
This article was posted a while back, but I've decided to repost it because there's a new PPA that you can use to install dnscrypt-proxy in Ubuntu 14.04, and also because some parts of the article needed to be updated.

DNSCrypt is a protocol for securing communications between a client and a DNS resolver, preventing spying, spoofing or man-in-the-middle attacks. To use it, you'll need a tool called dnscrypt-proxy, which "can be used directly as your local resolver or as a DNS forwarder, authenticating requests using the DNSCrypt protocol and passing them to an upstream server".

Update: for Ubuntu 16.04, 16.10 and 17.04 / Linux Mint 18.x, DNSCrypt (dnscrypt-proxy) is available in the official repositories.

The official Ubuntu DNSCrypt packages use OpenDNS as the default resolver.

Thanks to Pascal Mons (work based on Sergey "Shnatsel" Davidoff's initial PPA, which doesn't have packages for Ubuntu 14.04 or 14.10 right now), you can easily install DNSCrypt in Ubuntu 14.04 / Linux Mint 17.x. His packages use 127.0.0.2 as the local IP address (like the now official Ubuntu packages) so it doesn't interfere with Ubuntu's default setup. Also, for extra security, the packages use a dedicated, unprivileged system user: dnscrypt-proxy chroots to this user's home directory and drops root privileges to this user's uid as soon as possible.

The default DNSCrypt-enabled resolver used by Pascal's package is DNSCrypt.eu Resolver #1 @ The Hague, Holland.

The resolver, along with other settings, can be changed by editing the /etc/default/dnscrypt-proxy configuration file (use "sudo service dnscrypt-proxy restart" after making changes to the configuration file).

A list of public DNS resolvers supporting DNSCrypt can be found HERE (note that to get to the actual provider name, address and public key, you need to scroll to the right - annoying, I know).

According to Pascal, he didn't use the US based OpenDNS resolver, because it keeps logs of the websites you visit and it hijacks the homepage on all browsers, redirecting any URL bar search to its own servers in some cases, which does not happen with the DNSCrypt.eu servers.

If you want to add DNSCrypt support to your own public or private resolver, check out DNSCrypt-Wrapper, a server-side dnscrypt proxy that works with any name resolver.


Install DNSCrypt (dnscrypt-proxy) in Ubuntu or Linux Mint

1. Install DNSCrypt Proxy

For Ubuntu 17.04, 16.10 and 16.04 / Linux Mint 18.x, dnscrypt-proxy is available in the official Ubuntu repositories:
sudo apt-get install dnscrypt-proxy

For Ubuntu 14.04 / Linux Mint 17.x, you can use Pascal's DNSCrypt PPA:
sudo add-apt-repository ppa:anton+/dnscrypt
sudo apt-get update
sudo apt-get install dnscrypt-proxy
Note: the PPA description provides information on how to check the authenticity of the code used for building the packages.

2. After installing DNSCrypt, you need to set your network connection DNS server to 127.0.0.2. 

To do this in Unity, from the Network Manager indicator select Edit Connections, then select the connection and click Edit, switch to the IPv4 Settings tab and:

- if you're using Manual (static IP) as the "Method", enter "127.0.0.2" under "DNS servers" (and remember / note your original DNS server in case you want to go back to it), then click "Save":


- if you're using "Automatic (DHCP)" as the "Method", switch it to "Automatic (DHCP) addresses only" and enter "127.0.0.2" under "DNS servers", then click "Save":


3. And finally, restart your network connection (under Unity: select Network indicator > Enable Networking twice to disable and then re-enable it) and web browser.

You may want to check if the "127.0.0.2" DNS is actually in use (it needs to be the only DNS) - to do this in Unity, from the Network indicator select Connection Information.

To check if your DNS is now encrypted:

- for Ubuntu 16.04, 16.10 and 17.04 / Linux Mint 18 (using the dnscrypt-proxy package from the official repositories; this assumes you're using the default server!), run the following command:
dig txt debug.opendns.com
... which should display something like this:

$ dig txt debug.opendns.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> txt debug.opendns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48647
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com.  IN TXT

;; ANSWER SECTION:
debug.opendns.com. 0 IN TXT "server m2.otp"
debug.opendns.com. 0 IN TXT "flags 20 0 70 7950800000000000000"
debug.opendns.com. 0 IN TXT "originid 0"
debug.opendns.com. 0 IN TXT "actype 0"
debug.opendns.com. 0 IN TXT "source [REDACTED-YOUR IP]"
debug.opendns.com. 0 IN TXT "dnscrypt enabled (717473654A614970)"

;; Query time: 31 msec
;; SERVER: 127.0.2.1#53(127.0.2.1)
;; WHEN: Wed Feb 08 16:46:09 EET 2017
;; MSG SIZE  rcvd: 249

- for Ubuntu 14.04 / Linux Mint 17.x: because the dnscrypt-proxy packages from Pascal's PPA don't use OpenDNS, you can't check whether DNSCrypt is in use via the "dig txt debug.opendns.com" command or by visiting OpenDNS' test pages. However, you can check this by visiting https://dnsleaktest.com/ and running a DNS check - if you didn't change the default dnscrypt-proxy package resolver, it should display something like this:


This also works for Ubuntu 16.04, 16.10 and 17.04 / Linux Mint 18 (using the dnscrypt-proxy package from the official repositories): visit https://dnsleaktest.com/, click "Standard test" - the result should say that you're using OpenDNS, like this:


Another way of checking if dnscrypt-proxy is working, especially if you're using a non-default server, is to run the following command:
sudo tcpdump -i NETWORK-INTERFACE dst host 176.56.237.171
... and then visiting some website in your web browser.

(where NETWORK-INTERFACE is your active network interface, like eth0, p5p1, etc. - you can find it using "ifconfig" - and "176.56.237.171" is the default resolver used by Pascal's packages; if you've configured a different resolver, replace the address in the command above with yours!)

The command output should look like this:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on p5p1, link-type EN10MB (Ethernet), capture size 262144 bytes
16:14:53.142488 IP ubuntu-desktop.local.57467 > resolver1.dnscrypt.eu.https: UDP, length 512
16:14:53.142514 IP ubuntu-desktop.local.57467 > resolver1.dnscrypt.eu.https: UDP, length 512
16:14:53.291372 IP ubuntu-desktop.local.57467 > resolver1.dnscrypt.eu.https: UDP, length 512
16:14:53.291450 IP ubuntu-desktop.local.57467 > resolver1.dnscrypt.eu.https: UDP, length 512
16:14:53.464624 IP ubuntu-desktop.local.57467 > resolver1.dnscrypt.eu.https: UDP, length 512
16:14:53.464641 IP ubuntu-desktop.local.57467 > resolver1.dnscrypt.eu.https: UDP, length 512
16:14:53.751950 IP ubuntu-desktop.local.57467 > resolver1.dnscrypt.eu.https: UDP, length 512
16:14:53.815789 IP ubuntu-desktop.local.57467 > resolver1.dnscrypt.eu.https: UDP, length 512
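The three checks described above (127.0.0.2 being the only nameserver, the "dnscrypt enabled" TXT record in the OpenDNS debug answer, and traffic leaving only towards the resolver on port 443) can be scripted so they don't depend on eyeballing output. This is an added example, not code from the post or from the dnscrypt-proxy project: the function names and the sample lines are mine, and the tcpdump check assumes a capture run without the "dst host" filter so that any stray plain-DNS packet shows up.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks mirroring the
# verification steps above. Each function reads text on stdin and returns 0
# on success, so real output can be piped in, e.g.
#   resolv_only 127.0.0.2 < /etc/resolv.conf
#   dig txt debug.opendns.com | dig_shows_dnscrypt
#   sudo tcpdump -l -i eth0 udp | tcpdump_only_to resolver1.dnscrypt.eu

# Every "nameserver" line must be the dnscrypt-proxy address: a second
# resolver would let the system fall back to plain, unencrypted DNS.
resolv_only() {
    want="$1"; found=0
    while read -r key val rest; do
        [ "$key" = "nameserver" ] || continue
        found=1
        [ "$val" = "$want" ] || return 1
    done
    [ "$found" -eq 1 ]
}

# The OpenDNS debug answer must carry a "dnscrypt enabled" TXT record
# (only meaningful when OpenDNS is the upstream, as noted above).
dig_shows_dnscrypt() {
    grep -q 'IN TXT "dnscrypt enabled'
}

# Every packet tcpdump reports must go to the expected resolver on port 443
# (".https"); a packet to any other destination means a query bypassed the proxy.
tcpdump_only_to() {
    host="$1"; n=0
    while read -r line; do
        case "$line" in
            *" > $host.https: UDP"*) n=$((n + 1)) ;;
            *" > "*) return 1 ;;
        esac
    done
    [ "$n" -gt 0 ]
}

# Constructed samples, formatted like the outputs shown above.
SAMPLE_RESOLV='nameserver 127.0.0.2'
SAMPLE_DIG='debug.opendns.com. 0 IN TXT "dnscrypt enabled (717473654A614970)"'
SAMPLE_TCPDUMP='16:14:53.142488 IP ubuntu-desktop.local.57467 > resolver1.dnscrypt.eu.https: UDP, length 512'
```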

Tip: DNSCrypt can be used with Unbound or dnsmasq (I didn't test it though) - for this and other tips, see THIS ArchWiki entry.

For more information on DNSCrypt / dnscrypt-proxy, check out the following links:


Update: fix DNSCrypt Proxy not working after a system restart in Ubuntu 16.04 or 16.10


In some cases, you may notice that there's no Internet connection available after a system restart in Ubuntu 16.04 or 16.10 / Linux Mint 18 once DNSCrypt Proxy has been set up. It looks like the Debian packaging of DNSCrypt Proxy is a bit buggy, so here's how to fix it:

1. Run the following command to edit the dnscrypt-proxy.service file:
sudo systemctl edit --full dnscrypt-proxy.service
...and in this file, after the "After=network.target iptables.service firewalld.service" line, paste the following as a new line:
Before=nss-lookup.target
Do not modify anything else in this file! Once you're done, save the file and exit (if Nano is your default console editor, press Ctrl + O, then Enter to save the file, then Ctrl + X to exit).

2. Run the following command to edit the dnscrypt-proxy.socket file:
sudo systemctl edit --full dnscrypt-proxy.socket
... and from this file, remove the "After=network.target" line without modifying anything else, then save the file (if Nano is your default console editor, press Ctrl + O, then Enter to save the file, then Ctrl + X to exit).

seen @ desdelinux.net, thanks to Pascal Mons for the PPA!