-
Notifications
You must be signed in to change notification settings - Fork 1k
Installation on EdgeOS
Following instruction was tested on ERLite-3 running 1.10.x EdgeOS.
Install dnsutils
. Check this in case of problems with installation.
sudo apt-get install -y dnsutils
sudo ntpdate -b 216.239.35.0
Remove the dnssec
option from /etc/dnsmasq.conf
.
It's safe to set system DNS for the router, even if it will be ignored by dnsmaq. This can prevent problems while rourer boots and dnscrypt-proxy is not yet available. Call:
show dns forwarding nameservers
If there are no nameservers provided via system, or there is only nameserver from your ISP, configure one:
configure
set system name-server 1.1.1.1
commit
save
Login to your router with ssh. Download MIPS64 binary from releases page (update version number):
curl -L -o dnscrypt-proxy.tar.gz https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.0.45/dnscrypt-proxy-linux_mips64-2.0.45.tar.gz
Unpack the content of this archive:
tar xzf dnscrypt-proxy.tar.gz
This will create linux-mips64 folder. Check, if the downloaded binary is compatible with your processor:
linux-mips64/dnscrypt-proxy -version
If you see version, it's all good. Otherwise, try different binary. Maybe you have ER-X, so try MIPSLE binary.
Now is a good moment to create and edit configuration file:
cp linux-mips64/example-dnscrypt-proxy.toml linux-mips64/dnscrypt-proxy.toml
vi linux-mips64/dnscrypt-proxy.toml
Most important part is to edit listen_address
. I propose the following change:
listen_addresses = ['127.0.0.1:5353']
Optionally, improve performance enabling this entry:
tls_cipher_suite = [52392, 49199]
When done, move whole folder to /config/
, under new name:
sudo mv linux-mips64 /config/dnscrypt-proxy
Create executable script, which will reinstall and start dnscrypt-proxy after system upgrade:
echo '#!/bin/sh' | sudo tee /config/scripts/post-config.d/dnscrypt.sh
echo '/config/dnscrypt-proxy/dnscrypt-proxy -service install' | sudo tee -a /config/scripts/post-config.d/dnscrypt.sh
echo '/config/dnscrypt-proxy/dnscrypt-proxy -service start' | sudo tee -a /config/scripts/post-config.d/dnscrypt.sh
sudo chmod +x /config/scripts/post-config.d/dnscrypt.sh
Now you can try to start dnscrypt-proxy. Use freshly created script:
sudo /config/scripts/post-config.d/dnscrypt.sh
If no error thrown, see what nameservers dnscrypt-proxy is using:
/config/dnscrypt-proxy/dnscrypt-proxy -list
Check, if proxy is able to resolve names:
/config/dnscrypt-proxy/dnscrypt-proxy -resolve dnscrypt.info
dig @localhost -p 5353 google.com
You should get an answer. Refer to /var/log/messages
for debugging.
If all went well, configure router settings:
configure
Redirect DNS requests to dnscrypt-proxy:
set service dns forwarding options 'server=127.0.0.1#5353'
set service dns forwarding options proxy-dnssec
Prevent dnsmasq using your ISP's DNS (eth0 is WAN port):
set interfaces ethernet eth0 dhcp-options name-server no-update
Make sure dnsmasq is not using system nameserver:
delete service dns forwarding system
Remove dnsmasq cache, because dnscrypt-proxy caches internally and it's unnecesary to double-cache queries:
set service dns forwarding cache-size 0
Make sure dnsmasq is not using the content of /etc/resolv.conf
:
set service dns forwarding options no-resolv
Commit changes and activate redirection to proxy:
commit
Check the connection. Initially, it can take a while until all your devices will react correctly.
Test, if there are no queries sent in "open text":
sudo tcpdump -i eth0 dst port 53 or src port 53 -n -x -X -v
Important: make tests while using internet from devices within your local network. For comparison, run this from another session on router:
sudo nslookup dnscrypt.info
ping github.com
This will produce tons of open text output, as locally run requests travel through system nameserver and are not encrypted.
If nothing works, check logs in /var/log/messages
. Revert back router DNS redirect with:
load; commit
When DNS works as expected, save configuration and make it permanent:
save
In somecases if you want to run dnscrypt-proxy as a non-root user you'll get the error "[FATAL] listen udp 0.0.0.0:53: bind: permission denied"
to solve this problem you can run the following command and allow dnscrypt to have access to a low level port :
sudo setcap cap_net_bind_service=+ep $(which dnscrypt-proxy)
- Home
- Installation
- Configuration
- Checking that your DNS traffic is encrypted
- Automatic Updates
- Server sources
- Combining blocklists
- Public Blocklist and other configuration files
- Building from source
- Run your own DNSCrypt server in under 10 minutes
- DNS stamps specifications
- Windows Tips
- dnscrypt-proxy in the media
- Planned Features