10 step dnscrypt-proxy V2 install
Easy to install script now available.
Download the script, unzip, change permissions to execute, and install.
Download the script here
*Warning* Be sure to edit the following file - /etc/config/dnscrypt-proxy.toml
Change the listening address to the following value --- listen_addresses = ['127.0.0.1:5300']
If you have never used this script before or have never used dnscrypt-proxy Version 2 before, you can ignore this warning.
Manual Installation steps
What is dnscrypt-proxy version 2? Dnscrypt-proxy version 2 is a program that encrypts name resolution requests and sends those encrypted requests to dns servers to resolve to an IP address.
Why do I want to use dnscrypt-proxy version 2? One word: "Privacy". It is well known that ISPs, and others, have been cashing in "$" by using tools which allow them to monitor users' Internet habits and sell those habits to 3rd parties.
*NOTE* There are many different ways to do this. The instructions below are just one way.
Another resource though some steps are different -- https://github.com/jedisct1/dnscrypt-proxy/wiki/Installation-on-OpenWRT
These configuration steps assume clients on your network are going to your router for dns resolution. After following the below configuration steps, each client will send regular dns requests to the router on port 53 as it normally would, from there the router will forward these requests to 127.0.0.1 on port 5300. Dnscrypt-proxy version 2 will be listening on port 5300, and send those requests to CloudFlare's dns servers. The dns responses will be sent back to your clients in a normal fashion. I've found CloudFlare's DNS servers to be very fast.
The dnscrypt-proxy version 2 configuration file is set up to load balance between CloudFlare's two dns servers 220.127.116.11 and 18.104.22.168.
If the two CloudFlare DNS servers become unavailable, google dns 22.214.171.124 is the configured fallback.
IPV6 is disabled.
This is a basic configuration. No Cloaking, Suspicious queries, Pattern Blocking (blacklists), or Whitelists have been configured.
Assumes ca-bundle is already installed. If using davidc502 build, ca-bundle is already installed, so no need to do anything.
1. Uninstall the default dnscrypt-proxy Version 1. Assumes you have dnscrypt-proxy Version 1 installed (You will uninstall this version below from Command Line.)
opkg remove --autoremove luci-app-dnscrypt-proxy
2. Download the dnscrypt-proxy version 2 package securely from dc502wrt.org via command line.
a. change directory to /tmp
b. get the dnscrypt-proxy package and download it to /tmp, uncompress, untar and delete the old .tar. Copy and run the line below.
wget https://dc502wrt.org/releases/dnscrypt-proxy.tar.gz ; gunzip -d dnscrypt-proxy.tar.gz ; tar xvf dnscrypt-proxy.tar ; rm -f dnscrypt-proxy.tar
3. Don't forget to Kill the current dnscrypt-proxy version 1 process if it is running.
4. Copy dnscrypt-proxy to /usr/sbin/ and make sure it is executable
cp /tmp/dnscrypt-proxy/dnscrypt-proxy /usr/sbin/ ; chmod 755 /usr/sbin/dnscrypt-proxy
5. Copy dnscrypt-proxy.toml to /etc/config/
cp /tmp/dnscrypt-proxy/dnscrypt-proxy.toml /etc/config/
6. Copy the init script and change permissions to 755.
cp /tmp/dnscrypt-proxy/init.d/dnscrypt-proxy /etc/init.d/ ; chmod 755 /etc/init.d/dnscrypt-proxy
7. In Luci Forward DNS requests to 127.0.0.1#5300. In DNS/DHCP configuration, under General Settings, add a forward to 127.0.0.1#5300 and save.
8. By this point everything should be in place to do a test. Look for errors, but at this point it should come back successfully.
dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -check
9. Enable and start new dnscrypt-proxy version 2
10. From command line check to make sure resolution is working. Also, check one of your clients and make sure you can get to a webpage or run the nslookup command.
dnscrypt-proxy -resolve google.com
If all is good then enjoy. Just remember the next sysupgrade will not have dnscrypt-proxy version 2 installed, and some of the above steps will need to be followed again.
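The following check is an added example, not part of the original guide or of the dnscrypt-proxy project. It verifies the layout the ten steps produce: both files executable, listen_addresses set to ['127.0.0.1:5300'] as the warning at the top requires, and the dnsmasq forward from step 7. The function names are hypothetical, and it assumes LuCI stores that forward in /etc/config/dhcp as a "list server" entry.

```sh
#!/bin/sh
# Added example, not from the guide: checks the layout the ten steps produce.
# Function names are hypothetical. Assumption: LuCI stores the step 7 forward
# in /etc/config/dhcp as "list server '127.0.0.1#5300'".

# True only if the active (uncommented) listen_addresses is ['127.0.0.1:5300'].
toml_listen_ok() {
    line=$(grep -E '^[[:space:]]*listen_addresses[[:space:]]*=' "$1" 2>/dev/null | head -n 1)
    [ -n "$line" ] || return 1
    # Drop the key, any trailing comment, then whitespace and quotes.
    value=$(printf '%s\n' "$line" | sed -e 's/^[^=]*=//' -e 's/#.*$//' | tr -d "[:space:]\"'")
    [ "$value" = "[127.0.0.1:5300]" ]
}

# True if dnsmasq is configured to forward to the proxy on 127.0.0.1#5300.
dnsmasq_forward_ok() {
    grep -Eq "^[[:space:]]*list[[:space:]]+server[[:space:]]+['\"]?127\.0\.0\.1#5300['\"]?[[:space:]]*\$" "$1" 2>/dev/null
}

# check_install [ROOT]: ROOT is an optional path prefix (empty on the router).
check_install() {
    root=${1:-}
    rc=0
    for f in /usr/sbin/dnscrypt-proxy /etc/init.d/dnscrypt-proxy; do
        [ -x "$root$f" ] || { echo "FAIL $f is missing or not executable"; rc=1; }
    done
    toml_listen_ok "$root/etc/config/dnscrypt-proxy.toml" ||
        { echo "FAIL listen_addresses is not ['127.0.0.1:5300']"; rc=1; }
    dnsmasq_forward_ok "$root/etc/config/dhcp" ||
        { echo "FAIL no dnsmasq forward to 127.0.0.1#5300"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK layout matches the guide"
    return "$rc"
}

# Run on the router as: sh check-dnscrypt.sh --check
if [ "${1:-}" = "--check" ]; then
    check_install
fi
```

Because a sysupgrade removes dnscrypt-proxy version 2, the same check can be rerun after repeating the steps to confirm nothing was missed.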