Run multiple instances of dns/dnscrypt-proxy service

arabesc · Oct 1, 2014

I would like to share a modified version of the /usr/local/etc/rc.d/dnscrypt-proxy script which is used to control dns/dnscrypt-proxy service.
New script allows to launch multiple instances of the service with different options.

So, the current syntax in the rc.conf looks like this:

Code:

dnscrypt_proxy_enable="YES"
dnscrypt_proxy_resolver="<server name>"
dnscrypt_proxy_flags="-a 127.0.0.1:65053"

Proposed syntax is like this:

Code:

dnscrypt_proxy_enable="YES"
dnscrypt_proxy_instances="dnscrypt_proxy_1 dnscrypt_proxy_2 dnscrypt_proxy_3"
dnscrypt_proxy_1_resolver="<server1 name>"
dnscrypt_proxy_1_flags="-a 127.0.0.1:65053"
dnscrypt_proxy_2_resolver="<server2 name>"
dnscrypt_proxy_2_flags="-a 127.0.0.1:65054"
dnscrypt_proxy_3_resolver="<server3 name>"
dnscrypt_proxy_3_flags="-a 127.0.0.1:65055"

Finaly, modified /usr/local/etc/rc.d/dnscrypt-proxy:

Code:

#!/bin/sh
#
# $FreeBSD: head/dns/dnscrypt-proxy/files/dnscrypt-proxy.in 373758 2014-12-02 09:21:49Z xmj $
#
# PROVIDE: dnscrypt_proxy
# REQUIRE: SERVERS cleanvar
# BEFORE: named local_unbound unbound
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf to enable dnscrypt-proxy:
#
# dnscrypt_proxy_instances (str): Set to "dnscrypt_proxy" by default.
#  List of dnscrypt_proxy instance id's,
#  e.g. "dnscrypt_proxy_1 dnscrypt_proxy_2", etc.
# {instance_id}_enable (bool):  Set to NO by default.
#  Set to YES to enable dnscrypt-proxy.
# {instance_id}_uid (str):  Set to "_dnscrypt-proxy" by default.
#      User to switch to after starting.
# {instance_id}_resolver (str):  Set to "opendns" by default.
#      Choose a different upstream resolver.
# {instance_id}_pidfile (str):  default: "/var/run/dnscrypt-proxy.pid"
#      Location of pid file.
# {instance_id}_logfile (str):    default: "/var/log/dnscrypt-proxy.log"
#  Location of log file.
#
# To redirect a local resolver through dnscrypt-proxy, point it at 127.0.0.2
# and add the following to rc.conf:
# ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
# dnscrypt_proxy_flags='-a 127.0.0.2'

. /etc/rc.subr

name=dnscrypt_proxy

load_rc_config ${name}

: ${dnscrypt_proxy_instances="${name}"}
: ${dnscrypt_proxy_enable:=NO}

dnscrypt_proxy_enable_tmp=${dnscrypt_proxy_enable}

command=/usr/local/sbin/dnscrypt-proxy
procname=/usr/local/sbin/dnscrypt-proxy

for i in $dnscrypt_proxy_instances; do
  name=${i}

  eval ${name}_enable=${dnscrypt_proxy_enable_tmp}
  rcvar=${name}_enable

  load_rc_config ${i}

  eval dnscrypt_proxy_uid_tmp=\${${i}_uid}
  eval dnscrypt_proxy_resolver_tmp=\${${i}_resolver}
  eval dnscrypt_proxy_pidfile_tmp=\${${i}_pidfile}
  eval dnscrypt_proxy_logfile_tmp=\${${i}_logfile}

:  ${dnscrypt_proxy_uid_tmp:=_dnscrypt-proxy}  # User to run daemon as
:  ${dnscrypt_proxy_resolver_tmp:=opendns}  # resolver to use
:  ${dnscrypt_proxy_pidfile_tmp:=/var/run/${i}.pid} # Path to pid file
:  ${dnscrypt_proxy_logfile_tmp:=/var/log/${i}.log} # Path to log file

  command_args="-d -p ${dnscrypt_proxy_pidfile_tmp} -l ${dnscrypt_proxy_logfile_tmp} -u ${dnscrypt_proxy_uid_tmp} -R ${dnscrypt_proxy_resolver_tmp}"

  pidfile=${dnscrypt_proxy_pidfile_tmp}

  _rc_restart_done=false # workaround for: service dnscrypt-proxy restart

  run_rc_command "$1"
done

It would be great if this or community-improved version of the script will be included in the dns/dnscrypt-proxy package.

