How to install DNSCrypt


Postby xenopeek on Sun Jul 08, 2012 5:00 am

Update Dec 11 2013: Previous1 has added the steps to compile DNSCrypt yourself and get it working, see this topic: viewtopic.php?f=42&t=152600. Please follow that tutorial instead, as the below no longer works.

Update Feb 8 2013: As noted by tommyb. in the comments, the DNSCrypt .deb file downloads are no longer available. This makes this tutorial currently not usable.

Easy installation using your package manager is therefore no longer possible, as was detailed below. You'll need to download the source code from http://dnscrypt.org/, and follow the instructions there on how to compile DNSCrypt yourself. Possibly the below information, about disabling NetworkManager's dnsmasq instance and starting your own DNSCrypt and dnsmasq, may still be useful with that.

I haven't delved into this yet, so if anybody has I welcome feedback on needed changes to the tutorial.
----------------------------------------------------------------------------------------------------------------------------------------------------------------

This tutorial describes how to install and set up DNSCrypt (dnscrypt-proxy with dnsmasq). In a nutshell, it sets up a local DNS forwarder on your computer that encrypts all DNS traffic between your computer and your DNS resolver, which will be OpenDNS instead of your ISP. DNSCrypt and OpenDNS intend to keep you more safe online.

Following are some links for more information about DNSCrypt and OpenDNS:
https://blog.opendns.com/2011/12/06/
https://www.opendns.com/

This tutorial has been successfully tested on:
  • Linux Mint 11 GNOME
  • Linux Mint 12 KDE
  • Linux Mint 13 MATE
  • Linux Mint 13 Cinnamon
  • Linux Mint 13 Xfce
----------------------------------------------------------------------------------------------------------------------------------------------------------------

1. Download and install dnscrypt-proxy
Visit https://github.com/opendns/dnscrypt-proxy/downloads and download the .deb file for your architecture (i386 for 32 bit, amd64 for 64 bit). Double-click the downloaded .deb file to start the installer, or right-click the file and choose "Open With GDebi Package Installer". Click "Install Package" and complete the installation.

Also download the following attached archive file config.tar.bz2, with the needed configuration files. Extract it and open a terminal on the directory where you extracted the configuration files before you continue (in your file browser, open the File menu and select "Open in Terminal"). Run the commands in the tutorial from this terminal.

config.tar.bz2

2. Stop Network Manager
Open a terminal and run the following command:
Code: Select all
sudo stop network-manager

3. Reconfigure Network Manager to not use dnsmasq
You must skip this step if you are using Linux Mint 11 or 12.

Edit the configuration file:
Code: Select all
sudo nano /etc/NetworkManager/NetworkManager.conf

Find the line:
Code: Select all
dns=dnsmasq

Replace it with:
Code: Select all
#dns=dnsmasq

Save & close the file with Ctrl+O, Enter, Ctrl+X.

4-7. Create Upstart jobs and copy configuration files
Run the following commands:
Code: Select all
sudo cp init/dnscrypt-proxy.conf /etc/init/
sudo ln -s /lib/init/upstart-job /etc/init.d/dnscrypt-proxy

sudo cp init/dnsmasq.conf /etc/init/
sudo ln -s /lib/init/upstart-job /etc/init.d/dnsmasq

sudo cp dnsmasq.conf /etc/

sudo cp init/ntpdate-dnsmasq.conf /etc/init/
sudo ln -s /lib/init/upstart-job /etc/init.d/ntpdate-dnsmasq

If you want to use OpenDNS's FamilyShield (parental controls), first edit the init/dnscrypt-proxy.conf file and change the last line of that file from:
Code: Select all
exec /usr/sbin/dnscrypt-proxy --local-address=127.0.0.2

to:
Code: Select all
exec /usr/sbin/dnscrypt-proxy --local-address=127.0.0.2 --resolver-address=208.67.222.123

8. Reload Upstart configuration
You can skip this step unless you are doing this on a Live session.

Run the following command:
Code: Select all
sudo initctl reload-configuration

9. Start the services
Start dnscrypt-proxy, which will automatically also start dnsmasq (and ntpdate):
Code: Select all
sudo start dnscrypt-proxy

Start Network Manager:
Code: Select all
sudo start network-manager

10. Reconfigure Network Manager to use DNSCrypt
Open Network Connections from the menu. On the Wired or Wireless tab highlight your active Internet connection. Click "Edit". On the IPv4 Settings tab, set Method to "Automatic (DHCP) addresses only" and set DNS servers to "127.0.0.1". Click "Save". Click "Close".

11. Final test
Visit http://www.opendns.com/welcome to test your connection. You should be welcomed to OpenDNS.


----------------------------------------------------------------------------------------------------------------------------------------------------------------
Uninstalling

If you decide you want to remove DNSCrypt, you can revert all changes made with the following steps.

Stop the services and remove all added files
Run the following commands:
Code: Select all
sudo stop network-manager
sudo stop dnscrypt-proxy
sudo rm /etc/init/ntpdate-dnsmasq.conf
sudo rm /etc/init.d/ntpdate-dnsmasq
sudo rm /etc/dnsmasq.conf
sudo rm /etc/init/dnsmasq.conf
sudo rm /etc/init.d/dnsmasq
sudo rm /etc/init/dnscrypt-proxy.conf
sudo rm /etc/init.d/dnscrypt-proxy
sudo initctl reload-configuration
sudo apt-get --purge autoremove dnscrypt-proxy

Reconfigure Network Manager to use dnsmasq
You must skip this step if you are using Linux Mint 11 or 12.
Edit the configuration file:
Code: Select all
sudo nano /etc/NetworkManager/NetworkManager.conf

Find the line:
Code: Select all
#dns=dnsmasq

Replace it with:
Code: Select all
dns=dnsmasq

Save & close the file with Ctrl+O, Enter, Ctrl+X.

Start the services
Start Network Manager:
Code: Select all
sudo start network-manager

Reconfigure Network Manager to not use DNSCrypt
Open Network Connections from the menu. On the Wired or Wireless tab highlight your active Internet connection. Click "Edit". On the IPv4 Settings tab, set Method to "Automatic (DHCP)". Click "Save". Click "Close".
xenopeek
Level 21
Posts: 14967
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands


Re: How to install DNSCrypt

Postby jedisct1 on Sun Jul 08, 2012 2:11 pm

Hi,

"Note that currently dnscrypt-proxy does not provide for using an OpenDNS account. So you can't yet use OpenDNS' premium features, such as parental controls."


This is not true. Network settings depend on the source IP address. So whatever has been configured for a network still works with dnscrypt, including category filters.

You can also use FamilyShield in order to enable parental controls without creating an account. Just start dnscrypt with --resolver-address=208.67.222.123

And you don't need to disable dnsmasq in order to use dnscrypt. All you need is a line like this one in the dnsmasq.conf file:

server=127.0.0.1#40

Replace 40 with the port number dnscrypt is listening to (--local-port=...)

dnsmasq caches DNS records, which is always a good thing to have if you care about performance.
jedisct1
Level 1
Posts: 1
Joined: Sun Jul 08, 2012 1:58 pm

Re: How to install DNSCrypt

Postby xenopeek on Sun Jul 08, 2012 3:57 pm

Hi jedisct1, thanks for the updates on that :D I didn't know the OpenDNS accounts worked that way, I'll update the tutorial!

Disabling dnsmasq in Network Manager I did because you can't override the configuration it uses. Network Manager starts dnsmasq with cache-size=0, which makes sense if you can't trust your last mile, but not if you can (with DNSCrypt). DNSCrypt is recommended to be used with a DNS cache. Also, Network Manager starts dnsmasq without some additional settings, like bogus-priv, domain-needed, stop-dns-rebind and rebind-localhost-ok. Allowing for configuring these settings, you need to disable Network Manager from starting dnsmasq, as included in this tutorial.

For your reference, Network Manager's non-configurable startup of dnsmasq is:
Code: Select all
/usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/sendsigs.omit.d/network-manager.dnsmasq.pid --listen-address=127.0.0.1 --conf-file=/var/run/nm-dns-dnsmasq.conf --cache-size=0 --proxy-dnssec
xenopeek
Level 21
Posts: 14967
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands
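
An added example (not part of the original posts, and not the contents of the tutorial's config.tar.bz2): a shell check for the dnsmasq settings discussed above, including the server=address#port form. Both sample configurations are constructed; the weak one mirrors the Network Manager flags quoted above, and treating no-resolv as required and 192.0.2.53 as a plain upstream resolver are assumptions.

```shell
#!/bin/sh
# Constructed sample: forwards only to dnscrypt-proxy on 127.0.0.2 and sets
# the options named in the post above.
HARDENED_CONF='no-resolv
server=127.0.0.2
listen-address=127.0.0.1
bind-interfaces
cache-size=1000      # caching on
bogus-priv
domain-needed
stop-dns-rebind
rebind-localhost-ok'

# Constructed sample: the Network Manager flags quoted above written as a
# config file, plus an assumed plain upstream resolver (192.0.2.53).
WEAK_CONF='no-resolv
no-hosts
bind-interfaces
listen-address=127.0.0.1
cache-size=0
proxy-dnssec
server=192.0.2.53'

# audit_dnsmasq [UPSTREAM]: read a dnsmasq config on stdin, print one line
# per finding, return 0 only when there are none. UPSTREAM is the address
# dnscrypt-proxy listens on (default 127.0.0.2).
audit_dnsmasq() {
    awk -v upstream="${1:-127.0.0.2}" '
    {
        sub(/^[ \t]*#.*/, "")            # whole-line comment
        sub(/[ \t]+#.*/, "")             # trailing comment; addr#port is kept
        gsub(/^[ \t]+|[ \t]+$/, "")
        if ($0 == "") next
        eq  = index($0, "=")
        key = eq ? substr($0, 1, eq - 1) : $0
        val = eq ? substr($0, eq + 1) : ""
        seen[key] = 1
        if (key == "cache-size") cache = val
        if (key == "server") {
            nserv++
            addr = val
            sub(/^.*\//, "", addr)       # drop a /domain/ prefix
            sub(/#.*/, "", addr)         # drop the #port suffix
            if (addr != upstream) { print "BYPASS server=" val; bad = 1 }
        }
    }
    END {
        n = split("no-resolv bogus-priv domain-needed stop-dns-rebind rebind-localhost-ok", req, " ")
        for (i = 1; i <= n; i++)
            if (!(req[i] in seen)) { print "MISSING " req[i]; bad = 1 }
        if (nserv == 0) { print "MISSING server=" upstream; bad = 1 }
        if (cache != "" && cache + 0 == 0) { print "CACHE-DISABLED cache-size=0"; bad = 1 }
        exit bad + 0
    }'
}

printf '%s\n' "$HARDENED_CONF" | audit_dnsmasq 127.0.0.2 && echo "hardened sample: no findings"
printf '%s\n' "$WEAK_CONF" | audit_dnsmasq 127.0.0.2 || echo "weak sample: findings listed above"
```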

Re: How to install DNSCrypt

Postby MR-X on Thu Jul 12, 2012 7:14 pm

Thank you for this, I was having a hard time getting the new updated dnscrypt-proxy-0.10.1-1 to work on Linux Mint 13 Maya, but thanks to your great tutorial everything is up and running just fine now :D

Now I have Linux Mint 13 running pretty much perfect now that they seemed to have worked out the bugs it was having issues with during its release......

Tutorial Saved! :wink:
http://techroulette.blogspot.com/p/linu ... ps-and.htm <<< Linux Mint 13 Maya "Cinnamon" LTS Tips and Links (QuickGuide)!| My Blog >>> http://techroulette.blogspot.com <<< Tech_Roulette ;)
MR-X
Level 1
Posts: 21
Joined: Fri Jun 08, 2012 3:12 pm

Re: How to install DNSCrypt

Postby MR-X on Thu Jul 12, 2012 8:16 pm

I found a problem, #10 says 127.0.0.1 but the dnscrypt-proxy.conf file for Ubuntu 12.04 based os points to 127.0.0.2 because something else is running on 127.0.0.1 in Ubuntu 12.04 OS, so I rebooted and 127.0.0.1 my Internet did not work until I changed the ipv4 Network DNS settings to 127.0.0.2 now it works, but is it Proper?

is this a problem on my side?
MR-X
Level 1
Posts: 21
Joined: Fri Jun 08, 2012 3:12 pm

Re: How to install DNSCrypt

Postby xenopeek on Fri Jul 13, 2012 4:12 am

Did you do step 3? That is also needed on Ubuntu 12.04, to disable Network Manager running its own instance of dnsmasq at 127.0.0.1. If you are sure you did that, you can check what is running on the domain service port on your machine with the following command:
Code: Select all
sudo lsof -i :domain +c 0

With everything configured correctly, it should output the following. Showing our dnsmasq (not Network Manager's) is running on localhost, and dnscrypt-proxy on 127.0.0.2.
Code: Select all
vincent@maya ~ $ sudo lsof -i :domain +c 0
COMMAND         PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dnscrypt-proxy 1328   root    7u  IPv4   9595      0t0  TCP 127.0.0.2:domain (LISTEN)
dnscrypt-proxy 1328   root    8u  IPv4   9596      0t0  UDP 127.0.0.2:domain
dnsmasq        1332 nobody    4u  IPv4   9604      0t0  UDP localhost:domain
dnsmasq        1332 nobody    5u  IPv4   9605      0t0  TCP localhost:domain (LISTEN)
xenopeek
Level 21
Posts: 14967
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands
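
An added example (not part of the original posts): the lsof check above turned into a script that reports whether dnscrypt-proxy and dnsmasq hold the addresses the tutorial expects. The two sample listings are copied from the lsof output posted in this thread; the function name and the finding labels are made up for the example.

```shell
#!/bin/sh
# Listing from the post above: the layout the tutorial expects.
LSOF_EXPECTED='COMMAND         PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dnscrypt-proxy 1328   root    7u  IPv4   9595      0t0  TCP 127.0.0.2:domain (LISTEN)
dnscrypt-proxy 1328   root    8u  IPv4   9596      0t0  UDP 127.0.0.2:domain
dnsmasq        1332 nobody    4u  IPv4   9604      0t0  UDP localhost:domain
dnsmasq        1332 nobody    5u  IPv4   9605      0t0  TCP localhost:domain (LISTEN)'

# Listing from a later post in this thread: only an LXC dnsmasq is present.
LSOF_LXC='COMMAND         PID        USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dnsmasq        1473 lxc-dnsmasq    6u  IPv4  10658      0t0  UDP 10.0.3.1:domain
dnsmasq        1473 lxc-dnsmasq    7u  IPv4  10659      0t0  TCP 10.0.3.1:domain (LISTEN)
dnsmasq        1473 lxc-dnsmasq   11u  IPv6  10813      0t0  UDP [fe80::d81e:6bff:fe73:a41f]:domain
dnsmasq        1473 lxc-dnsmasq   12u  IPv6  10814      0t0  TCP [fe80::d81e:6bff:fe73:a41f]:domain (LISTEN)
dnscrypt-proxy 2201        root    7u  IPv4  13420      0t0  TCP 127.0.0.2:domain (LISTEN)
dnscrypt-proxy 2201        root    8u  IPv4  13421      0t0  UDP 127.0.0.2:domain'

# check_dns_listeners [PROXY_ADDR]: read "lsof -i :domain +c 0" output on
# stdin, print findings, return 0 only when dnscrypt-proxy answers on
# PROXY_ADDR (default 127.0.0.2) and dnsmasq answers on 127.0.0.1.
check_dns_listeners() {
    awk -v proxy_addr="${1:-127.0.0.2}" '
    $8 !~ /^(TCP|UDP)$/ { next }          # header, prompt and other lines
    {
        cmd = $1; user = $3; proto = $8; addr = $9
        sub(/:(domain|53)$/, "", addr)
        if (addr == "localhost") addr = "127.0.0.1"
        if (cmd == "dnscrypt-proxy" && addr == proxy_addr) proxy[proto] = 1
        else if (cmd == "dnsmasq" && addr == "127.0.0.1") cache[proto] = 1
        else if (addr == "127.0.0.1" || addr == proxy_addr || addr == "*") {
            print "CONFLICT " cmd " (" user ") holds " addr; bad = 1
        } else if (!((cmd, user, addr) in noted)) {
            noted[cmd, user, addr] = 1     # report each extra listener once
            print "OTHER " cmd " (" user ") on " addr
        }
    }
    END {
        if (!("UDP" in proxy)) { print "MISSING dnscrypt-proxy UDP listener on " proxy_addr; bad = 1 }
        if (!("UDP" in cache)) { print "MISSING dnsmasq UDP listener on 127.0.0.1"; bad = 1 }
        exit bad + 0
    }'
}

# Live use: sudo lsof -i :domain +c 0 | check_dns_listeners
printf '%s\n' "$LSOF_EXPECTED" | check_dns_listeners && echo "expected layout: OK"
printf '%s\n' "$LSOF_LXC" | check_dns_listeners || echo "layout incomplete: findings listed above"
```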

Re: How to install DNSCrypt

Postby MR-X on Fri Jul 13, 2012 12:45 pm

I think I left that part out I keep forgetting I'm using 13 :? not 12, but I use both 12KDE and 13 Maya Cinnamon on the same box so I need to be more careful....Mine Looks like this?
Code: Select all
COMMAND         PID        USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dnsmasq        1473 lxc-dnsmasq    6u  IPv4  10658      0t0  UDP 10.0.3.1:domain
dnsmasq        1473 lxc-dnsmasq    7u  IPv4  10659      0t0  TCP 10.0.3.1:domain (LISTEN)
dnsmasq        1473 lxc-dnsmasq   11u  IPv6  10813      0t0  UDP [fe80::d81e:6bff:fe73:a41f]:domain
dnsmasq        1473 lxc-dnsmasq   12u  IPv6  10814      0t0  TCP [fe80::d81e:6bff:fe73:a41f]:domain (LISTEN)
dnscrypt-proxy 2201        root    7u  IPv4  13420      0t0  TCP 127.0.0.2:domain (LISTEN)
dnscrypt-proxy 2201        root    8u  IPv4  13421      0t0  UDP 127.0.0.2:domain


Should I try the steps over again, do I need to delete some files first, will it replace the files with no problem?
MR-X
Level 1
Posts: 21
Joined: Fri Jun 08, 2012 3:12 pm

Re: How to install DNSCrypt

Postby xenopeek on Fri Jul 13, 2012 1:16 pm

As it is running as user lxc-dnsmasq, it makes me think you are running LXC? (https://en.wikipedia.org/wiki/LXC) Sorry, I have no experience with that but it appears the dnsmasq is not being run by Network Manager on your, probably virtual, host but by LXC. Not sure if you can safely disable that or not.

What possibly may work is changing your /etc/dnsmasq.conf file and replacing the line:
Code: Select all
listen-address=127.0.0.1

with:
Code: Select all
listen-address=127.0.0.3

And then point Network Manager not at 127.0.0.1 but at 127.0.0.3. But again, I have no experience with LXC so am not sure why that is running its own dnsmasq or if you need to use it for some reason.
xenopeek
Level 21
Posts: 14967
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: How to install DNSCrypt

Postby MR-X on Fri Jul 13, 2012 2:46 pm

I Have Open DNS setup on my router so I unplugged it and plugged it straight into my machine, and I went to http://www.opendns.com/welcome/ and it says I am OK and this site https://www.dns-oarc.net/oarc/services/dnsentropy says I'm using opendns servers for my DNS! 204.194.238.24 Source Port Randomness: GREAT, 204.194.238.24 (m14.dfw.opendns.com), And DNS Leak Test http://www.dnsleaktest.com/ points to IP: 204.194.238.24 Hostname: m14.dfw.opendns.com so It looks like I'm ok atm, but I'm wondering what lxc-dnsmasq is doing and what is its purpose :?: and still wondering if I should kill or just leave it be?
MR-X
Level 1
Posts: 21
Joined: Fri Jun 08, 2012 3:12 pm

Re: How to install DNSCrypt

Postby masuch on Sat Jul 14, 2012 6:24 am

Thanks a lot for this post.

Would it be working and how it should be setup for IPv6 ?
What IPv6 should I put on network connection->wired->IPv6 settings for DNS servers if I changed to Automatic (DHCP) addresses only ? Is it ::1 correct ?

thank you.
masuch
Level 1
Posts: 5
Joined: Tue Jun 12, 2012 5:11 am

Re: How to install DNSCrypt

Postby xenopeek on Sat Jul 14, 2012 12:11 pm

To use this with IPv6 you have to make some changes. I'm not sure if these are all the changes, but you will need to apply these for sure (and if IPv6 is working, probably that is all). You can either edit the files before installing them to /etc or you can edit them there. OpenDNS have some links for you to confirm IPv6 is working on your machine: https://www.opendns.com/technology/ipv6/. Please let us know if this works! Sorry I can't be of more help here; I'm currently selecting a new ISP to get IPv6 support on my Internet connection...

dnsmasq.conf or /etc/dnsmasq.conf:
init/dnscrypt-proxy.conf or /etc/init/dnscrypt-proxy.conf
  • Change:
    Code: Select all
    exec /usr/sbin/dnscrypt-proxy --local-address=127.0.0.2

    to:
    Code: Select all
    exec /usr/sbin/dnscrypt-proxy --local-address=::1 --local-port=1053 --resolver-address=2620:0:ccc::2
Finally, in step 10 you have to go to the IPv6 tab and make it use the DNS at ::1. (dnsmasq will run at the default DNS port 53 and dnscrypt-proxy at custom port 1053. As IPv6 only allows ::1 for localhost, unlike IPv4 where you can have 127.0.0.1, 127.0.0.2 and so on, both these programs will run at address ::1.)
xenopeek
Level 21
Posts: 14967
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: How to install DNSCrypt

Postby tommyb. on Mon Jul 23, 2012 2:01 am

.
I seem to have a problem..... I followed your tutorial (thanks by the way), didn't receive error messages, Y E T it won't autostart (=I have to manually start it with "sudo start dnscrypt-proxy" (w/o "")). Please note that I had a previous 0.094v of dnscrypt installed, which worked well from a user's point-of-view, not security wise perhaps.
.
Do you have any advice or command handy to double my config or ..??? to fix my autostart problem? TY :D
.
.
Your "sudo lsof -i :domain +c 0" shows first nothing (cause it is not running, then as required
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dnscrypt-proxy 2886 root 7u IPv4 19391 0t0 UDP 127.0.0.2:domain
dnscrypt-proxy 2886 root 9u IPv4 19393 0t0 TCP 127.0.0.2:domain (LISTEN)
dnsmasq 2887 nobody 4u IPv4 19382 0t0 UDP localhost:domain
dnsmasq 2887 nobody 5u IPv4 19383 0t0 TCP localhost:domain (LISTEN)
*** :lol: As some may have noticed my help files are available from Dropbox. If you like to help me, use my referral http://db.tt/AsmPmOv please and we both get a 500MB cloudspace bonus each :D
tommyb.
Level 2
Posts: 66
Joined: Wed May 30, 2012 12:04 pm

Re: How to install DNSCrypt

Postby xenopeek on Mon Jul 23, 2012 3:45 am

If it is not starting automatically, the event that triggers dnscrypt-proxy is not occurring. The configuration for that is:
Code: Select all
start on (local-filesystems
      and net-device-up IFACE!=lo)
stop on runlevel [016]

Basically that is saying, once local filesystems have been mounted and a network connection is available (not loopback), to start dnscrypt-proxy. But, if you are logged in as root (single-user mode), it would not start as the stop condition is triggered.

Perhaps you are running on some virtualization software? Which should work fine, at least VirtualBox 4.x has been tested. Or perhaps you have some special kind of network device? Like something USB attached for which you need to do something manual to get an Internet connection, instead of a built-in ethernet or wifi device?

Else please check the steps for the dnscrypt-proxy have been done correctly. Please share the output of the following commands. But I guess that should all be fine, as you can start it manually.
Code: Select all
ls -l /etc/init.d/dnscrypt-proxy
ls -l /etc/init/dnscrypt-proxy.conf
cat /etc/init/dnscrypt-proxy.conf

Lastly, you might want to try editing /etc/init/dnscrypt-proxy.conf and change the start condition. Some other websites have the following start condition for dnscrypt-proxy:
Code: Select all
start on (local-filesystems
      and started dbus
      and stopped udevtrigger)
stop on runlevel [016]
xenopeek
Level 21
Posts: 14967
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: How to install DNSCrypt

Postby tommyb. on Mon Jul 23, 2012 5:23 am

Thanks a lot.... :oops: it seems to work now, without further ado.
.
Honestly I don't fully understand this dnscrypt thing, but it seems as you perhaps trying to say in your first paragraph, it starts as soon as a live connection is available. If not, "sudo lsof -i :domain +c 0" won't show anything, unless triggered manually with this command "sudo start dnscrypt-proxy".
.
Possibly my cleaning up of older dnscrypt entries found in /etc (well I took a chance there, but they seemed from the older dnscrypt version)
.
.
Thanks again for answering so eloquently!
tommyb.
Level 2
Posts: 66
Joined: Wed May 30, 2012 12:04 pm

Re: How to install DNSCrypt

Postby xenopeek on Mon Jul 23, 2012 6:24 am

Having files from a previous dnscrypt-proxy installation would possibly explain it not starting automatically. Please note, at the top of the article I link to the full tutorial on the Community website. That includes uninstallation instructions, should you ever have need to remove dnscrypt-proxy or install it anew from a different source.
xenopeek
Level 21
Posts: 14967
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: How to install DNSCrypt

Postby tommyb. on Sun Jul 29, 2012 10:39 pm

Vincent Vermeulen wrote:Having files from a previous dnscrypt-proxy installation would possibly explain it not starting automatically. Please note, at the top of the article I link to the full tutorial on the Community website. That includes uninstallation instructions, should you ever have need to remove dnscrypt-proxy or install it anew from a different source.


Thanks! :idea:
tommyb.
Level 2
Posts: 66
Joined: Wed May 30, 2012 12:04 pm

Re: How to install DNSCrypt

Postby jvossler on Mon Jul 30, 2012 7:32 pm

I notice that these instructions are for the Ubuntu based editions. How do I get it working in LMDE?
jvossler
Level 2
Posts: 69
Joined: Sun Apr 11, 2010 8:00 pm

Re: How to install DNSCrypt

Postby xenopeek on Tue Jul 31, 2012 12:07 pm

jvossler wrote:I notice that these instructions are for the Ubuntu based editions. How do I get it working in LMDE?

Perhaps post a support request for that in the LMDE section of the forum? I'm not very experienced with SysV init scripts. While all the steps here would also need to be done for LMDE, the way to do those steps would differ. You can skip step 3, but other than steps 1, 10 and 11, all the steps need to be adjusted for LMDE / SysV init scripts.
xenopeek
Level 21
Posts: 14967
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: How to install DNSCrypt

Postby tommyb. on Sat Dec 01, 2012 12:15 am

.
Just a little feedback:
Your instructions seem to work fine on
"Linux Mint 14 Mate 32-bit"

(just did the install process) :)
tommyb.
Level 2
Posts: 66
Joined: Wed May 30, 2012 12:04 pm

Re: How to install DNSCrypt

Postby xenopeek on Sat Dec 01, 2012 6:47 am

Thanks for sharing it works on Linux Mint 14 also :D
xenopeek
Level 21
Posts: 14967
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands
