@leafsummer
Forked from ahmozkya/README.md
Created December 30, 2015 17:28
Homebrew with DNSMasq + DNSCrypt-proxy (OpenDNS)

Install & Configure

1. Install DNSMasq

   ```
   $ brew install dnsmasq
   ```

2. Install DNSCrypt-proxy

   ```
   $ brew install dnscrypt-proxy
   ```

3. Configure the three files below (⬇):

   - /usr/local/etc/dnsmasq.conf
   - /Library/LaunchDaemons/homebrew.mxcl.dnscrypt-proxy.plist
   - /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist

4. Reload the dnscrypt-proxy service

   ```
   $ cd /Library/LaunchDaemons/
   $ sudo launchctl unload homebrew.mxcl.dnscrypt-proxy.plist && sudo launchctl load homebrew.mxcl.dnscrypt-proxy.plist
   ```

5. Reload the dnsmasq service

   ```
   $ sudo launchctl unload homebrew.mxcl.dnsmasq.plist && sudo launchctl load homebrew.mxcl.dnsmasq.plist
   ```

6. Set the system DNS server to 127.0.0.1

Check

DNS Configuration

The active resolver should list 127.0.0.1 (dnsmasq) as its nameserver:

```
$ scutil --dns
...
resolver #1
  search domain[0] : openvpn
  nameserver[0] : 127.0.0.1
  flags    : Request A records, Request AAAA records
  reach    : Reachable,Local Address
...
```

DNSCrypt

The answer must come from 127.0.0.1, and the last TXT record returned by OpenDNS should report that DNSCrypt is enabled for your connection:

```
$ nslookup -type=txt debug.opendns.com
Server:     127.0.0.1
Address:    127.0.0.1#53

Non-authoritative answer:
debug.opendns.com	text = "server 7.ams"
debug.opendns.com	text = "flags 20 0 2f4 800000000000000"
debug.opendns.com	text = "id 0"
debug.opendns.com	text = "source xxx.xxx.xxx.xxx:xxxxx"
debug.opendns.com	text = "dnscrypt enabled (xxxxxxxxxxxxxxxx)"

Authoritative answers can be found from:
```
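To make the check above mechanical (for example in a script run right after reloading the two services), here is an added Python example; it is not part of the gist. It parses the `nslookup -type=txt debug.opendns.com` output shown above and only reports success when the answer was served by 127.0.0.1 and carries a `dnscrypt enabled` record. The sample outputs are constructed from the lines on the page (the source address and certificate id are placeholders, as there); the two failure cases are assumed shapes of a misconfigured setup, not output taken from the page.

```python
import re

# Constructed sample mirroring the nslookup output on the page.
SAMPLE_ENABLED = (
    "Server:     127.0.0.1\n"
    "Address:    127.0.0.1#53\n"
    "\n"
    "Non-authoritative answer:\n"
    'debug.opendns.com\ttext = "server 7.ams"\n'
    'debug.opendns.com\ttext = "flags 20 0 2f4 800000000000000"\n'
    'debug.opendns.com\ttext = "id 0"\n'
    'debug.opendns.com\ttext = "source xxx.xxx.xxx.xxx:xxxxx"\n'
    'debug.opendns.com\ttext = "dnscrypt enabled (xxxxxxxxxxxxxxxx)"\n'
)

# Constructed failure case (assumed shape): the same answer without the
# "dnscrypt" record, i.e. no evidence that the query went through dnscrypt-proxy.
SAMPLE_NO_RECORD = "\n".join(
    line for line in SAMPLE_ENABLED.splitlines() if "dnscrypt" not in line
) + "\n"

# Constructed failure case (assumed shape): answer served by OpenDNS directly,
# meaning the system resolver was never pointed at 127.0.0.1.
SAMPLE_WRONG_SERVER = SAMPLE_ENABLED.replace(
    "Server:     127.0.0.1", "Server:     208.67.220.220"
)

SERVER_RE = re.compile(r"^Server:\s+(?P<server>\S+)\s*$")
TXT_RE = re.compile(r'^debug\.opendns\.com\s+text = "(?P<txt>[^"]*)"\s*$')


def parse_opendns_debug(output):
    """Return {"server": <answering server>, "records": {key: value}}.

    Each TXT record is split on its first space, so "dnscrypt enabled (id)"
    becomes records["dnscrypt"] == "enabled (id)".
    """
    info = {"server": None, "records": {}}
    for line in output.splitlines():
        m = SERVER_RE.match(line)
        if m:
            info["server"] = m.group("server")
            continue
        m = TXT_RE.match(line)
        if m:
            key, _, value = m.group("txt").partition(" ")
            info["records"][key] = value
    return info


def check_dnscrypt(output, expected_server="127.0.0.1"):
    """Return (ok, reason). ok is True only if the answer came via the local
    resolver and OpenDNS saw the query arrive over DNSCrypt."""
    info = parse_opendns_debug(output)
    if info["server"] != expected_server:
        return False, f"answer came from {info['server']}, not {expected_server}"
    dnscrypt = info["records"].get("dnscrypt")
    if dnscrypt is None:
        return False, "no dnscrypt record in answer; query may have bypassed dnscrypt-proxy"
    if not dnscrypt.startswith("enabled"):
        return False, f"dnscrypt record says: {dnscrypt}"
    cert = dnscrypt[len("enabled"):].strip(" ()")
    return True, f"dnscrypt enabled, cert {cert}"


if __name__ == "__main__":
    for name, sample in (("enabled", SAMPLE_ENABLED),
                         ("no record", SAMPLE_NO_RECORD),
                         ("wrong server", SAMPLE_WRONG_SERVER)):
        print(name, "->", check_dnscrypt(sample))
```

In practice you would feed `check_dnscrypt` the captured stdout of the `nslookup` command; both failure branches matter, because a missing record and a non-loopback `Server:` line each mean queries are leaving the machine in the clear.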

Useful links:

/usr/local/etc/dnsmasq.conf

```
# Configuration file for dnsmasq.
#
# Format is one option per line, legal options are the same
# as the long options legal on the command line. See
# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
# Custom development domains
address=/.dev/127.0.0.1
address=/.dom/127.0.0.1
# Upstream: dnscrypt-proxy on 127.0.0.1 port 40. The port must match
# --local-address in homebrew.mxcl.dnscrypt-proxy.plist.
server=127.0.0.1#40
#user=
#group=
# Don't read the hostnames in /etc/hosts.
no-hosts
# Do not go into the background at startup but otherwise run as
# normal.
keep-in-foreground
# Do not provide DHCP or TFTP on the loopback interface.
no-dhcp-interface=lo
# Only listen on the loopback interface.
listen-address=127.0.0.1
# Only bind to interfaces dnsmasq is listening on.
bind-interfaces
# Never forward addresses in the non-routed address spaces.
bogus-priv
# Don't read /etc/resolv.conf.
no-resolv
# Reject (and log) addresses from upstream nameservers which are in
# the private IP ranges. This blocks an attack where a browser behind
# a firewall is used to probe machines on the local network.
stop-dns-rebind
# Exempt 127.0.0.0/8 from rebinding checks. This address range is
# returned by realtime black hole servers, so blocking it may disable
# these services.
rebind-localhost-ok
# Never forward plain names (without a dot or domain part).
# domain-needed
# Set the cache size here. If you don't use spam blocking add-ons such
# as Adblock Plus or Ghostery, you may want to increase this value as you
# will be resolving more domain names.
cache-size=1000
#no-negcache
#local-ttl=
# Pass through DNSSEC validation results from dnscrypt-proxy.
proxy-dnssec
#mx-host=maildomain.com,servermachine.com,50
#mx-target=servermachine.com
#localmx
#selfmx
#log-queries
```
/Library/LaunchDaemons/homebrew.mxcl.dnscrypt-proxy.plist

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>homebrew.mxcl.dnscrypt-proxy</string>
<key>RunAtLoad</key>
<true/>
<key>KeepAlive</key>
<true/>
<key>UserName</key>
<string>root</string>
<key>StandardErrorPath</key>
<string>/dev/null</string>
<key>StandardOutPath</key>
<string>/dev/null</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy</string>
<string>--local-address=127.0.0.1:40</string>
<string>--edns-payload-size=4096</string>
<string>--user=nobody</string>
<string>--resolver-address=208.67.220.220:443</string>
<string>--provider-name=2.dnscrypt-cert.opendns.com</string>
<string>--provider-key=B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79</string>
</array>
</dict>
</plist>
```
/Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>homebrew.mxcl.dnsmasq</string>
<key>RunAtLoad</key>
<true/>
<key>KeepAlive</key>
<true/>
<key>ProgramArguments</key>
<array>
<string>/usr/local/opt/dnsmasq/sbin/dnsmasq</string>
<string>--keep-in-foreground</string>
</array>
</dict>
</plist>
```
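The two configurations only work together if dnsmasq's `server=` line points at the host and port dnscrypt-proxy is given in `--local-address`, and the setup is only safe if dnsmasq stays bound to loopback with its rebind and resolv protections in place; nothing in the steps above catches drift between the files. The following is an added Python check, not part of the gist, that parses both files (embedded here from the page, the dnsmasq.conf with comments dropped) and lists any mismatch or missing lockdown option. Which options are treated as required is my choice, not something the gist states.

```python
import ipaddress
import plistlib

# dnsmasq.conf from the gist, comments removed.
DNSMASQ_CONF = """\
address=/.dev/127.0.0.1
address=/.dom/127.0.0.1
server=127.0.0.1#40
no-hosts
keep-in-foreground
no-dhcp-interface=lo
listen-address=127.0.0.1
bind-interfaces
bogus-priv
no-resolv
stop-dns-rebind
rebind-localhost-ok
cache-size=1000
proxy-dnssec
"""

# homebrew.mxcl.dnscrypt-proxy.plist from the gist (provider key omitted for brevity).
DNSCRYPT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key><string>homebrew.mxcl.dnscrypt-proxy</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy</string>
<string>--local-address=127.0.0.1:40</string>
<string>--edns-payload-size=4096</string>
<string>--user=nobody</string>
<string>--resolver-address=208.67.220.220:443</string>
<string>--provider-name=2.dnscrypt-cert.opendns.com</string>
</array>
</dict>
</plist>
"""

# Options this check insists on (my choice): no leaking to /etc/resolv.conf
# servers, no binding to every interface, and the rebind/private-range filters.
REQUIRED_FLAGS = ("no-resolv", "bind-interfaces", "stop-dns-rebind", "bogus-priv")


def parse_dnsmasq_conf(text):
    """Return {option: [values]}; bare flags get the value None.
    Only whole-line comments are stripped, because '#' also separates the
    port in server=host#port."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        opts.setdefault(key.strip(), []).append(value.strip() if sep else None)
    return opts


def dnscrypt_local_address(plist_bytes):
    """Return (host, port) from --local-address in the daemon's ProgramArguments, or None."""
    for arg in plistlib.loads(plist_bytes)["ProgramArguments"]:
        if arg.startswith("--local-address="):
            host, _, port = arg[len("--local-address="):].rpartition(":")
            return host, int(port)
    return None


def check_resolver_chain(conf_text, plist_bytes):
    """Return a list of problems; an empty list means the files agree and dnsmasq is locked down."""
    problems = []
    opts = parse_dnsmasq_conf(conf_text)
    local = dnscrypt_local_address(plist_bytes)
    if local is None:
        problems.append("dnscrypt-proxy plist has no --local-address")
    upstreams = []
    for entry in opts.get("server", []):
        host, _, port = entry.partition("#")
        upstreams.append((host, int(port) if port else 53))  # dnsmasq defaults to port 53
    if not upstreams:
        problems.append("dnsmasq has no server= line; with no-resolv nothing is forwarded")
    elif local is not None and upstreams != [local]:
        problems.append(f"dnsmasq upstream(s) {upstreams} do not match dnscrypt-proxy listener {local}")
    # Without listen-address dnsmasq listens on all interfaces; treat that as 0.0.0.0.
    for addr in opts.get("listen-address", []) or ["0.0.0.0"]:
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            loopback = False
        if not loopback:
            problems.append(f"dnsmasq listen-address {addr} is not loopback; resolver exposed to the network")
    for flag in REQUIRED_FLAGS:
        if flag not in opts:
            problems.append(f"dnsmasq option {flag} missing")
    return problems


if __name__ == "__main__":
    print(check_resolver_chain(DNSMASQ_CONF, DNSCRYPT_PLIST) or "OK")
```

On a real machine replace the embedded strings with the contents of the two files; the port mismatch case is the one most likely after editing only one side, and it fails silently at runtime because dnsmasq simply gets no answers.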