ohcaml · Feb 5, 2015

Fixed the script so that the service can run on boot when:

Code:

dnscrypt_proxy_enable="YES"

(Add rcvar=dnscrypt_proxy_enable after name=...)

https://gist.github.com/steakknife/02832ff104df3483c012

The script needs to be further improved so it can be configured with the original settings, making multiple instances optional. This would make it a more viable port improvement.

arp242 · Feb 11, 2015

dnscrypt_proxy_1_flags="-a 127.0.0.1:65053"

One of the downsides of using DNS on a port that's not 53 is that not everything works with this. For example, /etc/resolv.conf, drill(1), or dig(1) don't. This may be useful one day to test something (for example, if you suspect one of the DNS servers that's being proxies is misbehaving).

That's why I generally use an address like 127.0.0.53. Remember that everything in 127.0.0.0/8 is considered local, so you have 16581374 addresses to choose from

Toast · Feb 19, 2015

Carpetsmoker said:
dnscrypt_proxy_1_flags="-a 127.0.0.1:65053"

Click to expand...

One of the downsides of using DNS on a port that's not 53 is that not everything works with this. For example, /etc/resolv.conf, drill(1), or dig(1) don't. This may be useful one day to test something (for example, if you suspect one of the DNS servers that's being proxies is misbehaving).

dig(1) and drill(1) do work on non-standard ports.
# dig/drill -p 65053 @127.0.0.1 freebsd.org

arabesc · Jul 2, 2015

ohcaml said:
Fixed the script so that the service can run on boot when

Thanks, but it should work without your fix. Actually, it works for me on boot without issues.

ohcaml said:
(Add rcvar=dnscrypt_proxy_enable after name=...)

There's such a line in the body of the for loop. The loop executes at least once for the settings in the old format.

ohcaml said:
The script needs to be further improved so it can be configured with the original settings

It's not clear to me what you mean, but this script should handle old settings without their changes.

manas · Jun 28, 2017

Thank you, arabesc

Tested with 10 servers from https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv

Code:

