How to install DNSCrypt

Post by xenopeek »

Update Jan 14 2015: tommyb linked to an up to date guide on WebUpd8 for setting up DNSCrypt on Linux Mint 17.x: http://www.webupd8.org/2014/08/encrypt- ... -with.html

Update Dec 11 2013: Previous1 has added the steps to compile DNSCrypt yourself and get it working, see this topic: http://forums.linuxmint.com/viewtopic.php?f=42&t=152600. Please follow that tutorial instead, as the below no longer works.

Update Feb 8 2013: As noted by tommyb. in the comments, the DNSCrypt .deb file downloads are no longer available. This makes this tutorial currently not usable.

Easy installation using your package manager is therefore no longer possible, as was detailed below. You'll need to download the source code from http://dnscrypt.org/, and follow the instructions there on how to compile DNSCrypt yourself. Possibly the below information, about disabling NetworkManager's dnsmasq instance and starting your own DNSCrypt and dnsmasq, may still be useful with that.

I haven't delved into this yet, so if anybody has I welcome feedback on needed changes to the tutorial.
----------------------------------------------------------------------------------------------------------------------------------------------------------------

This tutorial describes how to install and set up DNSCrypt (dnscrypt-proxy with dnsmasq). In a nutshell, it sets up a local DNS forwarder on your computer that encrypts all DNS traffic between your computer and your DNS resolver, which will be OpenDNS instead of your ISP. DNSCrypt and OpenDNS intend to keep you more safe online.

Following are some links for more information about DNSCrypt and OpenDNS:
https://blog.opendns.com/2011/12/06/
https://www.opendns.com/

This tutorial has been successfully tested on:
  • Linux Mint 11 GNOME
  • Linux Mint 12 KDE
  • Linux Mint 13 MATE
  • Linux Mint 13 Cinnamon
  • Linux Mint 13 Xfce
----------------------------------------------------------------------------------------------------------------------------------------------------------------

1. Download and install dnscrypt-proxy
Visit https://github.com/opendns/dnscrypt-proxy/downloads and download the .deb file for your architecture (i386 for 32 bit, amd64 for 64 bit). Double-click the downloaded .deb file to start the installer, or right-click the file and choose "Open With GDebi Package Installer". Click "Install Package" and complete the installation.

Also download the following attached archive file config.tar.bz2, with the needed configuration files. Extract it and open a terminal on the directory where you extracted the configuration files before you continue (in your file browser, open the File menu and select "Open in Terminal"). Run the commands in the tutorial from this terminal.
config.tar.bz2

2. Stop Network Manager
Open a terminal and run the following command:

Code:

sudo stop network-manager

3. Reconfigure Network Manager to not use dnsmasq
You must skip this step if you are using Linux Mint 11 or 12.

Edit the configuration file:

Code:

sudo nano /etc/NetworkManager/NetworkManager.conf

Find the line:

Code:

dns=dnsmasq

Replace it with:

Code:

#dns=dnsmasq

Save & close the file with Ctrl+O, Enter, Ctrl+X.

4-7. Create Upstart jobs and copy configuration files
Run the following commands:

Code:

sudo cp init/dnscrypt-proxy.conf /etc/init/
sudo ln -s /lib/init/upstart-job /etc/init.d/dnscrypt-proxy

sudo cp init/dnsmasq.conf /etc/init/
sudo ln -s /lib/init/upstart-job /etc/init.d/dnsmasq

sudo cp dnsmasq.conf /etc/

sudo cp init/ntpdate-dnsmasq.conf /etc/init/
sudo ln -s /lib/init/upstart-job /etc/init.d/ntpdate-dnsmasq

If you want to use OpenDNS's FamilyShield (parental controls), first edit the init/dnscrypt-proxy.conf file and change the last line of that file from:

Code:

exec /usr/sbin/dnscrypt-proxy --local-address=127.0.0.2

to:

Code:

exec /usr/sbin/dnscrypt-proxy --local-address=127.0.0.2 --resolver-address=208.67.222.123

8. Reload Upstart configuration
You can skip this step unless you are doing this on a Live session.

Run the following command:

Code:

sudo initctl reload-configuration

9. Start the services
Start dnscrypt-proxy, which will automatically also start dnsmasq (and ntpdate):

Code:

sudo start dnscrypt-proxy

Start Network Manager:

Code:

sudo start network-manager

10. Reconfigure Network Manager to use DNSCrypt
Open Network Connections from the menu. On the Wired or Wireless tab highlight your active Internet connection. Click "Edit". On the IPv4 Settings tab, set Method to "Automatic (DHCP) addresses only" and set DNS servers to "127.0.0.1". Click "Save". Click "Close".

11. Final test
Visit http://www.opendns.com/welcome to test your connection. You should be welcomed to OpenDNS.

----------------------------------------------------------------------------------------------------------------------------------------------------------------
Uninstalling

If you decide you want to remove DNSCrypt, you can revert all changes made with the following steps.

Stop the services and remove all added files
Run the following commands:

Code:

sudo stop network-manager
sudo stop dnscrypt-proxy
sudo rm /etc/init/ntpdate-dnsmasq.conf
sudo rm /etc/init.d/ntpdate-dnsmasq
sudo rm /etc/dnsmasq.conf
sudo rm /etc/init/dnsmasq.conf
sudo rm /etc/init.d/dnsmasq
sudo rm /etc/init/dnscrypt-proxy.conf
sudo rm /etc/init.d/dnscrypt-proxy
sudo initctl reload-configuration
sudo apt-get --purge autoremove dnscrypt-proxy

Reconfigure Network Manager to use dnsmasq
You must skip this step if you are using Linux Mint 11 or 12.
Edit the configuration file:

Code:

sudo nano /etc/NetworkManager/NetworkManager.conf

Find the line:

Code:

#dns=dnsmasq

Replace it with:

Code:

dns=dnsmasq

Save & close the file with Ctrl+O, Enter, Ctrl+X.

Start the services
Start Network Manager:

Code:

sudo start network-manager

Reconfigure Network Manager to not use DNSCrypt
Open Network Connections from the menu. On the Wired or Wireless tab highlight your active Internet connection. Click "Edit". On the IPv4 Settings tab, set Method to "Automatic (DHCP)". Click "Save". Click "Close".

Re: How to install DNSCrypt

Post by jedisct1 »

Hi,
"Note that currently dnscrypt-proxy does not provide for using an OpenDNS account. So you can't yet use OpenDNS' premium features, such as parental controls."

This is not true. Network settings depend on the source IP address. So whatever has been configured for a network still works with dnscrypt, including category filters.

You can also use FamilyShield in order to enable parental controls without creating an account. Just start dnscrypt with --resolver-address=208.67.222.123

And you don't need to disable dnsmasq in order to use dnscrypt. All you need is a line like this one in the dnsmasq.conf file:

server=127.0.0.1#40

Replace 40 with the port number dnscrypt is listening to (--local-port=...)

dnsmasq caches DNS records, which is always a good thing to have if you care about performance.

Re: How to install DNSCrypt

Post by xenopeek »

Hi jedisct1, thanks for the updates on that :D I didn't know the OpenDNS accounts worked that way, I'll update the tutorial!

Disabling dnsmasq in Network Manager I did because you can't override the configuration it uses. Network Manager starts dnsmasq with cache-size=0, which makes sense if you can't trust your last mile, but not if you can (with DNSCrypt). DNSCrypt is recommended to be used with a DNS cache. Also, Network Manager starts dnsmasq without some additional settings, like bogus-priv, domain-needed, stop-dns-rebind and rebind-localhost-ok. Allowing for configuring these settings, you need to disable Network Manager from starting dnsmasq, as included in this tutorial.

For your reference, Network Manager's non-configurable startup of dnsmasq is:

Code:

/usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/sendsigs.omit.d/network-manager.dnsmasq.pid --listen-address=127.0.0.1 --conf-file=/var/run/nm-dns-dnsmasq.conf --cache-size=0 --proxy-dnssec
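
To make the difference described above concrete, this added example (not part of the original post) lists which of the settings named in the post are not active in a dnsmasq command line or configuration file. The function name and the sample dnsmasq.conf are constructed for illustration; the sample is not the file shipped in config.tar.bz2.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: missing_dnsmasq_settings < /etc/dnsmasq.conf

# Network Manager's dnsmasq invocation, as quoted in the post above.
NM_CMDLINE='/usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/sendsigs.omit.d/network-manager.dnsmasq.pid --listen-address=127.0.0.1 --conf-file=/var/run/nm-dns-dnsmasq.conf --cache-size=0 --proxy-dnssec'

# Constructed dnsmasq.conf for illustration (values are assumptions).
# The last option is deliberately commented out.
OWN_CONF='# forward to dnscrypt-proxy only
no-resolv
listen-address=127.0.0.1
server=127.0.0.2
cache-size=1000
bogus-priv
domain-needed
stop-dns-rebind
#rebind-localhost-ok'

# Reads a dnsmasq command line ("--opt=value ...") or a conf file
# ("opt=value" per line) on stdin and prints each setting named in the
# post that is not active.
missing_dnsmasq_settings() {
    awk '
    /^[ \t]*#/ { next }                 # commented-out options do not count
    {
        for (i = 1; i <= NF; i++) {
            opt = $i
            if (opt ~ /^#/) break       # trailing comment on an option line
            sub(/^--/, "", opt)
            val = ""
            p = index(opt, "=")
            if (p > 0) { val = substr(opt, p + 1); opt = substr(opt, 1, p - 1) }
            active[opt] = 1
            if (opt == "cache-size") cache = val
        }
    }
    END {
        n = split("bogus-priv domain-needed stop-dns-rebind rebind-localhost-ok", flag, " ")
        for (i = 1; i <= n; i++)
            if (!(flag[i] in active)) print flag[i]
        # dnsmasq caches by default; only an explicit 0 turns the cache off
        if (("cache-size" in active) && cache + 0 == 0) print "cache-size"
    }'
}

printf '%s\n' "$NM_CMDLINE" | missing_dnsmasq_settings
```
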

Re: How to install DNSCrypt

Post by MR-X »

Thank you for this, I was having a hard time getting the new updated dnscrypt-proxy-0.10.1-1 to work on Linux Mint 13 Maya, but thanks to your great tutorial everything is up and running just fine now :D

Now I have Linux Mint 13 running pretty much perfect now that they seemed to have worked out the bugs it was having issues with during its release......

Tutorial Saved! :wink:

Re: How to install DNSCrypt

Post by MR-X »

I found a problem, #10 says 127.0.0.1 but the dnscrypt-proxy.conf file for Ubuntu 12.04 based OS points to 127.0.0.2 because something else is running on 127.0.0.1 in Ubuntu 12.04 OS, so I rebooted and 127.0.0.1 my Internet did not work until I changed the IPv4 Network DNS settings to 127.0.0.2 now it works, but is it proper?

Is this a problem on my side?

Re: How to install DNSCrypt

Post by xenopeek »

Did you do step 3? That is also needed on Ubuntu 12.04, to disable Network Manager running its own instance of dnsmasq at 127.0.0.1. If you are sure you did that, you can check what is running on the domain service port on your machine with the following command:

Code:

sudo lsof -i :domain +c 0

With everything configured correctly, it should output the following, showing our dnsmasq (not Network Manager's) running on localhost, and dnscrypt-proxy on 127.0.0.2.

Code:

vincent@maya ~ $ sudo lsof -i :domain +c 0
COMMAND         PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dnscrypt-proxy 1328   root    7u  IPv4   9595      0t0  TCP 127.0.0.2:domain (LISTEN)
dnscrypt-proxy 1328   root    8u  IPv4   9596      0t0  UDP 127.0.0.2:domain 
dnsmasq        1332 nobody    4u  IPv4   9604      0t0  UDP localhost:domain 
dnsmasq        1332 nobody    5u  IPv4   9605      0t0  TCP localhost:domain (LISTEN)
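
The check described in the post above, scripted as an added example (not part of the original post): it reads `lsof -i :domain +c 0` output and reports whether dnsmasq answers on 127.0.0.1 and dnscrypt-proxy on 127.0.0.2, listing any other DNS listener for review. The function name, the OK/MISSING/OTHER labels and the second sample listing are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage on a live system: sudo lsof -i :domain +c 0 | audit_dns_listeners

# Healthy listing, as shown in the post above.
SAMPLE_OK='COMMAND         PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dnscrypt-proxy 1328   root    7u  IPv4   9595      0t0  TCP 127.0.0.2:domain (LISTEN)
dnscrypt-proxy 1328   root    8u  IPv4   9596      0t0  UDP 127.0.0.2:domain
dnsmasq        1332 nobody    4u  IPv4   9604      0t0  UDP localhost:domain
dnsmasq        1332 nobody    5u  IPv4   9605      0t0  TCP localhost:domain (LISTEN)'

# Constructed failure case: no dnsmasq on loopback, another dnsmasq on a
# bridge address, and one established client connection (NAME has "->").
SAMPLE_BAD='COMMAND         PID        USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dnsmasq        1473 lxc-dnsmasq    6u  IPv4  10658      0t0  UDP 10.0.3.1:domain
dnscrypt-proxy 2201        root    8u  IPv4  13421      0t0  UDP 127.0.0.2:domain
firefox        3100        user   61u  IPv4  20111      0t0  TCP 127.0.0.1:40112->127.0.0.1:domain (ESTABLISHED)'

# Prints one finding per line; exit status 1 if an expected listener is missing.
audit_dns_listeners() {
    awk '
    $1 == "COMMAND" || NF < 9 || $9 ~ /->/ { next }   # header, client sockets
    {
        addr = $9
        sub(/:(domain|53)$/, "", addr)        # also accept lsof -P output
        if (addr == "localhost") addr = "127.0.0.1"
        key = $1 " " addr
        user[key] = $3
        if ($8 == "UDP") udp[key] = 1
    }
    END {
        bad = 0
        n = split("dnsmasq 127.0.0.1,dnscrypt-proxy 127.0.0.2", want, ",")
        for (i = 1; i <= n; i++) {
            expected[want[i]] = 1
            if (want[i] in udp) print "OK " want[i]
            else { print "MISSING " want[i]; bad = 1 }
        }
        for (k in user)
            if (!(k in expected)) print "OTHER " k " user=" user[k]
        exit bad
    }'
}

printf '%s\n' "$SAMPLE_OK" | audit_dns_listeners
```
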

Re: How to install DNSCrypt

Post by MR-X »

I think I left that part out, I keep forgetting I'm using 13 :? not 12, but I use both 12KDE and 13 Maya Cinnamon on the same box so I need to be more careful.... Mine looks like this?

Code:

COMMAND         PID        USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dnsmasq        1473 lxc-dnsmasq    6u  IPv4  10658      0t0  UDP 10.0.3.1:domain
dnsmasq        1473 lxc-dnsmasq    7u  IPv4  10659      0t0  TCP 10.0.3.1:domain (LISTEN)
dnsmasq        1473 lxc-dnsmasq   11u  IPv6  10813      0t0  UDP [fe80::d81e:6bff:fe73:a41f]:domain
dnsmasq        1473 lxc-dnsmasq   12u  IPv6  10814      0t0  TCP [fe80::d81e:6bff:fe73:a41f]:domain (LISTEN)
dnscrypt-proxy 2201        root    7u  IPv4  13420      0t0  TCP 127.0.0.2:domain (LISTEN)
dnscrypt-proxy 2201        root    8u  IPv4  13421      0t0  UDP 127.0.0.2:domain

Should I try the steps over again, do I need to delete some files first, will it replace the files with no problem?

Re: How to install DNSCrypt

Post by xenopeek »

As it is running as user lxc-dnsmasq, it makes me think you are running LXC? (https://en.wikipedia.org/wiki/LXC) Sorry, I have no experience with that but it appears the dnsmasq is not being run by Network Manager on your, probably virtual, host but by LXC. Not sure if you can safely disable that or not.

What possibly may work is changing your /etc/dnsmasq.conf file and replacing the line:

Code:

listen-address=127.0.0.1

with:

Code:

listen-address=127.0.0.3

And then point Network Manager not at 127.0.0.1 but at 127.0.0.3. But again, I have no experience with LXC so am not sure why that is running its own dnsmasq or if you need to use it for some reason.

Re: How to install DNSCrypt

Post by MR-X »

I have OpenDNS set up on my router so I unplugged it and plugged it straight into my machine, and I went to http://www.opendns.com/welcome/ and it says I am OK and this site https://www.dns-oarc.net/oarc/services/dnsentropy says I'm using OpenDNS servers for my DNS! 204.194.238.24 Source Port Randomness: GREAT, 204.194.238.24 (m14.dfw.opendns.com), and DNS Leak Test http://www.dnsleaktest.com/ points to IP: 204.194.238.24 Hostname: m14.dfw.opendns.com so it looks like I'm OK atm, but I'm wondering what lxc-dnsmasq is doing and what is its purpose :?: and still wondering if I should kill or just leave it be?

Re: How to install DNSCrypt

Post by masuch »

Thanks a lot for this post.

Would it be working and how should it be set up for IPv6?
What IPv6 should I put on network connection->wired->IPv6 settings for DNS servers if I changed to Automatic (DHCP) addresses only? Is ::1 correct?

thank you.

Re: How to install DNSCrypt

Post by xenopeek »

To use this with IPv6 you have to make some changes. I'm not sure if these are all the changes, but you will need to apply these for sure (and if IPv6 is working, probably that is all). You can either edit the files before installing them to /etc or you can edit them there. OpenDNS have some links for you to confirm IPv6 is working on your machine: https://www.opendns.com/technology/ipv6/. Please let us know if this works! Sorry I can't be of more help here; I'm currently selecting a new ISP to get IPv6 support on my Internet connection...

dnsmasq.conf or /etc/dnsmasq.conf: init/dnscrypt-proxy.conf or /etc/init/dnscrypt-proxy.conf
  • Change:

    Code:

    exec /usr/sbin/dnscrypt-proxy --local-address=127.0.0.2

    to:

    Code:

    exec /usr/sbin/dnscrypt-proxy --local-address=::1 --local-port=1053 --resolver-address=2620:0:ccc::2

Finally, in step 10 you have to go to the IPv6 tab and make it use the DNS at ::1. (dnsmasq will run at the default DNS port 53 and dnscrypt-proxy at custom port 1053. As IPv6 only allows ::1 for localhost, unlike IPv4 where you can have 127.0.0.1, 127.0.0.2 and so on, both these programs will run at address ::1.)

Re: How to install DNSCrypt

Post by tommyb. »

I seem to have a problem..... I followed your tutorial (thanks by the way), didn't receive error messages, Y E T it won't autostart (=I have to manually start it with "sudo start dnscrypt-proxy" (w/o "")). Please note that I had a previous 0.094v of dnscrypt installed, which worked well from a user's point-of-view, not security wise perhaps.

Do you have any advice or command handy to double my config or ..??? to fix my autostart problem? TY :D

Your "sudo lsof -i :domain +c 0" shows first nothing (because it is not running), then as required:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dnscrypt-proxy 2886 root 7u IPv4 19391 0t0 UDP 127.0.0.2:domain
dnscrypt-proxy 2886 root 9u IPv4 19393 0t0 TCP 127.0.0.2:domain (LISTEN)
dnsmasq 2887 nobody 4u IPv4 19382 0t0 UDP localhost:domain
dnsmasq 2887 nobody 5u IPv4 19383 0t0 TCP localhost:domain (LISTEN)

Re: How to install DNSCrypt

Post by xenopeek »

If it is not starting automatically, the event that triggers dnscrypt-proxy is not occurring. The configuration for that is:

Code:

start on (local-filesystems
      and net-device-up IFACE!=lo)
stop on runlevel [016]

Basically that is saying, once local filesystems have been mounted and a network connection is available (not loopback), to start dnscrypt-proxy. But, if you are logged in as root (single-user mode), it would not start as the stop condition is triggered.

Perhaps you are running on some virtualization software? Which should work fine, at least VirtualBox 4.x has been tested. Or perhaps you have some special kind of network device? Like something USB attached for which you need to do something manual to get an Internet connection, instead of a built-in ethernet or wifi device?

Else please check the steps for the dnscrypt-proxy have been done correctly. Please share the output of the following commands. But I guess that should all be fine, as you can start it manually.

Code:

ls -l /etc/init.d/dnscrypt-proxy
ls -l /etc/init/dnscrypt-proxy.conf
cat /etc/init/dnscrypt-proxy.conf

Lastly, you might want to try editing /etc/init/dnscrypt-proxy.conf and change the start condition. Some other websites have the following start condition for dnscrypt-proxy:

Code:

start on (local-filesystems
      and started dbus
      and stopped udevtrigger)
stop on runlevel [016]

Re: How to install DNSCrypt

Post by tommyb. »

Thanks a lot.... :oops: it seems to work now, without further ado.

Honestly I don't fully understand this dnscrypt thing, but it seems, as you were perhaps trying to say in your first paragraph, it starts as soon as a live connection is available. If not, "sudo lsof -i :domain +c 0" won't show anything, unless triggered manually with this command "sudo start dnscrypt-proxy".

Possibly my cleaning up of older dnscrypt entries found in /etc (well I took a chance there, but they seemed from the older dnscrypt version)

Thanks again for answering so eloquently!

Re: How to install DNSCrypt

Post by xenopeek »

Having files from a previous dnscrypt-proxy installation would possibly explain it not starting automatically. Please note, at the top of the article I link to the full tutorial on the Community website. That includes uninstallation instructions, should you ever have need to remove dnscrypt-proxy or install it anew from a different source.

Re: How to install DNSCrypt

Post by tommyb. »

xenopeek wrote: Having files from a previous dnscrypt-proxy installation would possibly explain it not starting automatically. Please note, at the top of the article I link to the full tutorial on the Community website. That includes uninstallation instructions, should you ever have need to remove dnscrypt-proxy or install it anew from a different source.
Thanks! :idea:

Re: How to install DNSCrypt

Post by jvossler »

I notice that these instructions are for the Ubuntu based editions. How do I get it working in LMDE?

Re: How to install DNSCrypt

Post by xenopeek »

jvossler wrote: I notice that these instructions are for the Ubuntu based editions. How do I get it working in LMDE?
Perhaps post a support request for that in the LMDE section of the forum? I'm not very experienced with SysV init scripts. While all the steps here would also need to be done for LMDE, the way to do those steps would differ. You can skip step 3, but other than steps 1, 10 and 11, all the steps need to be adjusted for LMDE / SysV init scripts.

Re: How to install DNSCrypt

Post by tommyb. »

Just a little feedback:
Your instructions seem to work fine on
"Linux Mint 14 Mate 32-bit"

(just did the install process) :)

Re: How to install DNSCrypt

Post by xenopeek »

Thanks for sharing it works on Linux Mint 14 also :D