Multiple dnscrypt-proxy Opnsense 16.7 / 17.1 / 17.7 / 18.1 :-)

[cake]

Hi I'm cake, I wanted multiple dnscrypt-proxy instances for reliability. I like dnscrypt because it eliminates your ISP from keeping a log of all your travels. Some of the dnscrypt providers are not 100 percent uptime, some discontinue, etc. This is for redundancy.  I don't take credit for any of the following, just gathering it all together in one spot for Opnsense 16.7.

So in the terminal-

Code: [Select]

pkg install dnscrypt-proxy
pkg install nano
I got this next script from https://forums.freebsd.org/threads/48250/

Code: [Select]

mv /usr/local/etc/rc.d/dnscrypt-proxy /usr/local/etc/rc.d/dnscrypt-proxy.original
nano /usr/local/etc/rc.d/dnscrypt-proxy
Paste this in: (credit to arabesc)

Code: [Select]

#!/bin/sh
#
# $FreeBSD: head/dns/dnscrypt-proxy/files/dnscrypt-proxy.in 373758 2014-12-02 09:21:49Z xmj $
#
# PROVIDE: dnscrypt_proxy
# REQUIRE: SERVERS cleanvar
# BEFORE: named local_unbound unbound
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf to enable dnscrypt-proxy:
#
# dnscrypt_proxy_instances (str): Set to "dnscrypt_proxy" by default.
#  List of dnscrypt_proxy instance id's,
#  e.g. "dnscrypt_proxy_1 dnscrypt_proxy_2", etc.
# {instance_id}_enable (bool):  Set to NO by default.
#  Set to YES to enable dnscrypt-proxy.
# {instance_id}_uid (str):  Set to "_dnscrypt-proxy" by default.
#      User to switch to after starting.
# {instance_id}_resolver (str):  Set to "opendns" by default.
#      Choose a different upstream resolver.
# {instance_id}_pidfile (str):  default: "/var/run/dnscrypt-proxy.pid"
#      Location of pid file.
# {instance_id}_logfile (str):    default: "/var/log/dnscrypt-proxy.log"
#  Location of log file.
#
# To redirect a local resolver through dnscrypt-proxy, point it at 127.0.0.2
# and add the following to rc.conf:
# ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
# dnscrypt_proxy_flags='-a 127.0.0.2'

. /etc/rc.subr

name=dnscrypt_proxy

load_rc_config ${name}

: ${dnscrypt_proxy_instances="${name}"}
: ${dnscrypt_proxy_enable:=NO}

dnscrypt_proxy_enable_tmp=${dnscrypt_proxy_enable}

command=/usr/local/sbin/dnscrypt-proxy
procname=/usr/local/sbin/dnscrypt-proxy

for i in $dnscrypt_proxy_instances; do
  name=${i}

  eval ${name}_enable=${dnscrypt_proxy_enable_tmp}
  rcvar=${name}_enable

  load_rc_config ${i}

  eval dnscrypt_proxy_uid_tmp=\${${i}_uid}
  eval dnscrypt_proxy_resolver_tmp=\${${i}_resolver}
  eval dnscrypt_proxy_pidfile_tmp=\${${i}_pidfile}
  eval dnscrypt_proxy_logfile_tmp=\${${i}_logfile}

:  ${dnscrypt_proxy_uid_tmp:=_dnscrypt-proxy}  # User to run daemon as
:  ${dnscrypt_proxy_resolver_tmp:=opendns}  # resolver to use
:  ${dnscrypt_proxy_pidfile_tmp:=/var/run/${i}.pid} # Path to pid file
:  ${dnscrypt_proxy_logfile_tmp:=/var/log/${i}.log} # Path to log file

  command_args="-d -p ${dnscrypt_proxy_pidfile_tmp} -l ${dnscrypt_proxy_logfile_tmp} -u ${dnscrypt_proxy_uid_tmp} -R ${dnscrypt_proxy_resolver_tmp}"

  pidfile=${dnscrypt_proxy_pidfile_tmp}

  _rc_restart_done=false # workaround for: service dnscrypt-proxy restart

  run_rc_command "$1"
done
Make it executable:

Code: [Select]

chmod a+x /usr/local/etc/rc.d/dnscrypt-proxy
Next:

Code: [Select]

nano /etc/rc.conf
Here is mine as a example: (see next post down for a better way)

Code: [Select]

