cannot stop/forward a device using DoH.