Run multiple instances of dns/dnscrypt-proxy service

I would like to share a modified version of the /usr/local/etc/rc.d/dnscrypt-proxy script, which is used to control the dns/dnscrypt-proxy service.
The new script allows launching multiple instances of the service with different options.

So, the current syntax in the rc.conf looks like this:
Code:
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_resolver="<server name>"
dnscrypt_proxy_flags="-a 127.0.0.1:65053"

Proposed syntax is like this:
Code:
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_instances="dnscrypt_proxy_1 dnscrypt_proxy_2 dnscrypt_proxy_3"
dnscrypt_proxy_1_resolver="<server1 name>"
dnscrypt_proxy_1_flags="-a 127.0.0.1:65053"
dnscrypt_proxy_2_resolver="<server2 name>"
dnscrypt_proxy_2_flags="-a 127.0.0.1:65054"
dnscrypt_proxy_3_resolver="<server3 name>"
dnscrypt_proxy_3_flags="-a 127.0.0.1:65055"

Finally, the modified /usr/local/etc/rc.d/dnscrypt-proxy:
Code:
#!/bin/sh
#
# $FreeBSD: head/dns/dnscrypt-proxy/files/dnscrypt-proxy.in 373758 2014-12-02 09:21:49Z xmj $
#
# PROVIDE: dnscrypt_proxy
# REQUIRE: SERVERS cleanvar
# BEFORE: named local_unbound unbound
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf to enable dnscrypt-proxy:
#
# dnscrypt_proxy_enable (bool):    Set to NO by default.
#       Set to YES to enable dnscrypt-proxy (every instance, unless
#       overridden per instance).
# dnscrypt_proxy_instances (str):  Set to "dnscrypt_proxy" by default.
#       List of dnscrypt_proxy instance ids,
#       e.g. "dnscrypt_proxy_1 dnscrypt_proxy_2", etc.
# {instance_id}_enable (bool):     Defaults to ${dnscrypt_proxy_enable}.
#       Set to NO to keep a single instance disabled.
# {instance_id}_uid (str):         Set to "_dnscrypt-proxy" by default.
#       User to switch to after starting.
# {instance_id}_resolver (str):    Set to "opendns" by default.
#       Choose a different upstream resolver.
# {instance_id}_pidfile (str):     Set to "/var/run/{instance_id}.pid" by default.
#       Location of pid file.
# {instance_id}_logfile (str):     Set to "/var/log/{instance_id}.log" by default.
#       Location of log file.
# {instance_id}_flags (str):       Extra flags, e.g. the listen address
#       "-a 127.0.0.2:53"; every instance needs its own address or port.
#
# To redirect a local resolver through dnscrypt-proxy, point it at 127.0.0.2
# and add the following to rc.conf:
# ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
# dnscrypt_proxy_flags='-a 127.0.0.2'

. /etc/rc.subr

name=dnscrypt_proxy

load_rc_config ${name}

# Without dnscrypt_proxy_instances the loop below runs exactly once, under the
# original variable names, so an rc.conf in the old format keeps working.
: ${dnscrypt_proxy_instances:="${name}"}
: ${dnscrypt_proxy_enable:=NO}

dnscrypt_proxy_enable_tmp=${dnscrypt_proxy_enable}

command=/usr/local/sbin/dnscrypt-proxy
procname=/usr/local/sbin/dnscrypt-proxy

for i in $dnscrypt_proxy_instances; do
  name=${i}

  # An instance inherits the global enable setting unless rc.conf sets
  # {instance_id}_enable explicitly.
  eval ": \${${name}_enable:=${dnscrypt_proxy_enable_tmp}}"
  rcvar=${name}_enable

  load_rc_config ${i}

  eval dnscrypt_proxy_uid_tmp=\${${i}_uid}
  eval dnscrypt_proxy_resolver_tmp=\${${i}_resolver}
  eval dnscrypt_proxy_pidfile_tmp=\${${i}_pidfile}
  eval dnscrypt_proxy_logfile_tmp=\${${i}_logfile}

  : ${dnscrypt_proxy_uid_tmp:=_dnscrypt-proxy}        # User to run daemon as
  : ${dnscrypt_proxy_resolver_tmp:=opendns}           # resolver to use
  : ${dnscrypt_proxy_pidfile_tmp:=/var/run/${i}.pid}  # Path to pid file
  : ${dnscrypt_proxy_logfile_tmp:=/var/log/${i}.log}  # Path to log file

  # ${i}_flags (e.g. the listen address) is appended by run_rc_command.
  command_args="-d -p ${dnscrypt_proxy_pidfile_tmp} -l ${dnscrypt_proxy_logfile_tmp} -u ${dnscrypt_proxy_uid_tmp} -R ${dnscrypt_proxy_resolver_tmp}"

  pidfile=${dnscrypt_proxy_pidfile_tmp}

  # rc.subr only performs one restart per script invocation; reset the marker
  # so "service dnscrypt-proxy restart" restarts every instance.
  _rc_restart_done=false

  run_rc_command "$1"
done

It would be great if this, or a community-improved version of the script, were included in the dns/dnscrypt-proxy package.
 
dnscrypt_proxy_1_flags="-a 127.0.0.1:65053"

One of the downsides of using DNS on a port that's not 53 is that not everything works with this. For example, /etc/resolv.conf, drill(1), or dig(1) don't. This may be useful one day to test something (for example, if you suspect one of the DNS servers that's being proxied is misbehaving).

That's why I generally use an address like 127.0.0.53. Remember that everything in 127.0.0.0/8 is considered local, so you have 16581374 addresses to choose from :)
 
dnscrypt_proxy_1_flags="-a 127.0.0.1:65053"
One of the downsides of using DNS on a port that's not 53 is that not everything works with this. For example, /etc/resolv.conf, drill(1), or dig(1) don't. This may be useful one day to test something (for example, if you suspect one of the DNS servers that's being proxied is misbehaving).

dig(1) and drill(1) do work on non-standard ports.
# dig/drill -p 65053 @127.0.0.1 freebsd.org
 
Fixed the script so that the service can run on boot when
Thanks, but it should work without your fix. Actually, it works for me on boot without issues.

(Add rcvar=dnscrypt_proxy_enable after name=...)
There's such a line in the body of the for loop. The loop executes at least once for the settings in the old format.

The script needs to be further improved so it can be configured with the original settings
It's not clear to me what you mean, but this script should handle old settings without changing them.
 
Thank you, arabesc

Tested with 10 servers from https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv

Code:
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_instances="dnscrypt_proxy_1 dnscrypt_proxy_2 dnscrypt_proxy_3 dnscrypt_proxy_4 dnscrypt_proxy_5 dnscrypt_proxy_6 dnscrypt_proxy_7 dnscrypt_proxy_8 dnscrypt_proxy_9 dnscrypt_proxy_10"
dnscrypt_proxy_1_resolver="ventricle.us"
dnscrypt_proxy_1_flags="-a 127.0.0.2:53 --provider-key=E985:F118:AD4E:3CC6:5FF2:2520:1890:C6F5:58B7:5B5A:52F5:6B17:CFEA:C100:5C8B:9BAA --provider-name=2.dnscrypt-cert.dnscrypt.ventricle.us --resolver-address=107.170.57.34 -T -E -l /dev/null"
dnscrypt_proxy_2_resolver="d0wn-us-ns2"
dnscrypt_proxy_2_flags="-a 127.0.0.2:54 --provider-key=729B:FABE:2295:D469:E911:F97E:3EE4:F6DB:0190:EA6F:7CF3:F7EE:BB6B:99B1:698A:237D --provider-name=2.dnscrypt-cert.us2.d0wn.biz --resolver-address=192.252.222.24 -T -E -l /dev/null"
dnscrypt_proxy_3_resolver="d0wn-us-ns4"
dnscrypt_proxy_3_flags="-a 127.0.0.2:55 --provider-key=F392:5D53:A315:66C2:ACF2:B2D2:8A69:6739:B066:1B8C:EF1B:3AFD:E828:0D83:D4EA:6D7D --provider-name=2.dnscrypt-cert.us4.d0wn.biz --resolver-address=107.181.168.52 -T -E -l /dev/null"
dnscrypt_proxy_4_resolver="d0wn-fr-ns2"
dnscrypt_proxy_4_flags="-a 127.0.0.2:56 --provider-key=25A7:DB7B:7835:55D5:7DA4:7C0C:57F8:9C5F:0220:3D09:67E3:585A:723E:E0D1:CB38:F767 --provider-name=2.dnscrypt-cert.fr2.d0wn.biz --resolver-address=37.187.0.40 -T -E -l /dev/null"
dnscrypt_proxy_5_resolver="d0wn-random-ns2"
dnscrypt_proxy_5_flags="-a 127.0.0.2:57 --provider-key=7D73:F486:3C01:4CC9:B278:D107:F254:7A4F:1EA2:1081:07B0:CB82:645A:D8A4:B98A:B327 --provider-name=2.dnscrypt-cert.random2.dnscrypt.d0wn.biz --resolver-address=185.14.29.140 -T -E -l /dev/null"
#dnscrypt_proxy_5_resolver="dnscrypt.eu-nl"
#dnscrypt_proxy_5_flags="-a 127.0.0.2:57 --provider-key=67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66 --provider-name=2.dnscrypt-cert.resolver1.dnscrypt.eu --resolver-address=176.56.237.171 -T -E -l /dev/null"
dnscrypt_proxy_6_resolver="d0wn-nl-ns2"
dnscrypt_proxy_6_flags="-a 127.0.0.2:58 --provider-key=DFAA:B7D8:29E6:1F34:4FED:2610:4221:70C9:ADC7:7E9F:A65F:4A46:0BAE:A735:3186:3B99 --provider-name=2.dnscrypt-cert.nl2.d0wn.biz --resolver-address=185.83.217.248:1053 -T -E -l /dev/null"
dnscrypt_proxy_7_resolver="d0wn-de-ns2"
dnscrypt_proxy_7_flags="-a 127.0.0.2:59 --provider-key=8C62:691A:A7EA:69D3:8A25:86AA:2715:87F0:9B11:9159:0663:55FC:1CD0:61C5:C863:1940 --provider-name=2.dnscrypt-cert.de2.d0wn.biz --resolver-address=185.137.15.105 -T -E -l /dev/null"
dnscrypt_proxy_8_resolver="d0wn-cr-ns1"
dnscrypt_proxy_8_flags="-a 127.0.0.2:60 --provider-key=408B:5064:1EF0:575F:EC9A:BBF6:FC0A:F83A:F434:22BD:03FA:2663:81B3:DADD:1312:5A85 --provider-name=2.dnscrypt-cert.cr.d0wn.biz --resolver-address=138.59.17.208 -T -E -l /dev/null"
dnscrypt_proxy_9_resolver="d0wn-de-ns1"
dnscrypt_proxy_9_flags="-a 127.0.0.2:61 --provider-key=B040:19F8:8D49:4682:41E3:EB58:5F61:173F:EF8E:55DA:0597:2DB7:27BB:C153:1DD8:D109 --provider-name=2.dnscrypt-cert.de.d0wn.biz --resolver-address=82.211.31.248 -T -E -l /dev/null"
dnscrypt_proxy_10_resolver="d0wn-fr-ns1"
dnscrypt_proxy_10_flags="-a 127.0.0.2:62 --provider-key=58A8:22D3:29EB:C14F:BCEB:45AF:42EB:2F58:C797:0AD3:ED31:397D:1D34:8636:2375:7251 --provider-name=2.dnscrypt-cert.fr.d0wn.biz --resolver-address=151.80.7.115:1053 -T -E -l /dev/null"

with the following in /usr/local/etc/unbound/unbound.conf

Code:
forward-zone:
        name: "."
        forward-addr: 127.0.0.2@53
        forward-addr: 127.0.0.2@54
        forward-addr: 127.0.0.2@55
        forward-addr: 127.0.0.2@56
        forward-addr: 127.0.0.2@57
        forward-addr: 127.0.0.2@58
        forward-addr: 127.0.0.2@59
        forward-addr: 127.0.0.2@60
        forward-addr: 127.0.0.2@61
        forward-addr: 127.0.0.2@62
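An added example, not code from the thread or from the dnscrypt-proxy port, that ties the multi-instance rc.conf syntax from the first post to the unbound forward-zone above: given an rc.conf fragment, it lists each instance's listen address (filling in dnscrypt-proxy's default of 127.0.0.1:53 when -a is absent, and port 53 when -a names only a host), reports any address that two instances share, which is the one mistake this syntax makes easy to make and which leaves the second daemon unable to bind while unbound keeps forwarding to it, and prints the forward-zone stanza in unbound's host@port notation so the two files cannot drift apart. The sample fragment and its resolver names are constructed; the functions rc_value, listen_addr, instance_listen_addrs, duplicate_listen_addrs and unbound_forward_zone are mine, and the parsing assumes IPv4 listen addresses (one colon), as used throughout the thread.

```shell
#!/bin/sh
# Added example, not the thread's rc.d script: cross-check an rc.conf fragment
# in the multi-instance syntax and derive the unbound forward-zone from it.
# Assumes each instance's listen address is given as "-a host[:port]" inside
# ${instance_id}_flags, as in the thread; IPv4 only (a single colon).

# Constructed sample rc.conf fragment with placeholder resolver names.
# Instance 3 says "-a 127.0.0.2" without a port, so it falls back to port 53
# and collides with instance 1: whichever daemon starts second cannot bind,
# while unbound would still forward queries to that host:port.
SAMPLE_RC_CONF='dnscrypt_proxy_enable="YES"
dnscrypt_proxy_instances="dnscrypt_proxy_1 dnscrypt_proxy_2 dnscrypt_proxy_3"
dnscrypt_proxy_1_resolver="resolver-a"
dnscrypt_proxy_1_flags="-a 127.0.0.2:53 -T -E -l /dev/null"
dnscrypt_proxy_2_resolver="resolver-b"
dnscrypt_proxy_2_flags="-a 127.0.0.2:54 -T -E -l /dev/null"
dnscrypt_proxy_3_resolver="resolver-c"
dnscrypt_proxy_3_flags="-a 127.0.0.2 -T -E -l /dev/null"'

# rc_value CONF NAME: the value of NAME="..." in CONF; as in sh, the last
# assignment wins. Prints nothing if NAME is not set.
rc_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\(.*\)\"[[:space:]]*$/\1/p" | tail -n 1
}

# listen_addr FLAGS: the host:port given to -a. dnscrypt-proxy 1.x listens on
# 127.0.0.1:53 when -a is absent and on port 53 when only a host is given.
listen_addr() {
    set -- $1                       # word-split the flags string
    while [ $# -gt 1 ]; do
        case $1 in
        -a)
            case $2 in
            *:*) printf '%s\n' "$2" ;;
            *)   printf '%s:53\n' "$2" ;;
            esac
            return 0
            ;;
        esac
        shift
    done
    printf '127.0.0.1:53\n'
}

# instance_listen_addrs CONF: one "instance_id host:port" line per instance,
# in dnscrypt_proxy_instances order.
instance_listen_addrs() {
    for id in $(rc_value "$1" dnscrypt_proxy_instances); do
        printf '%s %s\n' "$id" "$(listen_addr "$(rc_value "$1" "${id}_flags")")"
    done
}

# duplicate_listen_addrs CONF: print every host:port claimed by more than one
# instance and return 1; print nothing and return 0 when all are distinct.
duplicate_listen_addrs() {
    dups=$(instance_listen_addrs "$1" | awk '{ print $2 }' | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf '%s\n' "$dups"
        return 1
    fi
    return 0
}

# unbound_forward_zone CONF: the forward-zone stanza that spreads unbound's
# queries over every instance, in unbound's host@port notation.
unbound_forward_zone() {
    printf 'forward-zone:\n        name: "."\n'
    instance_listen_addrs "$1" | while read -r _id addr; do
        printf '        forward-addr: %s\n' "$(printf '%s' "$addr" | sed 's/:/@/')"
    done
}

# Stand-alone run: refuse to emit a forward-zone for a fragment with clashes.
if dups=$(duplicate_listen_addrs "$SAMPLE_RC_CONF"); then
    unbound_forward_zone "$SAMPLE_RC_CONF"
else
    echo "listen address used by more than one instance: $dups" >&2
fi
```

The host:port pairs it lists are also exactly what the dig(1)/drill(1) -p form mentioned above needs to query one instance at a time, which is the quickest way to tell a dead listener from a misbehaving upstream.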
 