# Run multiple instances of dns/dnscrypt-proxy service



## arabesc (Oct 1, 2014)

I would like to share a modified version of the /usr/local/etc/rc.d/dnscrypt-proxy script, which is used to control the dns/dnscrypt-proxy service.
The new script allows launching multiple instances of the service with different options.

So, the current syntax in the rc.conf looks like this:

```
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_resolver="<server name>"
dnscrypt_proxy_flags="-a 127.0.0.1:65053"
```

Proposed syntax is like this:

```
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_instances="dnscrypt_proxy_1 dnscrypt_proxy_2 dnscrypt_proxy_3"
dnscrypt_proxy_1_resolver="<server1 name>"
dnscrypt_proxy_1_flags="-a 127.0.0.1:65053"
dnscrypt_proxy_2_resolver="<server2 name>"
dnscrypt_proxy_2_flags="-a 127.0.0.1:65054"
dnscrypt_proxy_3_resolver="<server3 name>"
dnscrypt_proxy_3_flags="-a 127.0.0.1:65055"
```

Finally, the modified /usr/local/etc/rc.d/dnscrypt-proxy:

```
#!/bin/sh
#
# $FreeBSD: head/dns/dnscrypt-proxy/files/dnscrypt-proxy.in 373758 2014-12-02 09:21:49Z xmj $
#
# PROVIDE: dnscrypt_proxy
# REQUIRE: SERVERS cleanvar
# BEFORE: named local_unbound unbound
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf to enable dnscrypt-proxy:
#
# dnscrypt_proxy_instances (str):  Set to "dnscrypt_proxy" by default.
#       List of dnscrypt_proxy instance id's,
#       e.g. "dnscrypt_proxy_1 dnscrypt_proxy_2", etc.
# dnscrypt_proxy_enable (bool):  Set to NO by default.
#       Set to YES to enable every instance listed above.
# {instance_id}_uid (str):  Set to "_dnscrypt-proxy" by default.
#       User to switch to after starting.
# {instance_id}_resolver (str):  Set to "opendns" by default.
#       Choose a different upstream resolver.
# {instance_id}_pidfile (str):  default: "/var/run/{instance_id}.pid"
#       Location of pid file.
# {instance_id}_logfile (str):  default: "/var/log/{instance_id}.log"
#       Location of log file.
# {instance_id}_flags (str):  Extra flags for that instance,
#       e.g. "-a 127.0.0.1:65053" to pick its listen address.
#
# To redirect a local resolver through dnscrypt-proxy, point it at 127.0.0.2
# and add the following to rc.conf:
# ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
# dnscrypt_proxy_flags='-a 127.0.0.2'

. /etc/rc.subr

name=dnscrypt_proxy

load_rc_config ${name}

: ${dnscrypt_proxy_instances="${name}"}
: ${dnscrypt_proxy_enable:=NO}

dnscrypt_proxy_enable_tmp=${dnscrypt_proxy_enable}

command=/usr/local/sbin/dnscrypt-proxy
procname=/usr/local/sbin/dnscrypt-proxy

for i in $dnscrypt_proxy_instances; do
  name=${i}

  eval ${name}_enable=${dnscrypt_proxy_enable_tmp}
  rcvar=${name}_enable

  load_rc_config ${i}

  eval dnscrypt_proxy_uid_tmp=\${${i}_uid}
  eval dnscrypt_proxy_resolver_tmp=\${${i}_resolver}
  eval dnscrypt_proxy_pidfile_tmp=\${${i}_pidfile}
  eval dnscrypt_proxy_logfile_tmp=\${${i}_logfile}

  : ${dnscrypt_proxy_uid_tmp:=_dnscrypt-proxy}      # User to run daemon as
  : ${dnscrypt_proxy_resolver_tmp:=opendns}         # resolver to use
  : ${dnscrypt_proxy_pidfile_tmp:=/var/run/${i}.pid} # Path to pid file
  : ${dnscrypt_proxy_logfile_tmp:=/var/log/${i}.log} # Path to log file

  command_args="-d -p ${dnscrypt_proxy_pidfile_tmp} -l ${dnscrypt_proxy_logfile_tmp} -u ${dnscrypt_proxy_uid_tmp} -R ${dnscrypt_proxy_resolver_tmp}"

  pidfile=${dnscrypt_proxy_pidfile_tmp}

  _rc_restart_done=false # workaround for: service dnscrypt-proxy restart

  run_rc_command "$1"
done
```

It would be great if this, or a community-improved version of the script, were included in the dns/dnscrypt-proxy package.


----------



## ohcaml (Feb 5, 2015)

Fixed the script so that the service can run on boot when:

```
dnscrypt_proxy_enable="YES"
```

(Add rcvar=dnscrypt_proxy_enable after name=...)

https://gist.github.com/steakknife/02832ff104df3483c012

The script needs to be further improved so it can be configured with the original settings, making multiple instances optional. This would make it a more viable port improvement.


----------



## Carpetsmoker (Feb 11, 2015)

> dnscrypt_proxy_1_flags="-a 127.0.0.1:65053"



One of the downsides of using DNS on a port that's not 53 is that not everything works with this. For example, /etc/resolv.conf, drill(1), or dig(1) don't. This may be useful one day to test something (for example, if you suspect one of the DNS servers that's being proxied is misbehaving).

That's why I generally use an address like 127.0.0.53. Remember that everything in 127.0.0.0/8 is considered local, so you have 16581374 addresses to choose from.


----------



## Toast (Feb 19, 2015)

Carpetsmoker said:


> > dnscrypt_proxy_1_flags="-a 127.0.0.1:65053"
> 
> 
> One of the downsides of using DNS on a port that's not 53 is that not everything works with this. For example, /etc/resolv.conf, drill(1), or dig(1) don't. This may be useful one day to test something (for example, if you suspect one of the DNS servers that's being proxied is misbehaving).



dig(1) and drill(1) do work on non-standard ports.
`# dig/drill -p 65053 @127.0.0.1 freebsd.org`


----------



## arabesc (Jul 2, 2015)

ohcaml said:


> Fixed the script so that the service can run on boot when


Thanks, but it should work without your fix. Actually, it works for me on boot without issues.



ohcaml said:


> (Add rcvar=dnscrypt_proxy_enable after name=...)


There's such a line in the body of the _for_ loop. The loop executes at least once for the settings in the old format.



ohcaml said:


> The script needs to be further improved so it can be configured with the original settings


It's not clear to me what you mean, but this script should handle old settings without any changes to them.


----------



## manas (Jun 28, 2017)

Thank you, arabesc

Tested with 10 servers from https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv


```
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_instances="dnscrypt_proxy_1 dnscrypt_proxy_2 dnscrypt_proxy_3 dnscrypt_proxy_4 dnscrypt_proxy_5 dnscrypt_proxy_6 dnscrypt_proxy_7 dnscrypt_proxy_8 dnscrypt_proxy_9 dnscrypt_proxy_10"
dnscrypt_proxy_1_resolver="ventricle.us"
dnscrypt_proxy_1_flags="-a 127.0.0.2:53 --provider-key=E985:F118:AD4E:3CC6:5FF2:2520:1890:C6F5:58B7:5B5A:52F5:6B17:CFEA:C100:5C8B:9BAA --provider-name=2.dnscrypt-cert.dnscrypt.ventricle.us --resolver-address=107.170.57.34 -T -E -l /dev/null"
dnscrypt_proxy_2_resolver="d0wn-us-ns2"
dnscrypt_proxy_2_flags="-a 127.0.0.2:54 --provider-key=729B:FABE:2295:D469:E911:F97E:3EE4:F6DB:0190:EA6F:7CF3:F7EE:BB6B:99B1:698A:237D --provider-name=2.dnscrypt-cert.us2.d0wn.biz --resolver-address=192.252.222.24 -T -E -l /dev/null"
dnscrypt_proxy_3_resolver="d0wn-us-ns4"
dnscrypt_proxy_3_flags="-a 127.0.0.2:55 --provider-key=F392:5D53:A315:66C2:ACF2:B2D2:8A69:6739:B066:1B8C:EF1B:3AFD:E828:0D83:D4EA:6D7D --provider-name=2.dnscrypt-cert.us4.d0wn.biz --resolver-address=107.181.168.52 -T -E -l /dev/null"
dnscrypt_proxy_4_resolver="d0wn-fr-ns2"
dnscrypt_proxy_4_flags="-a 127.0.0.2:56 --provider-key=25A7:DB7B:7835:55D5:7DA4:7C0C:57F8:9C5F:0220:3D09:67E3:585A:723E:E0D1:CB38:F767 --provider-name=2.dnscrypt-cert.fr2.d0wn.biz --resolver-address=37.187.0.40 -T -E -l /dev/null"
dnscrypt_proxy_5_resolver="d0wn-random-ns2"
dnscrypt_proxy_5_flags="-a 127.0.0.2:57 --provider-key=7D73:F486:3C01:4CC9:B278:D107:F254:7A4F:1EA2:1081:07B0:CB82:645A:D8A4:B98A:B327 --provider-name=2.dnscrypt-cert.random2.dnscrypt.d0wn.biz --resolver-address=185.14.29.140 -T -E -l /dev/null"
#dnscrypt_proxy_5_resolver="dnscrypt.eu-nl"
#dnscrypt_proxy_5_flags="-a 127.0.0.2:57 --provider-key=67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66 --provider-name=2.dnscrypt-cert.resolver1.dnscrypt.eu --resolver-address=176.56.237.171 -T -E -l /dev/null"
dnscrypt_proxy_6_resolver="d0wn-nl-ns2"
dnscrypt_proxy_6_flags="-a 127.0.0.2:58 --provider-key=DFAA:B7D8:29E6:1F34:4FED:2610:4221:70C9:ADC7:7E9F:A65F:4A46:0BAE:A735:3186:3B99 --provider-name=2.dnscrypt-cert.nl2.d0wn.biz --resolver-address=185.83.217.248:1053 -T -E -l /dev/null"
dnscrypt_proxy_7_resolver="d0wn-de-ns2"
dnscrypt_proxy_7_flags="-a 127.0.0.2:59 --provider-key=8C62:691A:A7EA:69D3:8A25:86AA:2715:87F0:9B11:9159:0663:55FC:1CD0:61C5:C863:1940 --provider-name=2.dnscrypt-cert.de2.d0wn.biz --resolver-address=185.137.15.105 -T -E -l /dev/null"
dnscrypt_proxy_8_resolver="d0wn-cr-ns1"
dnscrypt_proxy_8_flags="-a 127.0.0.2:60 --provider-key=408B:5064:1EF0:575F:EC9A:BBF6:FC0A:F83A:F434:22BD:03FA:2663:81B3:DADD:1312:5A85 --provider-name=2.dnscrypt-cert.cr.d0wn.biz --resolver-address=138.59.17.208 -T -E -l /dev/null"
dnscrypt_proxy_9_resolver="d0wn-de-ns1"
dnscrypt_proxy_9_flags="-a 127.0.0.2:61 --provider-key=B040:19F8:8D49:4682:41E3:EB58:5F61:173F:EF8E:55DA:0597:2DB7:27BB:C153:1DD8:D109 --provider-name=2.dnscrypt-cert.de.d0wn.biz --resolver-address=82.211.31.248 -T -E -l /dev/null"
dnscrypt_proxy_10_resolver="d0wn-fr-ns1"
dnscrypt_proxy_10_flags="-a 127.0.0.2:62 --provider-key=58A8:22D3:29EB:C14F:BCEB:45AF:42EB:2F58:C797:0AD3:ED31:397D:1D34:8636:2375:7251 --provider-name=2.dnscrypt-cert.fr.d0wn.biz --resolver-address=151.80.7.115:1053 -T -E -l /dev/null"
```

with the following in /usr/local/etc/unbound/unbound.conf


```
forward-zone:
        name: "."
        forward-addr: 127.0.0.2@53
        forward-addr: 127.0.0.2@54
        forward-addr: 127.0.0.2@55
        forward-addr: 127.0.0.2@56
        forward-addr: 127.0.0.2@57
        forward-addr: 127.0.0.2@58
        forward-addr: 127.0.0.2@59
        forward-addr: 127.0.0.2@60
        forward-addr: 127.0.0.2@61
        forward-addr: 127.0.0.2@62
```
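
A check that ties the instance syntax from arabesc's first post to the rc.conf/unbound pairing above, added here as an example and not code from the thread or the port: it reads an rc.conf fragment, extracts each instance's `-a` listener, refuses duplicate listeners (the rc.d loop starts every instance blindly, so two instances bound to one socket leave one of them dead) and prints the matching unbound forward-zone. It assumes a bare `-a` address listens on port 53; both rc.conf fragments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): read a multi-instance dnscrypt-proxy rc.conf
# fragment, pull the "-a" listener out of each <instance>_flags, reject duplicate
# listeners (the rc.d loop starts every instance blindly, so two instances on one
# socket leave one of them dead) and print the matching unbound forward-zone.
GOOD_RCCONF='dnscrypt_proxy_enable="YES"
dnscrypt_proxy_instances="dnscrypt_proxy_1 dnscrypt_proxy_2 dnscrypt_proxy_3"
dnscrypt_proxy_1_flags="-a 127.0.0.2:53 -T -E -l /dev/null"
dnscrypt_proxy_2_flags="-a 127.0.0.2:54 --resolver-address=192.0.2.10 -T -E"
dnscrypt_proxy_3_flags="-T -a 127.0.0.3"'          # constructed sample
BAD_RCCONF="$GOOD_RCCONF
dnscrypt_proxy_3_flags=\"-a 127.0.0.2:54\""         # last assignment wins: collides
# rc_value CONTENT VAR: value of the last VAR="..." assignment in CONTENT.
rc_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\\(.*\\)\"\$/\\1/p" | tail -n 1
}
# listener FLAGS: argument of -a ("-a X" or "-aX"), exit 1 if absent. Tokenising
# on whitespace keeps "--resolver-address=..." from matching as "-a".
listener() (
    set -f; set -- $1                  # split flags into words without globbing
    while [ $# -gt 0 ]; do
        case $1 in
            -a)   [ $# -ge 2 ] && printf '%s\n' "$2" && exit 0; exit 1 ;;
            -a?*) printf '%s\n' "${1#-a}"; exit 0 ;;
        esac
        shift
    done
    exit 1
)
# forward_zone CONTENT: unbound forward-zone for every instance, or return 1.
forward_zone() {
    seen=" " zone='forward-zone:
        name: "."'
    for inst in $(rc_value "$1" dnscrypt_proxy_instances); do
        addr=$(listener "$(rc_value "$1" "${inst}_flags")") ||
            { echo "$inst: no -a listener in ${inst}_flags" >&2; return 1; }
        # Assumption: a bare address means port 53 (the "-a 127.0.0.2" form in
        # the rc.d header), so 127.0.0.2 and 127.0.0.2:53 count as the same socket.
        case $addr in *:*) host=${addr%:*} port=${addr##*:} ;; *) host=$addr port=53 ;; esac
        case $seen in *" $host:$port "*)
            echo "$inst: listener $host:$port already used" >&2; return 1 ;;
        esac
        seen="$seen$host:$port "
        zone="$zone
        forward-addr: $host@$port"
    done
    printf '%s\n' "$zone"
}
forward_zone "$GOOD_RCCONF"
forward_zone "$BAD_RCCONF" || echo "duplicate listener rejected"
```

Run it against a real /etc/rc.conf with `forward_zone "$(cat /etc/rc.conf)"` before `service dnscrypt_proxy start`, and paste the printed zone into unbound.conf.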


----------



## Beeblebrox (Jun 29, 2017)

If you build dns/dnscrypt-proxy with the RCMULTI option, dnscrypt will spawn multiple threads as specified in /etc/rc.conf or dnscrypt-proxy.conf. Placing these services in a jail with DNSSEC: https://forums.freebsd.org/threads/48966/#post-273718


----------

