I am using a Netgear Nighthawk R8000 router running the vanilla version of LEDE - 17.01.04. This router is facing my residential ISP on its WAN port and has 14 dhcp clients including IOT devices.
So far I have managed to setup a few static IP addresses, WiFi, Adblock, stealth ports, and changed the DNS settings to point to Google DNS instead of our ISP. I have not modified anything else.
I am now wanting to switch over to using DNS-Over-TLS but in my attempts at locating an appropriate guide to follow, I found it difficult to determine which one to use due to the differences in the following tutorials.
Option 1 - Replacing DNSMasq with Unbound and odhcpd:
If your goal is to encrypt DNS traffic so that your ISP can't see and or sell to 3rd parties, then dnscrypt-proxy is an effective and easy way to do it.
@ leeandy - thanks for the reply. For simplicity, and the fact that I am a novice user, I was kind of hoping that someone would suggest option 1! In this tutorial, the author actually uninstalls DNSMasq using;
@ davidc502 - thanks for your reply. I am actually running your build on another upstream router (WRT1900AC v1) and DNS-Crypt is running great although resolving speed can be rather slow sometimes here in the pacific!
fyi - I am wanting to switch to DNS-Over-TLS due to the abandonment of DNS-Crypt. Correct me if I am wrong but isn't DNS-Over-TLS supposed to be the new best practice implementation?
There is dnscrypt-proxy2 which some have installed an configured to support DNS-Over-TLS. From what I remember, they are able to download the binary and configuration files, and are able to run it without too much trouble. I'd point you to the post on the openwrt forum, but as everyone knows is down.
As a side note, when using your custom build on my WRT1900AC samba, I have full access to the luci-app-dnscrypt-proxy in LUCI web gui.
In the standard build (17.01.04) that I am using on my R8000 gateway, I am only able to install dnscrypt-proxy and dnscrypt-proxy-resolvers. Is there any reason why I cannot find and install the luci-app-dnscrypt-proxy package?
This site is mainly focussed on following the development and deployment of DNS-over-TLS (DOT) and DNS-over-HTTPS (DOH) as the leading solutions for DNS Privacy because DOT is the only protocol currently standardized by the IETF and DOH is expected to be a standard shortly (as of May 2018).
DNS-Crypt is apparently widely deployed, though not an IETF standard or standard-track. That, at some time in the future, it may wane in popularity as a result, does not mean that it is "abandoned". https://github.com/jedisct1/dnscrypt-proxy shows commits as of hours ago right now.
This is not intended to be an endorsement of any particular approach, just to provide references so that an informed decision can be made.
Ok, thanks for letting us know.
Ur builds are working very well, i'd like to stay on ur builds as long as possible...
Hopefully i can try dnscrypt-proxy2 soon, im allready using dnscrypt-proxy and i cant complain.
Ill try to combine it with adblock soon... Pls keep it up david.
Is quite small, lightweight and fast.
It only opens 1 https connection and pipes all dns request through it.
The http2 feature is bugged atm. Resolution stops after sometime. But you can work around
that by using the -x start parameter or compile libcurl without http2 support.
Downside only supports Google and cloudflare.
Dnscryptproxy2 is nice.
The auto server list with the filter options good stuff.
Also the load balancer feature.
But its size is one problem. Very bad choice to use go here, makes adaption to (for?) smaller embedded devices with limited space quite hard.
I also don't like that it opens many connections.
(One downside of the load balancer feature.
it's better to edit the file directly or use the CLI.
I can't remember what works for me. Try one and if it doesn't work, try the other.
If you've used my repo, you can also view /var/logs/dnscrypt-proxy-query.log by using tail -f to see if it's working for you, as you can immediately see any DNS queries coming in.
