Getting DNScrypt to work with OpenNIC

mr.travo
Level 3
Posts: 107
Joined: Fri Aug 05, 2011 1:13 pm

Getting DNScrypt to work with OpenNIC

Post by mr.travo » Sat Mar 10, 2018 5:09 pm

Been trying for over 5 hours now to get DNScrypt to work with OpenNIC. I have tried to keep notes through this whole event, but I know I have lost track. Still not understanding how all of this works. Once I think I am starting to get a foothold of understanding, something like this blows it to *#&$(

Linux Mint 18.3 Cinnamon
dnscrypt-proxy installed


mint18@mint18 ~ $ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

nameserver 128.52.130.209
nameserver 127.0.0.1


mint18@mint18 ~ $ cat /etc/network/interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback
dns-nameservers 127.0.0.2


mint18@mint18 ~ $ cat /etc/resolvconf/resolv.conf.d/head
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

nameserver 128.52.130.209
OpenNIC server I am trying to set up:
[attachment: Screenshot from 2018-03-10 16-07-12.png]
Frustrated beyond any other thoughts right now. What ticks me off is I KNOW it's going to be something so small and stupid that I'm not doing right..... :evil:

It shows that my DNS is pointed to the server but I am not getting any encryption out of it.
[attachment: Screenshot from 2018-03-10 16-11-40.png]
I tried to sudo wireshark and show only DNS and none come back as being encrypted.
-Travo

"Sometimes I'm not the sharpest shed in the drawer"

mr.travo
Level 3
Posts: 107
Joined: Fri Aug 05, 2011 1:13 pm

Re: Getting DNScrypt to work with OpenNIC

Post by mr.travo » Sat Mar 10, 2018 5:22 pm

Following instructions on https://wiki.opennic.org/opennic/dnscrypt and my output is:


mint18@mint18 ~ $ sudo dnscrypt-proxy -r 128.52.130.209:443 -N 2.dnscrypt-cert.onic.csail.mit.edu -k 128D:B1BD:E10C:7CA1:D52B:091F:633E:99C1:937D:14F5:F812:B0CB:5B3C:F5CB:CC04:7272
[NOTICE] Starting dnscrypt-proxy 1.6.1
[INFO] Generating a new session key pair
[INFO] Done
[ERROR] Unable to bind (UDP) [Address already in use]
-Travo

"Sometimes I'm not the sharpest shed in the drawer"

rene
Level 8
Posts: 2186
Joined: Sun Mar 27, 2016 6:58 pm

Re: Getting DNScrypt to work with OpenNIC

Post by rene » Sun Mar 11, 2018 5:42 pm

mr.travo wrote (Sat Mar 10, 2018 5:22 pm):

[ERROR] Unable to bind (UDP) [Address already in use]
When you install dnscrypt-proxy it launches itself which is what you are here told: dnscrypt-proxy in a manner much like dnsmasq in a standard Mint install is a nameserver running on your local machine, forwarding DNS queries to its configured upstream server, which would (should) in this case be 128.52.130.209:443. You however have configured 128.52.130.209 to be your nameserver directly which is incorrect: you are to configure your local nameserver to be dnscrypt-proxy (by default 127.0.2.1:53) and in turn configure dnscrypt to forward to 128.52.130.209:443.

I was looking at providing a more direct answer but unfortunately there are a few complications: a minor one is Mint's NetworkManager using dnsmasq, a more substantial one is the dnscrypt-proxy package having been poorly architected. Specifically its systemd service files depend on a static database of upstream servers which is, of course, chronically out of date and indeed does not list your desired upstream server. Nor does in fact the current upstream version of that database, which leaves you needing to add it manually or edit the systemd service files. Leading you through this would turn this into a two-page post and I thought I'd first check if you are doing something more than just playing around with this stuff since, frankly, I myself wouldn't want any of this crap on my own system.

A third one is your current setup as indicated in your post not reflecting standard usage; specifically, you having 127.0.0.1 in your final /etc/resolv.conf meaning that you either edited a systemd .socket file already or have yet another layer of complication running: dnscrypt-proxy by default runs on 127.0.2.1:53 and adjusts /etc/resolv.conf to reflect so on service start. That is: unsure what your starting environment is like at the moment.

But then...

1. First of all restore the normal setup: i.e., remove the OpenNIC server from /etc/resolvconf/resolv.conf.d/head, the "dns-nameservers" from /etc/network/interfaces and unedit whichever dnscrypt-proxy config file you may have edited.
2. So as to for now not confuse things disable dnsmasq by commenting out (with a #) the "dns=dnsmasq" in /etc/NetworkManager/NetworkManager.conf. You can optionally re-enable it later.
3. Copy /lib/systemd/system/dnscrypt-proxy.service to /etc/systemd/system and edit it to not use -R/--resolver-name but the -r, -N and -k parameters you need; directly or by adding them to /etc/default/dnscrypt-proxy and then grabbing them in the service file.
4. The /lib/systemd/system/dnscrypt-proxy.socket file should work as is if you use 127.0.2.1:53; should also be copied to /etc/systemd/system and edited if not.

This should basically get things up and running, but...

5. You will note the .socket file to depend on dnscrypt-proxy-resolvconf.service which upon start of the service replaces your /etc/resolv.conf for you. It's better to remove that dependency and just use NetworkManager: set the DNS server for the connection to non-DHCP and 127.0.2.1 manually.
6. If you alternatively wish to reintroduce dnsmasq in the path you should definitely keep dnscrypt-proxy from adjusting /etc/resolv.conf and rather configure 127.0.2.1 as the one and only dnsmasq upstream server, having uncommented "dns=dnsmasq" in /etc/NetworkManager/NetworkManager.conf again: "server=127.0.2.1" in, say, /etc/NetworkManager/dnsmasq.d/dnscrypt.conf. Careful! dnsmasq by default adds dbus-retrieved upstream servers, and most importantly DHCP-retrieved ones. If you want encrypted DNS then dnscrypt-proxy should be your only upstream server so you need to disable dbus for dnsmasq: "enable-dbus" or "enable-dbus=" (i.e., with empty parameter) in, say, /etc/NetworkManager/dnsmasq.d/disable-dbus.conf.

See how this all turns into massive rubbish? You'd as said do yourself a favour by forgetting you ever wanted it but hope it still helps...

rene
Level 8
Posts: 2186
Joined: Sun Mar 27, 2016 6:58 pm

Re: Getting DNScrypt to work with OpenNIC

Post by rene » Sun Mar 11, 2018 6:09 pm

Oh, by the way, if indeed you conclude you can do without DNS encryption but still want to configure (an) OpenNIC server(s), you can do so most easily by, starting with a virgin config, adding, say, /etc/NetworkManager/dnsmasq.d/opennic.conf consisting of, again say,


server=185.121.177.177
server=169.239.202.202
Those IPs are as mentioned on https://wiki.opennic.org/doku.php; you'd preferably use ones more specific to you from https://servers.opennic.org/. Also, if you want the OpenNIC server(s) to be used only for, say, its own .dyn TLD, you can specify this as


server=/dyn/185.121.177.177
server=/dyn/169.239.202.202
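The two posts above lay out the resolver chain rene wants: /etc/resolv.conf pointing only at a local stub, dnsmasq forwarding to nothing but the dnscrypt-proxy listener (127.0.2.1), and the dbus override in place so DHCP-supplied upstreams are not silently added. The script below is an added example, not rene's or mr.travo's code: a small POSIX sh audit that checks a resolv.conf file and a dnsmasq conf directory against that layout. File paths are passed in as parameters so it can run against constructed sample files; the 127.0.1.1 address used for NetworkManager's own dnsmasq listener is an assumption not stated in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit a resolver chain against the
# layout described by rene:
#   resolv.conf   -> only loopback nameservers (no plaintext upstream leak)
#   dnsmasq.d/    -> exactly one server= line, pointing at the dnscrypt stub
#   dnsmasq.d/    -> an "enable-dbus" / "enable-dbus=" override present
# Paths are parameters so the checks can run on constructed sample files.

# Print nameserver addresses from a resolv.conf-style file, one per line.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Succeed only if every nameserver is a loopback address; a public address
# here means queries can bypass the proxy and leave the host in the clear
# (exactly the 128.52.130.209 line in the opening post).
resolv_is_local_only() {
    awk '$1 == "nameserver" && $2 !~ /^127\./ { bad++ }
         END { exit (bad > 0) }' "$1"
}

# Print upstream addresses from server= lines in a dnsmasq conf directory,
# dropping any /domain/ selector (server=/dyn/1.2.3.4 -> 1.2.3.4).
dnsmasq_upstreams() {
    cat "$1"/*.conf 2>/dev/null | sed -n 's|^server=\(/[^/]*/\)\{0,1\}||p'
}

# Succeed only if the directory names exactly one upstream and it is $2.
dnsmasq_sole_upstream_is() {
    dnsmasq_upstreams "$1" | awk -v want="$2" '
        $0 != want { bad++ }
        { n++ }
        END { exit (bad > 0 || n == 0) }'
}

# Succeed if the dbus override rene suggests is present in some conf file.
dnsmasq_dbus_disabled() {
    grep -qs '^enable-dbus=\{0,1\}$' "$1"/*.conf
}

# Run all checks; print one line per finding, return 0 only if all pass.
audit_resolver() {
    resolv=$1; confdir=$2; stub=${3:-127.0.2.1}; rc=0
    if resolv_is_local_only "$resolv"; then
        echo "OK   $resolv lists only loopback nameservers"
    else
        echo "FAIL $resolv has non-loopback nameserver(s): $(resolv_nameservers "$resolv" | grep -v '^127\.' | tr '\n' ' ')"
        rc=1
    fi
    if dnsmasq_sole_upstream_is "$confdir" "$stub"; then
        echo "OK   dnsmasq forwards only to $stub"
    else
        echo "FAIL dnsmasq upstreams are not exactly [$stub]: $(dnsmasq_upstreams "$confdir" | tr '\n' ' ')"
        rc=1
    fi
    if dnsmasq_dbus_disabled "$confdir"; then
        echo "OK   dbus-supplied upstreams disabled in $confdir"
    else
        echo "FAIL no enable-dbus override in $confdir; DHCP/dbus servers may be added"
        rc=1
    fi
    return $rc
}

# Demo on constructed sample files: the layout from the opening post, then
# the intended one (127.0.1.1 as NetworkManager's dnsmasq address is assumed).
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/broken.d" "$tmp/good.d"
    printf 'nameserver 128.52.130.209\nnameserver 127.0.0.1\n' > "$tmp/broken.resolv"
    printf 'nameserver 127.0.1.1\n' > "$tmp/good.resolv"
    printf 'server=127.0.2.1\n' > "$tmp/good.d/dnscrypt.conf"
    printf 'enable-dbus=\n' > "$tmp/good.d/disable-dbus.conf"
    echo "== opening-post layout =="
    audit_resolver "$tmp/broken.resolv" "$tmp/broken.d" || true
    echo "== intended layout =="
    audit_resolver "$tmp/good.resolv" "$tmp/good.d" || true
    rm -rf "$tmp"
}
demo
```

On a real Mint 18 box the calls would be `audit_resolver /etc/resolv.conf /etc/NetworkManager/dnsmasq.d`; the checks only read files, so they are safe to run before and after each of rene's steps to confirm which layer still hands out a plaintext upstream.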

mr.travo
Level 3
Posts: 107
Joined: Fri Aug 05, 2011 1:13 pm

Re: Getting DNScrypt to work with OpenNIC

Post by mr.travo » Wed Mar 21, 2018 12:10 am

Thank you all! Adding this all to my notes and yes, I am ditching dnscrypt. I just want to use an OpenNic server and call it good. :)

Thank you all for your help and time!

T
-Travo

"Sometimes I'm not the sharpest shed in the drawer"
