A fix to doc page "DNSCrypt with Dnsmasq and dnscrypt-proxy2"

Please consider (possibly @vgaetera, as the last page editor) fixing the first command-line quote on the page DNSCrypt with Dnsmasq and dnscrypt-proxy2 to this:

# Install package
opkg update
opkg install dnscrypt-proxy2

# Modify dnsmasq configuration
uci set dhcp.@dnsmasq[0].noresolv="1"
uci set dhcp.@dnsmasq[0].localuse="1"
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server="127.0.0.53#5353"
uci commit dhcp

# Enable DNS encryption
sed -i '/^listen_addresses/ s/:53/:5353/' /etc/dnscrypt-proxy2/*.toml
sed -i "32 s/.*/server_names = ['google', 'cloudflare']/" /etc/dnscrypt-proxy2/*.toml
service dnsmasq restart
service dnscrypt-proxy restart

Reason...

dnsmasq in the current stable release (23.05.2) does not work as advertised. dnsmasq listens on all interfaces although it is configured not to, in order to prevent a conflict with the default dnscrypt-proxy2 configuration. Also, the OpenWrt defaults make dnsmasq listen on all interfaces.

# grep interface /var/etc/dnsmasq.conf.cfg01411c
interface=eth0
except-interface=lo
no-dhcp-interface=eth1

# netstat -ltunp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1583/uhttpd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1583/uhttpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      4823/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      691/dropbear
tcp        0      0 :::443                  :::*                    LISTEN      1583/uhttpd
tcp        0      0 :::80                   :::*                    LISTEN      1583/uhttpd
tcp        0      0 :::53                   :::*                    LISTEN      4823/dnsmasq
tcp        0      0 :::22                   :::*                    LISTEN      691/dropbear
udp        0      0 0.0.0.0:53              0.0.0.0:*                           4823/dnsmasq
udp        0      0 :::53                   :::*                                4823/dnsmasq
udp        0      0 :::123                  :::*                                6869/ntpd

# logread -e dnscrypt
...
Sat Mar  9 21:05:53 2024 daemon.err dnscrypt-proxy[5058]: [2024-03-09 19:05:53] [FATAL] listen udp 127.0.0.1:53: bind: address already in use
Sat Mar  9 21:05:53 2024 daemon.info procd: Instance dnscrypt-proxy::instance1 s in a crash loop 6 crashes, 0 seconds since last crash

So dnscrypt-proxy must move to another port. The dnsmasq behaviour looks like a bug, but I may be missing something, and that is a subject for another topic elsewhere.
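The port clash shown in the netstat and logread output above can be checked for before restarting either service. The script below is an added example, not part of the thread or the wiki page; it assumes the BusyBox netstat column layout quoted above and uses constructed sample output.

```shell
#!/bin/sh
# Added example (not from the wiki page or this thread): report which programs
# hold a given port in `netstat -ltunp` output, so the dnsmasq/dnscrypt-proxy
# clash on :53 is visible before the services are restarted.

# Constructed sample, same layout as the thread's netstat listing:
# dnsmasq on :53 everywhere, dnscrypt-proxy moved to 127.0.0.53:5353.
SAMPLE_OK='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      4823/dnsmasq
tcp        0      0 :::53                   :::*                    LISTEN      4823/dnsmasq
udp        0      0 0.0.0.0:53              0.0.0.0:*                           4823/dnsmasq
udp        0      0 127.0.0.53:5353         0.0.0.0:*                           5058/dnscrypt-proxy'

# Constructed sample where both daemons ended up on port 53.
SAMPLE_CONFLICT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:53              0.0.0.0:*                           4823/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           5058/dnscrypt-proxy'

# listeners_on PORT [NETSTAT_TEXT]: print each program bound to PORT once,
# in first-seen order. Without NETSTAT_TEXT the live netstat output is used.
listeners_on() {
    port="$1"
    text="${2:-$(netstat -ltunp 2>/dev/null)}"
    printf '%s\n' "$text" | awk -v port="$port" '
        NR > 1 {
            # Local Address is field 4; the port is whatever follows the last colon
            n = split($4, addr, ":")
            if (addr[n] != port) next
            prog = $NF                      # PID/Program name is always the last field
            sub(/^[0-9]+\//, "", prog)      # strip the "PID/" prefix
            if (!(prog in seen)) { seen[prog] = 1; print prog }
        }'
}

# port_conflict PORT [NETSTAT_TEXT]: succeed (exit 0) when dnsmasq and
# dnscrypt-proxy are both bound to PORT, i.e. the crash-loop situation above.
port_conflict() {
    progs="$(listeners_on "$1" "$2")"
    printf '%s\n' "$progs" | grep -qx dnsmasq &&
        printf '%s\n' "$progs" | grep -qx dnscrypt-proxy
}

# Live check on the router; silent when netstat shows no clash.
if port_conflict 53; then
    echo "dnsmasq and dnscrypt-proxy both hold port 53; move one of them (the wiki uses 5353)"
fi
```

Seeing 0.0.0.0:53 even with interface=eth0 is normal for dnsmasq: it binds the wildcard address and filters by interface unless bind-interfaces is set, so the loopback port is taken either way.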

dnsmasq has always defaulted to listen to “any” as long as I’ve been here.

I just add interface=br-lan at the end of /etc/dnsmasq.conf.

dnsmasq has always defaulted to listen to “any” as long as I’ve been here.

Exactly my view also. That is why the doc has a profound error in it, I think. The guide is about making dnscrypt-proxy2 and dnsmasq work together on an OpenWrt system. Secondly, the dnscrypt-proxy2 package should not set defaults that can't work with the defaults of dnsmasq on OpenWrt.

I just add interface=br-lan at the end of /etc/dnsmasq.conf.

Did not work for me. Besides, my board has no br-lan interface, only lan and wan interfaces.

The relevant setting in the OpenWrt LuCI web interface (Network -> DHCP and DNS -> Devices & Ports -> Listen interfaces) says:

Listen only on the specified interfaces, and loopback if not excluded explicitly.

That is what I showed above as the effective settings for dnsmasq. Despite the settings, dnscrypt-proxy didn't start, as dnsmasq had port 53 open on the loopback interface. Or vice versa when dnscrypt-proxy2 is started before dnsmasq.

The dnscrypt-proxy guide has it right. The guide moves dnscrypt-proxy to port 5353. The dnscrypt-proxy package has the appropriate port setting as default.

A note: dnscrypt-proxy and dnscrypt-proxy2 are two different packages, although they both provide a similarly named binary and service. The former has a uci interface and seems to be better integrated into OpenWrt. The latter has no uci, a bug in its integration and an error in the OpenWrt documentation, as I'm trying to prove.

I tried to make sense of how the two packages relate. Both provide an implementation of the DNSCrypt protocol; that's one relation. The information does not really make clear whether -proxy2 is a totally new implementation with accidentally the same name or an abandoned project refreshed.

The dnscrypt-proxy package seems to be based on some older implementation, which the initial developer/maintainer has abandoned, and the package has years-old source. dnscrypt-proxy2 seems to have more recently active source.

If someone has better insight into the relation, I hope it is appended to the doc page. I'd like to make an easier judgement about which software package to base on from now on.

My current understanding is that it is dnscrypt-proxy2, despite its shortcomings causing a more laborious deployment on OpenWrt.

No doubt.

Well, they’re apples to oranges in my estimation. The former hasn’t been maintained since 2019 as you noted while dnscrypt-proxy2 has been maintained/upgraded regularly since I came here. No, there is no uci integration. The uci structure is too simplistic to handle the .toml syntax. But, it is wonderfully easy to read/implement anything that dnscrypt-proxy2 can do.

I don’t recall that I followed the wiki at the time to configure it. I went to the horse’s mouth and used the official GitHub documentation.

In fact, I remembered that I put up a How-To on the @davidc502 Community Build based on the dnscrypt-proxy2 site documentation for installation on OpenWrt. The How-To is here

Looking back over it, and the current wiki, I don’t see any fault in the wiki content. In fact, I’ve carried the same config over the last 4 years over a number of different devices without ANY issues. It works exactly as advertised always and without fail.

You pointed me to the GUI in your last post Network/DHCP and DNS/General (I seldom use it), but I’m curious what you have configured for DNS Forwardings on that same page.