@valyakuttan
Last active April 13, 2024 11:26
Configure dnscrypt-proxy as a podman container in Fedora Silverblue

Download dnscrypt-proxy and dnscrypt-proxy.toml

  • Pull the dnscrypt-proxy container image from Docker Hub

    $ sudo podman pull docker.io/klutchell/dnscrypt-proxy

  • Download dnscrypt-proxy.toml from the GitHub repo

    $ sudo mkdir /etc/dnscrypt-proxy
    $ sudo bash -c \
        'curl https://raw.githubusercontent.com/klutchell/dnscrypt-proxy-docker/main/dnscrypt-proxy.toml -o /etc/dnscrypt-proxy/dnscrypt-proxy.toml'

  • Edit /etc/dnscrypt-proxy/dnscrypt-proxy.toml so that it contains the following settings

    doh_servers = false
    odoh_servers = true
    require_dnssec = true

    # comment out [sources.public-resolvers]
    # comment out [sources.relays]
    # uncomment [sources.'odoh-servers'] and [sources.'odoh-relays'] in the [sources] section

    # add routes for the ODoH servers to the [anonymized_dns] section, similar to the ones given below
    routes = [
      #  { server_name='odoh-cloudflare', via=[ 'odohrelay-ams', 'odohrelay-crypto-sx',
      #        'odohrelay-se', 'odohrelay-ibksturm' ] },
      { server_name='odoh-crypto-sx', via=[ 'odohrelay-ams',  'odohrelay-se',
        'odohrelay-ibksturm' ] },
      { server_name='odoh-ibksturm', via=[ 'odohrelay-ams', 'odohrelay-crypto-sx',
        'odohrelay-se' ] },
      { server_name='odoh-id-gmail', via=[ 'odohrelay-ams', 'odohrelay-crypto-sx',
        'odohrelay-se', 'odohrelay-ibksturm' ] },
      { server_name='odoh-jp.tiar.app', via=[ 'odohrelay-ams', 'odohrelay-crypto-sx',
        'odohrelay-se', 'odohrelay-ibksturm' ] },
      { server_name='odoh-jp.tiarap.org', via=[ 'odohrelay-ams', 'odohrelay-crypto-sx',
        'odohrelay-se', 'odohrelay-ibksturm' ] },
      { server_name='odoh-koki-ams', via=[ 'odohrelay-ams', 'odohrelay-crypto-sx',
        'odohrelay-se', 'odohrelay-ibksturm' ] },
      { server_name='odoh-koki-noads-ams', via=[ 'odohrelay-ams', 'odohrelay-crypto-sx',
        'odohrelay-se', 'odohrelay-ibksturm' ] },
      { server_name='odoh-koki-noads-se', via=[ 'odohrelay-ams', 'odohrelay-crypto-sx',
        'odohrelay-se', 'odohrelay-ibksturm' ] },
      { server_name='odoh-koki-se', via=[ 'odohrelay-ams', 'odohrelay-crypto-sx',
        'odohrelay-se', 'odohrelay-ibksturm' ] },
      { server_name='odoh-marco.cx', via=[ 'odohrelay-ams', 'odohrelay-crypto-sx',
        'odohrelay-se', 'odohrelay-ibksturm' ] },
      { server_name='odoh-tiarap.org', via=[ 'odohrelay-ams', 'odohrelay-crypto-sx',
        'odohrelay-se', 'odohrelay-ibksturm' ] }
    ]


NetworkManager configuration

  • Disable the systemd-resolved service

    $ sudo systemctl disable --now systemd-resolved.service

  • Edit /etc/resolv.conf. If resolv.conf is a symbolic link, remove it first and create a regular file with this content

    nameserver 127.0.0.1
    options edns0 single-request-reopen trust-ad

  • Create /etc/NetworkManager/conf.d/90-dns-none.conf so that NetworkManager does not rewrite resolv.conf

    [main]
    dns=none


dnscrypt-proxy container configuration

  • Create the /etc/containers/systemd/dnscrypt-proxy.container unit file

    [Unit]
    Description=Podman container-dnscrypt-proxy.service
    Documentation=man:podman-generate-systemd(1)
    Wants=network-online.target
    After=network-online.target

    [Container]
    ContainerName=dnscrypt-proxy
    Image=docker.io/klutchell/dnscrypt-proxy
    AutoUpdate=registry
    PublishPort=53:5053/tcp
    PublishPort=53:5053/udp
    Volume=/etc/dnscrypt-proxy:/config:z

    [Install]
    # Start by default on boot
    WantedBy=default.target


Start dnscrypt-proxy service

  • Inform systemd about the new unit file and start the service

    $ sudo systemctl daemon-reload
    $ sudo systemctl start dnscrypt-proxy.service

  • Reload the NetworkManager service

    $ sudo systemctl reload NetworkManager

  • Check the dnscrypt-proxy configuration

    $ systemctl status dnscrypt-proxy.service
    # displays the status of the service

    $ sudo podman ps
    # displays the currently running podman containers

    $ ss -nlt
    # should have a line containing 0.0.0.0:53

    $ dig fedoraproject.org
    # should have a line containing 127.0.0.1#53
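A pre-flight check for the two files edited above, added here as an example that is not part of the gist: it verifies that dnscrypt-proxy.toml carries the ODoH-only, DNSSEC-required settings and that resolv.conf points only at 127.0.0.1 with trust-ad. Paths default to the ones used in the gist; both functions take a file path argument so a copy can be checked first.

```shell
#!/bin/sh
# Added example, not from the gist: sanity checks for the files edited above.
# Defaults to the gist's paths; both functions accept a file path argument
# so the checks can be run against a copy before touching the live files.

# 0 when KEY is set to VALUE on an uncommented line of FILE.
toml_has() {  # FILE KEY VALUE
  grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*(#.*)?$" "$1"
}

# 0 when the section header [SECTION] is present and not commented out.
# SECTION is an extended regex, e.g. "sources\.relays".
section_active() {  # FILE SECTION
  grep -Eq "^[[:space:]]*\[$2\]" "$1"
}

# Verify the dnscrypt-proxy.toml hardening from the gist: ODoH only,
# DNSSEC required, public-resolvers/relays sources disabled, ODoH sources on.
# Accepts both the quoted [sources.'odoh-servers'] and unquoted spellings.
check_toml() {
  f=${1:-/etc/dnscrypt-proxy/dnscrypt-proxy.toml}; rc=0
  toml_has "$f" doh_servers false   || { echo "doh_servers must be false"; rc=1; }
  toml_has "$f" odoh_servers true   || { echo "odoh_servers must be true"; rc=1; }
  toml_has "$f" require_dnssec true || { echo "require_dnssec must be true"; rc=1; }
  for s in "sources\.public-resolvers" "sources\.relays"; do
    section_active "$f" "$s" && { echo "[$s] should be commented out"; rc=1; }
  done
  for s in "sources\.'?odoh-servers'?" "sources\.'?odoh-relays'?"; do
    section_active "$f" "$s" || { echo "[$s] should be uncommented"; rc=1; }
  done
  return $rc
}

# Verify /etc/resolv.conf: a real file, 127.0.0.1 as the only nameserver,
# and trust-ad so the stub resolver keeps the AD bit from the local proxy.
check_resolv() {
  f=${1:-/etc/resolv.conf}; rc=0
  [ -L "$f" ] && { echo "$f is still a symlink; remove it"; rc=1; }
  ns='^nameserver[[:space:]]+127\.0\.0\.1[[:space:]]*$'
  grep -Eq "$ns" "$f" || { echo "nameserver 127.0.0.1 missing"; rc=1; }
  grep -Ev "$ns" "$f" | grep -Eq '^nameserver' && { echo "extra nameserver found"; rc=1; }
  grep -Eq '^options.*[[:space:]]trust-ad([[:space:]]|$)' "$f" \
    || { echo "options trust-ad missing"; rc=1; }
  return $rc
}

# Run against the live files:  sh dns-check.sh run
[ "${1-}" = run ] && { check_toml; check_resolv; }
```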
    
@valyakuttan (Author)

Change selinux labeling options from Z to z, so that the bind mount content is shared among multiple containers.
