-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
FAQ dnscrypt proxy
dnscrypt-proxy is a DNS proxy that implements the DNSCrypt and DNS-over-HTTPS (DoH) protocols
NOTE: This package is incompatible with the DNS server package from Synology!
For the NAS devices please follow the instructions here: https://synocommunity.com/. You will need to enable Beta packages in the Package Center to find it.
On routers you need to download the spk file for the correct architecture. The spk files can be found here: https://synocommunity.com/package/dnscrypt-proxy. Development builds are here: https://github.com/publicarray/spksrc/releases. Next you need to change the trust level in your Package Center settings to Any publisher
. If you have the know how I suggest unzipping and inspecting the scripts inside of the spk file. This is to make sure that there is nothing malicious going on. Finally click the 'Manual Install' button in the Package Center and Install the spk file.
- RT2600ac = ipq806x
- RT1900ac = northstarplus
- Both + MR2200ac = armv7-1.2
- IPv6 Servers: Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
-
Server Names: List of servers to use. If empty, all registered servers matching the
require_*
filters will be used, The proxy will automatically pick the fastest, working servers from the list.
- Generate Blacklist: will fetch provided lists and update the var/blacklist.txt file using the generate-domains-blacklist.py script
- Save: Saves the file to disk. You need to manually restart dnscrypt-proxy to apply changes
-
SRM 1.1
- Change
Network Center > Local Network > General > Primary DNS
to your router's IP address, you can leave the secondary blank. 2
- Change
-
SRM 1.2
- If you have Safe Access enabled in your router:
- Change
Network Center > Internet > Connection > DNS server
to your router's IP address. 1 - With SRM 1.2 and Safe Access enabled the router intercepts all DNS queries so the above setting is the networks sole DNS server. I assume it's done to prevent trivial bypasses of the routers security/parental controls (blocklists etc.) 4
- Change
- Without Safe Access you can use the same procedure from SRM 1.1:
- Change
Network Center > Local Network > General > Primary DNS
to your router's IP address, you can leave the secondary blank. 2
- Change
- If you have Safe Access enabled in your router:
-
DSM via DHCP 3
- Note this is an uncommon setup, usually your gateway is also your DHCP server.
- Go to
Control Panel > DHCP Server > Network Interface
- Select a network interface (e.g. LAN 1) to assign IP addresses to, and click
Edit
- On the pop-up window, click DHCP Server tab and change the Primary DNS to the NASs IP
Cloudflare has some good instructions on how to change your DNS settings to point to a custom DNS server. Instead of 1.1.1.1
you need to use your Synology's IP address. e.g. 192.168.1.1
Also see the dnscrypt-proxy wiki on the topic. Checking that your DNS traffic is encrypted and authenticated
To see which servers are resolving your queries you can visit dnsleaktest.com
If you prefer the command line you can use dig whoami.akamai.net
, drill resolver.dnscrypt.org
, kdig txt whoami.v4.powerdns.org
, kdig txt whoami.v6.powerdns.org
or nslookup whoami.ultradns.net
to find out which resolver is currently in use.
Using the output the SERVER
should be the IP address of the device running dnscrypt-proxy. The IP address in the ANSWER SECTION
should be your preferred DNS resolver. Note that on anycast networks like 1.1.1.1
or 8.8.8.8
the IPs will differ and can checked by the ASN
Example:
$ drill whoami.akamai.net
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 12996
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; whoami.akamai.net. IN A
;; ANSWER SECTION:
whoami.akamai.net. 119 IN A 35.201.20.179
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 113 msec
;; EDNS: version 0; flags: ; udp: 4096
;; SERVER: 192.168.1.1
;; WHEN: Wed Jun 20 20:43:26 2018
;; MSG SIZE rcvd: 79
- Here the
SERVER
is192.168.1.1
. Which so happens to be my gateway and the device running dnscrypt-proxy. - The
ANSWER SECTION
has one of my chosen servers IP address:35.201.20.179
If the selected DNS servers support DNSSEC you can test it here.
If you like to run some more tests: https://github.com/publicarray/dns-resolver-infra/wiki/DNS-Tests
If you find an issue with this package please mention me (@publicarray
).
- Home
-
Packages
- Adminer
- Aria2
- Beets
- BicBucStriim
- Borgmatic
- cloudflared
- Comskip
- Debian Chroot
- Deluge
- Duplicity
- dnscrypt-proxy
- FFmpeg
- FFsync
- Flexget
- Gstreamer
- Google Authenticator
- Home Assistant Core
- Jellyfin
- Kiwix
- [matrix] Synapse homeserver
- MinIO
- Mono
- Mosh
- Mosquitto
- Node-Exporter
- Radarr/Sonarr/Lidarr/Jackett
- SaltStack
- SickBeard Custom
- SynoCLI-Disk
- SynoCLI-Devel
- SynoCLI-File
- SynoCLI-Kernel
- SynoCLI-Misc.
- SynoCLI-Monitor
- SynoCLI-NET
- Synogear
- Concepts
- Development
- Resources