dnscrypt_proxy_enable="YES"
dnscrypt_proxy_instances="dnscrypt_proxy_1 dnscrypt_proxy_2 dnscrypt_proxy_3 dnscrypt_proxy_4 dnscrypt_proxy_5 dnscrypt_proxy_6 dnscrypt_proxy_7 dnscrypt_proxy_8 dnscrypt_proxy_9 dnscrypt_proxy_10"
dnscrypt_proxy_1_resolver="ventricle.us"
dnscrypt_proxy_1_flags="-a 127.0.0.2:53 --provider-key=E985:F118:AD4E:3CC6:5FF2:2520:1890:C6F5:58B7:5B5A:52F5:6B17:CFEA:C100:5C8B:9BAA --provider-name=2.dnscrypt-cert.dnscrypt.ventricle.us --resolver-address=107.170.57.34 -T -E -l /dev/null"
dnscrypt_proxy_2_resolver="d0wn-us-ns2"
dnscrypt_proxy_2_flags="-a 127.0.0.2:54 --provider-key=729B:FABE:2295:D469:E911:F97E:3EE4:F6DB:0190:EA6F:7CF3:F7EE:BB6B:99B1:698A:237D --provider-name=2.dnscrypt-cert.us2.d0wn.biz --resolver-address=192.252.222.24 -T -E -l /dev/null"
dnscrypt_proxy_3_resolver="d0wn-us-ns4"
dnscrypt_proxy_3_flags="-a 127.0.0.2:55 --provider-key=F392:5D53:A315:66C2:ACF2:B2D2:8A69:6739:B066:1B8C:EF1B:3AFD:E828:0D83:D4EA:6D7D --provider-name=2.dnscrypt-cert.us4.d0wn.biz --resolver-address=107.181.168.52 -T -E -l /dev/null"
dnscrypt_proxy_4_resolver="d0wn-fr-ns2"
dnscrypt_proxy_4_flags="-a 127.0.0.2:56 --provider-key=25A7:DB7B:7835:55D5:7DA4:7C0C:57F8:9C5F:0220:3D09:67E3:585A:723E:E0D1:CB38:F767 --provider-name=2.dnscrypt-cert.fr2.d0wn.biz --resolver-address=37.187.0.40 -T -E -l /dev/null"
dnscrypt_proxy_5_resolver="d0wn-random-ns2"
dnscrypt_proxy_5_flags="-a 127.0.0.2:57 --provider-key=7D73:F486:3C01:4CC9:B278:D107:F254:7A4F:1EA2:1081:07B0:CB82:645A:D8A4:B98A:B327 --provider-name=2.dnscrypt-cert.random2.dnscrypt.d0wn.biz --resolver-address=185.14.29.140 -T -E -l /dev/null"
#dnscrypt_proxy_5_resolver="dnscrypt.eu-nl"
#dnscrypt_proxy_5_flags="-a 127.0.0.2:57 --provider-key=67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66 --provider-name=2.dnscrypt-cert.resolver1.dnscrypt.eu --resolver-address=176.56.237.171 -T -E -l /dev/null"
dnscrypt_proxy_6_resolver="d0wn-nl-ns2"
dnscrypt_proxy_6_flags="-a 127.0.0.2:58 --provider-key=DFAA:B7D8:29E6:1F34:4FED:2610:4221:70C9:ADC7:7E9F:A65F:4A46:0BAE:A735:3186:3B99 --provider-name=2.dnscrypt-cert.nl2.d0wn.biz --resolver-address=185.83.217.248:1053 -T -E -l /dev/null"
dnscrypt_proxy_7_resolver="d0wn-de-ns2"
dnscrypt_proxy_7_flags="-a 127.0.0.2:59 --provider-key=8C62:691A:A7EA:69D3:8A25:86AA:2715:87F0:9B11:9159:0663:55FC:1CD0:61C5:C863:1940 --provider-name=2.dnscrypt-cert.de2.d0wn.biz --resolver-address=185.137.15.105 -T -E -l /dev/null"
dnscrypt_proxy_8_resolver="d0wn-cr-ns1"
dnscrypt_proxy_8_flags="-a 127.0.0.2:60 --provider-key=408B:5064:1EF0:575F:EC9A:BBF6:FC0A:F83A:F434:22BD:03FA:2663:81B3:DADD:1312:5A85 --provider-name=2.dnscrypt-cert.cr.d0wn.biz --resolver-address=138.59.17.208 -T -E -l /dev/null"
dnscrypt_proxy_9_resolver="d0wn-de-ns1"
dnscrypt_proxy_9_flags="-a 127.0.0.2:61 --provider-key=B040:19F8:8D49:4682:41E3:EB58:5F61:173F:EF8E:55DA:0597:2DB7:27BB:C153:1DD8:D109 --provider-name=2.dnscrypt-cert.de.d0wn.biz --resolver-address=82.211.31.248 -T -E -l /dev/null"
dnscrypt_proxy_10_resolver="d0wn-fr-ns1"
dnscrypt_proxy_10_flags="-a 127.0.0.2:62 --provider-key=58A8:22D3:29EB:C14F:BCEB:45AF:42EB:2F58:C797:0AD3:ED31:397D:1D34:8636:2375:7251 --provider-name=2.dnscrypt-cert.fr.d0wn.biz --resolver-address=151.80.7.115:1053 -T -E -l /dev/null"

with the following in /usr/local/etc/unbound/unbound.conf

Code:

forward-zone:
        name: "."
        forward-addr: 127.0.0.2@53
        forward-addr: 127.0.0.2@54
        forward-addr: 127.0.0.2@55
        forward-addr: 127.0.0.2@56
        forward-addr: 127.0.0.2@57
        forward-addr: 127.0.0.2@58
        forward-addr: 127.0.0.2@59
        forward-addr: 127.0.0.2@60
        forward-addr: 127.0.0.2@61
        forward-addr: 127.0.0.2@62

Beeblebrox · Jun 29, 2017

If you build dns/dnscrypt-proxy with the RCMULTI option, dnscrypt will spawn the multiple threads as specified in /etc/rc.conf or dnscrypt-proxy.conf. Placing these services in a jail with DNSSEC: https://forums.freebsd.org/threads/48966/#post-273718

Run multiple instances of dns/dnscrypt-proxy service

arabesc

ohcaml

arp242

Toast

arabesc

manas

Beeblebrox