How to Get DNS Crypt Working

Nonetas · 01-13-2018, 03:12 PM

Getting DNS Crypt Working

I have tried downloading and enabling DNS Crypt. The config file, contrary to the notes on the offical website, is to be found in /etc/default, and is specified in the paths directions in /etc/init.d/dnscrypt-proxy. The config has a resolver specified, as well as IPv6 block and cache entries.

DNSCRYPT_PROXY_LOCAL_ADDRESS=127.0.2.1:53
DNS_PROXY_RESOLVER_NAME=dnscrypt.eu-nl
BlockIPv6 yes
LocalCache on
DNSCRYPT_PROXY_OPTIONS=""

Despite these fulfilling the requirements according to the official website, any attempt to run DNS Crypt with "sudo dnscrypt-proxy /etc/default/dnscrypt-proxy.conf" (I added the '.conf' to the file and path specification, just to be sure) will fail with readout claiming no resolver set.

Running DNS Crypt using systemctl (sudo systemctl start dnscrypt-proxy), on the other hand, and then viewing the output of "journalctl -xe" and "lsof -i -n", show that the resolver successfully downloads the certificate and key. But running hostip -r 127.0.0.1 example.com, as recommended, results in a time out, showing that DNS Crypt is failing to resolve hostnames.

What am I missing out? There is no mention of how all this relates to resolv.conf or secondary nameserver lists it may specify, dnsmasq.conf or Network Manager.

geppy · 01-17-2018, 01:51 PM

I think connections to do DNS resolving originates from root user since dnscrypr-proxy uses raw connections.
Connections to download certificates from regular user.

+ allow loopback for any udp connections is easiest option

+ do not download from download.dnscrypt.org, install using apt-get or dnf.

use 127.0.2.1 in resolv.conf(if you know how to modify it to keep changes across reboots) and set 127.0.2.1 as DNS in NetworkManager GUI

Nonetas · 01-21-2018, 07:36 AM

The dnscrypt is apt package, yes. I avoid anything that requires GUI settings, I use configs instead: I suppose the NM alterations would go in NetworkManager.conf, but I would need the correct entries.
If a special entry is needed in resolv.conf, does this mean DNSCrypt cannot (and should not) be used with proxies like Tor (that demands local host set in resolv.conf)?

geppy · 01-21-2018, 12:56 PM

Dont use TOR Browser. (at least disable scripts in about:config)

Use payed ipsec with strongswan or cryptostorm. They both have in-house defences against quantum insert and tls handshake decryption if asked politely.