Use Git or checkout with SVN using the web URL. Work fast with our official CLI. If nothing happens, download GitHub Desktop and try again. If nothing happens, download GitHub Desktop and try again. If nothing happens, download Xcode and try again. Your codespace will open once ready. With an open specification, DNSCrypt is an older, yet robust method for encrypting DNS. Anonymized DNSCrypt. A lightweight protocol that hides the client IP address by using pre-configured relays to forward encrypted DNS data. This is a relatively new protocol created in 2019 currently only supported by dnscrypt-proxy and a limited number of.
- By using the DNSCrypt, you can establish a secure connection between the client device and the DNS (Domain Name Server). It will be through an encrypted protocol. How to install DNSCrypt on Android. There are two ways of doing it. The first is for the Rooted phone, and the second is for regular phones. Install DNSCrypt on Rooted Phone.
- In plain English, what is DNSCrypt? DNSCrypt is a piece of lightweight software that everyone should use to boost online privacy and security. It works by encrypting all DNS traffic between the user and OpenDNS, preventing any spying, spoofing or man-in-the-middle attacks.
Introduction
Historically, DNS is a service that was designed to be unencrypted. Whenever a device from your network is trying to go to a web address, it needs to determine the IP address of the website in order to access it. With the increasing levels of tracking and data sharing/selling, a growing awareness that having DNS traffic unencrypted is not a good idea from a privacy and security standpoint. ISPs and other entities are able to know which sites you visit even if all of your web traffic is encrypted.
Lately there has been a growing desire to encrypt DNS traffic as much as possible – an attempt to escape from some of the madness of increased data collection and tracking. There are a number of ways DNS can be encrypted and there are various pros/cons to each. DNS over HTTPS (DoH) is quickly becoming a popular way to encrypt DNS traffic. Instead of sending DNS traffic on UDP port 53, it is sent over TCP port 443 just like all other encrypted web traffic. The DNS server has to support DoH in order for the DNS lookup to success.
Install the DNSCrypt-Proxy Plugin in OPNsense
When I first looked into configuring DoH in OPNsense, I saw some forum posts about how to do this by manually installing packages via SSH command line and tweaking the configuration. Since then, there is now a DNSCrypt-proxy plugin that can be installed which simplifies the process by exposing the configuration in the web GUI of OPNsense.
To install DNSCrypt-proxy in OPNsense, go to System > Firmware > Plugins. Click the “+” icon beside the os-dnscrypt-proxy plugin to begin the installation. There should be a new menu option under “Services” for “DNSCrypt-Proxy”.
Configuring DNSCrypt-Proxy
Go to the Services > DNSCrypt-Proxy > Configuration page to begin configuring DNSCrypt-proxy. You will need to check “Enable DNSCrypt-Proxy” to enable the service. For the “Listen Address”, it will be defaulted to 127.0.0.1:5353 for IPv4 DNS queries and [::1]:5353 for IPv6 queries (remember that [::1] in IPv6 is equivalent to localhost 127.0.0.1 in IPv4). If you wish to use the default Unbound DNS service in OPNsense, leaving these values at the default is ok.
Warning: If you are also using the multicast DNS (MDNS-Repeater) plugin in OPNsense, you will need to change the default DNSCrypt-proxy port of 5353 to something else. I am using 5300 to keep it similar to the unencrypted port 53 of DNS. It is likely they chose 5353 as the default since it similar to 53, but they likely did not think about the conflicts when enabling the multicast DNS plugin (multicast DNS is designed to use port 5353).
If you are planning to exclusively use DNSCrypt-proxy, you could check the “Allow Privileged Ports” box and then change the “Listen Address” to use port 53. However, in my example I am using Unbound DNS so using DNSCrypt-proxy on port 53 is beyond the scope of this how-to. If you are not using IPv6, you could uncheck “Use IPv6 Servers” box. The next 5 checkboxes (“Use DNSCrypt Servers”, “Use DNS-over-HTTPS”, “Require DNSSEC”, “Require NoLog”, and “Require NoFilter”) I have checked except for “Use DNSCrypt Servers”. Since I am going to later choose specific DNS servers, none of these settings matter as stated in the DNSCrypt-proxy documentation. Those options are the filters used when you allow DNSCrypt-proxy to randomly choose the fastest DNS servers to allow you have control over the types of services you wish to use.
The “Fallback Resolver” value defaults to 9.9.9.9:53 which is for the Quad9 DNS service. You may change it to 1.1.1.1 if you prefer to use Cloudflare. This setting is used to obtain the IP addresses of upstream DNS resolvers in case the normal system DNS is not functioning properly. It is not used to resolve any other domain names that you wish to have encrypted. You may check the “Block IPv6” box if you are not using IPv6. The help information says that there could be a slight performance gain by disabling this option. I suppose that is due to the fact that it does not have to query any IPv6 servers when it is not necessary. It immediately returns a blank response. You may tweak any of the cache settings, but I left mine at the default settings. Finally, there is the “Server List” which allows you to manually specify servers rather than allow a random DNS server selection. I personally feel more comfortable knowing which servers my DNS queries are being performed. I picked Cloudflare and Quad9 since they seem to be trusted, well-known DNS providers. Note that you have to use the name of the server and not the IP addresses. The list of servers can be found here.
