Install DNScrypt proxy (DoH)(oDoH)(Anonymized DNS)
dnscrypt-proxy is a flexible DNS proxy with support for modern encrypted DNS protocols such as DNSCrypt v2, DNS-over-HTTPS, Anonymized DNSCrypt and Oblivious DoH.
This guide uses the packages for ARM platforms. If you are on x86-64 (package currently named linux_x86_64-2.1.2.tar.gz) or another platform, download the matching package. Check your architecture with:
dpkg --print-architecture
Every release tarball comes with a matching .minisig file. If you have minisign installed, verify the download against the public key printed in the dnscrypt-proxy README before extracting it; a tarball that fails verification should not be unpacked into /opt.
For 32bit OS
Switch to opt directory:
cd /opt
Download package:
Go to https://github.com/DNSCrypt/dnscrypt-proxy/releases/, right-click on dnscrypt-proxy-linux_arm-x.x.x.tar.gz
and copy the link. In the terminal run "sudo wget <copied link>". For example:
sudo wget https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.1.1/dnscrypt-proxy-linux_arm-2.1.1.tar.gz
Extract (use ls to see the exact file name):
sudo tar -xvf dnscrypt-proxy-linux_arm-x.x.x.tar.gz
Go to the package directory and create dnscrypt-proxy configuration file:
cd linux-arm && sudo nano dnscrypt-proxy.toml
For 64bit OS
Switch to opt directory:
cd /opt
Download package:
Go to https://github.com/DNSCrypt/dnscrypt-proxy/releases/, right-click on dnscrypt-proxy-linux_arm64-x.x.x.tar.gz
and copy the link. In the terminal run "sudo wget <copied link>". For example:
sudo wget https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.1.1/dnscrypt-proxy-linux_arm64-2.1.1.tar.gz
Extract (use ls to see the exact file name):
sudo tar -xvf dnscrypt-proxy-linux_arm64-x.x.x.tar.gz
Go to the package directory and create dnscrypt-proxy configuration file:
cd linux-arm64 && sudo nano dnscrypt-proxy.toml
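The two download procedures above differ only in the architecture suffix, and neither checks the tarball before unpacking it as root into /opt. The script below is an added example (not part of this guide or of the dnscrypt-proxy project): it maps the output of dpkg --print-architecture to the release file name, fetches the tarball together with its .minisig, and only extracts after minisign accepts the signature. The release public key is not reproduced here; copy it from the dnscrypt-proxy README into the DNSCRYPT_MINISIGN_PUBKEY variable. The function and variable names are this example's own.

```sh
#!/bin/sh
# Added example: fetch and verify a dnscrypt-proxy release for this machine.
# Run as root (sudo) with DNSCRYPT_FETCH=1 to actually download into /opt.

# Map the Debian architecture name (dpkg --print-architecture) to the suffix
# used in dnscrypt-proxy release file names.
release_suffix() {
    case "$1" in
        armhf) echo linux_arm ;;
        arm64) echo linux_arm64 ;;
        amd64) echo linux_x86_64 ;;
        i386)  echo linux_i386 ;;
        *) echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# The tarball unpacks into a directory named like the suffix, with '_' as '-'
# (linux_arm64 -> linux-arm64), which is where dnscrypt-proxy.toml goes.
extract_dir() {
    printf '%s\n' "$1" | tr '_' '-'
}

# $1 = suffix, $2 = version, e.g. tarball_url linux_arm 2.1.1
tarball_url() {
    echo "https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/$2/dnscrypt-proxy-$1-$2.tar.gz"
}

# Download tarball + detached signature into /opt, verify, then extract.
# Needs: wget, minisign, and DNSCRYPT_MINISIGN_PUBKEY set to the key from the
# dnscrypt-proxy README (deliberately not hard-coded in this example).
fetch_and_verify() {
    suffix=$(release_suffix "$1") || return 1
    url=$(tarball_url "$suffix" "$2")
    file=${url##*/}
    cd /opt || return 1
    wget -q "$url" "$url.minisig" || return 1
    # -V verify, -m file to check, -P public key string; non-zero exit on a bad signature
    if ! minisign -Vm "$file" -P "${DNSCRYPT_MINISIGN_PUBKEY:?set to the key from the README}"; then
        echo "signature check FAILED, not extracting $file" >&2
        return 1
    fi
    tar -xf "$file"
    echo "extracted to /opt/$(extract_dir "$suffix")"
}

# Only touch the network and /opt when explicitly asked.
if [ "${DNSCRYPT_FETCH:-0}" = 1 ]; then
    fetch_and_verify "$(dpkg --print-architecture)" "${DNSCRYPT_VERSION:-2.1.1}"
fi
```

Usage on a Raspberry Pi: sudo DNSCRYPT_FETCH=1 DNSCRYPT_MINISIGN_PUBKEY='<key from README>' sh fetch-dnscrypt.sh. The version defaults to the 2.1.1 used in the examples above; set DNSCRYPT_VERSION to pick a newer release.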
When using dnscrypt-proxy together with Unbound, run dnscrypt-proxy as a plain forwarder behind Unbound's cache and turn its own cache off (cache = false in the file below). Two caches in series only duplicate work and memory.
For Unbound to forward to it, dnscrypt-proxy must listen on a port other than the default 53: Unbound keeps port 53 for clients and sends its upstream queries to dnscrypt-proxy on the other port.
For example:
listen_addresses = ['127.0.0.1:5353', '[::1]:5353']
(ports 5335, 6053 or 53000 also work if 5353 is already taken)
- DNS-over-HTTPS [Cloudflare server] (connections to this specific server cannot be anonymized)
- DNSCrypt server [dnscrypt.ca-1] + Anonymized DNS relay (Anonymized DNS only works with servers that speak the DNSCrypt protocol, and not every DNSCrypt server supports it)
- DNSCrypt + Cloudflare DoH + Anonymized DNS (using more than one server; only the DNSCrypt server's queries go through a relay)
- Oblivious DNS-over-HTTPS [oDoH Cloudflare server] (anonymized by default)
- Oblivious DNS-over-HTTPS [Parental control] - servers filtering some websites not suitable for children. Use in coordination with cloaking rules in order to also sanitize search results: Discussions#30
These examples use one or two servers and relays; you can add more servers and extra features.
For more info: DNScrypt wiki
Copy and paste the following settings into the dnscrypt-proxy.toml file. As written it uses DoH to Cloudflare only; read the comments in the file and edit to suit:
```toml
### More info about dnscrypt-proxy configuration settings
## go to: https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml

### List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
### Example with both IPv4 and IPv6:
## listen_addresses = ['127.0.0.1:53', '[::1]:53']
## To listen to all IPv4 addresses, use `listen_addresses = ['0.0.0.0:53']`
## To listen to all IPv4+IPv6 addresses, use `listen_addresses = ['[::]:53']`
### Unbound owns port 53 in this guide, so dnscrypt-proxy listens on 5353, loopback only
listen_addresses = ['127.0.0.1:5353', '[::1]:5353']

### Use servers reachable over IPv6 -- set to false if you don't have IPv6 connectivity
### (and drop 'cloudflare-ipv6' from server_names as well)
ipv6_servers = true
block_ipv6 = false

### Enable a DNS cache to reduce latency and outgoing traffic (keep false when Unbound caches in front of the proxy)
cache = false

### Use servers implementing the specific protocol.
### These toggles must match server_names: 'cloudflare' is a DoH server, 'odoh-cloudflare' an oDoH server,
### and 'dnscrypt.ca-1' speaks the DNSCrypt protocol, so it needs dnscrypt_servers = true.
dnscrypt_servers = false
odoh_servers = false
doh_servers = true

### You can choose other servers from the public resolver list, whichever are fastest for you
## go to: https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
## or for an easier readable & searchable server database: https://theummahentrepreneur.notion.site/DNScrypt-DOH-servers-75553dc433194fd1a4e641f4918611ab
### Anonymized DNS only works with DNSCrypt servers, not DoH ones; dnscrypt.ca-1 is used as an example that supports it.
### For oDoH, REMOVE 'cloudflare' + 'cloudflare-ipv6', ADD 'odoh-cloudflare' and set odoh_servers = true
### For Anonymized DNSCrypt, REMOVE 'cloudflare' + 'cloudflare-ipv6', ADD 'dnscrypt.ca-1' and set dnscrypt_servers = true
### For Anonymized DNSCrypt alongside Cloudflare DoH, only ADD 'dnscrypt.ca-1' to server_names (and set dnscrypt_servers = true);
### queries that the load balancer sends to Cloudflare still go out without a relay
server_names = ['cloudflare', 'cloudflare-ipv6']
### Example of Quad9 DoH servers together with Quad9 DNSCrypt servers for anonymized routes:
#server_names = ['quad9-doh-ip4-port5053-filter-ecs-pri', 'quad9-doh-ip6-port5053-filter-ecs-pri', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip6-filter-pri']

### Servers ###
### For more sources and resolver lists: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/DNS-server-sources
[sources]
[sources.'public-resolvers']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 72
prefix = ''

### Anonymized DNS relays ###
[sources.'relays']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md']
cache_file = '/var/cache/dnscrypt-proxy/relays.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 72
prefix = ''

### An oDoH server and its relays are already set here. For more servers and relays
## go to: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Oblivious-DoH
### For an Anonymized DNSCrypt route, replace 'odoh-cloudflare' with 'dnscrypt.ca-1' and list DNSCrypt relays in via.
### via = ['*'] picks random relays from the relays source (you may get a slow one);
## or choose the relays that are fastest for you: https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/relays.md
### A route only takes effect for a server that is also listed in server_names.
[anonymized_dns]
routes = [
    { server_name='odoh-cloudflare', via=['odohrelay-koki-ams', 'odohrelay-crypto-sx'] }
]

### ODoH (Oblivious DoH) servers and relays ###
[sources.'odoh-servers']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md']
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
cache_file = '/var/cache/dnscrypt-proxy/odoh-servers.md'
refresh_delay = 72
prefix = ''

[sources.'odoh-relays']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md']
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
cache_file = '/var/cache/dnscrypt-proxy/odoh-relays.md'
refresh_delay = 72
prefix = ''

### Query logging writes every domain name this machine looks up to disk.
### Keep these two sections only while debugging; comment them out afterwards.
[query_log]
file = '/var/log/dnscrypt-proxy/query.log'
[nx_log]
file = '/var/log/dnscrypt-proxy/nx.log'
```
Save the file after editing (Ctrl+X, then Y, then Enter).
Create the dnscrypt-proxy folder in the cache directory if it is not already there:
sudo mkdir -p /var/cache/dnscrypt-proxy
Check the configuration, then run the proxy in the foreground to watch it start (Ctrl+C to stop):
sudo ./dnscrypt-proxy -check
sudo ./dnscrypt-proxy
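Before the foreground test run it is worth checking that the edited file still satisfies the forwarder conditions described above: no listener on port 53, cache off because Unbound caches, and protocol toggles consistent with the servers that anonymized_dns routes refer to. The script below is an added example, not part of this guide or of dnscrypt-proxy; it uses only grep and sed so it runs on a bare Raspberry Pi OS. The two sample configuration files it creates are constructed for the demonstration and mirror the shape of the file above.

```sh
#!/bin/sh
# Added example: lint a dnscrypt-proxy.toml for the settings this guide
# requires when dnscrypt-proxy runs as a forwarder behind Unbound.

# Print the value of a top-level key: first match, comment stripped.
# (Good enough for the simple key = value lines used in this guide.)
toml_value() {
    grep -E "^[[:space:]]*$1[[:space:]]*=" "$2" | head -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*#.*$//'
}

# Audit one file. Prints a line per finding; returns the number of findings (0 = clean).
lint_forwarder_config() {
    cfg=$1
    issues=0

    # 1. Unbound owns port 53, so dnscrypt-proxy must listen on another port.
    listen=$(toml_value listen_addresses "$cfg")
    if printf '%s\n' "$listen" | grep -Eq ":53'"; then
        echo "listen_addresses uses port 53, which Unbound already binds: $listen"
        issues=$((issues + 1))
    fi

    # 2. Two caches in series: the proxy's cache must be off behind Unbound.
    if [ "$(toml_value cache "$cfg")" = "true" ]; then
        echo "cache = true while Unbound is already caching"
        issues=$((issues + 1))
    fi

    # 3. Every anonymized_dns route must name a server that is actually enabled:
    #    it has to be in server_names, and an odoh-* server needs odoh_servers = true.
    servers=$(toml_value server_names "$cfg")
    for s in $(grep -Eo "server_name[[:space:]]*=[[:space:]]*'[^']+'" "$cfg" | sed "s/.*'\(.*\)'/\1/"); do
        case "$servers" in
            *"'$s'"*) ;;
            *) echo "route for '$s' does nothing: server not in server_names"; issues=$((issues + 1)) ;;
        esac
        case "$s" in
            odoh-*)
                if [ "$(toml_value odoh_servers "$cfg")" != "true" ]; then
                    echo "'$s' is an oDoH server but odoh_servers is not true"
                    issues=$((issues + 1))
                fi ;;
        esac
    done
    return "$issues"
}

# Constructed samples (not real files from the guide).
GOOD=$(mktemp); BAD=$(mktemp)
cat >"$GOOD" <<'EOF'
listen_addresses = ['127.0.0.1:5353', '[::1]:5353']
cache = false
dnscrypt_servers = false
odoh_servers = true
doh_servers = true
server_names = ['odoh-cloudflare']
[anonymized_dns]
routes = [
    { server_name='odoh-cloudflare', via=['odohrelay-koki-ams', 'odohrelay-crypto-sx'] }
]
EOF
cat >"$BAD" <<'EOF'
listen_addresses = ['127.0.0.1:53', '[::1]:53']
cache = true
dnscrypt_servers = false
odoh_servers = false
doh_servers = true
server_names = ['cloudflare', 'cloudflare-ipv6']
[anonymized_dns]
routes = [
    { server_name='odoh-cloudflare', via=['odohrelay-koki-ams', 'odohrelay-crypto-sx'] }
]
EOF

for f in "$GOOD" "$BAD"; do
    echo "== $f"
    lint_forwarder_config "$f" && echo "ok: forwarder settings consistent" || echo "$? problem(s) found"
done
```

To check the real file, run lint_forwarder_config /opt/linux-arm64/dnscrypt-proxy.toml (or the linux-arm directory on 32-bit). The third check is the one that bites with the file above as shipped: the odoh-cloudflare route is pre-staged while odoh_servers is false and the server is not in server_names, so it is inert until you switch to oDoH as the comments describe.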
FIX:
If the port you are using is reported as already in use (for example, on the current Raspberry Pi OS avahi-daemon is installed and uses UDP port 5353 for mDNS by default), find out what is holding it:
sudo netstat -anp | grep 5353
or, where net-tools is not installed:
sudo ss -lnup | grep 5353
or
sudo lsof -i :5353
Then either pick another port (such as 5335) in listen_addresses and in the Unbound forward-addr lines, or stop and disable the service that holds it:
sudo systemctl stop avahi-daemon && sudo systemctl disable avahi-daemon
or remove it entirely:
sudo apt-get remove avahi-daemon
Install and start the DNScrypt proxy as a system service:
sudo ./dnscrypt-proxy -service install && sudo ./dnscrypt-proxy -service start && cd
Reboot if necessary
Check the service status:
sudo systemctl status dnscrypt-proxy.service
and confirm the proxy answers on its port (dig is in the dnsutils package):
dig @127.0.0.1 -p 5353 example.com
Example for oDoH(Oblivious DoH):
If not done already, download the Unbound configuration file with DNS-over-TLS settings and move it to the Unbound folder.
sudo wget https://raw.githubusercontent.com/trinib/AdGuard-WireGuard-Unbound-Cloudflare/main/unbound.conf && sudo mv unbound.conf /etc/unbound/unbound.conf.d/
Point Unbound's upstream at the dnscrypt-proxy address. Open the file with
sudo nano /etc/unbound/unbound.conf.d/unbound.conf
and uncomment the two dnscrypt-proxy lines (remove the # in front of them):
#forward-addr: 127.0.0.1@5353
#forward-addr: ::1@5353
Or do it from the command line:
sudo awk '{sub(/[#]forward-addr: 127.0.0.1@5353/,"forward-addr: 127.0.0.1@5353") || sub(/[#]forward-addr: ::1@5353/,"forward-addr: ::1@5353")}1' /etc/unbound/unbound.conf.d/unbound.conf > unbound.conf && sudo mv unbound.conf /etc/unbound/unbound.conf.d/
Validate the configuration and restart Unbound:
sudo unbound-checkconf && sudo systemctl restart unbound
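The awk one-liner above rewrites the whole file through a temporary copy and has no check that it changed exactly the two intended lines. As an added example (not part of this guide or of Unbound), the script below does the same edit in place for any chosen dnscrypt-proxy port, is safe to run twice, counts the active forward-addr lines afterwards, and only restarts Unbound if unbound-checkconf accepts the result. The sample configuration it edits is constructed for the demonstration and is not the guide's unbound.conf; function names are this example's own. It relies on GNU sed (-i -E), which Raspberry Pi OS ships.

```sh
#!/bin/sh
# Added example: enable Unbound -> dnscrypt-proxy forwarding in a checkable way.

# $1 = unbound config file, $2 = dnscrypt-proxy port (default 5353)
# Removes the leading '#' only from the two loopback forward-addr lines for
# that port; every other line, including other commented forward-addr lines,
# is left untouched. Re-running it is a no-op.
enable_dnscrypt_forward() {
    conf=$1; port=${2:-5353}
    sed -i -E "s/^([[:space:]]*)#[[:space:]]*(forward-addr:[[:space:]]*(127\.0\.0\.1|::1)@$port)([^0-9]|$)/\1\2\4/" "$conf"
}

# Count the active (uncommented) loopback forward-addr lines for a port.
active_forwards() {
    grep -cE "^[[:space:]]*forward-addr:[[:space:]]*(127\.0\.0\.1|::1)@${2:-5353}([^0-9]|$)" "$1" || true
}

# Edit the real file, then validate before restarting (run as root).
apply_live() {
    f=/etc/unbound/unbound.conf.d/unbound.conf
    enable_dnscrypt_forward "$f" "${1:-5353}"
    if [ "$(active_forwards "$f" "${1:-5353}")" -ne 2 ]; then
        echo "expected exactly two forward-addr lines for port ${1:-5353} in $f" >&2
        return 1
    fi
    unbound-checkconf && systemctl restart unbound
}

# Constructed sample in the shape of a forward-zone block (not the guide's file).
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
forward-zone:
    name: "."
    #forward-addr: 9.9.9.9@53
    #forward-addr: 127.0.0.1@5353
    #forward-addr: ::1@5353
EOF

enable_dnscrypt_forward "$SAMPLE"
enable_dnscrypt_forward "$SAMPLE"   # second run changes nothing
echo "active dnscrypt-proxy forwards: $(active_forwards "$SAMPLE")"
cat "$SAMPLE"
```

On the live system call apply_live, or apply_live 5335 if you moved dnscrypt-proxy off 5353 because of avahi-daemon; the port argument keeps the Unbound side and the listen_addresses setting in step.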
DONE !
Warning
dnscrypt-proxy and Stubby cannot be used together when both are set up as forwarders, or redundant caching will occur.
Tip
dnscrypt-proxy comes with a load balancing algorithm. It sends consecutive DNS queries to different servers, randomly chosen from a set of configurable size taken from the top of the list sorted fastest to slowest.
Pick one value for the "lb_strategy" parameter and add it to dnscrypt-proxy.toml:
Always pick the fastest server in the list:
lb_strategy = 'first'
Randomly choose between the top 2 fastest servers (the default):
lb_strategy = 'p2'
Randomly choose between the fastest half of all servers:
lb_strategy = 'ph'
Pick any random server from the list:
lb_strategy = 'random'
Note
If you enable logging, the dnscrypt-proxy log shows the measured response times of all your servers when the proxy starts, which is the easiest way to see which ones the load balancer will prefer.