mikaela.github.io/blog/_posts/2018-10-21-dnscrypt-proxy-quick-dirty-debian.md

---
layout: post
comments: true
title: "dnscrypt-proxy v2 on Debian/Ubuntu quickly, dirtily"
category: [english]
tags: [english, dnscrypt, dns, dnscrypt-proxy]
redirect_from:
  - /dnscrypt.html
  - /dnscrypt-proxy.html
  - /english/2018/10/21/dnscrypt-proxy-quick-dirty-debian.html
---

_DNSCrypt-proxy encrypts DNS queries that would otherwise go in plaintext
ensuring that they won't be seen or modified by anyone in the middle. It
works as a localhost DNS server sending queries to configured DNS
resolvers._

I guess I should also say why you would want dnscrypt v1 vs v2. V1 which
is in most of repos currently uses broken resolver by default and only
supports one resolver at a time, while v2 can use multiple of them while
comparing them for the best ones.

This post is on getting v2 to Debian Stable and Ubuntu pre 18.10 which
contain v1 and I (sadly) don't know a better way to do this.

In order to check which version your distro has available, check the
dnscrypt-proxy search page for your distribution:

- [Debian](https://packages.debian.org/dnscrypt-proxy)
  - 2018-11-03: the version in _stretch (stable)_ is `1.9.4-1` which has
    the issues why I wrote this post.
- [Ubuntu](https://packages.ubuntu.com/dnscrypt-proxy)
  - 2018-11-03: I cannot find dnscrypt-proxy from Ubuntu at all, while I
    am sure it previously had the Debian version 1.

---

1. Update your local apt cache `sudo apt update` and install curl that will
   be used for downloading the package from Debian `sudo apt-get install curl`

Check the version number at [Debian's dnscrypt-proxy package download page](https://packages.debian.org/sid/amd64/dnscrypt-proxy/download) and fix it
below:

2: download the package`curl -LO https://deb.debian.org/debian/pool/main/d/dnscrypt-proxy/dnscrypt-proxy_2.0.16-2_amd64.deb`

**WARNING: This part is not supported by either Debian or Ubuntu, you are
taking a package from another distribution and attempting to install it
on another.**

**WARNING: Usually when you use apt, it will verify package signatures and
ensure that the package hasn't been tampered with. I have no idea how to
do that with direct downloads (if it's even possible) so you will be
trusting the Debian repository mirror or CDN blindly.**

3. install the package you downloaded: `sudo dpkg -i dnscrypt-proxy<TAB>`
   (TAB (above capslock) automatically completes rest of the filename for
   you).
   1. In case there was a problem, attmept `sudo apt-get install -f` to fix
      broken package depedencies. **Remember to check that what it suggests
      looks reasonable!** If it asks to remove dnscrypt-proxy, you are out
      of luck and should do that instead of attempting to replace important
      system components from another distribution (creating
      "Frankendebian").

Hopefully dnscrypt-proxy is now running, check
`journalctl -u dnscrypt-proxy`, there should be a line saying
`[NOTICE] Wiring systemd TCP socket #0, dnscrypt-proxy.socket, 127.0.2.1:53`

Edit `/etc/NetworkManager/NetworkManager.conf` to avoid overlapping
resolvers breaking each other, it should say say `dns=none`
e.g.:

```
[main]
plugins=ifupdown,keyfile
dns=none
```

if it doesn't say dns=none, fix it and restart it with:
`systemctl restart NetworkManager`

Edit your /etc/resolv.conf, for example:

```
sudo su -
rm /etc/resolv.conf
nano /etc/resolv.conf && chattr +i /etc/resolv.conf
```

chattr +i will prevent modifying the file unless chattr -i is done first.

Example resolv.conf:

```
nameserver 127.0.2.1
options edns0 single-request-reopen
#search mikaela.info
```

Nameserver is the host where dnscrypt-proxy said to be listening on in
journalctl, options are from dnscrypt-proxy documentation and search means
domains that are automatically searched for if you don't use fully
qualified domain names, e.g. `ssh machine` in my (uncommented) config
would turn into `ssh machine.mikaela.info`. Update: I find this a privacy
leakage (whenever NXDOMAIN happens), which is why I nowadays have it commented.

You should also tell dhclient to not touch resolv.conf or you may get many
files into `/etc` beginning with names `resolv.conf.dhclient-new.`
according to
[Debian wiki](https://wiki.debian.org/resolv.conf#Stop_dhclient_from_modifying_.2Fetc.2Fresolv.conf) which gives the following two commands and
[Debian bug 860928](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860928):

```bash
echo 'make_resolv_conf() { :; }' > /etc/dhcp/dhclient-enter-hooks.d/leave_my_resolv_conf_alone
chmod 755 /etc/dhcp/dhclient-enter-hooks.d/leave_my_resolv_conf_alone
```

---

**WARNING from 2018-10-21!** It appears that the cache and log directories
of dnscrypt-proxy don't sometimes get created automatically (at least on
Debian GNU/Linux 9.6 (stretch).

If this happens to you or you would like to be sure to get them:

```
sudo mkdir -p /var/cache/dnscrypt-proxy/ /var/log/dnscrypt-proxy/
sudo chown -R _dnscrypt-proxy:nogroup /var/cache/dnscrypt-proxy /var/log/dnscrypt-proxy
```

---

For the curious my dnscrypt-proxy config [is in my shell-things repository](https://github.com/Mikaela/shell-things/tree/master/etc/dnscrypt-proxy) [mirror](https://gitea.blesmrt.net/mikaela/shell-things/src/branch/master/etc/dnscrypt-proxy).

---

## 2019-07-22 update

I have also started performing local DNSSEC validation by running Unbound
in front of DNSCrypt-proxy, so my queries go resolv.conf -> Unbound ->
dnscrypt-proxy -> configured resolvers. This has the advantage that if the
resolver didn't perform DNSSEC validation or lied about performing it, the
protection by DNSSEC would still be received.

The steps are simple:

1. `sudo apt install unbound`
   - You should see a file `/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf`
     which simply says `server:` and on another line after intending
     `auto-trust-anchor-file: "/var/lib/unbound/root.key"` (the path varies
     by distribution) which means it's performing DNSSEC validation with
     those trust anchors.
2. `sudo nano /etc/unbound/unbound.conf.d/dnscrypt-proxy.conf`

```
do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.2.1@53
```

3. `sudo systemctl restart unbound`
4. Ensure `/etc/resolv.conf` points to `127.0.0.1` and optionally `::1`
   instead of `127.0.2.1` where dnscrypt-proxy runs by default. For more
   details, CTRL + F for resolv.conf or chattr.