DNSCrypt Proxy with 21.7.1 question / Issue

Started by crissi, August 09, 2021, 03:04:29 PM

Hi @mimugmail.

thanks a lot for the DNSCrypt Proxy Plugin. I have some questions / issues regarding the Plugin.

1. I saw in the actual dnscrypt-proxy.toml that the sources url points to github v2. But when I check the example dnscrypt-proxy.toml file, there are the correct actual links to v3. How to fix this?

[sources]
  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''

2. I tried to test the anonymized dns, unfortunately there is no option to set it in the GUI yet. Could this be implemented? That would be awesome.

So when I tested it, I copied the following snippet into the .toml

[anonymized_dns]

routes = [
   { server_name='server-example1', via=['anon-server1', 'anon-server2'] }
]

skip_incompatible = false


After this I checked the log, and it was working perfectly. But when I restarted the FW, the manually adapted configuration in the .toml file was missing. How can I make my manual adaptations in the .toml file persistent, so they survive a reboot?


Thx
BR
Cheers,
Crissi


Thanks, that would be great. Have a nice holiday!

Cheers,
Crissi

Hello mimugmail,

did you already have time to fix it?

Thx
best regards

Cheers,
Crissi



Will this update allow configuration of anonymized dns via the gui? I have anonymized dns working by using the cmd line config file but think this is likely to be overwritten in future releases(?)

I'd also point out that this feature is a pretty big part of DNSCrypt, since not many other DNS resolvers/forwarders allow anonymized IP and that really sets this apart.

October 22, 2021, 04:41:25 PM #7 Last Edit: October 27, 2021, 05:27:45 PM by gpb
@mimugmail - I recently started using the Dnscrypt-proxy package on opnsense, previously it was on another server.  Firstly, thanks for maintaining this! 

If it's easy enough, can the restrictions for min and max ttl for caching be removed or set way higher?  Currently the value for min ttl is 1 hour (3600) but I prefer to use a much higher value (24 hours at present).  In the Dnscrypt-proxy code there doesn't appear to be any restriction on these values, (long int).  Currently I've edited the restriction out to verify I wouldn't have any problems...it's working great.  I mentioned this on github, but no indication you saw it there.

Also, I copied the 2.1.1 executable over the current opnsense package version.  It required some manual updates to the toml config file because of changes made in 2.1.1.  Otherwise, it's also been working without issue for the past week.

Cheers!

Edit: Would also be great to have an option to disable query and nxdomain logging...save some writes on the SSD.  :)
HP T730/AMD  RX-427BB/8GB/500GB SSD
HP NC365T 4-PORT

Quote from: mimugmail on September 03, 2021, 03:27:22 PM
There is a PR in the pipeline, yes. Maybe 21.7.3 will have it

Hello @mimugmail

Do you think in 21.7.5 the changes can be done?

Thx!
Cheers,
Crissi

October 27, 2021, 05:41:52 PM #9 Last Edit: October 27, 2021, 08:22:05 PM by gpb
@crissi, you probably know this but just in case, to persist the changes I'm not sure how BUT if you just make a backup of the toml file then you can restore it and restart dnscrypt-proxy with the command line dnscrypt-proxy -system restart...at least that's what I did this morning post system update.  You can also replace the binary with 2.1.1 if you haven't already and it works fine but it does have a couple changes in the config (I can highlight those if you need that because it's hard to find in the docs...might save you some searching).  Actually, their example outlines it perfectly...basically they are now using brackets around certain parameters in the toml...for anyone curious.

I actually was looking into how to add the changes to the config but I think either way they'll get lost with the next update.

Edit: clarification...and link.

https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml

Hi @gpb,

thanks for the information and the workaround! I have DNSCrypt Proxy installed on my Pi, it works great, but I would like to permanently move this task to OPNsense. Yes, the restore of the .toml backup and restart of the service works, but imho there should be a more permanent solution without tampering with the files.. and if information is changed, it should survive a reboot of the firewall..

@mimugmail when could the changes be implemented in DNSCrypt Proxy Plugin?

Thx!
Cheers,
Crissi

November 14, 2021, 07:34:39 PM #11 Last Edit: November 14, 2021, 10:40:15 PM by gpb
I had mine running on two Rpi-4's, then thought I'd give it a try on opnsense where they could share a cache (pi-holes running on each as well).  So I'm mostly interested in the caching feature and so they can share a single cache now.  I was surprised to see better latency results on opnsense.

I was expecting 2.1.1 (still 2.0.45) in the latest but the UI would need an update or the templates to generate the config.  Maybe you saw, but there's a contributor on github that rewrote the entire thing and he sort of got shot down due to time/effort issues.  Hopefully some of those features make it in.  Here's the link.

https://github.com/opnsense/plugins/pull/2543

Edit: Was poking around a bit and found a way to let dnscrypt-proxy survive a reboot and start as normal.  Put your config from your pi here with a different name, I named my file: "/usr/local/etc/dnscrypt-proxy/dnscrypt-proxy-gpb.toml".  Then I made a change in "/usr/local/etc/rc.d/dnscrypt-proxy" where you can specify the toml file you want dnscrypt-proxy to read when it starts.  That survives a reboot.  So, yeah I agree, I hate doing this but while you're waiting for the official you can test your changes.  If you're like me, install nano (pkg install nano) and you're good to go.  :)  Cheers.

Indeed, I can also confirm the latency results on opnsense are much better...
Thanks for sharing the workaround, this would be perfect if I could get this to work for further testing, without scrambling my opnsense..;D

I have some comprehension questions regarding your previous information:

Quote: Also, I copied the 2.1.1 executable over the current opnsense package version.

Where exactly did you copy / extract the package content https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.1.1/dnscrypt-proxy-freebsd_amd64-2.1.1.tar.gz in OPNsense?

Quote: It required some manual updates to the toml config file because of changes made in 2.1.1

I compared my Raspi .toml file with the example https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml , unfortunately I can't find the difference regarding the brackets. Can you please point me in the right direction?

Thanks a Lot!
Cheers,
Crissi

November 16, 2021, 05:13:00 PM #13 Last Edit: November 16, 2021, 05:14:48 PM by gpb
Yes, that's where I got the binary.  Easiest to just use their sample toml (in the download) and put your changes into it and then of course save it to the new name (not the default name since that will get overwritten when opnsense reboots). 

Brackets are now wrapped around the server list and bootstrap servers (previously called fallback servers).  Again, easiest to just refer to their included sample in the download.  One note, I attempted to ftp the toml file from my pc to that folder and that didn't work...couldn't get dnscrypt to start.  What I ended up doing was editing the file on the pc, then selected all and pasted into a new nano file on opnsense and save there.  Hope that helps.

Edit: you could also make the changes on your rpi to verify and then move that file to opnsense...assuming you have 2.1.1 on your rpi.

I have now adapted the example .toml in the downloaded package. Just to be really sure, it's just the .toml file structure that I have to adapt; the binary file itself in the downloaded package (dnscrypt-proxy) I don't have to copy over to opnsense???

Thank You!
Cheers,
Crissi