$OpenBSD: README-main,v 1.8 2017/01/23 18:00:23 tj Exp $

+-----------------------------------------------------------------------
| Running ${FULLPKGNAME} on OpenBSD
+-----------------------------------------------------------------------

In order to perform queries over DNSCrypt, the easiest way is to change
your /etc/resolv.conf file:

nameserver 127.0.0.1
lookup file bind
options edns0

DNSCrypt does _not_ cache queries, so the recommended way to use it is
as a forwarder for a DNS cache like Unbound. The following unbound.conf
example may be used as a guideline:

server:
	interface: 127.0.0.1
	interface: 192.168.1.1 # additional addresses to listen on
	access-control: 192.168.1.0/24 allow # who's allowed to make queries
	do-not-query-localhost: no
	hide-identity: yes
	hide-version: yes

forward-zone:
        name: "."
        forward-addr: 127.0.0.1@40
       #forward-addr: 127.0.0.1@41 # example failover server, see below

A list of resolvers providing DNSCrypt service is available at
${TRUEPREFIX}/share/dnscrypt-proxy/dnscrypt-resolvers.csv.
Choose one (there is no default) and configure it, for example:

rcctl enable dnscrypt_proxy
rcctl set dnscrypt_proxy flags -E -m1 -R dnscrypt.eu-nl -a 127.0.0.1:40
rcctl start dnscrypt_proxy

The dnscrypt-proxy utility does not support failover resolvers; as described
in "Using DNSCrypt in combination with a DNS cache" on https://dnscrypt.org/,
you will need to run a second instance of it for DNS redundancy. This can be
handled by rcctl(8) by adding a symbolic link to the script:

ln -s dnscrypt_proxy /etc/rc.d/dnscrypt_proxy2
rcctl enable dnscrypt_proxy2
rcctl set dnscrypt_proxy2 flags -E -m1 -R dnscrypt.eu-dk -a 127.0.0.1:41
rcctl start dnscrypt_proxy2

For more information, see https://dnscrypt.org/
