Installation on Debian and Ubuntu

Andrei Shevchuk edited this page Mar 14, 2019 · 16 revisions

Debian Stretch and Ubuntu currently ship with an old and unsupported dnscrypt-proxy package (1.9.x). Debian Testing and Unstable have up-to-date packages.

Generic Linux installation procedure

The generic instructions for Linux work fine on Debian and Ubuntu. The additional instructions below are not required if you are going that route.

However, if you had an old dnscrypt-proxy 1.x version installed, remove it first with:

sudo apt purge dnscrypt-proxy

Debian Testing (buster), Debian Unstable (sid)

Version 2.x of DNSCrypt-Proxy is included in Debian Testing and Debian Unstable. By adding the corresponding repository for testing, unstable, or both, you can install DNSCrypt-Proxy fully automatically: no manual configuration is required, and it works right after apt install dnscrypt-proxy.


Adding Repository

NB! This overwrites existing files. Be sure to check for old files.

Debian Testing
echo "deb https://deb.debian.org/debian/ testing main" | sudo tee /etc/apt/sources.list.d/testing.list
Debian Unstable
echo "deb https://deb.debian.org/debian/ unstable main" | sudo tee /etc/apt/sources.list.d/unstable.list

Pin Repository

This step is required so that you don't pull in packages that don't follow your system version.

/etc/apt/preferences.d/pinning.pref

Package: *
Pin: release a=stable
Pin-Priority: 900

Package: *
Pin: release a=testing
Pin-Priority: 500

Package: *
Pin: release a=unstable
Pin-Priority: 100

NB! Be careful the next time you do an upgrade. Take note if it pulls in packages that it should not. If so, the pinning might need tweaking. Read the manual for help.
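
One way to make that check before the next upgrade, as an added example that is not part of the original page: the function below reads the output of a simulated upgrade and lists every package that would be installed from testing or unstable, other than dnscrypt-proxy. The function names and the sample lines are constructed for illustration, and the `Inst` line layout is assumed to be the one `apt-get -s` prints.

```shell
#!/bin/sh
# Added example (not from the original page): spot packages that a simulated
# upgrade would pull from testing/unstable despite the pinning above.

# foreign_suite_packages [ALLOWED_PKG]
# Reads `apt-get -s dist-upgrade` output on stdin and prints "package suite"
# for every Inst line sourced from testing or unstable. ALLOWED_PKG is the one
# package expected to come from there (default: dnscrypt-proxy).
foreign_suite_packages() {
    allowed="${1:-dnscrypt-proxy}"
    awk -v allowed="$allowed" '
        $1 == "Inst" && $2 != allowed {
            # Assumed layout: Inst pkg [old] (new Origin:suite [arch])
            start = index($0, "(")
            if (start == 0) next
            src = substr($0, start)
            if (match(src, /[:\/](testing|unstable)[ ,)]/)) {
                suite = substr(src, RSTART + 1, RLENGTH - 2)
                print $2, suite
            }
        }'
}

# Constructed sample of simulated-upgrade output (versions are made up).
sample_simulation() {
    cat <<'EOF'
Inst libssl1.1 [1.1.0j-1~deb9u1] (1.1.1b-1 Debian:testing [amd64])
Inst tzdata [2018i-0+deb9u1] (2019a-0+deb9u1 Debian:9.8/stable [all])
Inst dnscrypt-proxy (2.0.19+ds1-2 Debian:testing [amd64])
Inst libc6 [2.24-11+deb9u4] (2.28-8 Debian:unstable [amd64])
EOF
}

# On a real system:
#   apt-get -s dist-upgrade | foreign_suite_packages
```

Any line it prints is a package that the pin priorities did not keep on stable.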

Install DNSCrypt-Proxy

testing
sudo apt update && \
sudo apt install -t testing dnscrypt-proxy
unstable
sudo apt update && \
sudo apt install -t unstable dnscrypt-proxy

And complete the setup with a reboot.


Ubuntu 18.10+

DNSCrypt-Proxy 2.x is included in the Ubuntu 18.10+ repositories. Install it with:

sudo apt install dnscrypt-proxy

Ubuntu PPA

For older Ubuntu versions, or if you need a newer DNSCrypt-Proxy version than the one included in the Ubuntu repositories, you can use the PPA:

sudo add-apt-repository ppa:shevchuk/dnscrypt-proxy && \
sudo apt update && \
sudo apt install dnscrypt-proxy

Do not upgrade from v1.x on Ubuntu Xenial. Instead, first back up your systemd units (service and socket), then remove the old version and delete the systemd service file (keep the socket), then upgrade (replace artful with xenial in the PPA sources.list). If you don't remove the old systemd service unit, the upgrade will not replace it, and the new version will be started using the old systemd unit, which will fail.

The package also configures dnsmasq to use dnscrypt-proxy (see /etc/dnsmasq.d/dnscrypt-proxy).

The same package should also work fine on Debian.

Configuration

If dnsmasq is already running

Option 1: remove dnsmasq

dnsmasq performs caching, as does dnscrypt-proxy v2. As such, the redundant caching is unnecessary, and dnsmasq can effectively be disabled. To disable dnsmasq for NetworkManager, make the /etc/NetworkManager/NetworkManager.conf file look like this:

[main]
plugins=ifupdown,keyfile,ofono
#dns=dnsmasq

[ifupdown]
managed=false

Option 2: keep dnsmasq

If you want to continue to use dnsmasq (default on Ubuntu), some configuration is needed:

  • dnsmasq listens on 127.0.0.1:53, so configure dnscrypt-proxy to use something different (e.g. 127.0.2.1:53, see listen_addresses in dnscrypt-proxy.toml)
  • configure dnsmasq to use dnscrypt-proxy, if the file is not already configured:
sudo tee /etc/dnsmasq.d/dnscrypt-proxy << EOF
# Redirect everything to dnscrypt-proxy
server=127.0.2.1
no-resolv
proxy-dnssec
EOF

Configure dnscrypt-proxy.toml

cd /etc/dnscrypt-proxy
sudo cp dnscrypt-proxy.toml dnscrypt-proxy.toml.original  # non-idempotent

In dnscrypt-proxy.toml, replace listen_addresses = ['127.0.0.1:53'] with listen_addresses = []. The package installs systemd sockets instead of standard sockets, so dnscrypt-proxy does not open the listening sockets itself.

Further configuration changes can be made later as needed, but in order to help with troubleshooting, keep the changes to a minimum for now.

Configure resolv.conf

Using the command line

This is just one way to get the nameserver persistently added to resolv.conf.

Create a file resolv.conf.override as below. Match the permissions and owner. Here, 127.0.0.1 comes from listen_addresses in dnscrypt-proxy.toml.

$ cd /etc
$ ll resolv.conf.override
-rwxrwxrwx 1 root root 172 Jun 26 20:38 resolv.conf.override*
$ cat resolv.conf.override
nameserver 127.0.0.1

Create a script 20-resolv-conf-override as below. Match the permissions and owner.

$ cd /etc/NetworkManager/dispatcher.d
$ ll 20-resolv-conf-override
-rwxr-xr-x 1 root root 101 Jun 26 20:45 20-resolv-conf-override*
$ cat 20-resolv-conf-override
#!/bin/sh
cp -f /etc/resolv.conf.override /run/resolvconf/resolv.conf
$ sudo ln -f 20-resolv-conf-override ./pre-up.d/
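
A check for the two files above, added here as an example and not part of the original page: both are consumed by root, so neither should be writable by anyone else. The listing shows resolv.conf.override as rwxrwxrwx, which lets any local user change the system resolver; mode 0644 is enough for the dispatcher script's cp. The function names are hypothetical, and `stat -c` is the GNU coreutils form found on Debian and Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original page).

# check_root_only_writable FILE [OWNER]
# Succeeds only if FILE is a regular file (not a symlink), is owned by OWNER
# (default: root) and is not writable by group or others.
check_root_only_writable() {
    file="$1"
    owner="${2:-root}"
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL $file: missing or not a regular file"
        return 1
    fi
    actual_owner="$(stat -c '%U' "$file")"
    mode="$(stat -c '%a' "$file")"
    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL $file: owned by $actual_owner, expected $owner"
        return 1
    fi
    # Octal bits 020 (group write) and 002 (other write) must both be clear.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $file: mode $mode is writable by group or others"
        return 1
    fi
    echo "OK   $file: $actual_owner $mode"
}

# audit_resolv_override: check the two files used by the procedure above.
audit_resolv_override() {
    audit_status=0
    check_root_only_writable /etc/resolv.conf.override || audit_status=1
    check_root_only_writable \
        /etc/NetworkManager/dispatcher.d/20-resolv-conf-override || audit_status=1
    return "$audit_status"
}

# On the configured system:
#   audit_resolv_override || sudo chmod 0644 /etc/resolv.conf.override
```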

Using the network configuration applet

  • Go to the network configuration applet. Click Wifi Icon > Edit Connections > Click on Wired Connection 1 (if you use wired) or the Wifi name that you currently use, and click Edit.
  • In the Editing... window, click IPv4 settings and choose Automatic (DHCP) addresses only as the method. Finally, add 127.0.0.1 in the DNS servers field.

Start services

If the PPA installer was used, restart the services:

sudo systemctl restart NetworkManager
sudo systemctl restart dnscrypt-proxy

The older equivalent commands are:

sudo service network-manager restart
sudo service dnscrypt-proxy restart

If instead the installation was done manually:

sudo ./dnscrypt-proxy -service install
sudo ./dnscrypt-proxy -service start

Test

dnscrypt-proxy -resolve github.com
dig dnscrypt.info | grep SERVER # Must show matching nameserver, e.g. 127.0.0.1#53, in resolv.conf
ping -c1 google.com # Should show matching IP and ping successfully
sudo tcpdump  # Should show specific resolver if it is not rotating
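
The dig comparison above can be scripted, as an added example that is not part of the original page: it checks that every nameserver in resolv.conf is a loopback address and that the server which answered dig is one of them. The function names and the sample data (including 192.0.2.53) are constructed; on a real system, save `dig dnscrypt.info` to a file and pass it with /etc/resolv.conf to check_resolver.

```shell
#!/bin/sh
# Added example: confirm that resolv.conf points only at the local proxy and
# that the server which answered dig is one of the configured nameservers.

# nameservers FILE: print the address from every "nameserver" line.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# is_loopback ADDR: succeed for 127.0.0.0/8 and ::1.
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# check_resolver RESOLV_CONF DIG_OUTPUT_FILE
check_resolver() {
    status=0
    servers="$(nameservers "$1")"
    answered="$(sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p' "$2" | head -n 1)"
    if [ -z "$servers" ] || [ -z "$answered" ]; then
        echo "FAIL missing nameserver line or dig SERVER line"
        return 1
    fi
    matched=no
    for ns in $servers; do
        is_loopback "$ns" || { echo "FAIL non-local nameserver $ns"; status=1; }
        [ "$ns" = "$answered" ] && matched=yes
    done
    if [ "$matched" = no ]; then
        echo "FAIL answered by $answered, which is not in $1"
        status=1
    fi
    [ "$status" -ne 0 ] || echo "OK   answered by $answered"
    return "$status"
}

# Constructed sample: one loopback entry plus a leftover upstream (192.0.2.53).
demo_check() {
    d="$(mktemp -d)"
    printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$d/resolv.conf"
    printf ';; SERVER: 127.0.0.1#53(127.0.0.1)\n' > "$d/dig.out"
    check_resolver "$d/resolv.conf" "$d/dig.out"; result=$?
    rm -rf "$d"
    return "$result"
}
```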