##  Use other method instead of lo0 alias  ##
##  ifconfig lo0 alias 127.0.0.2/32  ##
##  ifconfig lo0 alias 127.0.0.3/32  ##
##  ifconfig lo0 alias 127.0.0.4/32  ##

dnscrypt_proxy_enable="YES"

dnscrypt_proxy_instances="dnscrypt_proxy_1 dnscrypt_proxy_2 dnscrypt_proxy_3"
dnscrypt_proxy_1_resolver="ipredator"
dnscrypt_proxy_1_flags="-a 127.0.0.2:53 -l /var/log/"
dnscrypt_proxy_2_resolver="dnscrypt.eu-dk"
dnscrypt_proxy_2_flags="-a 127.0.0.3:53 -l /var/log/"
dnscrypt_proxy_3_resolver="d0wn-lu-ns1"
dnscrypt_proxy_3_flags="-a 127.0.0.4:53 -l /var/log/"
You can change the resolvers to whatever you want that is listed in:  /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv
If you want the latest list:

Code: [Select]

pkg install wget
wget -O /usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv]

You might be able to leave out the unbound enable line, since it doesn't appear to be need or is running.

In OpnSense GUI, go to Services-->DNS Forwarder
Enable it, set it to port 53. Specify the interface(s) and set it to strict. Also for testing uncheck Query DNS servers sequentially

EDIT:Use geofflowemn's advice instead of my commented out stuff above (ifconfig...)- go to the GUI - Firewall-->Virtual IP's--->Settings and add:

Virtual IP address    Interface    Type    Description
127.0.0.2/32              LocalHost        IP Alias    dnscrypt-proxy
127.0.0.3/32              LocalHost        IP Alias    dnscrypt-proxy
127.0.0.4/32              LocalHost        IP Alias    dnscrypt-proxy 

EDIT: fix typo, (thanks geofflowemn)

Next go to System-->Setting--->General---> Specify the dns servers at 127.0.0.2 127.0.0.3 and 127.0.0.4
I checked "Do not use the DNS Forwarder as a DNS server for the firewall" and unchecked "Allow DNS server list to be overridden by DHCP/PPP on WAN". I did not specify any dns servers in the dhcp section of services.

To test/start type: service dnscrypt-proxy start (it should load when system boots from now on)
Couple of good websites to test if its working:
https://www.perfect-privacy.com/dns-leaktest/
https://ipleak.net/

When testing: Make sure you disable your browser dns caching, also if your in linux the command sudo resolvconf -u helps when troubleshooting using dig, nslookup, etc. Hope I didn't forget any other tidbits, and your system reboots using your new dnscrypt-proxy settings without anymore user input.

Hope this gathering of info from several places has helped someone else achieve their goal. There is a nice tutorial on using unbound to cache queries for speed. https://blog.ipredator.se/freebsd-dnscrypt-howto.html

It would be a great feature to add this to the GUI in the future!
Edit: Add IP of LAN interface to: Services-->DHCP-->Server--->select interface-->DNS servers
Edit: Fixed some errors (spelling), added some extra. I noticed I messed up my configuration royally and when loading a older saved configuration dnscrypt-proxy gets wiped out (it didn't save my dnscrypt configuration). Had to start from scratch. Noticed a couple omissions in this post. :-0

[geofflowemn]

Thanks for the great information.  It saved me a ton of time!   

1) I think there is a typo in this section:

Next go to System-->Setting--->General---> Specify the dns servers at 127.0.0.1 127.0.0.2 and 127.0.0.3

I think it should read: 127.0.0.2, 127.0.0.3, and 127.0.0.4 to match your dnscrypt-proxy instances, right?

2) It is my understanding that adding commands like "ifconfig lo0 alias <blah>" into the rc.conf file is bad form.  I found that I could achieve the same result using OPNsense Virtual IPs:

Firewall > Virtual IPs > Settings
Mode:  IP Alias
Interface:  Localhost
Type:  Single address
Address:  127.0.0.2/32
Description:  dnscrypt-proxy

Repeat for 127.0.0.3, etc.

3) A question/clarification for this section:

In OpnSense GUI, go to Services-->DNS Forwarder
Enable it, set it to port 53. I also specified the interface and set it to strict.

Which interface(s) did you specify here?  I assumed since it was set to "All" I had to instead set it to "Localhost", "LAN", "OPT1", etc - everything EXCEPT "All" and the virtual IP aliases I used.  And it seems to work that way.

