As DNSCrypt v2 (https://github.com/jedisct1/dnscrypt-proxy) matured, I started using it as my only approach for encrypting DNS traffic. Many thanks to the contributors of DNSCrypt v2!!! While the posted wiki guide on how to install and configure DNSCrypt v2 (https://github.com/jedisct1/dnscrypt-proxy/wiki/Installation-on-OpenWRT) is a good start, it misses some important configuration points that prevent leaks to the ISP. Specifically, it leaves `dnsmasq` configured to use the `resolv.conf` file, which can leak DNS traffic to the ISP. This can be easily reproduced by running tests (e.g. https://www.dnsleaktest.com/ and seeing your ISP listed there) or just by shutting down DNSCrypt and still being able to run DNS queries just fine.
So, I'm trying to create a proper list of DNSCrypt v2 configuration instructions for OpenWRT 18.06+ and need your help in figuring out how to make it right. Here is my current configuration for the domain "foo.com" (unless you use "lan" for the domain); I call the domain out here so you know where it needs to go:
/etc/config/dhcp (configure to use a dedicated DNS server for non-LAN related queries):

```
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/foo.com/'
	option domain 'foo.com'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	# Ignore ISP's DNS:
	option noresolv '1'
	# Change /etc/resolv.conf to direct local router processes to use local dnsmasq:
	option localuse '1'
	list server '127.0.0.53'
```
/etc/dnsmasq.conf (to recognize local requests, so they are not sent to the DNS server):

```
# No forward list:
server=/lan/
server=/internal/
server=/intranet/
server=/private/
server=/workgroup/
server=/10.in-addr.arpa/
server=/16.172.in-addr.arpa/
server=/168.192.in-addr.arpa/
server=/254.169.in-addr.arpa/
server=/d.f.ip6.arpa/
```
/etc/config/dnscrypt-proxy.toml (only the parts that were changed from the default configuration):

```toml
listen_addresses = ['127.0.0.53:53']
blacklist_file = '/etc/config/blacklist.txt'
```
/etc/config/blacklist.txt (just in case some process connects to DNSCrypt v2 directly):

```
*.foo.com
*.test
*.onion
*.localhost
*.local
*.invalid
*.bind
*.lan
*.internal
*.intranet
*.private
*.workgroup
*.10.in-addr.arpa
*.16.172.in-addr.arpa
*.168.192.in-addr.arpa
*.254.169.in-addr.arpa
*.d.f.ip6.arpa
```
/etc/config/firewall (prevent clients on the local network from using external DNS servers):

```
config redirect
	option name 'Divert-DNS'
	option src 'lan'
	option proto 'tcpudp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
```
The above configuration tells `dnsmasq` not to use the `resolv.conf` file and to forward all non-local DNS requests to the dedicated DNSCrypt v2 server. DNSCrypt v2 will also reject requests for local addresses. Additionally, all requests from local clients to external DNS servers will be redirected to the router.
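To check that the four files above actually carry the no-leak settings, here is an added audit script; it is not part of the original post nor of the dnscrypt-proxy project. It assumes the file locations used above (/etc/config/dhcp, /etc/config/firewall, /etc/config/dnscrypt-proxy.toml, /etc/resolv.conf) and the 127.0.0.53 listener, and uses only sh, grep and awk so it can run on the router's BusyBox. The "good" and "leaky" sample trees it writes to a temp directory are constructed for the demonstration, with 192.0.2.53 (a documentation-range address) standing in for an ISP resolver.

```shell
#!/bin/sh
# Added example, not from the post or from dnscrypt-proxy: a static audit of the
# four files the post edits, checking the settings that stop DNS leaking to the ISP.
# Only sh/grep/awk are used, so it runs on the router (BusyBox) or on copies of the
# files. Paths and the 127.0.0.53 listener are taken from the post; the sample
# "good" and "leaky" trees written below are constructed for this demonstration.

# /etc/config/dhcp: dnsmasq must ignore resolv.conf (noresolv), point router
# processes at itself (localuse) and forward only to the DNSCrypt listener.
check_dhcp() {
    f="$1"; listener="${2:-127.0.0.53}"
    grep -Eq "^[[:space:]]*option[[:space:]]+noresolv[[:space:]]+'1'" "$f" ||
        { echo "dhcp: noresolv is not '1', dnsmasq still reads resolv.conf"; return 1; }
    grep -Eq "^[[:space:]]*option[[:space:]]+localuse[[:space:]]+'1'" "$f" ||
        { echo "dhcp: localuse is not '1', router processes bypass dnsmasq"; return 1; }
    # A 'list server' entry that is neither the listener nor a '/domain/' rule is a leak.
    if grep -E "^[[:space:]]*list[[:space:]]+server[[:space:]]+" "$f" |
            grep -v "'$listener'" | grep -vq "'/"; then
        echo "dhcp: an upstream other than $listener is configured"; return 1
    fi
}

# /etc/config/dnscrypt-proxy.toml: the listener dnsmasq forwards to must exist.
check_dnscrypt() {
    grep -Eq "^[[:space:]]*listen_addresses[[:space:]]*=.*'${2:-127.0.0.53}:53'" "$1" ||
        { echo "dnscrypt: listen_addresses lacks ${2:-127.0.0.53}:53"; return 1; }
}

# /etc/config/firewall: some 'config redirect' section must DNAT lan traffic to
# port 53 for tcp and udp (the Divert-DNS rule from the post).
check_firewall() {
    awk -v q="'" '
        function ok() {
            return sec == "redirect" && o["src"] == "lan" && o["src_dport"] == "53" &&
                   o["target"] == "DNAT" && (o["proto"] == "tcpudp" || o["proto"] == "tcp udp")
        }
        $1 == "config" { if (ok()) found = 1; split("", o); sec = $2 }
        $1 == "option" {
            v = $0; sub(/^[[:space:]]*option[[:space:]]+[^[:space:]]+[[:space:]]+/, "", v)
            gsub(q, "", v); o[$2] = v
        }
        END { if (ok()) found = 1; exit (found ? 0 : 1) }
    ' "$1" || { echo "firewall: no DNAT redirect of lan port 53 to the router"; return 1; }
}

# /etc/resolv.conf: with localuse=1 every nameserver must be loopback, otherwise
# the router's own lookups (opkg, ntp, ...) go straight to whatever is listed.
check_resolv() {
    awk '$1 == "nameserver" && $2 != "127.0.0.1" && $2 != "::1" {
             bad = 1; print "resolv.conf: non-loopback nameserver " $2 }
         END { exit (bad ? 1 : 0) }' "$1"
}

# Run every check under a root directory; an empty root means the live router.
dns_leak_audit() {
    root="${1:-}"; rc=0
    check_dhcp     "$root/etc/config/dhcp"                || rc=1
    check_dnscrypt "$root/etc/config/dnscrypt-proxy.toml" || rc=1
    check_firewall "$root/etc/config/firewall"            || rc=1
    check_resolv   "$root/etc/resolv.conf"                || rc=1
    return $rc
}

# --- constructed sample trees: one matching the post, one left near defaults ---
good=$(mktemp -d); bad=$(mktemp -d)
trap 'rm -rf "$good" "$bad"' EXIT
mkdir -p "$good/etc/config" "$bad/etc/config"
cat > "$good/etc/config/dhcp" <<'EOF'
config dnsmasq
	option domainneeded '1'
	option noresolv '1'
	option localuse '1'
	list server '127.0.0.53'
EOF
printf "listen_addresses = ['127.0.0.53:53']\n" > "$good/etc/config/dnscrypt-proxy.toml"
cat > "$good/etc/config/firewall" <<'EOF'
config redirect
	option name 'Divert-DNS'
	option src 'lan'
	option proto 'tcpudp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
EOF
printf "search foo.com\nnameserver 127.0.0.1\n" > "$good/etc/resolv.conf"
# Leaky tree: no noresolv, an ISP upstream, wrong listener, no redirect, ISP in resolv.conf.
printf "config dnsmasq\n\toption localuse '1'\n\tlist server '192.0.2.53'\n" > "$bad/etc/config/dhcp"
printf "listen_addresses = ['127.0.0.1:53']\n" > "$bad/etc/config/dnscrypt-proxy.toml"
printf "config zone\n\toption name 'lan'\n" > "$bad/etc/config/firewall"
printf "nameserver 192.0.2.53\n" > "$bad/etc/resolv.conf"

echo "== audit of the constructed good tree =="; dns_leak_audit "$good" && echo "no leak found"
echo "== audit of the constructed leaky tree =="; dns_leak_audit "$bad" || echo "leaks found"
```

On the router, call `dns_leak_audit` with no argument to check the live files. The checks are static (they read configuration, not traffic), so keep the dnsleaktest run from the post as the live confirmation.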
Comments and suggestions are welcome!
Update history:
04/04/19: Added firewall rule to prevent clients on the local network from using external DNS servers
03/25/19: Updated above instructions with suggestions from @vgaetera