Write working installation guide, at least for Ubuntu

Frank Denis 2025-01-07 14:35:56 +01:00
parent 92a07a3746
commit b24a5072ea

@ -1,70 +1,19 @@
# Installation on Debian and Ubuntu
Debian Stretch and Ubuntu 18.04 ship with old and unsupported `dnscrypt-proxy` package (1.9.x). Debian Testing and Unstable and Ubuntu 18.10+ have more recent packages.
Before installing DNSCrypt-Proxy 2.x regardless of the method, remove old 1.x version if you have it installed:
```sh
sudo apt purge dnscrypt-proxy
```
## Generic Linux installation procedure
The generic [instructions for Linux](Installation-linux) work fine on Debian and Ubuntu. The additional instructions below are not required if you are going that route.
### Debian Testing _(`bullseye`)_, Debian Unstable _(`sid`)_
Version 2.x of [**DNSCrypt-Proxy**](https://github.com/jedisct1/dnscrypt-proxy) is included with Debian Testing and Debian Unstable. By adding the correspondent repository for either `testing`, `unstable`, or both, you'll be able to install a fully automatic installation of **DNSCrypt-Proxy**. Meaning that no manual configuration is required, and it work after an `apt install dnscrypt-proxy` install.
---
#### Adding Repository
> **Note:** This overwrites existing files. Be sure to check for old files.
##### Debian Testing
```shell
echo "deb https://deb.debian.org/debian/ testing main" | sudo tee /etc/apt/sources.list.d/testing.list
```
##### Debian Unstable
```shell
echo "deb https://deb.debian.org/debian/ unstable main" | sudo tee /etc/apt/sources.list.d/unstable.list
```
#### Pin Repository
This step is required so that you don't pull in packages that don't follow your system version.
`/etc/apt/preferences.d/pinning.pref`
```conf
Package: *
Pin: release a=stable
Pin-Priority: 900
Package: *
Pin: release a=testing
Pin-Priority: 500
Package: *
Pin: release a=unstable
Pin-Priority: 100
```
> **NB!** Be careful when doing an upgrade the next time. Make notice if it pull packages that it should not. If so, this might need tweaking. Read the [manual](https://manpages.debian.org/stretch/apt/apt_preferences.5.en.html) for help.
#### Install DNSCrypt-Proxy
##### `testing`
##### `debian testing`
```sh
sudo apt update && \
sudo apt install -t testing dnscrypt-proxy
```
##### `unstable`
##### `debian unstable`
```sh
sudo apt update && \
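Review bot: The opening paragraph of this hunk describes Debian Stretch, Ubuntu 18.04 and "Ubuntu 18.10+", which reads as dated for a guide committed in 2025 and described as working "at least for Ubuntu". If that paragraph stays, state which Ubuntu release and packaged `dnscrypt-proxy` version the steps were tested on. Also note next to `sudo apt purge dnscrypt-proxy` that purging removes the package's configuration files as well, since later steps rebuild `/etc/dnscrypt-proxy/` from the examples.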
@ -81,7 +30,155 @@ DNSCrypt-Proxy 2.x is included in Ubuntu 18.10+ repositories, install it with `s
## Configuration
### If dnsmasq is already running
### Remove the previous dnscrypt-proxy service
```sh
sudo dnscrypt-proxy -service stop
sudo dnscrypt-proxy -service uninstall
```
### Copy the example configuration files to /etc/dnscrypt-proxy/
`/etc/dnscrypt-proxy/` is where the Debian/Ubuntu package expects the `dnscrypt-proxy` configuration to be.
So, type the following commands to copy the examples to that directory:
```sh
sudo cp /usr/share/doc/dnscrypt-proxy/examples/* /etc/dnscrypt-proxy/
cd /etc/dnscrypt-proxy
cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml
```
The last step is important. You should overwrite the existing `dnscrypt-proxy.toml` with the example.
### Check if the configuration is correct
Type:
```sh
cd /etc/dnscrypt-proxy
dnscrypt-proxy -check
```
If should print `Configuration successfully checked`.
You can also print the list of configured resolvers with:
```sh
cd /etc/dnscrypt-proxy
dnscrypt-proxy -list
```
### Try to run the proxy manually
Type:
```sh
cd /etc/dnscrypt-proxy
sudo dnscrypt-proxy
```
The proxy should start:
```text
[2025-01-07 14:26:33] [NOTICE] Network connectivity detected
[2025-01-07 14:26:33] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
[2025-01-07 14:26:33] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
[2025-01-07 14:26:33] [NOTICE] Source [public-resolvers] loaded
[2025-01-07 14:26:33] [NOTICE] Source [relays] loaded
[2025-01-07 14:26:33] [NOTICE] Firefox workaround initialized
[2025-01-07 14:26:33] [NOTICE] [cs-slovakia] OK (DNSCrypt) - rtt: 44ms
[2025-01-07 14:26:34] [NOTICE] [jp.tiar.app] OK (DNSCrypt) - rtt: 266ms
...
```
### Check if the proxy is properly running
Without stopping the proxy, and in a different terminal, type:
```sh
cd /etc/dnscrypt-proxy
dnscrypt-proxy -resolve example.com
```
This should print something like the following:
```text
Resolving [example.com] using 127.0.0.1 port 53
Resolver : 185.117.118.20 (public.deepdns.net.)
Canonical name: example.com.
IPv4 addresses: 93.184.215.14
IPv6 addresses: 2606:2800:21f:cb07:6820:80da:af6b:8b2c
Name servers : a.iana-servers.net., b.iana-servers.net.
DNSSEC signed : yes
Mail servers : 1 mail servers found
HTTPS alias : -
HTTPS info : -
Host info : -
TXT records : v=spf1 -all, wgyf8z8cgvm2qmxpnbnldrcltvk4xqfn
```
### Install the service
If everything appears to be working fine, stop the proxy by hitting `Ctrl`+`C` and/or by closing the terminal window.
Now, it's time to configure it to start automatically at boot:
```sh
cd /etc/dnscrypt-proxy
sudo dnscrypt-proxy -service install
sudo dnscrypt-proxy -service start
```
Whenever you change the configuration, the service can be restarted with the following command:
```sh
sudo dnscrypt-proxy -service restart
```
Note that if you ever want to stop `dnscrypt-proxy` from running at boot (obviously, don't do it now as the next steps wouldn't work), type:
```sh
sudo dnscrypt-proxy -service stop
sudo dnscrypt-proxy -service uninstall
```
### Configure the systemd DNS to use dnscryt-proxy
Type:
```sh
sudo nano /etc/systemd/resolved.conf
```
Locate the `[Resolve]` section. There should be a line like the following:
```toml
#DNS=
```
Replace it with:
```toml
DNS=127.0.0.1
```
Save the file, and restart the systemd DNS cache:
```sh
sudo systemctl restart systemd-resolved
```
Done! Your system is now using `dnscrypt-proxy` to secure and anonymize your DNS traffic.
### If dnsmasq was/is also running
#### Option 1: remove dnsmasq
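Review bot: In the "Copy the example configuration files" step, `cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml` runs without `sudo` inside `/etc/dnscrypt-proxy`, right after a `sudo cp` into the same directory, so it will normally fail with a permission error; prefix it with `sudo`. The sentence after it tells the reader to overwrite the existing `dnscrypt-proxy.toml`, which discards any local changes, so a backup copy beforehand is worth adding. Two typos: "If should print" should be "It should print", and the heading "Configure the systemd DNS to use dnscryt-proxy" should read "dnscrypt-proxy".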
@ -101,7 +198,7 @@ managed=false
If you want to use dnsmasq, some configuration is needed:
- dnsmasq listens on `127.0.0.1:53`, so configure dnscrypt-proxy to use something different (e.g. `127.0.2.1:53`, see `listen_addresses` in `dnscrypt-proxy.toml`)
- configure dnsmasq to use dnscrypt-proxy if file not already configured:
- configure dnsmasq to use dnscrypt-proxy:
```sh
sudo tee /etc/dnsmasq.d/dnscrypt-proxy << EOF
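Review bot: The bullet "configure dnsmasq to use dnscrypt-proxy:" is followed by `sudo tee /etc/dnsmasq.d/dnscrypt-proxy << EOF`, which replaces that file if it already exists; without the "if file not already configured" wording the reader gets no hint of that, so say explicitly that the file is overwritten. The bullet above it asks for dnscrypt-proxy to listen on something other than `127.0.0.1:53` (e.g. `127.0.2.1:53`), while the steps added earlier in the page start the proxy on `127.0.0.1:53`. Add a pointer to this section before "Try to run the proxy manually", since the proxy cannot bind an address dnsmasq already holds.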
@ -111,88 +208,3 @@ no-resolv
proxy-dnssec
EOF
```
### Configure dnscrypt-proxy.toml
```sh
cd /etc/dnscrypt-proxy
sudo cp dnscrypt-proxy.toml dnscrypt-proxy.toml.original # non-idempotent
```
In `dnscrypt-proxy.toml`, replace `listen_addresses = ['127.0.0.1:53']` with `listen_addresses = []` (by default, after DNSCrypt-Proxy install, there shouldn't be any IP address in this option). For some reason, the package installs systemd sockets instead of standard sockets. (However, if User don't want to use such a method, systemd socket activation can be disabled (please check [Disable systemd socket activaction.](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/systemd#disable-systemd-socket-activation)).
Further configuration changes can be made later as needed, but in order to help with troubleshooting, keep the changes to a minimum for now.
### Configure resolv.conf
#### Using the command line
This is just one way to get the nameserver persistently added to `resolv.conf`.
Create a file `resolv.conf.override` as below. Match the permissions and owner. Here, 127.0.0.1 comes from `listen_addresses` in `dnscrypt-proxy.toml`.
```sh
$ cd /etc
$ ll resolv.conf.override
-rwxrwxr-x 1 root root 172 Jun 26 20:38 resolv.conf.override*
$ cat resolv.conf.override
nameserver 127.0.0.1
```
Create a script `20-resolv-conf-override` as below. Match the permissions and owner.
```sh
$ cd /etc/NetworkManager/dispatcher.d
$ ll 20-resolv-conf-override
-rwxr-xr-x 1 root root 101 Jun 26 20:45 20-resolv-conf-override*
$ cat 20-resolv-conf-override
#!/bin/sh
cp -f /etc/resolv.conf.override /run/resolvconf/resolv.conf
$ sudo ln -f 20-resolv-conf-override ./pre-up.d/
```
#### Using the network configuration applet
- Go to network configuration applet. Click `Wifi Icon` > Edit Connections > `Click on Wired Connection 1` (if you use wired) or the Wifi name that you currently used and click `Edit`.
- In the `Editing...` window, click IPv4 settings, choose `Automatic (DHCP) address only` on the method. Finally add `127.0.0.1` in the `DNS servers`
### Configure NetworkManager.conf
If NetworkManager overwrites `resolv.conf`, try configuring `NetworkManager.conf` to not modify `resolv.conf` with:
```
[main]
dns=none
```
### Start services
If the PPA installer was used, restart the services:
```sh
sudo systemctl restart NetworkManager
sudo systemctl restart dnscrypt-proxy
```
The older commands for the same are:
```sh
sudo service network-manager restart
sudo service dnscrypt-proxy restart
```
### The `dnscrypt-proxy.socket` file (e.g. to change the local port)
The package from the PPA uses unsupported systemd sockets to accept connections. In order to configure the local port, the `dnscrypt-proxy.socket` file needs to be edited instead of the standard `dnscrypt-proxy.toml` file:
```sh
sudo nano /lib/systemd/system/dnscrypt-proxy.socket
```
## Test
```sh
dnscrypt-proxy -resolve github.com -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
dig dnscrypt.info | grep SERVER # Must show matching nameserver, e.g. 127.0.0.1#53, in resolv.conf
ping -c1 google.com # Should show matching IP and ping successfully
sudo tcpdump -n dst port 443 # Should show specific resolver if it is not rotating
```