Netgate Discussion Forum
    How to install DNSCRYPT from OpenDNS in pfSense

    19 Posts 15 Posters 20.5k Views
fsansfil

Here's the way I made it work with the latest beta 2.2:

1. Install.

2. To start: dnscrypt-proxy -R opendns --local-address=127.0.0.1:42 --daemonize

3. Add: server=127.0.0.1#42 ...in the advanced options of dnsmasq

4. General Setup tab: DNS servers, add 127.0.0.1 ...don't select any GW

5. Make a quick rule on WAN, UDP/TCP ... block all sport and dport 53

      F.

Gery

Here is what I did for pfSense 2.2 RC and Unbound (it's quite similar to what fsansfil did):

        1. Shell: pkg install dnscrypt-proxy

        2. mv /usr/local/etc/rc.d/dnscrypt-proxy /usr/local/etc/rc.d/dnscrypt-proxy.sh

        3. chmod 744 /usr/local/etc/rc.d/dnscrypt-proxy.sh (make sure the file is executable)

4. Added to /usr/local/etc/rc.d/dnscrypt-proxy.sh (like in the Google Docs file):

echo 'dnscrypt_proxy_enable="YES"' >> /etc/rc.conf
echo 'dnscrypt_proxy_flags="-a 127.0.0.1:42"' >> /etc/rc.conf

        I also changed a line to use a different resolver as opendns:
        : ${dnscrypt_proxy_resolver=dnscrypt.eu-nl} # resolver to use

5. /usr/local/etc/rc.d/dnscrypt-proxy.sh start

6. General Setup tab: Add DNS server 127.0.0.1 without any Gateway. I also added the OpenDNS servers as fallback in case anything isn't working.

7. Services -> DNS Resolver

Make sure DNS Query Forwarding is unchecked.

Put into the Advanced section:

server:
do-not-query-localhost: no

forward-zone:
  name: "."
  forward-addr: 127.0.0.1@42

        Edit: Updated my changes

MisterY

          I followed these instructions, though I'm on 2.2 (not 2.2 RC) and things went swimmingly until I tried to do step 5:

          /usr/local/etc/rc.d/dnscrypt-proxy.sh start
          Starting dnscrypt_proxy.
          ./dnscrypt-proxy.sh: WARNING: failed to start dnscrypt_proxy

          and that was that.  It didn't create any entries in any log I could find, so the only thing I could think of to look at (not being FreeBSD savvy) was the executable:

          file /usr/local/sbin/dnscrypt-proxy
          /usr/local/sbin/dnscrypt-proxy: ELF 64-bit LSB shared object, x86-64, version 1 (FreeBSD), dynamically linked (uses shared libs), for FreeBSD 10.0 (1000510), stripped

          and not really knowing what to look for, I compared it to another file:

          file /usr/local/sbin/dnsmasq
          /usr/local/sbin/dnsmasq: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked (uses shared libs), for FreeBSD 10.1, stripped

          where I see that one difference of the FreeBSD version number - can this be my problem?

          TIA!

ESPNSTI

            I recently installed dnscrypt on 2.2 following these instructions and everything is working fine for me.

            This is what I get from file /usr/local/sbin/dnscrypt-proxy :
            dnscrypt-proxy: ELF 32-bit LSB shared object, Intel 80386, version 1 (FreeBSD), dynamically linked (uses shared libs), for FreeBSD 10.0 (1000510), stripped

            file /usr/local/sbin/dnsmasq shows this:
            dnsmasq: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), dynamically linked (uses shared libs), for FreeBSD 10.1, stripped

            The /var/log/dnscrypt-proxy.log file does have some content for me.

kejianshi

You know, for me it seems that rather than inventing DNSCrypt, they would simply have offered a VPN that tunnels only port 53 to their servers...

Mithrondil

                This would be so much easier if somebody created a package for dnscrypt.

manaox2

                  @MisterY:

                  I followed these instructions, though I'm on 2.2 (not 2.2 RC) and things went swimmingly until I tried to do step 5:

                  /usr/local/etc/rc.d/dnscrypt-proxy.sh start
                  Starting dnscrypt_proxy.
                  ./dnscrypt-proxy.sh: WARNING: failed to start dnscrypt_proxy

                  and that was that.  It didn't create any entries in any log I could find, so the only thing I could think of to look at (not being FreeBSD savvy) was the executable:

                  file /usr/local/sbin/dnscrypt-proxy
                  /usr/local/sbin/dnscrypt-proxy: ELF 64-bit LSB shared object, x86-64, version 1 (FreeBSD), dynamically linked (uses shared libs), for FreeBSD 10.0 (1000510), stripped

                  and not really knowing what to look for, I compared it to another file:

                  file /usr/local/sbin/dnsmasq
                  /usr/local/sbin/dnsmasq: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked (uses shared libs), for FreeBSD 10.1, stripped

                  where I see that one difference of the FreeBSD version number - can this be my problem?

                  TIA!

I have the same problem. Now DNSCrypt has many more arguments required to start, such as a UID. Not sure if that affects running on pfSense.

                  file /usr/local/sbin/dnscrypt-proxy
                  ELF 64-bit LSB shared object, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 10.1, stripped

jeffhammett

I set up DNSCrypt on pfSense 2.2.5 with DNS Resolver following a combination of the two instructions below:

                    https://docs.google.com/document/d/1Q8Deap2Yt3UKcMAP7t6PGf_IVbFsD9rk3E6jhuL1RoM/edit?pli=1
                    http://citisky.net/installing-dnscrypt-onto-pfsense-2-2-x/

                    Everything is working great but I'd like to set it up to fail open to use plain text DNS should the DNSCrypt server stop working for any reason.

As it is now I have DNS Forwarding unchecked in the DNS Resolver and the following entered in Advanced:

do-not-query-localhost: no

forward-zone:
  name: "."
  forward-addr: 127.0.0.1@40

                    In my System-> General Setup I have 127.0.0.1 followed by two other public IP servers. I then stopped DNSCrypt and tried a DNS query on my pfSense but it did not work.

I assume I could add:

forward-addr: 127.0.0.1

                    to the DNS Resolver advanced settings, but I wasn't sure how to ensure that all queries go through DNSCrypt on port 40 and to only fall back to plain text DNS if DNSCrypt is down.

                    Any help is appreciated.

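Added example, not code from any poster in this thread: a small Python probe that reads the forward-addr lines out of an Unbound "Advanced" snippet like the ones Gery and jeffhammett pasted above, then sends a minimal DNS query to each listener to see whether dnscrypt-proxy is actually answering. It is the check you want before deciding how a resolver should behave when the encrypted path is down: a listener that quietly stops answering is otherwise only visible as slow or failing lookups. The snippet, the port 42 and the query name example.com are constructed sample values.

```python
"""Liveness probe for the dnscrypt-proxy listener behind Unbound.

Parses forward-addr entries (host@port) from an Unbound snippet and
sends one plain DNS A query to each over UDP. Added example; the
snippet below is constructed to match the forum posts, not copied
from a real firewall.
"""
import random
import re
import socket
import struct

# Constructed sample of the DNS Resolver "Advanced" text from the thread.
UNBOUND_SNIPPET = """
server:
do-not-query-localhost: no

forward-zone:
  name: "."
  forward-addr: 127.0.0.1@42
"""

# forward-addr: host[@port]   (Unbound's own syntax; port defaults to 53)
FORWARD_ADDR_RE = re.compile(r'^\s*forward-addr:\s*(\S+?)(?:@(\d+))?\s*$')


def parse_forward_addrs(text):
    """Return a list of (host, port) tuples for every forward-addr line."""
    addrs = []
    for line in text.splitlines():
        m = FORWARD_ADDR_RE.match(line)
        if m:
            addrs.append((m.group(1), int(m.group(2) or 53)))
    return addrs


def build_query(name, txid):
    """Build a minimal DNS A/IN query (RD=1) for name with transaction id txid."""
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip('.').split('.')
    qname = b''.join(struct.pack('!B', len(l)) + l.encode('ascii') for l in labels)
    return header + qname + b'\x00' + struct.pack('!HH', 1, 1)


def parse_response(data, txid):
    """Parse the DNS header of a reply.

    Returns {'rcode', 'ancount', 'truncated'} for a response whose id
    matches txid and has QR set, or None for anything else (short packet,
    wrong id, or a packet that is itself a query).
    """
    if len(data) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack('!HHHHHH', data[:12])
    if rid != txid or not flags & 0x8000:
        return None
    return {'rcode': flags & 0x000F, 'ancount': an, 'truncated': bool(flags & 0x0200)}


def probe(host, port, name='example.com.', timeout=2.0):
    """Send one query over UDP; True if a well-formed reply with our id comes back.

    Any rcode counts as alive: the question is whether the listener answers
    at all, not whether the sample name resolves.
    """
    txid = random.randrange(0, 0x10000)
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (host, port))
            data, _ = s.recvfrom(512)
        except (socket.timeout, OSError):  # no answer, or ICMP port unreachable
            return False
    return parse_response(data, txid) is not None


def check_forwarders(text):
    """Map each 'host@port' forwarder in the snippet to its liveness result."""
    return {f'{h}@{p}': probe(h, p) for h, p in parse_forward_addrs(text)}


if __name__ == '__main__':
    for target, ok in check_forwarders(UNBOUND_SNIPPET).items():
        print(target, 'alive' if ok else 'DOWN')
```

Run it from cron on the firewall against the real Advanced text and alert on DOWN; that gives you a signal that the encrypted forwarder has failed without having to let Unbound fall back to plaintext 53 unnoticed, and it also confirms that the forward-addr port you typed matches the -a / --local-address port dnscrypt-proxy was started with.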
yop038

                      for 2.3 => https://forum.pfsense.org/index.php?topic=111895.0

chrcoluk

                        pkg: No packages available to install matching 'dnscrypt-proxy' have been found in the repositories

                        pfSense CE 2.8.0

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.