DNSCrypt-Proxy version 2 implements the DNSCrypt v2, DNSCrypt v1 and DNS-over-HTTP/2 protocols that encrypt and authenticate DNS traffic between the DNS resolver and the user's PC.
Version 2 has a long list of improvements over version 1. Among other version 2 will load-balance the DNS resolvers making it much more robust in the face of resolver failures. Another improvement that is felt right away is the built in cache. Because of it we no longer have to front DNSCrypt-Proxy with DNSMasq making the setup a lot simpler. Maintenance is also a breeze because the list of public resolvers is automatically downloaded on first use and regularly updated in the background.
You can check out the full list of changes here.
Version 2 is not available from the official Ubuntu package repositories prior to Ubuntu 18.10. Instead we opt to install DNSCrypt-Proxy from a tarball.
Head over to https://github.com/jedisct1/dnscrypt-proxy/releases/ and grab the latest release. At the time of writing it is dnscrypt-proxy-linux_x86_64-2.0.23.tar.gz.
After downloading the file hit the terminal with ctrl+alt+t and unpack the file.
$ cd Downloads
$ tar xvzf dnscrypt-proxy-linux_x86_64-2.0.23.tar.gz
It's time to go root, move the files to /usr/local/dnscrypt-proxy and set root as owner.
$ sudo -s $ mv linux-x86_64/ /usr/local/dnscrypt-proxy $ chown root:root -R /usr/local/dnscrypt-proxy
Before we proceed any further lets make sure we don't have an old installation of DNSCrypt-Proxy version 1 and DNSMasq running (DNSMasq is not needed with DNSCrypt-Proxy version 2).
$ systemctl stop dnscrypt-proxy.service dnsmasq.service
$ apt purge dnscrypt-proxy dnsmasq
Create a configuration file from example-dnscrypt-proxy.toml and do a test launch of DNSCrypt-Proxy version 2.
$ cd /usr/local/dnscrypt-proxy $ cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml $ ./dnscrypt-proxy [2019-05-31 16:46:36] [NOTICE] Source [public-resolvers.md] loaded [2019-05-31 16:46:36] [NOTICE] dnscrypt-proxy 2.0.23 [2019-05-31 16:46:36] [NOTICE] Now listening to 127.0.0.1:53 [UDP] [2019-05-31 16:46:36] [NOTICE] Now listening to 127.0.0.1:53 [TCP] [2019-05-31 16:46:36] [NOTICE] Now listening to [::1]:53 [UDP] [2019-05-31 16:46:36] [NOTICE] Now listening to [::1]:53 [TCP] [2019-05-31 16:46:46] [NOTICE] System DNS configuration not usable yet, exceptionally resolving [doh.appliedprivacy.net] using fallback resolver [220.127.116.11:53] [2019-05-31 16:46:46] [NOTICE] [doh.appliedprivacy.net] OK (DoH) - rtt: 42ms [2019-05-31 16:46:47] [NOTICE] [arvind-io] OK (DNSCrypt) - rtt: 319ms [2019-05-31 16:46:47] [NOTICE] [bottlepost-dns-nl] OK (DNSCrypt) - rtt: 23ms [2019-05-31 16:46:47] [NOTICE] [charis] OK (DNSCrypt) - rtt: 21ms [2019-05-31 16:46:47] [NOTICE] [cloudflare] OK (DoH) - rtt: 11ms [2019-05-31 16:46:47] [NOTICE] [cpunks-ru] OK (DNSCrypt) - rtt: 39ms ... [2019-05-31 16:47:12] [NOTICE] dnscrypt-proxy is ready - live servers: 73
In its first run DNSCrypt-Proxy will download the list of public resolvers and store it under /usr/local/dnscrypt-proxy/public-resolvers.md. In this sample configuration it will load-balance DNS queries among a subset of the fastest resolvers.
We can test DNSCrypt-Proxy in a new terminal window ctrl+alt+t by sending a DNS query directly to 127.0.0.1 on port 53 using the dig command (part of the dnsutils package).
$ sudo su -
$ apt-get install dnsutils $ dig google.com @127.0.0.1 -p 53
Applications in general use the glibc resolver API to lookup domain names. This API reads its nameserver configuration from /etc/resolv.conf. We need to configure it to use DNSCrypt-Proxy on 127.0.0.1.
The resolv.conf file can be overwritten by a multitude of services. Rather than try to figure out what service(s) is trying to manage the file, we are going to edit the file and then lock the file for modification. But first we recreate it because it might be a link (on my system it was a link to /run/resolvconf/resolv.conf).
$ rm /etc/resolv.conf $ vim /etc/resolv.conf
Press i to enter insert mode and then enter this content
Press ESC to exit insert mode and type ":wq" to write and quit.
Make the file readable and lock it for modification.
$ chmod a+r /etc/resolv.conf $ chattr +i /etc/resolv.conf
Check that apps that use the resolver API, such as a web browser, still work. If everything is OK then stop the dnscrypt-crypt process we started manually by pressing ctrl+c in the terminal where we opened it.
Now setup DNSCrypt-Proxy as a Systemd managed service.
$ ./dnscrypt-proxy -service install $ ./dnscrypt-proxy -service start
You can find the new Systemd unitfile for DNSCrypt-Proxy under /etc/systemd/system/dnscrypt-proxy.service.
If you want to use a particular set of resolvers, then open dnscrypt-proxy.toml, uncomment the server_names option and add the servers you want from the public resolver list.
# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
When you are done tinkering with the configuration, restart the DNSCrypt-Proxy service with systemctl.
$ systemctl restart dnscrypt-proxy.service