Setup DNSCrypt Proxy With Knot Resolver Kresd On FreeBSD

DNSCrypt is a protocol rather than a single program; it is implemented by separate pieces of software such as dnsdist, dnscrypt-wrapper, and dnscrypt-proxy. dnscrypt-proxy supports the modern encrypted DNS protocols DNSCrypt v2, DNS-over-HTTPS, and Anonymized DNSCrypt.

DNSCrypt-proxy is a flexible DNS proxy. It can be installed on almost any computer or router, on all common operating systems. Its ease of installation is what makes dnscrypt-proxy so popular: you can block unwanted content locally, find out where your devices are sending DNS queries, speed up applications by caching DNS responses, and improve security and privacy by talking to trustworthy DNS servers over an encrypted channel. Keep in mind that the encryption only protects the hop between your network and the upstream resolver; the operator of the resolver you pick still sees your queries in the clear.

In the previous video, the installation of DNSCrypt-proxy with Unbound and pfSense was explained. In this article we go through the DNSCrypt-proxy installation with Knot Resolver. DNSCrypt-proxy is used as the backend of the Knot Resolver DNS server: Knot Resolver (kresd) answers clients on port 53 and forwards every query to dnscrypt-proxy, which encrypts it on the way to the public resolvers.
Look at the image below.

1. System Specifications

OS: FreeBSD 13.2
IP address:
Hostname: ns3
Knot resolver version:  knot-resolver-5.7.0_1
DNSCrypt proxy version: dnscrypt-proxy2-2.1.5_2

2. Install DNSCrypt-Proxy

FreeBSD makes it easy to install DNSCrypt-proxy, because dnscrypt-proxy is in the official ports collection and package repository. You can install it either from ports or as a binary package with pkg. In this article we use the ports system.

If you manage the FreeBSD server from a Windows machine, open PuTTY, log in to the server, and type the following commands in the shell. "make config" shows the port options; the defaults are fine for this setup.
root@ns3:~ # cd /usr/ports/dns/dnscrypt-proxy2
root@ns3:/usr/ports/dns/dnscrypt-proxy2 # make config
root@ns3:/usr/ports/dns/dnscrypt-proxy2 # make install clean
After the installation completes, enable the service in rc.d so that DNSCrypt-proxy starts automatically. Edit the "/etc/rc.conf" file and add the lines below.

dnscrypt_proxy_enable="YES"
dnscrypt_proxy_conf="/usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml"

The first line is what makes the rc.d script start the daemon at boot; the second points it at the configuration file (this is already the port's default path, so it is optional but keeps the location explicit). The same entries can be added with "sysrc" instead of an editor. With these entries in "/etc/rc.conf", DNSCrypt-proxy starts every time the machine boots.

Next, edit the DNSCrypt-proxy configuration file in the "/usr/local/etc/dnscrypt-proxy" directory. Open "dnscrypt-proxy.toml" and change only the two settings below.

server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
listen_addresses = ['']

server_names restricts dnscrypt-proxy to the upstream resolvers you trust (names taken from its public-resolvers list). listen_addresses is the list of 'address:port' sockets the proxy answers on; the address is left blank here, but pick one on this host and a port other than 53, because Knot Resolver will own port 53 and the kresd configuration below forwards to port 5353. Leave every other setting at its default.

If you have finished configuring everything, perform the Restart command on DNSCrypt-proxy.
root@ns3:~ # service dnscrypt-proxy restart

3. Knot Resolver Configuration

In this article we will not explain the Knot Resolver installation process. If you need an explanation of the Knot Resolver installation, you can read our previous article.

The process of configuring "Knot Resolver" so that it can connect to the DNSCrypt-proxy server is very easy. You just need to change the basic configuration file of Knot Resolver which is "kresd.conf". Open the "/usr/local/etc/knot-resolver/kresd.conf" file and delete all the contents of the script then replace it with the script below.

-- Listen for clients on port 53 (the address is left blank in this article:
-- fill in the interface address kresd should answer on)
net.listen('', 53, { kind = 'dns' })

-- Load useful modules
modules = {
    'policy',                -- Forwarding and filtering rules
    'hints > iterate',       -- Allow loading /etc/hosts or custom root hints
    'serve_stale < cache',   -- Allows stale-ness by up to one day, after roughly four seconds trying to contact the servers
    'workarounds < iterate', -- Alters resolver behavior on specific broken sub-domains
    'predict',               -- Prefetch expiring/frequent records
    'stats',                 -- Track internal statistics
}

-- Internal zone names (the list is left empty in this article)
internal_domains = policy.todnames({
})

-- Answers for reverse queries about the subnet
-- are to be obtained from IP address port 5353 (dnscrypt-proxy)
-- or port 5053 (cloudflared-tunnel)
-- This disables DNSSEC validation !!!
-- STUB hands the whole query to dnscrypt-proxy and kresd does not validate
-- the answer itself, so the proxy and its upstreams are trusted for that.
-- Replace <dnscrypt-proxy address> with the address from listen_addresses
-- in dnscrypt-proxy.toml; this rule forwards every query to the proxy.
policy.add(policy.all(policy.STUB({'<dnscrypt-proxy address>@5353'})))

-- policy.add(policy.suffix(policy.PASS, {todname('')}))

-- Cache size
cache.size = 100 * MB

That completes the configuration for this article; restart Knot Resolver and DNSCrypt-proxy.
root@ns3:~ # service kresd restart
root@ns3:~ # service dnscrypt-proxy restart
The installation and configuration are complete. Your FreeBSD server now runs Knot Resolver, which forwards to the DNSCrypt-proxy server. Before pointing clients at it, check with "sockstat -l" that kresd is bound to port 53 and dnscrypt-proxy to the port you chose, and resolve a name through kresd with "drill" to confirm that answers come back.
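The three files edited above only work together if they point at each other: rc.conf has to enable both services, dnscrypt-proxy has to listen on exactly the address and port that the STUB rule in kresd.conf names, and neither daemon may sit on the other's socket. The checker below is an added example, not code from this article, from Knot Resolver or from dnscrypt-proxy; it parses the small pieces of each file the article touches and reports the wiring mistakes a practitioner actually makes (proxy left on its upstream default of port 53, forward rule pointing back at kresd, service not enabled). The sample inputs at the bottom are constructed, and the 127.0.0.1 / port 5353 values in them are assumptions, since the article leaves the address blank.

```python
"""Offline sanity check for the kresd -> dnscrypt-proxy chain.

Added example, not from the article or either project. Reads the parts of
rc.conf, dnscrypt-proxy.toml and kresd.conf the article edits and checks
that they point at each other. Sample inputs below are constructed.
"""
import ipaddress
import re

KRESD_PORT = 53  # kresd's own listener; the proxy must not be told to bind it


def parse_rc_conf(text):
    """Map name -> value for simple name="value" lines in /etc/rc.conf."""
    pat = r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?([^"\n]*)"?\s*$'
    return {m.group(1): m.group(2) for m in re.finditer(pat, text, re.M)}


def split_hostport(s):
    """'127.0.0.1:5353' -> ('127.0.0.1', 5353); '[::1]:5353' -> ('::1', 5353)."""
    host, _, port = s.rpartition(':')
    return host.strip('[]'), int(port)


def parse_listen_addresses(toml_text):
    """Pull the 'ip:port' strings out of listen_addresses = [...] (one-line form)."""
    m = re.search(r'^\s*listen_addresses\s*=\s*\[(.*)\]', toml_text, re.M)
    if not m:
        return []
    return [split_hostport(s.strip().strip('\'"'))
            for s in m.group(1).split(',') if s.strip()]


def parse_kresd_conf(lua_text):
    """Return (listeners, forward targets) found in a kresd.conf fragment."""
    listeners = [(h, int(p)) for h, p in
                 re.findall(r"net\.listen\(\s*'([^']*)'\s*,\s*(\d+)", lua_text)]
    targets = []
    for kind, target in re.findall(r"policy\.(STUB|FORWARD)\(\s*\{?\s*'([^']+)'", lua_text):
        host, _, port = target.partition('@')
        targets.append((kind, host, int(port) if port else KRESD_PORT))
    return listeners, targets


def check_chain(rc_conf, toml_text, kresd_conf):
    """Return (problems, notes); an empty problems list means the chain is wired up."""
    problems, notes = [], []
    rc = parse_rc_conf(rc_conf)
    for var in ("kresd_enable", "dnscrypt_proxy_enable"):
        if rc.get(var) != "YES":
            problems.append(f'{var}="YES" missing from rc.conf; service will not start at boot')
    proxy_listen = parse_listen_addresses(toml_text)
    if not proxy_listen:
        problems.append("dnscrypt-proxy.toml has no listen_addresses")
    kresd_listen, targets = parse_kresd_conf(kresd_conf)
    if not targets:
        problems.append("kresd.conf has no policy.STUB/FORWARD rule, so nothing reaches dnscrypt-proxy")
    for sock in proxy_listen:
        if sock in kresd_listen:
            problems.append(f"dnscrypt-proxy and kresd both bind {sock[0]}:{sock[1]}")
    for kind, host, port in targets:
        if (host, port) not in proxy_listen:
            problems.append(f"kresd forwards to {host}@{port} but dnscrypt-proxy does not listen there")
        if (host, port) in kresd_listen:
            problems.append(f"kresd forwards to its own listener {host}:{port} (query loop)")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            problems.append(f"forward target {host!r} is not an IP literal; kresd needs one")
            continue
        if not (addr.is_loopback or addr.is_private):
            problems.append(f"forward target {host} is not loopback/private: plaintext hop to the proxy")
        if kind == "STUB":
            notes.append(f"STUB to {host}@{port}: kresd does no DNSSEC validation, the proxy is trusted for it")
    return problems, notes


# Constructed sample inputs (not from a real host); address/port are assumptions.
GOOD_RC_CONF = '''
kresd_enable="YES"
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_conf="/usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml"
'''
GOOD_TOML = '''
server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
listen_addresses = ['127.0.0.1:5353', '[::1]:5353']
'''
GOOD_KRESD = '''
net.listen('127.0.0.1', 53, { kind = 'dns' })
policy.add(policy.all(policy.STUB({'127.0.0.1@5353'})))
'''
# Same setup, but the proxy was left on its upstream default of port 53:
# it collides with kresd and kresd's forward rule points back at itself.
BAD_TOML = GOOD_TOML.replace("5353", "53")
BAD_KRESD = GOOD_KRESD.replace("@5353", "@53")

if __name__ == "__main__":
    for label, args in (("good", (GOOD_RC_CONF, GOOD_TOML, GOOD_KRESD)),
                        ("bad", (GOOD_RC_CONF, BAD_TOML, BAD_KRESD))):
        problems, notes = check_chain(*args)
        print(label, "problems:", problems, "notes:", notes)
```

On the server itself you would feed check_chain the real files (open("/etc/rc.conf").read() and so on) instead of the constructed strings; the regexes only understand the one-line forms shown in this article, not arbitrary TOML or Lua, which is deliberate so the script has no dependencies beyond the standard library.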

You now have a local resolver, Knot Resolver, that answers your clients, and a DNSCrypt-proxy client behind it that carries every query to the public DNSCrypt or DNS-over-HTTPS resolvers over an encrypted channel. With a DNSCrypt server and client, you can provide privacy and security for both server clusters and home networks.
    Iwan Setiawan