[cake]

Hi  geofflowemn. So happy you got it to work!

1) Thank you, yes you are correct! I will try to re-edit the first post
2) Thanks again, I didn't know about that :-)
3) Correct, I specified my LAN interface

dnscrypt has been rock solid since I set it up so far.

Edit: Upgrading from 16.7 to 17.1 , I suggest to go to System-->Settings-->DNS servers, and change them to 8.8.8.8, 8.8.4.4 temporally until you finish upgrading. Then run through the steps again. Worked for me.

[Itow]

Hallo Zusammen,

vielen Dank für eure tolle Anleitung

Leider hatte ich das Problem, dass die Datei "/usr/local/etc/rc.d/dnscrypt-proxy" während  des updates öfters überschrieben wurde und dadurch der "dnscrypt-proxy" nicht starten konnte, was zum Internetausfall aller Clients führte.
Daher habe ich folgendes Script geschrieben, welches "bash" benötigt, da es in "csh" wohl keine Funktionen gibt. Oder ich habe mich nur blöd angestellt

conf_backup= Das Script von arabesc aus Post 1

Jedem, dessen Englisch besser ist als meines, steht es frei, diesen Text zu übersetzen

Code: [Select]

#!/usr/local/bin/bash

proxy_tmp=/tmp/tmp_dnscrypt_proxy
proxy_csv=/usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv
check_dnscrypt=$(pkg info -ak | grep 'dnscrypt-proxy-' | grep 'yes' | wc -l | tr -d ' ')
conf_backup=/root/dnscrypt_proxy_backup
conf_dnscrypt=/usr/local/etc/rc.d/dnscrypt-proxy
versions_check=$(pkg version -vx dnscrypt-proxy | grep 'up-to-date with remote' | wc -l | tr -d ' ')

update_lock() {
                pkg unlock -qy dnscrypt-proxy
                pkg install dnscrypt-proxy
                pkg lock -qy dnscrypt-proxy
}

update_unlock() {
                pkg install dnscrypt-proxy
                pkg lock -qy dnscrypt-proxy
}

check_proxy_csv() {
                if [ -f $proxy_tmp ]; then
                        rm -rf $proxy_tmp
                fi
                mkdir $proxy_tmp
                wget --no-cache -O $proxy_tmp/dnscrypt-resolvers-new.csv https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv
                if ! cmp $proxy_tmp/dnscrypt-resolvers-new.csv $proxy_csv >/dev/null 2>&1; then
                        mv $proxy_tmp/dnscrypt-resolvers-new.csv $proxy_csv
                fi
                rm -rf $proxy_tmp
}

check_conf() {
                checkprocess=$(ps -U_dnscrypt-proxy | grep 'dnscrypt_proxy_' | wc -l | tr -d ' ')
                diff -q $conf_backup $conf_dnscrypt 1>/dev/null
                case "$?" in
                        0)
                                # Alles jut
                                check_proxy_csv
                                if [ "$checkprocess" -eq 0 ]; then
                                service dnscrypt-proxy start
                                else
                                service dnscrypt-proxy restart
                                sleep 3
                                fi
                                ;;
                        1)
                                if [ "$checkprocess" -gt 0 ]; then
                                service dnscrypt-proxy stop
                                sleep 3
                                fi
                                cp "$conf_backup" "$conf_dnscrypt"
                                check_proxy_csv
                                service dnscrypt-proxy start
                                ;;
                esac
}

case "$check_dnscrypt" in
        1)
                if [ "$versions_check" -eq 0 ]; then
                        update_lock
                fi
                check_conf
                ;;
        0)
                if [ "$versions_check" -eq 0 ]; then
                        update_unlock
                else
                        pkg lock -qy dnscrypt-proxy
                fi
                check_conf
                ;;
esac

-edit
Tippfehler

[franco]

Wir bräuchten ein Plugin damit dies nicht mehr passiert. Ein rc.d-Skript ist leider nur sehr bedingt zum Editieren geeignet.

We really need a plugin to stop the file from being overwritten. An rc.d script is not an ideal file to be edited.

[tinyx]

Hi!
I updating OPNsense to 17.7 and, after having changed dnscrypt-proxy because overwritten from update 1.9.5,
I confirm that the above configuration it works well!
Thanks All!

