Dnscrypt-proxy coming to pfsense package?



  • Anyone know if there's a package coming for dnscrypt-proxy anytime soon?



  • 1+



  • +1. It would be a nice security addition to pfsense.

    Edit: I'll throw in $50 if someone wants to put together a bounty detailing what would be required.


  • Rebel Alliance Global Moderator

    Since the default of pfsense is to use unbound as resolver, and dnscrypt is a tool to encrypt traffic to a resolver..  what is the point of this?  When pfsense is the resolver..



  • Quite a few potential reasons.

    • The OP may want to use a forwarder rather than have pfSense do the resolving

    • The OP's ISP may operate a transparent DNS proxy which they wish to bypass

    • The OP may wish to use a DNS based web-filtering service such as OpenDNS and have the DNS queries encrypted (Sure the OP could use pfblocker NG DNSBL but they may find it easier to use OpenDNS)


  • Rebel Alliance Global Moderator

    Using a forwarder does not mean they want/need to encrypt to forwarder.
    Shitty ISP, change would be the better option ;)
    So he wants to hide his dns queries from his ISP, that is sniffing his traffic because clearly he is not asking their dns.. Wouldn't such a person already be using a VPN to hide their traffic from their NSA friendly isp? ;)



  • @johnpoz:

    Using a forwarder does not mean they want/need to encrypt to forwarder.
    Shitty ISP, change would be the better option ;)
    So he wants to hide his dns queries from his ISP, that is sniffing his traffic because clearly he is not asking their dns.. Wouldn't such a person already be using a VPN to hide their traffic from their NSA friendly isp? ;)

    Shitty ISP, change would be the better option

    Not always an option. There are plenty of places where a single broadband provider has a monopoly… and also engages in various not so great things via DNS. How many people really examine the TOS for their ISP anyway? Plus, metadata isn't protected under privacy laws in many, many countries.

    As far as using a VPN... not many (most?) of us want to use a vpn for general traffic. Never mind that some consumer vpn providers simply aren't trustworthy or particularly good at what they do... you really don't want your identifying data to be associated with any addresses used by their less savory clientele (not interested in arguing this one with privacy nuts, thanks).

    Dnscrypt won't really hide what you are doing online, but perhaps that really isn't necessary. Maybe you just want a bit of added protection when you are on networks you don't control, but for whatever reason you aren't interested in or able to use a VPN. Poking around at DNS queries is probably the most common way unskilled people attempt to spy on others browsing habits. Although discussion of that seems pointless in today's world of deep packet inspection and what not, dnscrypt is a good option if you prefer to not have your DNS queries visible to that casual type of traffic snooping which sadly seems accepted and ubiquitous these days.

    It might make more sense to set up DNSCrypt per device, but that can get labor intensive. Perhaps you provide net access for less technical folks? The last thing you want to do is get a finger in their box, as from that non-techie's pov you now own it and everything wrong with it! I don't deny that monkeying with non-standard DNS settings eventually breaks something, especially on mobile devices that are used in lots of environments. In that light, like adblocking, it's sometimes easier to just deal with it near or at the gateway. That's probably why there's a bit of interest in pursuing such on PFSense. As to whether it'll lead to less labor than alternative methods is something people will have to figure out for themselves. :)



  • @EHG:

    +1. It would be a nice security addition to pfsense.

    Edit: I'll throw in $50 if someone wants to put together a bounty detailing what would be required.

    What sort of approval process is there for pfsense packages?  I'm certain I could get this to at least a beta state, but I'd want to know whether my labor wouldn't be for naught if the powers that be have zero interest in allowing it.

    Getting dnscrypt working well on PFSense 2.3 would require the following at a minimum:

    1. Installing dnscrypt-proxy package + dependencies
    2. updating dnscrypt server list
    3. knowing whether unbound or dnsmasq is used (and not breaking other addons with changes)
    4. dnscrypt config - setting server(s), internal ip & port (other than 53)
    5. putting unbound into forwarding mode if applicable, modify unbound or dnsmasq config with dnscrypt port info,
    6. starting dnscrypt-proxy with rc.d
    7. logging considerations
    8. lots of new webgui crap, since pfsense users get hives & the shakes when using terminal
    9. other stuff I'm probably forgetting or don't know about

    Overall, quite a bit of work to get running smoothly.



  • I would definitely throw some money at you if you could get this working!



  • I am surprised this is not a feature already, dnscrypt for me is essential.

    I haven't used pfsense before (ordered hardware for it tho).  I am a very experienced FreeBSD user but I don't know how much of the FreeBSD system is part of pfsense (e.g. does it have the ports tree?).

    There is a dnscrypt-proxy port on FreeBSD so the OS supports it for sure, but if PFsense has its own package system independent from FreeBSD then I can see the issue and I guess it needs someone to authorise dnscrypt-proxy and all the dependencies into the package system.

    Unbound also has native capabilities to talk to upstream unbound resolvers encrypted; however, I have never used it in that mode, and I don't know if it is as private as dnscrypt.



  • @chrcoluk:

    There is a dnscrypt-proxy port on FreeBSD so the OS supports it for sure, but if PFsense has its own package system independent from FreeBSD then I can see the issue and I guess it needs someone to authorise dnscrypt-proxy and all the dependencies into the package system.

    This is no longer true in PfSense 2.3+, all the packages are installed as standard PKG(NG) packages and most of the functionality of the packages comes from standard FreeBSD packages but compiled with better default settings for pfSense. For example the openvpn-client-export package is installed as two additional PKG packages, nothing else:

    
    $ pkg info -x openvpn
    openvpn-2.3.11
    openvpn-client-export-2.3.11
    pfSense-pkg-openvpn-client-export-1.3.13


  • Rebel Alliance Global Moderator

    "talk to upstream unbound resolvers encrypted "

    What mode is this??  Are you thinking dnssec?  dnssec does not encrypt the traffic, it just validates that records are correct via a signature.

    " dnscrypt for me is essential.  "

    And has zero use when running a resolver..



  • johnpoz we get it, you don't like dnscrypt, so why are you in this thread?

    If someone wants to run dnscrypt on their own kit, it's none of your business.

    My setup on my existing router which I plan to migrate to pfsense is sort of like this:

    local caching resolver -> forwards uncached requests to my own dnscrypt endpoint of which that resolves out on the internet.

    and yes I know what dnssec is and the mode is nothing to do with dnssec.

    uozewe - I am willing to send something your way for the work, a cli only package is good enough for me, so just the binary, rc script and maybe sample configuration.  I got no issue editing unbound and what not to add the forwarder manually.
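The steps listed earlier for getting dnscrypt-proxy running on pfSense 2.3 (non-53 listener port, unbound or dnsmasq in forwarding mode, rc.d startup) and the "caching resolver forwards uncached queries to a local dnscrypt endpoint" layout described just above are the same configuration, so here is one added example covering both. It is not code from this thread, from pfSense or from the dnscrypt-proxy project. The listener address 127.0.0.1:5353, the resolver name "cisco", the rc.conf variable names, and the _dnscrypt-proxy service user are assumptions; verify them against the rc script the FreeBSD port installs before relying on the output.

```shell
#!/bin/sh
# Added example, not code from this thread, from pfSense or from dnscrypt-proxy.
# It produces the config fragments that steps 3 to 6 of the post call for:
# a dnscrypt-proxy 1.x listener on a non-53 port, the matching unbound
# (or dnsmasq) forwarding stanza, and rc.conf lines to start the proxy.
# Listener address/port, resolver name, rc variable names and the service
# user are assumptions; check them against your dnscrypt-proxy rc script.

DNSCRYPT_ADDR="127.0.0.1"      # assumed: proxy listens on loopback only
DNSCRYPT_PORT="5353"           # assumed: anything but 53, which the resolver owns
DNSCRYPT_RESOLVER="cisco"      # assumed: a name from dnscrypt-resolvers.csv

# Step 4 check: refuse a listener port that is not numeric, out of range,
# or 53 (unbound/dnsmasq already bind 53, so the proxy would fail to start
# or race the resolver for the socket).
check_dnscrypt_port() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    [ "$port" -ne 53 ] || return 1
    return 0
}

# Step 5, unbound: forward every query to the proxy. When the proxy is on
# loopback, unbound also needs do-not-query-localhost set to no; with the
# default (yes) it never sends queries there and resolution silently fails.
unbound_forward_conf() {
    addr="$1"; port="$2"
    case "$addr" in
        127.*|::1) printf 'server:\n    do-not-query-localhost: no\n' ;;
    esac
    printf 'forward-zone:\n    name: "."\n    forward-addr: %s@%s\n' "$addr" "$port"
}

# Step 5, dnsmasq: same idea; no-resolv keeps it from also using resolv.conf
# upstreams, which would send plain-text queries around the proxy.
dnsmasq_forward_conf() {
    addr="$1"; port="$2"
    printf 'no-resolv\nserver=%s#%s\n' "$addr" "$port"
}

# Step 6: rc.conf lines for the FreeBSD dnscrypt-proxy 1.x rc script.
# Variable names and the _dnscrypt-proxy user are assumed from the FreeBSD
# port; the rc script is assumed to pass the resolver as --resolver-name,
# and --local-address/--user are 1.x command-line options.
dnscrypt_rc_conf() {
    addr="$1"; port="$2"; resolver="$3"
    printf 'dnscrypt_proxy_enable="YES"\n'
    printf 'dnscrypt_proxy_resolver="%s"\n' "$resolver"
    printf 'dnscrypt_proxy_flags="--local-address=%s:%s --user=_dnscrypt-proxy"\n' \
        "$addr" "$port"
}

main() {
    check_dnscrypt_port "$DNSCRYPT_PORT" || {
        echo "refusing dnscrypt listener port: $DNSCRYPT_PORT" >&2
        return 1
    }
    echo "# --- unbound: paste into the DNS Resolver custom options box ---"
    unbound_forward_conf "$DNSCRYPT_ADDR" "$DNSCRYPT_PORT"
    echo "# --- dnsmasq alternative ---"
    dnsmasq_forward_conf "$DNSCRYPT_ADDR" "$DNSCRYPT_PORT"
    echo "# --- append to /etc/rc.conf.local ---"
    dnscrypt_rc_conf "$DNSCRYPT_ADDR" "$DNSCRYPT_PORT" "$DNSCRYPT_RESOLVER"
}

main "$@"
```

The unbound stanza is the part people most often get wrong: the pfSense GUI's "forwarding mode" checkbox sends queries to the system DNS servers on port 53, so a proxy on a different port has to be reached through a forward-zone in the custom options, and without do-not-query-localhost: no unbound refuses to talk to 127.0.0.1 at all. After applying the fragments, a quick check is to watch the proxy's log (step 7) while resolving a name and confirm that nothing leaves the box on UDP/53 except from the proxy itself.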