Add Package: dnscrypt-proxy
I've lately been manually installing the awesome GitHub project by jedisct1, named dnscrypt-proxy, which is "A flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2 and DNS-over-HTTPS."
It would be a useful addition to the official pfSense package repo. I believe it is much needed and would be used by many. By default (an option), the project remotely maintains a list of public DNS IPs that support DNSCrypt v2, DoH (DNS-over-HTTPS), and DNSSEC; it automatically updates the list locally and has an option to use the top 2 lowest-latency servers.
#2 Updated by Carlo Hoffmann 10 months ago
The package 'unbound', used by FreeBSD, supports and uses DNSCrypt from version 1.9.1.
FreeBSD 12.0 only includes unbound in version 1.8.1.
#3 Updated by DRago_Angel [InV@DER] about 2 months ago
- option to enable/disable DoH
- option to choose interface and port (it must be mandatory that DoH is not in the same nginx server section as the pfSense Web Configurator)
- option to enable/disable SSL (need to test whether it is possible to run DoH in nginx without SSL; I don't know if this is possible)
- option to choose ssl certificate
- disable logging of requests to DoH in nginx, as they will be logged better at unbound.
I think it will be enough for any use case.
Why do I speak about an option to disable SSL?
- For example, if someone is using HAProxy or a Squid reverse proxy, he in most cases already has SNI on HTTPS port 443 and a valid SSL certificate for the pfSense IPs, so he can do SSL offloading of nginx, which can be bound to 127.0.0.1 with a plain custom port like 8090.
In case DoH in nginx must be with SSL, then HAProxy users can check on the backend that the server has SSL enabled; yes, there will be SSL encryption twice.