Installation on EdgeOS

Frank Denis edited this page Dec 10, 2019 · 7 revisions

The following instructions were tested on an ERLite-3 running EdgeOS 1.10.x.

Prerequisites

Install dnsutils. Check this in case of problems with installation.

sudo apt-get install -y dnsutils
sudo ntpdate -b 216.239.35.0

Remove the dnssec option from /etc/dnsmasq.conf.

Download pre-compiled package

Log in to your router over SSH. Download the MIPS64 binary from the releases page (update the version number):

curl -L -o dnscrypt-proxy.tar.gz https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.0.28/dnscrypt-proxy-linux_mips64-2.0.28.tar.gz

Unpack the content of this package:

tar xzf dnscrypt-proxy.tar.gz

This will create a linux-mips64 folder. Check that the downloaded binary is compatible with your processor:

linux-mips64/dnscrypt-proxy -version

If you see the version, it's all good. Otherwise, try a different binary. If you have an ER-X, try the MIPSLE binary.

Configure router

Now is a good moment to create and edit the configuration file:

cp linux-mips64/example-dnscrypt-proxy.toml linux-mips64/dnscrypt-proxy.toml
vi linux-mips64/dnscrypt-proxy.toml

The most important part is to edit listen_addresses. I propose the following change:

listen_addresses = ['127.0.0.1:5353']

Optionally, improve performance by enabling this entry:

tls_cipher_suite = [52392, 49199]

When done, move the whole folder to /config/ under a new name:

mv linux-mips64 /config/dnscrypt-proxy

Create an executable script that will reinstall and start dnscrypt-proxy after a system upgrade:

echo '#!/bin/sh' > /config/scripts/post-config.d/dnscrypt.sh
echo '/config/dnscrypt-proxy/dnscrypt-proxy -service install' >> /config/scripts/post-config.d/dnscrypt.sh
echo '/config/dnscrypt-proxy/dnscrypt-proxy -service start' >> /config/scripts/post-config.d/dnscrypt.sh

chmod +x /config/scripts/post-config.d/dnscrypt.sh

Now you can try to start dnscrypt-proxy. Use the freshly created script:

sudo /config/scripts/post-config.d/dnscrypt.sh

If no error is thrown, check that the proxy is able to resolve names:

dig @localhost -p 5353 google.com

You should get an answer.

If all went well, configure the router settings to redirect queries to dnscrypt-proxy:

configure
delete service dns forwarding system 
set service dns forwarding options 'server=127.0.0.1#5353'
commit

Check the connection. Initially, it can take a while until all your devices react correctly. If nothing works, check the logs in /var/log/messages. Revert the router's DNS redirect with:

load;commit

When DNS works as expected, save configuration and make it permanent:

save

Test

Assuming eth0 is your WAN interface, run:

sudo tcpdump -i eth0 dst host 1.1.1.1 or dst host 1.0.0.1 or src host 1.1.1.1 or src host 1.0.0.1 -n

In the example above, tcpdump displays traces of the secured communication between you and Cloudflare DNS. If you use another provider, change the IP addresses accordingly.

Check that no queries are sent in plain text:

sudo tcpdump -i eth0 dst port 53 or src port 53 -n -x -X -v

This should give no output.
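
An added example, not part of the original wiki page: a filter that turns the plaintext check above into a pass/fail result. It reads one-line `tcpdump -nn` output (no -x/-X hex dump), compares the parsed port instead of searching for the string "53", and exits non-zero if any port-53 packet was seen. The function names, the constructed sample lines and the availability of `timeout` on the router are assumptions.

```shell
#!/bin/sh
# Added example, not from the dnscrypt-proxy wiki.
# plain_dns_report: read `tcpdump -nn` text on stdin and print
# "src -> dst : summary" for every packet to or from port 53.
# Exit status: 0 = no plaintext DNS seen, 1 = at least one packet.
plain_dns_report() {
    awk '
    function port(ep,   n, parts) {   # port is the text after the last dot
        sub(/:$/, "", ep)             # the destination carries a trailing ":"
        n = split(ep, parts, ".")
        return parts[n]
    }
    /^[ \t]*0x/ { next }              # ignore hex dump lines from -x/-X
    {
        for (i = 1; i < NF; i++) if ($i == ">") break
        if (i <= 1 || i >= NF) next   # not a "src > dst:" packet line
        src = $(i - 1); dst = $(i + 1)
        if (port(src) != "53" && port(dst) != "53") next
        rest = ""
        for (j = i + 2; j <= NF; j++) rest = rest " " $j
        sub(/:$/, "", dst)
        printf "%s -> %s :%s\n", src, dst, rest
        leaks++
    }
    END { exit (leaks > 0) }'
}

# check_wan IFACE [SECONDS]: capture on the WAN interface, then report.
# Run as root; assumes coreutils `timeout` is installed on the router.
check_wan() {
    timeout "${2:-30}" tcpdump -i "$1" -nn -l port 53 2>/dev/null | plain_dns_report
}

# Constructed sample lines (documentation addresses, not a real capture).
# Lines 1 and 5 contain "53" in an address or port but are not DNS.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 203.0.113.53.40112 > 1.1.1.1.443: Flags [P.], seq 1:518, length 517
12:00:01.200000 IP 203.0.113.7.51000 > 198.51.100.53.53: 4242+ A? example.com. (29)
12:00:01.230000 IP 198.51.100.53.53 > 203.0.113.7.51000: 4242 1/0/0 A 192.0.2.10 (45)
12:00:02.000000 IP6 2001:db8::7.40500 > 2001:db8::53.53: 77+ AAAA? example.org. (29)
12:00:03.000000 IP 203.0.113.7.5353 > 1.0.0.1.443: Flags [.], ack 90, length 0
EOF
}

# Live capture only when an interface is given, e.g.: sudo sh dnsleak.sh eth0 60
if [ "$#" -gt 0 ]; then check_wan "$@"; fi
```

Each reported line names both endpoints and the query, which shows which host is still sending plaintext DNS and for which name.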