Resolving LAN hostnames through DNSCrypt-Proxy

So I have an interesting home network setup: I wanted to protect my kids' devices from the filth found all over the internet, so I did the following:

  1. Setup DNSCrypt-Proxy on loopback port 5353, and pointed it at AdGuard Family Shield DNS server.
  2. Enable DNSMasq as the local DNS server broadcasted over DHCP.
  3. Disable ISP supplied DNS Servers, and force all DNS requests coming in to DNSMasq to be forwarded to DNSCrypt-Proxy.

So this way, EVERY device on my network will be routed through family safe DNS Servers (yes, even if you try to go to, say,, my firewall rules will catch that and re-route accordingly).

I found this to be a great solution for my children and my peace of mind, but bit too restrictive for the wife and myself. We do want to be able to browse adult content, BUT only on a restricted set of devices, explicitly enabled one by one.

So I further modified my network setup in following ways:

  1. Created 2nd instance of DNSCrypt-Proxy on loopback port 5354, and point it at Adguard DNS Server (which only blocks ads, nothing more)
  2. Assigned static IPs to the 5 devices on my home network which I want to have unrestricted DNS query access.
  3. Finally, created firewall rules (listed below) to route the 5 specific devices STRAIGHT to DNSCrypt-Proxy on port 5354, followed by more rules that capture ALL OTHER DNS traffic and route it to DNSMasq on the router, which in turn forwards to safe DNS server.

I hope this clearly describes my setup.

Now here is the problem I have:

My laptop, with has its DNS requests routed to DNSCrypt-Proxy on port 5354, BYPASSING DNSMasq, can no longer resolve local hostnames. Whereas other lan clients can, because they go through DNSMasq which knows about the hostnames on the lan from DHCP requests. So basically the DNSCrypt-Proxy instance meant for my unrestricted devices is completely unaware of other hosts on the lan.

How can I fix this? Ideally without adding entries to the routers /etc/hosts file. How can I make local DNSCrypt instance be able to resolve LAN hostnames?

Thank you for reading this far!

Firewall rules below.
BTW, I had to put this "echo 1 > /proc/sys/net/ipv4/conf/br-lan/route_localnet" command in my /etc/rc.local to enable routing from br-lan to loopback interface. without it the rules forwarding unrestricted DNS queries to were doing NOTHING.

UNRESTRICTED_CLIENTS="-m iprange --src-range"

iptables -t nat -A zone_lan_prerouting -p tcp $UNRESTRICTED_CLIENTS --dport 53 -j DNAT --to $UNRESTRICTED_DNS
iptables -t nat -A zone_lan_prerouting -p udp $UNRESTRICTED_CLIENTS --dport 53 -j DNAT --to $UNRESTRICTED_DNS

iptables -t nat -A zone_lan_prerouting -p tcp $RESTRICTED_CLIENTS --dport 53 -j DNAT --to $RESTRICTED_DNS
iptables -t nat -A zone_lan_prerouting -p udp $RESTRICTED_CLIENTS --dport 53 -j DNAT --to $RESTRICTED_DNS

  • Add another Dnsmasq instance listening on a custom port.
  • Use firewall rules to redirect DNS queries to that Dnsmasq instance.

But that DNSMasq instance would not be handling DHCP, so how would it know about the lan hosts?

You can try to forward zone lan to your main instance.

that's why I read about in the documentation of DNSCrypt-Proxy V2, but I installed the one available through OpenWrt package manager, and it's V1.9.5. and for the life of me I cannot find a configuration option that would allow me to do that :frowning:

(Old thread, but as I just came across it and found an answer I will post it here so that future searchers mayfind it.)

DNSCrypt-Proxy can do "Forwarding". See:

If you look in your dnscrypt-proxy.toml configuration file there's a (commented out, most likely) line that says:

forwarding _rules = 'forwarding-rules.txt'

Uncomment that. Then create a file called forwarding-rules.txt. In that file you can put:

lan #Or the IP address of your DNS, be it your local router or whatever you want to use.

In this example, then when I go to https://nas.lan on my computer, it routes that query to my local DNS server which knows that nas.lan is a server on my local network and I correctly connect to it.