Configuring Unbound DNS (Optional)
If you wish to use Unbound DNS along with DNSCrypt-proxy, this is entirely possible. The main reason I chose to keep using Unbound DNS is that I have it set up to resolve hostnames on my local network. Unbound DNS also automatically advertises itself as the DNS server via DHCP for any LAN/VLAN networks you have set up to use DHCP. I do not know if DNSCrypt-proxy could also be configured to do so if you make it your sole DNS server for your network.
To make Unbound DNS work with DNSCrypt-proxy, go to Services > Unbound DNS > General. Since DNSCrypt-proxy supports DNSSEC, you can check “Enable DNSSEC Support” box if you do not already have it enabled for your existing DNS servers. I do not think this option is necessary since Unbound and DNSCrypt-proxy are running on the same machine. The most important thing is that you need to add the following section to your “Custom options” text box:
Make sure you are using the same port number in the “forward-addr” as you configured for your DNSCrypt-proxy. This will forward all of the DNS lookups from Unbound DNS from all of the devices on your network and send them to the DNSCrypt-proxy. You need to have DNSCrypt-proxy enabled and running before you save your changes because you will now be attempting to use the DNSCrypt-proxy service.
Verify DoH is Configured Properly
Once I was able to get everything up and running, I wanted to verify that it is actually encrypting all of the DNS lookups. There are a number of ways you may try verifying DoH is configured properly. Many of these are described by the DNSCrypt-proxy wiki.
View the DNSCrypt-Proxy Logs
There is a setting called “Fallback Resolver” that allows unencrypted DNS queries, and I was afraid at first that if the DoH configuration was not working that it would fallback to using an unencrypted connection. The help information says it is only used get the IP address of the DNS resolver list. Upon reading more details here, it says the fallback server will not be used for any other queries so one should not have to worry about DNS queries leaking to the unencrypted resolver. Assuming that is accurate, you should be able to know if the DNS queries are encrypted if the results of the DNS queries are showing up in the DNSCrypt-proxy logs by going to Services > DNSCrypt-Proxy > Log File.
Use SSH to Resolve a Hostname using the DNSCrypt-Proxy Command
If you are not satisfied with looking at the DNSCrypt-proxy logs, you could take another approach. In the example provided, I used Cloudflare as my DoH service provider. They provide some documentation on how to verify that DNSCrypt-proxy is running properly. Their example is written generically for those using DNSCrypt-proxy as a client that is installed on any supported platform. The same DNSCrypt-proxy client is used in OPNsense so the same concepts should apply.
If you log into your OPNsense router via SSH, you can run the following command:
You should receive an output similar to the following:
The documentation does not state this, but I am assuming than an incorrect configuration would result in resolution of the domain name to fail. I am also assuming that if it resolves correctly, it is correctly using DNS over HTTPS to resolve the domain name and not using an unencrypted DNS service instead. I wish the documentation was more clear so that I can be assured DoH is configured properly.
I have noticed that if I try testing if DoH works with Cloudflare using their test site, it does not seem to properly detect that DoH is configured properly. I am thinking it is due to how I have my DNS set up in my home network. Since I am using Pi-hole which forwards to Unbound DNS on my OPNsense router and Unbound forwards to DNSCrypt-proxy which is also on my OPNsense router, I suspect that it may seem to Cloudflare that I am not using DoH because by the time the DNS response reaches my devices, it is no longer encrypted on my internal network. The clients in my network are not getting a direct response back from the Cloudfare DNS servers like it would if the web browser itself is configured to use DoH.
To test this theory, I set up Firefox to use DoH and it passed the tests. I feel fairly certain that the Cloudflare test will not work for my network-wide DoH configuration since DoH is not used in the internal network – only on the edge of the network on my router. For my purposes, I am ok with DNS being unencrypted internally and only encrypting all external DNS requests. It makes it easier to inspect the DNS traffic going through my network, and I can still benefit from DoH since the external DNS lookups are encrypted. Keep in mind that ISPs will still be able to see the IP addresses of where you visit, but it will be harder for them to track exactly where you are going since multiple websites can be hosted via the same IP address.
Temporarily Turn Off DNSCrypt-Proxy
One quick way to determine if your DNS lookups are being “leaked” out of your network is to turn off DNSCrypt-proxy after you have it configured properly. When you shut it down, all DNS lookups should fail when trying to open a website, for instance. Once you re-enable it, you should be able to resolve domain names again. If the DNS lookups are being leaked out of your network, you would still be able to access websites, etc. on your network. If that is the case, it means your devices are using an alternate DNS server to perform lookups.
In OPNsense, you can stop a service from running by going to the Lobby > Dashboard. You should be able to see that the DNSCrypt-Proxy service is running and be able to click the “Stop” button. You can also click the “Play” button to start the service again.
