DNSCrypt with Dnsmasq and dnscrypt-proxy2

The idea was to encrypt my DNS requests and have them answered by the Yandex family DNS server.

DNSCrypt with Dnsmasq and dnscrypt-proxy2

I believe I followed the guide linked above to the letter:

# Install the required packages, then enable DNS encryption.
# Install packages
opkg update
opkg install dnscrypt-proxy2

# Stop dnsmasq while its upstream settings are rewritten.
service dnsmasq stop
# noresolv=1: dnsmasq no longer takes upstream servers from its resolv file,
# so only the server entries configured below are used for forwarding.
uci set dhcp.@dnsmasq[0].noresolv="1"
# cachesize=0: dnsmasq itself caches nothing.
uci set dhcp.@dnsmasq[0].cachesize='0'
# Clear any existing upstream list (-q: stay quiet if there is none) ...
uci -q delete dhcp.@dnsmasq[0].server
# ... and forward everything to 127.0.0.53.
# assumes dnscrypt-proxy listens on 127.0.0.53:53 - TODO confirm against
# listen_addresses in its toml file.
uci add_list dhcp.@dnsmasq[0].server="127.0.0.53"
# NOTE(review): the sed command below is cut off on this page, so its closing
# quote and target file are not visible. It replaces line 32 of that file
# wholesale, whatever the line contains; check that line 32 really is the
# server_names entry in the installed version before running it, or match on
# the key instead of the line number.
# NOTE(review): the names look like DNS-over-TLS hostnames. dnscrypt-proxy
# selects servers by the names published in its configured resolver lists (or
# in a static section) and speaks DNSCrypt and DoH - TODO confirm these names
# exist there; otherwise the proxy may come up with no usable upstream and the
# family filter never applies. Check the proxy log after the restart, and
# query the proxy directly from the router (nslookup openwrt.org 127.0.0.53)
# to confirm it answers.
# The three commands after the sed commit the dhcp changes, start dnsmasq
# again and restart the proxy so it rereads its configuration.
sed -i "32 s/.*/server_names = ['family.dot.dns.yandex.net', 'safe.dot.dns.yande
uci commit dhcp
service dnsmasq start
service dnscrypt-proxy restart

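#https://spravke.livejournal.com/1499921.html
#https://www.cnblogs.com/pipci/p/12790503.html
# Ensure that the NTP client can work without DNS.
# Why: the encrypted DNS upstream validates certificates, which needs a roughly
# correct clock, while the clock is normally set via NTP hostnames that need
# DNS. Literal addresses break that circular dependency at boot.
# Caveats: plain NTP is unauthenticated, and pinned addresses go stale when an
# operator renumbers - recheck each address against its hostname periodically.

# -q: do not complain if no server list exists yet (same form as the dnsmasq
# server list cleanup earlier on this page).
uci -q delete system.ntp.server
uci add_list system.ntp.server='89.109.251.21'  # ntp1.vniiftri.ru
uci add_list system.ntp.server='89.109.251.22'  # ntp2.vniiftri.ru
# NOTE(review): the next entry repeats the ntp2 address while being labelled
# ntp3; the real ntp3 address is not shown on this page. Replace it with the
# verified address or drop the line - as written it only adds a duplicate.
uci add_list system.ntp.server='89.109.251.22'  # ntp3.vniiftri.ru
uci add_list system.ntp.server='46.254.241.74'  # ntp1.niiftri.irkutsk.ru
#uci add_list system.ntp.server='8.149.241.96'   # ntp1.aliyun.com alicloud Sing
# Fixed: the original invoked luci here, which is not the config CLI, so this
# server was never added to the list.
uci add_list system.ntp.server='203.107.6.88'   # ntp1.aliyun.com alisoft China
#uci add_list system.ntp.server='203.107.6.88'   # ntp7.aliyun.com alisoft Chin
uci commit system
# The committed list takes effect once the NTP client is restarted (or after
# a reboot).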
# Dump of the router DHCP/DNS configuration (presumably /etc/config/dhcp,
# given the /etc/config prompt that follows it on this page).
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        # DNS rebinding defence: upstream answers that point into private
        # address ranges are discarded ...
        option rebind_protection '1'
        # ... while answers in 127.0.0.0/8 are still let through.
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        # dnsmasq itself caches nothing.
        option cachesize '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # Not consulted for upstream servers while noresolv is 1 (below).
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        # Only answer queries that come from directly attached subnets.
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        # Forward only to the server listed here, i.e. the local listener at
        # 127.0.0.53; no ISP-provided resolver is used by dnsmasq.
        option noresolv '1'
        list server '127.0.0.53'

# NOTE(review): no dhcp_option or dns list is set for lan, so clients are
# presumably handed the router itself as resolver - verify on a client. A
# browser with its own DNS-over-HTTPS setting, or a client with a manually
# configured resolver, bypasses this path and therefore the family filter.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '15m'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# No DHCP service is offered on the wan interface.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
root@router:/etc/config# grep "nameserver" /etc/resolv.conf
nameserver 223.6.6.6
nameserver 2400:3200:baba::1
nameserver 223.5.5.5
nameserver 77.88.8.8
nameserver 77.88.8.8
nameserver 223.6.6.6
nameserver 223.5.5.5
nameserver 217.218.127.127
nameserver 2400:3200:baba::1
nameserver 240c::6644
nameserver 240c::6666
nameserver 2a02:6b8::feed:bad
root@router:/etc/config#

But from two different browsers I can still open sites that the Yandex safe family filter should be blocking.

How can I test which DNS server is serving me, and how do I get the encryption working?

First I recommend starting here for configuration of dnscrypt-proxy2 as it’s always worked for me:

and then Performance:

To test which DNS is in use I use a couple of different sites to test that:

Have fun!