DNSCrypt in Ubuntu 16.04 (DNSCrypt-proxy)

In Ubuntu 16.04 DNSCrypt can be installed from apt-get:

sudo apt-get install dnscrypt-proxy

Installing DNSCrypt will change the DNS settings on the local machine as set using

sudo nano "/etc/default/dnscrypt-proxy"

The top of this file reads something like

# What local IP the daemon will listen to, with an optional port.
# The default port is 53. If using systemd, this is not used and must be
# specified in dnscrypt-proxy.socket.
DNSCRYPT_PROXY_LOCAL_ADDRESS=127.0.0.1:53

LIES, lies from tiny eyes, I am using systemd (Ubuntu 16.04). Since I am using DHCP to get an IP address on my RPi, I want that to apply for DNSCrypt as well. If I use 0.0.0.0:53 then that will show up at the top of /etc/resolv.conf followed by my DHCP DNS IPs, If I use 127.0.0.1:53, then that will be the only address in /etc/resolv.conf. I tested this with

sudo systemctl restart dnscrypt-proxy.service && sudo systemctl restart dnscrypt-proxy.socket

I used 0.0.0.0, which will allow the RPi to have DNS if the DNSCrypt service isn’t working (somewhat likely after testing many servers on the dnscrypt-resolvers.csv file)

I opened

sudo systemctl edit --full dnscrypt-proxy.socket

and changed the Listen IPs accordingly:

[Socket]
ListenStream=0.0.0.0:53
ListenDatagram=0.0.0.0:53

I downloaded the latest resolvers file from Github: dnscrypt-resolvers.csv and copied it to /usr/share/dnscrypt-proxy/

$cd /usr/share/dnscrypt-proxy/
$sudo mv "/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv" "/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv.old"
$sudo wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv

which allowed me to find an active working local resolver with this test command:

sudo dnscrypt-proxy -E --resolver-name=cisco --test=0

I edited /etc/default/dnscrypt-proxy with option E:

DNSCRYPT_PROXY_OPTIONS="-E"

The the recommendation  “Having a dedicated system user, with no privileges and with an empty home directory, is highly recommended.” it seems is already followed by the service, and looking at the USER of the dnscrypt-proxy process with command

sudo lsof -i -n

The DNS resolver can be tested using:

hostip -r 127.0.0.1 resolver.dnscrypt.org

 

One Reply to “DNSCrypt in Ubuntu 16.04 (DNSCrypt-proxy)”

Leave a Reply

Your email address will not be published. Required fields are marked *