Feature #9315

Add Package: dnscrypt-proxy

Added by neo b. over 1 year ago. Updated 4 months ago.

New Package Request

Hi all,

I've lately been manually installing the awesome GitHub project by jedisct1 named dnscrypt-proxy, which is "A flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2 and DNS-over-HTTPS."

It would be a useful addition to the official pfSense package repo. I believe it is much needed and would be used by many. By default (an option) the project remotely maintains a list of public DNS IPs that support DNSCrypt v2, DoH (DNS-over-HTTPS), and DNSSEC; it automatically updates the list locally and has an option to use the top 2 lowest-latency servers.


#1 Updated by Jim Pingle about 1 year ago

  • Category set to New Package Request

#2 Updated by Carlo Hoffmann about 1 year ago

The package 'unbound', used by FreeBSD, supports and uses DNSCrypt from version 1.9.1.

FreeBSD 12.0 only includes unbound in version 1.8.1.

#3 Updated by DRago_Angel [InV@DER] 4 months ago

And Nginx can be used as a DoH server with a common DNS server as upstream, which can be a localhost unbound server. One minus here is that Nginx is used for the pfSense web control panel, which is better isolated from non-management VLANs. So if DoH is implemented in Nginx, I think it needs to have:
  1. an option to enable/disable DoH
  2. an option to choose interface and port (this must be mandatory, so that DoH is not in the same nginx server section as the pfSense Web Configurator)
  3. an option to enable/disable SSL (need to test if it is possible to run DoH in nginx without SSL; I don't know if this is possible)
  4. an option to choose the SSL certificate
  5. disable logging for requests to DoH in Nginx, as they are better logged at unbound.

I think it will be enough for any use case.

Why do I talk about an option to disable SSL?
- For example, if someone is using HAProxy or Squid reverse proxy, in most cases they already have SNI on the HTTPS 443 port and a valid SSL certificate for the pfSense IPs, so they can do SSL offloading to nginx, which can be bound to a plain custom port like 8090.
If DoH in Nginx is mandatory with SSL, then HAProxy users can check on the backend that the server has SSL enabled; yes, there will be SSL encryption twice.
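An added nginx configuration sketch of the layout described in this comment (example only, not pfSense or nginx project code): a DoH server block on its own interface and port, kept apart from the Web Configurator's block, with TLS terminated by nginx in one variant and left to an upstream HAProxy/Squid in the other. It assumes the resolver behind it accepts DoH itself on 127.0.0.1:8053 (for example unbound's `https-port`), because nginx only proxies HTTP and does not turn it into plain DNS; 192.0.2.10, the hostname and the certificate paths are placeholders.

```nginx
# Variant A: DoH on a dedicated interface/port, TLS terminated by nginx
# (items 2, 3 and 4 from the list above; item 5 = access_log off).
server {
    listen 192.0.2.10:8443 ssl http2;          # placeholder LAN address, not the GUI's 443
    server_name doh.example.internal;          # placeholder name

    ssl_certificate     /etc/ssl/doh/fullchain.pem;   # placeholder paths (item 4)
    ssl_certificate_key /etc/ssl/doh/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    access_log off;                            # queries are logged at the resolver instead
    error_log  /var/log/nginx/doh_error.log warn;

    location = /dns-query {
        limit_except GET POST { deny all; }    # RFC 8484 DoH only uses GET and POST
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        # Assumption: the resolver speaks DoH on this port (e.g. unbound https-port).
        proxy_pass https://127.0.0.1:8053/dns-query;
    }
    location / { return 404; }                 # nothing else is served on this vhost
}

# Variant B: TLS already offloaded by HAProxy or Squid (item 3 disabled).
# Plain HTTP on a custom port, bound to loopback so only the local proxy reaches it.
server {
    listen 127.0.0.1:8090;
    access_log off;

    location = /dns-query {
        limit_except GET POST { deny all; }
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_pass https://127.0.0.1:8053/dns-query;
    }
    location / { return 404; }
}
```

Variant B is the single-encryption case from the comment; with nginx bound to loopback, the traffic between the offloading proxy and nginx never leaves the host.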
