So I finally got dnscrypt-proxy working... sort of.
If I reboot, then in Terminal, I issue: sudo dnscrypt-proxy status
... it says it cannot load the dnscrypt-proxy.toml configuration file, saying it's a FATAL error. Of course, DNS resolution doesn't work then.
But if I do: sudo dnscrypt-proxy -c /etc/dnscrypt-proxy/dnscrypt-proxy.toml
... it starts up just fine, and DNS resolution works.
So how do I edit the command to automatically start it at boot so it properly loads the .toml configuration file?
And secondly... systemd-resolved.service is still running... if I disable and stop it, all DNS resolution stops working, but if it's enabled, the browser goes through DNSCrypt (listening on 127.0.0.2), whereas doing dig txt debug.opendns.com in Terminal goes through systemd-resolved.service (listening on 127.0.0.53).
How do I get the entire system switched over to use DNSCrypt?
You should be able to provide a manual DNS preference for the network interface. Set this to your DNS proxy.
As for the startup script, are you using a bash script or loading the command through startup apps? If you can type the -c command and get the proxy running, just add that command to the startup list (including the specification of where the toml lives). That should enable it at session start.
It's starting up as a system service during the boot process, but it fails.
sudo systemctl status dnscrypt-proxy
● dnscrypt-proxy.service - DNSCrypt client proxy
Loaded: loaded (/etc/systemd/system/dnscrypt-proxy.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2022-12-13 22:57:43 CST; 1h 7min ago
TriggeredBy: ● dnscrypt-proxy.socket
Docs: https://github.com/DNSCrypt/dnscrypt-proxy/wiki
Main PID: 5317 (code=exited, status=255/EXCEPTION)
I can start it manually after boot, but that's obviously not ideal, as I have to leave a Terminal window open to keep it running. Something's not right with how it's configured to start during boot, and I suspect it's not loading the .toml file, given that's the error I get when checking dnscrypt-proxy's status.
I noticed that I was using dnscrypt-proxy 2.0.31, which I'd downloaded and installed via sudo apt install dnscrypt-proxy.
I upgraded to 2.1.2 by downloading the latest from the developer's website, shutting down dnscrypt, extracting the .tar.gz file, then copying over the .bin file, the dnscrypt-proxy.toml configuration file and the dnscrypt-proxy-example.toml example file. I then edited the example file, then saved it as the configuration file.
I get the same behavior... when starting up during boot or restarting the service after boot, it fails after it cannot bind to 127.0.0.2:53 despite nothing else using that port when dnscrypt is shut down:
ss -lp 'sport = :domain'
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.53%lo:domain 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:domain 0.0.0.0:*
But it'll start up manually just fine via: sudo dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
... and it shows it's binding to that port:
ss -lp 'sport = :domain'
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.2:domain 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:domain 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.2:domain 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:domain 0.0.0.0:*
There's obviously something wrong with how the system is starting that service, which is why I need to figure out how to edit those settings.
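An added example (not from this thread) of the two checks the situation above calls for: writing a systemd drop-in that makes dnscrypt-proxy.service start with an explicit -config path, and parsing ss output to confirm which address actually owns port 53. It assumes the toml path from the thread and a binary at /usr/sbin/dnscrypt-proxy (assumed); the ss sample is constructed from the output quoted above.

```shell
#!/bin/sh
# Added example, not the project's own tooling.
set -eu

CONF=/etc/dnscrypt-proxy/dnscrypt-proxy.toml   # path used in the thread

# write_dropin DIR BIN: create DIR/dnscrypt-proxy.service.d/override.conf.
# For a real system DIR is /etc/systemd/system (then run systemctl daemon-reload);
# a temp dir is used in the test so this runs offline.
write_dropin() {
  d="$1/dnscrypt-proxy.service.d"
  mkdir -p "$d"
  # The empty ExecStart= clears the packaged command first; systemd rejects a
  # Type=simple unit that ends up with two ExecStart lines.
  printf '[Service]\nExecStart=\nExecStart=%s -config %s\n' "$2" "$CONF" \
    > "$d/override.conf"
  echo "$d/override.conf"
}

# dropin_ok FILE: succeeds if FILE resets ExecStart and passes -config CONF.
dropin_ok() {
  grep -qx 'ExecStart=' "$1" && grep -q -- "-config $CONF" "$1"
}

# listeners_on_53 < ss-output: local addresses bound to port 53 ("domain"),
# one per line, with the %lo scope and the port stripped, deduplicated.
listeners_on_53() {
  awk 'NR>1 { sub(/%lo/, "", $5); sub(/:domain$/, "", $5); print $5 }' \
    | LC_ALL=C sort -u
}

# handoff_ok NAMESERVER < ss-output: succeeds only if the address the system
# resolver hands queries to is actually listening on port 53.
handoff_ok() {
  listeners_on_53 | grep -qx "$1"
}

# Constructed sample, shaped like `ss -lp 'sport = :domain'` in the thread.
SAMPLE_SS='Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.2:domain 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:domain 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.2:domain 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:domain 0.0.0.0:*'
SAMPLE_SS_BEFORE='Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.53%lo:domain 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:domain 0.0.0.0:*'
```

If the status output shows TriggeredBy: dnscrypt-proxy.socket, also compare the socket unit's listen address with listen_addresses in the toml, since both claiming the same port is one way a bind at boot can fail while a manual start succeeds.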
Mheh... no luck. I'm rolling back until I can do more research. Something is fundamentally broken with dnscrypt-proxy.
NetworkManager keeps resetting the DNS server to 127.0.0.53, despite the fact that stub-resolv and systemd-resolved.service are disabled... there are too many cooks spoiling the broth.
It sounds like it needs something running (NetworkManager) to implement the proxy. You can place a delay on the startup (about ten seconds) and add an iwconfig command to modify the DNS on the interface. That may get you where you want to be.