πŸ”’ How to Set Up DNSCrypt-Proxy on OPNsense | Protect & Encrypt Your DNS Traffic πŸ›‘οΈ

Author:

πŸ”’ Protect Your Network with Encrypted DNS Queries! This step-by-step tutorial will guide you through setting up DNSCrypt-Proxy on OPNsense, ensuring a secure, private, and leak-free DNS resolution. We’ll configure DNSCrypt-Proxy on port 15353 and [::1]:15353, integrate it with your firewall, and verify its functionality using a DNS leak test.

βœ… What You’ll Learn:
βœ”οΈ How to install and enable DNSCrypt-Proxy on OPNsense
βœ”οΈ Set up OPNsense to use 127.0.0.1:15353 and ::1:15353
βœ”οΈ Configure firewall rules to forward DNS queries to DNSCrypt-Proxy
βœ”οΈ Option 1: DNSCrypt as Secondary DNS Server
βœ”οΈ Option 2: DNSCrypt as Primary DNS Server
βœ”οΈ Perform a DNS leak test to ensure privacy

πŸ”§ Why Use DNSCrypt-Proxy?
DNSCrypt-Proxy encrypts your DNS traffic, preventing ISP tracking, DNS hijacking, and MITM attacks. If you’re serious about privacy and network security, this setup is a must-have!

Here is the video version of this written tutorial:

Prerequisites

  • An OPNsense firewall (latest version recommended)
  • Access to the OPNsense WebGUI
  • Basic networking knowledge

Step 1: Install DNSCrypt-Proxy on OPNsense

  1. Log into OPNsense WebGUI
    • Navigate to System > Firmware > Plugins.
    • Search for os-dnscrypt-proxy and install it.
  2. Enable DNSCrypt-Proxy
    • Go to Services > DNSCrypt-Proxy > Configuration > General Settings.
    • Check the Enable DNSCrypt-Proxy box.
    • Set the Listen Addresses to: 127.0.0.1:15353,[::1]:15353
    • Click Save & Apply.

Step 2: Configure OPNsense to Use DNSCrypt-Proxy

  1. Disable DNS server list to be overridden by DHCP/PPP on WAN
    • Navigate to Settings > General.
    • Uncheck Allow DNS server list to be overridden by DHCP/PPP on WAN.
    • Click Save & Apply.
  2. Ensure No DNS Servers are listed under DHCP
    • Navigate to ISC DHCPv4 > Select an Interface
    • Make sure No DNS Servers are listed under DHCP
  3. Enable DNSCrypt-Proxy
    • Go to Services > DNSCrypt-Proxy > Configuration > General
    • Set Set the Listen Addresses to: 127.0.0.1:15353,[::1]:15353
    • Check Use IPv4 Servers (Let DNSCrypt-Proxy use IPv4 enabled servers).
    • Check Use IPv6 Servers (Optional/Let DNSCrypt-Proxy use IPv6 enabled servers).
    • Check Use DNSCrypt Servers (Optional/Let DNSCrypt-Proxy use servers with DNSCrypt protocol enabled).
    • Check Use DNS-over-HTTPS Servers (Optional/Let DNSCrypt-Proxy use servers with DNS-over-HTTPS protocol enabled).
    • Check Require DNSSEC
    • Check Require NoLog
    • Check Require NoFilter (Only use DNS server without own blacklisting. There are many servers deleting ads or with parental control enabled).
    • Check Block IPv6 (Optional/Immediately respond to IPv6-related queries with an empty response. This makes things faster when there is no IPv6 connectivity.)
    • Check Cache (Enable a DNS cache to reduce latency and outgoing traffic).
    • Server List: let you choose your custom servers from the list of known servers.
    • Check Enable query logs (Optional, but recommended during the initial setup for troubleshooting purposes).
    • Click Save

Option 1: DNSCrypt as Secondary DNS Server

In this setup, Unbound DNS remains the primary DNS resolver and is responsible for filtering traffic (e.g., blocking ads, malware domains, or applying parental controls). DNSCrypt-Proxy acts as a secondary DNS resolver, providing an unfiltered and encrypted DNS option for devices that need it. This setup allows for flexibility, where most traffic is filtered while certain clients can bypass filtering by manually setting their DNS to DNSCrypt.

  1. Navigate to Firewall > Alias
    • Add a new alias
    • Name: Loopback_IPv4_IPv6
    • Type: Host(s)
    • Content: 127.0.0.1,::1
    • Description: Loopback IPv4+IPv6
  2. Navigate to Firewall > NAT > Port Forward
    • Add a new rule to Redirect external DNS requests to the local DNS resolver:
      • Interface: Select interface(s) that you want to redirect DNS queries to DNS-Crypt (e.g., VLAN20_GAME)
      • TCP/IP Version: IPv4+IPv6
      • Protocol: TCP/UDP
      • Destination: Interface_Name net (e.g., VLAN20_GAME net)
      • Destination port range: DNS to DNS
      • Redirect target IP:
        • Loopback_IPv4_IPv6
        • Redirect target port:
          • Other
          • 15353
        • Description: Redirect external DNS requests to local DNS resolver
        • Click Save & Apply.

Option 2: DNSCrypt as Primary DNS Server


This is the most balanced approach, allowing Unbound DNS to handle local domain resolution while securely forwarding external queries to DNSCrypt-Proxy for encryption. This ensures that local devices can communicate using their hostnames, while external traffic is securely encrypted. This configuration provides the best of both worldsβ€”privacy, encryption, and local DNS resolution.

  1. Go to Services > Unbound DNS > General
    • Ensure Enable Unbound DNS is checked.
    • Under Network Interfaces, select All or LAN/VLANs.
    • Enable DNS Query Forwarding.
      • Navigate to Services > Unbound DNS > Query Forwarding
      • Uncheck Use System Nameservers
      • Add Server:
        • Server IP: 127.0.0.1
        • Server Port: 15353
        • Description: Forward DNS requests over IPv4 to DNS-Crypt
        • Server IP: ::1
        • Server Port: 15353
        • Description: Forward DNS requests over IPv6 to DNS-Crypt
      • Disable/Delete DNS over TLS (as DNS over TLS will be preferred).
    • Click Save & Apply

DNS Leak Test

  1. Go to https://browserleaks.com/dns
  2. If DNSCrypt-Proxy works correctly, it should show the resolver(s) you selected in DNSCrypt settings (i3D.net B.V is Quad9 server in this example).

Best Practices

  • Use Reliable DNS Resolvers
    • In Services > DNSCrypt-Proxy > Resolvers, choose trusted providers like Cloudflare, Quad9, or OpenDNS.
  • Enable DNS Query Logging (for debugging)
    • Go to Services > DNSCrypt-Proxy > Logging and enable it.
  • Monitor DNS Traffic
    • Use System > Log Files > DNSCrypt-Proxy to check logs.

With these steps, you should have a fully encrypted DNS setup using DNSCrypt-Proxy on OPNsense, protecting your network from DNS leaks and improving privacy. πŸš€

#OPNsenseVLAN #VLANSetup #OPNsenseFirewall #NATConfiguration #WiFiVLAN #SecureNetwork #NetworkSecurity #OPNsenseConfig #FirewallRules #NetworkSetup #GuestWiFi #VLANNetworking #CyberSecurity #ITNetworking #StepByStepGuide #OPNsenseTutorial #TechGuide #NetworkingTips #WiFiSetup #VLANConfiguration #SysAdmin #Networking #Cybersecurity

πŸ’™ Want to support my channel? Check out ways to help here:

Ways to support my channel
Categories: Firewall, OPNsense
Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Translate Β»