DNSCrypt 2.0
Frank Denis edited this page 2018-10-07 00:17:13 +02:00

This page can probably replace the DNSCrypt page, but that one is being kept for archive purposes until the dnscrypt-proxy 2.0 instructions are fully fleshed out.

DNSCrypt-Proxy 2.0

DNSCrypt-Proxy 2.0 by jedisct1 drastically simplifies configuration and installation. Pre-built binaries are available for the common platforms. The main configuration options are now centralized in a single .toml file, and server selection and server list updates are handled automatically.

Step 1: Install DNSCrypt-Proxy

  • cd /opt: Move to the /opt directory. This is where the dnscrypt-proxy files will live.
  • Download the latest pre-built binary for your platform. I'm using Pi-Hole on Linux x86_64, so I'll use linux_x86_64; check yours with uname -sm and pick the matching archive. On a Raspberry Pi (for example a Pi 3 running the 32-bit Raspbian, where uname -sm prints Linux armv7l) use linux_arm, NOT x86_64.
  • tar xzvf dnscrypt-proxy-linux_x86_64-2.*.tar.gz: Extract the prebuilt binary. The archive unpacks into a directory named after the platform (note the hyphen: linux-x86_64).
  • mv linux-x86_64 dnscrypt-proxy: Rename the extracted folder.
  • rm dnscrypt-proxy-linux_x86_64-2.*.tar.gz: Remove the archive.
  • cd dnscrypt-proxy: cd into the renamed directory.
  • cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml: Create a configuration file based on the shipped example. Keep it next to the binary; that is where dnscrypt-proxy looks for it by default.
  • sudo nano dnscrypt-proxy.toml: Edit the toml file. This is where all the configuration happens.
  • In the listen_addresses line, change the port to something other than 53, since 53 is already bound by Pi-Hole's dnsmasq. I'll use port 5300 in this example: listen_addresses = ['127.0.0.1:5300', '[::1]:5300']. Keep the listeners on loopback; only Pi-Hole on the same host needs to reach dnscrypt-proxy. You can drop the IPv6 entry if you don't use it.
  • Edit other settings as desired. I set require_dnssec to true, so only resolvers that validate DNSSEC are used. There are many other options, but server selection and list updates are already handled for you. If you want to pin the server(s) you use, set server_names to names taken from the public resolver list (see this site).
  • sudo ./dnscrypt-proxy -service install: Install dnscrypt-proxy as a system service (a systemd unit on modern Linux).
  • sudo ./dnscrypt-proxy -service start: Start the new service.

You can see dnscrypt-proxy 2.0 installation instructions on the wiki.

Warning: I did not set dnscrypt-proxy to run as a non-root user yet.

There are instructions on the wiki for running it unprivileged. If the service has to bind a privileged port (below 1024, e.g. 53) as a non-root user, grant the binary just that one capability instead of running the whole process as root:

  • sudo setcap cap_net_bind_service=+pe dnscrypt-proxy

With port 5300 as used above this is not needed, since ports above 1023 require no special privilege. Note, however, that the service unit created by -service install runs as root unless you edit it to set a dedicated user.

Also see the wiki for details on DNS server sources.

Step 2: Modify Pi-Hole

If you're running a recent version of Pi-Hole (FTLDNS), the custom upstream DNS fields in the admin Settings > DNS page accept a port number with the syntax host#port, so enter 127.0.0.1#5300 (and ::1#5300 if you kept the IPv6 listener). Uncheck every other upstream DNS server; any upstream left enabled still receives some queries in cleartext, bypassing dnscrypt-proxy.

(The screenshot that was here showed 127.0.0.1#5353; use 5300, or whatever port dnscrypt-proxy is listening on, as suggested above.)

If you're running an older version of Pi-Hole, then follow these instructions:

  • sudo nano /etc/dnsmasq.d/02-dnscrypt.conf: Create a new conf file (or edit an existing one).
  • Add server=<IP>#<port> pointing at where dnscrypt-proxy is listening. For example, my .toml file has listen_addresses = ['127.0.0.1:5300', '[::1]:5300'], so the conf file gets server=127.0.0.1#5300 (add server=::1#5300 as well if you want IPv6 forwarding).
  • sudo nano /etc/pihole/setupVars.conf: Edit setupVars.conf.
  • Comment out all PIHOLE_DNS= lines (put a # at the beginning of each line). Pi-Hole regenerates 01-pihole.conf from this file, so if you skip this step the old upstreams come back after the next reconfigure or update.
  • sudo nano /etc/dnsmasq.d/01-pihole.conf
  • Comment out all server=... lines (put a # at the beginning of each line). Otherwise dnsmasq keeps forwarding part of your queries to those upstreams in cleartext.
  • sudo service dnsmasq restart: Restart dnsmasq.

DNSSEC validation

If you set require_dnssec to true (or otherwise chose a resolver that validates DNSSEC), also tell dnsmasq to pass through the AD (authenticated data) flag it receives from dnscrypt-proxy: echo "proxy-dnssec" >> /etc/dnsmasq.d/02-dnscrypt.conf (as root; with sudo use sudo sh -c '...' or sudo tee -a, since the redirection is done by your shell). proxy-dnssec does not validate locally, it trusts the upstream's flag; that is acceptable here because the upstream is dnscrypt-proxy on the same host.
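The configuration changes from Step 1, Step 2 and the DNSSEC section above, as an added example that is not code from the dnscrypt-proxy or Pi-Hole projects. The helper names (set_dnscrypt_port, write_dnsmasq_forward, check_ports and so on) are this example's own, the file paths are taken as arguments, and demo_on_sample_files runs the whole procedure on constructed copies of the two files so it can be exercised offline. The consistency check is the part worth keeping: dnscrypt-proxy listening on one port while dnsmasq forwards to another is the usual reason Pi-Hole stops resolving after the switch.

```shell
#!/bin/sh
# Added example (not from dnscrypt-proxy or Pi-Hole): apply the port,
# require_dnssec and dnsmasq forwarding changes and verify both sides agree.

# set_dnscrypt_port TOML PORT
#   Make dnscrypt-proxy listen on 127.0.0.1 and ::1 at PORT. Port 53 is
#   refused because Pi-Hole's dnsmasq already owns it.
set_dnscrypt_port() {
  toml=$1
  port=$2
  case $port in
    53|''|*[!0-9]*) echo "refusing port '$port'" >&2; return 1 ;;
  esac
  sed "s|^listen_addresses = .*|listen_addresses = ['127.0.0.1:$port', '[::1]:$port']|" \
    "$toml" > "$toml.tmp" && mv "$toml.tmp" "$toml"
}

# enable_require_dnssec TOML
#   Only use resolvers that validate DNSSEC (require_dnssec = true).
enable_require_dnssec() {
  sed 's|^require_dnssec = .*|require_dnssec = true|' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# write_dnsmasq_forward CONF PORT
#   Write the dnsmasq drop-in: forward everything to dnscrypt-proxy on PORT
#   (IPv4 and IPv6 loopback) and pass through the AD flag it sets.
write_dnsmasq_forward() {
  printf 'server=127.0.0.1#%s\nserver=::1#%s\nproxy-dnssec\n' "$2" "$2" > "$1"
}

# dnscrypt_port TOML / dnsmasq_port CONF
#   Print the port each side is configured with (empty if not found).
dnscrypt_port() {
  sed -n "s|^listen_addresses = \['127\.0\.0\.1:\([0-9]*\)'.*|\1|p" "$1"
}
dnsmasq_port() {
  sed -n 's|^server=127\.0\.0\.1#\([0-9]*\)$|\1|p' "$1"
}

# check_ports TOML CONF
#   Succeed only if dnsmasq forwards to the port dnscrypt-proxy listens on.
check_ports() {
  a=$(dnscrypt_port "$1")
  b=$(dnsmasq_port "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# demo_on_sample_files
#   Constructed copies of the two files as they look before the change: the
#   shipped example toml listens on port 53 and a stale dnsmasq drop-in points
#   at 5353. Returns 0 when the procedure leaves them consistent.
demo_on_sample_files() {
  dir=$(mktemp -d) || return 1
  toml=$dir/dnscrypt-proxy.toml
  conf=$dir/02-dnscrypt.conf
  printf "listen_addresses = ['127.0.0.1:53', '[::1]:53']\nrequire_dnssec = false\n" > "$toml"
  printf 'server=127.0.0.1#5353\n' > "$conf"

  check_ports "$toml" "$conf" && return 1   # the mismatch must be detected
  set_dnscrypt_port "$toml" 5300 || return 1
  enable_require_dnssec "$toml" || return 1
  write_dnsmasq_forward "$conf" 5300 || return 1
  check_ports "$toml" "$conf" || return 1
  grep -q '^require_dnssec = true$' "$toml" || return 1
  grep -q '^proxy-dnssec$' "$conf" || return 1
  rm -rf "$dir"
}

# Run "sh this-script.sh demo" to exercise the functions on the sample files.
if [ "${1:-}" = demo ]; then
  demo_on_sample_files && echo "dnscrypt-proxy and dnsmasq agree on the forwarding port"
fi
```

On a real Pi-Hole you would call set_dnscrypt_port and enable_require_dnssec on /opt/dnscrypt-proxy/dnscrypt-proxy.toml, write_dnsmasq_forward on /etc/dnsmasq.d/02-dnscrypt.conf, then restart both services; the substitutions rewrite the files in place via a temp file, so run them with the privileges that own those paths.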

Test DNSCrypt

Use the built-in client:

./dnscrypt-proxy -resolve google.com

Run it from the dnscrypt-proxy directory so it picks up your dnscrypt-proxy.toml. It resolves the name through the running proxy and displays the resolver you are currently using together with the answer; if this works but Pi-Hole clients still fail, the problem is on the dnsmasq side (wrong port or leftover upstreams).

  • Test site
  • Test site -- Note that a clean result on this test is not enough to confirm the absence of leaks. In particular, Cisco (OpenDNS) and Google resolvers transparently forward part of your real network address to authoritative servers of the companies they partner with (the EDNS Client Subnet mechanism, edns-clientsubnet), so the test page only sees the resolver, not what the resolver passes on.

There are more links on the first test site as well.