How to use dnscrypt-proxy2 and DoH together?

I'm using the simple-adblock package together with the https-dns-proxy to try to hide DNS queries, but this is a weak solution compared to dnscrypt. I found the dnscrypt-proxy package, but it overrides the https-dns-proxy settings and there is no way to use the two packages together.

dnscrypt-proxy2 promises, in its description, to be able to use DNSCrypt together with DoH, but I couldn't find any information or tutorial beyond this one and I haven't found documentation that can help me configure it.

Has anyone managed to make this configuration? Using dnscrypt-proxy2 and DoH package together?

Do you care to elaborate on the https-dns-proxy weakness?

1 Like

dnscrypt-proxy2 does not use UCI, and its config is self-documented considerably well:
https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml

But when using DoH, dnscrypt-proxy2 shouldn't have much advantage over https-dns-proxy, if any.

2 Likes

Exactly. The only real difference is that https-dns-proxy allows for one-click DNS capture and you'd have to write equivalent manual firewall rules for dnscrypt-proxy2. Other than that, there's no difference in terms of speed or stability (at least since 21.02.1 which fixed a NASTY memory leak in 21.02).

1 Like

I know it's well documented, but there's nothing about how https-dns-proxy works together with dnscrypt-proxy2. As far as I understand, https-dns-proxy uses an IP and a port, for example 127.0.0.1:5053, to do the DoH.

dnscrypt-proxy2 does exactly the same thing, which would nullify https-dns-proxy.

I agree, it may not have much advantage, but the point is to encrypt requests to increase anonymity.

Following the documentation you gave me and a very explanatory video about DNSCrypt I managed to change the configuration to do the DoH together with the encryption.

But using Wireshark to see what's happening on the router (I accessed it via SSH), it's showing the DNS queries. If it's anonymized, it shouldn't show anything in this filter, should it?

How do I know that OpenWRT is anonymizing client DNS queries?


# server_names = ['cloudflare-security', 'cloudflare']
server_names = ['odoh-cloudflare']

## To listen to all IPv4+IPv6 addresses, use `listen_addresses = ['[::]:53']`
listen_addresses = ['127.0.0.53:53']

# Use servers reachable over IPv4
ipv4_servers = true
# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
ipv6_servers = true
# Use servers implementing the DNSCrypt protocol
dnscrypt_servers = true
# Use servers implementing the DNS-over-HTTPS protocol
doh_servers = true
# Use servers implementing the Oblivious DoH protocol
odoh_servers = true

# Server must support DNS security extensions (DNSSEC)
require_dnssec = false
# Server must not log user queries (declarative)
require_nolog = true
# Server must not enforce its own blocklist (for parental control, ads blocking...)
require_nofilter = true
# Server names to avoid even if they match all criteria
disabled_server_names = []

## DoH: Disable TLS session tickets - increases privacy but also latency
tls_disable_session_tickets = true
tls_cipher_suite = [52392, 49199]

bootstrap_resolvers = ['1.1.1.1:53', '9.9.9.9:53', '8.8.8.8:53']
ignore_system_dns = true
netprobe_address = '1.1.1.1:53'

[sources]
  ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
  [sources.'public-resolvers']
    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://download.dnscrypt.net/resolvers-list/v3/public-resolvers.md']
    cache_file = 'public-resolvers.md'
    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
    refresh_delay = 72
    prefix = ''

  ## Anonymized DNS relays
  [sources.'relays']
    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/relays.md']
    cache_file = 'relays.md'
    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
    refresh_delay = 72
    prefix = ''

  ## ODoH (Oblivious DoH) servers and relays
  [sources.'odoh-servers']
    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-servers.md', 'https://download.dnscrypt.net/resolvers-list/v3/odoh-servers.md']
    cache_file = 'odoh-servers.md'
    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
    refresh_delay = 24
    prefix = ''

  [sources.'odoh-relays']
    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/odoh-relays.md']
    cache_file = 'odoh-relays.md'
    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
    refresh_delay = 24
    prefix = ''

## `routes` and `skip_incompatible` live under the [anonymized_dns] table in the
## example config; without this header TOML would attach them to the table above.
[anonymized_dns]
routes = [
   { server_name='*', via=['odohrelay-crypto-sx'] }
]
# Skip resolvers incompatible with anonymization instead of using them directly
skip_incompatible = false

I also made additional firewall, network, and DHCP settings from the documentation.

There should be different types of traffic at the same time:

  • Plain DNS traffic:
    • LAN clients <-> Dnsmasq
    • Dnsmasq <-> dnscrypt-proxy2
  • Encrypted DNS traffic:
    • dnscrypt-proxy2 <-> upstream resolvers

Perhaps you are confusing something.

2 Likes

I get it, LAN clients make requests to the DNSMasq of the OpenWRT router, and it sends them to dnscrypt-proxy2, which encrypts and resolves the DNS and sends it to the destination via proxy. The reverse is also true.

So I'm only seeing internal traffic via DNS protocol?

But when I use dnscrypt-proxy2 directly on my computer, it doesn't show anything being sent as DNS protocol, so I find it strange to have traffic inside the router with dnscrypt-proxy active.

Shouldn't the behavior inside the router be the same? What am I missing?

WireShark inside the router via SSH

You aren't seeing them on your computer because you're sniffing the wire, not localhost, which is where the packets are being routed.

Similarly, you're seeing them on the router because you're sniffing the LAN side, not the WAN side. Manually specify your WAN interface for capture and you'll see there's no DNS traffic going out.

2 Likes

Sorry for the delay in replying, a lot of work here.

That's just what was missing, the ODoH applied via odoh-cloudflare seems to be working fine. I have tested the connection speeds and they seem stable and with low latency.

To test if DNSCrypt was working on the router I did this:

  1. I installed the tcpdump package via opkg update && opkg install tcpdump

  2. On Windows (client) I ran on CMD (in PowerShell it doesn't work) the command:

    • For IPv4: plink.exe -ssh -pw 123456 root@192.168.1.1 "tcpdump -ni eth1.2 -s 0 -w - not port 22" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -
    • For IPv6: plink.exe -ssh -pw 123456 root@192.168.1.1 "tcpdump -ni eth1 -s 0 -w - not port 22" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

For those who are going to run this, pay attention to the network port. No DNS requests came out of the router as DNS. Perfect!

If you want to capture the packets on the TTY screen: tcpdump -ni eth1.2 -s 0 -w - not port 22.

Internal traffic is still uncovered, but then the solution is implemented on each client.

This basic configuration can be used for ODoH via CloudFlare:
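The capture above answers the question by eye in Wireshark. The script below is an added example (not from this thread or the dnscrypt-proxy project) that automates the same check on the router itself: it counts plaintext port-53 packets in `tcpdump -n` text output and fails when any appear on the WAN interface. It assumes the WAN interface name is passed as the first argument (eth1.2 in the post above), that dnscrypt-proxy2 is the only upstream path for Dnsmasq, and that tcpdump, `timeout` and awk are available (the latter two come with BusyBox on OpenWrt). The sample lines inside the script are constructed for the offline run, not a real capture.

```shell
#!/bin/sh
# Added example, not code from the thread: confirm that plaintext DNS
# (UDP/TCP port 53) stays on the LAN/loopback side of the router and never
# leaves the WAN interface once dnscrypt-proxy2 fronts the upstream resolvers.
# Assumptions: $1 is the WAN interface (eth1.2 in the thread); tcpdump,
# timeout and awk exist (BusyBox supplies the last two on OpenWrt).

# Count plaintext DNS packets in `tcpdump -n` text read on stdin.
# tcpdump prints endpoints as host.port, so a ".53" suffix on the source
# (field 3) or on the destination (field 5, which carries a trailing colon)
# marks a port-53 packet. Matches both "IP" and "IP6" lines.
count_plain_dns() {
    awk '$2 ~ /^IP6?$/ && ($3 ~ /\.53$/ || $5 ~ /\.53:$/) { n++ }
         END { print n + 0 }'
}

# List the distinct names queried in plaintext (queries only: destination
# port 53, record type token ending in "?" followed by the name), so a leak
# can be traced back to the client that sent it.
plain_dns_names() {
    awk '$2 ~ /^IP6?$/ && $5 ~ /\.53:$/ {
             for (i = 6; i <= NF; i++)
                 if ($i ~ /[?]$/) { print $(i + 1); break }
         }' | sort -u
}

# Capture port-53 traffic on the WAN interface for $2 seconds (default 10).
# With dnscrypt-proxy2 in place the expected count is 0; anything else is a
# leak worth investigating (a client with its own resolver, a bypass rule...).
check_wan_dns() {
    iface="$1"; secs="${2:-10}"
    command -v tcpdump >/dev/null 2>&1 || {
        echo "tcpdump not installed (opkg update && opkg install tcpdump)" >&2
        return 2
    }
    n=$(timeout "$secs" tcpdump -n -l -i "$iface" port 53 2>/dev/null | count_plain_dns)
    if [ "$n" -eq 0 ]; then
        echo "OK: no plaintext DNS seen on $iface in ${secs}s"
        return 0
    fi
    echo "LEAK: $n plaintext DNS packets on $iface" >&2
    return 1
}

# Constructed sample of `tcpdump -n` output (not a real capture): a LAN query
# and its answer, an IPv6 query, and one DoH packet on 443 that must not count.
SAMPLE='12:00:00.000001 IP 192.168.1.10.51234 > 192.168.1.1.53: 12345+ A? example.com. (29)
12:00:00.000002 IP 192.168.1.1.53 > 192.168.1.10.51234: 12345 1/0/0 A 198.51.100.7 (45)
12:00:00.000003 IP6 fd00::10.40000 > fd00::1.53: 1+ AAAA? example.com. (29)
12:00:00.000004 IP 192.168.1.1.44321 > 203.0.113.5.443: Flags [P.], seq 1:100, ack 1, win 500, length 99'

if [ -n "${1:-}" ]; then
    check_wan_dns "$1" "${2:-}"
else
    # Offline demonstration on the constructed sample: 3 plaintext DNS packets.
    echo "sample plaintext DNS packets: $(printf '%s\n' "$SAMPLE" | count_plain_dns)"
    echo "sample names queried in plaintext: $(printf '%s\n' "$SAMPLE" | plain_dns_names)"
fi
```

Run it as `sh check_wan_dns.sh eth1.2 30` on the router; the LAN-side capture from the earlier reply (`tcpdump -ni br-lan port 53`) piped into `count_plain_dns` should, by contrast, show a non-zero count, which is the expected split between plain traffic inside the router and encrypted traffic on the WAN.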

Currently I can only get DoH by putting the ODoH/DoH server in server_names = ['odoh-cloudflare']. What do I need to change in the /etc/dnscrypt-proxy2/dnscrypt-proxy.toml file to do this via DNSCrypt, for it to perform this function?

DoH is encryption, no configuration changes needed. All requests are sent to the appropriate DoH servers by the router encrypted, so that your ISP/upstream link can't sniff them.

1 Like