Bolt LEDE/OpenWrt Community firmware

Compiled from Trunk sources for the Linksys 1900, 3200, and 1200 series routers

10 step dnscrypt-proxy V2 install


What is dnscrypt-proxy version 2? Dnscrypt-proxy version 2 is a program that encrypts name resolution (DNS) requests and sends those encrypted requests to DNS servers, which resolve the names to IP addresses.

Why do I want to use dnscrypt-proxy version 2? One word: "Privacy". It is well known that ISPs, and others, have been cashing in "$" by using tools which allow them to monitor users' Internet habits and sell those habits to 3rd parties.

*NOTE* There are many different ways to do this. The instructions below are just one way.

Another resource though some steps are different -- https://github.com/jedisct1/dnscrypt-proxy/wiki/Installation-on-OpenWRT

These configuration steps assume clients on your network use your router for DNS resolution. After following the configuration steps below, each client will send regular DNS requests to the router on port 53 as it normally would; from there the router will forward these requests to 127.0.0.1 on port 5353. Dnscrypt-proxy version 2 will be listening on port 5353 and will send those requests to CloudFlare's DNS servers. The DNS responses will be sent back to your clients in the normal fashion. I've found CloudFlare's DNS servers to be very fast.

The dnscrypt-proxy version 2 configuration file is set up to load balance between CloudFlare's two DNS servers, 1.1.1.1 and 1.0.0.1.

If the two CloudFlare DNS servers become unavailable, Google DNS 8.8.8.8 is the configured fallback.

IPv6 is disabled.

This is a basic configuration. No Cloaking, Suspicious queries, Pattern Blocking (blacklists), or Whitelists have been configured.

This assumes ca-bundle is already installed. If you are using the davidc502 build, ca-bundle is already installed, so there is no need to do anything.

Installation steps

1. Uninstall the default dnscrypt-proxy version 1. This assumes you have dnscrypt-proxy version 1 installed; uninstall it from the command line with the command below.
opkg remove --autoremove luci-app-dnscrypt-proxy

2. Download the dnscrypt-proxy version 2 package securely from davidc502sis.dynamic-dns.net via the command line.
a. Change directory to /tmp
cd /tmp

b. Download the dnscrypt-proxy package to /tmp, uncompress it, untar it and delete the old .tar. Copy and run the line below.
wget https://davidc502sis.dynamic-dns.net/releases/dnscrypt-proxy.tar.gz ; gunzip -d dnscrypt-proxy.tar.gz ; tar xvf dnscrypt-proxy.tar ; rm -f dnscrypt-proxy.tar

3. Don't forget to kill the current dnscrypt-proxy version 1 process if it is running.

4. Copy dnscrypt-proxy to /usr/sbin/ and make sure it is executable
cp /tmp/dnscrypt-proxy/dnscrypt-proxy /usr/sbin/ ; chmod 755 /usr/sbin/dnscrypt-proxy

5. Copy dnscrypt-proxy.toml to /etc/config/
cp /tmp/dnscrypt-proxy/dnscrypt-proxy.toml /etc/config/

6. Copy the init script and change permissions to 755.
cp /tmp/dnscrypt-proxy/init.d/dnscrypt-proxy /etc/init.d/ ; chmod 755 /etc/init.d/dnscrypt-proxy

7. In LuCI, forward DNS requests to 127.0.0.1#5353. In the DNS/DHCP configuration, under General Settings, add a forward to 127.0.0.1#5353 and save.

8. By this point everything should be in place to do a test. Run the configuration check below and look for errors; at this point it should come back successfully.
dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -check

9. Enable and start new dnscrypt-proxy version 2
/etc/init.d/dnscrypt-proxy enable
/etc/init.d/dnscrypt-proxy start

10. From command line check to make sure resolution is working. Also, check one of your clients and make sure you can get to a webpage or run the nslookup command.
dnscrypt-proxy -resolve google.com

If all is good then enjoy. Just remember the next sysupgrade will not have dnscrypt-proxy version 2 installed, and some of the above steps will need to be followed again.
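
Step 7 adds the forward to 127.0.0.1#5353, but dnsmasq can still send queries in plaintext to other upstreams (for example the ISP resolvers it learns from the WAN) unless those are switched off. The script below is an added example, not part of the original instructions or of the davidc502 build: it audits the dnsmasq config and dnscrypt-proxy.toml for the settings this page relies on. The noresolv check and the suggested fix are additions made here, the sample file is constructed, and the function names are made up for this example.

```sh
#!/bin/sh
# Added example: post-install audit for the setup described above.
# On the router: check_dhcp /etc/config/dhcp ; check_toml /etc/config/dnscrypt-proxy.toml

# Audit the dnsmasq UCI config. Prints findings, returns 0 only if clean.
check_dhcp() {
    rc=0
    if grep -Eq "^[[:space:]]*list[[:space:]]+server[[:space:]]+'?127\.0\.0\.1#5353'?" "$1"; then
        echo "ok:   dnsmasq forwards to 127.0.0.1#5353"
    else
        echo "FAIL: no forward to 127.0.0.1#5353"; rc=1
    fi
    # Any other upstream receives queries in plaintext, outside dnscrypt-proxy.
    if grep -E "^[[:space:]]*list[[:space:]]+server" "$1" | grep -qv "127\.0\.0\.1#5353"; then
        echo "FAIL: an upstream other than 127.0.0.1#5353 is configured"; rc=1
    fi
    # Without noresolv, dnsmasq also reads the ISP resolvers from its resolv file.
    if grep -Eq "^[[:space:]]*option[[:space:]]+noresolv[[:space:]]+'?1'?" "$1"; then
        echo "ok:   noresolv is set"
    else
        echo "FAIL: noresolv is not set; ISP resolvers may still be queried"; rc=1
    fi
    return $rc
}

# Audit dnscrypt-proxy.toml: the listener must match the dnsmasq forward.
check_toml() {
    if grep -Eq "^[[:space:]]*listen_addresses[[:space:]]*=.*127\.0\.0\.1:5353" "$1"; then
        echo "ok:   dnscrypt-proxy listens on 127.0.0.1:5353"
    else
        echo "FAIL: listen_addresses does not include 127.0.0.1:5353"; return 1
    fi
}

# Constructed sample (not from a real router): /etc/config/dhcp after step 7 only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
config dnsmasq
    option domainneeded '1'
    list server '127.0.0.1#5353'
EOF
check_dhcp "$sample" || echo "fix:  uci set dhcp.@dnsmasq[0].noresolv='1'; uci commit dhcp; /etc/init.d/dnsmasq restart"
rm -f "$sample"
```

On the constructed sample the forward check passes and the noresolv check fails, which is the state the router is in after step 7 alone.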


