DNSCrypt How-to guide?

Is there a way to setup DNSCrypt with PiHole?

Here you go:

However, it might not work for you.

Check:

for additional info.

There are several DNSCrypt posts that you can research and get more info on it.

This user has a positive experience with it:

This is the correct guide (for DNSCrypt 2, as DNSCrypt 1 is dead)

I'm using Pi-hole (FTLDNS) with DNSCrypt and my own server, without any problems so far.


I got it all set up. However, I kind of have lost where I actually configure my external DNS servers now. What file do I need to edit if I want to change it?

I also don't think it is fully working, as I was able to stop the dnscrypt service and it was still resolving in my browser.

The guide for sure is not a working setup. It doesn't even tell you where to edit the resolving DNS servers. I have tried to change from what I was originally using and they are still stuck in there somewhere when I use dnsleaktest.

I figured it out. You need to really go through the whole configuration guide and set up sdns resolvers to get things working as you want them. It needs to be clear in the guide that you have to configure your own settings.
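A check for the situation the posts above describe, where the old upstreams keep answering (and still show up on dnsleaktest) even though dnscrypt-proxy is installed: it lists every upstream Pi-hole's dnsmasq is configured to forward to and flags anything that is not the local dnscrypt-proxy listener. This is an added example, not code from the Pi-hole wiki guide or from anyone in this thread. It assumes dnscrypt-proxy listens on 127.0.0.1 port 5551, that Pi-hole keeps its upstreams as `server=` lines in /etc/dnsmasq.d/*.conf and as `PIHOLE_DNS_n=` lines in /etc/pihole/setupVars.conf, and the two sample configurations it runs against are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Pi-hole wiki or this thread: verify that every
# upstream Pi-hole's dnsmasq (FTLDNS) forwards to is the local dnscrypt-proxy
# listener. Any other upstream still receives plaintext queries, which is why
# stopping dnscrypt-proxy does not stop resolution and dnsleaktest shows the
# old resolvers.
#
# Assumptions (mine, not the page's): dnscrypt-proxy listens on 127.0.0.1:5551,
# Pi-hole writes its upstreams as 'server=' lines in /etc/dnsmasq.d/*.conf and
# as PIHOLE_DNS_n= lines in /etc/pihole/setupVars.conf.

EXPECTED_UPSTREAM="${EXPECTED_UPSTREAM:-127.0.0.1#5551}"

# Print every 'server=' target from the *.conf files in a dnsmasq conf-dir.
# dnsmasq only treats whole lines starting with '#' as comments, so the
# '#5551' port suffix must survive: drop comment lines, never strip after '#'.
list_dnsmasq_upstreams() {
    cat "$1"/*.conf 2>/dev/null \
        | grep -v '^[[:space:]]*#' \
        | sed -n 's/^[[:space:]]*server=//p'
}

# Print every PIHOLE_DNS_n value from setupVars.conf (what the web UI stores
# and later uses to regenerate 01-pihole.conf).
list_pihole_upstreams() {
    sed -n 's/^PIHOLE_DNS_[0-9]*=//p' "$1" 2>/dev/null
}

# Report each upstream as OK or LEAK. Returns 0 only if at least one upstream
# was found and all of them are the dnscrypt-proxy listener.
check_upstreams() {
    found=0
    bad=0
    for u in $(list_dnsmasq_upstreams "$1") $(list_pihole_upstreams "$2"); do
        found=1
        if [ "$u" = "$EXPECTED_UPSTREAM" ]; then
            echo "OK   $u"
        else
            echo "LEAK $u  (not the dnscrypt-proxy listener)"
            bad=1
        fi
    done
    if [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]; then return 0; fi
    return 1
}

# Ask the listener directly. Needs dig and a running proxy; with the proxy
# stopped this must fail, otherwise something else is bound to that port.
live_check() {
    host="${EXPECTED_UPSTREAM%%#*}"
    port="${EXPECTED_UPSTREAM##*#}"
    command -v dig >/dev/null 2>&1 || { echo "dig not installed, skipping live check"; return 0; }
    dig +short +time=2 +tries=1 @"$host" -p "$port" example.com A
}

# --- constructed sample: the guide's dnsmasq step was done (01-pihole.conf
#     points at dnscrypt-proxy) but the web UI still lists a public resolver ---
SAMPLE_LEAK="$(mktemp -d)"
mkdir -p "$SAMPLE_LEAK/dnsmasq.d"
cat > "$SAMPLE_LEAK/dnsmasq.d/01-pihole.conf" <<'EOF'
# constructed sample of a Pi-hole generated file
server=127.0.0.1#5551
interface=eth0
EOF
cat > "$SAMPLE_LEAK/setupVars.conf" <<'EOF'
PIHOLE_INTERFACE=eth0
PIHOLE_DNS_1=127.0.0.1#5551
PIHOLE_DNS_2=8.8.8.8
EOF

# --- constructed sample after fixing the web UI upstreams ---
SAMPLE_OK="$(mktemp -d)"
mkdir -p "$SAMPLE_OK/dnsmasq.d"
printf 'server=127.0.0.1#5551\n' > "$SAMPLE_OK/dnsmasq.d/01-pihole.conf"
printf 'PIHOLE_DNS_1=127.0.0.1#5551\n' > "$SAMPLE_OK/setupVars.conf"

for s in "$SAMPLE_LEAK" "$SAMPLE_OK"; do
    echo "== $s"
    if check_upstreams "$s/dnsmasq.d" "$s/setupVars.conf"; then
        echo "all upstreams go through dnscrypt-proxy"
    else
        echo "fix the LEAK entries (Pi-hole web UI: Settings > DNS), then rerun"
    fi
done
```

Against a real Pi-hole, run `check_upstreams /etc/dnsmasq.d /etc/pihole/setupVars.conf`. The checker reads both files because the web UI regenerates 01-pihole.conf from setupVars.conf, so an upstream fixed only in the dnsmasq file comes back on the next save; change it under Settings > DNS (or in setupVars.conf) and restart the resolver. With the proxy stopped (`systemctl stop dnscrypt-proxy`, assuming that service name), `live_check` must time out; if it still answers, something other than dnscrypt-proxy is listening on that port.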

I have to disagree, in my opinion the how-to is fine. The intention of the how-to is to connect Pi-hole with dnscrypt-proxy, and it contains all necessary steps. It also names the file you have to work with, dnscrypt-proxy.toml. And dnscrypt-proxy.toml contains comments like

## Servers from the "public-resolvers" source (see down below) can
## be viewed here: https://dnscrypt.info/public-servers
##
## If this line is commented, all registered servers matching the require_* filters
## will be used.
## The proxy will automatically pick the fastest, working servers from the list.
## Remove the leading # first to enable this; lines starting with # are ignored.

# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']

For specific dnscrypt-proxy settings and configuration please follow appropriate dnscrypt-proxy guides.


I can confirm the guide to setup version 2 of dnscrypt-proxy works like a charm.

Modifications I made (so far) to dnscrypt-proxy.toml (the configuration file)

server_names = ['d0wn-nl-ns4', 'dnscrypt.eu-dk', 'd0wn-is-ns2', 'dnscrypt.eu-nl']
listen_addresses = ['127.10.10.1:5551', '[::1]:5551']
# I want to use DNSSEC
require_dnssec = true
lb_strategy = 'p2'
log_level = 0
log_file = '/var/log/dnscrypt-proxy.log'
# have been using this with dnscrypt-proxy V1 with success
dnscrypt_ephemeral_keys = true
# non intel cpu's
tls_cipher_suite = [52392, 49199]
# I don't trust the default 9.9.9.9 - use opendns
fallback_resolver = '208.67.222.222:53'
# I don't have ipv6, reference the wiki (making things go fast)
block_ipv6 = true
# dnsmasq already handles the caching
cache = false

Edit: If you only have IPv4 and you're using dnsmasq + dnscrypt-proxy V2 + DNSSEC, read this!!!!

The server names (here) can be found here, options here.
I haven't determined yet if I need to configure logrotation for the log file...

Some things I'm keeping in mind:
With dnscrypt-proxy V1, several listeners are created (if using more than 1 server). This required a dnsmasq configuration referring to each server, something like:

server=127.10.10.1#5551
server=127.10.10.2#5552
server=127.10.10.3#5553
server=127.10.10.4#5554

dnsmasq has a mechanism to test the response time of the servers on a regular basis and choose the fastest for a fixed period of time.
Since dnscrypt-proxy V2 is configured on a single IP/port (unless I missed something), dnsmasq now has a single point of failure; the speed test is now integrated in dnscrypt-proxy (if multiple servers are configured).
The dnsmasq configuration now looks like:

server=127.0.0.1#5551

The dnscrypt-proxy log indicates:

[2018-04-21 17:04:33] [NOTICE] Server with the lowest initial latency: d0wn-nl-ns4 (rtt: 13ms)
[2018-04-21 17:04:33] [NOTICE] dnscrypt-proxy is ready - live servers: 4

I make it a habit of using the latest (and greatest?) version of dnsmasq.
To achieve this, I download and compile the latest test release here

Regarding FTLDNS (the Pi-hole beta program), I'm wondering if the Pi-hole developers will keep up with new features/fixes/modifications of dnsmasq or will FTLDNS live its own life?


FTLDNS will keep up to date with the latest stable releases of dnsmasq.


Which version of dnsmasq is currently used to build dnsmasq?

Regarding the setting 'block_ipv6 = true', you should really read this.
basically, it comes down to:
If you only have IPv4 and you’re using dnsmasq + dnscrypt-proxy V2 + DNSSEC, don’t change that setting!!!
Keep the default: 'block_ipv6 = false'

Dnsmasq 2.79

As I also said in the other DNSSEC discussion that is currently going on, we will always keep up-to-date with the latest version of dnsmasq that is known to be stable. We will probably not push out updates on the day they are released as we will let things settle down a little (and monitor the mailing lists) after a fresh release. Also, we will have to test all FTL hooks and if they are affected, but we will try to keep fairly up to date with dnsmasq's stable releases.

I had issues getting DNSCrypt working... took me 10 mins to work out that I needed to set my pi-hole to listen on all interfaces not just eth0 as 127.0.0.1 is NOT eth0 or enxb...

Under DNS in the web interface, set listen on all interfaces, then work through step 2 again on the guide here: https://github.com/pi-hole/pi-hole/wiki/DNSCrypt-2.0

Hope this helps someone. :)

What is the difference with DNS over HTTPS?
