Create and enter a working directory
mkdir -p ~/dnscrypt-working-directory && cd ~/dnscrypt-working-directory
Become root
sudo -s
Install the appropriate tools
apt-get install -y automake libtool build-essential ca-certificates checkinstall
Download the latest libsodium version
# HTTPS protects the transfer only. Before building as root, check the tarball
# against the signature or checksum published by the libsodium project.
wget https://download.libsodium.org/libsodium/releases/libsodium-0.4.5.tar.gz
Download the latest dnscrypt version
# NOTE: plain HTTP - the tarball can be altered in transit. Verify it against a
# signature or checksum obtained over a trusted channel before it is built and
# installed as root in the steps below.
wget http://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.3.3.tar.bz2
Extract each downloaded file
tar xzf libsodium-*.tar.gz
tar xjf dnscrypt-proxy-*.tar.bz2
Enter the libsodium directory
cd libsodium-*/
Build and install libsodium
# Generate the configure script from the autotools sources.
./autogen.sh
./configure
make
# Run the library's test suite before anything is installed.
make check
# checkinstall wraps "make install" in a package, so the installed files can
# later be removed through the package manager.
checkinstall
# Refresh the dynamic linker cache so the newly installed library is found.
ldconfig
Enter the dnscrypt directory
cd ..
cd dnscrypt-proxy-*/
Build and install dnscrypt
# Generate the configure script from the autotools sources.
./autogen.sh
./configure
make
# checkinstall wraps "make install" in a package, so the installed files can
# later be removed through the package manager.
checkinstall
Create the dnscrypt user
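# Runtime directory; it doubles as the home directory of the service account.
mkdir -vp /var/run/dnscrypt
# Dedicated system account for the proxy (the init script passes it as
# --user=dnscrypt). It never needs an interactive session, so give it a
# non-login shell instead of the distribution default.
useradd -d /var/run/dnscrypt --system --shell /usr/sbin/nologin dnscrypt
chown dnscrypt /var/run/dnscrypt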
If using NetworkManager, edit each system connection
nano /etc/NetworkManager/system-connections/*
Ensure that the following exists in section [ipv4]
[ipv4]
dns=127.0.0.12;127.0.0.13;
ignore-auto-dns=true
If using dhclient, edit NetworkManager.conf
nano /etc/NetworkManager/NetworkManager.conf
Ensure that the following values exist:
[main]
dhcp=dhclient
[ifupdown]
managed=true
Edit dhclient.conf
nano /etc/dhcp/dhclient.conf
Add the following line:
prepend domain-name-servers 127.0.0.12, 127.0.0.13;
Create the dnscrypt init script
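- Replace the options under start) as desired to change providers. --resolver-address, --provider-name and --provider-key describe one resolver and must be changed together; the provider key is what the proxy uses to authenticate that resolver. See dnscrypt.org for details.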
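# Write the SysV init script. The quoted heredoc delimiter keeps "$1",
# "$local_fs" and the trailing backslashes literal in the generated file.
cat > /etc/init.d/dnscrypt-proxy <<'EOF'
#!/bin/sh
### BEGIN INIT INFO
# Provides: dnscrypt-proxy
# Required-Start: $local_fs $network
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: dnscrypt-proxy
# Description: dnscrypt-proxy secure DNS client
### END INIT INFO
PATH=/usr/sbin:/usr/bin:/sbin:/bin

case "$1" in
  start)
    echo "Starting dnscrypt-proxy"
    mkdir -p /run/dnscrypt
    # One proxy instance per local address. --provider-key pins the public key
    # of the resolver; change it together with --resolver-address and
    # --provider-name when switching providers.
    # Each instance gets its own pidfile: where /var/run is a symlink to /run,
    # the two original paths named the same file and the second instance
    # overwrote the pid of the first.
    /usr/local/sbin/dnscrypt-proxy \
      --daemonize \
      --user=dnscrypt \
      --local-address=127.0.0.12 \
      --resolver-address=176.56.237.171 \
      --provider-name=2.dnscrypt-cert.resolver1.dnscrypt.eu \
      --provider-key=67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66 \
      --pidfile=/run/dnscrypt/dnscrypt-proxy-1.pid
    /usr/local/sbin/dnscrypt-proxy \
      --daemonize \
      --user=dnscrypt \
      --local-address=127.0.0.13 \
      --resolver-address=77.66.84.233 \
      --provider-name=2.dnscrypt-cert.resolver2.dnscrypt.eu \
      --provider-key=3748:5585:E3B9:D088:FD25:AD36:B037:01F5:520C:D648:9E9A:DD52:1457:4955:9F0A:9955 \
      --pidfile=/run/dnscrypt/dnscrypt-proxy-2.pid
    ;;
  stop)
    echo "Stopping dnscrypt-proxy"
    # "pkill -f dnscrypt-proxy" also matches the command line of this script
    # (/etc/init.d/dnscrypt-proxy stop) and of any other process that mentions
    # the name. Match the exact process name owned by the service user instead.
    pkill -u dnscrypt -x dnscrypt-proxy
    ;;
  *)
    echo "Usage: /etc/init.d/dnscrypt-proxy {start|stop}"
    exit 1
    ;;
esac
exit 0
EOF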
Launch the dnscrypt-proxy daemon
chmod +x /etc/init.d/dnscrypt-proxy
update-rc.d dnscrypt-proxy defaults
/etc/init.d/dnscrypt-proxy start
Update the DNS servers in resolv.conf
- You may wish to create a backup before doing this.
# Point the system resolver at the two local dnscrypt-proxy listeners.
# This overwrites the existing file in one write.
printf 'nameserver %s\n' 127.0.0.12 127.0.0.13 > /etc/resolv.conf
Everything should be all set. Reboot at your earliest convenience and re-check resolv.conf to ensure that the new DNS servers persist -- dhclient and NetworkManager like to change them automatically.
At your leisure, remove the working directory created for building libsodium and dnscrypt:
sudo rm -rf ~/dnscrypt-working-directory/
Test that your DNS servers are the servers configured through dnscrypt at dnsleaktest.com
Test that your computer is indeed running DNS (port 53) on 127.0.0.12 and 127.0.0.13
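# Probe both local listeners. nc is run directly rather than inside $(...),
# which would try to execute whatever nc printed, and if/else replaces the
# "a && b || c" chain so exactly one message is printed per address.
# nc without -u checks TCP only; an actual lookup through each address
# (for example with dig) is a stronger check that queries are answered.
for addr in 127.0.0.12 127.0.0.13; do
  if nc -z -w1 "$addr" 53; then
    echo "DNS is running on $addr:53"
  else
    echo "DNS is NOT running on $addr:53"
  fi
done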