Closed opnsenseuser closed 5 years ago
As I said in the forums ... I'm thinking (could take some time) :)
No problem. This plugin is really, really great 👍
OK, it might be a problem with your local DNS servers. Go to System : Settings : General ..., remove all DNS servers (make a backup before) and only use your LAN IP pointing at the NAT port forward you set. Then it reaches port 5353.
The problem is that I can't do this, because some other clients on another LAN interface (WLAN clients, iPad/iPhone) need the DNS servers. They don't use this plugin, because some apps like Facebook and banking sites do not work with the dnscrypt plugin. :-(
Why shouldn't they work? Then add the domain to forward and set 9.9.9.9 or whatever :)
I removed all DNS servers, saved the settings and did an Unbound service restart. Then I ran ipconfig /flushdns on my Windows client machine.
Result -> no difference. Same problem! :-(
By the way ... sometimes there is a huge latency when I open websites!
I set up transparent proxy at home, will test this evening ..
👍
@fichtner can you assign the issue to mimugmail? I do not have the right. Thx, regards, rene
With the next version you can run this plugin on port 53, so you can disable unbound and set localhost as the system resolver to let squid use it.
@mimugmail that is really great news. I will test this. Well done 👍
@opnsenseuser can you test please and close if it fits your need? :)
@mimugmail not all my clients should go by dnscrypt proxy. Some should use only Unbound! Is this also possible with this solution? And is there a howto available for this plugin?
Thx for your support! René
With transparent proxy this isn't possible, as only the proxy does DNS requests.
In the docs repo there is an open PR with a little documentation (also from a guy in the forums).
@mimugmail thx very much. I have clients that do not use a transparent proxy. For these clients, would it still be possible to use unbound instead of dnscrypt?
Where can I find the doc repos?
@opnsenseuser it heavily depends on how you use it. You can run Unbound on any interface, port 53, then you add a second loopback IP via Firewall : Virtual IPs : Alias, bind dnscrypt-proxy to it and set it as the system DNS (for transparent proxy). Then all your clients use Unbound and the system dnscrypt. Now you can start using NAT rules for the clients that should use dnscrypt to your loopback IP.
@mimugmail FYI (you may add a custom DNS server in the squid config): http://www.squid-cache.org/Doc/config/dns_nameservers/
@mimugmail I changed all the settings you said. I made a virtual IP, made a NAT rule to this IP, changed the alternative server in the transparent proxy settings to the virtual IP, and changed the dnscrypt IP to the virtual IP. But I get the same error if I try to nslookup 192.168.1.1 (my router) -> see my screenshot.
That's my "nat-rule" with the virtual IP:
That is the firewall rule for the interface:
These are the dnscrypt service settings:
These are the transparent proxy settings:
I do not know if I need this rule anymore?
@mimugmail @fabianfrz can you help me with these settings? Did I miss something?
I am not involved in any of these settings, so I'm out here (I have not developed nor used any of these settings).
@mimugmail any news on this?
@opnsenseuser you didn't bind dnsproxy to port 53, then it won't work ...
@mimugmail where do I have to configure this? Can you help me? Regards, rene
dnscrypt proxy, general, listen address 192.168.1.100:53 and set allow privileged ports ..
And localhost [::1]:53 too?
No, just this IP, and then set DNS for Squid to this IP. The clients which should use Unbound will stick to FW LAN IP port 53 ...
OK, and the NAT rule I posted above: forward 53 to 5353. Is this correct?
You told me that only some users need this rule, or others just have to use Unbound. The NAT rule is only to force dnscrypt for specific clients. You have to decide for which users it should be set.
Yes, i made a nat rule for Squid Proxy accecpt the noproxy Clients.
So, can you close this? Otherwise this would be a better fit for the forums, as dnscrypt is feature complete (besides blacklists).
@mimugmail the tool is one of my favorites. Works great and is easy to use. But it would be great if you could manage to get this plugin working with transparent proxy (Squid). Regards, rene