dns/dnscrypt-proxy: Fix ODoH servers not working
Adding the dnscrypt variable "odoh_servers" to make dnscrypt work with ODoH relay and target servers.
Referring to:
- https://github.com/opnsense/plugins/issues/3783
- https://github.com/opnsense/plugins/pull/3810
- https://github.com/opnsense/plugins/issues/4367
This is my first ever fork and pull request, so bear with me. :)
BTW, so far so good. Thanks for doing this 😊
I patched my 5 commits to my local OPNsense, but it still doesn't seem to work.
I conducted these tests:
- "Use Oblivious-DNS-over-HTTPS Servers" disabled, Server List empty, Relay List empty -> Works (expectedly)
- "Use Oblivious-DNS-over-HTTPS Servers" enabled, Server List empty, Relay List empty -> Works (unexpectedly)
- "Use Oblivious-DNS-over-HTTPS Servers" enabled, Server List filled with "odoh-crypto-sx", Relay List empty -> Doesn't work (expectedly)
- "Use Oblivious-DNS-over-HTTPS Servers" enabled, Server List filled with "odoh-crypto-sx", Relay List filled with "odohrelay-crypto-sx" -> Doesn't work (unexpectedly)
Something must still be missing. @ilikenwf do you have any idea?
Edit: I found the problem: the dnscrypt ODoH server and relay lists are not yet added to the dnscrypt-proxy.toml file. Trying to figure out if I can add these.
Yay, ODoH is finally working! Tested using odoh-crypto-sx and odohrelay-crypto-sx.
[2024-11-30 15:25:45] [NOTICE] dnscrypt-proxy is ready - live servers: 1
[2024-11-30 15:25:45] [NOTICE] Server with the lowest initial latency: odoh-crypto-sx (rtt: 45ms)
[2024-11-30 15:25:45] [NOTICE] [odoh-crypto-sx] OK (ODoH) - rtt: 45ms
[2024-11-30 15:25:38] [NOTICE] Anonymizing queries for [odoh-crypto-sx] via [odohrelay-crypto-sx]
[2024-11-30 15:25:32] [NOTICE] Loading the set of forwarding rules from [forwarding-rules.txt]
[2024-11-30 15:25:32] [NOTICE] Loading the set of cloaking rules from [cloaking-rules.txt]
[2024-11-30 15:25:32] [NOTICE] Firefox workaround initialized
[2024-11-30 15:25:32] [NOTICE] Loading the set of allowed names from [whitelist.txt]
[2024-11-30 15:25:32] [NOTICE] Anonymized DNS: routing everything via [odohrelay-crypto-sx]
[2024-11-30 15:25:32] [NOTICE] Source [odoh-relays] loaded
[2024-11-30 15:25:32] [NOTICE] Source [odoh-servers] loaded
[2024-11-30 15:25:32] [NOTICE] Source [relays] loaded
[2024-11-30 15:25:32] [NOTICE] Source [public-resolvers] loaded
[2024-11-30 15:25:32] [NOTICE] Now listening to 0.0.0.0:53 [TCP]
[2024-11-30 15:25:32] [NOTICE] Now listening to 0.0.0.0:53 [UDP]
[2024-11-30 15:25:32] [NOTICE] Network connectivity detected
[2024-11-30 15:25:32] [NOTICE] dnscrypt-proxy 2.1.5
I don't know why, but even if ODoH is checked and no target and relay servers are entered manually, other servers still seem to work.
Maybe somebody else wants to test this also. I also noticed "Require DNSSEC" even works when the relay doesn't support it, so it just applies to the target server.
So what are the next steps, can this be merged now or did I miss anything?
Can the minisign_key not be hardcoded? Depending on what that key is used for, having it hardcoded and not unique per instance would be a security issue, so that would need to be fixed.
Just seen the docs for it, and they say to use that key, so all good on that front.
Merged, thanks!