Author Topic: DNSCrypt Proxy with 21.7.1 question / Issue  (Read 7313 times)

guest30640

  • Guest
Re: DNSCrypt Proxy with 21.7.1 question / Issue
« Reply #15 on: November 17, 2021, 11:13:25 am »
I have to say this plugin needs updating to the latest builds since at the moment it is not offering (readily accessible) the best that DNSCrypt has in its arsenal...Anonymized DNS!

I do appreciate that this plugin exists but it really does require an update to keep current.

i.e. GUI for

  • Cache sizes
  • Logging options on/off
  • Anonymized DNS servers and settings

By the way my Anonymized settings survive a reboot by:

Just info on location of template: /usr/local/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml


sudo nano dnscrypt-proxy.toml

add...

[anonymized_dns]

routes = [
   { server_name='"', via=['"'] },
   { server_name='"', via=['"', '"'] },
   { server_name='"', via=['"', '"'] }
]

skip_incompatible = true


  ## Anonymized DNS relays

  [sources.'relays']
    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/relays.md']
    cache_file = 'relays.md'
    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
    refresh_delay = 72
    prefix = ''


gpb

Re: DNSCrypt Proxy with 21.7.1 question / Issue
« Reply #16 on: November 17, 2021, 03:29:16 pm »
Quote from: crissi on November 17, 2021, 10:39:17 am
adapted yet the example .toml in the downloaded package. Just to be really sure, it's just the .toml file structure that I have to adapt; the binary file itself in the downloaded package (dnscrypt-proxy) I do not have to copy over to opnsense???

Thank You!

Yes, just the TOML.  So here's basically what I did.

* SSH into opnsense, cd /usr/local/sbin....this is where the binary is located.  Rename the current binary to 205, i.e., mv dnscrypt-proxy dnscrypt-proxy-205

* Copy the new binary from the package you manually downloaded.  You can do this a couple ways, I just used FTP from my pc using filezilla.

* Once copied, make sure it has the same permissions as the original.  I just needed to make it executable (chmod +x dnscrypt-proxy).

* Now that the binary is in place (size is 9027584 bytes), change your directory to /usr/local/etc/dnscrypt-proxy, this is where the current config is.  Rename the current toml to a different name, i.e., mv dnscrypt-proxy.toml dnscrypt-proxy.toml.205.  Now you need the new one here.  Again, several ways to do this.  I opened the editor, nano dnscrypt-proxy.toml, and then copied the contents of the adapted file in windows notepad (or equivalent) and pasted into nano.  Save.  Check permissions and make sure they're the same (ls -l).  I might have changed the group, i.e., chown root:_dnscrypt-proxy dnscrypt-proxy.toml to be like the others in that directory.

* Now the toml is in place, copy the toml to the new temporary name, cp dnscrypt-proxy.toml dnscrypt-proxy-211.toml for example.  This is the file we will point to in the next step.

* Edit the file /usr/local/etc/rc.d/dnscrypt-proxy and near the top you'll see the line that points to the toml.  Edit that line to include the file name you used (i.e., dnscrypt-proxy-211.toml) in order to preserve the setting over a reboot.

* Now you can start the service via the gui or command line using service dnscrypt-proxy start.

* Verify it started and the log reflects this in the gui.  I set mine to listen on port 53000, so I can also verify it's resolving using dig opnsense.org @127.0.0.1 -p 53000.  In pihole, my dns server setting is 192.168.1.1#53000.  The port number is set near the top of the toml in listen_addresses = ['127.0.0.1:53000'].

That should do it, if I missed something or confused, let me know...doing this from memory.
HP T730/AMD  RX-427BB/8GB/500GB SSD
HP NC365T 4-PORT
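
The rename, copy and "same permissions as the original" steps from the post above, as an added shell example that is not part of the thread or of the OPNsense plugin. The function names are hypothetical; the example goes slightly beyond the post by refusing to overwrite an existing backup, rejecting a world-writable result, and rolling back on failure.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of OPNsense or dnscrypt-proxy.

# perm_sig FILE: print "mode uid gid" (e.g. "-rwxr-xr-x 0 0"), parsed from
# ls -ln so it behaves the same on FreeBSD and Linux.
perm_sig() {
    ls -ldn -- "$1" | awk '{ print substr($1, 1, 10), $3, $4 }'
}

# same_perms REF NEW: succeed when NEW has REF's mode, owner and group.
same_perms() {
    [ "$(perm_sig "$1")" = "$(perm_sig "$2")" ]
}

# world_writable FILE: succeed when "others" hold write permission.
world_writable() {
    case "$(perm_sig "$1")" in
        ????????w*) return 0 ;;
    esac
    return 1
}

# replace_keep_backup TARGET NEW BACKUP
# Renames TARGET to BACKUP, recreates TARGET with the backup's metadata
# (cp -p), then overwrites only its contents with NEW. Rolls back on failure.
replace_keep_backup() {
    target=$1 new=$2 backup=$3
    [ -f "$target" ] && [ -f "$new" ] || return 2
    [ -e "$backup" ] && return 3      # never clobber an earlier backup
    mv -- "$target" "$backup" || return 4
    if cp -p -- "$backup" "$target" && cat -- "$new" > "$target" &&
       same_perms "$backup" "$target" && ! world_writable "$target"; then
        return 0
    fi
    mv -f -- "$backup" "$target"      # restore the original
    return 1
}

# Usage on the paths named in the post (run as root on the firewall):
#   replace_keep_backup /usr/local/sbin/dnscrypt-proxy ./dnscrypt-proxy \
#       /usr/local/sbin/dnscrypt-proxy-205
```

Before `service dnscrypt-proxy start`, running `dnscrypt-proxy -config /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy-211.toml -check` parses the new TOML and exits without starting the proxy.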

gpb

Re: DNSCrypt Proxy with 21.7.1 question / Issue
« Reply #17 on: November 17, 2021, 04:06:01 pm »
Quote from: pugs on November 17, 2021, 11:13:25 am
By the way my Anonymized settings survive a reboot by:

Just info on location of template: /usr/local/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml

Good point, that's another option but you may need to redo it on the next upgrade...just make a backup.  I had to tweak the zabbix template a few days ago.  Cheers.
HP T730/AMD  RX-427BB/8GB/500GB SSD
HP NC365T 4-PORT

crissi

Re: DNSCrypt Proxy with 21.7.1 question / Issue
« Reply #18 on: November 17, 2021, 09:23:09 pm »
@gpb Thanks so much for the detailed information, upgraded now to 211, all working as advertised ;D

Now the next days I will test the new features and see how it goes :)

@pugs Thank you too for the hint with the service template

Cheers,
Crissi
