The Go Blog

dnsmasq and dnscrypt-proxy

bantana and
10 July 2019

Introduction

DNS resolver --> dnsmasq --> dnscrypt-proxy --> DNSCrypt server on the internet

Install

If en0 is the internet link:

sudo tcpdump -i en0 -vvv 'port 443'

Install dnscrypt-proxy:

brew install dnscrypt-proxy

sudo vi /usr/local/etc/dnscrypt-proxy.toml

>> modify:

  listen_addresses = ['127.0.0.1:5300', '[::1]:5300']

sudo brew services restart dnscrypt-proxy

Install dnsmasq:

brew install dnsmasq

sudo vi /usr/local/etc/dnsmasq.conf

>> modify:

  server=127.0.0.1#5300

sudo brew services restart dnsmasq

Change the local DNS resolver to 127.0.0.1.

Debug

$ dig +dnssec icann.org

  ; <<>> DiG 9.10.6 <<>> +dnssec icann.org
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50952
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags: do; udp: 1472
  ;; QUESTION SECTION:
  ;icann.org.            IN    A

  ;; ANSWER SECTION:
  icann.org.        3554    IN    A    192.0.43.7
  icann.org.        3554    IN    RRSIG    A 7 2 600 20190719002550 20190627174048 61202 icann.org. YQzj2jgkjzjX+LqU7eajQxD4hnACTSX3JtrZOpbEzUoUG2BlJ13CcTKs Q1JPaEo6AR5U22J2tEyHzrnv0bF5Wj8erdtRjmIKMTVuWNOYDI76iBWZ Vm2DT5WlXSypkqXz3bdkr5I0gb6bvnICVzCOejS/QIQiO4c6f6qJcaT2 U0U=

  ;; Query time: 0 msec
  ;; SERVER: 127.0.0.1#53(127.0.0.1)
  ;; WHEN: Wed Jul 10 18:20:14 CST 2019
  ;; MSG SIZE  rcvd: 223
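
A check for the chain configured in Install and for the dig output in Debug, as an added example that is not part of the original post: it confirms that every dnsmasq upstream is one of dnscrypt-proxy's listen addresses, and that the answer came from 127.0.0.1#53 with the RRSIG requested by +dnssec. The function names and the file contents written by demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. File contents in demo() are
# constructed samples; pass the real config paths to chain_ok to check a host.

# Print each host:port in dnscrypt-proxy's listen_addresses (TOML on stdin).
proxy_listeners() {
    grep -E '^[[:space:]]*listen_addresses[[:space:]]*=' |
        tr ',' '\n' | sed -n "s/.*'\([^']*\)'.*/\1/p"
}

# Print each dnsmasq "server=" upstream as host:port (dnsmasq.conf on stdin).
# Commented-out lines are skipped; a missing "#port" means port 53.
dnsmasq_upstreams() {
    awk -F= '/^[ \t]*server=/ {
        n = split($2, a, "#")
        print a[1] ":" (n > 1 ? a[2] : 53)
    }'
}

# $1 = dnsmasq.conf, $2 = dnscrypt-proxy.toml. Succeeds only if at least one
# upstream is configured and every upstream is a dnscrypt-proxy listener.
chain_ok() {
    ups=$(dnsmasq_upstreams < "$1")
    [ -n "$ups" ] || return 1
    for u in $ups; do
        proxy_listeners < "$2" | grep -qxF "$u" || return 1
    done
}

# dig output on stdin. Succeeds if 127.0.0.1#53 answered and an RRSIG came back.
dig_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'SERVER: 127\.0\.0\.1#53' &&
        printf '%s\n' "$out" | grep -qE 'IN[[:space:]]+RRSIG'
}

demo() {
    d=$(mktemp -d)
    printf "listen_addresses = ['127.0.0.1:5300', '[::1]:5300']\n" > "$d/proxy.toml"
    printf '#server=192.0.2.1\nserver=127.0.0.1#5300\n' > "$d/good.conf"
    printf 'server=127.0.0.1#5300\nserver=192.0.2.53\n' > "$d/leaky.conf"
    chain_ok "$d/good.conf" "$d/proxy.toml" && echo "good.conf: every upstream is a dnscrypt-proxy listener"
    chain_ok "$d/leaky.conf" "$d/proxy.toml" || echo "leaky.conf: upstream bypasses dnscrypt-proxy"
    rm -rf "$d"
}
demo
```

On a live host: chain_ok /usr/local/etc/dnsmasq.conf /usr/local/etc/dnscrypt-proxy.toml, and dig +dnssec icann.org | dig_ok.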