---
layout: post
comments: true
title: "dnscrypt-proxy v2 on Debian/Ubuntu quickly, dirtily"
category: [english]
tags: [english, dnscrypt, dns, dnscrypt-proxy]
redirect_from:
- /dnscrypt.html
- /dnscrypt-proxy.html
- /english/2018/10/21/dnscrypt-proxy-quick-dirty-debian.html
---
*DNSCrypt-proxy encrypts DNS queries that would otherwise go in plaintext,
ensuring that they won't be seen or modified by anyone in the middle. It
works as a localhost DNS server sending queries to configured DNS
resolvers.*

I guess I should also say why you would want dnscrypt v1 vs v2. V1, which
is in most repos currently, uses a broken resolver by default and only
supports one resolver at a time, while v2 can use multiple of them while
comparing them for the best ones.

This post is on getting v2 onto Debian Stable and Ubuntu pre-18.10, which
contain v1, and I (sadly) don't know a better way to do this.

In order to check which version your distro has available, check the
dnscrypt-proxy search page for your distribution:

* [Debian](https://packages.debian.org/dnscrypt-proxy)
  * 2018-11-03: the version in *stretch (stable)* is `1.9.4-1`, which has
    the issues that are why I wrote this post.
* [Ubuntu](https://packages.ubuntu.com/dnscrypt-proxy)
  * 2018-11-03: I cannot find dnscrypt-proxy from Ubuntu at all, while I
    am sure it previously had the Debian version 1.

* * * * *

1. Update your local apt cache with `sudo apt update` and install curl, which
   will be used for downloading the package from Debian:
   `sudo apt-get install curl`

Check the version number at [Debian's dnscrypt-proxy package download page](https://packages.debian.org/sid/amd64/dnscrypt-proxy/download) and fix it
below:

2. Download the package: `curl -LO https://deb.debian.org/debian/pool/main/d/dnscrypt-proxy/dnscrypt-proxy_2.0.16-2_amd64.deb`

**WARNING: This part is not supported by either Debian or Ubuntu; you are
taking a package from one distribution and attempting to install it
on another.**

**WARNING: Usually when you use apt, it will verify package signatures and
ensure that the package hasn't been tampered with. I have no idea how to
do that with direct downloads (if it's even possible) so you will be
trusting the Debian repository mirror or CDN blindly.**
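
The check apt performs can be reproduced by hand for a direct download: once Debian's signed `InRelease` file vouches for the `Packages` index, the index states the SHA256 the `.deb` must have. The script below is an added example, not part of the original post; the function names and the keyring path in its comments are assumptions.

```bash
#!/bin/sh
# Added example, not from the original post.
# apt's trust chain: InRelease (signed by the Debian archive key) lists the
# SHA256 of Packages.xz, and Packages lists the SHA256 of every .deb.
# Online part, run once (the keyring path is an assumption; the file comes
# from the debian-archive-keyring package):
#   curl -LO https://deb.debian.org/debian/dists/sid/InRelease
#   curl -LO https://deb.debian.org/debian/dists/sid/main/binary-amd64/Packages.xz
#   gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg \
#        --output Release InRelease
# Then compare `sha256sum Packages.xz` with the main/binary-amd64/Packages.xz
# entry under "SHA256:" in Release, and unpack it with `xz -dk Packages.xz`.

# expected_sha256 PACKAGES DEB_BASENAME
# Print the SHA256 field of the stanza whose Filename ends in DEB_BASENAME.
expected_sha256() {
    awk -v want="$2" 'BEGIN { RS = ""; FS = "\n" }   # one stanza per record
    {
        file = ""; sum = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Filename: /) file = substr($i, 11)
            if ($i ~ /^SHA256: /)   sum = substr($i, 9)
        }
        n = split(file, part, "/")
        if (n > 0 && part[n] == want) { print sum; exit }
    }' "$1"
}

# verify_deb PACKAGES DEB
# Return 0 on match, 1 on hash mismatch, 2 if the index has no such package.
verify_deb() {
    want=$(expected_sha256 "$1" "$(basename "$2")")
    [ -n "$want" ] || { echo "no stanza for $2 in $1" >&2; return 2; }
    have=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$want" = "$have" ] || { echo "SHA256 mismatch for $2" >&2; return 1; }
    echo "OK: $2 matches $1"
}

# Script mode: ./verify-deb.sh Packages dnscrypt-proxy_<version>_amd64.deb
[ "$#" -ne 2 ] || verify_deb "$1" "$2"
```

The hash comparison is only as trustworthy as the `Packages` file, so the `gpgv` step and the `Packages.xz` hash check in the comments have to succeed first.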

3. Install the package you downloaded: `sudo dpkg -i dnscrypt-proxy<TAB>`
   (TAB (above capslock) automatically completes the rest of the filename for
   you).
   1. In case there was a problem, attempt `sudo apt-get install -f` to fix
      broken package dependencies. **Remember to check that what it suggests
      looks reasonable!** If it asks to remove dnscrypt-proxy, you are out
      of luck and should do that instead of attempting to replace important
      system components from another distribution (creating
      "Frankendebian").

Hopefully dnscrypt-proxy is now running. Check
`journalctl -u dnscrypt-proxy`; there should be a line saying
`[NOTICE] Wiring systemd TCP socket #0, dnscrypt-proxy.socket, 127.0.2.1:53`

Edit `/etc/NetworkManager/NetworkManager.conf` to avoid overlapping
resolvers breaking each other; it should say `dns=none`,
e.g.:
```
[main]
plugins=ifupdown,keyfile
dns=none
```
If it doesn't say `dns=none`, fix it and restart NetworkManager with:
`systemctl restart NetworkManager`

Edit your `/etc/resolv.conf`, for example:
```
sudo su -
# remove the existing file or symlink
rm /etc/resolv.conf
# write the new file, then make it immutable
nano /etc/resolv.conf && chattr +i /etc/resolv.conf
```
`chattr +i` will prevent modifying the file unless `chattr -i` is done first.

Example resolv.conf:
```
nameserver 127.0.2.1
options edns0 single-request-reopen
#search mikaela.info
```
The nameserver is the address dnscrypt-proxy said it was listening on in
journalctl, the options are from the dnscrypt-proxy documentation, and `search` means
domains that are automatically searched if you don't use fully
qualified domain names, e.g. `ssh machine` in my (uncommented) config
would turn into `ssh machine.mikaela.info`.

You should also tell dhclient not to touch resolv.conf, or you may get many
files in `/etc` with names beginning with `resolv.conf.dhclient-new.`
according to the
[Debian wiki](https://wiki.debian.org/resolv.conf#Stop_dhclient_from_modifying_.2Fetc.2Fresolv.conf), which gives the following two commands, and
[Debian bug 860928](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860928):
```bash
echo 'make_resolv_conf() { :; }' > /etc/dhcp/dhclient-enter-hooks.d/leave_my_resolv_conf_alone
chmod 755 /etc/dhcp/dhclient-enter-hooks.d/leave_my_resolv_conf_alone
```
* * * * *

**WARNING from 2018-10-21!** It appears that the cache and log directories
of dnscrypt-proxy sometimes don't get created automatically (at least on
Debian GNU/Linux 9.6 (stretch)).

If this happens to you, or you would like to be sure to have them:
```
sudo mkdir -p /var/cache/dnscrypt-proxy/ /var/log/dnscrypt-proxy/
sudo chown -R _dnscrypt-proxy:nogroup /var/cache/dnscrypt-proxy /var/log/dnscrypt-proxy
```
* * * * *

For the curious, my dnscrypt-proxy config [is in my shell-things repository](https://github.com/Mikaela/shell-things/tree/master/etc/dnscrypt-proxy) [mirror](https://gitea.blesmrt.net/mikaela/shell-things/src/branch/master/etc/dnscrypt-proxy).