Installation on Debian and Ubuntu - DNSCrypt/dnscrypt-proxy GitHub Wiki
Installation on Debian and Ubuntu
Debian Stretch and Ubuntu 18.04 ship with old and unsupported dnscrypt-proxy
package (1.9.x). Debian Testing and Unstable and Ubuntu 18.10+ have more recent packages.
Before installing DNSCrypt-Proxy 2.x regardless of the method, remove old 1.x version if you have it installed:
sudo apt purge dnscrypt-proxy
Generic Linux installation procedure
The generic instructions for Linux work fine on Debian and Ubuntu. The additional instructions below are not required if you are going that route.
bullseye
), Debian Unstable (sid
)
Debian Testing (Version 2.x of DNSCrypt-Proxy is included with Debian Testing and Debian Unstable. By adding the correspondent repository for either testing
, unstable
, or both, you'll be able to install a fully automatic installation of DNSCrypt-Proxy. Meaning that no manual configuration is required, and it work after an apt install dnscrypt-proxy
install.
Adding Repository
Note: This overwrites existing files. Be sure to check for old files.
Debian Testing
echo "deb https://deb.debian.org/debian/ testing main" | sudo tee /etc/apt/sources.list.d/testing.list
Debian Unstable
echo "deb https://deb.debian.org/debian/ unstable main" | sudo tee /etc/apt/sources.list.d/unstable.list
Pin Repository
This step is required so that you don't pull in packages that don't follow your system version.
/etc/apt/preferences.d/pinning.pref
Package: *
Pin: release a=stable
Pin-Priority: 900
Package: *
Pin: release a=testing
Pin-Priority: 500
Package: *
Pin: release a=unstable
Pin-Priority: 100
NB! Be careful when doing an upgrade the next time. Make notice if it pull packages that it should not. If so, this might need tweaking. Read the manual for help.
Install DNSCrypt-Proxy
testing
sudo apt update && \
sudo apt install -t testing dnscrypt-proxy
unstable
sudo apt update && \
sudo apt install -t unstable dnscrypt-proxy
And complete the setup with a reboot.
Ubuntu
DNSCrypt-Proxy 2.x is included in Ubuntu 18.10+ repositories, install it with sudo apt install dnscrypt-proxy
Configuration
If dnsmasq is already running
Option 1: remove dnsmasq
dnsmasq performs caching, as does dnscrypt-proxy v2. As such, the redundant caching is unnecessary, and dnsmasq can effectively be disabled. To disable dnsmasq
for NetworkManager, make the /etc/NetworkManager/NetworkManager.conf
file look like this:
[main]
plugins=ifupdown,keyfile,ofono
#dns=dnsmasq
[ifupdown]
managed=false
Option 2: keep dnsmasq
If you want to use dnsmasq, some configuration is needed:
- dnsmasq listens on
127.0.0.1:53
, so configure dnscrypt-proxy to use something different (e.g.127.0.2.1:53
, seelisten_addresses
indnscrypt-proxy.toml
) - configure dnsmasq to use dnscrypt-proxy if file not already configured:
sudo tee /etc/dnsmasq.d/dnscrypt-proxy << EOF
# Redirect everything to dnscrypt-proxy
server=127.0.2.1
no-resolv
proxy-dnssec
EOF
Configure dnscrypt-proxy.toml
cd /etc/dnscrypt-proxy
sudo cp dnscrypt-proxy.toml dnscrypt-proxy.toml.original # non-idempotent
In dnscrypt-proxy.toml
, replace listen_addresses = ['127.0.0.1:53']
with listen_addresses = []
(by default, after DNSCrypt-Proxy install, there shouldn't be any IP address in this option). For some reason, the package installs systemd sockets instead of standard sockets. (However, if User don't want to use such a method, systemd socket activation can be disabled (please check Disable systemd socket activaction.).
Further configuration changes can be made later as needed, but in order to help with troubleshooting, keep the changes to a minimum for now.
Configure resolv.conf
Using the command line
This is just one way to get the nameserver persistently added to resolv.conf
.
Create a file resolv.conf.override
as below. Match the permissions and owner. Here, 127.0.0.1 comes from listen_addresses
in dnscrypt-proxy.toml
.
$ cd /etc
$ ll resolv.conf.override
-rwxrwxr-x 1 root root 172 Jun 26 20:38 resolv.conf.override*
$ cat resolv.conf.override
nameserver 127.0.0.1
Create a script 20-resolv-conf-override
as below. Match the permissions and owner.
$ cd /etc/NetworkManager/dispatcher.d
$ ll 20-resolv-conf-override
-rwxr-xr-x 1 root root 101 Jun 26 20:45 20-resolv-conf-override*
$ cat 20-resolv-conf-override
#!/bin/sh
cp -f /etc/resolv.conf.override /run/resolvconf/resolv.conf
$ sudo ln -f 20-resolv-conf-override ./pre-up.d/
Using the network configuration applet
- Go to network configuration applet. Click
Wifi Icon
> Edit Connections >Click on Wired Connection 1
(if you use wired) or the Wifi name that you currently used and clickEdit
. - In the
Editing...
window, click IPv4 settings, chooseAutomatic (DHCP) address only
on the method. Finally add127.0.0.1
in theDNS servers
Configure NetworkManager.conf
If NetworkManager overwrites resolv.conf
, try configuring NetworkManager.conf
to not modify resolv.conf
with:
[main]
dns=none
Start services
If the PPA installer was used, restart the services:
sudo systemctl restart NetworkManager
sudo systemctl restart dnscrypt-proxy
The older commands for the same are:
sudo service network-manager restart
sudo service dnscrypt-proxy restart
dnscrypt-proxy.socket
file (e.g. to change the local port)
The The package from the PPA uses unsupported systemd sockets to accept connections. In order to configure the local port, the dnscrypt-proxy.socket
file needs to be edited instead of the standard dnscrypt-proxy.toml
file:
sudo nano /lib/systemd/system/dnscrypt-proxy.socket
Test
dnscrypt-proxy -resolve github.com -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
dig dnscrypt.info | grep SERVER # Must show matching nameserver, e.g. 127.0.0.1#53, in resolv.conf
ping -c1 google.com # Should show matching IP and ping successfully
sudo tcpdump -n dst port 443 # Should show specific resolver if it is not rotating