Feature #9315
open
Add Package: dnscrypt-proxy
Added by neo b. almost 6 years ago.
Updated over 3 years ago.
Category: New Package Request
Description
Hi all,
I've lately been manually installing the awesome GitHub project by jedisct1, named dnscrypt-proxy, which is "A flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2 and DNS-over-HTTPS."
https://github.com/jedisct1/dnscrypt-proxy
It would be a useful addition to the official pfSense package repo. I believe it is much needed and would be used by many. By default (an option) the project remotely maintains a list of public DNS IPs that support DNSCrypt v2, DoH (DNS-over-HTTPS), and DNSSEC; it automatically updates the list locally and has an option to use the top 2 lowest-latency servers.
- Category set to New Package Request
And Nginx can be used as a DoH server with a common DNS server as upstream, which can be the localhost unbound server. One minus here is that Nginx is used for the pfSense web control panel, which is better isolated from non-management VLANs. So if DoH is implemented in Nginx, I think it needs to have:
- option to enable/disable DoH
- option to choose interface and port (it must be mandatory that DoH is not in the same nginx server section as the pfSense web configurator)
- option to enable/disable SSL (need to test whether it is possible to run DoH in nginx without SSL; I don't know if this is possible)
- option to choose SSL certificate
- disable logging for requests to DoH in Nginx, as they are better logged at unbound.
I think it will be enough for any use case.
Why do I mention an option to disable SSL?
- For example, if someone is using HAProxy or the Squid reverse proxy, in most cases they already have SNI on HTTPS port 443 and a valid SSL certificate for the pfSense IPs, so they can do SSL offloading for nginx, which can be bound to 127.0.0.1 on a plain custom port like 8090.
In case SSL is mandatory for DoH in Nginx, then HAProxy users can check on the backend that the server has SSL enabled; yes, there will be SSL encryption twice.
According to "DNSCrypt Options" at https://nlnetlabs.nl/documentation/unbound/unbound.conf/ it seems DNSCrypt in unbound only supports unbound acting as a DNSCrypt server. It does not support upstream resolving of names. You would still need dnscrypt-proxy to be able to forward name resolving to an upstream DNSCrypt server.
It's not possible to anonymize communications between a DNS client (pfSense) and an upstream DNS resolver without the use of dnscrypt-proxy. Normal DoH servers will know who asked for what.
In dnscrypt we are able to encrypt, authenticate and optionally anonymize.
Please add dnscrypt-proxy to the official pfSense package repository :)
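As an added example, not from this request or from the dnscrypt-proxy project itself, here is a dnscrypt-proxy.toml fragment that puts the options discussed in this thread together: the remotely maintained, signature-checked resolver list, the lowest-latency load-balancing strategy, DNSSEC-only resolvers, anonymized relays, and a local DoH listener on its own address and certificate, which is one way to get the DoH front end proposed above without sharing the nginx instance that serves the web configurator. The key names are the project's own; every address, file path and relay name is a constructed placeholder, the minisign key must be copied from the project's example configuration, and that the packaged version is recent enough to carry the `[local_doh]` section is an assumption.

```toml
# Added example (not from the request or the project): a dnscrypt-proxy.toml
# fragment. Addresses, paths and relay names are constructed placeholders; the
# minisign keys must be copied from the project's example configuration.

# Listen only on loopback: unbound (or the DNS forwarder) forwards here,
# LAN clients never talk to dnscrypt-proxy directly.
listen_addresses = ['127.0.0.1:5353']

# Policy filters applied to the downloaded resolver list.
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true          # DNSCrypt v2 resolvers
doh_servers = true               # DNS-over-HTTPS resolvers
require_dnssec = true            # keep only DNSSEC-validating resolvers
require_nolog = true             # keep only resolvers that claim not to log
require_nofilter = true          # keep only resolvers that do not filter

# An empty server_names list lets the filters above pick from the whole list;
# lb_strategy = 'p2' sends each query to one of the two lowest-latency resolvers.
server_names = []
lb_strategy = 'p2'
lb_estimator = true

# Do not depend on the system resolver to bootstrap the list download.
ignore_system_dns = true
fallback_resolvers = ['9.9.9.9:53']   # constructed bootstrap resolver; choose your own

# Remotely maintained resolver and relay lists, re-downloaded every 72 hours
# and verified against the list's minisign public key before they are used.
[sources]
  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'COPY-FROM-PROJECT-EXAMPLE-CONFIG'
  refresh_delay = 72
  prefix = ''

  [sources.'relays']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md']
  cache_file = 'relays.md'
  minisign_key = 'COPY-FROM-PROJECT-EXAMPLE-CONFIG'
  refresh_delay = 72
  prefix = ''

# Anonymized DNS: route every DNSCrypt query through a relay. The relay sees the
# client's IP but only ciphertext; the resolver sees the query but only the
# relay's IP. Relay names are placeholders; real ones come from relays.md.
[anonymized_dns]
routes = [
  { server_name = '*', via = ['anon-relay-one', 'anon-relay-two'] }
]
# Resolvers that cannot be relayed (DoH ones, for instance) are skipped instead
# of being queried directly, so no query silently bypasses the relay.
skip_incompatible = true

# Local DoH listener (assumption: the packaged release is recent enough to
# support it). It has its own address, port and certificate, separate from the
# nginx instance that serves the pfSense web configurator, and dnscrypt-proxy
# does the logging, so nothing needs to be logged at the HTTP layer.
[local_doh]
listen_addresses = ['192.0.2.1:8443']   # constructed LAN address, not the webConfigurator port
path = '/dns-query'
cert_file = '/usr/local/etc/dnscrypt-proxy/doh.pem'
cert_key_file = '/usr/local/etc/dnscrypt-proxy/doh-key.pem'
```

With this layout unbound keeps its own listener for the LAN and forwards to 127.0.0.1:5353, so the DoH front end and the upstream encryption live in one process with one set of logs. If an existing HAProxy or Squid front end is to terminate TLS in front of the `[local_doh]` listener, the hop between the two is still TLS, so the double encryption mentioned in the thread applies here as well; the trade-off is that the DoH listener never has to be exposed on the management interface.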