
DNSCrypt: Difference between revisions

From InstallGentoo Wiki v2
Revision by Chocolate Chip, minor edit (Chocolate Chip moved page DNSCrypt on wheels to DNSCrypt over redirect: You are a shithead)
Latest revision by Se7en1
(123 intermediate revisions by 5 users not shown)
Remove systemd as a dependency (section from the earlier revision, dropped in the latest one)

In version 1.6 systemd can be removed from the software by leaving its references out of the configure script before compiling. The relevant lines can be found around 3258 to 3288 of the configure script.

The end result should look something like this:

configure (lines around 3258 to 3288, after editing)
# MANUAL SYSTEMD PATCH. GO AWAY NSA.
have_systemd=no

HAVE_SYSTEMD_TRUE=
HAVE_SYSTEMD_FALSE='#'

# Check whether --with-systemd was given.
#if test "${with_systemd+set}" = set; then :
#  withval=$with_systemd;
#fi
#
#if test "x$with_systemd" = "xyes"; then :
#
#  PKG_CHECK_MODULES(SYSTEMD, libsystemd, have_systemd=yes,
#    PKG_CHECK_MODULES([SYSTEMD_DAEMON], [libsystemd-daemon], [have_systemd=yes], [have_systemd=no])
#  )
#  case $with_systemd:$have_systemd in #(
#  yes:no) :
#    as_fn_error $? "systemd expected but libsystemd not found" #"$LINENO" 5 ;; #(
#  *:yes) :
#
#$as_echo "#define HAVE_LIBSYSTEMD 1" >>confdefs.h
#
#   ;; #(
#  *) :
#    ;;
#esac
#
#fi
# if test "x$have_systemd" = "xyes"; then
#  HAVE_SYSTEMD_TRUE=
#  HAVE_SYSTEMD_FALSE='#'
#else
#  HAVE_SYSTEMD_TRUE='#'
#  HAVE_SYSTEMD_FALSE=
#fi

Now run echo /usr/local/lib > /etc/ld.so.conf.d/usr_local_lib.conf, sudo ldconfig and ./configure, then make and finally sudo make install.


Latest revision as of 16:09, 27 June 2021

See also Anonymizing yourself

(Image: Dnscrypt.png)

DNSCrypt is a local DNS resolver that uses elliptic-curve cryptography (via libsodium) to authenticate and encrypt the messages passed to and from the DNS server, which makes it useful for mitigating MITM attacks on DNS. It is best used alongside a caching DNS server like Unbound.

Only a few servers are currently known to support DNSCrypt; however, adoption is growing.

Installation

Unix-like

Requirements & dependencies

`--  dev-libs/libsodium
`--  net-libs/ldns
`--  virtual/pkgconfig

Arch users can install dnscrypt-proxy and set it up manually. Gentoo users can easily compile DNSCrypt from scratch from the main repository. Debian users can install it from the package dnscrypt-proxy, but only in testing or unstable.

Building

  1. git clone git://github.com/jedisct1/dnscrypt-proxy.git
  2. cd dnscrypt-proxy
  3. ./autogen.sh
  4. CFLAGS="-O3 -march=native" ./configure --prefix=/usr
  5. make -j<n> (where <n> is the number of parallel jobs you want to spawn)
  6. sudo make install

Windows

Use SimpleDNSCrypt, it just werks. If it doesn't, go talk to the developer.

iOS

You will need a jailbroken iOS device (>=5.1.1) in order to install DNSCrypt.

  1. Download the pre-compiled binary for iOS;
  2. Copy the {bin,sbin,share} directories of the archive into the {bin,sbin,share} directories of the device;

Configuration

Linux

Warning: This section is outdated and will no longer work, because newer versions of DNSCrypt no longer use the same flags. Please edit it if you have updated information.

If you would rather run the commands yourself at boot time, this section is for you. However, the following step is common amongst all Linux distros: you must edit your /etc/resolv.conf file to look like this:

/etc/resolv.conf
domain home
nameserver <the DNSCrypt you picked for --local-address>
options edns0

Lock it with sudo chattr +i /etc/resolv.conf, and then, either move on to systemd/OpenRC, or run the following script every time you boot up your PC:

sudo dnscrypt-proxy --local-address=<ip>[:port] --daemonize --resolver-address=<Server address> --provider-name=<Provider name> --provider-key=<Public key> --edns-payload-size=4096 --logfile=/var/log/dnscrypt-proxy.log
Note: Be aware that you will need to use a port that is not in use by other programs. The default is 53.
Note: Be aware that some DNS daemons are configured to recognize only three nameservers in resolv.conf. Recompiling may be necessary. On Debian systems, the packages are compiled to go beyond 3 entries.
Tip: Security considerations.

systemd

If you didn't remove the systemd dependency, the source distribution includes the dnscrypt-proxy.socket and dnscrypt-proxy.service files. As such, in order to activate them, you need only edit them (to pick the server), place them in /etc/systemd/system and run systemctl enable dnscrypt-proxy.service, and then systemctl start dnscrypt-proxy.

You can check if it's running by issuing systemctl status dnscrypt-proxy.service.

Note: DNSCrypt's systemd socket uses port 53 by default. You can easily change that at will.

Other init

/etc/init.d/dnscrypt-proxy
#!/sbin/runscript

## Note: This shebang may need to be changed to /bin/bash or something
## else depending on what init your system uses.

# This script is Copyright (C) 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2

# Uncomment if you use the System V init
#. /etc/init.d/dnscrypt-proxy

# $Id$

# Defaults; the variables from /etc/conf.d/dnscrypt-proxy (sourced by OpenRC)
# override them.
DNSCRYPT_LOGFILE=${DNSCRYPT_LOGFILE:-/var/log/dnscrypt-proxy.log}

rundir=${rundir:-/var/run/dnscrypt-proxy}
pidfile=${pidfile:-${rundir}/dnscrypt-proxy.pid}
runas_user=${runas_user:-${DNSCRYPT_USER:-dnscrypt}}
runas_group=${runas_group:-dnscrypt}

depend() {
	use net
	before dns
	after logger
}

start() {
	# Create the run directory and the log file owned by the unprivileged
	# user the first time, so the daemon never needs root to write them.
	if [ ! -d "${rundir}" ]; then
		mkdir "${rundir}"
		if [ -n "${runas_user}" ]; then
			touch "${DNSCRYPT_LOGFILE}"
			chown ${runas_user}:${runas_group} "${DNSCRYPT_LOGFILE}"
			chown -R ${runas_user}:${runas_group} "${rundir}"
		fi
	fi

	ebegin "Starting dnscrypt-proxy"
	start-stop-daemon --start --quiet \
		--exec /usr/sbin/dnscrypt-proxy \
		-- \
		${DNSCRYPT_OPTIONS} \
		--pidfile="${pidfile}" \
		--logfile="${DNSCRYPT_LOGFILE}" \
		--daemonize --user=${runas_user} \
		--local-address=${DNSCRYPT_LOCALIP}:${DNSCRYPT_LOCALPORT} \
		--resolver-address=${DNSCRYPT_RESOLVERIP}:${DNSCRYPT_RESOLVERPORT} \
		--provider-name=${DNSCRYPT_PROVIDER_NAME} \
		--provider-key=${DNSCRYPT_PROVIDER_KEY}
	eend $?
}

stop() {
	ebegin "Stopping dnscrypt-proxy"
	start-stop-daemon --stop --quiet --exec /usr/sbin/dnscrypt-proxy
	eend $?
}

You will need to make it executable, sudo chmod +x /etc/init.d/dnscrypt-proxy.

This init script requires a configuration file at /etc/conf.d/dnscrypt-proxy. Pick two servers (one will serve as the fallback), making sure they are compatible with the options you will want to use later on (DNSSEC with Unbound, for instance), and add the following text:

/etc/conf.d/dnscrypt-proxy
DNSCRYPT_LOCALIP=127.0.0.1
DNSCRYPT_LOCALPORT=40
DNSCRYPT_USER=dnscrypt

# Primary resolver (values from dnscrypt-resolvers.csv)
DNSCRYPT_PROVIDER_NAME=
DNSCRYPT_PROVIDER_KEY=
DNSCRYPT_RESOLVERIP=

# Fallback resolver. Note that in shell a second assignment simply overrides
# the first: one dnscrypt-proxy instance talks to one resolver (see Fallback
# DNS servers below), so leave only the block this instance should use.
DNSCRYPT_PROVIDER_NAME=
DNSCRYPT_PROVIDER_KEY=
DNSCRYPT_RESOLVERIP=

DNSCRYPT_OPTIONS="--edns-payload-size=4096"

DNSCRYPT_RESOLVERPORT=443

Alternatively, you could use this script, which reads the resolver details directly from the dnscrypt-resolvers.csv file in /usr/share/dnscrypt-proxy (you need to copy the csv there yourself):

/etc/init.d/dnscrypt-proxy
#!/sbin/runscript

## Note: This shebang may need to be changed to /bin/bash or something
## else depending on what init your system uses.

# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2

# Uncomment if you use the System V init
#. /etc/init.d/dnscrypt-proxy

# $Id$

# Defaults; the variables from /etc/conf.d/dnscrypt-proxy (sourced by OpenRC)
# override them.
DNSCRYPT_LOGFILE=${DNSCRYPT_LOGFILE:-/var/log/dnscrypt-proxy.log}
DNSCRYPT_RESOLVERS_LIST=${DNSCRYPT_RESOLVERS_LIST:-/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv}

rundir=${rundir:-/var/run/dnscrypt-proxy}
pidfile=${pidfile:-${rundir}/dnscrypt-proxy.pid}
runas_user=${runas_user:-${DNSCRYPT_USER:-dnscrypt}}
runas_group=${runas_group:-dnscrypt}

depend() {
	use net
	before dns
	after logger
}

start() {
	# Create the run directory and the log file owned by the unprivileged
	# user the first time, so the daemon never needs root to write them.
	if [ ! -d "${rundir}" ]; then
		mkdir "${rundir}"
		if [ -n "${runas_user}" ]; then
			touch "${DNSCRYPT_LOGFILE}"
			chown ${runas_user}:${runas_group} "${DNSCRYPT_LOGFILE}"
			chown -R ${runas_user}:${runas_group} "${rundir}"
		fi
	fi

	# Exactly one way of naming the resolver must be set in the conf file:
	# DNSCRYPT_RESOLVER_NAME (the "Name" column of the csv), or
	# DNSCRYPT_RESOLVERIP together with the provider name and key.
	if [ -n "$DNSCRYPT_RESOLVER_NAME" ] && [ -n "$DNSCRYPT_RESOLVERIP" ]; then
		eerror "You must set exactly one of DNSCRYPT_RESOLVER_NAME or DNSCRYPT_RESOLVERIP!"
		return 1
	elif [ -n "$DNSCRYPT_RESOLVER_NAME" ]; then
		resolver_opts="--resolvers-list=${DNSCRYPT_RESOLVERS_LIST} --resolver-name=${DNSCRYPT_RESOLVER_NAME}"
	elif [ -n "$DNSCRYPT_RESOLVERIP" ]; then
		resolver_opts="--resolver-address=${DNSCRYPT_RESOLVERIP}:${DNSCRYPT_RESOLVERPORT} --provider-name=${DNSCRYPT_PROVIDER_NAME} --provider-key=${DNSCRYPT_PROVIDER_KEY}"
	else
		eerror "You must set exactly one of DNSCRYPT_RESOLVER_NAME or DNSCRYPT_RESOLVERIP!"
		return 1
	fi

	ebegin "Starting dnscrypt-proxy"
	start-stop-daemon --start --quiet \
		--exec /usr/sbin/dnscrypt-proxy \
		-- \
		${DNSCRYPT_OPTIONS} \
		--pidfile="${pidfile}" \
		--logfile="${DNSCRYPT_LOGFILE}" \
		--daemonize --user=${runas_user} \
		--local-address=${DNSCRYPT_LOCALIP}:${DNSCRYPT_LOCALPORT} \
		$resolver_opts
	eend $?
}

stop() {
	ebegin "Stopping dnscrypt-proxy"
	start-stop-daemon --stop --quiet --exec /usr/sbin/dnscrypt-proxy
	eend $?
}

Make sure to substitute where appropriate. You will also have to manually create a user called dnscrypt (an /etc/passwd entry has seven colon-separated fields, the fifth being the usually empty comment field):

/etc/passwd
dnscrypt:x:117:991::/var/empty:/sbin/nologin

You'll also have to create a group:

/etc/group
...
dnscrypt:x:991:

If you're using OpenRC, to activate the init script, issue sudo rc-update add dnscrypt-proxy.

One last alternative is a simplistic and minimalist init.d configuration that declares all the vars in one file:

/etc/init.d/dnscrypt-proxy
#! /bin/sh
### BEGIN INIT INFO
# Provides:          dnscrypt-proxy
# Required-Start:    $local_fs $network
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: dnscrypt-proxy
# Description:       dnscrypt-proxy secure DNS client
### END INIT INFO

# Authors (in part): https://github.com/simonclausen/dnscrypt-autoinstall/graphs/contributors

PATH=/usr/sbin:/usr/bin:/sbin:/bin
DAEMON=/usr/local/sbin/dnscrypt-proxy
NAME=dnscrypt-proxy
# Placeholders must stay quoted: an unquoted value with spaces is a syntax error.
ADDRESS="<resolver IPv4 or IPv6>:<port>"
PNAME="<provider name>"
PKEY="<provider key fingerprint>"
LOG=/var/log/dnscrypt-proxy.log
EDNS=4096

case "$1" in
  start)
    if [ ! -x "$DAEMON" ]; then
      echo "$DAEMON is not executable" >&2
      exit 1
    fi
    echo "Starting $NAME"
    $DAEMON --local-address=127.0.0.1:40 --daemonize --ephemeral-keys --user=dnscrypt --resolver-address="$ADDRESS" --provider-name="$PNAME" --provider-key="$PKEY" --edns-payload-size=$EDNS --logfile=$LOG
    ;;
  stop)
    echo "Stopping $NAME"
    pkill -f "$DAEMON"
    ;;
  restart)
    "$0" stop
    "$0" start
    ;;
  *)
    echo "Usage: /etc/init.d/dnscrypt-proxy {start|stop|restart}"
    exit 1
    ;;
esac

exit 0

Mac OS X

Use the dnscrypt-osxclient.

Android

iOS

  1. Edit the org.dnscrypt.osx.DNSCryptProxy.plist file to set the resolver name to use, by editing this string <string>--resolver-name=***CHANGETHIS***</string>;
  2. Copy the org.dnscrypt.osx.DNSCryptProxy.plist file into /Library/LaunchDaemons on the device;

To get it working, simply:

  1. Reboot or type launchctl load org.dnscrypt.osx.DNSCryptProxy.plist;
  2. Change your wifi settings to use 127.0.0.1 as a DNS resolver;
  3. Enjoy being less susceptible to MITM attacks whilst on public WiFis.

Additional considerations

Picking a server

One must take a few considerations when picking a server:

  • Does it keep logs? Ideally, it shouldn't.
  • Is the server located in a country where servers are mandated by law to hold data for over n months? If it is, the previous point is moot.
  • Does it support the DNSCrypt protocol specification?
  • Does it support DNSSEC (assuming you want to use it in conjunction with DNSCrypt, and use Unbound to enforce it)? Highly recommendable. Your security is only as strong as the weakest link.
  • Is the latency low enough? Ping it.
  • Is the company or individual running the server trustworthy, or do they appear to have ulterior motives?

By default, DNSCrypt's configuration is set to the dnscrypt-eu servers, as they are often considered the most trustworthy resolvers. However, if you have no need for DNSSEC support, you can look into the various cryptostorm servers (if you're not in Europe), or the OpenNIC ones, if you'd like to make use of their extra TLDs.
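The checklist above can be applied mechanically to the resolver list the page links to. The following is an added example, not code from this wiki page or from the dnscrypt-proxy project: it filters a dnscrypt-resolvers.csv-style list for resolvers that speak protocol version 1, validate DNSSEC, claim not to keep logs and carry a well-formed provider key, then emits the option string the init scripts above pass to dnscrypt-proxy and the matching /etc/conf.d/dnscrypt-proxy lines. It assumes the column names of the v1 dnscrypt-resolvers.csv header; the rows in SAMPLE_CSV are constructed sample data (documentation-range addresses and made-up keys), not real resolvers, so replace SAMPLE_CSV with the contents of the real file to use it. Latency and trustworthiness are left to the reader, as the page says: ping it, and read about who runs it.

```python
"""Pick DNSCrypt resolvers from a dnscrypt-resolvers.csv-style list.

Added example; not code from the InstallGentoo wiki page or the dnscrypt-proxy
project. Assumptions: the column names follow the v1 dnscrypt-resolvers.csv
header, and the rows in SAMPLE_CSV are constructed (203.0.113.0/24 and
2001:db8::/32 are documentation ranges; the provider keys are made up).
"""
import csv
import io
import re

# Constructed sample list; only the header is assumed to match the real file.
SAMPLE_CSV = """\
Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
example-eu,Example EU,"Sample resolver, no logs, DNSSEC",Netherlands,"52.37,4.89",https://example.invalid,1,yes,yes,no,203.0.113.10:443,2.dnscrypt-cert.example.invalid,AAAA:BBBB:CCCC:DDDD:EEEE:FFFF:0000:1111:2222:3333:4444:5555:6666:7777:8888:9999,
example-logs,Example Logging,"Sample resolver that keeps logs",Germany,"52.52,13.40",https://example.invalid,1,yes,no,no,203.0.113.20:443,2.dnscrypt-cert.logs.example.invalid,AAAA:BBBB:CCCC:DDDD:EEEE:FFFF:0000:1111:2222:3333:4444:5555:6666:7777:8888:9999,
example-badkey,Example Bad Key,"Sample resolver with a malformed key",France,"48.85,2.35",https://example.invalid,1,yes,yes,no,[2001:db8::30]:443,2.dnscrypt-cert.badkey.example.invalid,NOTAKEY,
"""

# A provider key is the 32-byte public key written as 16 colon-separated
# groups of 4 hex digits; anything else makes the proxy reject every certificate.
PROVIDER_KEY_RE = re.compile(r"^(?:[0-9A-Fa-f]{4}:){15}[0-9A-Fa-f]{4}$")


def parse_resolvers(text):
    """Parse CSV text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def valid_provider_key(key):
    """True if the key has the fingerprint shape dnscrypt-proxy expects."""
    return bool(PROVIDER_KEY_RE.match(key or ""))


def split_address(address):
    """Split 'ip:port' (IPv4) or '[ip]:port' (IPv6) into (ip, port)."""
    host, _, port = address.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    if not host or not port.isdigit():
        raise ValueError("bad resolver address: %r" % address)
    return host, port


def pick_resolvers(rows, require_dnssec=True, require_no_logs=True, version="1"):
    """Apply the page's checklist: protocol version, DNSSEC, no logs, and a
    well-formed provider key."""
    chosen = []
    for row in rows:
        if row.get("Version") != version:
            continue
        if require_dnssec and row.get("DNSSEC validation", "").lower() != "yes":
            continue
        if require_no_logs and row.get("No logs", "").lower() != "yes":
            continue
        if not valid_provider_key(row.get("Provider public key")):
            continue
        chosen.append(row)
    return chosen


def resolver_opts(row):
    """Option string in the form the init scripts on the page pass to dnscrypt-proxy."""
    return "--resolver-address=%s --provider-name=%s --provider-key=%s" % (
        row["Resolver address"], row["Provider name"], row["Provider public key"])


def conf_d_fragment(row):
    """Lines for /etc/conf.d/dnscrypt-proxy using the page's variable names.
    IPv6 addresses keep their brackets so that the init script's
    ${DNSCRYPT_RESOLVERIP}:${DNSCRYPT_RESOLVERPORT} stays parseable."""
    ip, port = split_address(row["Resolver address"])
    if ":" in ip:
        ip = "[%s]" % ip
    return "\n".join([
        "DNSCRYPT_PROVIDER_NAME=%s" % row["Provider name"],
        "DNSCRYPT_PROVIDER_KEY=%s" % row["Provider public key"],
        "DNSCRYPT_RESOLVERIP=%s" % ip,
        "DNSCRYPT_RESOLVERPORT=%s" % port,
    ])


if __name__ == "__main__":
    for r in pick_resolvers(parse_resolvers(SAMPLE_CSV)):
        print(r["Name"], resolver_opts(r))
        print(conf_d_fragment(r))
```

On the constructed sample only example-eu survives: example-logs keeps logs and example-badkey has a key that does not match the fingerprint format, which is worth catching before the proxy starts rather than after it has refused every certificate and your resolv.conf is locked with chattr.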

Fallback DNS servers

It is also recommended to add a second, or even a third nameserver (that you know works) to your resolv.conf file. The default maximum you can have is 6, but you can change this number to whatever you want, by hacking MAXDNSRCH and defdname in resolv.h and recompiling the patched libc. A resolv.conf (with more than 6 nameservers) may look like this.

Note: the fallback servers listed in resolv.conf will NOT go through DNSCrypt, meaning those queries will not be encrypted and anyone on your local network will be able to spoof their answers (unless you're visiting a DNSSEC-signed domain and using Unbound or something else to enforce validation). In order to have DNSCrypt fallback servers, you'll need to run multiple instances of the program.
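To see which entries of resolv.conf would be queried in plaintext, the following added example (not code from this wiki page or from dnscrypt-proxy) parses a resolv.conf, flags every nameserver that is not one of the addresses the proxy listens on, checks that the proxy is listed first and that options edns0 is present, and, when run against the real file, reads the immutable bit with lsattr so a NetworkManager rewrite would be noticed. SAMPLE_RESOLV_CONF is constructed, PROXY_ADDRESSES assumes the 127.0.0.1 used in the page's examples, and the function names are this example's own.

```python
"""Audit /etc/resolv.conf for nameservers that bypass the local DNSCrypt proxy.

Added example; not code from the InstallGentoo wiki page or dnscrypt-proxy.
Assumptions: the proxy listens on the addresses in PROXY_ADDRESSES (127.0.0.1
as in the page's examples); SAMPLE_RESOLV_CONF is a constructed file whose
fallbacks use the documentation addresses 192.0.2.53 and 2001:db8::53.
"""
import ipaddress
import shutil
import subprocess

# Constructed sample: the proxy first, then two plaintext fallbacks.
SAMPLE_RESOLV_CONF = """\
# written by hand, locked with chattr +i
domain home
nameserver 127.0.0.1
nameserver 192.0.2.53
nameserver 2001:db8::53
options edns0
"""

PROXY_ADDRESSES = ("127.0.0.1",)


def parse_resolv_conf(text):
    """Return (nameservers, option words), ignoring comments and other keywords."""
    nameservers, options = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        if keyword == "nameserver" and rest.strip():
            nameservers.append(rest.strip())
        elif keyword == "options":
            options.extend(rest.split())
    return nameservers, options


def audit_resolv_conf(text, proxy_addresses=PROXY_ADDRESSES):
    """Classify each nameserver as the DNSCrypt proxy or as a fallback that
    the resolver library will query in plaintext whenever the proxy does not
    answer (the situation the wiki's note describes)."""
    proxies = {ipaddress.ip_address(p) for p in proxy_addresses}
    nameservers, options = parse_resolv_conf(text)
    bypass, proxy_first = [], False
    for index, ns in enumerate(nameservers):
        try:
            is_proxy = ipaddress.ip_address(ns) in proxies
        except ValueError:
            is_proxy = False  # unparsable entry: never trust it
        if index == 0:
            proxy_first = is_proxy
        if not is_proxy:
            bypass.append(ns)
    return {
        "nameservers": nameservers,
        "proxy_first": proxy_first,
        "bypass_proxy": bypass,
        "edns0": "edns0" in options,
    }


def is_immutable(path="/etc/resolv.conf"):
    """True if lsattr reports the immutable bit (set by chattr +i) on path.
    Returns None when lsattr is unavailable or the file cannot be inspected."""
    if shutil.which("lsattr") is None:
        return None
    try:
        out = subprocess.run(["lsattr", path], capture_output=True,
                             text=True, check=True).stdout
    except (subprocess.CalledProcessError, OSError):
        return None
    fields = out.split()
    return bool(fields) and "i" in fields[0]


if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        report = audit_resolv_conf(fh.read())
    report["immutable"] = is_immutable()
    for key, value in report.items():
        print("%-16s %s" % (key, value))
```

Everything listed under bypass_proxy is exactly the plaintext fallback the note above warns about; if you would rather not have any, remove those entries and run a second dnscrypt-proxy instance on another local address instead.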

Creating a new user and group

Running DNSCrypt under a dedicated user and group with no privileges and no home folder adds a further layer of protection. Create them by issuing sudo useradd -U -r -d /var/dnscrypt -m -s /sbin/nologin dnscrypt (for the user), and sudo usermod -g dnscrypt dnscrypt (for the group).

Sandboxing

It is possible to sandbox DNSCrypt, and even recommended.

To sandbox DNSCrypt, simply install firejail, and edit your systemd/OpenRC scripts, adding the prefix 'firejail' before dnscrypt. Firejail comes bundled with a profile for DNSCrypt and many more, which you can analyse, and even edit, by issuing vim /etc/firejail/dnscrypt-proxy.profile. Alternatively, you can use systemd's native sandbox.

Troubleshooting

Run hostip example.com. If that outputs an IP, then DNSCrypt is working and the problem lies with whatever DNS cache you're using (most likely Dnsmasq, or Unbound not forwarding to the right address/port). If not, your DNS server might be down, in which case you should ping it, and maybe issue sudo chattr -i /etc/resolv.conf to unlock your resolv.conf and temporarily change the nameserver to a DNS server of your choice until you fix the issue (not necessary if you have fallback DNS servers, as you should).

Sometimes, the issue is that NetworkManager edits the resolv.conf file on boot, which would mean you didn't properly lock the file with chattr.

If none of this fixes it, look at /var/log/dnscrypt-proxy.log and figure it out yourself, or are you not a true /g/entooman?

Tip: If you are using Unbound, or another caching DNS server of that sort, it is possible something is wrong with it and thus, you should also visit that program's log file and look for potential errors or warnings.

External links