dns/dnscrypt-proxy: allow dns server port #1104

Closed
thutex opened this issue Dec 12, 2018 · 15 comments
Labels: feature (Adding new functionality)
thutex (Contributor) commented Dec 12, 2018

We now have the dnscrypt proxy. Great.
However, when setting it up I was trying to have this situation:

  • clients query the firewall's local DNS server (for local domains and filtering etc., port 53)
  • if the firewall needs to resolve the query, it should use the dnscrypt server (localhost port 5353)

However, in System > General > Settings under Networking, where we enter the general DNS servers to use, we cannot specify the port.
This means I cannot have dnscrypt running on port 5353 and have the firewall use this proxy to resolve queries.

mimugmail (Member):

Yep, you need to run it on port 53, that's why I added the checkbox for higher privileges.

fichtner (Member):

The system servers are for resolv.conf, which does not support any other port than 53. The way this is supposed to work is to create an alias for loopback that is not 127.0.0.1 -- there's all of 127.0.0.0/8 to choose from -- and let dnscrypt-proxy listen on a particular loopback IP on port 53 which can then be added as a system server. But I'm not sure if @mimugmail already has that included.

mimugmail (Member):

An IP alias for an unassigned interface? Is this possible?

thutex (Contributor, Author) commented Dec 13, 2018

I have dnsmasq running on port 53 for all my VLANs, so dnscrypt has to run on another port.
If an IP alias can't work, maybe add an option to dnsmasq (and unbound)?
I know dnsmasq supports DNS servers on other ports with server=127.0.0.1#5353, but there is no option to add the (general) DNS servers to use, since they are the system ones by default.

fichtner (Member):

Loopback is not unassigned ;) You can actually select it from VIPs...

fichtner (Member) commented Dec 13, 2018

Again, you need to run it on 127.0.0.2:53 or other. It's impossible to move the port to somewhere else.

mimugmail (Member):

Oh, I totally overlooked this :/ Maybe because the interface is called Localhost.

fichtner (Member):

Good point, let me change that...

thutex (Contributor, Author) commented Dec 13, 2018

@fichtner: I have the proxy running on 127.0.0.1:5353, and point the general DNS / resolv.conf to 127.0.0.1, where dnsmasq is listening.
Using the advanced options I added server=127.0.0.1#5353 to point to the proxy.

So it is perfectly possible, but the question is whether it's the best way to do this.
(I like how we don't have to give the proxy any elevated privileges this way.)
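The two layouts discussed in this thread, resolv.conf pointing at a loopback alias on port 53 versus resolv.conf pointing at dnsmasq which chains to dnscrypt-proxy via `server=ip#port`, can be checked mechanically. The script below is an added example, not OPNsense or dnsmasq code: it parses the resolv.conf `nameserver` lines (which have no port field, so anything but a bare IP is rejected) and the dnsmasq `server=[/domain/]ip[#port][@interface]` lines, reconstructs the hops a query takes, and flags the common misconfiguration where dnsmasq is told to forward to a loopback address on its own port and would loop. The sample configurations are constructed for the example; the assumption that dnsmasq answers on every loopback address is noted in the code.

```python
import ipaddress
import re

# Constructed sample configurations (not taken from the issue). The first pair is
# the chaining layout from the thread: resolv.conf -> dnsmasq on 127.0.0.1:53,
# dnsmasq -> dnscrypt-proxy on 127.0.0.1#5353.
RESOLV_CONF_CHAIN = "nameserver 127.0.0.1\n"
DNSMASQ_CONF_CHAIN = "port=53\nno-resolv\nserver=127.0.0.1#5353\n"
# Loopback-alias layout: dnscrypt-proxy on 127.0.0.2:53 is a valid system server.
RESOLV_CONF_ALIAS = "nameserver 127.0.0.2\n"
# Misconfiguration: dnsmasq forwarding to its own listener would loop.
DNSMASQ_CONF_LOOP = "port=53\nserver=127.0.0.1#53\n"

# dnsmasq syntax: server=[/domain/]ip[#port][@interface]
_SERVER_RE = re.compile(
    r"^server=(?:/(?P<domain>[^/]*)/)?(?P<ip>[^#@]+)(?:#(?P<port>\d+))?(?:@.*)?$"
)


def parse_resolv_conf(text):
    """Return nameserver IPs. resolv.conf has no port field, so an entry that is
    not a bare IP address (e.g. '127.0.0.1#5353') is rejected outright."""
    servers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        fields = line.split()
        if fields[0] != "nameserver" or len(fields) != 2:
            continue
        try:
            servers.append(str(ipaddress.ip_address(fields[1])))
        except ValueError:
            raise ValueError(
                f"resolv.conf nameserver entries cannot carry a port: {raw!r}"
            ) from None
    return servers


def dnsmasq_listen_port(text):
    """dnsmasq listens on 53 unless a 'port=' line overrides it."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("port="):
            return int(line.split("=", 1)[1])
    return 53


def parse_dnsmasq_servers(text):
    """Return (domain, ip, port) for each 'server=' line; port defaults to 53."""
    targets = []
    for line in text.splitlines():
        m = _SERVER_RE.match(line.strip())
        if not m:
            continue
        ip = str(ipaddress.ip_address(m.group("ip")))
        targets.append((m.group("domain"), ip, int(m.group("port") or 53)))
    return targets


def forwarding_loops(text):
    """Forward targets that are dnsmasq itself: a loopback address on its own
    listen port (assumption: dnsmasq answers on every loopback address)."""
    own_port = dnsmasq_listen_port(text)
    return [(ip, port) for _, ip, port in parse_dnsmasq_servers(text)
            if port == own_port and ipaddress.ip_address(ip).is_loopback]


def resolver_chain(resolv_text, dnsmasq_text=None):
    """Hops a query takes: resolv.conf entries (always port 53), then, when the
    first hop is a loopback dnsmasq, dnsmasq's own forward targets."""
    first = parse_resolv_conf(resolv_text)
    chain = [(ip, 53) for ip in first]
    if dnsmasq_text is not None and first and ipaddress.ip_address(first[0]).is_loopback:
        if dnsmasq_listen_port(dnsmasq_text) != 53:
            raise ValueError("resolv.conf can only reach a resolver on port 53")
        chain += [(ip, port) for _, ip, port in parse_dnsmasq_servers(dnsmasq_text)]
    return chain


if __name__ == "__main__":
    print("chained:", resolver_chain(RESOLV_CONF_CHAIN, DNSMASQ_CONF_CHAIN))
    print("alias:  ", resolver_chain(RESOLV_CONF_ALIAS))
    print("loops:  ", forwarding_loops(DNSMASQ_CONF_LOOP))
```

Running the script with the chained layout yields the two hops `127.0.0.1:53` then `127.0.0.1:5353`; the alias layout yields a single hop on `127.0.0.2:53`, which is why it needs no forwarder in between. The loop check is the one worth keeping in a deployment checklist: a `server=127.0.0.1#53` line on a dnsmasq that itself listens on 127.0.0.1:53 resolves nothing and only generates traffic.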

mimugmail (Member):

This is perfectly fine. Some people are concerned about a second resolver being involved because of latency, but since this is just a local connection it should be minimal...

I added some stuff for the docs:
https://github.com/opnsense/docs/pull/92/files

thutex (Contributor, Author) commented Dec 13, 2018

@mimugmail maybe also add an option to set static sources instead of the public lists?
Great work btw :)

mimugmail (Member):

I have to think about this.

In general I don't like the idea, because when the provider blocks the host or port you're out. It's also prone to user errors leading to more tickets (and work) :)

For now we'll stick with the file, but if more users complain I'm the last one stopping progress :)

fichtner (Member):

@thutex right, for chaining that is correct in advanced options

fichtner referenced this issue in opnsense/core, Dec 16, 2018
fichtner transferred this issue from opnsense/core, Dec 30, 2018
fichtner changed the title from "allow dns server port" to "dns/dnscrypt-proxy: allow dns server port", Dec 30, 2018
fichtner added the label "feature (Adding new functionality)", Dec 30, 2018

mimugmail (Member):

This can be closed as 1.1 supports static Servers?

fichtner (Member):

Perfect, thanks!
