Updated after some feedback.
Index: Makefile =================================================================== RCS file: /cvs/ports/net/dnscrypt-proxy/Makefile,v retrieving revision 1.31 diff -u -p -r1.31 Makefile --- Makefile 2 Aug 2017 09:32:40 -0000 1.31 +++ Makefile 9 Nov 2017 16:08:14 -0000 @@ -7,6 +7,7 @@ V= 1.9.5 DISTNAME= dnscrypt-proxy-${V} PKGNAME-main= dnscrypt-proxy-${V} PKGNAME-plugins= dnscrypt-proxy-plugins-${V} +REVISION-main= 0 CATEGORIES= net Index: pkg/README-main =================================================================== RCS file: /cvs/ports/net/dnscrypt-proxy/pkg/README-main,v retrieving revision 1.8 diff -u -p -r1.8 README-main --- pkg/README-main 23 Jan 2017 18:00:23 -0000 1.8 +++ pkg/README-main 9 Nov 2017 16:08:14 -0000 
@@ -4,46 +4,85 @@ $OpenBSD: README-main,v 1.8 2017/01/23 1 | Running ${FULLPKGNAME} on OpenBSD +----------------------------------------------------------------------- -In order to perform queries over DNSCrypt, the easiest way is to change -your /etc/resolv.conf file: +Basic setup +=========== + +dnscrypt-proxy listens for DNS queries on a local address and forwards +them to a DNSCrypt resolver over an encrypted channel. + +To use this package, two things are required. + +Firstly, choose an upstream server. There is no default: the package +lets you make a conscious decision about who to trust. A list of public +servers is in ${TRUEPREFIX}/share/dnscrypt-proxy/dnscrypt-resolvers.csv, +or an updated list is at https://dnscrypt.org/dnscrypt-resolvers.html, + +Choose one and configure it: + +# rcctl enable dnscrypt_proxy +# rcctl set dnscrypt_proxy flags -E -m1 -R __YOUR_CHOICE__ +# rcctl start dnscrypt_proxy + +Replace __YOUR_CHOICE__ with one of the names from the first column +(e.g. "cisco", "cs-nl", "dnscrypt-eu.nl"), or use the word "random" to +select a random resolver at startup (chosen from those that claim that +they use DNSSEC and do not log requests). + +Secondly, set /etc/resolv.conf to perform queries from dnscrypt-proxy: nameserver 127.0.0.1 lookup file bind -options edns0 -DNSCrypt does _not_ cache queries, so the recommended way to use it is -as a forwarder for a DNS cache like Unbound. The following unbound.conf -example may be used as a guideline: +Note: If fetching your IP address dynamically, dhclient(8) will normally +update resolv.conf with network-provided DNS servers. This can be avoided +by using "ignore domain-name, domain-name-servers;" in /etc/dhclient.conf. + + +Caching +======= + +dnscrypt-proxy does not cache queries. Performance can be improved by +configuring a local caching DNS resolver to forward requests via +dnscrypt-proxy. 
+ +In this configuration, the caching resolver should listen on port 53, +and dnscrypt-proxy should be configured to use an alternative port. +For example: + +# rcctl set dnscrypt_proxy flags -E -m1 -R __YOUR_CHOICE__ -a 127.0.0.1:40 +# rcctl restart dnscrypt_proxy + +And an example configuration to use this with Unbound: +# cat /var/unbound/etc/unbound.conf server: interface: 127.0.0.1 - interface: 192.168.1.1 # additional addresses to listen on - access-control: 192.168.1.0/24 allow # who's allowed to make queries do-not-query-localhost: no hide-identity: yes hide-version: yes + auto-trust-anchor-file: "/var/unbound/db/root.key" + # provide service to other local machines, if needed: + #interface: 192.168.1.1 + #access-control: 192.168.1.0/24 allow + +remote-control: + control-enable: yes + control-use-cert: no + control-interface: /var/run/unbound.sock forward-zone: - name: "." - forward-addr: 127.0.0.1@40 - #forward-addr: 127.0.0.1@41 # example failover server, see below - -A list of resolvers providing DNSCrypt service is available at -${TRUEPREFIX}/share/dnscrypt-proxy/dnscrypt-resolvers.csv. -Choose one (there is no default) and configure it, for example: - -rcctl enable dnscrypt_proxy -rcctl set dnscrypt_proxy flags -E -m1 -R dnscrypt.eu-nl -a 127.0.0.1:40 -rcctl start dnscrypt_proxy + name: "." + forward-addr: 127.0.0.1@40 + #forward-addr: 127.0.0.1@41 # example failover server, see below The dnscrypt-proxy utility does not support failover resolvers; as described in "Using DNSCrypt in combination with a DNS cache" on https://dnscrypt.org/, you will need to run a second instance of it for DNS redundancy. 
This can be handled by rcctl(8) by adding a symbolic link to the script: -ln -s dnscrypt_proxy /etc/rc.d/dnscrypt_proxy2 -rcctl enable dnscrypt_proxy2 -rcctl set dnscrypt_proxy2 flags -E -m1 -R dnscrypt.eu-dk -a 127.0.0.1:41 -rcctl start dnscrypt_proxy2 +# ln -s dnscrypt_proxy /etc/rc.d/dnscrypt_proxy2 +# rcctl enable dnscrypt_proxy2 +# rcctl set dnscrypt_proxy2 flags -E -m1 -R __SECOND_CHOICE__ -a 127.0.0.1:41 +# rcctl start dnscrypt_proxy2 For more information, see https://dnscrypt.org/
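Review bot: In the pkg/README-main hunk, the added "auto-trust-anchor-file: "/var/unbound/db/root.key"" line in the Unbound example turns on DNSSEC validation, but the surrounding text never says so; since validation is what lets the cache detect a tampering or misbehaving upstream resolver (and "-R random" explicitly prefers resolvers that claim DNSSEC support), a one-line remark after the example would help, along with a note that the file must exist and be writable by the unbound user because auto-trust-anchor-file updates it in place. Smaller points in the same hunk: the sentence "or an updated list is at https://dnscrypt.org/dnscrypt-resolvers.html," ends with a comma and reads awkwardly, so "and an up-to-date list is at https://dnscrypt.org/dnscrypt-resolvers.html." is clearer; the "Basic setup" rcctl line has no "-a", so it relies on dnscrypt-proxy's default local address, which is worth stating explicitly because the "Caching" section then moves the proxy to 127.0.0.1:40 and the reader should understand why "nameserver 127.0.0.1" in resolv.conf keeps working (Unbound takes over port 53); and the new "remote-control:" block is unrelated to forwarding over dnscrypt-proxy, so either drop it from the example or mark it as optional so readers do not take it as a requirement. The dhclient.conf "ignore domain-name, domain-name-servers;" note and the matching "forward-addr: 127.0.0.1@40" / "-a 127.0.0.1:40" pair look correct.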