Multiple dnscrypt-proxy Opnsense 16.7 / 17.1 / 17.7 / 18.1 :-)

Started by cake, December 06, 2016, 07:13:22 AM

Previous topic - Next topic
Just for the record, if anyone looks at this thread, and for everyone using dnscrypt (and wondering why lookups won't work anymore):

It seems that dnscrypt is abandoned: https://www.reddit.com/r/privacy/comments/7oyw0h/dnscrypt_is_now_abandoned/


Upgraded to 18.1 this morning.
The upgrade went fine, then after reboot no DNS (drill example.com).
Went to System --> Settings --> General and changed everything to 8.8.8.8 and 8.8.4.4 just for a while.
SSHed into the shell and checked ping and drill, both working, then followed the first post again:
mv /usr/local/etc/rc.d/dnscrypt-proxy /usr/local/etc/rc.d/dnscrypt-proxy.original
nano /usr/local/etc/rc.d/dnscrypt-proxy


and pasted this in again:
#!/bin/sh
#
# $FreeBSD: head/dns/dnscrypt-proxy/files/dnscrypt-proxy.in 373758 2014-12-02 09:21:49Z xmj $
#
# PROVIDE: dnscrypt_proxy
# REQUIRE: SERVERS cleanvar
# BEFORE: named local_unbound unbound
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf to enable dnscrypt-proxy:
#
# dnscrypt_proxy_instances (str): Set to "dnscrypt_proxy" by default.
#  List of dnscrypt_proxy instance id's,
#  e.g. "dnscrypt_proxy_1 dnscrypt_proxy_2", etc.
# {instance_id}_enable (bool):  Set to NO by default.
#  Set to YES to enable dnscrypt-proxy.
# {instance_id}_uid (str):  Set to "_dnscrypt-proxy" by default.
#      User to switch to after starting.
# {instance_id}_resolver (str):  Set to "opendns" by default.
#      Choose a different upstream resolver.
# {instance_id}_pidfile (str):  default: "/var/run/dnscrypt-proxy.pid"
#      Location of pid file.
# {instance_id}_logfile (str):    default: "/var/log/dnscrypt-proxy.log"
#  Location of log file.
#
# To redirect a local resolver through dnscrypt-proxy, point it at 127.0.0.2
# and add the following to rc.conf:
# ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
# dnscrypt_proxy_flags='-a 127.0.0.2'

. /etc/rc.subr

name=dnscrypt_proxy

load_rc_config ${name}

: ${dnscrypt_proxy_instances="${name}"}
: ${dnscrypt_proxy_enable:=NO}

dnscrypt_proxy_enable_tmp=${dnscrypt_proxy_enable}

command=/usr/local/sbin/dnscrypt-proxy
procname=/usr/local/sbin/dnscrypt-proxy

for i in $dnscrypt_proxy_instances; do
  name=${i}

  eval ${name}_enable=${dnscrypt_proxy_enable_tmp}
  rcvar=${name}_enable

  load_rc_config ${i}

  eval dnscrypt_proxy_uid_tmp=\${${i}_uid}
  eval dnscrypt_proxy_resolver_tmp=\${${i}_resolver}
  eval dnscrypt_proxy_pidfile_tmp=\${${i}_pidfile}
  eval dnscrypt_proxy_logfile_tmp=\${${i}_logfile}

  : ${dnscrypt_proxy_uid_tmp:=_dnscrypt-proxy}        # User to run daemon as
  : ${dnscrypt_proxy_resolver_tmp:=opendns}           # resolver to use
  : ${dnscrypt_proxy_pidfile_tmp:=/var/run/${i}.pid}  # Path to pid file
  : ${dnscrypt_proxy_logfile_tmp:=/var/log/${i}.log}  # Path to log file

  command_args="-d -p ${dnscrypt_proxy_pidfile_tmp} -l ${dnscrypt_proxy_logfile_tmp} -u ${dnscrypt_proxy_uid_tmp} -R ${dnscrypt_proxy_resolver_tmp}"

  pidfile=${dnscrypt_proxy_pidfile_tmp}

  _rc_restart_done=false # workaround for: service dnscrypt-proxy restart

  run_rc_command "$1"
done


Make it executable:
chmod a+x /usr/local/etc/rc.d/dnscrypt-proxy

Update the resolver list from this new location on GitHub:
wget -O /usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv https://github.com/dyne/dnscrypt-proxy/raw/master/dnscrypt-resolvers.csv

Change the resolvers to the ones you want:
nano /etc/rc.conf
Mine looks like this:
ddclient_enable="YES"
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_instances="dnscrypt_proxy_1 dnscrypt_proxy_2 dnscrypt_proxy_3"
dnscrypt_proxy_1_resolver="ipredator"
dnscrypt_proxy_1_flags="-a 127.0.0.2:53 -l /var/log/"
dnscrypt_proxy_2_resolver="soltysiak"
dnscrypt_proxy_2_flags="-a 127.0.0.3:53 -l /var/log/"
dnscrypt_proxy_3_resolver="dnscrypt.eu-dk"
dnscrypt_proxy_3_flags="-a 127.0.0.4:53 -l /var/log/"

Then start dnscrypt:
service dnscrypt-proxy restart

Lastly, I went back to System --> Settings --> General and changed the list back to 127.0.0.2, 127.0.0.3 and 127.0.0.4 for the WAN gateway.

Checked to make sure all is working with https://ipleak.net/

Big thanks to the devs and the people making and improving OPNsense.
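Before rebooting a setup like the one above, it helps to check the rc.conf mechanically: every instance listed in dnscrypt_proxy_instances needs a resolver name that actually exists in the CSV just downloaded (otherwise the -R lookup fails), a distinct -a listen address, and, per the rc script's own header comment, an lo0 alias for each loopback address other than 127.0.0.1. The script below is an added example, not cake's or the dnscrypt-proxy port's code. It assumes the short "-a <addr>[:port]" flag form used in the post and that the resolver name is column 1 of the CSV; with no arguments it runs against constructed sample files (the resolver name "no-such-resolver" and the 192.0.2.x addresses are invented), and with two arguments it checks the real files.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a multi-instance
# dnscrypt-proxy 1.x rc.conf against a dnscrypt-resolvers.csv before rebooting.
# Assumes the short "-a <addr>[:port]" flag form and that -R matches column 1
# of the CSV. Usage:
#   sh check-dnscrypt.sh /etc/rc.conf /usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv

# Value of a rc.conf variable with surrounding quotes removed (last assignment
# wins, as in sh); empty if unset.
rcvar() {  # rcvar <rc.conf> <name>
  sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# IPv4 listen address from an instance's _flags ("-a 127.0.0.3:53" -> 127.0.0.3).
# A space is prepended so "-a" must stand alone (not "--local-address").
listen_addr() {  # listen_addr "<flags>"
  printf '%s\n' " $1" | sed -n 's/.*[[:space:]]-a[[:space:]]*\([0-9.]*\).*/\1/p'
}

# True if <name> is the first column of some CSV row (what -R looks up).
resolver_known() {  # resolver_known <csv> <name>
  grep -q "^$2," "$1"
}

# Print findings; return the number of ERROR lines (0 = config looks sane).
check_config() {  # check_config <rc.conf> <csv>
  rc=$1; csv=$2; errors=0; seen=" "
  if [ "$(rcvar "$rc" dnscrypt_proxy_enable)" != "YES" ]; then
    echo "ERROR: dnscrypt_proxy_enable is not YES; nothing starts at boot"
    errors=$((errors + 1))
  fi
  for i in $(rcvar "$rc" dnscrypt_proxy_instances); do
    r=$(rcvar "$rc" "${i}_resolver")
    a=$(listen_addr "$(rcvar "$rc" "${i}_flags")")
    if [ -z "$r" ] || ! resolver_known "$csv" "$r"; then
      echo "ERROR: $i: resolver '${r:-<unset>}' is not in the CSV; -R would fail"
      errors=$((errors + 1))
    fi
    case "$a" in
      "")    echo "ERROR: $i: no -a <addr> in ${i}_flags; instances need distinct listen addresses"
             errors=$((errors + 1)); continue ;;
      127.*) ;;
      *)     echo "WARN: $i: $a is not loopback; the proxy is reachable from other hosts" ;;
    esac
    case "$seen" in
      *" $a "*) echo "ERROR: $i: listen address $a is already used by another instance"
                errors=$((errors + 1)) ;;
      *)        seen="$seen$a " ;;
    esac
    # The rc script's header asks for an lo0 alias for any address but 127.0.0.1.
    a_re=$(printf '%s' "$a" | sed 's/\./\\./g')
    if [ "$a" != 127.0.0.1 ] && \
       ! grep -q "^[[:space:]]*ifconfig_lo0_alias[0-9]*=.*inet[[:space:]]*$a_re[[:space:]\"']" "$rc"; then
      echo "WARN: $i: no ifconfig_lo0_aliasN line for $a in rc.conf (see the rc script header)"
    fi
  done
  return $errors
}

# Constructed sample data: instance 3 names an invented resolver and reuses
# instance 2's address, so two ERROR lines are expected. Only column 1 of the
# CSV is consulted; the other columns are placeholders.
write_samples() {  # write_samples <dir>
  cat > "$1/rc.conf" <<'EOF'
ddclient_enable="YES"
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_instances="dnscrypt_proxy_1 dnscrypt_proxy_2 dnscrypt_proxy_3"
ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
dnscrypt_proxy_1_resolver="ipredator"
dnscrypt_proxy_1_flags="-a 127.0.0.2:53 -l /var/log/"
dnscrypt_proxy_2_resolver="soltysiak"
dnscrypt_proxy_2_flags="-a 127.0.0.3:53 -l /var/log/"
dnscrypt_proxy_3_resolver="no-such-resolver"
dnscrypt_proxy_3_flags="-a 127.0.0.3:53"
EOF
  cat > "$1/resolvers.csv" <<'EOF'
Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
ipredator,constructed row,,SE,,,1,yes,yes,no,192.0.2.10:443,2.dnscrypt-cert.example,PLACEHOLDER,
soltysiak,constructed row,,PL,,,1,yes,yes,no,192.0.2.11:443,2.dnscrypt-cert.example,PLACEHOLDER,
EOF
}

if [ $# -eq 2 ]; then
  check_config "$1" "$2" || echo "$? error(s)"
else
  d=$(mktemp -d) && write_samples "$d"
  check_config "$d/rc.conf" "$d/resolvers.csv" || echo "$? error(s)"
  rm -rf "$d"
fi
```

The exit status of check_config is the error count, so the script can gate a reboot in a cron job or a shell one-liner; WARN lines are informational only, since the lo0 alias requirement comes from the rc script's comment rather than from anything verified here.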

Hi cake,

Thanks, maybe we want to finally put this into a plugin?

Michael, do you read this?  :)


Cheers,
Franco

I noticed I did something wrong, because dnscrypt-proxy does not start after reboot. I have to type "service dnscrypt-proxy start" in the shell. Not sure what I did wrong. lol

/etc/rc.conf is root:wheel and not executable (I think that is correct)

If anybody else knows, let me know :-) I may just use a cron job @reboot because my skills are poor.

Yes Franco a plugin would be nice. Cheers

February 04, 2018, 06:18:15 PM #19 Last Edit: February 04, 2018, 06:22:50 PM by w2712663
Quote from: beclar2 on January 08, 2018, 07:55:50 PM
It seems that dnscrypt is abandoned: https://www.reddit.com/r/privacy/comments/7oyw0h/dnscrypt_is_now_abandoned/

No. DNSCrypt is not abandoned. In fact, DNSCrypt-proxy v2 has been released (written from scratch in Go by the original author of DNS-Crypt proxy, Frank Denis). The new DNS-Crypt v2 supports things like multiple DNS resolvers in a single process and alternate DNS encryption protocols like DNS-over-TLS (used by Quad9), DNS-over-HTTPS (successor to DNS-over-TLS and best acronym award winner, doh!) and DNSCrypt v2 protocol.

Anyway it would be great to get an updated tutorial using the new DNS-Crypt proxy.

Also, for anyone that doesn't know, the official DNSCrypt resolver lists are back (and now include a list of v2 protocol resolvers): https://github.com/DNSCrypt/dnscrypt-resolvers

Quote from: cake on February 01, 2018, 12:08:08 AM
I noticed I did something wrong, because dnscrypt-proxy does not start after reboot. I have to type "service dnscrypt-proxy start" in the shell. Not sure what I did wrong. lol

/etc/rc.conf is root:wheel and not executable (I think that is correct)

If anybody else knows, let me know :-) I may just use a cron job @reboot because my skills are poor.
Cake, did you read this post?


Quote from: beclar2 on February 05, 2018, 08:39:04 AM
Quote from: cake on February 01, 2018, 12:08:08 AM
I noticed I did something wrong, because dnscrypt-proxy does not start after reboot. I have to type "service dnscrypt-proxy start" in the shell. Not sure what I did wrong. lol

/etc/rc.conf is root:wheel and not executable (I think that is correct)

If anybody else knows, let me know :-) I may just use a cron job @reboot because my skills are poor.
Cake, did you read this post?

Thanks, it worked!
I did read your post; I must be getting a little Alzheimer's. So I guess the tutorial in the first post is now a little wrong? I'll try and edit it tomorrow, but it sounds like the whole thing may be out of date, as w2712663 mentions there is an updated version. Yay!
Thanks again.


Quote from: franco on January 31, 2018, 07:35:36 AM
Hi cake,

Thanks, maybe we want to finally put this into a plugin?

Michael, do you read this?  :)


Cheers,
Franco

Now I read it :D
Still anyone interested in a Plugin? :)



Is there any news about the plugin yet?


Any news about the plugin?


I'm looking into securing my DNS.
Why would we want a plugin for this while the project itself is dead (or am I wrong)?

It looks like getdns using Stubby is the way to go, right? Please correct me if I'm wrong.