Howto Raspberry pi 3 dnscrypt-proxy, unbound Caching DNS and DHCP Server

This how-to assumes that you are a somewhat experienced FreeBSD user, and understand how to use dd carefully to avoid data loss. It also assumes that you are able to restore your system to a working configuration if anything goes wrong.

There is a Synopsis/Condensed Version below for the experienced and impatient.


This nano FreeBSD server provides more granular control on my local network. It was built using the FreeBSD 12.1 RPI3 SD card image available at https://www.freebsd.org/where.html

1. Download the image, unzip it, and insert the Micro SD card into a reader connected to your FreeBSD desktop or laptop computer.

2. Identify which device is the card by running “dmesg”. The output will look similar to this:

#dmesg
May 15 19:52:12 kernel: da4 at umass-sim0 bus 0 scbus8 target 0 lun 4
May 15 19:52:12 kernel: da4: <Generic- USB3.0 CRW-SD/MS 1.00> Removable Direct Access SPC-2 SCSI device
May 15 19:52:12 kernel: da4: Serial Number 201006010301
May 15 19:52:12 kernel: da4: 80.000MB/s transfers
May 15 19:52:12 kernel: da4: 60272MB (123437056 512 byte sectors)
May 15 19:52:12 kernel: da4: quirks=0x2<NO_6_BYTE>


You can see in this example that the Micro SD card is /dev/da4. If you downloaded the image to your Downloads folder in your home directory, you would dd the card like this:

#dd if=~/Downloads/FreeBSD-12.1-RELEASE-arm64-aarch64-RPI3.img of=/dev/da4 bs=64k

3. At this point, the card can be inserted into the Raspberry; it will boot and run headless. Network settings are acquired via DHCP, and the default credentials are freebsd/freebsd and root/root. Change these!

If you need to, you can mount the card's root partition while it’s still in the reader and change some settings before booting it:

#mount /dev/da4s2 /mnt

Add options to its /etc/rc.conf, e.g. a static IP, if needed. Changing much else, such as attempting to change usernames and passwords, may cause the boot to fail or leave you locked out of the system. Additionally, there’s no need to grow the file system to fill the free space left on the card; settings in rc.conf will do that on first boot.

4. From here you can install unbound, dnscrypt-proxy, and dhcpd.


#pkg install unbound
#pkg install dnscrypt-proxy
#pkg install dhcpd


6. Add the following lines in /etc/rc.conf:

Code:
ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
dnscrypt_proxy_enable=YES
dnscrypt_proxy_flags="-a 127.0.0.2"
dnscrypt_proxy_resolver="soltysiak"
unbound_enable="YES"
unbound_flags="-c /usr/local/etc/unbound/unbound.conf"
dhcpd_enable=YES

7. Create a /usr/local/etc/unbound/unbound.conf file. Here’s an example for dual stack local lan you can edit to your liking: https://pastebin.com/bpMpwJzq

Run #unbound-control-setup

8. Create a /usr/local/etc/dhcpd.conf. Here’s an example for a lan: https://pastebin.com/m353wb0R

9. Start the services

#service unbound start
#service dnscrypt-proxy start
#service dhcpd start


Conclusion: All services should be running at this point. Mine has been working quite well: it has been up for 3 weeks and has sped up DNS, and it is obviously nice to have fast encrypted DNS and FQDNs for all LAN hosts.

SYNOPSIS/CONDENSED VERSION


#wget http://download.raspbsd.org/FreeBSD-aarch64-12.0-GENERIC-313109M.img.gz
#dd if=/path-to/FreeBSD-aarch64-12.0-GENERIC-313109M.img of=/dev/daX bs=64k

(where X=the Micro SD dev)

Insert the Micro SD card in the Raspberry Pi 3 and boot. Its network settings are set via DHCP; ssh to it, credentials are raspberry/raspberry. If you want to add additional settings before you start your Pi, there’s more detailed documentation below.

#env ABI=FreeBSD:11:aarch64 pkg bootstrap

And add the following line to /usr/local/etc/pkg.conf:
Code:
ABI = "FreeBSD:11:aarch64";

Caveats: It was necessary to unmount /tmp to install pkg and the other binaries to prevent the installations from failing due to “filesystem full” complaints. I remounted /tmp after installing the binaries I wanted.


#pkg install unbound
#pkg install dnscrypt-proxy
#pkg install dhcpd


Add the following lines in /etc/rc.conf:

Code:
ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
dnscrypt_proxy_enable=YES
dnscrypt_proxy_flags="-a 127.0.0.2"
dnscrypt_proxy_resolver="soltysiak"
unbound_enable="YES"
unbound_flags="-c /usr/local/etc/unbound/unbound.conf"
dhcpd_enable=YES

Create an /usr/local/etc/unbound/unbound.conf Example: https://pastebin.com/bpMpwJzq
Create a /usr/local/etc/dhcpd.conf. Example: https://pastebin.com/m353wb0R


#unbound-control-setup
#service unbound start
#service dnscrypt-proxy start
#service dhcpd start

Services should be running.
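
For the unbound.conf step above, an added example (not part of the original post or the linked pastebin): a shell check that a config forwards the root zone only to dnscrypt-proxy on 127.0.0.2 and sets do-not-query-localhost: no, which unbound needs before it will query a loopback forwarder. The sample configs, the LAN address 192.168.1.2 and the subnet 192.168.1.0/24 are constructed assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Sample configs are constructed;
# the LAN address 192.168.1.2 and subnet 192.168.1.0/24 are assumptions.

good_conf() {
cat <<'EOF'
server:
    interface: 127.0.0.1
    interface: 192.168.1.2
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    do-not-query-localhost: no   # permit the forwarder on 127.0.0.2
    hide-identity: yes
    hide-version: yes
forward-zone:
    name: "."
    forward-addr: 127.0.0.2@53   # dnscrypt-proxy from rc.conf (-a 127.0.0.2)
EOF
}

# Same file without the override: unbound's default (yes) refuses to send
# queries to localhost addresses, so the forwarder is never used.
bad_conf() { good_conf | grep -v 'do-not-query-localhost'; }

# Read an unbound.conf on stdin; print findings; return non-zero if any.
# Assumes "name:" precedes "forward-addr:" inside each forward-zone clause.
audit_unbound_conf() {
  awk '
    { sub(/#.*/, "") }
    NF == 1 && $1 ~ /:$/ { clause = $1; root = 0; next }
    clause == "server:" && $1 == "do-not-query-localhost:" && $2 == "no" { local_ok = 1 }
    clause == "forward-zone:" && $1 == "name:" { root = ($2 == "\".\"" || $2 == ".") }
    clause == "forward-zone:" && $1 == "forward-addr:" && root {
      if ($2 ~ /^127\.0\.0\.2(@53)?$/) proxy = 1; else leak = leak " " $2
    }
    END {
      if (!proxy)    { print "root zone is not forwarded to 127.0.0.2"; bad = 1 }
      if (leak)      { print "root zone also forwards to:" leak; bad = 1 }
      if (!local_ok) { print "do-not-query-localhost is not set to no"; bad = 1 }
      exit bad + 0
    }'
}

good_conf | audit_unbound_conf && echo "good_conf: forwards only to dnscrypt-proxy"
bad_conf  | audit_unbound_conf || echo "bad_conf: rejected"
```

On the Pi itself, pipe the real file in with audit_unbound_conf < /usr/local/etc/unbound/unbound.conf before starting the services.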
 
Can you add an http proxy too?
I don't see why not, one might need to adjust /tmp file sizes. I will probably attempt to add a http proxy as soon as I get a better feel for how the SD card performs. I noticed that this image mounts /tmp, /var/tmp and /var/log as memory disks using the md driver. I assume that's because too much rw on the card is a concern. When I have a stable configuration that includes http proxy, I will update this howto.
 
I don't see why not, one might need to adjust /tmp file sizes. I will probably attempt to add a http proxy as soon as I get a better feel for how the SD card performs. I noticed that this image mounts /tmp, /var/tmp and /var/log as memory disks using the md driver. I assume that's because too much rw on the card is a concern. When I have a stable configuration that includes http proxy, I will update this howto.

For what it's worth, I used an SD card as my data storage (home directories, temp, etc.) on a Netbook back when they were a thing. It lasted 2 years before it died (because of hitting the write limit on flash). Annoyingly it became completely unreadable instead of read-only. Good thing I knew it would die and took daily backups.

On my Raspberry Pi, I use a USB flash drive for /var, /tmp, and swap. Home directories are NFS mounted from another server. Although I haven't yet tried to get FreeBSD to run on the Pi (but the NFS server is FreeBSD).
 