Ubuntu DNSCrypt Howto

 

This Howto has been moved to the miniguide section and will be maintained there from now on.

Introduction

This Howto describes setting up DNSCrypt on Ubuntu Linux using packages from Linux Mint/PPA.

Installing dnscrypt-proxy

Open the Terminal. Add the Linux Mint PPA repository to your APT sources, update the list of available packages and install dnscrypt-proxy via apt-get with root permissions.

$ sudo add-apt-repository ppa:anton+/dnscrypt
$ sudo apt-get update
$ sudo apt-get install dnscrypt-proxy

Configuring dnscrypt-proxy

In this setup dnscrypt-proxy listens on the loopback device lo, bound to 127.0.0.2 on port 53. It uses one of the public IPredator resolvers, with the IP address 194.132.32.32.

Edit /etc/default/dnscrypt-proxy and add the following lines:

provider-name=2.dnscrypt-cert.ipredator.se
provider-key=F581:BDCD:C1F7:469C:6B55:A144:39AA:F2F6:3AD1:8C5F:AE57:7EE1:06C9:B2EC:D29E:6849
resolver-address=194.132.32.32

Starting dnscrypt-proxy

To start dnscrypt-proxy without rebooting your machine, just restart the Network Manager while you are still in the Terminal:

$ sudo /etc/init.d/networking restart

Testing dnscrypt-proxy

Use dig to send a query for the A record of ipredator.se to the dnscrypt-proxy instance listening on 127.0.0.2:

# dig ipredator.se @127.0.0.2

; <<>> DiG 9.9.5-3ubuntu0.4-Ubuntu <<>> @127.0.0.2 ipredator.se
; (1 server found)
;; global options:  cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24172
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
;ipredator.se.                  IN      A
;; QUESTION SECTION:
;ipredator.se.                  IN      A
    
;; ANSWER SECTION:
ipredator.se.           508     IN      A       193.234.198.40
ipredator.se.           508     IN      A       193.234.198.41
 
;; AUTHORITY SECTION:
ipredator.se.           599     IN      NS      ns3u.resolv.to.
ipredator.se.           599     IN      NS      ns1a.resolv.to.
ipredator.se.           599     IN      NS      ns2u.resolv.to.
ipredator.se.           599     IN      NS      ns1u.resolv.to.

;; Query time: 245 msec
;; SERVER: 127.0.0.2#53(127.0.0.2)
;; WHEN: Mon Jun 29 23:45:52 2015
;; MSG SIZE  rcvd: 147

If you see results in the ANSWER SECTION like those above, dnscrypt-proxy basically works.

System wide DNS configuration  

When using DHCP to configure your host's IP address, dhclient needs to supersede the nameservers it receives from local DHCP servers with 127.0.0.2. You still receive an IP address from the network range your machine sits in, as well as a default gateway, but all your DNS queries are safely piped through dnscrypt-proxy.

$ echo "supersede domain-name-servers 127.0.0.2;" | sudo tee -a /etc/dhcp/dhclient.conf

Now restart the Network Manager again.

$ sudo /etc/init.d/networking restart

Superseding the domain name servers via dhclient does not mean that this change is directly visible in /etc/resolv.conf. The nameserver configured in /etc/resolv.conf is still the default resolver running on an Ubuntu Desktop. Instead, the local resolver forwards all queries to dnscrypt-proxy.

To verify that your system really is using 127.0.0.2 as its resolver, let the Network Manager write out its current state:

$ nm-tool

NetworkManager Tool

State: connected (global)

- Device: eth0  [Wired connection 1] -
  Type:              Wired
  Driver:            e1000
  State:             connected
  Default:           yes
  HW Address:        08:00:27:8C:5B:95

  Capabilities:
    Carrier Detect:  yes
    Speed:           1000 Mb/s

  Wired Properties
    Carrier:         on

  IPv4 Settings:
    Address:         10.0.2.15
    Prefix:          24 (255.255.255.0)
    Gateway:         10.0.2.2

    DNS:             127.0.0.2

The last line reveals which DNS server your system really is using. For this Howto 127.0.0.2 is the expected result.
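
The manual checks from the testing and system-wide configuration sections can be scripted. The following is an added example, not part of the original Howto or of dnscrypt-proxy: the function names are hypothetical, the paths and addresses are the ones used on this page, and the sample dig text is constructed from the output shown above.

```bash
#!/bin/sh
# Added example: scripted versions of the manual checks in this Howto.
# Function names are hypothetical; paths and addresses come from the page.
PROXY_ADDR=127.0.0.2

# Print the value of a key=value setting (last occurrence wins).
config_value() {   # $1 = file, $2 = key
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Succeed if $1 has the provider-key format: 16 groups of 4 hex digits.
valid_provider_key() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{4}:){15}[0-9A-Fa-f]{4}$'
}

# Read dig output on stdin. Succeed only if the reply is NOERROR, has at
# least one answer, and was served by $1 rather than another resolver.
dig_answered_by() {
    awk -v want="$1" '
        /status: NOERROR/ { status = 1 }
        /ANSWER: [1-9]/   { answers = 1 }
        /^;; SERVER: /    { split($3, a, "#"); if (a[1] == want) server = 1 }
        END { exit !(status && answers && server) }'
}

# Succeed if dhclient replaces DHCP-supplied resolvers with $2.
# Commented-out lines do not count.
dhclient_supersedes() {   # $1 = dhclient.conf, $2 = address
    grep -Eq "^[[:space:]]*supersede[[:space:]]+domain-name-servers[[:space:]]+$2;" "$1"
}

# Constructed sample, trimmed from the dig output shown in this Howto.
SAMPLE_DIG=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24172
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1
;; SERVER: 127.0.0.2#53(127.0.0.2)'
printf '%s\n' "$SAMPLE_DIG" | dig_answered_by "$PROXY_ADDR" && echo "sample reply: ok"

# Check the live system only when asked to: sh check.sh live
if [ "${1:-}" = live ]; then
    key=$(config_value /etc/default/dnscrypt-proxy provider-key)
    valid_provider_key "$key" || echo "provider-key missing or malformed"
    dig ipredator.se @"$PROXY_ADDR" | dig_answered_by "$PROXY_ADDR" \
        || echo "no usable answer from $PROXY_ADDR"
    dhclient_supersedes /etc/dhcp/dhclient.conf "$PROXY_ADDR" \
        || echo "dhclient.conf does not supersede DHCP nameservers"
fi
```

A reply served by any address other than 127.0.0.2 fails the dig check, which is the case to watch for when DHCP-supplied resolvers are still in use.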

If you experience any problems after following this Howto, please contact support@ipredator.se. For error corrections or feedback please write an email to feedback@ipredator.se. Of course we are also available via our Online Chat.