Homebrew with DNSMasq + DNSCrypt-proxy (OpenDNS)

Install & Configure

  1. Install DNSMasq

     $ brew install dnsmasq

  2. Install DNSCrypt-proxy

     $ brew install dnscrypt-proxy

  3. Configure the three files shown below:

     /usr/local/etc/dnsmasq.conf ⬇
     /Library/LaunchDaemons/homebrew.mxcl.dnscrypt-proxy.plist ⬇
     /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist ⬇

  4. Reload the dnscrypt-proxy service

     $ cd /Library/LaunchDaemons/
     $ sudo launchctl unload homebrew.mxcl.dnscrypt-proxy.plist && sudo launchctl load homebrew.mxcl.dnscrypt-proxy.plist

  5. Reload the dnsmasq service

     $ sudo launchctl unload homebrew.mxcl.dnsmasq.plist && sudo launchctl load homebrew.mxcl.dnsmasq.plist

  6. Set the system DNS server IP to 127.0.0.1
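The whole setup hinges on one port split: dnscrypt-proxy listens on 127.0.0.1:40 and dnsmasq forwards only to 127.0.0.1#40, with no-resolv so no other upstream is used. The script below is an added example (not part of the gist) that parses a dnsmasq.conf and the dnscrypt-proxy launchd plist with the standard library and reports a mismatched port, a port-53 collision, or a missing lockdown option; the embedded samples are constructed trims of the two files.

```python
# Constructed samples: trimmed copies of the gist's dnsmasq.conf and dnscrypt-proxy plist.
import plistlib, re
DNSMASQ_CONF = """\
server=127.0.0.1#40
listen-address=127.0.0.1
bind-interfaces
no-resolv
stop-dns-rebind
no-hosts
"""
DNSCRYPT_PLIST = b"""<plist version="1.0"><dict><key>ProgramArguments</key><array>
<string>/usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy</string>
<string>--local-address=127.0.0.1:40</string>
<string>--local-address=[::1]:40</string>
</array></dict></plist>"""
REQUIRED_FLAGS = ("bind-interfaces", "no-resolv", "stop-dns-rebind", "no-hosts")

def parse_dnsmasq(text):
    """Map each non-comment option to its list of values (bare flags map to [None])."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, val = line.partition("=")
            opts.setdefault(key, []).append(val if sep else None)
    return opts

def upstream_ports(opts):
    """Ports of server= entries pointing at loopback (dnsmasq syntax: host#port)."""
    return {int(m.group(1)) for v in opts.get("server", [])
            if (m := re.fullmatch(r"127\.0\.0\.1#(\d+)", v or ""))}

def dnscrypt_listen_ports(plist_bytes):
    """Ports from every --local-address argument in the launchd ProgramArguments."""
    args = plistlib.loads(plist_bytes)["ProgramArguments"]
    return {int(m.group(1)) for a in args
            if (m := re.fullmatch(r"--local-address=(?:\[[^\]]+\]|[^:]+):(\d+)", a))}

def check(conf_text, plist_bytes):
    """Return a list of problems; an empty list means the two files agree."""
    opts = parse_dnsmasq(conf_text)
    problems = [f"dnsmasq: missing {f}" for f in REQUIRED_FLAGS if f not in opts]
    if opts.get("listen-address") != ["127.0.0.1"]:
        problems.append("dnsmasq: must listen on 127.0.0.1 only")
    up, listen = upstream_ports(opts), dnscrypt_listen_ports(plist_bytes)
    if up - listen:  # dnsmasq forwards to a port the proxy is not listening on
        problems.append(f"port mismatch: dnsmasq -> {sorted(up)}, proxy on {sorted(listen)}")
    if 53 in listen:  # both daemons on 53 is why the gist moves the proxy to port 40
        problems.append("dnscrypt-proxy on port 53 collides with dnsmasq")
    return problems
```

Run it against the real files by reading /usr/local/etc/dnsmasq.conf as text and the plist as bytes before calling check().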

Check

DNS Configuration

$ scutil --dns
...
resolver #1
  search domain[0] : openvpn
  nameserver[0] : 127.0.0.1
  flags    : Request A records, Request AAAA records
  reach    : Reachable,Local Address
...

DNSCrypt

$ nslookup -type=txt debug.opendns.com
Server:     127.0.0.1
Address:    127.0.0.1#53

Non-authoritative answer:
debug.opendns.com	text = "server 7.ams"
debug.opendns.com	text = "flags 20 0 2f4 800000000000000"
debug.opendns.com	text = "id 0"
debug.opendns.com	text = "source xxx.xxx.xxx.xxx:xxxxx"
debug.opendns.com	text = "dnscrypt enabled (xxxxxxxxxxxxxxxx)"

Authoritative answers can be found from:

Useful links:

/usr/local/etc/dnsmasq.conf

# Configuration file for dnsmasq.
#
# Format is one option per line, legal options are the same
# as the long options legal on the command line. See
# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
# Custom development domains: every name under these suffixes resolves to
# 127.0.0.1 without ever leaving the machine.
# Caveat: .dev is now a real public TLD that browsers HSTS-preload, so mapping
# it here shadows genuine .dev sites; a reserved name such as .test avoids that.
address=/.dev/127.0.0.1
address=/.dom/127.0.0.1
# Upstream resolver: the local dnscrypt-proxy instance on port 40 (dnsmasq
# writes host#port). Together with no-resolv below this is the only upstream
# dnsmasq will ever use, so no query escapes to a plaintext resolver.
server=127.0.0.1#40
#user=
#group=
# Don't read the hostnames in /etc/hosts.
no-hosts
# Do not go into the background at startup but otherwise run as
# normal.
keep-in-foreground
# Do not provide DHCP or TFTP on the loopback interface.
no-dhcp-interface=lo
# Only listen on the loopback interface.
listen-address=127.0.0.1
# Only bind to interfaces dnsmasq is listening on.
bind-interfaces
# Never forward addresses in the non-routed address spaces.
bogus-priv
# Don't read /etc/resolv.conf.
no-resolv
# Reject (and log) addresses from upstream nameservers which are in
# the private IP ranges. This blocks an attack where a browser behind
# a firewall is used to probe machines on the local network.
stop-dns-rebind
# Exempt 127.0.0.0/8 from rebinding checks. This address range is
# returned by realtime black hole servers, so blocking it may disable
# these services.
rebind-localhost-ok
# Never forward plain names (without a dot or domain part).
# domain-needed
# Set the cache size here. If you don't use ad-blocking add-ons such as
# Adblock Plus or Ghostery, you may want to increase this value, as you
# will be resolving more domain names.
cache-size=1000
#no-negcache
#local-ttl=
# Pass through DNSSEC validation results from dnscrypt-proxy: dnsmasq does not
# validate here, it only forwards the AD flag set by the upstream proxy.
proxy-dnssec
#mx-host=maildomain.com,servermachine.com,50
#mx-target=servermachine.com
#localmx
#selfmx
#log-queries
/Library/LaunchDaemons/homebrew.mxcl.dnscrypt-proxy.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>homebrew.mxcl.dnscrypt-proxy</string>
<key>KeepAlive</key>
<true/>
<key>RunAtLoad</key>
<true/>
<key>ProgramArguments</key>
<array>
<string>/usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy</string>
<string>--local-address=127.0.0.1:40</string>
<string>--local-address=[::1]:40</string>
<string>--ephemeral-keys</string>
<!-- Version-pinned Cellar path: a brew upgrade of dnscrypt-proxy moves it and the daemon
     stops starting. The /usr/local/opt/dnscrypt-proxy/share/dnscrypt-proxy/dnscrypt-resolvers.csv
     symlink path tracks the installed version instead. -->
<string>--resolvers-list=/usr/local/Cellar/dnscrypt-proxy/1.6.0_3/share/dnscrypt-proxy/dnscrypt-resolvers.csv</string>
<string>--resolver-name=cisco</string>
<string>--user=nobody</string>
</array>
<!-- Runs as root only to bind the privileged port 40; --user=nobody drops privileges afterwards. -->
<key>UserName</key>
<string>root</string>
<!-- Both output streams are discarded; point them at a log file while troubleshooting startup failures. -->
<key>StandardErrorPath</key>
<string>/dev/null</string>
<key>StandardOutPath</key>
<string>/dev/null</string>
</dict>
</plist>
/Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>homebrew.mxcl.dnsmasq</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/opt/dnsmasq/sbin/dnsmasq</string>
<string>--keep-in-foreground</string>
<string>-C</string>
<string>/usr/local/etc/dnsmasq.conf</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>KeepAlive</key>
<true/>
</dict>
</plist>
jamesacampbell commented Dec 11, 2017

When you install dnsmasq and dnscrypt-proxy, don't they install and set up sensible defaults in the .conf file and others? Why the need for customization? What are the diffs between them and yours posted here? Thanks

ngocphamm commented Apr 9, 2018

@jamesacampbell This might be very late to the game, but I just came across this and I think by default you can't make dnsmasq and dnscrypt-proxy work together, for a simple reason: they both want to listen on port 53. This gist points out that all you need to do is to make dnscrypt-proxy listen on another port (here it is 40), then point dnsmasq to 127.0.0.1#40 as the upstream DNS server, while NOT trying any other DNS servers specified in the system.

ianmustafa commented Apr 12, 2018

@ngocphamm I can confirm that both dnsmasq and dnscrypt-proxy can indeed work together. I was just having trouble getting dnscrypt-proxy to work alone on a freshly installed macOS Sierra, and this gist helped me a lot. I just didn't copy-paste the whole dnsmasq.conf though.

willsalz commented Dec 5, 2019

qq: why are you running dnsmasq && dnscrypt-proxy? Aren't they doing essentially the same thing?
