$OpenBSD: README-main,v 1.10 2018/09/04 12:46:16 espie Exp $

+-----------------------------------------------------------------------
| Running dnscrypt-proxy on OpenBSD
+-----------------------------------------------------------------------

Basic setup
===========

dnscrypt-proxy listens for DNS queries on a local address and forwards
them to a DNSCrypt resolver over an encrypted channel.

To use this package, two things are required.

Firstly, choose an upstream server. There is no default: the package
lets you make a conscious decision about who to trust. A list of public
servers is in /usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv.
It may be easier to read online: https://dnscrypt.org/dnscrypt-resolvers.html

Choose one and configure it:

# rcctl enable dnscrypt_proxy
# rcctl set dnscrypt_proxy flags -E -m1 -R __YOUR_CHOICE__
# rcctl start dnscrypt_proxy

Replace __YOUR_CHOICE__ with one of the names from the first column
(e.g. "cisco", "cs-nl", "dnscrypt-eu.nl"), or use the word "random" to
select a random resolver at startup (chosen from those that claim that
they use DNSSEC and do not log requests).

Secondly, set /etc/resolv.conf to perform queries from dnscrypt-proxy:

nameserver 127.0.0.1
lookup file bind

Note: If fetching your IP address dynamically, dhclient(8) will normally
update resolv.conf with network-provided DNS servers. This can be avoided
by using "ignore domain-name, domain-name-servers;" in /etc/dhclient.conf.


Caching
=======

dnscrypt-proxy does not cache queries. Performance can be improved by
configuring a local caching DNS resolver to forward requests via
dnscrypt-proxy.

In this configuration, the caching resolver should listen on port 53,
and dnscrypt-proxy should be configured to use an alternative port.
For example:

# rcctl set dnscrypt_proxy flags -E -m1 -R __YOUR_CHOICE__ -a 127.0.0.1:40
# rcctl restart dnscrypt_proxy

And an example configuration to use this with Unbound:

# cat /var/unbound/etc/unbound.conf
server:
	interface: 127.0.0.1
	do-not-query-localhost: no
	hide-identity: yes
	hide-version: yes
	# enable dnssec; fetches trust anchor at startup:
	auto-trust-anchor-file: "/var/unbound/db/root.key"
	# provide service to other local machines, if needed:
	#interface: 192.168.1.1
	#access-control: 192.168.1.0/24 allow

remote-control:
	control-enable: yes
	control-use-cert: no
	control-interface: /var/run/unbound.sock

forward-zone:
	name: "."
	forward-addr: 127.0.0.1@40
	#forward-addr: 127.0.0.1@41 # example failover server, see below

The dnscrypt-proxy utility does not support failover resolvers; as described
in "Using DNSCrypt in combination with a DNS cache" on https://dnscrypt.org/,
you will need to run a second instance of it for DNS redundancy. This can be
handled by rcctl(8) by adding a symbolic link to the script:

# ln -s dnscrypt_proxy /etc/rc.d/dnscrypt_proxy2
# rcctl enable dnscrypt_proxy2
# rcctl set dnscrypt_proxy2 flags -E -m1 -R __SECOND_CHOICE__ -a 127.0.0.1:41
# rcctl start dnscrypt_proxy2

For more information, see https://dnscrypt.org/
