Netgate Discussion Forum

How to install DNSCRYPT from OpenDNS in pfSense

DHCP and DNS
19 Posts 15 Posters 20.3k Views
atlmcw
last edited by Jun 23, 2014, 2:06 AM

This is my method to get OpenDNS w/ DNSCRYPT as my primary DNS in pfSense. Comments welcome.

This method is verified to work in 2.1.3. The only caveat is that it must be re-installed after an upgrade, and the server may be in a bad state (no DNS resolution) until then.

https://docs.google.com/document/d/1BgvDY8haswQd2BgBP8ctEriy9QRX1CikdbaFqr7yaOQ/edit?usp=sharing

-M
openletter
last edited by Jun 26, 2014, 7:59 PM

I'm not comfortable enough with FreeBSD or pfSense to try this, but thank you for working on it. I've wondered if there is a way to get my network behind DNSCrypt. I hope you develop this into a plugin that would-be admins such as myself can use.

I spotted a spelling error at

4. Start the dnscript-proxy service

pfSense 2.4.3-RELEASE (amd64) installed to PC on Samsung 860 EVO mSATA 256 GB SSD with Supermicro X11SBA-LN4F, Intel Pentium N3700, 4 GB RAM, 4 mobo 10/100/1000, 1 PCIe 10/100/1000 x4 NIC (HP NC364T), and APC Smart-UPS SMT1500.
shimura
last edited by Jun 30, 2014, 7:32 AM

@atlmcw:

> This is my method to get OpenDNS w/ DNSCRYPT as my primary DNS in pfSense. Comments welcome.
>
> This method is verified to work in 2.1.3. The only caveat is that it must be re-installed after an upgrade, and the server may be in a bad state (no DNS resolution) until then.
>
> https://docs.google.com/document/d/1BgvDY8haswQd2BgBP8ctEriy9QRX1CikdbaFqr7yaOQ/edit?usp=sharing
>
> -M

Tried on a 2.1.4 nano install (Alix); looks like everything is fine, according to a DNS leak test.
I'm trying to change the default OpenDNS server to another one but am not sure where; I checked dnscrypt-proxy.sh.
Any advice?
priller
posted Oct 13, 2014, 10:53 PM, last edited Oct 14, 2014, 11:51 AM

I encountered problems with the originally documented process in the first post, on 2.2-BETA. I never tried the installation on 2.1.x.

I have updated the original documentation based on my experience with pfSense 2.2-BETA.

2.2 DOC: https://docs.google.com/document/d/1Q8Deap2Yt3UKcMAP7t6PGf_IVbFsD9rk3E6jhuL1RoM/edit?usp=sharing
fsansfil
last edited by Oct 16, 2014, 11:52 PM

Works with the latest:

dnscrypt-proxy 1.4.0_4
libsodium: 1.0.0

F.
fsansfil
last edited by Nov 3, 2014, 11:48 PM

FYI

Hmm, just updated to 2.2 BETA RC4 (Nov 3) and I can't seem to make it work...

:(
Paul47
posted Nov 5, 2014, 6:30 PM, last edited Nov 5, 2014, 6:39 PM

Is priller's 2.2 procedure supposed to work with 2.1.X?

If I understand properly, this looks a bit of a kludge, e.g. having to recreate rc.conf every time it boots. And it is outside the supported pfSense software, requiring a re-install after every upgrade of pfSense (apparently). It would be nice if we could have this as part of pfSense in some future release, in this post-Snowden world... it would also increase the appeal of pfSense, I think.

(later) Ah, never mind, I see that dnscrypt is only an OpenDNS product.

(later yet) But they submitted the source on GitHub...
fsansfil
last edited by Nov 6, 2014, 1:46 AM

I remember downloading the app on Mac OS like 7 years ago; back then it was OpenDNS only...

Right now OpenDNS is indeed the default, but you can change it; check the screenshot.

CloudNS Canberra
CloudNS Sydney
First d0wn server in France
Second d0wn server in France
d0wn server in Isle of Man
d0wn server in Lichtenstein
First d0wn server in Netherlands
Second d0wn server in Netherlands
First d0wn server in Romania
Second d0wn server in Romania
d0wn server in Singapore
DNSCrypt.eu Denmark
DNSCrypt.eu Denmark over IPv6
DNSCrypt.eu Holland
DNSCrypt.eu Holland over IPv6
okTurtles
OpenDNS
OpenDNS with FamilyShield
OpenDNS over IPv6
OpenNIC server ns3.ca
OpenNIC server ns3.ca over IPv6
OpenNIC server ns4.ca
OpenNIC server ns4.ca over IPv6
OpenNIC server ns2.jp
OpenNIC server ns3.jp over IPv6
OpenNIC server ns10.uk
OpenNIC server ns10.uk over IPv6
OpenNIC server ns8.uk
OpenNIC server ns8.uk over IPv6
OpenNIC server ns9.uk
OpenNIC server ns9.uk over IPv6
OpenNIC server ns17.ca.us
OpenNIC server ns17.ca.us over IPv6
Soltysiak

![Screen Shot 2014-11-05 at 8.41.50 PM.png](/public/imported_attachments/1/Screen Shot 2014-11-05 at 8.41.50 PM.png)
priller
last edited by Nov 6, 2014, 2:20 AM

@Paul47:

> If I understand properly, this looks a bit of a kludge, e.g. having to recreate rc.conf every time it boots. And it is outside the supported pfSense software, requiring a re-install after every upgrade of pfSense (apparently). It would be nice if we could have this as part of pfSense in some future release, in this post-Snowden world... it would also increase the appeal of pfSense, I think.

It will survive an upgrade. I have upgraded 2.2-BETA multiple times and it survives.

I agree, it would be nice for DNSCrypt to be a supported part of pfSense or at least an official package. (Not in my skill set to do that.)

Yes, you can use any of the other DNSCrypt-capable servers included in the /usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv file by specifying the desired one with the --resolver-name= option.
fsansfil
last edited by Nov 10, 2014, 9:55 PM

Here's the way I made it work with the latest 2.2 beta:

1. Install

2. To start: dnscrypt-proxy -R opendns --local-address=127.0.0.1:42 --daemonize

3. Add server=127.0.0.1#42 in the advanced options of dnsmasq

4. General Setup tab: add DNS server 127.0.0.1; don't select any gateway

5. Make a quick rule on WAN, UDP/TCP, blocking everything with sport and dport 53

F.
Gery
posted Dec 14, 2014, 8:59 PM, last edited Dec 15, 2014, 7:19 PM

Here is what I did for pfSense 2.2 RC and Unbound (it's quite similar to what fsansfil did):

1. Shell: pkg install dnscrypt-proxy

2. mv /usr/local/etc/rc.d/dnscrypt-proxy /usr/local/etc/rc.d/dnscrypt-proxy.sh

3. chmod 744 /usr/local/etc/rc.d/dnscrypt-proxy.sh (make sure the file is executable)

4. Added to /usr/local/etc/rc.d/dnscrypt-proxy.sh (like in the Google Docs file):

    echo 'dnscrypt_proxy_enable="YES"' > /etc/rc.conf
    echo 'dnscrypt_proxy_flags="-a 127.0.0.1:42"' >> /etc/rc.conf

I also changed a line to use a different resolver than OpenDNS:

    : ${dnscrypt_proxy_resolver=dnscrypt.eu-nl} # resolver to use

5. /usr/local/etc/rc.d/dnscrypt-proxy.sh start

6. General Setup tab: add DNS server 127.0.0.1 without any gateway. I also added the OpenDNS servers as fallback in case anything isn't working.

7. Services -> DNS Resolver

Make sure DNS Query Forwarding is unchecked.

Put into the Advanced section:

    server:
    do-not-query-localhost: no

    forward-zone:
      name: "."
      forward-addr: 127.0.0.1@42

Edit: Updated my changes
MisterY
last edited by Feb 6, 2015, 6:46 PM

I followed these instructions, though I'm on 2.2 (not 2.2 RC), and things went swimmingly until I tried to do step 5:

    /usr/local/etc/rc.d/dnscrypt-proxy.sh start
    Starting dnscrypt_proxy.
    ./dnscrypt-proxy.sh: WARNING: failed to start dnscrypt_proxy

and that was that. It didn't create any entries in any log I could find, so the only thing I could think of to look at (not being FreeBSD savvy) was the executable:

    file /usr/local/sbin/dnscrypt-proxy
    /usr/local/sbin/dnscrypt-proxy: ELF 64-bit LSB shared object, x86-64, version 1 (FreeBSD), dynamically linked (uses shared libs), for FreeBSD 10.0 (1000510), stripped

and, not really knowing what to look for, I compared it to another file:

    file /usr/local/sbin/dnsmasq
    /usr/local/sbin/dnsmasq: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked (uses shared libs), for FreeBSD 10.1, stripped

where I see one difference, the FreeBSD version number - can this be my problem?

TIA!
ESPNSTI
last edited by Feb 11, 2015, 3:48 AM

I recently installed dnscrypt on 2.2 following these instructions and everything is working fine for me.

This is what I get from file /usr/local/sbin/dnscrypt-proxy:

    dnscrypt-proxy: ELF 32-bit LSB shared object, Intel 80386, version 1 (FreeBSD), dynamically linked (uses shared libs), for FreeBSD 10.0 (1000510), stripped

file /usr/local/sbin/dnsmasq shows this:

    dnsmasq: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), dynamically linked (uses shared libs), for FreeBSD 10.1, stripped

The /var/log/dnscrypt-proxy.log file does have some content for me.
kejianshi
last edited by Feb 12, 2015, 12:34 AM

You know, for me it seems that rather than inventing DNSCrypt, they would simply have offered a VPN that tunnels only port 53 to their servers...
Mithrondil
last edited by Feb 17, 2015, 11:23 PM

This would be so much easier if somebody created a package for dnscrypt.
manaox2
last edited by Aug 17, 2015, 9:57 PM

@MisterY:

> I followed these instructions, though I'm on 2.2 (not 2.2 RC), and things went swimmingly until I tried to do step 5:
>
>     /usr/local/etc/rc.d/dnscrypt-proxy.sh start
>     Starting dnscrypt_proxy.
>     ./dnscrypt-proxy.sh: WARNING: failed to start dnscrypt_proxy
>
> and that was that. It didn't create any entries in any log I could find, so the only thing I could think of to look at (not being FreeBSD savvy) was the executable:
>
>     file /usr/local/sbin/dnscrypt-proxy
>     /usr/local/sbin/dnscrypt-proxy: ELF 64-bit LSB shared object, x86-64, version 1 (FreeBSD), dynamically linked (uses shared libs), for FreeBSD 10.0 (1000510), stripped
>
> and, not really knowing what to look for, I compared it to another file:
>
>     file /usr/local/sbin/dnsmasq
>     /usr/local/sbin/dnsmasq: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked (uses shared libs), for FreeBSD 10.1, stripped
>
> where I see one difference, the FreeBSD version number - can this be my problem?
>
> TIA!

I have the same problem. Now DNSCrypt requires many more arguments to start, such as a UID. Not sure if that affects running on pfSense.

    file /usr/local/sbin/dnscrypt-proxy
    ELF 64-bit LSB shared object, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 10.1, stripped
jeffhammett
last edited by Nov 12, 2015, 4:51 AM

I set up DNSCrypt on pfSense 2.2.5 with DNS Resolver following a combination of the two instructions below:

https://docs.google.com/document/d/1Q8Deap2Yt3UKcMAP7t6PGf_IVbFsD9rk3E6jhuL1RoM/edit?pli=1
http://citisky.net/installing-dnscrypt-onto-pfsense-2-2-x/

Everything is working great, but I'd like to set it up to fail open to plain-text DNS should the DNSCrypt server stop working for any reason.

As it is now I have DNS Forwarding unchecked in the DNS Resolver and the following entered in Advanced:

    do-not-query-localhost: no

    forward-zone:
     name: "."
     forward-addr: 127.0.0.1@40

In my System -> General Setup I have 127.0.0.1 followed by two other public IP servers. I then stopped DNSCrypt and tried a DNS query on my pfSense, but it did not work.

I assume I could add:

    forward-addr: 127.0.0.1

to the DNS Resolver advanced settings, but I wasn't sure how to ensure that all queries go through DNSCrypt on port 40 and only fall back to plain-text DNS if DNSCrypt is down.

Any help is appreciated.
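The Unbound fragment Gery posted and the fail-open question in the post above both hinge on two details that are easy to get wrong, so here is an added example (not code from pfSense, Unbound, dnscrypt-proxy or anyone in this thread) that checks them. It parses an Unbound "Advanced" fragment of the kind pasted above and reports when `do-not-query-localhost` is not set to `no` (Unbound then refuses to send queries to 127.0.0.1, so the DNSCrypt forwarder is never used, which is the symptom of "it just doesn't resolve"), and when a non-loopback `forward-addr` shares the zone with the proxy (Unbound picks among a zone's forward-addr entries by its round-trip-time estimate, not in listed order, so a public resolver in the same zone is a peer that can receive plain-text queries at any time rather than a fallback that only takes over when the proxy is down). It also TCP-probes the proxy's local address from fsansfil's step 2, which is what a cron watchdog would call before deciding that resolution has silently degraded. The sample fragments are constructed from the ones in this thread; `192.0.2.53` is a documentation address standing in for a public resolver, and the port numbers are the thread's own.

```python
"""Checks for the Unbound + dnscrypt-proxy forwarding setup from this thread.

Added example, not pfSense, Unbound or dnscrypt-proxy code.  It parses the
'Advanced' fragment pasted into the DNS Resolver page and flags the two
configurations that defeat the setup, then probes the proxy's local port.
"""
import ipaddress
import re
import socket
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Forwarder = Tuple[str, int]

# Unbound syntax: "forward-addr: <ip>[@port]"; port defaults to 53.
ADDR_RE = re.compile(r"^forward-addr:\s*(\S+?)(?:@(\d+))?$")


@dataclass
class ForwardReport:
    do_not_query_localhost: Optional[str] = None   # value seen, None if absent
    loopback: List[Forwarder] = field(default_factory=list)   # local proxy
    plaintext: List[Forwarder] = field(default_factory=list)  # other upstreams
    problems: List[str] = field(default_factory=list)

    @property
    def fails_open(self) -> bool:
        """True when plain-text upstreams share the zone with the local proxy."""
        return bool(self.loopback) and bool(self.plaintext)


def parse_forward_fragment(text: str) -> ForwardReport:
    """Parse an Unbound fragment and report forwarders plus misconfigurations."""
    rep = ForwardReport()
    in_zone = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        if line.startswith("server:"):
            in_zone = False
        elif line.startswith("forward-zone:"):
            in_zone = True
        elif line.startswith("do-not-query-localhost:"):
            rep.do_not_query_localhost = line.split(":", 1)[1].strip().lower()
        elif in_zone:
            m = ADDR_RE.match(line)
            if not m:
                continue          # name:, forward-first: and the like
            host, port = m.group(1), int(m.group(2) or 53)
            try:
                is_loop = ipaddress.ip_address(host).is_loopback
            except ValueError:
                rep.problems.append(f"forward-addr {host!r} is not an IP address")
                continue
            (rep.loopback if is_loop else rep.plaintext).append((host, port))

    if rep.loopback and rep.do_not_query_localhost != "no":
        rep.problems.append(
            "do-not-query-localhost is not 'no': Unbound will refuse to query "
            "127.0.0.1, so the DNSCrypt forwarder is never used")
    if rep.fails_open:
        rep.problems.append(
            "plain-text forwarders share the zone with the local proxy: Unbound "
            "selects among forward-addr entries by RTT, not in listed order, so "
            "queries can go out in the clear while dnscrypt-proxy is running")
    return rep


def proxy_listening(host: str = "127.0.0.1", port: int = 42,
                    timeout: float = 1.0) -> bool:
    """TCP-connect probe of the proxy's local address (assumes the proxy
    accepts TCP there, as dnscrypt-proxy 1.x does).  False means resolution
    is down, or, with a fail-open zone, silently running in plain text."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample: Gery's fragment (proxy on 127.0.0.1 port 42).
GERY_FRAGMENT = """
server:
do-not-query-localhost: no

forward-zone:
  name: "."
  forward-addr: 127.0.0.1@42
"""

# Constructed sample of the 'fallback' idea from jeffhammett's post, with a
# public resolver next to the proxy.  192.0.2.53 is a documentation address.
FAIL_OPEN_FRAGMENT = """
do-not-query-localhost: no
forward-zone:
 name: "."
 forward-addr: 127.0.0.1@40
 forward-addr: 192.0.2.53
"""

if __name__ == "__main__":
    for label, frag in (("gery", GERY_FRAGMENT), ("fail-open", FAIL_OPEN_FRAGMENT)):
        rep = parse_forward_fragment(frag)
        print(f"{label}: loopback={rep.loopback} plaintext={rep.plaintext}")
        for problem in rep.problems:
            print("  problem:", problem)
    print("dnscrypt-proxy listening on 127.0.0.1:42:", proxy_listening())
```

Run it on the box as a cron job and alert on `proxy_listening()` returning False; with a single loopback forwarder and `do-not-query-localhost: no`, a dead proxy means resolution fails closed, which is the behaviour you want if the point of the setup is that no query leaves in the clear.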
yop038
last edited by May 18, 2016, 7:12 AM

For 2.3 => https://forum.pfsense.org/index.php?topic=111895.0
chrcoluk
last edited by Dec 3, 2016, 11:03 PM

    pkg: No packages available to install matching 'dnscrypt-proxy' have been found in the repositories

pfSense CE 2.7.2
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.