[cake]

I just did a update from 17.1 to 17.7 as well. So far I had only minor trouble with update, I started the update from the GUI, and got held up on a r2 after it rebooted until I went and changed System-->Settings-->General--DNS to google's 8.8.8.8 from 127.0.0.1 ....... just temporarily.
Then I went back to firmware and tried again. I got to update to 17.7  , (I was stuck on a r2 update with a end of life message also was failing to check updates due to system dns set to 127.0.0.1 .....) After the final upgrade I changed  System-->Settings-->General--DNS back to 127.0.0.1, 127.0.0.2 and 127.0.0.3 (what I had earlier)

I thought I had nsookup and dig available, but I see there is  a tool I never used before in its place -> drill. I also had to re-paste from 1st post back into  /usr/local/etc/rc.d/dnscrypt-proxy and chmod a+x

After that it dnscrypt works like a charm again.

[joaop]

Hi,
With a fresh 17.7 install /etc/rc.conf will be ignored at bootup, so it will not start automatically, I have to service dnscrypt-proxy start.
What kind of sorcery do you use for this to work? 

______________________
Before I seen this thread I made a rc.d script using the openvpn way to start multiple instances,
it uses symbolic links, cd /usr/local/etc/rc.d/; ln -s dnscrypt-proxy dnscrypt-proxy_foo

Code: [Select]

#!/bin/sh
#
# $FreeBSD$
#
# PROVIDE: dnscrypt_proxy
# REQUIRE: SERVERS cleanvar ldconfig
# BEFORE: named local_unbound unbound
# KEYWORD: shutdown
#
# This script supports running multiple instances of dnscrypt-proxy.
# To run additional instances link this script to something like
# % ln -s dnscrypt-proxy dnscrypt-proxy_foo
# and define additional dnscrypt_proxy_foo_* variables in one of
# /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/dnscrypt-proxy_foo
#
# The name of the addition instance should contain only letters (a to z or A to Z),
# numbers (0 to 9) or the underscore character (_).
#
# Below NAME should be substituted with the name of this script. By default
# it is dnscrypt_proxy, so read as dnscrypt_proxy_enable. If you linked the script to
# dnscrypt-proxy_foo, then read as dnscrypt_proxy_foo_enable etc.
#
# The following variables are supported (defaults are shown).
# You can place them in any of
# /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/NAME
#
# NAME_enable="NO" # set to YES to enable dnscrypt-proxy instance
#
# # optional:
# NAME_flags= # additional command line arguments
# NAME_configfile="/usr/local/etc/dnscrypt-proxy/NAME.conf" # Will override all other
#                                               settings and only use the config file.
# NAME_uid (str): Set to "_dnscrypt-proxy" by default.
#                              User to switch to after starting.
# NAME_resolver (str):Set to "cisco" by default.
#                              Choose a different upstream resolver.
# NAME_pidfile (str): default: "/var/run/NAME.pid"
#                              Location of pid file.
# NAME_logfile (str): default: "/var/log/NAME.log"
#                              Location of log file.
#
# To redirect a local resolver through dnscrypt-proxy, point it at 127.0.0.x
# and add the following to rc.conf:
# ifconfig_lo0_alias0="inet 127.0.0.x netmask 0xffffffff"
# NAME_flags='-a 127.0.0.x'

. /etc/rc.subr

# service(8) does not create an authentic environment, try to guess,
# and as of 10.3-RELEASE-p0, it will not find the indented name=
# assignments below. So give it a default.
# Trailing semicolon also for service(8)'s benefit:
name="$file" ;

case "$0" in
/etc/rc*)
# during boot (shutdown) $0 is /etc/rc (/etc/rc.shutdown),
# so get the name of the script from $_file
name="$_file"
;;
*/service)
# do not use this as $0
;;
*)
name="$0"
;;
esac

# default name to "dnscrypt_proxy" if guessing failed
# Trailing semicolon also for service(8)'s benefit:
name="dnscrypt_proxy${name##*dnscrypt-proxy}" ;
rcvar=${name}_enable

stop_postcmd()
{
rm -f "$pidfile" || warn "Could not remove $pidfile."
}

# command and arguments
command="/usr/local/sbin/dnscrypt-proxy"

# run this last
stop_postcmd="stop_postcmd"

load_rc_config ${name}

eval ": \${${name}_enable:=\"NO\"}"
eval ": \${${name}_configfile:=\"/usr/local/etc/dnscrypt-proxy/${name}.conf\"}"
eval ": \${${name}_uid:=\"_dnscrypt-proxy\"}" # User to run daemon as
eval ": \${${name}_resolver:=\"cisco\"}" # resolver to use
eval ": \${${name}_pidfile:=\"/var/run/${name}.pid\"}" # Path to pid file
eval ": \${${name}_logfile:=\"/var/log/${name}.log\"}" # Path to log file

