So first, obviously, you need to sign up and be using OpenDNS’ service. Secondly, I am using dnsmasq for DNS and DHCP – if you are using BIND or something else, then you will require extra/different steps. Thirdly, I have this setup on my Linux (CentOS) firewall/gateway/router at home which is the gateway to the Internet for all Internet traffic on my home network. If you want to use this for a single device that isn’t a firewall/gateway/router, you may require an extra dash of trickery. So here are the resources that I used to set this up and my own personal notes:
The networkfilter.blogspot.fr post I’ve provided above was my main resource and some (possibly all?) of my notes are probably also on that blog. I’ve actually probably copied and pasted some parts into my notes (once I confirmed they worked of course).
## DOWNLOAD So I think you can download two ways: wget: wget http://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.2.0.tar.bz2 or git: cd /usr/local/src git clone https://github.com/opendns/dnscrypt-proxy.git dnscrypt-proxy I used wget initially, but it's probably a good idea to use git for easier upgrading. ## INSTALL useradd -r opendns -s /sbin/nologin mkdir /home/opendns; chown -R opendns.opendns /home/opendns tar -jvxf dnscrypt-proxy*.tar.bz2; cd dnscrypt-proxy* ./configure make -j2 (-j2 will use two CPU cores) make install ## CONFIGURE DNSMASQ vi /etc/dnsmasq.conf # Make sure you have something like below listen-address=127.0.0.1,x.x.x.x bind-interfaces resolv-file=/etc/resolv.conf.dnsmasq and then create /etc/resolv.conf.dnsmasq vi /etc/resolv.conf.dnsmasq nameserver 127.0.0.2 ## START DNSCRYPT /usr/local/sbin/dnscrypt-proxy -a 127.0.0.2:53 --daemonize --logfile=/var/log/dnscrypt-proxy.log --user=opendns netstat -antlp | grep 127.0.0.2 tcp 0 0 127.0.0.2:53 0.0.0.0:* LISTEN 28066/dnscrypt-proxy tail /var/log/dnscrypt-proxy.log [INFO] Generating a new key pair [INFO] Done ... etc ... [INFO] Proxying from 127.0.0.2:53 to 184.108.40.206:443 ## TEST Run the following command on the DNS server (firewall/gateway/router): tcpdump -i eth0 dst host 220.127.116.11 or dst host 18.104.22.168 or src host 22.214.171.124 or src host 126.96.36.199 -n Run the following on a device on your network: dig www.cbc.ca You should see the following in your tcpdump: 15:08:36.102759 IP x.x.x.x.47220 > 188.8.131.52.https: UDP, length 132 15:08:36.130898 IP 184.108.40.206.https > x.x.x.x.47220: UDP, length 304 (x.x.x.x is your public IP) Notice the "https"