From 7114c3b1340e10fe9a3262746005efc2f9fa94e2 Mon Sep 17 00:00:00 2001 From: Frank Denis <124872+jedisct1@users.noreply.github.com> Date: Sat, 10 Feb 2018 14:35:38 +0100 Subject: [PATCH] Updated DNSCrypt 2.0 (markdown) --- DNSCrypt-2.0.md | 50 ++++++++++++++++++++++++++++--------------------- 1 file changed, 29 insertions(+), 21 deletions(-) diff --git a/DNSCrypt-2.0.md b/DNSCrypt-2.0.md index b11be62..2910ba1 100644 --- a/DNSCrypt-2.0.md +++ b/DNSCrypt-2.0.md 
@@ -6,40 +6,48 @@ This can probably replace the DNSCrypt page, but leaving it for archive purposes ## Step 1: Install DNSCrypt-Proxy -* mkdir -p /dnsproxy: (this is just a folder to store everything. Pihole instructions have this on the root of the partition, but should work from anywhere), suggest opt or etc. -* Download [latest](https://github.com/jedisct1/dnscrypt-proxy/releases/latest) pre-built binary. I'm using Debian, so I used linux_x86_64. There is a binary for arm. -* tar -xf : extract prebuilt binary -* cd linux_x86-64: cd into extracted dir -* nano/vi example-dnscrypt-proxy.toml: Edit the toml file. This is where all the fancy configuration happens. -* Edit port to be something other than 53 (since 53 is being used by PiHole). This is the listen_addresses line. Change both IPv4 and IPv6 as desired. -* Edit other settings as desired. I set dnssec to be True. There are a lot of other options, but server selection and more is already done. -* cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml -* dnscrypt-proxy -service install: install dnscrypt-proxy service -* dnscrypt-proxy -service start: start the new service +* `mkdir -p /dnsproxy`: (this is just a folder to store everything. Pihole instructions have this on the root of the partition, but should work from anywhere), suggest opt or etc. +* Download [latest](https://github.com/jedisct1/dnscrypt-proxy/releases/latest) pre-built binary. I'm using Debian, so I used `linux_x86_64`. There is a binary for arm. +* `tar -xf `: extract prebuilt binary +* `cd linux_x86-64`: cd into extracted dir +* `cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml` +* `nano/vi dnscrypt-proxy.toml`: Edit the toml file. This is where all the fancy configuration happens. +* Edit port to be something other than 53 (since 53 is being used by Pi-Hole). This is the listen_addresses line. Change both IPv4 and IPv6 as desired. +* Edit other settings as desired. I set `dnssec` to be `true`. 
There are a lot of other options, but server selection and more is already done. +* `dnscrypt-proxy -service install`: install dnscrypt-proxy service +* `dnscrypt-proxy -service start`: start the new service You can see dnscrypt-proxy 2.0 installation instructions on the [wiki](https://github.com/jedisct1/dnscrypt-proxy/wiki/installation). -!Warning! I did not set dnscrypt-proxy to run as non-root user yet. There are instructions on the [wiki](https://github.com/jedisct1/dnscrypt-proxy/wiki/installation#running-it-as-a-non-root-user-on-linux) +**Warning** I did not set `dnscrypt-proxy` to run as non-root user yet. -Also see [wiki](https://github.com/jedisct1/dnscrypt-proxy/wiki/DNS-server-sources) for details on DNS server sources. +There are instructions on the [wiki](https://github.com/jedisct1/dnscrypt-proxy/wiki/installation#running-it-as-a-non-root-user-on-linux) + +Also see the [wiki](https://github.com/jedisct1/dnscrypt-proxy/wiki/DNS-server-sources) for details on DNS server sources. ## Step 2: Modify Pi-Hole These instructions are the [same](https://github.com/pi-hole/pi-hole/wiki/DNSCrypt#change-your-dnsmasq-config), but will copy them here. -* sudo nano /etc/dnsmasq.d/02-dnscrypt.conf: Create new or edit existing conf. -* Change servers=# where your dnscrypt-proxy is running. For example, my .toml file is listen_addresses = ['127.0.0.1:54', '[::1]:54'], so edit the conf file to be server=127.0.0.1#54 -* sudo nano /etc/pihole/setupVars.conf: Edit setupVars.conf. -* Comment out #PIHOLE_DNS#= lines. -* sudo nano /etc/dnsmasq.d/01-pihole.conf -* Comment out #server=... lines -* sudo service dnsmasq restart: restart dnsmasq +* `sudo nano /etc/dnsmasq.d/02-dnscrypt.conf`: Create new or edit existing conf. +* Change `servers=#` where `dnscrypt-proxy` is running. For example, my `.toml` file is `listen_addresses = ['127.0.0.1:54', '[::1]:54']`, so edit the conf file to be `server=127.0.0.1#54` +* `sudo nano /etc/pihole/setupVars.conf`: Edit setupVars.conf. 
+* Comment out `#PIHOLE_DNS#=` lines. +* `sudo nano /etc/dnsmasq.d/01-pihole.conf` +* Comment out `#server=...` lines +* `sudo service dnsmasq restart`: restart dnsmasq ## Test DNSCrypt +Use the built-in client: + +```sh +dnscrypt-proxy -resolve google.com +``` + +This will display the resolver you are currently using. * [Test site](https://dnssec.vs.uni-due.de/) -* [Test site](https://www.dnsleaktest.com/) - +* [Test site](https://www.dnsleaktest.com/) -- Note that the output of this test is not enough to confirm the absence of leaks. In particular, Cisco and Google will transparently send a copy of your **real** network address to companies they partner with (edns-clientsubnet mechanism). There are more links on the first test site as well. \ No newline at end of file
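Review bot: In Step 1 the warning that `dnscrypt-proxy` is not yet set to run as a non-root user is now split from the sentence linking to the non-root instructions, so "There are instructions on the wiki" no longer says what the instructions are for. Keep the two as one paragraph, or fold the non-root setup into the step list next to `dnscrypt-proxy -service install`, since the steps as written leave the service running as root. Also in Step 1, the commands now sit in code spans and read as copy-paste literals, but `tar -xf ` has no archive name and `cd linux_x86-64` does not match the `linux_x86_64` named in the download step. In Step 2, `servers=#` should use the same `server=` spelling as the `server=127.0.0.1#54` example, and putting `#PIHOLE_DNS#=` and `#server=...` in code spans makes them look like lines that are already commented out; describe the pattern in words instead.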