configfile="$(eval echo \${${name}_configfile})"
uid="$(eval echo \${${name}_uid})"
resolver="$(eval echo \${${name}_resolver})"
pidfile="$(eval echo \${${name}_pidfile})"
logfile="$(eval echo \${${name}_logfile})"

if [ -f "$configfile" ]; then
command_args="$configfile"
else
command_args="-d -p $pidfile -l $logfile -u $uid -R $resolver"
fi

run_rc_command "$1"


[beclar2]

First, thanks to Cake for this nice Howto. I am wondering if anyone uses dnscrypt-proxy (as described in first post) with Unbound DNS.

I have the problem that after a reboot DNS isn´t working anymore. My workaround: Stop Unbound DNS manually (GUI -> Stop Button), than start dnscrypt-proxy via shell (service dnscrypt-proxy start) and finally restart Unbound via GUI.

I am not sure but it looks like dnscrypt-proxy (enabled in /etc/rc.conf) doesn´t start when Unbound is already running. In the dnscrypt-proxy we see the directive "BEFORE: unbound..." but this controls the normal "service... start" process. How can I make sure that the Unbound-Plugin will be started AFTER "service dnscrypt-proxy start" at boot time?

[franco]

With a fresh 17.7 install /etc/rc.conf will be ignored at bootup, so it will not start automatically, I have to service dnscrypt-proxy start.
What kind of sorcery do you use for this to work? 

Look out for typos, it must read dnscrypt_proxy_enable="YES". It should not be ignored.

I am not sure but it looks like dnscrypt-proxy (enabled in /etc/rc.conf) doesn´t start when Unbound is already running. In the dnscrypt-proxy we see the directive "BEFORE: unbound..." but this controls the normal "service... start" process. How can I make sure that the Unbound-Plugin will be started AFTER "service dnscrypt-proxy start" at boot time?

Unbound is part of our system, a base plugin if you will. We start auxiliary services afterwards, so in order to fix this we need to make dnscrypt-proxy a plugin as well to adhere to a correct starting order.


Cheers,
Franco

[beclar2]

I am not sure but it looks like dnscrypt-proxy (enabled in /etc/rc.conf) doesn´t start when Unbound is already running. In the dnscrypt-proxy we see the directive "BEFORE: unbound..." but this controls the normal "service... start" process. How can I make sure that the Unbound-Plugin will be started AFTER "service dnscrypt-proxy start" at boot time?

Unbound is part of our system, a base plugin if you will. We start auxiliary services afterwards, so in order to fix this we need to make dnscrypt-proxy a plugin as well to adhere to a correct starting order.

Ok, thank you for your reply. Unfortunately I have not the skills to develop a dnscrypt-proxy-Plugin. So the only option seems to wait for a plugin or - as a workaround - modify the dnscrypt-proxy-Start script in a way that Unbound will be stopped temporarily and started again after dnsycrypt-proxy has started. But... I have no idea how :-(

[franco]

Would it be enough to be able to reconfigure unbound after startup?

[beclar2]

Finally I figured out some solutions:

ad 1 (no startup on boot time): The script in the first post won´t start dnscrypt-proxy automatically on boot time. In this thread we see the solution (second post of the linked thread): "(Add rcvar=dnscrypt_proxy_enable after name=...)"

Solution: Grab the actual dnscrypt-proxy script from Github:

Code: [Select]

#!/bin/sh
#
# $FreeBSD: head/dns/dnscrypt-proxy/files/dnscrypt-proxy.in 373758 2014-12-02 09:21:49Z xmj $
#
# PROVIDE: dnscrypt_proxy
# REQUIRE: ldconfig cleanvar
# BEFORE: SERVERS
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf to enable dnscrypt-proxy:
#
# dnscrypt_proxy_instances (str): Set to "dnscrypt_proxy" by default.
#                                 List of dnscrypt_proxy instance id's,
#                                 e.g. "dnscrypt_proxy_1 dnscrypt_proxy_2", etc.
# {instance_id}_enable (bool):    Set to NO by default.
#                                 Set to YES to enable dnscrypt-proxy.
# {instance_id}_uid (str):        Set to "_dnscrypt-proxy" by default.
#                                User to switch to after starting.
# {instance_id}_resolver (str):   Set to "opendns" by default.
#                                Choose a different upstream resolver.
# {instance_id}_pidfile (str):    default: "/var/run/dnscrypt-proxy.pid"
#                                Location of pid file.
# {instance_id}_logfile (str):   default: "/var/log/dnscrypt-proxy.log"
#                                 Location of log file.
#
# To redirect a local resolver through dnscrypt-proxy, point it at 127.0.0.2
# and add the following to rc.conf:
# ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
# dnscrypt_proxy_flags='-a 127.0.0.2'

