Support Dnscrypt


#1

Dnscrypt as an integrated feature (like dnssec) would give more confidence in the reliability of the solution. No problems with the Wki-article but always a bit nervous an update of the Pi will break the functionality.


DNSCurve to raise Privacy
#2

I also would like to see dnscrypt as part of pi-hole, and maybe even asking the user to activate it on new installs.


#3

Personally I don’t see actual support for DNSCrypt happening, since this is a piece of thirdparty-software that has to be compiled. So unless someone packages it and maintains it of course, I don’t think it practical.

What WOULD be nice, if we could define a custom port number in the GUI (and therefore in the configuration) so that we can refer to our DNSCrypt proxies. (( I was actually about to make this suggestion :slight_smile: - But then I found this one ))


#4

Support out of the box would be amazing


#5

I found some guide to extend Pi-hole with dnscrypt-proxy. It sounds good to encrypt calls to resolver.

Many of them I tried unsuccessful but just destroyed my pihole installation on my raspberry.

The only guide I found working for me is https://www.reddit.com/r/pihole/comments/65su4b/dnscrypt_simple_install_simple_config/

Unfortunately after a pi-hole update it has to configured again and as my know how is low I am never sure how to test whether dnscrypt works as supposed or not.

It would logic to me to have dnscrypt-proxy integrated in a future version of Pi-Hole.


#6

I’d like to add my support for the integration of DNSCrypt. I followed few guides, but never got it working reliably - DNS queries would take minutes to complete if at all.
I imagine a limitation is that dnscrypt-proxy is only included in the repositories for Raspbian Stretch, not in Jessie (hence @ApplePie having to compile it). One of the guides did include modifying the APT settings in Jessie to allow DNSCrypt to be apt-get installed (basically force it to look at the Stretch repos for dnscrypt-proxy and its dependencies only) - that bit I got working. https://blog.milne.it/2017/06/04/dnscrypt-proxy-revisited-installing-on-debian-raspbian-jessie/
So I think moving pi-hole support officially to Stretch is the first priority - I’ve got it running OK, and I think 3.2 has the requirement for netstat removed so that it works on Stretch.
Once Stretch is the default distribution, I’d like to see DNSCrypt integration - it would be great as an optional feature with the settings etc. all integrated into the dashboard, but a fair amount of work.


#7

Has no one seen this?..


#8

Yes, but I think what the others are calling for is native, built-in DNScrypt functionality. These kinds of guides tend to be a bit convoluted for those who don’t have solid/advanced technical know-how.


#9

On Raspbian Stretch I followed the updated instructions for DNSCrypt v2 (This one and not the one included in Raspbian apt, which is deprecated and not maintained anymore).
Follow this step-by-step guide, there’s one precompiled binay to download and 3 config files to edit, it’s well documented and nothing complex to install :


I’ve been using it with for a few weeks now with no issues, it runs reliably and fast (no resolution delay added).

However, here are the 2 things to know when using DNScrypt-proxy 2 with PiHole :

  • the real difficulty is to find a reliable and fast DNScrypt compatible public server, a list is available here but it’s not always clear whether the server supports DNSSec, anonymize queries, etc. so I had to live-check almost the whole list one by one, some of them are really slow, some don’t support DNSSec (while they are shown as supporting it in the above list). That took me some time, and in the end only the “scaleway-fr” server suit my needs (I guess it depends on everyone’s location) so I don’t have a “backup upstream server” and PiHole won’t be able to resolve if this server fails
  • due to a bug in dnsmask < 2.78 (Raspbian dnsmasq version is 2.76), you can’t use DNSSec verification on Pihole side (see here for the full bug description), thus the importance of chosing a DNSSec enabled server (I hope this issue is fixed with the new FTLDNS based on dnsmask 2.78, I can’t test right now cause I have issues updating to beta version).

For DNScrypt-proxy 2 to be integrated in Pihole, that would require that both teams that work on those 2 different projects agree to share some more work and support, and above all that a lot more public dnscrypt 2 compatible servers are deployed, maintained and documented around the world.


DNSCrypt How-to guide?