Solved Dnscrypt-proxy and IPFW rules

I installed and configured dnscrypt-proxy, but when I enable IPFW it cuts me off from DNS, and I can't use them together. I tried using some rules like:

Code:
ipfw add 007 allow udp from any to 172.0.0.1 dst-port 53 keep-state 
ipfw add 008 allow tcp from any to 172.0.0.1 dst-port 53 keep-state
ipfw add 009 allow udp from me to any dst-port 53 keep-state
ipfw add 010 allow tcp from me to any dst-port 53 keep-state

But still doesn't work. Any idea?
 
Thanks for a request. I had unlocked port 443 before, but my new DNS uses UDP on port 2053, and the solution is unlocking port 2053, or allowing connections only to the DNS server:
ipfw add 007 allow udp from me to 178.216.201.222 dst-port 2053 keep-state

I tried that before and it didn't work because DHCP sets the default router DNS in /etc/resolv.conf, and after a reboot the IPFW rules don't work anymore. The solution is to set chflags(1) on the file: chflags schg /etc/resolv.conf
 
I tried that before and it didn't work because DHCP sets the default router DNS in /etc/resolv.conf, and after a reboot the IPFW rules don't work anymore. The solution is to set chflags(1) on the file: chflags schg /etc/resolv.conf

That's a pretty fragile solution. You may want to make a dhclient.conf(5) that sets the options you desire.

EXAMPLE:
Code:
interface "em3"
{
  supersede domain-name "mydomain.com";
  supersede domain-name-servers 127.0.0.1;
}
 
I have this:

Code:
#...
#  defaults are usually fine.
#

supercede domain-name-servers 127.0.0.1; # use dnscrypt instead

But DHCP sets the default router DNS. I don't know why. Maybe because of the { } tags?
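
An added example, not part of the thread and not code from any poster: a small POSIX sh check for the two files discussed above. It verifies that dhclient.conf contains an effective `supersede domain-name-servers 127.0.0.1;` statement (the keyword in dhclient.conf(5) and in the earlier reply is spelled `supersede`, while the last post's file has `supercede`) and that resolv.conf lists only the loopback resolver. The function names and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint dhclient.conf and resolv.conf for a dnscrypt-proxy setup
# that listens on 127.0.0.1 (assumption taken from the thread).

# check_dhclient_conf FILE
# Returns 0 if an uncommented "supersede domain-name-servers 127.0.0.1;" exists.
check_dhclient_conf() {
    conf=$1
    # Drop comments so a commented-out statement is not counted as effective.
    body=$(sed 's/#.*$//' "$conf")
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*supercede[[:space:]]'; then
        echo "$conf: misspelled keyword 'supercede' (dhclient.conf(5) has 'supersede')"
    fi
    if printf '%s\n' "$body" | grep -Eq \
        '^[[:space:]]*supersede[[:space:]]+domain-name-servers[[:space:]]+127\.0\.0\.1[[:space:]]*;'
    then
        return 0
    fi
    echo "$conf: no effective 'supersede domain-name-servers 127.0.0.1;'"
    return 1
}

# check_resolv_conf FILE
# Returns 0 only if there is at least one nameserver and all are 127.0.0.1,
# i.e. DHCP has not written the router's resolver into the file.
check_resolv_conf() {
    awk '$1 == "nameserver" { n++; if ($2 != "127.0.0.1") bad++ }
         END { exit !(n > 0 && bad + 0 == 0) }' "$1"
}

# Constructed sample inputs (not real system files).
tmp=$(mktemp -d)
printf '%s\n' 'supercede domain-name-servers 127.0.0.1; # use dnscrypt instead' \
    > "$tmp/posted.conf"                      # statement as posted in the thread
printf '%s\n' 'interface "em3"' '{' '  supersede domain-name-servers 127.0.0.1;' '}' \
    > "$tmp/fixed.conf"                       # spelling from the earlier reply
printf '%s\n' 'nameserver 192.168.1.1' > "$tmp/resolv.dhcp"   # constructed router address
printf '%s\n' 'nameserver 127.0.0.1'   > "$tmp/resolv.ok"

for f in posted.conf fixed.conf; do
    if check_dhclient_conf "$tmp/$f"; then echo "$f: ok"; else echo "$f: FAIL"; fi
done
for f in resolv.dhcp resolv.ok; do
    if check_resolv_conf "$tmp/$f"; then echo "$f: ok"; else echo "$f: FAIL"; fi
done
```

On a real system the functions would be pointed at /etc/dhclient.conf and /etc/resolv.conf after the lease has been renewed.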
 