OpenDNS, the free DNS provider, offers a new way to protect clients against attacks that modify or manipulate DNS traffic: DNSCrypt. The main objective of DNSCrypt is full encryption of the communication channel between the client (you) and the server (OpenDNS), roughly as SSL is used to encrypt HTTP traffic. This protects the client from man-in-the-middle attacks. In addition, encrypting DNS communication improves the client's privacy. DNSCrypt is a client-side version of DNSCurve.

The dnscrypt-proxy package is obtained from a third party.



  • this HOWTO is aimed towards hardware based on ar71xx architecture

Required Packages

There are no required packages, except dnscrypt-proxy itself.


Since the Dropbox feed mentioned in the original installation instructions is gone, I've tossed my own build of dnscrypt-proxy 1.2.1 for the ar71xx here on a web site, pending Black Roland's feed restoration. I've not set up a feed, or built for any other platforms.

cd /tmp
wget http://bitsum.com/files/packages/ar71xx/dnscrypt-proxy_1.2.1-1.E_ar71xx.ipk
opkg install dnscrypt-proxy_1.2.1-1.E_ar71xx.ipk
rm -f dnscrypt-proxy*.ipk

Add third-party source to your opkg configuration file /etc/opkg.conf:

src/gz dnscrypt-proxy http://dl.dropbox.com/u/22711927/Permanently/openwrt/ar71xx/packages

And proceed with the installation itself:

opkg update
opkg install dnscrypt-proxy

You may want to comment out or delete the new entry in /etc/opkg.conf.

# src/gz dnscrypt-proxy http://dl.dropbox.com/u/22711927/Permanently/openwrt/ar71xx/packages


DNSCrypt is listening on address and port: We need to set OpenWrt to send DNS requests to that address.

Server configuration


The config file /etc/config/dnscrypt-proxy is simple and will be rarely edited.

config dnscrypt-proxy
    option address ''
    option port '2053'


Name Type Required Default Description
address string yes (none) The IP address of the proxy server.
port string yes (none) Listening port for DNS queries.

If you need to specify other options, you will have to edit the /etc/init.d/dnscrypt-proxy script.

Now we will start DNSCrypt and enable it to start at boot:

/etc/init.d/dnscrypt-proxy enable
/etc/init.d/dnscrypt-proxy start


Assuming you are using dnsmasq, edit the bold lines in /etc/config/dhcp config file:

config dnsmasq
    option domainneeded 1
    option boguspriv 1
    option filterwin2k 0
    option localise_queries 1
    option rebind_protection 1
    option rebind_localhost 1
    option local '/lan/'
    option domain 'lan'
    option expandhosts 1
    option nonegcache 0
    option authoritative 1
    option readethers 1
    option leasefile '/tmp/dhcp.leases'
    # option resolvfile '/tmp/resolv.conf.auto'
    option noresolv 1
    list server ''
    list server '/pool.ntp.org/'
    # list server ''
    # list server ''

  • We have disabled the /tmp/resolv.conf.auto file since it instructs dnsmasq to use your ISP's DNS.
  • The noresolv option also disables the /etc/resolv.conf file for a similar reason.
  • is the DNSCrypt address.
  • /pool.ntp.org/ adds an exception for the pool.ntp.org domain, which will be resolved through the standard unencrypted DNS channel. DNSCrypt requires precise time; otherwise you are not able to resolve any domain, including pool.ntp.org. An OpenDNS server is used for this.

Reboot router or restart dnsmasq for the changes to take effect.

/etc/init.d/dnsmasq restart

Client configuration

Note: you may need admin privileges to run the commands below.


sudo /etc/init.d/nscd restart
sudo /etc/init.d/networking restart


ipconfig /flushdns

Mac OS X

  • Mac OSX 10.4 (Tiger)
    • lookupd -flushcache
  • Mac OSX 10.5/10.6 (Leopard/Snow Leopard)
    • dscacheutil -flushcache



How to check you are using OpenDNS servers

  1. The OpenDNS welcome page should display Oops…, otherwise your clients are using OpenDNS directly, i.e. they are bypassing DNSCrypt.
  2. The OpenDNS demonstration phishing test page should block you.
  3. The OpenDNS typo test page should resolve to the real Craigslist site.
  4. The DNS randomness test will show you the actual IP of your DNS server. You can check here if the IP is associated with OpenDNS (put the IP in the search field).

How to check your DNS is encrypted

The easy way is to look in the log.

  1. Check if dnsmasq is using only dnscrypt. Only the last block of logged nameservers is relevant.
    • logread | grep -n "using nameserver"
    • 132:Jan  1 01:01:00 openwrt daemon.info dnsmasq[1883]: using nameserver for domain pool.ntp.org
      133:Jan  1 01:01:00 openwrt daemon.info dnsmasq[1883]: using nameserver
  2. Check that dnscrypt-proxy is working.
    • logread | grep "Proxying from"
    • Jul 1 12:00:00 openwrt daemon.info dnscrypt-proxy[1831]: Proxying from to
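
The "only the last block is relevant" check from step 1 can be scripted. This is an added example, not part of the original page: the function name check_upstreams is hypothetical, the proxy address 127.0.0.1 is an assumption (only port 2053 appears in the config above), and the sample log lines are constructed.

```sh
#!/bin/sh
# Added example. PROXY is an assumption: substitute the address and port
# dnscrypt-proxy actually listens on, written the way dnsmasq logs it (addr#port).
PROXY='127.0.0.1#2053'

# Constructed sample log: an old block using an ISP resolver, then the
# current block logged after dnsmasq was restarted with the new config.
SAMPLE_LOG='Jan  1 01:00:10 openwrt daemon.info dnsmasq[1702]: using nameserver 192.0.2.53#53
Jan  1 01:00:59 openwrt daemon.info dnsmasq[1883]: started
Jan  1 01:01:00 openwrt daemon.info dnsmasq[1883]: using local addresses only for domain lan
Jan  1 01:01:00 openwrt daemon.info dnsmasq[1883]: using nameserver 203.0.113.53#53 for domain pool.ntp.org
Jan  1 01:01:00 openwrt daemon.info dnsmasq[1883]: using nameserver 127.0.0.1#2053'

# Reads a syslog dump on stdin and inspects only the LAST block of dnsmasq
# "using ..." lines. Returns 0 if every general upstream equals $1 and every
# per-domain upstream is for the allowed exception domain $2; 1 otherwise.
check_upstreams() {
    awk -v want="$1" -v ok_domain="$2" '
        /dnsmasq\[[0-9]+\]: using / {
            if (!inblock) { n = 0; inblock = 1 }   # new block replaces older ones
            if ($0 ~ /using nameserver /) line[n++] = $0
            next
        }
        /dnsmasq\[[0-9]+\]: / { inblock = 0 }      # any other dnsmasq line ends a block
        END {
            if (n == 0) { print "no nameserver lines logged"; exit 1 }
            bad = 0
            for (i = 0; i < n; i++) {
                s = line[i]
                sub(/.*using nameserver /, "", s)
                if (s ~ / for domain /) {
                    d = s; sub(/.* for domain /, "", d)
                    if (d != ok_domain) { print "unexpected exception: " s; bad = 1 }
                } else if (s != want) {
                    print "bypasses dnscrypt-proxy: " s; bad = 1
                }
            }
            exit bad
        }'
}

printf '%s\n' "$SAMPLE_LOG" | check_upstreams "$PROXY" pool.ntp.org \
    && echo "dnsmasq forwards only to $PROXY"
```

On the router, feed it the live log instead of the sample: logread | check_upstreams '127.0.0.1#2053' pool.ntp.org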

Suspicious certificate received [brcm-2.4]

If dnscrypt-proxy is compiled for brcm-2.4 with a standard OpenWrt toolchain, then it reports that a "suspicious" certificate was received.

root@OpenWrtRouter:/tmp# ./dnscrypt-proxy -a
[INFO] Generating a new key pair
[INFO] Done
[ERROR] Suspicious certificate received
[ERROR] No useable certificates found
[INFO] Refetching server certificates
[ERROR] Suspicious certificate received
[ERROR] No useable certificates found

This kind of behavior is caused by a possible optimization bug in gcc-3.4.6 when the following CFLAGS are used:

-Os -pipe -mips32 -mtune=mips32 -funit-at-a-time

It seems that crypto_hash_sha512() in dnscrypt-proxy/src/libnacl is wrongly optimized by gcc-3.4.6 because the dnscrypt-proxy/src/libnacl/tests/hash3.c test fails.

root@OpenWrtRouter:/tmp# ./hash3.exe > hash3.txt
root@OpenWrtRouter:/tmp# cat hash3.txt
2b05e11a68d27841f23040799b036d1849bbc9d2b8dbd18b86073207e93e3ae5b74446174314163e67254466d89cb05cf995582f08547324f6b9aa45646d6c28
root@OpenWrtRouter:/tmp# cat hash3.out
24f950aac7b9ea9b3cb728228a0c82b67c39e96b4b344798870d5daee93e3ae5931baae8c7cacfea4b629452c38026a81d138bc7aad1af3ef7bfd5ec646d6c28

To fix the problem, one can compile dnscrypt-proxy with the -O2 optimization flag. Run

make menuconfig
and put

-O2 -pipe -mips32 -mtune=mips32 -funit-at-a-time

in Advanced configuration options (for developers) → Target Options. Then

make package/dnscrypt-proxy/compile V=99

produces a correct dnscrypt-proxy package.

With -O2 optimization, crypto_hash_sha512() in dnscrypt-proxy/src/libnacl is now correctly optimized:

root@OpenWrtRouter:/tmp# ./hash3.exe > hash3.txt
root@OpenWrtRouter:/tmp# cat hash3.txt
24f950aac7b9ea9b3cb728228a0c82b67c39e96b4b344798870d5daee93e3ae5931baae8c7cacfea4b629452c38026a81d138bc7aad1af3ef7bfd5ec646d6c28
root@OpenWrtRouter:/tmp# cat hash3.out
24f950aac7b9ea9b3cb728228a0c82b67c39e96b4b344798870d5daee93e3ae5931baae8c7cacfea4b629452c38026a81d138bc7aad1af3ef7bfd5ec646d6c28

and dnscrypt-proxy works flawlessly:

root@OpenWrtRouter:/tmp# ./dnscrypt-proxy -a
[INFO] Generating a new key pair
[INFO] Done
[INFO] Server certificate #1346958918 received
[INFO] This certificate looks valid
[INFO] Server key fingerprint is 6228:62A6:CA4D:F1E8:37A7:C486:4F66:E692:0B5E:34F8:B110:597D:5BA0:BAB6:AF03:FA75
[INFO] Proxying from to



inbox/dnscrypt.txt · Last modified: 2013/06/29 04:05 by jcollake