Integrate DNScrypt into unbound on ipfire?

Have you ever tried this? Does it work with IPFire? I am very interested in DNSCrypt. Do I need the freedsb download for these instructions, or another package?


How is this better or worse than DoT?


DNS over TLS (RFC 7858)

  • [+] Full encryption of the DNS protocol
  • [+] Has a low, but increasing number of servers in deployment
  • [+] Partially specified as an RFC
  • [+] Many implementations completed at various stages
  • [-] Provides more information than regular DNS to resolver operators in order to fingerprint clients, and this has (intentionally?) never been addressed in the specification
  • [-] Uses a dedicated port (853) likely to be blocked or monitored in situations where DNS encryption is useful
  • [-] Initial connection is slow due to the long handshake (until TLS 1.3 is deployed, which can take time due to middleboxes)
  • [-] Not well understood even by its proponents. It is a truck, as it is heavy and slow to load, but most if not all implementations perform a full round trip for every packet (even the excellent miekg/dns library as used by Tenta).
  • [-] Padding rules haven't been specified besides a draft that doesn't have any implementations, and a last-minute hack that requires altering DNS record sets before wrapping them
  • [-] Requires a full TLS stack, introducing a large attack surface
  • [-] Difficult to implement securely. Validating TLS certificates in non-browser software is the most dangerous code in the world
  • [-] Readily compatible with industry-standard TLS interception/monitoring devices. Having people install additional root certificates is easier than custom software. Vendors are always ready to passively extract information from TLS 1.3 sessions.
  • [-] Requires TCP
  • [-] Requires session tracking on the server
  • [-] TLS is a generic transport mechanism. It doesn't support reordering and parallelism and doesn't include any ways to manage priorities. New mechanisms need to be invented and implemented to do so.
  • [-] Key management can be surprisingly hard, especially if public key pinning is used by clients
  • [-] Allows insecure algorithms and parameters
  • [-] Will be difficult to improve without introducing more hacks. Unlikely to benefit from any improvements besides new TLS versions or homegrown reinventions.
  • [-] Questionable practical benefits over DoH

Why use DNSCrypt?

  • [+] Encrypts and authenticates the DNS traffic
  • [+] Specifically designed for DNS
  • [+] Has been battle tested
  • [+] A good amount of servers support the protocol
  • [+] Includes mitigations against DNS amplification attacks
  • [+] Can use UDP and TCP for transport
  • [+] Inherently supports reordering, parallelism and priorities
  • [+] Keeps a minimal number of states server-side
  • [+] Very simple to implement; requires only two standard cryptographic constructions
  • [+] Doesn't require a TLS stack, which vastly reduces the attack surface
  • [+] Doesn't have any insecure parameters
  • [+] Doesn't rely on X.509 certificates and Certificate Authorities
  • [+] Cannot be MITM'd by standard tools
  • [+] Enforces certificate signatures
  • [+] Has had a complete specification since 2013
  • [+] Regular DNS and DNSCrypt can share the same port (although port 443 is recommended due to routers frequently hijacking port 53)
  • [+] DNSCrypt and DoH can also be served simultaneously on the same port
  • [+] Can hide client IP addresses from servers (Anonymized DNSCrypt)
  • [+] A prototype using post-quantum cryptography is available
  • [-] The specification hasn't been submitted to the IETF yet

Many thumbs down for DoT …


No expert here.
I ran DNSCrypt for a while in Docker.
DoH will never be a corporate DNS server.
It would be too difficult to manage, being on the same port as HTTPS and everything else these days.
For me, I see where this makes QoS very difficult too, when every service is running on the same port.
I don't fully understand the encryption key exchange, or whether there is any real difference between the two, DoH vs DoT.
IPFire's implementation of DoT using multiple DNS servers is very much like DNSCrypt.
The granularity of your DNS info being shared from DNSCrypt would be worse when each device in your network is using it, thereby sharing DNS info per device.
DoT as implemented in IPFire would only be IPFire itself, thereby anonymizing your individual requests.
Someone smarter than me can chime in on that.
DoH is a way for you to circumvent DNS filtering.
It does not make you anonymous.


As I understand DNSCrypt, you can use it with this DNSCrypt protocol for a really anonymous DNS resolver, where my client IP address is also hidden from the resolver.
DoH is of no interest to me.
I only want to fight back for my privacy, and every step towards getting a little more invisible is a good step in the right direction.


Hi all,
unbound does have a --enable-dnscrypt compile-time option → unbound.conf(5) — Unbound 1.17.0 documentation, which might be interesting in that regard?!
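For readers checking what that compile-time option actually buys: unbound's `dnscrypt:` section makes unbound act as a DNSCrypt *server* for its own clients (for example the LAN behind IPFire); it does not make unbound send DNSCrypt to its upstream resolvers, which is what the opening question is after. The fragment below is an added example written for this thread, not configuration shipped by IPFire or unbound; the interface address, port, provider name and key/cert paths are assumptions, and the keys and provider certificate have to be generated outside unbound (dnscrypt-wrapper can do that) before unbound will start with this section enabled.

```conf
# Added example: unbound.conf fragment for an unbound built with --enable-dnscrypt.
# All addresses, ports, names and paths below are hypothetical.
server:
    # DNSCrypt clients talk to this socket; plain DNS can keep using port 53.
    interface: 192.168.1.1@5443
    access-control: 192.168.1.0/24 allow

dnscrypt:
    dnscrypt-enable: yes
    # Must match a port unbound listens on in the server: section above.
    dnscrypt-port: 5443
    # Provider name as published to clients; the spec requires the 2.dnscrypt-cert. prefix.
    dnscrypt-provider: 2.dnscrypt-cert.ipfire.example.
    # Short-term secret key and the provider certificate signed by the provider key.
    dnscrypt-secret-key: /etc/unbound/dnscrypt/1.key
    dnscrypt-provider-cert: /etc/unbound/dnscrypt/1.cert
```

Run `unbound-checkconf` after editing: an unbound binary built without `--enable-dnscrypt` rejects the `dnscrypt:` section outright, which is the quickest way to find out whether a given build has the option compiled in.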




Yes, for sure, but I am only a silly user; I don't know how to use the information given in the documentation to put this on IPFire, or how to operate the program unbound.
How can I control unbound, where is the configuration, and what about the GUI: doesn't it overwrite my changes in the DNS settings?

If you want to add DNSCrypt as an option into IPFire for yourself, then you would need to do a complete build of IPFire 2.x, including the addition of the DNSCrypt program and any required modifications to the code for the DNS Server WUI page. This build will provide you with an iso and img file which you can use to install your custom version of IPFire.

If you want to run unbound from the command line, then the simplest option to find out about the commands is to do a search for "man unbound".

The initscript for unbound is in /etc/init.d/unbound
Note that it is a more complicated initscript than those for simpler programs such as samba. It has been designed to be triggered by actions carried out on the DNS Server WUI page.

The configuration is in /etc/unbound/

Yes, the WUI does overwrite it, and a Core Update might change even more. If you don't want that to happen, then you would need to do the custom full build as mentioned at the start of this post. You would need to repeat that for each Core Update.

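Before editing anything under /etc/unbound/ on an installed system, it is worth confirming whether the unbound binary IPFire ships was even built with DNSCrypt support, because the `dnscrypt:` config section is only accepted by such a build. The script below is an added example for this thread (not IPFire's or unbound's own tooling): it parses the "Configure line" that `unbound -V` prints, looking for `--enable-dnscrypt`, and treats `--enable-dnscrypt=no` as not enabled. The two sample outputs are constructed to match the shape of `unbound -V` output and are not real IPFire output.

```shell
#!/bin/sh
# Added example (not from the thread): decide from `unbound -V` output whether the
# installed unbound was built with --enable-dnscrypt before touching /etc/unbound/.

# has_dnscrypt_support TEXT: return 0 if the configure line in TEXT contains
# --enable-dnscrypt (optionally =yes), 1 otherwise. Takes the text as an argument
# so it can be exercised on captured output on a box without unbound installed.
has_dnscrypt_support() {
    printf '%s\n' "$1" | grep -qE -- '--enable-dnscrypt(=yes)?( |$)'
}

# unbound_build_report: run the real binary if present and print a verdict.
# Exit status: 0 = built with DNSCrypt, 1 = built without, 2 = unbound not found.
unbound_build_report() {
    if ! command -v unbound >/dev/null 2>&1; then
        echo "unbound: not found in PATH"
        return 2
    fi
    out=$(unbound -V 2>&1)
    if has_dnscrypt_support "$out"; then
        echo "unbound built with --enable-dnscrypt"
        return 0
    fi
    echo "unbound built WITHOUT --enable-dnscrypt (a dnscrypt: section will be rejected)"
    return 1
}

# Constructed sample outputs in the shape `unbound -V` prints (hypothetical, not IPFire's).
SAMPLE_WITH='Version 1.17.0

Configure line: --prefix=/usr --enable-dnscrypt --with-libevent
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.7 1 Nov 2022
Linked modules: dns64 respip validator iterator'

SAMPLE_WITHOUT='Version 1.17.0

Configure line: --prefix=/usr --with-libevent
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.7 1 Nov 2022
Linked modules: dns64 respip validator iterator'

# Demonstrate on the constructed samples, then (if installed) on the real binary.
has_dnscrypt_support "$SAMPLE_WITH" && echo "sample 1: DNSCrypt support compiled in"
has_dnscrypt_support "$SAMPLE_WITHOUT" || echo "sample 2: no DNSCrypt support"
unbound_build_report || true
```

A build without the option is the expected result on a stock IPFire install; in that case the only route to DNSCrypt is the custom full build described in the post above, and the check has saved an edit that `unbound-checkconf` would have rejected anyway.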

Ok, thanks, but that is not feasible for me.
This would have to be done after each update, and as soon as an error occurs I'd stand there like a horse in front of the gate.