Sources of the resources used in this article

https://github.com/jedisct1/dnscrypt-proxy/releases

https://github.com/CNMan/dnscrypt-proxy-config

https://github.com/jedisct1/dnscrypt-proxy/wiki/Installation-on-OpenWRT

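  • If you are overly xxx about networking, do not use the files attached to this article directly. Get them yourself from the addresses above and merge them with this article's configuration files, dnscrypt-proxy.toml and forwarding-rules.txt.
  • My configuration files are bundled in only for your convenience (they are not the best choice). If you are willing to tinker, configure everything yourself by following the official documentation.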

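What dnscrypt-proxy is for

By default, DNS resolution is not encrypted in any way, so the Great Firewall can easily modify DNS answers while they are in transit.
For example, take a certain site that sits behind CloudFlare's CDN. CloudFlare has so many users that blocking a single IP could break a large number of websites, so the only option left is DNS poisoning: the site is made to resolve to a wrong IP, which makes it unreachable.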

DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven’t been tampered with.

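  • Advantages

Steam Community can be accessed directly
Some websites blocked by DNS poisoning become reachable again

  • Disadvantages

Domain name resolution may become somewhat slower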

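Update of August 2, 2018

Fixed the problem of some domestic websites that use smart DNS being resolved to overseas servers (a list of popular domestic websites was added; sites on that list are resolved through domestic DNS; the source of the list is given in the second item at the top of this article)

Disabled forced TCP to improve resolution speed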

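How to install and configure

Download this archive and extract its files into any folder (preferably one whose path contains no Chinese characters)

Run service-install.bat

If the following output appears, the service has started successfully: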

dnscrypt-proxy 2.0.16
Service started

Thank you for using DNSCrypt-Proxy!
Press [Enter] to exit...

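DNSCrypt-Proxy service installation

Then simply set your DNS server to 127.0.0.1

  • Notes

The proxy runs as a service and starts automatically at boot by default. Occasionally it may fail to start at boot, which makes websites unreachable; in that case, start it manually once from the Services console (only once; it will probably work on the next boot, as this problem only shows up now and then). The service name is DNSCrypt client proxy.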

  • Installation on OpenWRT
  • Download

Download the proper binary from the releases page. Get the right binary for your architecture. If you get a strange parse error later when trying to run the executable file, chances are that you didn't pick the right file for the CPU of your router.

  • Optional: compress the executable

The dnscrypt-proxy file is quite large, but can be compressed for a massive reduction of its size, from ~12 Mb down to ~2 Mb.

In order to do so, use UPX on any platform (Windows, Linux, macOS...) with the following command:

upx --lzma dnscrypt-proxy

  • Tweak the example file

Rename example-dnscrypt-proxy.toml to dnscrypt-proxy.toml, and change at least the following line:

listen_addresses = ['127.0.0.1:53', '[::1]:53']

to (notice the IP address change):

listen_addresses = ['127.0.0.53:53']

In order for local host names (.lan) to be resolved, also change

# forwarding_rules = 'forwarding-rules.txt'

to

forwarding_rules = 'forwarding-rules.txt'

  • Install the files on the router

Use scp to copy:

  1. dnscrypt-proxy to /usr/sbin/
  2. The modified dnscrypt-proxy.toml file to /etc/config/
  3. This init.d file by @etam saved as /etc/init.d/dnscrypt-proxy.
  4. The following content as /etc/config/forwarding-rules.txt:

lan 127.0.0.1
10.in-addr.arpa 127.0.0.1
192.in-addr.arpa 127.0.0.1
254.169.in-addr.arpa 127.0.0.1

If your local domain is not .lan, or if you have more, change/add them accordingly in the above file.

Then use ssh to log on the router and type:

chmod +x /usr/sbin/dnscrypt-proxy
chmod +x /etc/init.d/dnscrypt-proxy

  • Install the ca-bundle package on the router

The ca-bundle package is not installed by default in OpenWRT/LEDE, and its absence will cause issues.

Type:

opkg update
opkg install ca-bundle

  • Check that the proxy is properly installed

Type:

dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -check

And watch for possible errors.

Looks good? Start it for real:

/etc/init.d/dnscrypt-proxy enable
/etc/init.d/dnscrypt-proxy start

  • Configure the LAN interface to use the proxy

  • Using the LUCI web interface:

Go to Network/Interfaces/LAN and in the Use custom DNS servers field, enter: 127.0.0.53 and hit Save & Apply.

  • Using the command line:

Edit /etc/config/network to include the following line in the config interface 'lan' section:

option dns '127.0.0.53'

Example:

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option dns '127.0.0.53'

When using the command-line, for the new configuration to be applied, type:

/etc/init.d/network restart

And don't panic (42) if the network appears to be stuck for a couple seconds.

  • Optional: configure the WAN interface the same way

Go to Network/Interfaces/WAN and in Advanced Settings, uncheck the option described as "If unchecked, the advertised DNS server addresses are ignored".

In addition to 127.0.0.53, you may want to enter an additional backup IP here, for example 1.0.0.1 or 9.9.9.9.

  • Check that your queries are using the proxy:

dnscrypt-proxy -resolve google.com

  • Make sure that the files you added are backed up

  • Using the LUCI web interface:

In the System/Backup/Flash page, click the Configuration tab and add the files you uploaded to the list:

/etc/init.d/dnscrypt-proxy
/usr/sbin/dnscrypt-proxy

Configuration files in /etc/config are automatically saved already.

  • Using the command line:

Edit /etc/sysupgrade.conf to add files to be included in backups.
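
The forwarding-rules.txt installed above, together with the domestic-site list from the August 2, 2018 update, decides which names bypass DNSCrypt. As an added example (not code from this article or from the dnscrypt-proxy project), the script below reports where a given name would be sent and which rules forward to a non-loopback server, meaning those queries leave the router as plain DNS. It assumes suffix matching on label boundaries with the first matching rule winning; shop.example and 203.0.113.53 are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the dnscrypt-proxy project).
# Assumption: a rule matches a name equal to its domain or ending in ".<domain>",
# and the first matching rule in file order wins.

# Constructed sample: the four rules from this page plus one constructed entry
# (shop.example -> 203.0.113.53) standing in for a "domestic list" line.
sample_rules() {
cat <<'EOF'
# local names go to the resolver on the router itself
lan 127.0.0.1
10.in-addr.arpa 127.0.0.1
192.in-addr.arpa 127.0.0.1
254.169.in-addr.arpa 127.0.0.1
shop.example 203.0.113.53
EOF
}

# route_for NAME (rules on stdin): print the upstream NAME is forwarded to,
# or "dnscrypt" when no rule matches and the query stays on the encrypted path.
route_for() {
    awk -v q="$1" '
        BEGIN { q = tolower(q); sub(/\.$/, "", q) }
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            d = tolower($1); sub(/\.$/, "", d); suffix = "." d
            if (q == d || (length(q) > length(suffix) &&
                substr(q, length(q) - length(suffix) + 1) == suffix)) {
                print $2; found = 1; exit
            }
        }
        END { if (!found) print "dnscrypt" }'
}

# plaintext_rules (rules on stdin): list rules whose upstream is not loopback;
# names under these domains leave the router as ordinary, unencrypted DNS.
plaintext_rules() {
    awk '/^[ \t]*(#|$)/ { next }
         $2 !~ /^(127\.|\[?::1)/ { print $1 " -> " $2 }'
}

for name in printer.lan www.shop.example myshop.example; do
    printf '%-18s %s\n' "$name" "$(sample_rules | route_for "$name")"
done
sample_rules | plaintext_rules
```

To audit the real file, feed it in place of the sample, for example plaintext_rules < /etc/config/forwarding-rules.txt.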