Created July 16, 2021 23:53
https://tokyobreeze.wordpress.com/2015/01/29/install-and-configure-dnscrypt-in-your-router/
There are many reasons to use DNSCrypt, probably now more than ever. I deployed DNSCrypt on my OpenWrt router and it was a fairly simple process. This post outlines my steps for installing, configuring and getting DNSCrypt up and running on the router.
Assumptions:
You already have OpenWrt on board and can ssh into the router.
You (preferably) have LuCI installed and configured.
Your router’s IP is 192.168.1.1 (if not, replace 192.168.1.1 in the scripts below with your router’s address).
Installation:
DNSCrypt is provided by a package source that is NOT included in the default opkg lists, so the first step is to add that source by appending the following line to the end of ‘/etc/opkg.conf’. (Note: the URL below is for my router’s hardware; change the ‘ar71xx’ part of the URL to match your router’s target.)
src/gz exopenwrt http://exopenwrt.and.in.net/barrier_breaker/ar71xx/packages/exOpenWrt
In LuCI → System → Software, update the package lists. Then install ‘dnscrypt-proxy’. Alternatively, via ssh:
opkg update
opkg install dnscrypt-proxy
Confirm that the installation went fine:
opkg status | grep -n "dnscrypt-proxy"
# Would show output like below:
230:Package: dnscrypt-proxy
236: /etc/config/dnscrypt-proxy ff316755d745da9b15b7166b667ed108
Clean the Windows line endings (the carriage return, a.k.a. the ^M character) from the file containing the list of resolvers:
cd /usr/share/dnscrypt-proxy
mv dnscrypt-resolvers.csv dnscrypt-resolvers.csv_ori
tr -d '\r' <dnscrypt-resolvers.csv_ori >dnscrypt-resolvers.csv
rm dnscrypt-resolvers.csv_ori
Configuration:
Edit ‘/etc/config/dnscrypt-proxy’ so that it looks like below. Initially, we are configuring it to use ‘OpenDNS’.
config dnscrypt-proxy
	option address '192.168.1.1'
	option port '2053'
	option resolver 'opendns'
	option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
Assign read permission for ‘/etc/config/dnscrypt-proxy’:
chmod a+r /etc/config/dnscrypt-proxy
Enable the dnscrypt-proxy init script:
/etc/init.d/dnscrypt-proxy enable
Start dnscrypt-proxy:
/etc/init.d/dnscrypt-proxy start
Now we change dnsmasq to use dnscrypt-proxy. First take a backup of ‘/etc/config/dhcp’.
Edit ‘/etc/config/dhcp’ so that the ‘dnsmasq’ section looks like below. The two ‘list server’ lines are of particular interest and both MUST be present: the first sends all DNS queries to the dnscrypt-proxy we just installed, and the second sends lookups for pool.ntp.org only to a plain, unencrypted resolver, so the router can set its clock at boot (dnscrypt-proxy needs a correct clock to validate the resolver’s certificate). ‘option noresolv’ stops dnsmasq from also using the upstream servers in /etc/resolv.conf, which would otherwise let queries bypass DNSCrypt. If you are not using Adblock on your router, omit the last line.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option noresolv '1'
	list server '192.168.1.1#2053'
	list server '/pool.ntp.org/208.67.222.222'
	list addnhosts '/etc/adblock/block.hosts'
Restart dnsmasq:
/etc/init.d/dnsmasq restart
OPTIONAL: We can also add the following rules to the firewall [(LuCI -> Network -> Firewall -> Custom Rules) or (edit /etc/firewall.user)]. They redirect any port-53 traffic that LAN clients send to other DNS servers back to dnsmasq on the router, so a client cannot bypass DNSCrypt with its own resolver settings. In my case, the Adblock scripts are already taking care of this. If you don’t have Adblock and add these rules, you must reboot your router before proceeding with testing.
iptables -t nat -I PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -I PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53
Testing:
Check that dnsmasq is using only dnscrypt-proxy (plus the pool.ntp.org exception):
logread | grep -n "using nameserver"
# Should give output like below
........
........ openwrt daemon.info dnsmasq[13292]: using nameserver 208.67.222.222#53 for domain pool.ntp.org
........ openwrt daemon.info dnsmasq[13292]: using nameserver 192.168.1.1#2053
Check that dnscrypt-proxy is working:
logread | grep "Proxying from"
# Should give output like below
........
........ openwrt daemon.info dnscrypt-proxy[13289]: Proxying from 192.168.1.1:2053 to 208.67.220.220:443
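As an added check that is not part of the original post, the following POSIX shell function turns the ‘using nameserver’ inspection above into a pass/fail test: it extracts every upstream dnsmasq announces and flags anything other than the local dnscrypt-proxy listener and the pool.ntp.org exception from the dhcp config. The log lines are constructed samples in logread’s format; on the router you would feed it the output of `logread` instead.

```shell
#!/bin/sh
# Added example (not from the original post): audit the upstreams that dnsmasq
# reports in logread and fail if any of them is outside the allow list.

# Allowed upstreams, taken from the two 'list server' lines in /etc/config/dhcp.
DNSCRYPT_UPSTREAM='192.168.1.1#2053'
NTP_EXCEPTION='208.67.222.222#53 for domain pool.ntp.org'

# Constructed sample in logread's format (what a healthy router prints).
SAMPLE_LOG='Jan 29 10:00:01 openwrt daemon.info dnsmasq-dhcp[13292]: DHCP, IP range 192.168.1.100 -- 192.168.1.249, lease time 12h
Jan 29 10:00:01 openwrt daemon.info dnsmasq[13292]: using nameserver 208.67.222.222#53 for domain pool.ntp.org
Jan 29 10:00:01 openwrt daemon.info dnsmasq[13292]: using nameserver 192.168.1.1#2053'

# Constructed sample of a misconfiguration: dnsmasq also picked up a plain
# resolver (e.g. because 'option noresolv' was left out), which would send
# queries around dnscrypt-proxy. 203.0.113.53 is a documentation address.
LEAKY_LOG="$SAMPLE_LOG
Jan 29 10:00:02 openwrt daemon.info dnsmasq[13292]: using nameserver 203.0.113.53#53"

# check_upstreams LOGTEXT: print every unexpected upstream to stderr.
# Returns 0 when only allowed upstreams are present, 1 otherwise.
check_upstreams() {
    unexpected=$(printf '%s\n' "$1" \
        | sed -n 's/.*using nameserver //p' \
        | grep -v -x -F -e "$DNSCRYPT_UPSTREAM" -e "$NTP_EXCEPTION" || true)
    if [ -n "$unexpected" ]; then
        printf 'unexpected upstream: %s\n' "$unexpected" >&2
        return 1
    fi
    return 0
}

# On the router: check_upstreams "$(logread)" && echo "no plain upstream"
check_upstreams "$SAMPLE_LOG" && echo "sample log: OK"
check_upstreams "$LEAKY_LOG" || echo "leaky log: caught"
```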
Test from a PC connected to the router:
Flush the DNS cache from the command line (ipconfig /flushdns on Windows).
Restart the browser if it was running while we were doing the steps above.
Visit DNSLeakTest and run the ‘Extended Test’. You should get only 1 DNS server in the result, and that server should be the one specified in ‘/etc/config/dnscrypt-proxy’.
Other tests, in case you are interested:
DNS randomness test
DNSSEC resolver test
Additional – Changing the Resolver:
Initially we configured DNSCrypt to use ‘OpenDNS’, but you can change to any resolver listed in ‘/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv’ (just open it in vi/nano and look at the options). To change to another server, follow the steps below:
Change the ‘/etc/config/dnscrypt-proxy’ file to reflect the new resolver name (the name MUST match a name from the first column of ‘/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv’ exactly). Example of ‘/etc/config/dnscrypt-proxy’ after the change:
config dnscrypt-proxy
	option address '192.168.1.1'
	option port '2053'
	# option resolver 'opendns'
	option resolver 'dnscrypt.eu-nl'
	option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
Stop and start the dnscrypt-proxy service:
/etc/init.d/dnscrypt-proxy stop
/etc/init.d/dnscrypt-proxy start
Restart dnsmasq:
killall dnsmasq
/etc/init.d/dnsmasq start
Execute the steps in the ‘Testing’ section.
That’s it. Enjoy your ‘Peace of Mind’ 🙂
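The name-must-match requirement here and the CRLF cleanup in the installation section both fail silently when they are wrong, so here is an added example (not from the original post) that checks a candidate resolver name against the CSV and prints the address that dnscrypt-proxy should then show in its ‘Proxying from … to’ log line. The CSV rows are constructed with the real file’s column order; the dnscrypt.eu-nl address, the provider names and the keys are placeholders, and the last row deliberately keeps a Windows line ending.

```shell
#!/bin/sh
# Added example (not from the original post): check a resolver name against
# dnscrypt-resolvers.csv before writing it into /etc/config/dnscrypt-proxy,
# and detect the Windows line endings that the tr -d '\r' step removes.

# Constructed sample using the real file's column order (Name is column 1,
# Resolver address is column 11). The opendns address is the one in the post's
# log excerpt; the dnscrypt.eu-nl address, provider names and keys are
# placeholders. The last row deliberately ends in CRLF.
CSV=$(mktemp)
{
    printf 'Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record\n'
    printf 'opendns,OpenDNS,sample,Anycast,,https://www.opendns.com,1,no,no,no,208.67.220.220:443,provider.placeholder,PUBKEY-PLACEHOLDER,\n'
    printf 'dnscrypt.eu-nl,DNSCrypt.eu,sample,Holland,,https://dnscrypt.eu,1,yes,yes,no,203.0.113.10:443,provider.placeholder,PUBKEY-PLACEHOLDER,\r\n'
} > "$CSV"

# csv_is_clean FILE: 0 if the file contains no carriage returns.
csv_is_clean() {
    [ "$(tr -d -c '\r' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# resolver_exists FILE NAME: 0 only on an exact match in the Name column,
# since the post requires the name in 'option resolver' to match the CSV.
resolver_exists() {
    awk -F, -v want="$2" 'NR > 1 && $1 == want { found = 1 } END { exit (!found) }' "$1"
}

# resolver_address FILE NAME: print the Resolver address column, to compare
# with the "Proxying from 192.168.1.1:2053 to <address>" line in logread.
resolver_address() {
    awk -F, -v want="$2" 'NR > 1 && $1 == want { print $11 }' "$1"
}

# Usage: validate the candidate before touching the UCI config.
NAME='dnscrypt.eu-nl'
csv_is_clean "$CSV" || echo "warning: CRLF line endings found, clean the file with tr first"
resolver_exists "$CSV" "$NAME" && echo "$NAME -> $(resolver_address "$CSV" "$NAME")"
```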
Update:
My router is set to reboot once a week. Though I have enabled the ‘dnscrypt-proxy’ init service to start up at boot, I found that dnscrypt was not starting automatically at boot for some reason. I could deep-dive to find out the cause, but I am a little busy of late and just took the easy path of adding the following to my ‘/etc/rc.local’ to stop/start the service at boot time. Now dnscrypt is working fine across reboots.
# Sleep for 2 minutes for other things to load
sleep 120
# Restart dnscrypt-proxy - in case it has not started
/etc/init.d/dnscrypt-proxy stop
sleep 10
/etc/init.d/dnscrypt-proxy start