Support for Oblivious DNS in DNScrypt

Started by yeraycito, March 05, 2025, 01:23:52 AM

DNSCrypt supports Cloudflare's DNS under the ODoH protocol, and a relay is required to configure it. DNSCrypt servers and DNS-over-HTTPS servers can be configured in the DNSCrypt interface, but ODoH servers cannot be configured.
Following this tutorial https://forums.serverbuilds.net/t/guide-adguard-home-unbound-dnscrypt-under-opnsense-part-2/13271 the Cloudflare ODoH DNS with its respective relays works correctly. The problem is that when restarting OPNsense all modifications are lost and the dnscrypt-proxy.toml file has to be modified again via SSH.


In my case I have modified the dnscrypt-proxy.toml file, leaving it as follows, and it works without problems ... until OPNsense restarts and it stops working:


# Unbound listens on 53530 in the tutorial's layout, so dnscrypt-proxy gets its own local port here (5353 in this file)
listen_addresses = ['127.0.0.1:5353']

max_clients = 250
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = false
doh_servers = false
odoh_servers = true
require_dnssec = true
require_nolog = true
require_nofilter = false
force_tcp = false
timeout = 2500
keepalive = 30
server_names = ['odoh-cloudflare']

log_level = 2
log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log'
use_syslog = false

cert_refresh_delay = 240
dnscrypt_ephemeral_keys = true
tls_disable_session_tickets = false
ignore_system_dns = true

netprobe_timeout = 30
log_files_max_size = 10
log_files_max_age = 7
log_files_max_backups = 1
# If you want to be sure you don't use IPv6 change this setting to "true"
block_ipv6 = true

forwarding_rules = 'forwarding-rules.txt'
cloaking_rules = 'cloaking-rules.txt'

# Just disable it... Why do you need more caching if you have Unbound?
cache = false

[query_log]
  file = '/var/log/dnscrypt-proxy/query.log'
  format = 'tsv'

[nx_log]
  file = '/var/log/dnscrypt-proxy/nx.log'
  format = 'tsv'

[allowed_names]
  allowed_names_file = 'whitelist.txt'
  log_file = '/var/log/dnscrypt-proxy/whitelisted.log'
  log_format = 'tsv'


[sources]
  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''

  ## Anonymized DNS relays

  [sources.'relays']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/relays.md']
  cache_file = 'relays.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''

[anonymized_dns]
routes = [
    { server_name='odoh-cloudflare', via=['odohrelay-ams', 'odohrelay-crypto-sx']}
]

### ODoH (Oblivious DoH) servers and relays ###
  [sources.'odoh-servers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md']
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  cache_file = 'odoh-servers.md'
  refresh_delay = 72
  prefix = ''
  [sources.'odoh-relays']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md']
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  cache_file = 'odoh-relays.md'
  refresh_delay = 72
  prefix = ''

[static]


I would love to see support for this in the future.
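Added example, not part of the post above or of the dnscrypt-proxy or OPNsense projects: a small sanity check for the ODoH-specific parts of a dnscrypt-proxy.toml before it is dropped onto the firewall. It looks for the three things that silently break the setup described above: `odoh_servers` left at `false`, an ODoH server listed in `server_names` without a relay route under `[anonymized_dns]` (dnscrypt-proxy's example config documents that ODoH servers are only usable through an ODoH relay), and junk characters inside the `urls` arrays of the sources (the kind a copy-paste from a web page tends to introduce). The config excerpts are constructed in the shape of the file posted above, and the check is a deliberately narrow regular-expression scan of that shape, not a general TOML parser.

```python
import re

# Constructed excerpt in the shape of the dnscrypt-proxy.toml posted above (not the poster's file verbatim).
GOOD_CONFIG = """\
listen_addresses = ['127.0.0.1:5353']
dnscrypt_servers = false
doh_servers = false
odoh_servers = true
server_names = ['odoh-cloudflare']

[sources]
  [sources.'odoh-servers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md']
  cache_file = 'odoh-servers.md'
  [sources.'odoh-relays']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md']
  cache_file = 'odoh-relays.md'

[anonymized_dns]
routes = [
    { server_name='odoh-cloudflare', via=['odohrelay-ams', 'odohrelay-crypto-sx'] }
]
"""

# The same file with the three mistakes the check is meant to catch (constructed).
BAD_CONFIG = (GOOD_CONFIG
              .replace("odoh_servers = true", "odoh_servers = false")
              .replace("odoh-servers.md',", "odoh-servers.md';,")          # stray ';' after a URL
              .replace("via=['odohrelay-ams', 'odohrelay-crypto-sx']", "via=[]"))


def _quoted(match):
    """Single-quoted strings inside the bracket that a regex captured, or [] if nothing matched."""
    return re.findall(r"'([^']*)'", match.group(1)) if match else []


def check_odoh_config(text: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means the ODoH parts look consistent."""
    findings = []

    m = re.search(r"^\s*odoh_servers\s*=\s*(true|false)", text, re.M)
    if not m or m.group(1) != "true":
        findings.append("odoh_servers is not true: ODoH entries in server_names will be ignored")

    names = _quoted(re.search(r"^\s*server_names\s*=\s*\[(.*?)\]", text, re.M))

    # routes = [ { server_name='x', via=['r1', 'r2'] }, ... ] under [anonymized_dns]
    routes = {}
    rm = re.search(r"^\s*routes\s*=\s*\[(.*?)^\s*\]", text, re.M | re.S)
    if rm:
        pattern = r"\{\s*server_name\s*=\s*'([^']*)'\s*,\s*via\s*=\s*\[([^\]]*)\]"
        for name, via in re.findall(pattern, rm.group(1)):
            routes[name] = re.findall(r"'([^']*)'", via)
    for name in names:
        if not routes.get(name):
            findings.append(f"server {name!r} has no relay route in [anonymized_dns]")

    sources = set(re.findall(r"^\s*\[sources\.'([^']+)'\]", text, re.M))
    for required in ("odoh-servers", "odoh-relays"):
        if required not in sources:
            findings.append(f"missing [sources.'{required}'] list")

    for inner in re.findall(r"^\s*urls\s*=\s*\[(.*?)\]", text, re.M):
        for url in re.findall(r"'([^']*)'", inner):
            if not re.fullmatch(r"https://[\w.\-/]+", url):
                findings.append(f"suspicious url {url!r}")
        leftover = re.sub(r"'[^']*'", "", inner)       # only commas/whitespace may remain
        if not re.fullmatch(r"[\s,]*", leftover):
            findings.append(f"stray characters in urls array: {leftover.strip()!r}")

    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_odoh_config(cfg) or "ok")
```

The authoritative check for a real file is still dnscrypt-proxy's own `dnscrypt-proxy -check -config <file>` run on the box; this script only narrows down which of the ODoH-specific settings was lost or mangled after a regenerate.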

May 15, 2025, 08:17:18 AM #4 Last Edit: May 15, 2025, 08:29:53 AM by OPNenthu
FYI: https://github.com/opnsense/plugins/pull/4374

Edit: Was curious, what encryption protocol does this use between OPNsense and the ODoH relay? 

I understand that it's using ODoH between the relay and the server, but is it normal DNSCrypt from OPNsense to relay?  If so, what is gained (privacy wise) over regular DNSCrypt with Anonymous relay?

September 12, 2025, 08:33:45 PM #5 Last Edit: September 12, 2025, 08:39:19 PM by vpx23
Quote from: OPNenthu on May 15, 2025, 08:17:18 AM
Edit: Was curious, what encryption protocol does this use between OPNsense and the ODoH relay?
This is explained here: ODoH Message Flow

ODoH creates an end-to-end encryption (EEE) from client to target using Hybrid Public Key Encryption (HPKE). The transport encryption between client and relay and between relay and target is regular TLS/HTTPS. So even after the relay decrypts the transport encryption the query will still be encrypted. And the target doesn't know the real source IP. So the EEE protects the query from the relay and the relay protects the source IP from the target (under the premise that relay and target don't collude).

Your second question is answered here: Anonymized DNS vs. ODOH? #2617
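Added example, not part of the reply above or of any ODoH implementation: a toy model of the message flow just described, written to show which party can see which data. The client seals the query to the target's public key, the relay forwards an opaque blob and only learns the client's IP, the target decrypts the query and only learns the relay's IP, and the response comes back sealed under a secret exported from the same key exchange. HPKE is replaced by a constructed stand-in (finite-field Diffie-Hellman over a Mersenne prime, HKDF-SHA256, and an HMAC-based encrypt-then-MAC AEAD) so it runs on the Python standard library; it is not secure and not wire-compatible with ODoH, and the query, IPs and answer are all made-up sample values.

```python
import hashlib
import hmac
import secrets

P = (1 << 127) - 1            # Mersenne prime; toy DH group standing in for X25519 (NOT secure)
G = 5
AAD_QUERY, AAD_RESP = b"odoh query", b"odoh response"


def _i2b(x: int) -> bytes:
    return x.to_bytes(16, "big")


def hkdf(ikm: bytes, info: bytes, length: int) -> bytes:
    """HKDF-SHA256 extract-then-expand (RFC 5869), playing the role of HPKE's key schedule."""
    prk = hmac.new(b"odoh-toy-salt", ikm, hashlib.sha256).digest()
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + t, i + 1
    return out[:length]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def aead_seal(keys: bytes, aad: bytes, pt: bytes) -> bytes:
    """Toy AEAD: keys = enc_key(32) | mac_key(32) | nonce(12); returns ciphertext || 32-byte tag."""
    enc_key, mac_key, nonce = keys[:32], keys[32:64], keys[64:76]
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    return ct + hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()


def aead_open(keys: bytes, aad: bytes, sealed: bytes) -> bytes:
    enc_key, mac_key, nonce = keys[:32], keys[32:64], keys[64:76]
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("AEAD authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def keygen() -> tuple:
    sk = secrets.randbelow(P - 2) + 2
    return sk, pow(G, sk, P)


def _schedule(shared: int, pk_e: int, pk_r: int) -> tuple:
    """Query AEAD keys plus an exported secret that both ends reuse for the response leg."""
    km = hkdf(_i2b(shared), b"odoh-toy" + _i2b(pk_e) + _i2b(pk_r), 108)
    return km[:76], km[76:]


def hpke_seal(pk_r: int, aad: bytes, pt: bytes) -> tuple:
    sk_e, pk_e = keygen()                                  # ephemeral KEM key pair
    query_keys, export = _schedule(pow(pk_r, sk_e, P), pk_e, pk_r)
    return pk_e, aead_seal(query_keys, aad, pt), export


def hpke_open(sk_r: int, pk_e: int, aad: bytes, sealed: bytes) -> tuple:
    query_keys, export = _schedule(pow(pk_e, sk_r, P), pk_e, pow(G, sk_r, P))
    return aead_open(query_keys, aad, sealed), export


def odoh_exchange(query: bytes, client_ip: str, relay_ip: str,
                  target_sk: int, tamper: bool = False) -> dict:
    """One round trip; returns what relay, target and client each observed.

    The two TLS hops are modelled only as 'relay learns client_ip' and
    'target learns relay_ip'; the HPKE layer inside them is what the relay cannot open.
    """
    target_pk = pow(G, target_sk, P)                       # published via the odoh-servers list
    pk_e, sealed_q, export = hpke_seal(target_pk, AAD_QUERY, query)
    relay_view = {"peer_ip": client_ip, "bytes_seen": len(sealed_q),
                  "can_read_query": query in sealed_q}
    if tamper:                                             # a hostile relay flips one bit
        sealed_q = bytes([sealed_q[0] ^ 1]) + sealed_q[1:]
    try:
        plain, t_export = hpke_open(target_sk, pk_e, AAD_QUERY, sealed_q)
    except ValueError:
        return {"relay": relay_view, "target": {"peer_ip": relay_ip, "query": None},
                "client": {"answer": None}}
    answer = plain + b" -> 192.0.2.1"                      # constructed answer (TEST-NET-1 address)
    sealed_a = aead_seal(hkdf(t_export, AAD_RESP, 76), AAD_RESP, answer)
    relay_view["can_read_answer"] = answer in sealed_a
    client_answer = aead_open(hkdf(export, AAD_RESP, 76), AAD_RESP, sealed_a)
    return {"relay": relay_view, "target": {"peer_ip": relay_ip, "query": plain},
            "client": {"answer": client_answer}}


if __name__ == "__main__":
    sk, _ = keygen()
    print(odoh_exchange(b"example.com. IN A", "203.0.113.10", "198.51.100.5", sk))
```

The returned views make the non-collusion premise concrete: the relay's record holds an IP and an opaque blob, the target's record holds a query and the relay's IP, and only by joining the two records on the same request could anyone tie the query to the client. The `tamper` path shows the other property the reply alludes to: a relay that modifies the sealed query only causes an authentication failure at the target, it cannot read or rewrite it.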