Excerpted from: OpenWrt Wiki

DNSCrypt

DNSCrypt offers a way to protect clients against attacks that modify or manipulate DNS traffic. Its main objective is authentication of the communication channel between the client (you) and a resolver that supports the protocol, which protects the client from man-in-the-middle attacks. In addition, encrypting DNS traffic improves the client's privacy. dnscrypt-proxy is the client side of the protocol; dnscrypt-wrapper is the matching server side.

DNSCrypt verifies that responses you get from a DNS provider have been actually sent by that provider, and haven't been tampered with.

This is not a VPN. It doesn't mask your IP address, and if you are using it with a public DNS service, be aware that it will (and has to) decrypt your queries.

If you are using it for privacy, it might do the opposite of what you are trying to achieve: the resolver operator still sees every query in clear. If you are using it to prevent VPN "leaks", this isn't the right tool either: the proper way to prevent VPN "leaks" is to avoid sending data to yet another third party, i.e. use a VPN service that operates its own DNS resolvers.

Installation

dnscrypt-proxy and libsodium are in the official repository for Chaos Calmer 15.05 and up.

opkg update
opkg install dnscrypt-proxy
  • If that succeeded, skip to Configuration.
  • If you cannot install it that way, proceed with the following instructions.

In addition, you can install the luci-app-dnscrypt-proxy package, which lets you configure dnscrypt-proxy from the LuCI web interface.

Custom build for ar71xx from black-roland

The OpenWrt package for ar71xx is maintained by black-roland.

Differences with OpenWrt packages:

Package         Difference
dnscrypt-proxy  Newest version for Chaos Calmer (with ephemeral keys support); Barrier Breaker support; procd support and the possibility of launching multiple instances.
libsodium       Newest version for Chaos Calmer; Barrier Breaker support.

This will install dnscrypt-proxy as well as any dependent libraries such as libsodium.

Add third-party source to your opkg configuration file /etc/opkg.conf according to your OpenWrt version.

Trunk:

Trunk already has the newest dnscrypt-proxy version, with the possibility of launching multiple instances.

opkg update
opkg install dnscrypt-proxy

Chaos Calmer:

cd /tmp
wget 'http://exopenwrt.roland.black/exopenwrt.pub'
# The key is fetched over plain HTTP: compare it with a copy obtained out of band
# before trusting it, since whoever can tamper with this download can sign
# packages that your router will install.
opkg-key add exopenwrt.pub
# Keep the imported key across sysupgrade
echo '/etc/opkg/keys/1a929a1dd62138c1' >> /etc/sysupgrade.conf
echo 'src/gz exopenwrt http://exopenwrt.roland.black/chaos_calmer/15.05.1/ar71xx/packages/exopenwrt' >> /etc/opkg.conf

Barrier Breaker:

echo 'src/gz exopenwrt http://exopenwrt.roland.black/barrier_breaker/14.07/ar71xx/packages/exopenwrt' >> /etc/opkg.conf

And proceed with the installation itself:

opkg update
opkg install dnscrypt-proxy

Forum thread

Configuration

dnscrypt-proxy listens on 127.0.0.1:5353 by default. We need to configure OpenWrt (dnsmasq) to send DNS requests to that address.

Server configuration

dnscrypt-proxy

The config file /etc/config/dnscrypt-proxy is simple and should be edited according to your needs. Possible values for the resolver option are the names in the first column of the list of public DNSCrypt resolvers.

Description:

address (string, required, default 127.0.0.1)
    IP address the local proxy listens on.
port (string, required, default 5353)
    Listening port for DNS queries.
resolver (string, optional, default cisco)
    Name of the DNSCrypt resolver that queries are forwarded to. Only one resolver can be given per instance.
resolvers_list (string, optional, default /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv)
    Location of the CSV file listing resolvers. If you use a custom DNSCrypt server and dnscrypt-proxy later fails, check that the resolver you chose is listed in this file; if not, add it manually or update the list with the official one. Verify the integrity of the downloaded file before overwriting the local list: it carries the provider public keys the proxy will trust.
ephemeral_keys (boolean, optional, default 0)
    Use a fresh client key pair for every query so that queries are harder to link to one client. Not usable with the stock Chaos Calmer package, whose dnscrypt-proxy version predates ephemeral keys. The option costs extra CPU cycles (noticeably on non-x86 platforms) and can load the system heavily; disable it if you see performance problems. It also gains little with most DNSCrypt servers, namely all those that use short TTLs for their certificates, which is the default in the Docker image.

These options are only supported by Trunk:

client_key (string, optional, default none)
    Use a client public key for identification. By default the client uses a randomised key pair to make tracking harder. This option does the opposite: it uses a static key pair, so that DNS providers can offer premium services to queries signed with a known set of public keys. A client cannot decrypt the responses without also knowing the secret key. The value is the path to a file containing the secret key; the corresponding public key is computed automatically.
syslog (boolean, optional, default 1)
    Send logs to the syslog daemon.
syslog_prefix (string, optional, default dnscrypt-proxy)
    Optional prefix for log entries.

These options are not supported at the moment, because the package's dnscrypt-proxy is compiled without plugin support:

query_log_file (string, optional, default none)
    Log the received DNS queries to a file, so you can watch in real time what is happening on the network. The value is the full path to the log file. Prefix the file name with ltsv: to store logs in LTSV format (e.g. ltsv:/tmp/dns-queries.log).
local_cache (boolean, optional, default 0)
    Enable a local cache, which may speed up dnscrypt-proxy.
block_ipv6 (boolean, optional, default 0)
    Immediately answer IPv6 (AAAA) queries with an empty response, which may speed things up on networks without IPv6 connectivity.
list blacklist (string, optional, default none)
    Blacklists let you block domains, IPs, etc. The value is the blocklist type and the path to the file (e.g. domains:/path/to/domains-blacklist-file.txt or ips:/path/to/ips-blacklist-file.txt). Several blocklists can be given by repeating the list blacklist option.

If you need to specify other options, you will have to edit the /etc/init.d/dnscrypt-proxy script.

Note: I've had a little bit of confusion at setup, so I want to remind you: the address and port options are for the local proxy server; you just have to pick a DNSCrypt server from the resolvers list, put its name in the resolver option and comment out the resolvers_list setting.

Now we will start DNSCrypt and enable auto boot for it:

/etc/init.d/dnscrypt-proxy enable
/etc/init.d/dnscrypt-proxy start

Note: If dnscrypt-proxy is not starting after a router reboot, it may be trying to start before the network interface is fully up. Add the following to /etc/rc.local, above the line "exit 0":

sleep 10
/etc/init.d/dnscrypt-proxy start

dnsmasq

Assuming you are using dnsmasq, edit the relevant lines in /etc/config/dhcp: the resolvfile, noresolv and list server entries shown below; the remaining options are the stock configuration.

config dnsmasq
    option domainneeded         1
    option boguspriv            1
    option filterwin2k          0
    option localise_queries     1
    option rebind_protection    1
    option rebind_localhost     1
    option local                '/lan/'
    option domain               'lan'
    option expandhosts          1
    option nonegcache           0
    option authoritative        1
    option readethers           1
    option leasefile            '/tmp/dhcp.leases'
#   option resolvfile           '/tmp/resolv.conf.auto'
    option noresolv             1
    list server                 '127.0.0.1#5353'
    list server                 '/pool.ntp.org/208.67.222.222'
#   list server                 '208.67.222.222'
#   list server                 '208.67.220.220'
  • The resolvfile option is commented out: /tmp/resolv.conf.auto holds the DNS servers handed out by your ISP, and dnsmasq would otherwise forward to them in plain text.
  • noresolv stops dnsmasq from reading /etc/resolv.conf, for the same reason.
  • 127.0.0.1#5353 is the local dnscrypt-proxy listener.
  • /pool.ntp.org/208.67.222.222 sends queries for pool.ntp.org to OpenDNS over ordinary unencrypted DNS. DNSCrypt rejects resolver certificates when the system clock is wrong, so without this exception a router with a wrong clock could never resolve pool.ntp.org, never set its clock, and never get DNSCrypt working. Only that one domain bypasses dnscrypt-proxy.

Reboot router or restart dnsmasq for the changes to take effect.

/etc/init.d/dnsmasq restart

Multiple DNSCrypt instances

This option is not available in Chaos Calmer and earlier

Multiple DNSCrypt instances let you give dnsmasq a fallback nameserver without losing the privacy benefits of DNSCrypt.

Add more resolver entries to your /etc/config/dnscrypt-proxy configuration (note that each resolver must be on a different port):

config dnscrypt-proxy ns1
    option address '127.0.0.1'
    option port '5353'
    option resolver 'fvz-anyone'
    # option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
    # option ephemeral_keys '0'

config dnscrypt-proxy ns2
    option address '127.0.0.1'
    option port '5454'
    option resolver 'd0wn-random-ns1'
    # option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
    # option ephemeral_keys '0'

Create /etc/resolv-crypt.conf containing the single line options timeout:1. This is meant to reduce dnsmasq's upstream timeout to 1 second, so resolution stays responsive when your primary nameserver is down. Be aware that dnsmasq takes only nameserver lines from a resolv file and ignores options lines, so what the file actually achieves is to give dnsmasq a resolv file with no plaintext upstream in it; dnsmasq then forwards only to the list server entries.

In your config dnsmasq section of your /etc/config/dhcp, remove the line option noresolv 1 and add option resolvfile '/etc/resolv-crypt.conf' along with any other resolvers you created in step 1:

    option resolvfile           '/etc/resolv-crypt.conf'
    list server                 '127.0.0.1#5353'
    list server                 '127.0.0.1#5454'
    list server                 '/pool.ntp.org/208.67.222.222'

Reboot the router or restart dnscrypt-proxy and dnsmasq for the changes to take effect.

/etc/init.d/dnscrypt-proxy restart
/etc/init.d/dnsmasq restart

Client configuration

Note: you may need admin privileges to run the commands below.

Linux

sudo /etc/init.d/nscd restart

or

sudo /etc/init.d/networking restart

Windows

ipconfig /flushdns

Mac OS X

  • Mac OS X 10.4 (Tiger)

lookupd -flushcache

  • Mac OS X 10.5/10.6 (Leopard/Snow Leopard)

dscacheutil -flushcache

Troubleshooting

How to check what features are supported by your resolver

  1. The DNS leak test or DNS randomness test will show the actual IP of your DNS. You can check here if the IP is associated with the service you are using (put the IP in the search field).
  2. DNSSEC resolver test determines whether your DNS resolver validates DNSSEC signatures.
  3. If you can access DNSCrypt.bit, your resolver can resolve domain names using Namecoin.

How to check if your DNS queries are using dnscrypt

On the router:

pkill -STOP dnscrypt-proxy

DNS resolution should not work any more.

To restore service, unfreeze the client proxy:

pkill -CONT dnscrypt-proxy

How to check if dnscrypt-proxy is set up and running

The easy way is to look at the log.

  1. Check if dnsmasq is using only dnscrypt. Only the last block of logged nameservers is relevant.
logread | grep -n "using nameserver"
132:Jan  1 01:01:00 openwrt daemon.info dnsmasq[1883]: using nameserver 208.67.222.222#53 for domain pool.ntp.org
133:Jan  1 01:01:00 openwrt daemon.info dnsmasq[1883]: using nameserver 127.0.0.1#5353
  2. Check that dnscrypt-proxy is working.
logread | grep "Proxying from"
Jul 1 12:00:00 openwrt daemon.info dnscrypt-proxy[1831]: Proxying from 127.0.0.1:5353 to 208.67.220.220:443

If you have problems, check port conflict (for example, between the mDNS ZeroConf Daemon (avahi) and the default port for dnscrypt-proxy).
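The two logread checks above can be run as one script over saved router output (for example `ssh root@router logread > logread.txt`, then `python3 check_upstreams.py < logread.txt`; the script name is an assumption). This is an added example, not code from the OpenWrt wiki or the dnscrypt-proxy project. It assumes the dnsmasq and dnscrypt-proxy log lines look like the samples on this page, and it treats a dnsmasq "started, version" or "reading <file>" line as the start of a new "using nameserver" block, so that, as the wiki says, only the last block counts. The sample logs are constructed.

```python
import re
import sys

# The two lines the troubleshooting steps above grep for. PIDs vary, and
# `logread | grep -n` may prefix a line number, so we search rather than match.
NAMESERVER_RE = re.compile(r"dnsmasq\[\d+\]: using nameserver (.+?)\s*$")
PROXY_RE = re.compile(r"dnscrypt-proxy\[\d+\]: Proxying from (\S+) to (\S+)")
# dnsmasq re-announces its whole upstream list after starting or re-reading a
# resolv file, so only the "using nameserver" block after the last such line is current.
BLOCK_START_RE = re.compile(r"dnsmasq\[\d+\]: (?:started, version|reading )")


def last_nameserver_block(log_text):
    """Upstreams from the most recent 'using nameserver' block in logread output."""
    block = []
    for line in log_text.splitlines():
        if BLOCK_START_RE.search(line):
            block = []
            continue
        m = NAMESERVER_RE.search(line)
        if m:
            block.append(m.group(1))
    return block


def check_dnsmasq_upstreams(log_text, allowed):
    """Upstreams in the current dnsmasq block that are not in `allowed`.

    Empty means every query dnsmasq forwards goes to an allowed target, i.e.
    the local dnscrypt-proxy listener plus the deliberate plain-DNS exception
    for pool.ntp.org. Anything else is a plaintext leak past dnscrypt-proxy.
    """
    allowed = set(allowed)
    return [ns for ns in last_nameserver_block(log_text) if ns not in allowed]


def dnscrypt_proxy_routes(log_text):
    """(listen address, upstream) pairs from dnscrypt-proxy's 'Proxying from' lines."""
    return [m.groups() for m in PROXY_RE.finditer(log_text)]


ALLOWED = ["127.0.0.1#5353", "208.67.222.222#53 for domain pool.ntp.org"]

# Constructed logread excerpt (not real router output). The first block is from
# before dnsmasq was reconfigured and still forwards to the ISP router.
CLEAN_LOG = """\
Jan  1 01:00:00 openwrt daemon.info dnsmasq[1883]: started, version 2.80 cachesize 150
Jan  1 01:00:00 openwrt daemon.info dnsmasq[1883]: reading /tmp/resolv.conf.auto
Jan  1 01:00:00 openwrt daemon.info dnsmasq[1883]: using nameserver 192.168.1.1#53
Jan  1 01:00:05 openwrt daemon.info dnscrypt-proxy[1831]: Proxying from 127.0.0.1:5353 to 208.67.220.220:443
Jan  1 01:01:00 openwrt daemon.info dnsmasq[1883]: reading /etc/resolv-crypt.conf
Jan  1 01:01:00 openwrt daemon.info dnsmasq[1883]: using nameserver 208.67.222.222#53 for domain pool.ntp.org
Jan  1 01:01:00 openwrt daemon.info dnsmasq[1883]: using nameserver 127.0.0.1#5353
"""
# Same excerpt, but the ISP resolver is still in the current block (e.g. the
# resolvfile line was left enabled), so plaintext queries leak past the proxy.
LEAKY_LOG = CLEAN_LOG + "Jan  1 01:01:00 openwrt daemon.info dnsmasq[1883]: using nameserver 192.168.1.1#53\n"

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else LEAKY_LOG
    for listen, upstream in dnscrypt_proxy_routes(text):
        print("dnscrypt-proxy: %s -> %s" % (listen, upstream))
    leaks = check_dnsmasq_upstreams(text, ALLOWED)
    if leaks:
        print("unexpected upstreams in current dnsmasq block: " + ", ".join(leaks))
        sys.exit(1)
    print("dnsmasq forwards only to allowed upstreams")
```

Run without input it checks the constructed leaky log and exits 1; fed real logread output it exits 0 only when the current dnsmasq block contains nothing but the entries you listed in ALLOWED (add a second 127.0.0.1#port entry if you run multiple instances).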

Suspicious certificate received

A "suspicious" certificate can be reported:

root@OpenWrtRouter:/tmp# ./dnscrypt-proxy -R dnscrypt.eu-nl -a 127.0.0.1:5353
[INFO] Generating a new key pair
[INFO] Done
[ERROR] Suspicious certificate received
[ERROR] No useable certificates found
[INFO] Refetching server certificates
[ERROR] Suspicious certificate received
[ERROR] No useable certificates found

Check the date and time on your router: this kind of behavior is usually caused by a system clock that hasn't been set properly.

dnsmasq+dnscrypt-proxy

/etc/dnsmasq.conf

# Change the following lines if you want dnsmasq to serve SRV
# records.
# You may add multiple srv-host lines.
# The fields are <name>,<target>,<port>,<priority>,<weight>

# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 289
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389

# Two SRV records for LDAP, each with different priorities
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2

# A SRV record indicating that there is no LDAP server for the domain
# example.com
#srv-host=_ldap._tcp.example.com

# The following line shows how to make dnsmasq serve an arbitrary PTR
# record. This is useful for DNS-SD.
# The fields are <name>,<target>
#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"

# Change the following lines to enable dnsmasq to serve TXT records.
# These are used for things like SPF and zeroconf.
# The fields are <name>,<text>,<text>...

#Example SPF.
#txt-record=example.com,"v=spf1 a -all"

#Example zeroconf
#txt-record=_http._tcp.example.com,name=value,paper=A4

# Provide an alias for a "local" DNS name. Note that this _only_ works
# for targets which are names from DHCP or /etc/hosts. Give host
# "bert" another name, bertrand
# The fields are <cname>,<target>
#cname=bertrand,bert

###### How dnsmasq resolves a name ######
# dnsmasq first consults the hosts file, then the *.conf files under /etc/dnsmasq.d/ (these take precedence over dnsmasq.conf); the servers in our own resolv.dnsmasq.conf are the "upstream" DNS and are queried last.

# If you do not want the hosts file used for resolution, add no-hosts to /etc/dnsmasq.conf and queries go straight upstream. no-resolv stops dnsmasq from taking upstream servers from a resolv file; it then forwards only to the server= entries in its own configuration (and to nothing at all if there are none).



##################
# Listening addresses (192.168.10.1 is your LAN gateway IP)
listen-address=192.168.10.1,127.0.0.1
# To run dnsmasq as a caching DNS daemon on a single machine, edit /etc/dnsmasq.conf and add: listen-address=127.0.0.1
# To have this host serve as the default DNS for the LAN, give it a fixed IP address and set: listen-address=192.168.x.x

address=/test.cc/192.168.1.1

# "Smart" DNS: send selected domains to a nearby resolver to speed up resolution
# (these queries go out unencrypted and bypass dnscrypt-proxy)
#server=/cn/114.114.114.114
#server=/taobao.com/223.5.5.5
#server=/taobaocdn.com/223.5.5.5

# Do not read resolv-file to determine upstream servers
no-resolv
# Do not poll /etc/dnsmasq/resolv.conf for changes either
no-poll
# Query all upstream servers in parallel and use the first reply
#all-servers 
# Path of the upstream server list
#resolv-file=/etc/dnsmasq/resolv.conf


# Upstream server: the local dnscrypt-proxy
server=127.0.0.1#5353


# Additional hosts file
#192.168.10.1  test.cc
addn-hosts=/etc/dnsmasq/noad.conf


# Reverse lookups for private ranges such as 192.168.x.x are answered from the hosts file
# (or with "no such domain") and never forwarded upstream
bogus-priv

# Additional configuration files
# conf-file=/etc/dnsmasq.d/fqad.conf
conf-dir=/etc/dnsmasq.d

# Size of the name cache
cache-size=10000

/etc/dnsmasq/resolv.conf

# Upstream DNS servers
# To tune for your own network, measure with ping or DNSBench and
# list the fastest servers first.
#
# Every entry here is a plain, unencrypted resolver. With no-resolv set in
# dnsmasq.conf above, this file is not read at all; if you do point resolv-file
# at it, every query dnsmasq forwards here bypasses dnscrypt-proxy.

# Local rule-based resolver (dnsmasq itself listens on 127.0.0.1:53, so as an
# upstream this entry would make dnsmasq forward to itself)
nameserver 127.0.0.1

# Your ISP's local DNS servers
nameserver 211.138.180.2
nameserver 211.138.180.3
nameserver 2409:8030:2000::1
nameserver 2409:8030:2000::2

# Popular public DNS servers
nameserver 114.114.114.114
nameserver 218.30.118.6
nameserver 114.114.114.119
nameserver 119.29.29.29
nameserver 8.8.4.4
nameserver 4.2.2.2
nameserver 1.2.4.8
nameserver 223.5.5.5
nameserver 223.6.6.6
nameserver 180.76.76.76
nameserver 2400:da00::6666

/etc/config/dnscrypt-proxy.toml

##############################################
#                                            #
#        dnscrypt-proxy configuration        #
#                                            #
##############################################

## This is an example configuration file.
## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml"
##
## Online documentation is available here: https://dnscrypt.info/doc



##################################
#         Global settings        #
##################################

## List of servers to use
##
## Servers from the "public-resolvers" source (see down below) can
## be viewed here: https://dnscrypt.info/public-servers
##
## If this line is commented, all registered servers matching the require_* filters
## will be used.
##
## The proxy will automatically pick the fastest, working servers from the list.
## Remove the leading # first to enable this; lines starting with # are ignored.

# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']


## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
## Note: When using systemd socket activation, choose an empty set (i.e. [] ).

listen_addresses = ['127.0.0.1:53', '[::1]:53']


## Maximum number of simultaneous client connections to accept

max_clients = 250


## Switch to a different system user after listening sockets have been created.
## Note (1): this feature is currently unsupported on Windows.
## Note (2): this feature is not compatible with systemd socket activation.
## Note (3): when using -pidfile, the PID file directory must be writable by the new user

# user_name = 'nobody'


## Require servers (from static + remote sources) to satisfy specific properties

# Use servers reachable over IPv4
ipv4_servers = true

# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
ipv6_servers = false

# Use servers implementing the DNSCrypt protocol
dnscrypt_servers = true

# Use servers implementing the DNS-over-HTTPS protocol
doh_servers = true


## Require servers defined by remote sources to satisfy specific properties

# Server must support DNS security extensions (DNSSEC)
require_dnssec = false

# Server must not log user queries (declarative)
require_nolog = true

# Server must not enforce its own blacklist (for parental control, ads blocking...)
require_nofilter = true


## Always use TCP to connect to upstream servers.
## This can be useful if you need to route everything through Tor.
## Otherwise, leave this to `false`, as it doesn't improve security
## (dnscrypt-proxy will always encrypt everything even using UDP), and can
## only increase latency.

force_tcp = false


## SOCKS proxy
## Uncomment the following line to route all TCP connections to a local Tor node
## Tor doesn't support UDP, so set `force_tcp` to `true` as well.

# proxy = "socks5://127.0.0.1:9050"


## HTTP/HTTPS proxy
## Only for DoH servers

# http_proxy = "http://127.0.0.1:8888"


## How long a DNS query will wait for a response, in milliseconds

timeout = 2500


## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds

keepalive = 30


## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random'

# lb_strategy = 'p2'


## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)

# log_level = 2


## log file for the application

# log_file = 'dnscrypt-proxy.log'


## Use the system logger (syslog on Unix, Event Log on Windows)

# use_syslog = true


## Delay, in minutes, after which certificates are reloaded

cert_refresh_delay = 240


## DNSCrypt: Create a new, unique key for every single DNS query
## This may improve privacy but can also have a significant impact on CPU usage
## Only enable if you don't have a lot of network load

# dnscrypt_ephemeral_keys = false


## DoH: Disable TLS session tickets - increases privacy but also latency

# tls_disable_session_tickets = false


## DoH: Use a specific cipher suite instead of the server preference
## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
##
## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
## the following suite improves performance.
## This may also help on Intel CPUs running 32-bit operating systems.
##
## Keep tls_cipher_suite empty if you have issues fetching sources or
## connecting to some DoH servers. Google and Cloudflare are fine with it.

# tls_cipher_suite = [52392, 49199]


## Fallback resolver
## This is a normal, non-encrypted DNS resolver, that will be only used
## for one-shot queries when retrieving the initial resolvers list, and
## only if the system DNS configuration doesn't work.
## No user application queries will ever be leaked through this resolver,
## and it will not be used after IP addresses of resolvers URLs have been found.
## It will never be used if lists have already been cached, and if stamps
## don't include host names without IP addresses.
## It will not be used if the configured system DNS works.
## A resolver supporting DNSSEC is recommended. This may become mandatory.
##
## People in China may need to use 114.114.114.114:53 here.
## Other popular options include 8.8.8.8 and 1.1.1.1.

fallback_resolver = '9.9.9.9:53'


## Never let dnscrypt-proxy try to use the system DNS settings;
## unconditionally use the fallback resolver.

ignore_system_dns = false


## Maximum time (in seconds) to wait for network connectivity before
## initializing the proxy.
## Useful if the proxy is automatically started at boot, and network
## connectivity is not guaranteed to be immediately available.
## Use 0 to disable.

netprobe_timeout = 60


## Offline mode - Do not use any remote encrypted servers.
## The proxy will remain fully functional to respond to queries that
## plugins can handle directly (forwarding, cloaking, ...)

# offline_mode = false


## Automatic log files rotation

# Maximum log files size in MB
log_files_max_size = 10

# How long to keep backup files, in days
log_files_max_age = 7

# Maximum log files backups to keep (or 0 to keep all backups)
log_files_max_backups = 1



#########################
#        Filters        #
#########################

## Immediately respond to IPv6-related queries with an empty response
## This makes things faster when there is no IPv6 connectivity, but can
## also cause reliability issues with some stub resolvers.
## Do not enable if you added a validating resolver such as dnsmasq in front
## of the proxy.

block_ipv6 = false



##################################################################################
#        Route queries for specific domains to a dedicated set of servers        #
##################################################################################

## Example map entries (one entry per line):
## example.com 9.9.9.9
## example.net 9.9.9.9,8.8.8.8,1.1.1.1

# forwarding_rules = 'forwarding-rules.txt'



###############################
#        Cloaking rules       #
###############################

## Cloaking returns a predefined address for a specific name.
## In addition to acting as a HOSTS file, it can also return the IP address
## of a different name. It will also do CNAME flattening.
##
## Example map entries (one entry per line)
## example.com     10.1.1.1
## www.google.com  forcesafesearch.google.com

# cloaking_rules = 'cloaking-rules.txt'



###########################
#        DNS cache        #
###########################

## Enable a DNS cache to reduce latency and outgoing traffic

cache = true


## Cache size

cache_size = 512


## Minimum TTL for cached entries

cache_min_ttl = 600


## Maximum TTL for cached entries

cache_max_ttl = 86400


## Minimum TTL for negatively cached entries

cache_neg_min_ttl = 60


## Maximum TTL for negatively cached entries

cache_neg_max_ttl = 600



###############################
#        Query logging        #
###############################

## Log client queries to a file

[query_log]

  ## Path to the query log file (absolute, or relative to the same directory as the executable file)

  # file = 'query.log'


  ## Query log format (currently supported: tsv and ltsv)

  format = 'tsv'


  ## Do not log these query types, to reduce verbosity. Keep empty to log everything.

  # ignored_qtypes = ['DNSKEY', 'NS']



############################################
#        Suspicious queries logging        #
############################################

## Log queries for nonexistent zones
## These queries can reveal the presence of malware, broken/obsolete applications,
## and devices signaling their presence to 3rd parties.

[nx_log]

  ## Path to the query log file (absolute, or relative to the same directory as the executable file)

  # file = 'nx.log'


  ## Query log format (currently supported: tsv and ltsv)

  format = 'tsv'



######################################################
#        Pattern-based blocking (blacklists)        #
######################################################

## Blacklists are made of one pattern per line. Example of valid patterns:
##
##   example.com
##   =example.com
##   *sex*
##   ads.*
##   ads*.example.*
##   ads*.example[0-9]*.com
##
## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
## A script to build blacklists from public feeds can be found in the
## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.

[blacklist]

  ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)

  # blacklist_file = 'blacklist.txt'


  ## Optional path to a file logging blocked queries

  # log_file = 'blocked.log'


  ## Optional log format: tsv or ltsv (default: tsv)

  # log_format = 'tsv'



###########################################################
#        Pattern-based IP blocking (IP blacklists)        #
###########################################################

## IP blacklists are made of one pattern per line. Example of valid patterns:
##
##   127.*
##   fe80:abcd:*
##   192.168.1.4

[ip_blacklist]

  ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)

  # blacklist_file = 'ip-blacklist.txt'


  ## Optional path to a file logging blocked queries

  # log_file = 'ip-blocked.log'


  ## Optional log format: tsv or ltsv (default: tsv)

  # log_format = 'tsv'



######################################################
#   Pattern-based whitelisting (blacklists bypass)   #
######################################################

## Whitelists support the same patterns as blacklists
## If a name matches a whitelist entry, the corresponding session
## will bypass names and IP filters.
##
## Time-based rules are also supported to make some websites only accessible at specific times of the day.

[whitelist]

  ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the executable file)

  # whitelist_file = 'whitelist.txt'


  ## Optional path to a file logging whitelisted queries

  # log_file = 'whitelisted.log'


  ## Optional log format: tsv or ltsv (default: tsv)

  # log_format = 'tsv'



##########################################
#        Time access restrictions        #
##########################################

## One or more weekly schedules can be defined here.
## Patterns in the name-based blocklist can optionally be followed with @schedule_name
## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
##
## For example, the following rule in a blacklist file:
## *.youtube.* @time-to-sleep
## would block access to YouTube only during the days, and period of the days
## define by the 'time-to-sleep' schedule.
##
## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
## {after= '9:00', before='18:00'} matches 9:00-18:00

[schedules]

  # [schedules.'time-to-sleep']
  # mon = [{after='21:00', before='7:00'}]
  # tue = [{after='21:00', before='7:00'}]
  # wed = [{after='21:00', before='7:00'}]
  # thu = [{after='21:00', before='7:00'}]
  # fri = [{after='23:00', before='7:00'}]
  # sat = [{after='23:00', before='7:00'}]
  # sun = [{after='21:00', before='7:00'}]

  # [schedules.'work']
  # mon = [{after='9:00', before='18:00'}]
  # tue = [{after='9:00', before='18:00'}]
  # wed = [{after='9:00', before='18:00'}]
  # thu = [{after='9:00', before='18:00'}]
  # fri = [{after='9:00', before='17:00'}]



#########################
#        Servers        #
#########################

## Remote lists of available servers
## Multiple sources can be used simultaneously, but every source
## requires a dedicated cache file.
##
## Refer to the documentation for URLs of public sources.
##
## A prefix can be prepended to server names in order to
## avoid collisions if different sources share the same for
## different servers. In that case, names listed in `server_names`
## must include the prefixes.
##
## If the `urls` property is missing, cache files and valid signatures
## must be already present; This doesn't prevent these cache files from
## expiring after `refresh_delay` hours.

[sources]

  ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers

  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''

  ## Quad9 over DNSCrypt - https://quad9.net/

  # [sources.quad9-resolvers]
  # urls = ["https://www.quad9.net/quad9-resolvers.md"]
  # minisign_key = "RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN"
  # cache_file = "quad9-resolvers.md"
  # refresh_delay = 72
  # prefix = "quad9-"

  ## Another example source, with resolvers censoring some websites not appropriate for children
  ## This is a subset of the `public-resolvers` list, so enabling both is useless

  #  [sources.'parental-control']
  #  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md']
  #  cache_file = 'parental-control.md'
  #  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'



## Optional, local, static list of additional servers
## Mostly useful for testing your own servers.

[static]

  # [static.'google']
  # stamp = 'sdns://AgUAAAAAAAAAAAAOZG5zLmdvb2dsZS5jb20NL2V4cGVyaW1lbnRhbA'

Concrete configuration 1: dnscrypt-proxy.toml on OpenWrt

##################################
#         Global settings        #
##################################
listen_addresses = ['127.0.0.1:5353']
max_clients = 250
# user_name = 'nobody'
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
doh_servers = true
require_dnssec = false
require_nolog = true
require_nofilter = true
# Only useful when everything is routed through a SOCKS/Tor proxy; otherwise it just adds latency (see the stock comment above)
force_tcp = true
# proxy = "socks5://127.0.0.1:9050"
timeout = 2500
keepalive = 30
lb_strategy = 'p2'
# log_level 0 is the most verbose setting; with log_file on the router's flash this fills and wears storage, so raise it (2 is the default) once the setup works
log_level = 0
log_file = 'dnscrypt-proxy.log'
use_syslog = false
cert_refresh_delay = 240
dnscrypt_ephemeral_keys = false
tls_disable_session_tickets = false
tls_cipher_suite = [52392, 49199]
fallback_resolver = '114.114.114.114:53'
ignore_system_dns = false
netprobe_timeout = 30
# offline_mode = false
log_files_max_size = 10
log_files_max_age = 7
log_files_max_backups = 1

#########################
#        Filters        #
#########################
# dnsmasq sits in front of the proxy in this setup; the stock comment above advises against block_ipv6 with a validating resolver in front, so set this to false if you enable DNSSEC validation in dnsmasq
block_ipv6 = true

##################################################################################
#        Route queries for specific domains to a dedicated set of servers        #
##################################################################################
forwarding_rules = 'dnscrypt-forwarding-rules.txt'

###############################
#        Cloaking rules       #
###############################
# cloaking_rules = 'dnscrypt-cloaking-rules.txt'

###########################
#        DNS cache        #
###########################
cache = true
cache_size = 512
cache_min_ttl = 600
cache_max_ttl = 86400
cache_neg_min_ttl = 60
cache_neg_max_ttl = 600

###############################
#        Query logging        #
###############################
[query_log]
  file = 'dnscrypt-query.log'
  format = 'tsv'

############################################
#        Suspicious queries logging        #
############################################
[nx_log]
  file = 'dnscrypt-nxdomain.log'
  format = 'tsv'

######################################################
#        Pattern-based blocking (blacklists)         #
######################################################
[blacklist]
  blacklist_file = 'dnscrypt-blacklist-domains.txt'
  log_file = 'dnscrypt-blacklist-domains.log'
  log_format = 'tsv'

###########################################################
#        Pattern-based IP blocking (IP blacklists)        #
###########################################################
[ip_blacklist]
  blacklist_file = 'dnscrypt-blacklist-ips.txt'
  log_file = 'dnscrypt-blacklist-ips.log'
  log_format = 'tsv'

######################################################
#   Pattern-based whitelisting (blacklists bypass)   #
######################################################
[whitelist]
  whitelist_file = 'dnscrypt-whitelist.txt'
  log_file = 'dnscrypt-whitelisted.log'
  log_format = 'tsv'

#########################
#        Servers        #
#########################
[static]
  [static.'cisco']
  stamp = 'sdns://AQAAAAAAAAAADjIwOC42Ny4yMjAuMjIwILc1EUAgbyJdPivYItf9aR6hwzzI1maNDL4Ev6vKQ_t5GzIuZG5zY3J5cHQtY2VydC5vcGVuZG5zLmNvbQ'
  [static.'cloudflare']
  stamp = 'sdns://AgcAAAAAAAAABzEuMC4wLjGgENk8mGSlIfMGXMOlIlCcKvq7AVgcrZxtjon911-ep0cg63Ul-I8NlFj4GplQGb_TTLiczclX57DvMV8Q-JdjgRgSZG5zLmNsb3VkZmxhcmUuY29tCi9kbnMtcXVlcnk'
#  [static.'google']
#  stamp = 'sdns://AgUAAAAAAAAAACDyXGrcc5eNecJ8nomJCJ-q6eCLTEn6bHic0hWGUwYQaA5kbnMuZ29vZ2xlLmNvbQ0vZXhwZXJpbWVudGFs'

Concrete configuration 2: dnscrypt-proxy.toml on Windows

#server_names = ['publicarray-au-doh', 'google', 'gridns-sg', 'cloudflare']
#listen_addresses = ['127.0.0.1:53']
listen_addresses = ['127.0.0.1:53', '[::1]:53']
max_clients = 1024
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
doh_servers = true
require_dnssec = true
require_nolog = false
require_nofilter = true
force_tcp = false
timeout = 2000
keepalive = 30
use_syslog = false
cert_refresh_delay = 300
#fallback_resolver = '180.76.76.76:53'
fallback_resolver = '114.114.114.114:53'
#ignore_system_dns = false    # enable the system DNS
ignore_system_dns = true
netprobe_timeout = 30
log_files_max_size = 10
log_files_max_age = 7
log_files_max_backups = 1
block_ipv6 = true

cloaking_rules = 'dnscrypt-proxy-cloaking.txt'  # enable the dnscrypt hosts file


forwarding_rules = 'forwarding-rules.txt'

cache = true
cache_size = 10240
cache_min_ttl = 600
cache_max_ttl = 1800
cache_neg_min_ttl = 60
cache_neg_max_ttl = 600

[sources]
    [sources.'public-resolvers']
    urls = ['https://download.dnscrypt.info/dnscrypt-resolvers/v2/public-resolvers.md', 'https://www.evilvibes.com/list/public-resolvers.md']
    cache_file = 'public-resolvers.md'
    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
    [sources.'parental-control']
    urls = ['https://download.dnscrypt.info/dnscrypt-resolvers/v2/parental-control.md', 'https://www.evilvibes.com/list/parental-control.md']
    cache_file = 'parental-control.md'
    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
    [sources.'opennic']
    urls = ['https://download.dnscrypt.info/dnscrypt-resolvers/v2/opennic.md', 'https://www.evilvibes.com/list/opennic.md']
    cache_file = 'opennic.md'
    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
[static]
    # [static.'google']
    # stamp = 'sdns://AgUAAAAAAAAAACAe9iTP_15r07rd8_3b_epWVGfjdymdx-5mdRZvMAzBuQ5kbnMuZ29vZ2xlLmNvbQ0vZXhwZXJpbWVudGFs'
    # [static.'cloudflare']
    # stamp = 'sdns://AgcAAAAAAAAABzEuMC4wLjGgENk8mGSlIfMGXMOlIlCcKvq7AVgcrZxtjon911-ep0cg63Ul-I8NlFj4GplQGb_TTLiczclX57DvMV8Q-JdjgRgSZG5zLmNsb3VkZmxhcmUuY29tCi9kbnMtcXVlcnk'
    # [static.'securedns']
    # stamp = 'sdns://AQcAAAAAAAAAEzE0Ni4xODUuMTY3LjQzOjUzNTMgs6WXaRRXWwSJ4Z-unEPmefryjFcYlwAxf3u0likfsJUcMi5kbnNjcnlwdC1jZXJ0LnNlY3VyZWRucy5ldQ'
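Both configurations above pin upstream resolvers with 'sdns://' server stamps, and the require_dnssec / require_nolog / require_nofilter settings are decided by property bits packed inside those stamps. The decoder below is an added example (not dnscrypt-proxy's own code, which is written in Go) that unpacks the cisco, cloudflare and google stamps listed above and mirrors the three require_* checks; the stamps are copied from the configurations on this page, and the field layout follows the public DNS stamp specification.

```python
"""Decode dnscrypt-proxy 'sdns://' server stamps.

Added example, not dnscrypt-proxy's own code. It decodes the static stamps
listed in the configurations above and shows which property bits the
require_dnssec / require_nolog / require_nofilter settings inspect.
"""
import base64
from dataclasses import dataclass, field
from typing import List

# Bits of the 64-bit little-endian "props" field inside a stamp.
PROP_DNSSEC = 1 << 0
PROP_NO_LOG = 1 << 1
PROP_NO_FILTER = 1 << 2

PROTOCOLS = {0x00: "Plain", 0x01: "DNSCrypt", 0x02: "DoH", 0x03: "DoT"}


@dataclass
class ServerStamp:
    protocol: str
    props: int
    address: str                     # "ip[:port]"; may be empty for DoH
    public_key: bytes = b""          # DNSCrypt: provider public key (32 bytes)
    provider_name: str = ""          # DNSCrypt: e.g. 2.dnscrypt-cert.example
    hashes: List[bytes] = field(default_factory=list)  # DoH/DoT: pinned cert hashes
    hostname: str = ""               # DoH/DoT: TLS server name
    path: str = ""                   # DoH: URL path

    @property
    def dnssec(self) -> bool:
        return bool(self.props & PROP_DNSSEC)

    @property
    def no_log(self) -> bool:
        return bool(self.props & PROP_NO_LOG)

    @property
    def no_filter(self) -> bool:
        return bool(self.props & PROP_NO_FILTER)


class _Reader:
    """Sequential reader for the stamp's length-prefixed fields."""

    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("stamp truncated")
        self.pos += n
        return chunk

    def lp(self) -> bytes:
        # LP(x): one length byte followed by that many bytes
        return self.take(self.take(1)[0])

    def vlp(self) -> List[bytes]:
        # VLP(x): a list of LP items; bit 0x80 of a length byte means "more follow"
        items = []
        while True:
            n = self.take(1)[0]
            items.append(self.take(n & 0x7F))
            if not n & 0x80:
                return items


def decode_stamp(stamp: str) -> ServerStamp:
    if not stamp.startswith("sdns://"):
        raise ValueError("not an sdns:// stamp")
    b64 = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))  # unpadded base64url
    r = _Reader(raw)
    proto = r.take(1)[0]
    props = int.from_bytes(r.take(8), "little")
    s = ServerStamp(PROTOCOLS.get(proto, f"unknown(0x{proto:02x})"), props, r.lp().decode())
    if proto == 0x01:
        s.public_key = r.lp()
        s.provider_name = r.lp().decode()
    elif proto in (0x02, 0x03):
        s.hashes = [h for h in r.vlp() if h]   # an empty item means "no pinned hash"
        s.hostname = r.lp().decode()
        if proto == 0x02:
            s.path = r.lp().decode()
    elif proto != 0x00:
        raise ValueError(f"unsupported stamp protocol 0x{proto:02x}")
    # Newer stamps may carry optional trailing fields (e.g. bootstrap IPs); ignored here.
    return s


def meets_requirements(s: ServerStamp, require_dnssec=False, require_nolog=False,
                       require_nofilter=False) -> bool:
    """Mirror the three require_* filters from dnscrypt-proxy.toml against a stamp."""
    return ((not require_dnssec or s.dnssec)
            and (not require_nolog or s.no_log)
            and (not require_nofilter or s.no_filter))


# Stamps copied from the configurations above.
CISCO = "sdns://AQAAAAAAAAAADjIwOC42Ny4yMjAuMjIwILc1EUAgbyJdPivYItf9aR6hwzzI1maNDL4Ev6vKQ_t5GzIuZG5zY3J5cHQtY2VydC5vcGVuZG5zLmNvbQ"
CLOUDFLARE = "sdns://AgcAAAAAAAAABzEuMC4wLjGgENk8mGSlIfMGXMOlIlCcKvq7AVgcrZxtjon911-ep0cg63Ul-I8NlFj4GplQGb_TTLiczclX57DvMV8Q-JdjgRgSZG5zLmNsb3VkZmxhcmUuY29tCi9kbnMtcXVlcnk"
GOOGLE = "sdns://AgUAAAAAAAAAACDyXGrcc5eNecJ8nomJCJ-q6eCLTEn6bHic0hWGUwYQaA5kbnMuZ29vZ2xlLmNvbQ0vZXhwZXJpbWVudGFs"

if __name__ == "__main__":
    for name, stamp in (("cisco", CISCO), ("cloudflare", CLOUDFLARE), ("google", GOOGLE)):
        s = decode_stamp(stamp)
        print(f"{name:10} {s.protocol:8} addr={s.address or '(none)':16} "
              f"host={s.hostname or s.provider_name} "
              f"dnssec={s.dnssec} nolog={s.no_log} nofilter={s.no_filter}")
```

Running it shows why the flags matter: the cisco stamp is a DNSCrypt server with no property bits set, so a configuration with require_nolog = true or require_nofilter = true expresses requirements that stamp does not declare; the cloudflare stamp is DoH with DNSSEC, no-log and no-filter all declared and two pinned certificate hashes; the google stamp carries no IP address at all, only a hostname, which is the case where a working fallback_resolver is needed to bootstrap the connection.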

Installation on OpenWRT

Excerpted from: https://github.com/jedisct1/dnscrypt-proxy/wiki/Installation-on-OpenWRT

Download

Download the proper binary from the releases page. Get the right binary for your architecture. If you get a strange parse error later when trying to run the executable file, chances are that you didn't pick the right file for the CPU of your router.

Optional: compress the executable

The dnscrypt-proxy file is quite large, but can be compressed for a massive reduction of its size, from ~12 Mb down to ~2 Mb.

In order to do so, use UPX on any platform (Windows, Linux, macOS...) with the following command:

upx --lzma dnscrypt-proxy

Tweak the example file

Rename example-dnscrypt-proxy.toml to dnscrypt-proxy.toml, and change at least the following line:

listen_addresses = ['127.0.0.1:53', '[::1]:53']

to (notice the IP address change):

listen_addresses = ['127.0.0.53:53']

In order for local host names (.lan) to be resolved, also change

# forwarding_rules = 'forwarding-rules.txt'

to

forwarding_rules = 'forwarding-rules.txt'

Install the files on the router

Use scp to copy:

  • dnscrypt-proxy to /usr/sbin/
  • The modified dnscrypt-proxy.toml file to /etc/config/
  • This init.d file by @etam saved as /etc/init.d/dnscrypt-proxy.
  • The following content as /etc/config/forwarding-rules.txt:
lan 127.0.0.1
10.in-addr.arpa 127.0.0.1
192.in-addr.arpa 127.0.0.1
254.169.in-addr.arpa 127.0.0.1

If your local domain is not .lan, or if you have more, change/add them accordingly in the above file.
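The forwarding rules file keeps local names and the private reverse zones on the router's own dnsmasq instead of sending them to the encrypted upstream. The following is an added example, not dnscrypt-proxy's own forwarder: it parses the file content shown above and decides which names a rule catches. It assumes the documented line format ('<domain> <server>[,<server>...]', '#' comments) and, as a design choice of this example rather than a claim about dnscrypt-proxy's matcher, picks the longest matching suffix when several rules apply.

```python
"""How a forwarding-rules.txt entry decides where a query goes.

Added example; this is not dnscrypt-proxy's own forwarder. It assumes the
documented meaning of the file (one "<domain> <server>[,<server>]" per line,
'#' comments) and, as a design choice of this example, picks the longest
matching suffix when several rules apply.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed copy of the forwarding-rules.txt shown above, with a comment added.
FORWARDING_RULES = """\
# local names and private reverse zones stay on the router's dnsmasq
lan 127.0.0.1
10.in-addr.arpa 127.0.0.1
192.in-addr.arpa 127.0.0.1
254.169.in-addr.arpa 127.0.0.1
"""

Rule = Tuple[str, List[str]]


def parse_forwarding_rules(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()        # strip comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected '<domain> <server>[,<server>...]'")
        domain = fields[0].lower().rstrip(".")
        servers = [s for s in ",".join(fields[1:]).split(",") if s]
        rules.append((domain, servers))
    return rules


def route(qname: str, rules: List[Rule]) -> Optional[List[str]]:
    """Servers for the most specific matching rule, or None for the encrypted upstream.

    A rule matches the domain itself and any name below it; "evil-lan.com" does
    not match "lan" because the boundary must be a dot.
    """
    name = qname.lower().rstrip(".")
    best: Optional[Rule] = None
    for domain, servers in rules:
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, servers)
    return best[1] if best else None


def reverse_name(ip: str) -> str:
    """PTR owner name for an address, e.g. 192.168.1.1 -> 1.1.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


if __name__ == "__main__":
    rules = parse_forwarding_rules(FORWARDING_RULES)
    for q in ("router.lan", "printer.LAN.", "evil-lan.com", "google.com",
              reverse_name("192.168.1.1"), reverse_name("8.8.8.8")):
        print(f"{q:28} -> {route(q, rules) or 'encrypted upstream'}")
```

Two things the run makes visible: a PTR lookup for a 192.168.x.x or 10.x.x.x host never leaves the router, which is the point of listing the reverse zones, and '192.in-addr.arpa' covers the whole 192.0.0.0/8 reverse zone rather than only 192.168.0.0/16, so PTR lookups for public 192.x addresses also stay local (use '168.192.in-addr.arpa' if you want the rule limited to the private range).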

Then use ssh to log on the router and type:

chmod +x /usr/sbin/dnscrypt-proxy
chmod +x /etc/init.d/dnscrypt-proxy

Install the ca-bundle package on the router

The ca-bundle package is not installed by default on OpenWRT/LEDE; without it, dnscrypt-proxy will run into errors.

Type:

opkg update
opkg install ca-bundle

Check that the proxy is properly installed

Type:

dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -check

And watch for possible errors.

Looks good? Start it for real:

/etc/init.d/dnscrypt-proxy enable
/etc/init.d/dnscrypt-proxy start

Configure the LAN interface to use the proxy

Using the LUCI web interface:

Go to Network/Interfaces/LAN and in the Use custom DNS servers field, enter: 127.0.0.53 and hit Save & Apply.

Using the command line:

Edit /etc/config/network to include the following line in the config interface 'lan' section:

option dns '127.0.0.53'

Example:

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option dns '127.0.0.53'

When using the command-line, for the new configuration to be applied, type:

/etc/init.d/network restart

And don't panic (42) if the network appears to be stuck for a couple of seconds.

Optional: configure the WAN interface the same way

Go to Network/Interfaces/WAN and, in Advanced Settings, uncheck the option whose description reads "If unchecked, the advertised DNS server addresses are ignored".

In addition to 127.0.0.53, you may want to enter an additional backup IP here, for example 1.0.0.1 or 9.9.9.9.

Check that your queries are using the proxy:

dnscrypt-proxy -resolve google.com

Make sure that the files you added are backed up

Using the LUCI web interface:

In the System/Backup/Flash page, click the Configuration tab and add the files you uploaded to the list:

/etc/init.d/dnscrypt-proxy
/usr/sbin/dnscrypt-proxy

Configuration files in /etc/config are automatically saved already.

Using the command line:

Edit /etc/sysupgrade.conf to add files to be included in backups.

Are these instructions not clear? Wrong? Insufficient? This documentation page is a Wiki, so you can contribute by improving it!