Skip to content
Sebastian Schmidt edited this page Apr 5, 2021 · 22 revisions

Introduction

dnscrypt-proxy is a DNS proxy that implements the DNSCrypt and DNS-over-HTTPS (DoH) protocols

Installation

NOTE: This package is incompatible with the DNS server package from Synology!

For the NAS devices please follow the instructions here: https://synocommunity.com/. You will need to enable Beta packages in the Package Center to find it.

On routers you need to download the spk file for the correct architecture. The spk files can be found here: https://synocommunity.com/package/dnscrypt-proxy. Development builds are here: https://github.com/publicarray/spksrc/releases. Next you need to change the trust level in your Package Center settings to Any publisher. If you have the know how I suggest unzipping and inspecting the scripts inside of the spk file. This is to make sure that there is nothing malicious going on. Finally click the 'Manual Install' button in the Package Center and Install the spk file.

  • RT2600ac = ipq806x
  • RT1900ac = northstarplus
  • Both + MR2200ac = armv7-1.2

Install

  • IPv6 Servers: Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
  • Server Names: List of servers to use. If empty, all registered servers matching the require_* filters will be used, The proxy will automatically pick the fastest, working servers from the list.

Configuration

GUI

  • Generate Blacklist: will fetch provided lists and update the var/blacklist.txt file using the generate-domains-blacklist.py script
  • Save: Saves the file to disk. You need to manually restart dnscrypt-proxy to apply changes

Change the default DNS Server for your network (via DHCP)

  • SRM 1.1

    • Change Network Center > Local Network > General > Primary DNS to your router's IP address, you can leave the secondary blank. 2
  • SRM 1.2

    • If you have Safe Access enabled in your router:
      • Change Network Center > Internet > Connection > DNS server to your router's IP address. 1
      • With SRM 1.2 and Safe Access enabled the router intercepts all DNS queries so the above setting is the networks sole DNS server. I assume it's done to prevent trivial bypasses of the routers security/parental controls (blocklists etc.) 4
    • Without Safe Access you can use the same procedure from SRM 1.1:
      • Change Network Center > Local Network > General > Primary DNS to your router's IP address, you can leave the secondary blank. 2
  • DSM via DHCP 3

    • Note this is an uncommon setup, usually your gateway is also your DHCP server.
    1. Go to Control Panel > DHCP Server > Network Interface
    2. Select a network interface (e.g. LAN 1) to assign IP addresses to, and click Edit
    3. On the pop-up window, click DHCP Server tab and change the Primary DNS to the NASs IP

Optional: Network devices configuration

Cloudflare has some good instructions on how to change your DNS settings to point to a custom DNS server. Instead of 1.1.1.1 you need to use your Synology's IP address. e.g. 192.168.1.1

Optional: Test that everything is working as expected.

Also see the dnscrypt-proxy wiki on the topic. Checking that your DNS traffic is encrypted and authenticated

To see which servers are resolving your queries you can visit dnsleaktest.com

If you prefer the command line you can use dig whoami.akamai.net, drill resolver.dnscrypt.org, kdig txt whoami.v4.powerdns.org, kdig txt whoami.v6.powerdns.org or nslookup whoami.ultradns.net to find out which resolver is currently in use.

Using the output the SERVER should be the IP address of the device running dnscrypt-proxy. The IP address in the ANSWER SECTION should be your preferred DNS resolver. Note that on anycast networks like 1.1.1.1 or 8.8.8.8 the IPs will differ and can checked by the ASN

Example:

$ drill whoami.akamai.net
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 12996
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; whoami.akamai.net.	IN	A

;; ANSWER SECTION:
whoami.akamai.net.	119	IN	A	35.201.20.179

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 113 msec
;; EDNS: version 0; flags: ; udp: 4096
;; SERVER: 192.168.1.1
;; WHEN: Wed Jun 20 20:43:26 2018
;; MSG SIZE  rcvd: 79
  • Here the SERVER is 192.168.1.1. Which so happens to be my gateway and the device running dnscrypt-proxy.
  • The ANSWER SECTION has one of my chosen servers IP address: 35.201.20.179

If the selected DNS servers support DNSSEC you can test it here.

If you like to run some more tests: https://github.com/publicarray/dns-resolver-infra/wiki/DNS-Tests

Author notice

If you find an issue with this package please mention me (@publicarray).

Clone this wiki locally