2017-11-09 16:08 GMT+00:00 Stuart Henderson <s...@spacehopper.org>: > > updated after some feedback. > > > Index: Makefile > =================================================================== > RCS file: /cvs/ports/net/dnscrypt-proxy/Makefile,v > retrieving revision 1.31 > diff -u -p -r1.31 Makefile > --- Makefile 2 Aug 2017 09:32:40 -0000 1.31 > +++ Makefile 9 Nov 2017 16:08:14 -0000 > @@ -7,6 +7,7 @@ V= 1.9.5 > DISTNAME= dnscrypt-proxy-${V} > PKGNAME-main= dnscrypt-proxy-${V} > PKGNAME-plugins= dnscrypt-proxy-plugins-${V} > +REVISION-main= 0 > > CATEGORIES= net > > Index: pkg/README-main > =================================================================== > RCS file: /cvs/ports/net/dnscrypt-proxy/pkg/README-main,v > retrieving revision 1.8 > diff -u -p -r1.8 README-main > --- pkg/README-main 23 Jan 2017 18:00:23 -0000 1.8 > +++ pkg/README-main 9 Nov 2017 16:08:14 -0000 
> @@ -4,46 +4,85 @@ $OpenBSD: README-main,v 1.8 2017/01/23 1 > | Running ${FULLPKGNAME} on OpenBSD > +----------------------------------------------------------------------- > > -In order to perform queries over DNSCrypt, the easiest way is to change > -your /etc/resolv.conf file: > +Basic setup > +=========== > + > +dnscrypt-proxy listens for DNS queries on a local address and forwards > +them to a DNSCrypt resolver over an encrypted channel. > + > +To use this package, two things are required. > + > +Firstly, choose an upstream server. There is no default: the package > +lets you make a conscious decision about who to trust. A list of public > +servers is in ${TRUEPREFIX}/share/dnscrypt-proxy/dnscrypt-resolvers.csv, > +or an updated list is at https://dnscrypt.org/dnscrypt-resolvers.html, > + > +Choose one and configure it: > + > +# rcctl enable dnscrypt_proxy > +# rcctl set dnscrypt_proxy flags -E -m1 -R __YOUR_CHOICE__ > +# rcctl start dnscrypt_proxy > + > +Replace __YOUR_CHOICE__ with one of the names from the first column > +(e.g. "cisco", "cs-nl", "dnscrypt-eu.nl"), or use the word "random" to > +select a random resolver at startup (chosen from those that claim that > +they use DNSSEC and do not log requests). > + > +Secondly, set /etc/resolv.conf to perform queries from dnscrypt-proxy: > > nameserver 127.0.0.1 > lookup file bind > -options edns0 > > -DNSCrypt does _not_ cache queries, so the recommended way to use it is > -as a forwarder for a DNS cache like Unbound. The following unbound.conf > -example may be used as a guideline: > +Note: If fetching your IP address dynamically, dhclient(8) will normally > +update resolv.conf with network-provided DNS servers. This can be avoided > +by using "ignore domain-name, domain-name-servers;" in /etc/dhclient.conf. > + > + > +Caching > +======= > + > +dnscrypt-proxy does not cache queries. Performance can be improved by > +configuring a local caching DNS resolver to forward requests via > +dnscrypt-proxy. 
> + > +In this configuration, the caching resolver should listen on port 53, > +and dnscrypt-proxy should be configured to use an alternative port. > +For example: > + > +# rcctl set dnscrypt_proxy flags -E -m1 -R __YOUR_CHOICE__ -a 127.0.0.1:40 > +# rcctl restart dnscrypt_proxy > + > +And an example configuration to use this with Unbound: > > +# cat /var/unbound/etc/unbound.conf > server: > interface: 127.0.0.1 > - interface: 192.168.1.1 # additional addresses to listen on > - access-control: 192.168.1.0/24 allow # who's allowed to make queries > do-not-query-localhost: no > hide-identity: yes > hide-version: yes > + auto-trust-anchor-file: "/var/unbound/db/root.key" > + # provide service to other local machines, if needed: > + #interface: 192.168.1.1 > + #access-control: 192.168.1.0/24 allow > + > +remote-control: > + control-enable: yes > + control-use-cert: no > + control-interface: /var/run/unbound.sock > > forward-zone: > - name: "." > - forward-addr: 127.0.0.1@40 > - #forward-addr: 127.0.0.1@41 # example failover server, see below > - > -A list of resolvers providing DNSCrypt service is available at > -${TRUEPREFIX}/share/dnscrypt-proxy/dnscrypt-resolvers.csv. > -Choose one (there is no default) and configure it, for example: > - > -rcctl enable dnscrypt_proxy > -rcctl set dnscrypt_proxy flags -E -m1 -R dnscrypt.eu-nl -a 127.0.0.1:40 > -rcctl start dnscrypt_proxy > + name: "." > + forward-addr: 127.0.0.1@40 > + #forward-addr: 127.0.0.1@41 # example failover server, see below > > The dnscrypt-proxy utility does not support failover resolvers; as described > in "Using DNSCrypt in combination with a DNS cache" on https://dnscrypt.org/, > you will need to run a second instance of it for DNS redundancy. 
This can be > handled by rcctl(8) by adding a symbolic link to the script: > > -ln -s dnscrypt_proxy /etc/rc.d/dnscrypt_proxy2 > -rcctl enable dnscrypt_proxy2 > -rcctl set dnscrypt_proxy2 flags -E -m1 -R dnscrypt.eu-dk -a 127.0.0.1:41 > -rcctl start dnscrypt_proxy2 > +# ln -s dnscrypt_proxy /etc/rc.d/dnscrypt_proxy2 > +# rcctl enable dnscrypt_proxy2 > +# rcctl set dnscrypt_proxy2 flags -E -m1 -R __SECOND_CHOICE__ -a 127.0.0.1:41 > +# rcctl start dnscrypt_proxy2 > > For more information, see https://dnscrypt.org/ >
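Review bot: The REVISION-main= 0 bump in the Makefile hunk is correctly scoped: the only other file touched in this diff is pkg/README-main, which belongs to the -main subpackage, so the -plugins subpackage needs no REVISION.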
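Review bot: In the README-main hunk, the new remote-control: block (control-enable: yes, control-use-cert: no, control-interface: /var/run/unbound.sock) has nothing to do with forwarding through dnscrypt-proxy; either drop it from the example or add a one-line comment that it only exists so unbound-control(8) works over the local socket. Two smaller points in the same hunk: the line ending `https://dnscrypt.org/dnscrypt-resolvers.html,` should end with a period rather than a comma, and the removal of `options edns0` from the resolv.conf example is not explained anywhere, so a sentence saying why it is no longer needed would help people who copied the previous README. The added auto-trust-anchor-file line is a good change, since local DNSSEC validation in Unbound means the setup does not have to rely on the upstream resolver's own DNSSEC claim.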
OK; tyvm stu and tj.

--
Vinícius Zavam
keybase.io/egypcio/key.asc