Skip to content

Instantly share code, notes, and snippets.

@ahmozkya
Last active July 7, 2023 09:27
Show Gist options
  • Save ahmozkya/8456503 to your computer and use it in GitHub Desktop.
Save ahmozkya/8456503 to your computer and use it in GitHub Desktop.
Homebrew with DNSMasq + DNSCrypt-proxy (OpenDNS)

Do not use this guide. The dnscrypt protocol and dnscrypt-proxy configuration file have changed a lot since I wrote this gist. Check the following links for help:

Install & Configure

  1. Install DNSMasq
$ brew install dnsmasq
  1. Install DNSCrypt-proxy
$ brew install dnscrypt-proxy
  1. Configure

  2. /usr/local/etc/dnsmasq.conf ⬇

  3. /Library/LaunchDaemons/homebrew.mxcl.dnscrypt-proxy.plist ⬇

  4. /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist ⬇

  5. Reload dnscrypt-proxy service

    $ cd /Library/LaunchDaemons/
    $ sudo launchctl unload homebrew.mxcl.dnscrypt-proxy.plist && sudo launchctl load homebrew.mxcl.dnscrypt-proxy.plist
  6. Reload dnsmasq service

    $ sudo launchctl unload homebrew.mxcl.dnsmasq.plist && sudo launchctl load homebrew.mxcl.dnsmasq.plist
  7. Set DNS IP: 127.0.0.1

Check

DNS Configuration

$ scutil --dns
...
resolver #1
  search domain[0] : openvpn
  nameserver[0] : 127.0.0.1
  flags    : Request A records, Request AAAA records
  reach    : Reachable,Local Address
...

DNSCrypt

$ nslookup -type=txt debug.opendns.com
Server:     127.0.0.1
Address:    127.0.0.1#53

Non-authoritative answer:
debug.opendns.com	text = "server 7.ams"
debug.opendns.com	text = "flags 20 0 2f4 800000000000000"
debug.opendns.com	text = "id 0"
debug.opendns.com	text = "source xxx.xxx.xxx.xxx:xxxxx"
debug.opendns.com	text = "dnscrypt enabled (xxxxxxxxxxxxxxxx)"

Authoritative answers can be found from:

Useful links:

# Configuration file for dnsmasq.
#
# Format is one option per line, legal options are the same
# as the long options legal on the command line. See
# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
# Custom development domains
address=/.dev/127.0.0.1
address=/.dom/127.0.0.1
# Upstream DNSCrypt
server=127.0.0.1#40
#user=
#group=
# Don't read the hostnames in /etc/hosts.
no-hosts
# Do not go into the background at startup but otherwise run as
# normal.
keep-in-foreground
# Do not provide DHCP or TFTP on the loopback interface.
no-dhcp-interface=lo
# Only listen on the loopback interface.
listen-address=127.0.0.1
# Only bind to interfaces dnsmasq is listening on.
bind-interfaces
# Never forward addresses in the non-routed address spaces.
bogus-priv
# Don't read /etc/resolv.conf.
no-resolv
# Reject (and log) addresses from upstream nameservers which are in
# the private IP ranges. This blocks an attack where a browser behind
# a firewall is used to probe machines on the local network.
stop-dns-rebind
# Exempt 127.0.0.0/8 from rebinding checks. This address range is
# returned by realtime black hole servers, so blocking it may disable
# these services.
rebind-localhost-ok
# Never forward plain names (without a dot or domain part).
# domain-needed
# Set the cache size here. If you don't use spam blocking add-ons such
# Adblock Plus or Ghostery, you may want to increase this value as you
# will be resolving more domain names.
cache-size=1000
#no-negcache
#local-ttl=
# Pass through DNSSEC validation results from dnscrypt-proxy.
proxy-dnssec
#mx-host=maildomain.com,servermachine.com,50
#mx-target=servermachine.com
#localmx
#selfmx
#log-queries
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-/Apple/DTD PLIST 1.0/EN" "http:/www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>homebrew.mxcl.dnscrypt-proxy</string>
<key>KeepAlive</key>
<true/>
<key>RunAtLoad</key>
<true/>
<key>ProgramArguments</key>
<array>
<string>/usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy</string>
<string>--local-address=127.0.0.1:40</string>
<string>--local-address=[::1]:40</string>
<string>--ephemeral-keys</string>
<string>--resolvers-list=/usr/local/Cellar/dnscrypt-proxy/1.6.0_3/share/dnscrypt-proxy/dnscrypt-resolvers.csv</string>
<string>--resolver-name=cisco</string>
<string>--user=nobody</string>
</array>
<key>UserName</key>
<string>root</string>
<key>StandardErrorPath</key>
<string>/dev/null</string>
<key>StandardOutPath</key>
<string>/dev/null</string>
</dict>
</plist>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>homebrew.mxcl.dnsmasq</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/opt/dnsmasq/sbin/dnsmasq</string>
<string>--keep-in-foreground</string>
<string>-C</string>
<string>/usr/local/etc/dnsmasq.conf</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>KeepAlive</key>
<true/>
</dict>
</plist>
@ngocphamm
Copy link

@jamesacampbell This might be very late to the game, but I just came across this and I think by default you can't make dsnmasq and dnscrypt-proxy work together, for a simple reason that they both want to listen to port 53. This gist points out that all you need to do is to make dnscrypt-proxy on another port (here is 40), then point dnsmasq to 127.0.0.1#40 for upstream DNS server, while NOT trying any other DNS servers specified in the system.

@ianmustafa
Copy link

@ngocphamm I can confirm that both dnsmasq and dnscrypt-proxy can indeed work together. I just having trouble to get dnscrypt-proxy to work alone in fresh-installed macOS Sierra, and this gist helps me a lot. I just didn't copy-paste the whole dnsmasq.conf though

@willsalz
Copy link

willsalz commented Dec 5, 2019

qq: why are you running dnsmasq && dnscrypt-proxy? Aren't they doing essentially the same thing?

@james-see
Copy link

@willsalz dnscrypt-proxy encrypts your requests, dnsmasq caches your requests.

@james-see
Copy link

@ngocphamm as of the current version of Mac OS in 2022, I just install both out of the box and it works fine. I updated and tested my fresh mac os installer baseline here if anyone is interested: https://github.com/james-see/fresh-mac

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment