Add Package: dnscrypt-proxy
I've lately been manually installing the awesome GitHub project by jedisct1, named dnscrypt-proxy. Which is "A flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2 and DNS-over-HTTPS."
It would be a useful addition to the official pfSense package repo. I believe it is much needed and would be used by many. By default (an option) the project remotely maintains a list of public DNS IPs that support DNSCrpyv2, DoH (DNS-over-HTTPS), and DNSSEC, it automatically updates the list locally and has an option to use the top 2 lowest latency servers.
Updated by Carlo Hoffmann about 2 years ago
The package 'unbound', used by FreeBSD, supports and uses DNScrypt from version 1.9.1
FreeBSD 12.0 only includes unbound in version 1.8.1
Updated by DRago_Angel [InV@DER] over 1 year ago
- option to enable/disable DoH
- option to choose interface and port (this must be mandatory that DoH will be not same nginx server section as pfSense Web Configurator)
- option to enable/disable ssl (need to test if it possible to run DoH in nginx without ssl, doesn't know if this possible)
- option to choose ssl certificate
- disable logging for request to DoH in Nginx as they will be logged at unbound better.
I think it will be enough for any usecase.
Why I speak about option to disable ssl?
- For example if someone using HAproxy or Squid Reverse proxy he already in most cases has SNI on HTTPS 443 port and valid ssl certificate for pfSense Ips, so he can do SSL offloading of nginx which can be binded to 127.0.0.1 with plain custom port like 8090.
In case DoH in Nginx is mandatory to be with ssl then HAproxy users can check on backend that server has ssl enabled, yes - there will be ssl encryption twice.
According to "DNSCrypt Options" at https://nlnetlabs.nl/documentation/unbound/unbound.conf/ it seems the DNScrypt in unbound only support unbound to act as a dnscrypt server. It does not support upstream resolving of names. You would still need dnscrypt-proxy to be able to forward name resolving to an upstream dnscrypt server.
It's not possible to anonymize communications between a DNS client (pfsense) and an upstream DNS resolver without the use of dnscrypt-proxy. Normal DoH servers will know who asked for what.
In dnscrypt we are able to encrypt, authenticate and optionally anonymize.
Please add dnscrypt-proxy to the official pfsense package repository :)