Problem with installing DNScrypt

I'm having a whole lot of trouble installing DNScrypt on Zorin 15.3 core. I'm suspicious that the issue is with Zorin. Can somebody else try to install it and confirm/disprove?

Instructions: https://www.linuxuprising.com/2018/10/install-and-enable-dnscrypt-proxy-2-in.html

Can you describe what method of installation you used and what your troubles are?

I'm installing it via the sudo apt install dnscrypt-proxy command but mid-installation it gets stuck and finishes the installation with this error: Job for dnscrypt-proxy.service failed because a timeout was exceeded. I can't get it to work at all. Even tried it on a fresh Zorin installation but I get the same error.

That sounds like a repo issue.
Can you remove existing files first:

sudo apt purge dnscrypt-proxy

Then add the repo, update and then install:

sudo add-apt-repository ppa:shevchuk/dnscrypt-proxy

sudo apt-get update

sudo apt install dnscrypt-proxy

Yes, you were right. I was not expecting it to be a repo issue! Thanks.

Did you get it to work? Because I've been trying, but every time I stop and disable systemd-resolved (so only dnscrypt-proxy is listening on port 53), it won't resolve URLs.

I've got a long record of everything I did (see below). I even edited the .toml file so it was identical to the settings I had when I was running Simple DNSCrypt under Windows, and I edited resolv.conf to reflect the different listening IP address, and NetworkManager.conf (hoping that I could replace dns=dnsmasq with dns=dnscrypt-proxy)... all no joy.

I ended up purging dnscrypt and re-enabling and restarting systemd-resolved, whereupon DNS resolution started working again.

Here's what I did:

First, we want to make sure everything is up to date, so we issue the command:

sudo apt update

... and if anything needs updating, we issue the command:

sudo apt upgrade

Then we can fetch DNSCrypt (latest version: 2.0.31) by issuing the command:

sudo apt install dnscrypt-proxy

We need to know if anything is listening on port 53, so we issue the command:

ss -lp 'sport = :domain'

You should see output like this:

Netid State   Recv-Q  Send-Q   Local Address:Port     Peer Address:Port Process 
udp   UNCONN  0       0            127.0.2.1:domain        0.0.0.0:*            
udp   UNCONN  0       0        127.0.0.53%lo:domain        0.0.0.0:*            
tcp   LISTEN  0       4096         127.0.2.1:domain        0.0.0.0:*            
tcp   LISTEN  0       4096     127.0.0.53%lo:domain        0.0.0.0:*

Now issue the commands:

systemctl stop systemd-resolved
systemctl disable systemd-resolved

And just to be sure that only DNSCrypt is now listening on port 53, issue the command again:

ss -lp 'sport = :domain'

You should see output like this:

Netid State   Recv-Q  Send-Q   Local Address:Port     Peer Address:Port Process 
udp   UNCONN  0       0            127.0.2.1:domain        0.0.0.0:*            
tcp   LISTEN  0       4096         127.0.2.1:domain        0.0.0.0:*

Now we need to configure the .toml configuration file. The easiest way of doing that is to start gedit as root:

sudo gedit

Then open the file at /usr/share/doc/dnscrypt-proxy/examples/example-dnscrypt-proxy.toml, edit it, then save it to /etc/dnscrypt-proxy/dnscrypt-proxy.toml (NOTE THE CHANGE IN FILE NAME). This gives you the chance to edit the file to your liking before saving it.

In that file, I changed:

listen_addresses = ['127.0.0.1:53', '[::1]:53']

to:

listen_addresses = []

Note: I first tried this with 127.0.0.1:53... apparently making this blank is required because it installs systemd sockets instead of standard sockets. Alternatively, you can disable systemd sockets and keep the listen_addresses entries:
https://github.com/DNSCrypt/dnscrypt-proxy/wiki/systemd#disable-systemd-socket-activation

and:

force_tcp = false

to:

force_tcp = true

and...

# log_level = 2

to:

log_level = 6

and...

# dnscrypt_ephemeral_keys = false

to:

dnscrypt_ephemeral_keys = true

and...

# tls_disable_session_tickets = false

to:

tls_disable_session_tickets = true

and...

ignore_system_dns = false

to:

ignore_system_dns = true

and (because I'm on an IPv4 network)...

block_ipv6 = false

to:

block_ipv6 = true

... and I uncommented:

lb_strategy = 'p2'
lb_estimator = true
use_syslog = true

Then issue the commands:

systemctl enable dnscrypt-proxy
systemctl start dnscrypt-proxy

Now we have to connect DNSCrypt to Network Manager:

sudo gedit

Open /etc/NetworkManager/NetworkManager.conf

... and change:

[main]
plugins=ifupdown,keyfile

to:

[main]
plugins=ifupdown,keyfile
dns=dnscrypt-proxy

... then save that file.

Then we have to change the system DNS settings. Issue the command:

sudo gedit

... and open the file /etc/resolv.conf, and save it as /etc/resolv.conf.backup

Then go back and reopen /etc/resolv.conf and edit it so it shows the following:

nameserver 127.0.0.1
options edns0 trust-ad

... and save that file.

Then we need to set up dnscrypt-proxy as a system service.

In Terminal, type:

cd /etc/dnscrypt-proxy
dnscrypt-proxy -service install
dnscrypt-proxy -service start

In your Network Settings, change DNS server from 'Automatic' to '127.0.0.2'.

Then issue the command:

sudo systemctl restart NetworkManager.service

Then reboot your computer.

If you decide that DNSCrypt isn't for you, you can remove it by issuing:

dnscrypt-proxy -service stop
sudo apt purge dnscrypt-proxy
systemctl enable systemd-resolved
systemctl start systemd-resolved

Can anyone see what I'm doing wrong?

I think Comcast is doing DNS hijacking... even though I've got other DNS servers set up (on the computer and in the router, using regular DNS, not DoH nor encrypted DNS), Comcast's DNS servers always show up as what I'm using.

DNSCrypt will fix that (just as it did under Windows), if I can get it working.
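
An added consistency check, not code from any post in this thread or from the dnscrypt-proxy project: it parses the ss output, the resolv.conf contents and the listen_addresses line that the post above reports (all three constructed inline from the post's own values, no files are read) and flags where they disagree, because a nameserver entry only works if something is actually bound on that exact address. With listen_addresses left empty, the bound address is chosen by the systemd socket unit, so ss is the source of truth, not the toml.

```python
import re

# Constructed sample inputs, copied from what the post above reports.
SS_OUTPUT = """Netid State   Recv-Q  Send-Q   Local Address:Port     Peer Address:Port Process
udp   UNCONN  0       0            127.0.2.1:domain        0.0.0.0:*
tcp   LISTEN  0       4096         127.0.2.1:domain        0.0.0.0:*
"""
RESOLV_CONF = "nameserver 127.0.0.1\noptions edns0 trust-ad\n"
TOML_SNIPPET = "listen_addresses = []\nforce_tcp = true\n"

def _host(addr_port):
    # '127.0.2.1:domain' or '[::1]:53' -> bare host; drop brackets and %iface
    return addr_port.rpartition(':')[0].strip('[]').split('%')[0]

def listeners_on_port_53(ss_text):
    """Hosts that ss reports as bound to port 53 (udp or tcp)."""
    bound = set()
    for line in ss_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) >= 5 and fields[4].rpartition(':')[2] in ('domain', '53'):
            bound.add(_host(fields[4]))
    return bound

def nameservers(resolv_text):
    """nameserver entries from resolv.conf, in order."""
    return [ln.split()[1] for ln in resolv_text.splitlines()
            if ln.startswith('nameserver') and len(ln.split()) > 1]

def toml_listen_addresses(toml_text):
    """Parsed listen_addresses list, or None if the key is absent."""
    m = re.search(r"^\s*listen_addresses\s*=\s*\[(.*)\]", toml_text, re.M)
    if not m:
        return None
    return [s.strip().strip("'\"") for s in m.group(1).split(',') if s.strip()]

def check(ss_text, resolv_text, toml_text):
    """Return a list of findings; an empty list means the three sources agree."""
    findings = []
    bound = listeners_on_port_53(ss_text)
    if not bound:
        findings.append("nothing is listening on port 53")
    for ns in nameservers(resolv_text):
        if ns not in bound:
            findings.append(f"resolv.conf sends queries to {ns}, but port 53 is bound only on {sorted(bound)}")
    cfg = toml_listen_addresses(toml_text)
    if not cfg:   # [] or absent: the systemd socket unit, not the toml, picks the address
        findings.append("listen_addresses is empty, so check ss for the socket unit's address and point resolv.conf at that")
    for a in cfg or []:
        if _host(a) not in bound:
            findings.append(f"toml asks for {a} but it is not bound; socket activation is probably overriding it")
    return findings
```

On the post's values it reports that resolv.conf points at 127.0.0.1 while port 53 is bound only on 127.0.2.1, which is the first thing to reconcile before looking at firewalls or NetworkManager.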

I would not be surprised... Very Glad that ComCast is not out where I am, monopolizing...

Well, it is better here in TX than in the SF Bay Area... you'd think the heart of Silicon Valley would have the fastest internet speeds... but the ISPs have set up non-compete clauses so a lot of places are only served by one ISP, and the fastest DSL we were provisioned for was 3 Mbps with a 250 GB/month cap, but it was unstable because they've deferred maintenance on the telephone system, so they dropped us back to 1.5 Mbps. The slowest I could get here in TX was 300 Mbps with a 1 TB/month cap (and it's cheaper than the old DSL connection)... I don't know what to do with that kind of speed.

Move out here rural in TX and you'll find the average available is 10 Mb/s ;)

At $400 per month.

Viasat...

We built a tower to avoid that. Tried Viasat for one month and said NOPE.

Anyway, I thought setting up DNSCrypt under Zorin OS would be pretty much the same as Simple DNSCrypt under Windows... disable the built-in DNS resolver service, set up DNSCrypt listening locally on the correct ports, redirect your Wifi or wired connection to connect to DNSCrypt, and you're up and running.

DNSCrypt-proxy is starting up alright, it's loading in the .toml configuration file, and I've got it configured so the Wifi connection connects to the local DNSCrypt-proxy, but something's not working. It can't be the firewall, as it doesn't work even with the firewall turned off.

I messed around with this again... still no joy. No matter what, as soon as you issue:

sudo systemctl disable systemd-resolved.service
sudo systemctl stop systemd-resolved.service

... DNS resolution stops, even with DNSCrypt-proxy running and listening on the correct port.

This is one of the last 'to-do's for this system... anyone got any ideas on how to get it working? I even tried to force it to work by editing resolv.conf and by manually setting a DNS IP address in Network Manager.