So I finally got dnscrypt-proxy working... sort of.
If I reboot, then in Terminal, I issue:
sudo dnscrypt-proxy status
... it says it cannot load the dnscrypt-proxy.toml configuration file, saying it's a FATAL error. Of course, DNS resolution doesn't work then.
But if I do:
sudo dnscrypt-proxy -c /etc/dnscrypt-proxy/dnscrypt-proxy.toml
... it starts up just fine, and DNS resolution works.
So how do I edit the command to automatically start it at boot so it properly loads the .toml configuration file?
And secondly... systemd-resolved.service is still running... if I disable and stop it, all DNS resolution stops working, but if it's enabled, the browser goes through DNScrypt (listening on 127.0.0.2), whereas doing:
dig txt debug.opendns.com
... in Terminal goes through systemd-resolved.service (listening on 127.0.0.53).
How do I get the entire system switched over to use DNScrypt?
You should be able to provide a manual DNS preference for the network interface. Set this to your DNS proxy.
As for the startup script, are you using a bash script or loading the command through startup apps? If you can type the -c command and get the proxy running, just add that command to the startup list (including the specification of where the .toml lives). That should enable it at session start.
It's starting up as a system service during the boot process, but it fails.
sudo systemctl status dnscrypt-proxy
● dnscrypt-proxy.service - DNSCrypt client proxy
Loaded: loaded (/etc/systemd/system/dnscrypt-proxy.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2022-12-13 22:57:43 CST; 1h 7min ago
TriggeredBy: ● dnscrypt-proxy.socket
Docs: https://github.com/DNSCrypt/dnscrypt-proxy/wiki
Main PID: 5317 (code=exited, status=255/EXCEPTION)
I can start it manually after boot, but that's obviously not ideal, as I have to leave a Terminal window open to keep it running. Something's not right with how it's configured to start during boot, and I suspect it's not loading the .toml file, given that's the error I get when checking dnscrypt-proxy's status.
When attempting to manually restart the service, it tries to start, then fails after it can't bind to 127.0.0.2:53. Nothing else is using that port.
sudo systemctl status dnscrypt-proxy.service
● dnscrypt-proxy.service - DNSCrypt client proxy
Loaded: loaded (/etc/systemd/system/dnscrypt-proxy.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2022-12-14 00:23:14 CST; 6s ago
TriggeredBy: ● dnscrypt-proxy.socket
Docs: https://github.com/DNSCrypt/dnscrypt-proxy/wiki
Process: 101109 ExecStart=/usr/sbin/dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml (code=exited, status=255/EXCEPTION)
Main PID: 101109 (code=exited, status=255/EXCEPTION)
Dec 14 00:23:13 HP-Laptop systemd[1]: Started DNSCrypt client proxy.
Dec 14 00:23:14 HP-Laptop dnscrypt-proxy[101109]: [2022-12-14 00:23:14] [NOTICE] dnscrypt-proxy 2.0.31
Dec 14 00:23:14 HP-Laptop dnscrypt-proxy[101109]: [2022-12-14 00:23:14] [NOTICE] Network connectivity detected
Dec 14 00:23:14 HP-Laptop dnscrypt-proxy[101109]: [2022-12-14 00:23:14] [NOTICE] Source [public-resolvers.md] loaded
Dec 14 00:23:14 HP-Laptop dnscrypt-proxy[101109]: [2022-12-14 00:23:14] [NOTICE] Source [relays.md] loaded
Dec 14 00:23:14 HP-Laptop dnscrypt-proxy[101109]: [2022-12-14 00:23:14] [NOTICE] Firefox workaround initialized
Dec 14 00:23:14 HP-Laptop dnscrypt-proxy[101109]: [2022-12-14 00:23:14] [FATAL] listen udp 127.0.0.2:53: bind: permission denied
Dec 14 00:23:14 HP-Laptop systemd[1]: dnscrypt-proxy.service: Main process exited, code=exited, status=255/EXCEPTION
Dec 14 00:23:14 HP-Laptop systemd[1]: dnscrypt-proxy.service: Failed with result 'exit-code'.
But I can start it manually:
sudo dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
... and it starts up and runs just fine.
I noticed that I was using dnscrypt-proxy 2.0.31, which I'd downloaded and installed via:
sudo apt install dnscrypt-proxy
I upgraded to 2.1.2 by downloading the latest from the developer's website, shutting down dnscrypt, extracting the .tar.gz file, then copying over the .bin file, the dnscrypt-proxy.toml configuration file and the dnscrypt-proxy-example.toml example file. I then edited the example file, then saved it as the configuration file.
I get the same behavior... when starting up during boot or restarting the service after boot, it fails after it cannot bind to 127.0.0.2:53 despite nothing else using that port when dnscrypt is shut down:
ss -lp 'sport = :domain'
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.53%lo:domain 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:domain 0.0.0.0:*
But it'll start up manually just fine via:
sudo dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
... and it shows it's binding to that port:
ss -lp 'sport = :domain'
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.2:domain 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:domain 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.2:domain 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:domain 0.0.0.0:*
There's obviously something wrong with how the system is starting that service, which is why I need to figure out how to edit those settings.
Ok! Another step closer to fruition.
It was DNSStubListener in /run/systemd/resolve/stub-resolv.conf which was causing part of the problem.
sudoedit /run/systemd/resolve/stub-resolv.conf
Change:
nameserver 127.0.0.53
to:
nameserver 127.0.0.2
sudoedit /run/NetworkManager/resolv.conf
Change:
nameserver 127.0.0.53
to:
nameserver 127.0.0.2
sudoedit /etc/systemd/system/dnscrypt-proxy.service
Change:
After=network.target
to:
After=network.target iptables.service firewalld.service
sudoedit /etc/systemd/resolved.conf
Change:
#DNSStubListener=yes
to:
DNSStubListener=no
sudo systemctl stop systemd-resolved.service
sudo systemctl disable systemd-resolved.service
So now, I've got systemd-resolved.service disabled and DNS resolution is still working.
But I've still got dnscrypt-proxy running manually from Terminal.
I'm going to reboot to see if it'll now start up properly on its own.
Wish me luck.
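A diagnostic script added here as an example; it is not part of this thread and not the dnscrypt-proxy project's own tooling. It checks the three things the posts above show but do not tie together: the service is `TriggeredBy: dnscrypt-proxy.socket`, it dies under systemd with `bind: permission denied` on 127.0.0.2:53 while a manual start as root works, and resolv.conf keeps coming back with `nameserver 127.0.0.53`. The causes it tests for are assumptions, not facts established in the thread: that the .socket unit already binds port 53 on the proxy's behalf while the .toml still sets its own `listen_addresses` (upstream's example toml says to leave that list empty under socket activation), that the .service runs as a non-root user and so cannot bind a second privileged port without CAP_NET_BIND_SERVICE, and that resolv.conf must name an address the proxy actually listens on. The four `SAMPLE_*` strings, including the `127.0.2.1:53` socket address and the `DynamicUser=yes` line, are constructed stand-ins for the real files, not copies of them; point the functions at `/etc/systemd/system/dnscrypt-proxy.socket`, the .service, the .toml and `/etc/resolv.conf` on a real host.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check a socket-activated
# dnscrypt-proxy.service against its .toml and the system resolv.conf.
# Every SAMPLE_* value below is constructed, standing in for the real file.
set -eu

SAMPLE_TOML='listen_addresses = ["127.0.0.2:53"]'
SAMPLE_SOCKET='[Socket]
ListenStream=127.0.2.1:53
ListenDatagram=127.0.2.1:53'
SAMPLE_SERVICE='[Service]
ExecStart=/usr/sbin/dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
DynamicUser=yes'
SAMPLE_RESOLV='nameserver 127.0.0.53
options edns0 trust-ad'

# toml_listen_addrs TEXT: one host:port per line from listen_addresses = [...]
toml_listen_addrs() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*listen_addresses[[:space:]]*=[[:space:]]*\[\([^]]*\)\].*/\1/p' \
    | tr ',' '\n' | tr -d '" ' | sed '/^$/d'
}

# socket_listen_addrs TEXT: addresses the .socket unit binds before the proxy starts
socket_listen_addrs() {
  printf '%s\n' "$1" | sed -n -e 's/^ListenStream=//p' -e 's/^ListenDatagram=//p' | sort -u
}

# drops_root TEXT: true when the .service runs the proxy as a non-root user
drops_root() {
  printf '%s\n' "$1" | grep -q '^DynamicUser=yes$' && return 0
  printf '%s\n' "$1" | grep -q '^User=' && ! printf '%s\n' "$1" | grep -q '^User=root$'
}

# grants_port53 TEXT: true when the unit keeps CAP_NET_BIND_SERVICE for that user
grants_port53() {
  printf '%s\n' "$1" | grep -q '^AmbientCapabilities=.*CAP_NET_BIND_SERVICE'
}

# resolv_nameservers TEXT: the nameserver entries of a resolv.conf
resolv_nameservers() {
  printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# diagnose TOML SOCKET SERVICE RESOLV: one "ISSUE:" line per finding (IPv4 only)
diagnose() {
  toml=$1 socket=$2 service=$3 resolv=$4
  proxy_addrs=$(toml_listen_addrs "$toml")
  socket_addrs=$(socket_listen_addrs "$socket")

  # 1. systemd and the proxy both trying to own port 53 for the same service
  if [ -n "$socket_addrs" ] && [ -n "$proxy_addrs" ]; then
    echo "ISSUE: the .socket unit already binds $(echo $socket_addrs); with socket activation the toml should have listen_addresses = [] instead of $(echo $proxy_addrs)"
  fi
  # 2. the proxy binds its own :53 but runs unprivileged without the capability
  if [ -n "$proxy_addrs" ] && drops_root "$service" && ! grants_port53 "$service"; then
    echo "ISSUE: the .service drops root without AmbientCapabilities=CAP_NET_BIND_SERVICE, so binding $(echo $proxy_addrs) fails with EACCES (permission denied)"
  fi
  # 3. resolv.conf still sends queries somewhere the proxy is not listening
  listen_ips=$(printf '%s\n%s\n' "$proxy_addrs" "$socket_addrs" | sed 's/:[0-9]*$//' | sed '/^$/d' | sort -u)
  for ns in $(resolv_nameservers "$resolv"); do
    if ! printf '%s\n' "$listen_ips" | grep -qxF "$ns"; then
      echo "ISSUE: resolv.conf nameserver $ns is not an address the proxy listens on"
    fi
  done
}

# issue_count ...: number of ISSUE lines diagnose would print
issue_count() {
  diagnose "$@" | grep -c '^ISSUE' || true
}

diagnose "$SAMPLE_TOML" "$SAMPLE_SOCKET" "$SAMPLE_SERVICE" "$SAMPLE_RESOLV"
```

On the constructed samples this reports all three findings; with `listen_addresses = []` and a resolv.conf that names the socket's address it reports none. The script only reads text, so it is safe to run while the broken service is still failing; whether the real units on the host match the assumed shapes is exactly what running it tells you.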
Mheh... no luck. I'm rolling back until I can do more research. Something is fundamentally broken with dnscrypt-proxy.
NetworkManager keeps resetting the DNS server to 127.0.0.53, despite the fact that stub-resolv and systemd-resolved.service are disabled... there are too many cooks spoiling the broth.
It sounds like it needs something running (NetworkManager) to implement the proxy. You can place a delay on the startup (about ten seconds) and add an iwconfig command to modify the DNS on the interface. That may get you where you want to be.