m0n0wall with DNSCrypt
Published on 9 March, 2014
I have written some patches to enable DNSCrypt support in m0n0wall 1.8.1. It seems like there is currently no interest in including this in the official m0n0wall release, so I am posting my patches here along with some explanations of what the patches actually change. If you want to use m0n0wall with DNSCrypt using my patches, you have to build your own m0n0wall image. The following link contains a guide on how to compile m0n0wall: The complete guide to building a m0n0wall image from scratch. The patches can be applied against the freebsd8 branch of the m0n0wall svn repository.
DNSCrypt allows DNS requests to be sent encrypted using elliptic curves. See DNSCrypt.org for further details on how it actually works. That page also contains a list of DNS servers with DNSCrypt support.
Usage
The patch m0n0wall-1.8-webgui-dnscrypt.patch adds a new option under "Advanced Setup". This lets you enable or disable DNSCrypt and set the DNS server address and port (see image below).
When enabled, dnscrypt-proxy runs as a service and listens on localhost:40. In addition, the DNS forwarder dnsmasq then forwards all DNS requests to port 40 of localhost, where dnscrypt-proxy is listening. dnscrypt-proxy passes the requests on, encrypted, to the configured DNSCrypt-enabled DNS server.
This means that all requests from clients that use dnsmasq as their DNS forwarder go through DNSCrypt. DNS requests from m0n0wall itself will still use the DNS servers configured under "General Setup". If you change this address to 127.0.0.1, all requests will go through DNSCrypt.
Only the NTP server hostnames configured under "General Setup" will always be excluded, because DNSCrypt needs an exact time to verify the key from the DNS server.
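A way to check that the forwarding described above leaves no cleartext path, as an added example that is not part of the patches: it audits a dnsmasq configuration for upstreams other than dnscrypt-proxy on 127.0.0.1 port 40, allowing only per-host exceptions for the NTP hostnames. The sample configuration, the NTP hostname, the upstream address and the assumption that the exclusion is done with per-domain `server=` lines are constructed for illustration and are not taken from the patches.

```python
PROXY = ("127.0.0.1", 40)  # dnscrypt-proxy listener as stated on the page

# Constructed sample; the NTP host and its upstream are placeholders.
SAMPLE_CONF = """\
# dnsmasq options (illustrative, not generated by the patch)
no-resolv
server=127.0.0.1#40
server=/ntp.example.org/192.0.2.53
"""

def parse_server(value):
    """Split a dnsmasq server= value into (domains, ip, port)."""
    domains = []
    if value.startswith("/"):
        *domains, value = value[1:].split("/")
    ip, _, port = value.partition("#")
    return [d for d in domains if d], ip, int(port) if port else 53

def audit(conf, ntp_hosts):
    """Return findings for settings that would let queries bypass dnscrypt-proxy."""
    findings, no_resolv, has_proxy = [], False, False
    for line in (l.strip() for l in conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key == "no-resolv":
            no_resolv = True
        elif key == "server":
            domains, ip, port = parse_server(value)
            if not ip:  # no explicit address: no new upstream is introduced
                continue
            if (ip, port) == PROXY:
                has_proxy = has_proxy or not domains
            elif not domains or not set(domains) <= set(ntp_hosts):
                scope = ", ".join(domains) or "all names"
                findings.append(f"cleartext upstream {ip}#{port} for {scope}")
    if not no_resolv:
        findings.append("no-resolv missing: resolv.conf upstreams are also used")
    if not has_proxy:
        findings.append("no default upstream pointing at dnscrypt-proxy")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, ["ntp.example.org"]) or ["ok"]:
        print(finding)
```
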
Download
This patch modifies the build scripts of m0n0wall so that DNSCrypt and libsodium will be compiled and included in the final image.
This patch adds dnscrypt-proxy as a service to m0n0wall and modifies the dnsmasq configuration.
This patch adds the DNSCrypt settings to the GUI.
NOTE: I have made the changes for my own needs. I don't take responsibility for any bugs or problems that may occur because of the use of these patches.