DNSCrypt questions, possible solution for toml file after upgrade
Topic: DNSCrypt questions, possible solution for toml file after upgrade (Read 211 times)
jimcease (Newbie, Posts: 14, Karma: 0)
DNSCrypt questions, possible solution for toml file after upgrade
« on: October 16, 2024, 02:39:46 pm »
First, I am very new to this stuff. I am working on getting DNSCrypt working in OPNsense. I was having trouble getting it to work via the web interface. I went through removing the GUI package and adding the package from the command line (pkg install dnscrypt-proxy2). I was seeing that folks have potential issues with the toml file, especially after firmware upgrades, with the toml potentially being overwritten.
Would the following work?
1. Make a backup of the working file.
mkdir -p /usr/local/etc/dnscrypt-proxy/temp && cp /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml /usr/local/etc/dnscrypt-proxy/temp/dnscrypt-proxy.toml.backup
2. Create a hash of this backup.
sha256 -q /usr/local/etc/dnscrypt-proxy/temp/dnscrypt-proxy.toml.backup > /usr/local/etc/dnscrypt-proxy/temp/dnscrypt-proxy.toml.hash   # -q writes the bare digest, which is what the script compares
3. Create a script called pre-dnscrypt.sh which essentially compares the hash of the backup to the current file and, if they are different, copies the backup file over the current file.
#!/bin/sh
# Paths to the working config, backup, and hash in the correct directory
WORKING_FILE="/usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml"
BACKUP_FILE="/usr/local/etc/dnscrypt-proxy/temp/dnscrypt-proxy.toml.backup"
HASH_FILE="/usr/local/etc/dnscrypt-proxy/temp/dnscrypt-proxy.toml.hash"
# Determine if sha256 (FreeBSD) or sha256sum (GNU coreutils) is available
if command -v sha256 >/dev/null 2>&1; then
    HASH_CMD="sha256 -q"        # -q prints only the digest
elif command -v sha256sum >/dev/null 2>&1; then
    HASH_CMD="sha256sum"        # prints "<digest>  <file>"
else
    echo "Error: Neither sha256 nor sha256sum found on this system."
    exit 1
fi
# Without a backup and its hash there is nothing to compare against or restore;
# exit 0 so a missing backup never blocks the service from starting
if [ ! -f "$BACKUP_FILE" ] || [ ! -f "$HASH_FILE" ]; then
    echo "Warning: backup or hash file missing, leaving current config in place."
    exit 0
fi
# Generate the current hash of the working file (awk keeps only the digest;
# a missing working file yields an empty hash and therefore triggers a restore)
CURRENT_HASH=$($HASH_CMD "$WORKING_FILE" 2>/dev/null | awk '{print $1}')
# Retrieve the known-good hash of the backup (first field only, so the bare
# digest written by "sha256 -q" or by the regeneration step below is read correctly)
KNOWN_HASH=$(awk '{print $1; exit}' "$HASH_FILE")
echo "Current Hash: $CURRENT_HASH"
echo "Known Hash: $KNOWN_HASH"
# Compare the hashes
if [ "$CURRENT_HASH" != "$KNOWN_HASH" ]; then
    echo "DNSCrypt config is corrupted or overwritten, restoring from backup..."
    cp "$BACKUP_FILE" "$WORKING_FILE"
    # Regenerate the hash after restoring
    $HASH_CMD "$BACKUP_FILE" | awk '{print $1}' > "$HASH_FILE"
else
    echo "DNSCrypt config is valid, no need for restore."
fi
4. Add this script to the startup script for /usr/local/etc/rc.d/dnscrypt-proxy
start_cmd="${name}_start"
# Run the pre-startup script only when the service is started (not on stop or
# status) by hooking it in as start_precmd; a non-zero exit here aborts the start
start_precmd="${name}_prestart"

dnscrypt_proxy_prestart()
{
    /usr/local/bin/pre_dnscrypt_start.sh
}

dnscrypt_proxy_start()
{
    echo "Starting dnscrypt-proxy..."
    ${command} ${dnscrypt_proxy_flags}
}
« Last Edit: October 18, 2024, 03:42:23 am by jimcease »
manysmallpieces (Newbie, Posts: 5, Karma: 0)
Re: DNSCrypt questions, possible solution for toml file after upgrade
« Reply #1 on: October 17, 2024, 11:21:01 pm »
Your shell script seems simple enough, at least without going over it line by line. The idea should work, at least.
You should take a look at https://docs.opnsense.org/development/backend/autorun.html though. Putting it elsewhere could get reverted on reboot or update, as I understand it.
Could put it in 'early' to have it run every restart before system network starts up, or maybe 'update' to check once after core package updates.
--
That said, DNSC-P is the one DNS service I can actually answer questions about. What are you having trouble getting working with it?
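The hash-and-restore idea from the first post, placed as the autorun hook this reply suggests, written here as an added example (not code from the thread or from OPNsense). It assumes an install path of /usr/local/etc/rc.syshook.d/early/50-dnscrypt-restore with the executable bit set, a dnscrypt-proxy binary at /usr/local/sbin/dnscrypt-proxy, and its own return codes; beyond the original script it refuses to restore a backup whose digest no longer matches the recorded one, validates the backup with `dnscrypt-proxy -check` when the binary is present, and swaps the file in with an atomic rename.

```shell
#!/bin/sh
# Assumed install path: /usr/local/etc/rc.syshook.d/early/50-dnscrypt-restore (chmod +x).
# Paths can be overridden from the environment; the dnscrypt-proxy binary path is an assumption.
WORKING_FILE="${WORKING_FILE:-/usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml}"
BACKUP_FILE="${BACKUP_FILE:-/usr/local/etc/dnscrypt-proxy/temp/dnscrypt-proxy.toml.backup}"
HASH_FILE="${HASH_FILE:-/usr/local/etc/dnscrypt-proxy/temp/dnscrypt-proxy.toml.hash}"
DNSCRYPT_BIN="${DNSCRYPT_BIN:-/usr/local/sbin/dnscrypt-proxy}"

# Print only the hex digest of a file, whichever tool the host has
# (FreeBSD sha256, GNU sha256sum, or openssl); an absent file yields an empty string.
file_digest() {
    [ -f "$1" ] || { echo ""; return 0; }
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    else openssl dgst -sha256 -r "$1" | awk '{print $1}'; fi
}

# restore_config_if_changed WORKING BACKUP HASHFILE
# Return codes: 0 config unchanged, 1 restored from backup, 2 no backup or hash file,
# 3 backup rejected by "dnscrypt-proxy -check", 4 backup does not match its recorded
# hash, 5 copy failed.
restore_config_if_changed() {
    working="$1"; backup="$2"; hashfile="$3"
    [ -f "$backup" ] && [ -f "$hashfile" ] || { echo "no backup/hash file, leaving config alone"; return 2; }
    # Hash file holds a bare digest (sha256 -q) or FreeBSD's "SHA256 (file) = digest"; take the last field
    known=$(awk '{print $NF; exit}' "$hashfile")
    # Refuse to restore from a backup that was itself altered or corrupted since the hash was recorded
    [ "$(file_digest "$backup")" = "$known" ] || { echo "backup does not match recorded hash, not restoring"; return 4; }
    [ "$(file_digest "$working")" != "$known" ] || { echo "config unchanged"; return 0; }
    # Only restore a backup that parses, so a bad backup cannot take DNS down on every boot
    if [ -x "$DNSCRYPT_BIN" ] && ! "$DNSCRYPT_BIN" -check -config "$backup" >/dev/null 2>&1; then
        echo "backup fails dnscrypt-proxy -check, not restoring"; return 3
    fi
    # Write to a temporary file and rename, so a reader never sees a half-written config
    cp "$backup" "$working.tmp" && mv "$working.tmp" "$working" || { echo "restore failed"; return 5; }
    echo "config was overwritten, restored from backup"; return 1
}

# When executed as the hook, act on the real paths (set RESTORE_HOOK_RUN=no to only load the functions)
[ "${RESTORE_HOOK_RUN:-yes}" = "yes" ] && restore_config_if_changed "$WORKING_FILE" "$BACKUP_FILE" "$HASH_FILE" || true
```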
jimcease (Newbie, Posts: 14, Karma: 0)
Re: DNSCrypt questions, possible solution for toml file after upgrade
« Reply #2 on: October 18, 2024, 03:47:56 am »
Most of my issues were related to not understanding that the service does dynamic server selection. I was completing the server list in two places. I was definitely confused by the reference material concerning this service. I read through the forums and it looked like configuring via the WebUI might be problematic. During my reading it seemed as though going the manual route was the way to go. In my reading I kept coming across issues where the toml file gets overwritten, so I actually leveraged ChatGPT to help with this code. I will do some research on the link you provided. Thanks. I updated the script a bit as there were some errors, but the script runs as expected. I just have to figure out where to put it.
jimcease (Newbie, Posts: 14, Karma: 0)
Re: DNSCrypt questions, possible solution for toml file after upgrade
« Reply #3 on: October 18, 2024, 05:32:53 am »
I was having the same problem when I was trying to use the WebUI. The service starts, finds 146 servers and then stops. Am I missing something stupid?
jimcease (Newbie, Posts: 14, Karma: 0)
Re: DNSCrypt questions, possible solution for toml file after upgrade
« Reply #4 on: October 18, 2024, 05:40:01 am »
I tried to use this and it fails. I also renamed the .sample to .toml and it does the same thing: loads the servers, then exits.
# DNSCrypt-proxy configuration file
# Servers to use, referenced by name. These are names, not stamps: each must match a
# [static] entry below (or a server from a [sources] list, which this file does not define).
# All listed servers are candidates; lb_strategy decides which one answers a query.
server_names = ['nextdns', 'dnscry-pt-ashburn', 'dnscry-pt-allentown', 'plan9-dns-nj', 'quad9']
# Listen on these addresses for DNS queries (localhost on port 5353)
listen_addresses = ['127.0.0.1:5353']
# Max number of simultaneous clients
max_clients = 250
# Enable DNS caching for performance improvement
cache = true
cache_size = 512
# Only use servers that support DNSSEC
require_dnssec = true
# Disable the use of IPv6 servers (optional)
ipv6_servers = false
# Plain-DNS resolvers used only to bootstrap (resolve server hostnames) until a
# secure server is available; the old key name fallback_resolver is not accepted
bootstrap_resolvers = ['9.9.9.9:53']
# Block IPv6 entirely if not in use
block_ipv6 = true
# Set the path for log files
log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log'
log_level = 2 # 0 = debug ... 6 = fatal; 2 (notice and above) is the default
# Use DNSCrypt with ephemeral keys for privacy
dnscrypt_ephemeral_keys = true
# Set load-balancing strategy (p2 = pick randomly among the two lowest-latency servers)
lb_strategy = 'p2'
# Disable TLS session tickets for better security
tls_disable_session_tickets = true
tls_cipher_suite = [52392, 49199]
# Anonymized DNS would be configured in an [anonymized_dns] section with a routes
# list, not via a top-level key; it is not used here.

# Servers given as DNS stamps; each entry's name is what server_names refers to
[static]
  [static.'nextdns']
  # NextDNS (Unfiltered, DNSSEC, No logging)
  stamp = 'sdns://AgcAAAAAAAAACjQ1LjkwLjMwLjAgmjo09yfeubylEAPZzpw5-PJ92cUkKQHCurGkTmNaAhkWYW55Y2FzdC5kbnMubmV4dGRucy5pbwovZG5zLXF1ZXJ5'
  [static.'dnscry-pt-ashburn']
  # DNSCry.pt Ashburn (Unfiltered, DNSSEC, No logging)
  stamp = 'sdns://AQcAAAAAAAAACzQ1LjExLjIzMC44IMGyYyUUH-ohVO5gxPJoOoTQYe6WeqqivutZK9FR5v2eGTIuZG5zY3J5cHQtY2VydC5kbnNjcnkucHQ'
  [static.'dnscry-pt-allentown']
  # DNSCry.pt Allentown (Unfiltered, DNSSEC, No logging)
  stamp = 'sdns://AQcAAAAAAAAADTIzLjEzNy4yNTMuMjQg3Z0YI7udXIjKWcPC5GdTm4Uk6D1x2DuyYuj2OZz2cKQZMi5kbnNjcnlwdC1jZXJ0LmRuc2NyeS5wdA'
  [static.'plan9-dns-nj']
  # Plan9 DNS NJ (Unfiltered, DNSSEC, No logging)
  stamp = 'sdns://AQcAAAAAAAAAEjIwNy4yNDYuODcuOTY6ODQ0MyCwmQlIDpKk8SiiyrJbPgKhHxCrBJLb8ZWlu6tvr1KvkyQyLmRuc2NyeXB0LWNlcnQua3Jvbm9zLnBsYW45LWRucy5jb20'
  [static.'quad9']
  # Quad9 (Filtered, DNSSEC, No logging)
  stamp = 'sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0'
jimcease (Newbie, Posts: 14, Karma: 0)
Re: DNSCrypt questions, possible solution for toml file after upgrade
« Reply #5 on: October 18, 2024, 05:47:42 am »
Going to bed, but the actual logs were from when I first started to try to get this running on 10-12. No updates in the logs when I try to start the service. I am confused and tired at this point. DoT is running for now. Is there a simple step by step you can refer me to, whether I use the WebUI or the manual way?