@valyakuttan
Last active March 1, 2023 12:45

Setting up dnscrypt-proxy on Fedora 38

Installation

  1. Install dnscrypt-proxy

         $ sudo dnf install dnscrypt-proxy

Configuration

  1. Edit /etc/dnscrypt-proxy/dnscrypt-proxy.toml so that it contains the following settings

         listen_addresses = ['127.0.0.1:53', '[::1]:53']
         
         ipv6_servers = true
         
         doh_servers = false
         
         odoh_servers = true
         
         require_dnssec = true
         
         # uncomment [sources.'odoh-servers'] and [sources.'odoh-relays'] in [sources] section
         
         # add routes to [anonymized_dns] section for odoh servers, similar to the one given below
         
         routes = [
             { server_name='odoh-koki-ams', via=['odohrelay-crypto-sx', 'odohrelay-surf'] },
             { server_name='odoh-cloudflare', via=['odohrelay-crypto-sx', 'odohrelay-surf',
                           'odohrelay-ibksturm', 'odohrelay-koki-se', 'odohrelay-koki-ams'] },
             { server_name='odoh-crypto-sx', via=['odohrelay-surf', 'odohrelay-ibksturm',
                           'odohrelay-koki-se', 'odohrelay-koki-ams'] },
             { server_name='odoh-ibksturm', via=['odohrelay-crypto-sx', 'odohrelay-surf',
                           'odohrelay-koki-se', 'odohrelay-koki-ams'] },
             { server_name='odoh-koki-se', via=['odohrelay-crypto-sx', 'odohrelay-surf', 'odohrelay-ibksturm'] },
             { server_name='odoh-jp.tiar.app', via=['odohrelay-crypto-sx', 'odohrelay-surf', 'odohrelay-ibksturm',
                           'odohrelay-koki-se', 'odohrelay-koki-ams'] }
         ]
  2. Check whether any services are bound to port 53. To see the list of processes using port 53, run

         ss -lp 'sport = :domain'
  3. Disable those services. Most probably systemd-resolved.service is the one that needs to be disabled

         $ sudo systemctl disable --now systemd-resolved.service
  4. Edit /etc/resolv.conf. If /etc/resolv.conf is a symbolic link, remove it and create a regular file with the following contents

         nameserver ::1
         nameserver 127.0.0.1
         options edns0 single-request-reopen trust-ad
  5. To prevent programs from overwriting /etc/resolv.conf, set the immutable file attribute

         $ sudo chattr +i /etc/resolv.conf

Enable and start the systemd and NetworkManager services

  1. Enable the dnscrypt-proxy systemd service

         sudo systemctl enable --now dnscrypt-proxy.service
  2. Restart the NetworkManager service

         sudo systemctl restart NetworkManager.service
  3. Check the system log

         journalctl -u dnscrypt-proxy.service
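
An added check for steps 4 and 5 of the configuration above (not part of the original gist): the function verifies that a resolv.conf is a regular file, lists only the loopback addresses dnscrypt-proxy listens on, and keeps `trust-ad`. The name `check_resolv_conf` and the FAIL/WARN output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check_resolv_conf is a hypothetical helper, not part of dnscrypt-proxy.
# Usage: check_resolv_conf /etc/resolv.conf
check_resolv_conf() {
    file="${1:-/etc/resolv.conf}"
    rc=0; ns_count=0; has_trust_ad=0

    # Step 4: a symlink means another service (e.g. systemd-resolved) still owns the file.
    if [ -L "$file" ]; then
        echo "FAIL: $file is a symbolic link to $(readlink "$file")"
        return 1
    fi
    if [ ! -f "$file" ]; then
        echo "FAIL: $file is missing or not a regular file"
        return 1
    fi

    # Every nameserver must be one of the loopback listen_addresses of the proxy.
    while read -r key value rest || [ -n "$key" ]; do
        case "$key" in
            nameserver)
                ns_count=$((ns_count + 1))
                case "$value" in
                    127.0.0.1|::1) ;;
                    *) echo "FAIL: nameserver $value bypasses dnscrypt-proxy"; rc=1 ;;
                esac ;;
            options)
                case " $value $rest " in
                    *" trust-ad "*) has_trust_ad=1 ;;
                esac ;;
        esac
    done < "$file"

    if [ "$ns_count" -eq 0 ]; then
        echo "FAIL: no nameserver lines in $file"; rc=1
    fi
    # Without trust-ad, glibc strips the DNSSEC AD bit before applications see it.
    if [ "$has_trust_ad" -eq 0 ]; then
        echo "WARN: 'options trust-ad' is not set"
    fi
    # Step 5: the immutable flag shows up as 'i' in the lsattr attribute field.
    case "$(lsattr -d "$file" 2>/dev/null | cut -d' ' -f1)" in
        *i*) ;;
        *) echo "WARN: immutable attribute not set (or not readable) on $file" ;;
    esac
    return "$rc"
}
```

Run it again after restarting NetworkManager; a FAIL line means queries can leave the host without going through the proxy.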