From eba731061642a8becb53d0ba45ffeb00ea3fa3a2 Mon Sep 17 00:00:00 2001 From: Flaxe Date: Sat, 9 Jun 2018 18:45:49 +0200 Subject: [PATCH] Removed unnecessary information and added DNSSEC validation config --- DNSCrypt-2.0.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/DNSCrypt-2.0.md b/DNSCrypt-2.0.md index eb852f8..da7811d 100644 --- a/DNSCrypt-2.0.md +++ b/DNSCrypt-2.0.md @@ -27,9 +27,10 @@ There are instructions on the [wiki](https://github.com/jedisct1/dnscrypt-proxy/ Also see the [wiki](https://github.com/jedisct1/dnscrypt-proxy/wiki/DNS-server-sources) for details on DNS server sources. ## Step 2: Modify Pi-Hole -If you're running a newer version of Pi-Hole (might only be available on FTLDNS at the moment), you have the possibility to specify a "**Local DNS server on custom port**" in the Web interface by going to **Settings -> DNS**. Simply check the checkbox and enter 5353 as the port. In newer versions of FTLDNS, this option is no longer present, but all custom DNS fields can now take on a port number with the syntax (**host#port**). Of course, you should remove (uncheck) every other DNS server. +If you're running a new version of Pi-Hole FTLDNS, all custom DNS fields can now take on a port number with the syntax (**host#port**). Of course, you should remove (uncheck) every other DNS server. Like this: +![](https://i1.wp.com/pi-hole.net/wp-content/uploads/2018/05/RecursiveResolver.png?w=577&ssl=1) -If you're running a older version of Pi-Hole, then follow these instructions: +If you're running an older version of Pi-Hole, then follow these instructions: * `sudo nano /etc/dnsmasq.d/02-dnscrypt.conf`: Create new or edit existing conf. * Change `server=#` where `dnscrypt-proxy` is running. For example, my `.toml` file is `listen_addresses = ['127.0.0.1:5353', '[::1]:5353']`, so edit the conf file to be `server=127.0.0.1#5353` * `sudo nano /etc/pihole/setupVars.conf`: Edit setupVars.conf. 
@@ -38,6 +39,10 @@ If you're running a older version of Pi-Hole, then follow these instructions: * Comment out all `server=...` lines. (set a # in the beginning of the line) * `sudo service dnsmasq restart`: restart dnsmasq +### DNSSEC validation +If you configured DNSCrypt to use a resolver with enabled DNSSEC validation, make sure to enable it also in dnsmasq: +`echo "proxy-dnssec" >> /etc/dnsmasq.d/02-dnscrypt.conf` + ## Test DNSCrypt Use the built-in client:
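Review bot: the rewritten FTLDNS sentence in the first hunk (`@@ -27,9 +27,10 @@`) no longer tells the reader what to enter. The removed text named port 5353, while the new text only gives the abstract syntax `host#port`. Suggest adding the concrete value that matches the `listen_addresses` example in the context lines, i.e. `127.0.0.1#5353`, and saying which Pi-Hole version counts as "new". The added image has empty alt text (`![](...)`) and is hotlinked through `i1.wp.com`, so the "Like this:" line shows nothing if that URL stops resolving. A short alt text describing the custom DNS field would keep the step readable.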
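Review bot: the `echo "proxy-dnssec" >> /etc/dnsmasq.d/02-dnscrypt.conf` line added in the second hunk (`@@ -38,6 +39,10 @@`) will fail for a non-root user. The earlier steps edit this same file with `sudo nano`, and prefixing `sudo` to `echo` would not help because the calling shell performs the redirect. Suggest `echo "proxy-dnssec" | sudo tee -a /etc/dnsmasq.d/02-dnscrypt.conf`, and mention that appending adds a duplicate line on each run. The new section also sits after the `sudo service dnsmasq restart` step, so it should say that dnsmasq has to be restarted again for the option to take effect. On wording: `proxy-dnssec` makes dnsmasq pass the upstream resolver's Authenticated Data bit through to clients instead of validating itself, so "enable it also in dnsmasq" overstates what the setting does. The text should say that validation stays with the resolver chosen in dnscrypt-proxy.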