OpenDNS, the free DNS provider, offers a new way to protect clients against attacks based on modification and manipulation of DNS traffic: DNSCrypt. The main objective of DNSCrypt is full encryption of the communication channel between the client (you) and the server (OpenDNS), roughly as SSL is used to encrypt HTTP traffic. This protects the client from man-in-the-middle attacks on DNS. In addition, encrypting DNS communication improves the client's privacy. DNSCrypt is the client-side version of DNSCurve.
- This HOWTO is aimed at hardware based on the ar71xx architecture.
There are no required packages, except
Add a third-party source to your opkg configuration file:
src/gz dnscrypt-proxy http://dl.dropbox.com/u/22711927/Permanently/openwrt/ar71xx/packages
And proceed with the installation itself:
opkg update
opkg install dnscrypt-proxy
Afterwards you may want to comment out or delete the new entry in the opkg configuration file:
# src/gz dnscrypt-proxy http://dl.dropbox.com/u/22711927/Permanently/openwrt/ar71xx/packages
dnscrypt-proxy listens on address and port 127.0.0.1:2053. We need to configure OpenWrt to send DNS requests to that address.
The config file /etc/config/dnscrypt-proxy is simple and will rarely be edited.
| Option | Type | Required | Default | Description |
| | string | yes | (none) | The IP address of the proxy server. |
| | string | yes | (none) | Listening port for DNS queries. |
If you need to specify other options, you will have to edit
Now we will start DNSCrypt and enable it at boot:
/etc/init.d/dnscrypt-proxy enable
/etc/init.d/dnscrypt-proxy start
Assuming you are using dnsmasq, edit the bold lines in the /etc/config/dhcp config file:
- We have disabled the /tmp/resolv.conf.auto file since it instructs dnsmasq to use your ISP's DNS.
- The noresolv option also disables the /etc/resolv.conf file for a similar reason.
- 127.0.0.1#2053 is the DNSCrypt address.
- /pool.ntp.org/126.96.36.199 adds an exception for the pool.ntp.org domain, which will be resolved through the standard unencrypted DNS channel. DNSCrypt requires precise time; otherwise you are not able to resolve any domain, including pool.ntp.org. An OpenDNS server is used for this.
Reboot the router or restart dnsmasq for the changes to take effect.
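The point of the dnsmasq changes above is that no plaintext upstream remains reachable except the deliberate pool.ntp.org exception. The following checker is an added example, not part of this HOWTO or of the dnscrypt-proxy package: it parses a copy of /etc/config/dhcp (run it on a workstation against a copy of the file, since the router has no Python) and reports anything that would still let queries bypass dnscrypt-proxy. The two embedded configs are constructed samples; the "good" one reflects the options discussed above, the "leaky" one is a stock config with only the server line added.

```python
"""Check an OpenWrt /etc/config/dhcp dnsmasq section for leak-free DNSCrypt forwarding."""
import re

# Constructed sample: the dnsmasq section as this HOWTO describes it
# (noresolv set, resolvfile removed, only dnscrypt-proxy plus the ntp exception).
GOOD_DHCP = """
config dnsmasq
	option domainneeded	1
	option boguspriv	1
	option localise_queries	1
	option noresolv	1
	list server	'127.0.0.1#2053'
	list server	'/pool.ntp.org/126.96.36.199'

config dhcp lan
	option interface	lan
	option start	100
"""

# Constructed sample of a stock config that still lets dnsmasq reach the ISP
# nameservers through /tmp/resolv.conf.auto even though dnscrypt-proxy is listed.
LEAKY_DHCP = """
config dnsmasq
	option domainneeded	1
	option resolvfile	'/tmp/resolv.conf.auto'
	list server	'127.0.0.1#2053'
"""

DNSCRYPT = "127.0.0.1#2053"  # dnscrypt-proxy address in dnsmasq notation


def _split(line):
    """Split a UCI line into tokens, honouring single or double quotes around values."""
    return [next(g for g in m.groups() if g is not None)
            for m in re.finditer(r"'([^']*)'|\"([^\"]*)\"|(\S+)", line)]


def parse_uci(text):
    """Parse UCI text into a list of sections: {type, name, options, lists}.
    Handles `config`, `option` and `list` lines, which is all /etc/config/dhcp uses."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = _split(line)
        if tokens[0] == "config" and len(tokens) >= 2:
            cur = {"type": tokens[1], "name": tokens[2] if len(tokens) > 2 else None,
                   "options": {}, "lists": {}}
            sections.append(cur)
        elif cur is not None and tokens[0] == "option" and len(tokens) >= 3:
            cur["options"][tokens[1]] = tokens[2]
        elif cur is not None and tokens[0] == "list" and len(tokens) >= 3:
            cur["lists"].setdefault(tokens[1], []).append(tokens[2])
    return sections


def check_dnscrypt_forwarding(text, allowed_exceptions=("pool.ntp.org",)):
    """Return a list of problems; an empty list means dnsmasq can only forward to
    dnscrypt-proxy, apart from the explicitly allowed per-domain exceptions."""
    problems = []
    dnsmasq = [s for s in parse_uci(text) if s["type"] == "dnsmasq"]
    if not dnsmasq:
        return ["no dnsmasq section found"]
    opts = dnsmasq[0]["options"]
    servers = dnsmasq[0]["lists"].get("server", [])
    if opts.get("noresolv") not in ("1", "on", "true", "yes"):
        problems.append("noresolv is not set: nameservers from /etc/resolv.conf would be used")
    if "resolvfile" in opts:
        problems.append("resolvfile %s is still set: ISP nameservers would be used" % opts["resolvfile"])
    if DNSCRYPT not in servers:
        problems.append("dnscrypt-proxy address %s is not listed as a server" % DNSCRYPT)
    for srv in servers:
        if srv == DNSCRYPT:
            continue
        m = re.match(r"^/([^/]+)/(.+)$", srv)  # dnsmasq's /domain/server form
        if m and m.group(1) in allowed_exceptions:
            continue  # the deliberate plaintext exception for time sync
        problems.append("unexpected plaintext upstream: %s" % srv)
    return problems


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_DHCP), ("leaky", LEAKY_DHCP)):
        print(label, check_dnscrypt_forwarding(cfg) or "OK")
```

Any extra `list server` entry that is not dnscrypt-proxy and not a domain-scoped exception is reported, so the check also catches a later edit that quietly re-adds a public resolver.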
Note: you may need admin privileges to run the commands below.
sudo /etc/init.d/nscd restart
or
sudo /etc/init.d/networking restart
- Mac OSX 10.4 (Tiger)
- Mac OSX 10.5/10.6 (Leopard/Snow Leopard)
The easy way is to look in the log.
- Check that dnsmasq is using only DNSCrypt. Only the last block of logged nameservers is relevant.
logread | grep -n "using nameserver"
132:Jan 1 01:01:00 openwrt daemon.info dnsmasq: using nameserver 188.8.131.52#53 for domain pool.ntp.org
133:Jan 1 01:01:00 openwrt daemon.info dnsmasq: using nameserver 127.0.0.1#2053
- Check that dnscrypt-proxy is running and proxying:
logread | grep "Proxying from"
Jul 1 12:00:00 openwrt daemon.info dnscrypt-proxy: Proxying from 127.0.0.1:2053 to 184.108.40.206:443
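Reading the two log checks by eye works once; the following script is an added example (not from this HOWTO or from dnscrypt-proxy) that does the same against saved `logread` output: it isolates the last block of "using nameserver" lines, confirms that the only general nameserver is dnscrypt-proxy and that every per-domain nameserver is one of the allowed exceptions, and checks that dnscrypt-proxy logged that it is proxying on the address dnsmasq expects. The embedded log excerpt is constructed: an older block from before the change, then the lines shown above.

```python
"""Audit logread output: does the running dnsmasq forward only to dnscrypt-proxy?"""
import re

# Constructed logread excerpt: a block from before the change (ISP nameserver
# read from /tmp/resolv.conf.auto), then the block logged after the restart.
SAMPLE_LOG = """\
Jan  1 01:00:00 openwrt daemon.info dnsmasq[1201]: started, version 2.62 cachesize 150
Jan  1 01:00:00 openwrt daemon.info dnsmasq: reading /tmp/resolv.conf.auto
Jan  1 01:00:00 openwrt daemon.info dnsmasq: using nameserver 192.0.2.1#53
Jan  1 01:01:00 openwrt daemon.info dnsmasq[1340]: started, version 2.62 cachesize 150
Jan  1 01:01:00 openwrt daemon.info dnsmasq: using nameserver 188.8.131.52#53 for domain pool.ntp.org
Jan  1 01:01:00 openwrt daemon.info dnsmasq: using nameserver 127.0.0.1#2053
Jul  1 12:00:00 openwrt daemon.info dnscrypt-proxy: Proxying from 127.0.0.1:2053 to 184.108.40.206:443
"""

NAMESERVER_RE = re.compile(r"dnsmasq(?:\[\d+\])?: using nameserver (\S+)(?: for domain (\S+))?")
PROXY_RE = re.compile(r"dnscrypt-proxy(?:\[\d+\])?: Proxying from (\S+) to (\S+)")


def last_nameserver_block(log):
    """Return [(nameserver, domain_or_None), ...] from the last run of consecutive
    'using nameserver' lines. dnsmasq logs a fresh block each time it (re)reads its
    configuration, so only the latest block describes the running state."""
    blocks, cur = [], []
    for line in log.splitlines():
        m = NAMESERVER_RE.search(line)
        if m:
            cur.append((m.group(1), m.group(2)))
        elif cur:
            blocks.append(cur)
            cur = []
    if cur:
        blocks.append(cur)
    return blocks[-1] if blocks else []


def audit(log, dnscrypt="127.0.0.1#2053", allowed_domains=("pool.ntp.org",)):
    """Return a list of findings; an empty list means dnsmasq forwards only to
    dnscrypt-proxy (plus the allowed per-domain exceptions) and dnscrypt-proxy
    reported that it is proxying on that same address."""
    findings = []
    block = last_nameserver_block(log)
    if not block:
        return ["no 'using nameserver' lines found"]
    if (dnscrypt, None) not in block:
        findings.append("dnscrypt-proxy %s is not a general nameserver" % dnscrypt)
    for ns, domain in block:
        if domain is None and ns != dnscrypt:
            findings.append("plaintext general nameserver in use: %s" % ns)
        elif domain is not None and domain not in allowed_domains:
            findings.append("unexpected per-domain nameserver %s for %s" % (ns, domain))
    proxies = [m for m in (PROXY_RE.search(l) for l in log.splitlines()) if m]
    if not proxies:
        findings.append("dnscrypt-proxy never logged 'Proxying from'")
    elif proxies[-1].group(1) != dnscrypt.replace("#", ":"):
        findings.append("dnscrypt-proxy listens on %s, dnsmasq expects %s"
                        % (proxies[-1].group(1), dnscrypt))
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_LOG) or "OK: only dnscrypt-proxy is in use")
```

Save the router's output with `logread > /tmp/log.txt`, copy it off, and feed the file contents to `audit()`; a non-empty result means a restart happened with the old configuration or a plaintext resolver crept back in.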
If dnscrypt-proxy is compiled for brcm-2.4 with a standard OpenWrt toolchain, reception of a "suspicious" certificate is reported.
This behaviour is caused by a probable optimization bug in gcc-3.4.6 when the following CFLAGS are used
It seems that crypto_hash_sha512() in dnscrypt-proxy/src/libnacl is wrongly optimized by gcc-3.4.6, because the dnscrypt-proxy/src/libnacl/tests/hash3.c test fails.
To fix the problem, compile dnscrypt-proxy with the -O2 optimization flag. Run make menuconfig and put -O2 in Advanced configuration options (for developers) → Target Options. The build then produces a correct dnscrypt-proxy package.
With -O2 optimization, crypto_hash_sha512() in dnscrypt-proxy/src/libnacl is correctly optimized and dnscrypt-proxy works flawlessly.
- Updates are announced in the forum: https://forum.openwrt.org/viewtopic.php?id=36380&p=1
- Check availability: http://www.opendns.com/welcome/
inbox/dnscrypt.txt · Last modified: 2012/10/11 11:22 by omonar