. /etc/rc.subr

name=dnscrypt_proxy
rcvar=dnscrypt_proxy_enable

load_rc_config ${name}

: ${dnscrypt_proxy_instances="${name}"}
: ${dnscrypt_proxy_enable:=NO}

dnscrypt_proxy_enable_tmp=${dnscrypt_proxy_enable}

command=/usr/local/sbin/dnscrypt-proxy
procname=/usr/local/sbin/dnscrypt-proxy

for i in $dnscrypt_proxy_instances; do
    name=${i}

    eval ${name}_enable=${dnscrypt_proxy_enable_tmp}
    rcvar=${name}_enable

    load_rc_config ${i}

    eval dnscrypt_proxy_uid_tmp=\${${i}_uid}
    eval dnscrypt_proxy_resolver_tmp=\${${i}_resolver}
    eval dnscrypt_proxy_pidfile_tmp=\${${i}_pidfile}
    eval dnscrypt_proxy_logfile_tmp=\${${i}_logfile}

:   ${dnscrypt_proxy_uid_tmp:=_dnscrypt-proxy}       # User to run daemon as
:   ${dnscrypt_proxy_resolver_tmp:=opendns}          # resolver to use
:   ${dnscrypt_proxy_pidfile_tmp:=/var/run/${i}.pid} # Path to pid file
:   ${dnscrypt_proxy_logfile_tmp:=/var/log/${i}.log} # Path to log file

    command_args="-d -p ${dnscrypt_proxy_pidfile_tmp} -l ${dnscrypt_proxy_logfile_tmp} -u ${dnscrypt_proxy_uid_tmp} -R ${dnscrypt_proxy_resolver_tmp}"

    pidfile=${dnscrypt_proxy_pidfile_tmp}

    _rc_restart_done=false # workaround for: service dnscrypt-proxy restart

    run_rc_command "$1"
done
ad 2 (dnscrypt-proxy not starting when unbound is already running):
Set Interfaces for Unbound DNS (General-> Network Interfaces) not to "All". If you mean "All" select everything except entries for dnscrypt-proxy.

[diversyy]

Thanks for this tutorial. Seems to work for me with OPNsense 17.7.5-amd64.

Only thing I needed to add was the following custom config options to unbound DNS in order to get the dns resolver to work:

do-not-query-localhost: no

[beclar2]

[EDIT: Added a solution to create a cron job]
[EDIT 2: URL for dnscrypt-resolvers.csv has changed - actions.d corrected.]

One addition from my side:

/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv should be updated regularly. Otherwise dnscrypt lookups will stop working when DNS resolvers change their IP.

Quick and dirty solution might be to set up an individual cron job (e.g. monthly) to update resolvers list and restart dnscrypt-proxy:

1. Create file /usr/local/opnsense/service/conf/actions.d/actions_dnscrypt.conf with this content:

Code: [Select]

[update]
command:wget -O /usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v1/dnscrypt-resolvers.csv && /usr/local/etc/rc.d/dnscrypt-proxy restart
parameters:
type:script
message:Updating dnscrypt-resolvers.csv
description: Update dnscrypt-resolvers.csv

2. Restart configd

Code: [Select]

service configd restart
3. Add new cronjob in WebGui: System -> Settings -> Cron -> + (= add new cron job):
Day of Month: 15 (= start job once in a month on every 15th day)
As command select "Update dnscrypt-resolvers.csv" from drop down list.
Save changes + Apply.

Nicer would be to use a script that is included in dnscrypt-proxy source package:
https://github.com/jedisct1/dnscrypt-proxy/blob/master/contrib/dnscrypt-update-resolvers.sh.in
Unfortunately I haven´t found this script in OPNsense. Maybe it is missing... beside I am not familiar enough with FreeBSD.