OpenDNS, the free DNS provider, offers DNSCrypt as a way to protect clients against modification and manipulation of DNS traffic. The main objective of DNSCrypt is to encrypt and authenticate the whole communication channel between the client (you) and the server (OpenDNS), similar to how SSL/TLS protects HTTP traffic. This protects the client from man-in-the-middle attacks on the path to the resolver: spoofed or tampered responses are detected and dropped. Encrypting the queries also improves the client's privacy against anyone watching that path, though not against the resolver itself, which still sees every query in the clear. DNSCrypt applies the same idea as DNSCurve, which protects the resolver-to-authoritative leg, to the client-to-resolver leg.
The dnscrypt-proxy client project is maintained by OpenDNS employee jedisct1.
The OpenWrt package for ar71xx is maintained by black-roland
Add the third-party source for your OpenWrt version to the opkg configuration file /etc/opkg.conf:

Barrier Breaker:
src/gz exopenwrt http://exopenwrt.and.in.net/barrier_breaker/ar71xx/packages/exOpenWrt
Attitude Adjustment:
src/gz exopenwrt http://exopenwrt.and.in.net/attitude_adjustment/ar71xx/packages
trunk:
src/gz exopenwrt http://exopenwrt.and.in.net/trunk/ar71xx/packages/exOpenWrt

Note that this feed is served over plain HTTP and is not one of the official OpenWrt feeds, so for every package installed from it you are trusting both the feed maintainer and the network path to the feed.

Then proceed with the installation itself:

$ opkg update
$ opkg install dnscrypt-proxy

This will install dnscrypt-proxy as well as the libraries it depends on, such as libsodium.
The OpenWrt package for x86 is maintained by damianorenfer
If not already done, install a CA certificate bundle so that curl can verify GitHub's TLS certificate. The bundle below is the Mozilla CA list as published by the curl project; it is itself fetched over plain HTTP here, so it is only as trustworthy as the path to curl.haxx.se:

root@OpenWrt:~# mkdir -p /etc/ssl/certs/
root@OpenWrt:~# wget -P /etc/ssl/certs/ http://curl.haxx.se/ca/cacert.pem

As dnscrypt-proxy depends on libsodium, install it:

root@OpenWrt:~# cd /tmp
root@OpenWrt:~# curl -OL --cacert /etc/ssl/certs/cacert.pem https://github.com/damianorenfer/libsodium-openwrt/raw/master/openwrt/bin/x86/libsodium_0.4.5-1_x86.ipk
root@OpenWrt:~# opkg install libsodium_0.4.5-1_x86.ipk
root@OpenWrt:~# rm -f libsodium*.ipk

Then get the dnscrypt-proxy package from GitHub:

root@OpenWrt:~# cd /tmp
root@OpenWrt:~# curl -OL --cacert /etc/ssl/certs/cacert.pem https://github.com/damianorenfer/dnscrypt-proxy-openwrt/raw/master/bin/x86/packages/dnscrypt-proxy_1.4.0-1_x86.ipk
root@OpenWrt:~# opkg install dnscrypt-proxy_1.4.0-1_x86.ipk
root@OpenWrt:~# rm -f dnscrypt-proxy*.ipk
You can then follow the configuration section below, but note that this package's default listening port is 5353, NOT 2053. Change it in /etc/config/dnscrypt-proxy if needed, or make the dnsmasq server entry described below match whichever port you keep.

Note: these packages are only for x86 systems, but if you have some OpenWrt knowledge you can compile the packages for your platform. The procedure is briefly described at https://github.com/damianorenfer/dnscrypt-proxy-openwrt
dnscrypt-proxy listens on address and port 127.0.0.1:2053. We need to configure OpenWrt to send DNS requests to that address.

The config file /etc/config/dnscrypt-proxy is simple and will rarely be edited. If you are using OpenDNS, it is already the default resolver, so you do not have to change anything.
It holds four settings:
- The IP address the proxy server listens on.
- The listening port for DNS queries.
- The DNS service (resolver) used to answer queries.
- The location of the CSV file containing the list of resolvers.
If you need to specify other options, you will have to edit the
Now we will start DNSCrypt and enable it at boot:

/etc/init.d/dnscrypt-proxy enable
/etc/init.d/dnscrypt-proxy start
Assuming you are using dnsmasq, edit the bold lines in its configuration:
- We have disabled the /tmp/resolv.conf.auto file, since it instructs dnsmasq to use your ISP's DNS servers.
- The noresolv option also disables the /etc/resolv.conf file, for the same reason.
- 127.0.0.1#2053 is the DNSCrypt address (dnsmasq writes the port after a # sign).
- /pool.ntp.org/188.8.131.52 adds an exception for pool.ntp.org, which will be resolved through the standard unencrypted DNS channel. DNSCrypt requires a reasonably accurate clock, because the resolver's certificate carries a validity period that dnscrypt-proxy checks; with a wrong clock it resolves nothing, including pool.ntp.org. A device that boots with a wrong time could therefore never correct it, and DNSCrypt would never work. The exception makes pool.ntp.org queries always bypass DNSCrypt and resolve through the standard unencrypted OpenDNS path. Responses for that one name are consequently unauthenticated; that is the trade-off accepted here.
Reboot the router or restart dnsmasq for the changes to take effect.
Note: you may need admin privileges to run the commands below.

sudo /etc/init.d/nscd restart
or
sudo /etc/init.d/networking restart
- Mac OSX 10.4 (Tiger)
- Mac OSX 10.5/10.6 (Leopard/Snow Leopard)
nslookup -type=txt debug.opendns.com.
or
dig debug.opendns.com txt

One of the TXT records returned should read "dnscrypt enabled (<number>)". This record is answered by OpenDNS itself and only confirms that the query it received arrived over DNSCrypt; it is a resolver-side check, not a check of what dnsmasq on the router is doing.
The easy way is to look in the log.
- Check that dnsmasq is using only dnscrypt-proxy (plus the pool.ntp.org exception). dnsmasq logs its nameserver list on every start, so only the last block of logged nameservers is relevant:

logread | grep -n "using nameserver"
132:Jan 1 01:01:00 openwrt daemon.info dnsmasq: using nameserver 184.108.40.206#53 for domain pool.ntp.org
133:Jan 1 01:01:00 openwrt daemon.info dnsmasq: using nameserver 127.0.0.1#2053

- Check that dnscrypt-proxy is listening on the address dnsmasq sends to and is proxying to the resolver:

logread | grep "Proxying from"
Jul 1 12:00:00 openwrt daemon.info dnscrypt-proxy: Proxying from 127.0.0.1:2053 to 220.127.116.11:443
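The two dnsmasq-side steps above, the configuration (disable resolvfile, set noresolv, point server at 127.0.0.1#2053 with the pool.ntp.org exception) and the log check that only looks at the last block of "using nameserver" lines, written out as one POSIX sh script. This is an added example, not code from the wiki page or from the dnscrypt-proxy project. It assumes the values used on this page (proxy at 127.0.0.1#2053, pool.ntp.org as the only plain-text exception, 188.8.131.52 as the resolver for it); OpenWrt keeps dnsmasq's UCI settings in /etc/config/dhcp, which is where the apply function writes. The log excerpts inside are constructed, and 192.0.2.53 is a documentation-range placeholder standing in for an ISP resolver.

```shell
#!/bin/sh
# Added example (not from the wiki page or the dnscrypt-proxy project): apply the
# dnsmasq settings described above with uci, and check from the log that dnsmasq
# really sends everything to dnscrypt-proxy. Assumed values (as used on this page):
# proxy at 127.0.0.1#2053, pool.ntp.org as the only plain-text exception.
PROXY_ADDR='127.0.0.1#2053'     # dnsmasq writes upstreams as addr#port
NTP_DOMAIN='pool.ntp.org'
NTP_FALLBACK='188.8.131.52'     # plain-text resolver for the clock-bootstrap exception

# Write the settings into /etc/config/dhcp (OpenWrt's UCI file for dnsmasq) and
# restart dnsmasq. Run this on the router only; nothing below calls it.
apply_dnsmasq_config() {
    uci set dhcp.@dnsmasq[0].noresolv='1'        # ignore /etc/resolv.conf
    uci -q delete dhcp.@dnsmasq[0].resolvfile    # stop reading the ISP's /tmp/resolv.conf.auto
    uci -q delete dhcp.@dnsmasq[0].server        # drop any previous upstream list
    uci add_list dhcp.@dnsmasq[0].server="$PROXY_ADDR"
    uci add_list dhcp.@dnsmasq[0].server="/$NTP_DOMAIN/$NTP_FALLBACK"
    uci commit dhcp
    /etc/init.d/dnsmasq restart
}

# Keep only the most recent run of "using nameserver" lines from logread output on
# stdin. dnsmasq logs a fresh set on every (re)start, so earlier runs are stale; any
# other dnsmasq message in between marks the start of a new run.
last_nameserver_block() {
    awk '/dnsmasq.*using nameserver/ { block = block $0 "\n"; next }
         /dnsmasq/                   { block = "" }
         END                         { printf "%s", block }'
}

# Exit 0 iff the current upstream set is exactly: the proxy for everything, plus the
# pool.ntp.org exception. Anything else means plain-text DNS is leaking.
check_dnsmasq_upstreams() {
    block=$(last_nameserver_block)
    if [ -z "$block" ]; then
        echo 'no "using nameserver" lines found; is dnsmasq running?' >&2
        return 1
    fi
    bad=$(printf '%s\n' "$block" | awk -v proxy="$PROXY_ADDR" -v ntp="$NTP_DOMAIN" '
        { ns = ""; dom = ""
          for (i = 1; i <= NF; i++) {
              if ($i == "nameserver") ns = $(i + 1)
              if ($i == "domain")     dom = $(i + 1)
          }
          if (ns == proxy && dom == "") { seen = 1; next }   # encrypted path
          if (dom == ntp)                 next              # deliberate exception
          print                                             # anything else leaks
        }
        END { if (!seen) print "MISSING: no entry for " proxy }')
    if [ -n "$bad" ]; then
        printf 'unexpected upstream(s):\n%s\n' "$bad" >&2
        return 1
    fi
}

# Exit 0 iff the last "Proxying from" line shows dnscrypt-proxy listening where
# dnsmasq sends (dnscrypt-proxy logs addr:port, dnsmasq uses addr#port).
check_proxy_log() {
    line=$(grep 'dnscrypt-proxy: Proxying from' | tail -n 1)
    if [ -z "$line" ]; then
        echo 'dnscrypt-proxy has not logged a "Proxying from" line' >&2
        return 1
    fi
    listen=$(printf '%s\n' "$line" | sed -n 's/.*Proxying from \([^ ]*\) to .*/\1/p')
    [ "$listen" = "$(printf '%s' "$PROXY_ADDR" | tr '#' ':')" ]
}

# Constructed logread excerpts, not real router logs. The first run in SAMPLE_OK still
# lists a plain resolver (192.0.2.53, a documentation-range stand-in for an ISP server)
# and must be ignored, because the second run replaces it.
SAMPLE_OK='Jan  1 01:00:00 openwrt daemon.info dnsmasq[1234]: started, version 2.71 cachesize 150
Jan  1 01:00:00 openwrt daemon.info dnsmasq: using nameserver 192.0.2.53#53
Jan  1 01:00:30 openwrt daemon.info dnscrypt-proxy: Proxying from 127.0.0.1:2053 to 220.127.116.11:443
Jan  1 01:01:00 openwrt daemon.info dnsmasq[1234]: started, version 2.71 cachesize 150
Jan  1 01:01:00 openwrt daemon.info dnsmasq: using nameserver 184.108.40.206#53 for domain pool.ntp.org
Jan  1 01:01:00 openwrt daemon.info dnsmasq: using nameserver 127.0.0.1#2053'

# Same run, but with resolvfile left enabled the ISP's server is still in the list.
SAMPLE_LEAK="$SAMPLE_OK
Jan  1 01:01:00 openwrt daemon.info dnsmasq: using nameserver 192.0.2.53#53"

report() {   # $1 = label; logread text on stdin
    log=$(cat)
    if printf '%s\n' "$log" | check_dnsmasq_upstreams; then
        echo "$1: dnsmasq uses only $PROXY_ADDR (plus the $NTP_DOMAIN exception)"
    else
        echo "$1: dnsmasq still sends queries to a plain-text resolver"
    fi
    if printf '%s\n' "$log" | check_proxy_log; then
        echo "$1: dnscrypt-proxy is listening on $PROXY_ADDR"
    else
        echo "$1: dnscrypt-proxy is not listening where dnsmasq expects it"
    fi
}

# Stand-alone: check the live log on a router, the constructed samples anywhere else.
if command -v logread >/dev/null 2>&1; then
    logread | report live
else
    printf '%s\n' "$SAMPLE_OK"   | report sample-ok
    printf '%s\n' "$SAMPLE_LEAK" | report sample-leak
fi
```

Run it on the router with sh to check the live logread output; anywhere else it runs against the constructed samples. Call apply_dnsmasq_config by hand on the router only, since it rewrites /etc/config/dhcp and restarts dnsmasq. If you kept the x86 package's default port of 5353, change PROXY_ADDR to match before running either check.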
If dnscrypt-proxy is compiled for brcm-2.4 with a standard OpenWrt toolchain, it reports the reception of a "suspicious" certificate from the resolver.
This behaviour is caused by a probable optimization bug in gcc-3.4.6 when the toolchain's default CFLAGS are used.
It appears that crypto_hash_sha512() in dnscrypt-proxy/src/libnacl is miscompiled by gcc-3.4.6, because the bundled test dnscrypt-proxy/src/libnacl/tests/hash3.c fails. That also explains the symptom: the resolver's certificate is signed with Ed25519, which hashes with SHA-512, so a broken SHA-512 makes every signature check fail and the certificate is rejected as suspicious.
To fix the problem, compile dnscrypt-proxy with the -O2 optimization flag. Run make menuconfig and set -O2 in Advanced configuration options (for developers) → Target Options. Rebuilding then produces a correct dnscrypt-proxy package.
With -O2 optimization, crypto_hash_sha512() in dnscrypt-proxy/src/libnacl is compiled correctly and dnscrypt-proxy works flawlessly.
- Updates are announced in the forum thread https://forum.openwrt.org/viewtopic.php?id=36380
inbox/dnscrypt.txt · Last modified: 2014/10/01 11:30 by dartraiden