Feature #9315


Add Package: dnscrypt-proxy

Added by neo b. over 4 years ago. Updated about 2 years ago.

New Package Request
Target version:
Start date:
Due date:
% Done:


Estimated time:
Plus Target Version:


Hi all,

I've lately been manually installing the awesome GitHub project by jedisct1, named dnscrypt-proxy. Which is "A flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2 and DNS-over-HTTPS."

It would be a useful addition to the official pfSense package repo. I believe it is much needed and would be used by many. By default (an option) the project remotely maintains a list of public DNS IPs that support DNSCrpyv2, DoH (DNS-over-HTTPS), and DNSSEC, it automatically updates the list locally and has an option to use the top 2 lowest latency servers.

Actions #1

Updated by Jim Pingle almost 4 years ago

  • Category set to New Package Request
Actions #2

Updated by Carlo Hoffmann over 3 years ago

The package 'unbound', used by FreeBSD, supports and uses DNScrypt from version 1.9.1


FreeBSD 12.0 only includes unbound in version 1.8.1

Actions #3

Updated by DRago_Angel [InV@DER] about 3 years ago

And Nginx can be used as DoH server with common DNS server as upstream which can be localhost unbound server. One minus here that Nginx used for pfSense Web Control panel which better to be isolated from non management VLAN. So if implement DoH in Nginx I think need to have:
  1. option to enable/disable DoH
  2. option to choose interface and port (this must be mandatory that DoH will be not same nginx server section as pfSense Web Configurator)
  3. option to enable/disable ssl (need to test if it possible to run DoH in nginx without ssl, doesn't know if this possible)
  4. option to choose ssl certificate
  5. disable logging for request to DoH in Nginx as they will be logged at unbound better.

I think it will be enough for any usecase.

Why I speak about option to disable ssl?
- For example if someone using HAproxy or Squid Reverse proxy he already in most cases has SNI on HTTPS 443 port and valid ssl certificate for pfSense Ips, so he can do SSL offloading of nginx which can be binded to with plain custom port like 8090.
In case DoH in Nginx is mandatory to be with ssl then HAproxy users can check on backend that server has ssl enabled, yes - there will be ssl encryption twice.

Actions #4

Updated by Idar Lund about 2 years ago

According to "DNSCrypt Options" at it seems the DNScrypt in unbound only support unbound to act as a dnscrypt server. It does not support upstream resolving of names. You would still need dnscrypt-proxy to be able to forward name resolving to an upstream dnscrypt server.

It's not possible to anonymize communications between a DNS client (pfsense) and an upstream DNS resolver without the use of dnscrypt-proxy. Normal DoH servers will know who asked for what.
In dnscrypt we are able to encrypt, authenticate and optionally anonymize.

Please add dnscrypt-proxy to the official pfsense package repository :)


Also available in: Atom PDF