This discussion has been inactive for longer than 30 days, and is thus closed.
  1.
    Hi all

    DNSCrypt looks like a great idea - but is the intention to make it available at router/proxy level?

    Currently all my home LAN DNS requests are transparently redirected to OpenDNS to avoid any clients bypassing filtering with incorrect or static IP settings.

    Given I use a DD-WRT based router, which just routes DNS traffic, are there any notional plans for an iptables based "kmod" solution, or proxy s/w that traffic could be redirected via?
  2.
    "is the intention to make it available at router/proxy level?"

    It is open source code, as noted, although not yet posted to the repository. Anyone with the skill can make it work on any platform they choose. I doubt OpenDNS will build binaries for every conceivable use, but some people may get lucky.

    In general, OpenDNS will not say that something is going to be available until they are five minutes from handing it to you. They don't do ETAs for anything at all since a couple years now, but you can go ahead and ask them via support ticket.
    jedisct1 (Administrator), Dec 8th 2011:
    The source code is now on github: https://github.com/opendns/dnscrypt-proxy

    This is a proxy you can install on your Linux-based router.
    Thankful People: maintenance
  3.
    Nice. It will work on all the more common Unixy stuff.
  4.
    i think i got it working on openbsd-current. at least i think that's what it's telling me.

    # dnscrypt-proxy
    [INFO] Generating a new key pair
    [INFO] Done
    [INFO] Server certificate #1322295356 received
    [INFO] This certificate looks valid
    [INFO] Server key fingerprint is E07C:5F90:03C2:D764:A9FC:9A1E:6633:632A:0FE0:B1C5:5EF9:894A:FC7A:BA18:4A62:462E
    [INFO] dnscrypt-proxy is ready: proxying from [127.0.0.1] to [208.67.220.220]
  5.
    It says it is proxying, yes.
    jimerickson, Dec 9th 2011 (edited):
    ok great! also i want to mention that on openbsd the /etc/rc.d/dnscrypt_proxy script always fails. so i have to start it by hand. any way to fix this? -d reveals the following error:

    [ERROR] Unable to chroot to [/nonexistent]
  6.
    Unable to chroot to [/nonexistent]

    The directory and/or file isn't there. Check the directory tree. Maybe check under other /etc dirs.
    jimerickson, Dec 10th 2011 (edited):
    could you give me a clue where it is trying to chroot to? i will gladly create a directory for it but so far putting the directory in /, var, tmp, home, and etc didn't work.
  7.
    i got it. you have to delete the user the install creates and redo it. it wants _dnscrypt-proxy in /home and fully populated.
    Thankful People: zelus, maintenance
  8.
    I'm glad you figured it out, because I don't know the source or conditions of that error message. :smile:

    As to the directory, I had been thinking that perhaps the /etc wasn't the one in /, but an /etc under another directory, without the full path shown.

    I'm going to have to fire up a BSD box and try this thing out.
    jimerickson, Dec 11th 2011 (edited):
    a word of warning -- do NOT put dnscrypt_proxy in /etc/rc.conf.local it hangs the boot, hard. you will have to boot to single user mode (boot -s) to fix it. believe me just start it by hand. you will be happier.

    also the instructions given in the git README.markdown for unbound don't work. forwarding to port 40 causes dnscrypt-proxy to give an error about the address already being in use. at least i never got it to work. maybe some clarification for us amateurs.
    jedisct1 (Administrator), Dec 11th 2011:
    Use the latest version from Github, some fixes to the OpenBSD ports have been made recently: https://github.com/opendns/dnscrypt-proxy/tree/master/packages/OpenBSD/net/dnscrypt-proxy

    If you want to use it along with Unbound, make sure that you're starting dnscrypt-proxy with --local-port=40

    Unbound also requires this extra configuration line if dnscrypt-proxy is listening to 127.0.0.1:

    do-not-query-localhost: no

    The README.markdown file has been updated to mention this.
    Thankful People: maintenance, jimerickson
  9.
    thank you very much!!
  10.
    i must not be doing it right. the only way i could get it to work with a forward-zone statement was to have unbound answer queries from port 40, forward to port 53, and have dnscrypt-proxy use --local-port=53. also the /etc/rc.d/dnscrypt_proxy no longer hangs the boot but still fails.
    jedisct1 (Administrator), Dec 12th 2011:
    It may work that way, provided that you include something like:

    nameserver [127.0.0.1]:40

    in your /etc/resolv.conf file - the brackets are required in order to specify a non-standard port.

    OpenBSD may need to perform some DNS queries *before* daemons installed from the port system have been fired up.
    For example, spamd, NFS volumes and smtpd are started before unbound and dnscrypt.

    One way to cope with that is to have additional entries in your resolv.conf, just to have a fallback, non-local resolver.

    Another way, which is more of a disgusting hack, is to start these daemons from the /etc/rc script.
    Thankful People: maintenance, jimerickson
  11.
    thanks for that information jedisct1. i will modify my resolv.conf immediately. you have been a great help!
  12.
    for those who want to know the solution to my problem was to set domain-name-server in dhclient.conf to prepend rather than supersede and to set the ports in unbound.conf all back to default. then call "dnscrypt-proxy -P 40 -u _dnscrypt-proxy -d" and now it works like a charm. like jedisct1 said you need a fallback non-local resolver when booting.
    Thankful People: maintenance
    jimerickson, Dec 15th 2011 (edited):
    just built dnscrypt-proxy-0.8 and it works beautifully. can even supersede domain-name-server in dhclient.conf no fallback resolver needed now. thanks jedisct1. should also add that /etc/rc.d/dnscrypt_proxy still fails but i just start it on the cli so no big deal.
    Thankful People: maintenance
    jedisct1 (Administrator), Dec 15th 2011:
    jim: try this: usermod -d /var/empty _dnscrypt-proxy
    It should fix your /etc/rc.d/dnscrypt_proxy issue.
    Thankful People: maintenance
    jimerickson, Dec 15th 2011 (edited):
    tried that but no luck. should i be adding "--local-port=40" to "daemon_flags" in /etc/rc.d/dnscrypt_proxy? or is that only for the command line?

    edit: added "local-port=40" to daemon_flags but /etc/rc.d/dnscrypt_proxy still fails. is there some special order i must start scripts in?
    jimerickson, Dec 19th 2011 (edited):
    changed /etc/rc.d/dnscrypt_proxy. now it all just works!

    #!/bin/sh
    # /etc/rc.d/dnscrypt_proxy -- OpenBSD rc.d wrapper for dnscrypt-proxy
    daemon="/usr/local/sbin/dnscrypt-proxy"
    # listen on port 40 (for unbound to forward to), drop to the _dnscrypt-proxy user, daemonize
    daemon_flags="--local-port=40 --user=_dnscrypt-proxy -d"
    . /etc/rc.d/rc.subr
    rc_reload=NO
    rc_cmd $1
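An added example, not code from the thread or from the dnscrypt-proxy project, that pulls the working layout described in jedisct1's Dec 11th post and jimerickson's post 12 into one script: dnscrypt-proxy on 127.0.0.1:40, unbound on the default port 53 forwarding to it with `do-not-query-localhost: no`, and dhclient.conf using `prepend` so the DHCP-supplied resolvers stay behind 127.0.0.1 as the fallback that early-starting daemons need. It renders the files into a staging directory for review rather than touching /etc; the function names, the `check`/`write` arguments and the staging directory are assumptions of this example, and daemon startup is left to the rc.d script above.

```shell
#!/bin/sh
# Added example (not from the thread or the dnscrypt-proxy project): render the
# unbound + dnscrypt-proxy layout the thread converged on into a staging
# directory so it can be reviewed before anything is copied into /etc.
# Assumptions: dnscrypt-proxy is started with --local-port=40 (or -P 40) on
# 127.0.0.1, unbound keeps the default port 53, and function names are ours.

# unbound.conf: forward every query to dnscrypt-proxy on the loopback port.
render_unbound_conf() {
    cat <<'EOF'
server:
    interface: 127.0.0.1
    port: 53
    # unbound refuses to forward to loopback addresses unless told otherwise;
    # this is the extra line needed for a forwarder on 127.0.0.1.
    do-not-query-localhost: no

forward-zone:
    name: "."
    # "@40" selects the non-standard port dnscrypt-proxy listens on.
    forward-addr: 127.0.0.1@40
EOF
}

# dhclient.conf: "prepend" puts 127.0.0.1 first but keeps the DHCP-supplied
# resolvers behind it, so daemons started before unbound and dnscrypt-proxy
# can still resolve names. "supersede" would replace the list and leave no
# fallback, which is the boot-time problem discussed in the thread.
render_dhclient_conf() {
    printf 'prepend domain-name-servers 127.0.0.1;\n'
}

# Return 0 when the rendered text contains the given fixed string on some line.
conf_has() {
    printf '%s\n' "$1" | grep -Fq -- "$2"
}

# Sanity checks: the two unbound settings the thread found essential must be
# present, dhclient must prepend, and the fallback-removing keyword must not
# appear.
check_rendered() {
    u=$(render_unbound_conf)
    d=$(render_dhclient_conf)
    conf_has "$u" "do-not-query-localhost: no" || return 1
    conf_has "$u" "forward-addr: 127.0.0.1@40" || return 1
    conf_has "$d" "prepend domain-name-servers 127.0.0.1;" || return 1
    if conf_has "$d" "supersede"; then return 1; fi
    return 0
}

# Write both files into a staging directory (default: a fresh mktemp dir)
# and print its path; copy them into /etc by hand after reviewing.
write_stage() {
    stage="${1:-$(mktemp -d)}"
    render_unbound_conf > "$stage/unbound.conf"
    render_dhclient_conf > "$stage/dhclient.conf"
    printf '%s\n' "$stage"
}

# Usage: sh stage-dns.sh check   -> run the sanity checks
#        sh stage-dns.sh write   -> render into a temp dir and print its path
case "${1:-}" in
    check) check_rendered && echo "ok" ;;
    write) write_stage ;;
esac
```

Running `sh stage-dns.sh write` prints a directory holding `unbound.conf` and `dhclient.conf`; after copying them into place, dhclient regenerates /etc/resolv.conf with 127.0.0.1 first, so no bracketed `[127.0.0.1]:40` entry is needed because unbound, not dnscrypt-proxy, is what the stub resolver talks to.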
  13.
    "fails to start."

    You would have to manually start the daemon if you don't reboot.

    You might also need a reference in /etc/rc.conf for the daemon to start at boot.
    (dnscrypt-proxy_enable="YES" or something like that).
    extrao, Dec 20th 2011:
    I don't see any other mention of this here: DNSCrypt installs OK on my MacBook, but gives an error message that it can't be run on an Intel based Mac. Surely at this point the majority of Macs out in cyberland are Intel based, hopefully there'll be a REAL current Mac version before too long.
    zelus, Dec 20th 2011:
    >>"DNSCrypt installs OK on my MacBook, but gives an error message that it can't be run on an Intel based Mac. Surely at this point the majority of Macs out in cyberland are Intel based, hopefully there'll be a REAL current Mac version before too long. "

    Is your Macbook an Intel Core Duo, Intel Core *2* Duo, or Intel Core i5/i7?