Packet Capture and Examine Outgoing Packets using Wireshark
One last thing you could try if you are super paranoid and/or more technical is to do a packet capture to ensure no DNS port 53 traffic is leaking out of your network. The only exception of unencrypted DNS traffic may be the fallback DNS server that is specified in the DNSCrypt-proxy settings, but that should only be used to get the IP’s of other DNS resolvers. However, if that is happening, it could indicate that there is some configuration issue since the documentation states that the fallback server is only used when the normal means for obtaining the IP addresses of the DNS resolvers fail. OPNsense provides a mechanism to do a packet capture from the web GUI, but you will need an application like Wireshark to analyze the packets. At the time of this writing, I have not attempted to do so, but I wanted to mention this possibility for those who are technically curious (but if you are that technical, you likely do not need me to mention this possibility).
China uses DNS spoofing to block access to websites and prevent connections to VPN servers. This can be prevented by securing your DNS with DNSCrypt.
What is DNS?
DNS stands for Domain Name Systems. It is like a “phonebook for the internet”.
When you use the internet, you do so through domain names. For example, the domain name of this website is tipsforchina.com. While humans use domains names, computer networks use IP addresses. DNS is the system that converts domain names into IP addresses.
What is DNS spoofing?
DNS spoofing (also known as DNS poisoning) is one of the methods that China uses to censor the internet. This happens when a DNS query returns the incorrect IP address for the website or service you are trying to access. The problem with standard DNS requests is that they are sent in plain text (without encryption). So even if you use custom DNS servers (Google, Cloudflare, etc) instead of your ISP DNS servers, DNS spoofing will still happen.
Here is an example.
When I ping the domain name openvpn.net in China, my DNS request returns the IP address 66.220.149.18.
However, this is not the real IP address for the openvpn.net website. In fact, this IP address belongs to Facebook. This kind of DNS spoofing often returns IP addresses that belong to Facebook and Twitter, which are blocked IPs (more on this later).
How does DNSCrypt work?
DNSCrypt is a protocol that prevents DNS spoofing by encrypting and authenticating the communications between a DNS server and client.
Here is the result of my ping to the openvpn.net server after installing Simple DNSCrypt on my computer.
This time, the correct IP address for the openvpn.net domain name is returned.
Can DNSCrypt be used to access blocked websites in China without a VPN?
Usually not, but sometimes.
Unfortunately, DNS spoofing is not the only method that China uses to block websites. The other method is IP blocking. So even if your DNS request returns the correct IP address, the IP address itself will likely be blocked anyway.
You certainly won’t be able to access Google, Facebook, Twitter, or other major websites with well known IP ranges. To get full access to all websites and services, you need to use a VPN service that works well in China.
Having said that, there are a few blocked websites that you can access without a VPN by using DNSCrypt. These are mostly smaller websites that are probably not worth the time of the censors to keep up with blocking their IP addresses.
Dnscrypt Client
At the time of writing this article, I was able to access the following websites in China without a VPN by using DNSCrypt (this may be subject to change if the IP addresses of these sites get blocked in the future).
OpenVPN (VPN software for the OpenVPN protocol)
Duck Duck Go (privacy focused search engine)
Tor Project (download page for the Tor browser)
Surfshark (main website of Surfshark VPN)
VPN.ac (main website of VPN.ac)
What else can DNSCrypt be used for?
Dnscrypt Client Mac
The main advantage of DNSCrypt is that it can help with connecting to a VPN. VPN servers often use hostnames (similar to domain names) instead of IP addresses in the configuration files.
For example, I was unable to connect to a certain Surfshark VPN server when using the manual OpenVPN config with the OpenVPN app because the DNS request for the server name was not returning the correct IP. After enabling DNSCrypt, I was able to connect successfully.
As in the case with accessing websites, your mileage may vary with this trick. Often, when you can’t connect to a VPN server, the IP address of that server is IP blocked. But sometimes only the hostname used to look up the IP is blocked.
How to install Simple DNSCrypt on Windows
DNSCrypt is just a protocol, not a specific software. There are various software implementations for different platforms. The easiest client implementation for Windows is Simple DNSCrypt.
If you use Mac, you can check the list of DNSCrypt client implementations and try one that supports Mac.
After installing Simple DNSCrypt for Windows, you can launch the application and enable these 2 settings.
Turn on the switch to enable the DNSCrypt Service and then click on your Network card (WiFi or LAN) at the bottom.
I suggest leaving the other settings as default unless you know what you are doing.
If you want to disable DNSCrypt, make sure that you click on your network card again (WiFi or LAN) to disable the DNS settings for that card before you exit the application. Do not disable the DNSCrypt service and leave your network card selected. This will leave your network card DNS settings as 127.0.0.1 and cause your internet to stop working after the service is disabled.
DNSCrypt alternative for Android 9
Android 9 supports DNS over TLS, which is another kind of encrypted DNS system.
The specific steps to find this setting will depend on what phone you are using. For my Samsung Galaxy S8+, it can be found here.
Settings > Connections > More connection settings > Private DNS
Select Private DNS provider hostname and then enter the hostname for a DNS provider that supports DNS over TLS. For example, 1dot1dot1dot1.cloudflare-dns.com or dns.quad9.net.