https://wiki.archlinux.org/api.php?action=feedcontributions&user=Finale&feedformat=atomArchWiki - User contributions [en]2024-03-29T07:43:36ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=Dnscrypt-proxy&diff=500171Dnscrypt-proxy2017-11-30T03:22:40Z<p>Finale: Fix capitalization.</p>
<hr />
<div>[[Category:Domain Name System]]<br />
[[Category:Encryption]]<br />
[[es:DNSCrypt]]<br />
[[ja:DNSCrypt]]<br />
[[pt:DNSCrypt]]<br />
[[zh-hans:DNSCrypt]]<br />
[http://dnscrypt.org/ DNSCrypt] encrypts and authenticates DNS traffic between the client and its DNS resolver. It does not change the IP traffic that follows a lookup, but it stops an on-path attacker from spoofing or altering DNS replies, because every response is authenticated as coming from the resolver you chose. Note what this does and does not buy you: trust moves to that resolver, and DNSCrypt says nothing about whether the resolver's answers are themselves correct, which is what DNSSEC validation is for. [https://www.reddit.com/r/sysadmin/comments/2hn435/dnssec_vs_dnscrypt/ckuhcbu]<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|dnscrypt-proxy}} package.<br />
<br />
{{Tip|{{AUR|dnscrypt-proxy-gui}} provides a GUI written in Qt to set the DNS server used by DNSCrypt.}}<br />
<br />
== Configuration ==<br />
<br />
{{Tip|An example configuration file, {{ic|/etc/dnscrypt-proxy.conf.example}}, is provided. Note that the packaged systemd socket unit supplies the listening address, so the {{ic|LocalAddress}} option in the configuration file is ignored; see [[#Change_port|Change port]].}}<br />
<br />
To configure ''dnscrypt-proxy'', perform the following steps:<br />
<br />
=== Select resolver ===<br />
<br />
Select a resolver from {{ic|/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv}} and edit {{ic|/etc/dnscrypt-proxy.conf}}, using a short name from the csv file's first column, {{ic|Name}}. The other columns are worth reading before choosing: they record whether the resolver validates DNSSEC, whether it claims to keep no logs, and the provider public key that ''dnscrypt-proxy'' uses to authenticate it. For example, to select ''dnscrypt.eu-nl'' as the resolver:<br />
<br />
ResolverName dnscrypt.eu-nl<br />
<br />
{{Tip|<br />
* A potentially more up-to-date list is available directly on the [https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv upstream page].<br />
* At this stage you may also wish to make sure the proxy does not run as root. See [[#dnscrypt runs with root privileges]].}}<br />
<br />
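As an added illustration (not code from the ArchWiki page or from ''dnscrypt-proxy''), the following Python script filters the resolver list by the properties that matter for a security decision, DNSSEC validation and the no-logs claim, and rejects rows whose provider public key is not a well-formed fingerprint. The header line matches the 1.x {{ic|dnscrypt-resolvers.csv}}; the data rows are constructed for this example and are not real resolvers. Run it with the real file's path as its argument to get {{ic|ResolverName}} lines for the matching entries.<br />

```python
"""Pick a DNSCrypt resolver from dnscrypt-resolvers.csv by its security properties.

Added example; not part of the ArchWiki page or of dnscrypt-proxy itself.
The column names follow the header of dnscrypt-proxy 1.x's
dnscrypt-resolvers.csv. The sample rows are constructed for this example
(invented names, invented keys, TEST-NET addresses) and are not real resolvers.
"""
import csv
import io
import re
import sys

# A provider public key is 32 bytes, written as 16 colon-separated groups of
# 4 hex digits. dnscrypt-proxy checks the resolver's certificate against it,
# so a row with a malformed key cannot be used safely.
_FINGERPRINT_RE = re.compile(r"^(?:[0-9A-Fa-f]{4}:){15}[0-9A-Fa-f]{4}$")

DEFAULT_CSV_PATH = "/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv"

# Constructed sample data with the same header as the real file.
SAMPLE_CSV = """\
Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
example-a,Example A,Validating no-log resolver,Somewhere,,https://example.invalid/a,1,yes,yes,no,192.0.2.10:443,2.dnscrypt-cert.example-a.invalid,0000:1111:2222:3333:4444:5555:6666:7777:8888:9999:AAAA:BBBB:CCCC:DDDD:EEEE:FFFF,
example-b,Example B,Validating but logs queries,Elsewhere,,https://example.invalid/b,1,yes,no,no,192.0.2.20:443,2.dnscrypt-cert.example-b.invalid,0000:1111:2222:3333:4444:5555:6666:7777:8888:9999:AAAA:BBBB:CCCC:DDDD:EEEE:0001,
example-c,Example C,Malformed key field,Nowhere,,https://example.invalid/c,1,yes,yes,no,192.0.2.30:443,2.dnscrypt-cert.example-c.invalid,not-a-fingerprint,
example-d,Example D,No DNSSEC validation,Anywhere,,https://example.invalid/d,1,no,yes,no,192.0.2.40:443,2.dnscrypt-cert.example-d.invalid,0000:1111:2222:3333:4444:5555:6666:7777:8888:9999:AAAA:BBBB:CCCC:DDDD:EEEE:0002,
"""


def load_resolvers(text):
    """Parse CSV text into a list of dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def valid_fingerprint(key):
    """True when the key looks like a DNSCrypt provider key fingerprint."""
    return bool(_FINGERPRINT_RE.match(key.strip()))


def select_resolvers(rows, require_dnssec=True, require_no_logs=True):
    """Names of the resolvers that satisfy the policy, in file order."""
    chosen = []
    for row in rows:
        if require_dnssec and row["DNSSEC validation"].strip().lower() != "yes":
            continue
        if require_no_logs and row["No logs"].strip().lower() != "yes":
            continue
        if not valid_fingerprint(row["Provider public key"]):
            continue                      # unusable entry, never pick it
        chosen.append(row["Name"])
    return chosen


def config_line(name):
    """The line to put in /etc/dnscrypt-proxy.conf for the chosen resolver."""
    return "ResolverName " + name


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_CSV_PATH
    try:
        with open(path, newline="") as fh:
            resolvers = load_resolvers(fh.read())
    except OSError:
        resolvers = load_resolvers(SAMPLE_CSV)   # fall back to the sample
    for name in select_resolvers(resolvers):
        print(config_line(name))
```

With the sample data only ''example-a'' survives the default policy: ''example-b'' logs, ''example-d'' does not validate DNSSEC, and ''example-c'' has a key that cannot be used to authenticate anything, which is the failure worth catching before the name ever reaches the configuration file.<br />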
=== Modify resolv.conf ===<br />
<br />
After selecting a DNSCrypt resolver, edit [[resolv.conf]] and replace the current set of resolver addresses with the loopback address, so that every lookup goes through the proxy:<br />
<br />
nameserver 127.0.0.1<br />
<br />
Other programs may overwrite this setting; see [[resolv.conf#Preserve DNS settings]] for details.<br />
<br />
=== Start systemd service ===<br />
<br />
Finally, [[Enable|start and enable]] the {{ic|dnscrypt-proxy.service}}.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Local DNS cache configuration ===<br />
<br />
{{Note|''dnscrypt'' can cache entries without relying on another program. Ensure that {{ic|LocalCache on}} is in your dnscrypt configuration file to enable this feature.}}<br />
<br />
It is recommended to run DNSCrypt as a forwarder for a local DNS cache if not using ''dnscrypt-proxy's'' own cache; otherwise, every single query makes a round-trip to the upstream resolver. Any local DNS caching program should work. In addition to setting up ''dnscrypt-proxy'', you must set up your local DNS cache program.<br />
<br />
==== Change port ====<br />
<br />
{{Note|Changing the IP address or port in {{ic|/etc/dnscrypt-proxy.conf}} [https://github.com/jedisct1/dnscrypt-proxy/issues/528 does not work] when using the provided systemd unit and must be changed in the provided systemd socket as follows.}}<br />
<br />
In order to forward to a local DNS cache, ''dnscrypt-proxy'' should listen on a port other than the default {{ic|53}}, since the DNS cache itself needs to listen on {{ic|53}} and query ''dnscrypt-proxy'' on a different port. Port number {{ic|5353}} is used as an example in this section. Because systemd opens the socket and hands it to the proxy, ''dnscrypt-proxy'' does not need root privileges for either port, but keep it bound to {{ic|127.0.0.1}}: binding to all interfaces would make the proxy a resolver reachable from the network. [[Edit]] {{ic|dnscrypt-proxy.socket}} with the following contents (the empty assignments clear the addresses inherited from the packaged unit before the new ones are added):<br />
<br />
[Socket]<br />
ListenStream=<br />
ListenDatagram=<br />
ListenStream=127.0.0.1:5353<br />
ListenDatagram=127.0.0.1:5353<br />
<br />
{{Note|UDP port {{ic|5353}} is used by [[Avahi#Firewall|Avahi]] (if installed and running); the conflict produces warnings in the journal and can make [[Avahi]]'s mDNS unreliable. Pick another unprivileged port (for example {{ic|5300}}) if Avahi is in use.}}<br />
<br />
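The drop-in relies on a systemd rule the page does not spell out: per {{man|5|systemd.socket}}, assigning the empty string to any {{ic|Listen*}} option clears every address collected so far, and later assignments add to the empty list again. The following Python script is an added example (not from the ArchWiki page or from systemd) that applies that rule to a main unit plus a drop-in and then audits the result for the two things worth checking here, a bind address other than loopback and the mDNS port clash from the note above. Both unit texts inside it are constructed for the example.<br />

```python
"""Compute the addresses a systemd socket unit ends up listening on once its
drop-ins are applied, then audit them.

Added example; not the ArchWiki page's code and not systemd's. The one rule it
implements is from systemd.socket(5): assigning the empty string to any
Listen* option resets the whole list of addresses, and later assignments add
to it again. Both unit texts below are constructed for the example.
"""
import re

LISTEN_KEYS = ("ListenStream", "ListenDatagram")

# Constructed stand-in for the packaged dnscrypt-proxy.socket.
MAIN_UNIT = """\
[Unit]
Description=dnscrypt-proxy listening socket

[Socket]
ListenStream=127.0.0.1:53
ListenDatagram=127.0.0.1:53

[Install]
WantedBy=sockets.target
"""

# The drop-in from the section above.
DROP_IN = """\
[Socket]
ListenStream=
ListenDatagram=
ListenStream=127.0.0.1:5353
ListenDatagram=127.0.0.1:5353
"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def listen_addresses(*unit_texts):
    """Apply unit texts in order and return {key: [address, ...]}."""
    result = {key: [] for key in LISTEN_KEYS}
    for text in unit_texts:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            if section != "Socket" or "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            if key not in result:
                continue
            if value == "":
                # Empty assignment: every Listen* address so far is discarded.
                result = {k: [] for k in LISTEN_KEYS}
            else:
                result[key].append(value)
    return result


def split_host_port(addr):
    """'127.0.0.1:5353' -> ('127.0.0.1', 5353), '[::1]:5353' -> ('::1', 5353);
    a bare port number means all interfaces, returned as host '*'."""
    m = re.match(r"^\[(.+)\]:(\d+)$", addr)
    if m:
        return m.group(1), int(m.group(2))
    if addr.isdigit():
        return "*", int(addr)
    host, _, port = addr.rpartition(":")
    return host, int(port)


def audit(addresses):
    """Return the findings a security review of the final addresses raises."""
    findings = []
    for key, addrs in addresses.items():
        for addr in addrs:
            host, port = split_host_port(addr)
            if host not in LOOPBACK:
                findings.append(f"{key}={addr}: not loopback, proxy reachable from the network")
            if key == "ListenDatagram" and port == 5353:
                findings.append(f"{key}={addr}: UDP 5353 collides with mDNS (Avahi)")
    return findings


if __name__ == "__main__":
    final = listen_addresses(MAIN_UNIT, DROP_IN)
    print(final)
    for finding in audit(final):
        print("WARNING:", finding)
```

Only one empty assignment is needed to reset the list, so the second one in the drop-in above is harmless. The finding to act on is a non-loopback address: anything that can reach the host can then use the proxy as a resolver.<br />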
==== Example local DNS cache configurations====<br />
<br />
The following configurations should work with ''dnscrypt-proxy'' and assume that it is listening on port {{ic|5353}}.<br />
<br />
===== Unbound =====<br />
<br />
Configure [[Unbound]] to your liking (in particular, see [[Unbound#Local DNS server]]) and add the following lines to the end of the {{ic|server}} section in {{ic|/etc/unbound/unbound.conf}}:<br />
<br />
do-not-query-localhost: no<br />
forward-zone:<br />
name: "."<br />
forward-addr: 127.0.0.1@5353<br />
<br />
{{Tip|If you are setting up a server for other machines, add {{ic|interface: 0.0.0.0@53}} and {{ic|access-control: ''your-network''/''subnet-mask'' allow}} inside the {{ic|server:}} section so that the other computers can connect. Keep the {{ic|access-control}} range as narrow as possible, since anything allowed there can use the resolver. A client must be configured with {{ic|nameserver ''address-of-your-server''}} in {{ic|/etc/resolv.conf}}.}}<br />
<br />
[[Restart]] {{ic|unbound.service}} to apply the changes.<br />
<br />
===== dnsmasq =====<br />
<br />
Configure dnsmasq as a [[dnsmasq#DNS cache setup|local DNS cache]]. The basic configuration to work with DNSCrypt:<br />
<br />
{{hc|/etc/dnsmasq.conf|2=<br />
no-resolv<br />
server=127.0.0.1#5353<br />
listen-address=127.0.0.1<br />
}}<br />
<br />
If you configured DNSCrypt to use a resolver that performs DNSSEC validation, also enable {{ic|proxy-dnssec}} in dnsmasq so that the Authenticated Data (AD) bit set by the upstream resolver is passed on to clients. dnsmasq does not validate anything itself in this mode; it trusts the upstream's AD bit, which is only reasonable because DNSCrypt authenticates the path to that resolver:<br />
<br />
{{hc|/etc/dnsmasq.conf|2=<br />
proxy-dnssec<br />
}}<br />
<br />
Restart {{ic|dnsmasq.service}} to apply the changes.<br />
<br />
===== pdnsd =====<br />
<br />
Install [[pdnsd]]. A basic configuration to work with DNSCrypt is:<br />
<br />
{{hc|/etc/pdnsd.conf|2=<br />
global {<br />
perm_cache = 1024;<br />
cache_dir = "/var/cache/pdnsd";<br />
run_as = "pdnsd";<br />
server_ip = 127.0.0.1;<br />
status_ctl = on;<br />
query_method = udp_tcp;<br />
min_ttl = 15m; # Retain cached entries at least 15 minutes.<br />
max_ttl = 1w; # One week.<br />
timeout = 10; # Global timeout option (10 seconds).<br />
neg_domain_pol = on;<br />
udpbufsize = 1024; # Upper limit on the size of UDP messages.<br />
}<br />
<br />
server {<br />
label = "dnscrypt-proxy";<br />
ip = 127.0.0.1;<br />
port = 5353;<br />
timeout = 4;<br />
proxy_only = on;<br />
}<br />
<br />
source {<br />
owner = localhost;<br />
file = "/etc/hosts";<br />
}<br />
}}<br />
<br />
Restart {{ic|pdnsd.service}} to apply the changes.<br />
<br />
=== Sandboxing ===<br />
<br />
[[Edit]] {{ic|dnscrypt-proxy.service}} to include the following lines:<br />
<br />
[Service]<br />
CapabilityBoundingSet=CAP_IPC_LOCK CAP_SETGID CAP_SETUID<br />
ProtectSystem=strict<br />
ProtectHome=true<br />
ProtectKernelTunables=true<br />
ProtectKernelModules=true<br />
ProtectControlGroups=true<br />
PrivateTmp=true<br />
PrivateDevices=true<br />
MemoryDenyWriteExecute=true<br />
NoNewPrivileges=true<br />
RestrictRealtime=true<br />
RestrictAddressFamilies=AF_INET<br />
SystemCallArchitectures=native<br />
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @ipc @module @mount @obsolete @raw-io<br />
<br />
See {{man|5|systemd.exec}} and [[Systemd#Sandboxing application environments]] for more information. Additionally see [https://github.com/jedisct1/dnscrypt-proxy/pull/601#issuecomment-284171727 upstream comments]. After restarting the unit, check {{ic|journalctl -u dnscrypt-proxy.service}}: {{ic|1=RestrictAddressFamilies=AF_INET}} is an allow-list, so it also blocks AF_INET6 (needed for IPv6 resolvers) and AF_UNIX (which a {{ic|1=Type=notify}} service uses to signal readiness); if the service fails to start or never becomes ready, widen it to {{ic|1=RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX}}.<br />
<br />
This can be combined with the additions in [[#dnscrypt runs with root privileges]].<br />
<br />
=== Enable EDNS0 ===<br />
<br />
[[wikipedia:Extension_mechanisms_for_DNS|EDNS0]] (Extension Mechanisms for DNS) is the mechanism that, among other things, lets a client advertise how large a reply it can accept over UDP, so that large responses (DNSSEC-signed answers, for example) are neither truncated nor forced to fall back to TCP.<br />
<br />
Add the following line to your {{ic|/etc/resolv.conf}}:<br />
options edns0<br />
<br />
You may also wish to append the following to {{ic|/etc/dnscrypt-proxy.conf}}:<br />
EDNSPayloadSize ''<bytes>''<br />
<br />
Where ''<bytes>'' is a number; the default size is '''1252''', and values up to '''4096''' bytes are purportedly safe. A value of '''512''' bytes or less disables the mechanism, unless a client sends a packet with an OPT section providing its own payload size.<br />
<br />
==== Test EDNS0 ====<br />
<br />
To check that EDNS0 is in effect, query the [https://www.dns-oarc.net/oarc/services/replysizetest DNS Reply Size Test Server] with the ''drill'' command line tool, issuing a TXT query for the name ''rs.dns-oarc.net'':<br />
$ drill rs.dns-oarc.net TXT<br />
<br />
With '''EDNS0''' supported, the "answer section" of the output should look similar to this (the address shown is the one the test server saw the query come from, so when going through DNSCrypt it is your upstream resolver's address rather than your own):<br />
rst.x3827.rs.dns-oarc.net.<br />
rst.x4049.x3827.rs.dns-oarc.net.<br />
rst.x4055.x4049.x3827.rs.dns-oarc.net.<br />
"2a00:d880:3:1::a6c1:2e89 DNS reply size limit is at least 4055 bytes"<br />
"2a00:d880:3:1::a6c1:2e89 sent EDNS buffer size 4096"<br />
<br />
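To see what {{ic|options edns0}} and {{ic|EDNSPayloadSize}} change on the wire, here is an added Python example (not code from the page, ''drill'' or ''dnscrypt-proxy'') that builds the same kind of TXT query ''drill'' sends, with and without an EDNS0 OPT record, and reads the advertised UDP payload size back out of a DNS message. The OPT pseudo-record sits in the additional section with the root name, type 41 and the payload size in its CLASS field (RFC 6891). The script sends nothing; the transaction ID is fixed for the example.<br />

```python
"""Build a DNS query with an EDNS0 OPT record and read the advertised UDP
payload size back out of a DNS message.

Added example; not code from the ArchWiki page, drill or dnscrypt-proxy.
Nothing is sent: the bytes are built and parsed locally. The transaction ID
is fixed for the example.
"""
import struct

QTYPE_TXT = 16
QCLASS_IN = 1
RRTYPE_OPT = 41          # RFC 6891: the EDNS0 pseudo-record type


def encode_name(name):
    """'rs.dns-oarc.net' -> b'\\x02rs\\x08dns-oarc\\x03net\\x00' (wire labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_TXT, txid=0x1234, edns_payload=None):
    """A recursion-desired query; with edns_payload set, an OPT RR is added to
    the additional section advertising that UDP reply size."""
    arcount = 1 if edns_payload is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    msg = header + question
    if edns_payload is not None:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = extended RCODE/version/flags (all zero), RDLENGTH 0.
        msg += b"\x00" + struct.pack("!HHIH", RRTYPE_OPT, edns_payload, 0, 0)
    return msg


def skip_name(msg, off):
    """Offset just past a wire-format name, compressed or not."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer ends the name
            return off + 2
        off += 1 + length


def edns_payload_size(msg):
    """UDP payload size advertised by the OPT RR, or None if the message
    carries none (EDNS0 absent, or stripped somewhere on the path)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rrtype, rrclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rrtype == RRTYPE_OPT:
            return rrclass
        off += 10 + rdlen
    return None


if __name__ == "__main__":
    query = build_query("rs.dns-oarc.net", edns_payload=4096)
    print(query.hex())
    print("advertised UDP payload size:", edns_payload_size(query))
```

A reply whose additional section carries no OPT record comes from a path where EDNS0 was dropped, which is exactly the failure the test above is meant to reveal; an {{ic|EDNSPayloadSize}} of 512 or less amounts to advertising the pre-EDNS limit, so nothing is gained.<br />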
=== Redundant DNSCrypt providers ===<br />
<br />
To use several different DNSCrypt providers, you may simply copy the original {{ic|dnscrypt-proxy.service}} and {{ic|dnscrypt-proxy.socket}}. Then, in your new copy of the service, change the command line parameters, either pointing to a new configuration file or naming a different resolver directly. Next, change the port in the new copy of the socket. Lastly, update your local DNS cache program to point to the new service's port. For example, with [[unbound]] the configuration file would look like this when using port {{ic|5353}} for the original socket and {{ic|5354}} for the new socket:<br />
<br />
{{hc|/etc/unbound/unbound.conf|<br />
do-not-query-localhost: no<br />
forward-zone:<br />
name: "."<br />
forward-addr: 127.0.0.1@5353<br />
forward-addr: 127.0.0.1@5354}}<br />
<br />
==== Create instanced systemd service ====<br />
<br />
An alternative to copying the systemd service is to use an instanced (template) service.<br />
<br />
===== Create systemd file =====<br />
<br />
First, create {{ic|/etc/systemd/system/dnscrypt-proxy@.service}} containing:<br />
<br />
[Unit]<br />
Description=DNSCrypt client proxy<br />
Documentation=man:dnscrypt-proxy(8)<br />
Requires=dnscrypt-proxy@%i.socket<br />
<br />
[Service]<br />
Type=notify<br />
NonBlocking=true<br />
ExecStart=/usr/bin/dnscrypt-proxy \<br />
--resolver-name=%i<br />
Restart=always<br />
<br />
This specifies an instanced (template) systemd service that starts ''dnscrypt-proxy'' with the resolver short name given after the {{ic|@}} in the unit name; the same instance name selects the matching {{ic|dnscrypt-proxy@''name''.socket}}. Note that this template carries none of the hardening from [[#Sandboxing]] or the {{ic|1=DynamicUser=yes}} setting from [[#dnscrypt runs with root privileges]], so add those lines to it as well.<br />
<br />
===== Add dnscrypt-sockets =====<br />
<br />
To create multiple dnscrypt-proxy sockets, copy {{ic|/usr/lib/systemd/system/dnscrypt-proxy.socket}} to a new file, {{ic|/etc/systemd/system/dnscrypt-proxy@''short-name.here''.socket}}, replacing the socket instance name with one of the short names listed in [[#Select_resolver|{{ic|dnscrypt-resolvers.csv}}]] and [[#Change_port|change the port]]. Use a different port for each instance (5353, 5354, and so forth).<br />
<br />
===== Apply new systemd configuration =====<br />
<br />
Now we need to reload the systemd configuration.<br />
<br />
# systemctl daemon-reload<br />
<br />
Since we are replacing the default service with a different name, we need to explicitly [[stop]] and [[disable]] {{ic|dnscrypt-proxy.service}} and {{ic|dnscrypt-proxy.socket}}.<br />
<br />
Now [[start/enable]] the new socket(s), e.g. {{ic|dnscrypt-proxy@dnscrypt.eu-nl.socket}}; the service template above has no {{ic|[Install]}} section and is started on demand by its socket.<br />
<br />
Finally [[restart]] {{ic|unbound.service}}.<br />
<br />
== Troubleshooting ==<br />
<br />
=== dnscrypt runs with root privileges ===<br />
<br />
See {{Bug|49881}} for more information. To work around this, [[edit]] {{ic|dnscrypt-proxy.service}} to include the following lines. systemd then runs the proxy as an unprivileged user allocated for the lifetime of the service, so no permanent account is needed; after restarting the unit, {{ic|systemctl status dnscrypt-proxy.service}} should show the process no longer running as root.<br />
<br />
[Service]<br />
DynamicUser=yes<br />
<br />
This method can be combined with [[#Sandboxing]].</div>Finalehttps://wiki.archlinux.org/index.php?title=Dnscrypt-proxy&diff=500170Dnscrypt-proxy2017-11-30T02:58:34Z<p>Finale: Privileges/capabilities aren't needed since a systemd socket is now used. Also, a new systemd option can be used rather than creating a permanent user.</p>Finalehttps://wiki.archlinux.org/index.php?title=Dash&diff=337185Dash2014-09-25T00:22:56Z<p>Finale: Remove accuracy flag /* Use DASH as default shell */</p>
<hr />
<div>[[Category:Command shells]]<br />
[http://en.wikipedia.org/wiki/Debian_Almquist_shell Dash] is a minimalist POSIX-compliant shell. It can be much faster than Bash and uses less memory. Most POSIX-compliant scripts start with a {{ic|#!/bin/sh}} shebang, so they run under whatever {{ic|/bin/sh}} points to, which on Arch is by default a symlink to {{ic|/bin/bash}}.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|dash}} from the [[official repositories]].<br />
<br />
== Use DASH as default shell ==<br />
<br />
{{expansion}}<br />
<br />
You can re-symlink {{ic|/bin/sh}} to {{ic|/bin/dash}}, which can improve system performance, but first you must verify that every script which is not explicitly a {{ic|#!/bin/bash}} script is actually POSIX compliant and does not rely on any of Bash's extensions.<br />
<br />
=== Identifying bashisms ===<br />
<br />
Scripts that use Bash features Dash does not implement ("bashisms") will break once {{ic|/bin/sh}} is Dash, unless their shebang points explicitly to {{ic|/bin/bash}}. The following instructions will help you find scripts that may need modification.<br />
<br />
Install {{AUR|checkbashisms}} from the [[AUR]].<br />
<br />
==== Common places to check ====<br />
<br />
* Installed scripts with a {{ic|#!/bin/sh}} shebang. On Arch {{ic|/bin}} is a symlink to {{ic|/usr/bin}}, so searching {{ic|/usr/bin}} covers both, and {{ic|grep -E}} is needed because the pattern uses the {{ic|?}} and {{ic|()}} operators, which plain grep treats literally ({{ic|-I}} skips binaries that happen to contain the string):<br />
$ find /usr/bin -type f \<br />
-exec grep -qIE -- '^#! ?(/usr)?/bin/(env +)?sh( |$)' {} \; \<br />
-exec checkbashisms -f -p {} +<br />
<br />
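The grep pattern above only selects candidate files; the real check is ''checkbashisms''. As an added example (not from the ArchWiki page or from the checkbashisms package), the Python script below does a lightweight first pass over the same kind of input: it recognises the {{ic|#!/bin/sh}} shebang forms the find command matches, ignores scripts that already declare {{ic|#!/bin/bash}}, and reports lines using a handful of common bashisms. The sample scripts at the bottom are constructed for the example, and the pattern list is deliberately short; use it to shortlist files, then run ''checkbashisms'' on them.<br />

```python
"""Heuristic first pass for bashisms in scripts that run under #!/bin/sh.

Added example; not code from the ArchWiki page or from checkbashisms. It
recognises a short list of common bash-only constructs and is meant to
shortlist files for a real checkbashisms run, not to replace it. The sample
scripts at the bottom are constructed for this example.
"""
import re
import sys

# Shebang forms that hand the script to whatever /bin/sh points to.
SH_SHEBANG = re.compile(r"^#!\s*(?:/usr)?/bin/(?:env\s+)?sh(?:\s|$)")

# (description, pattern) pairs, each matched against one comment-stripped line.
BASHISMS = [
    ("[[ ]] conditional", re.compile(r"(^|\s)\[\[\s")),
    ("'function' keyword", re.compile(r"^\s*function\s+\w+")),
    ("array assignment or expansion", re.compile(r"\w+=\(|\$\{\w+\[[@*0-9]+\]\}")),
    ("'source' instead of '.'", re.compile(r"(^\s*|[;&|]\s*)source\s+")),
    ("$'...' quoting", re.compile(r"\$'")),
    ("'==' inside [ ]", re.compile(r"\[\s[^]]*\s==\s")),
    ("&> redirection", re.compile(r"&>")),
    ("${var//pattern/replacement}", re.compile(r"\$\{\w+//")),
    ("echo -e option", re.compile(r"(^|\s)echo\s+-\w*e\w*\b")),
    ("'declare' builtin", re.compile(r"^\s*declare\s")),
]


def strip_comment(line):
    """Drop a trailing '# ...' comment, ignoring '#' inside quotes (rough)."""
    out, quote = [], None
    for ch in line:
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "#":
            break
        out.append(ch)
    return "".join(out)


def uses_sh_shebang(text):
    """True when the first line is a #!/bin/sh style shebang."""
    return bool(SH_SHEBANG.match(text.split("\n", 1)[0]))


def find_bashisms(text):
    """Return [(line_number, description), ...] for a #!/bin/sh script.
    Scripts with a bash shebang, or none at all, yield nothing: relinking
    /bin/sh does not change how they are run."""
    if not uses_sh_shebang(text):
        return []
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if lineno == 1:
            continue                      # the shebang itself
        line = strip_comment(raw)
        for description, pattern in BASHISMS:
            if pattern.search(line):
                hits.append((lineno, description))
    return hits


# Constructed samples: a portable script, one full of bashisms, and one that
# is explicitly bash and therefore out of scope.
PORTABLE = """#!/bin/sh
set -eu
if [ "$1" = "start" ]; then
    . /etc/profile
    printf '%s\\n' "starting"  # '[[' in a comment must not count
fi
"""

BASHY = """#! /bin/sh
function main {
    if [[ -n "$1" ]]; then
        echo -e "got\\t$1" &> /tmp/log
    fi
    files=(a b c)
}
"""

BASH_EXPLICIT = """#!/bin/bash
[[ -n "$1" ]] && declare -a x
"""

if __name__ == "__main__":
    # Usage: python3 bashisms.py FILE...   (prints path:line: description)
    for path in sys.argv[1:]:
        with open(path, errors="replace") as fh:
            for lineno, description in find_bashisms(fh.read()):
                print(f"{path}:{lineno}: {description}")
```

The comment stripping matters more than it looks: a {{ic|[[}} inside a comment or a quoted string is not a bashism, and a scanner that flags it produces the kind of noise that makes people stop reading the report before the real hits.<br />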
=== Relinking /bin/sh ===<br />
<br />
Once you have verified that it will not break any functionality, it should be safe to relink {{ic|/bin/sh}}. To do so use the following command:<br />
# ln -sfT dash /bin/sh<br />
Updates of Bash could overwrite {{ic|/bin/sh}}. To prevent this, add the following lines to the {{ic|[options]}} section of {{ic|/etc/pacman.conf}} (pacman paths are relative to the filesystem root, and on Arch {{ic|/bin/sh}} lives at {{ic|usr/bin/sh}}):<br />
NoUpgrade = usr/bin/sh<br />
NoExtract = usr/bin/sh<br />
Do not remove the {{Pkg|dash}} package afterwards: {{ic|/bin/sh}} would become a dangling symlink and every {{ic|#!/bin/sh}} script on the system would stop running.<br />
<br />
== See also ==<br />
<br />
http://article.gmane.org/gmane.linux.arch.devel/11418:<br />
* https://mailman.archlinux.org/pipermail/arch-dev-public/2007-November/003053.html<br />
* https://launchpad.net/ubuntu/+spec/dash-as-bin-sh<br />
* https://wiki.ubuntu.com/DashAsBinSh</div>Finalehttps://wiki.archlinux.org/index.php?title=Dash&diff=337184Dash2014-09-25T00:19:42Z<p>Finale: Package install scripts no longer need to be checked, as they are always run with bash (https://bugs.archlinux.org/task/20557)</p>Finalehttps://wiki.archlinux.org/index.php?title=Bluetooth_keyboard&diff=237732Bluetooth keyboard2012-12-02T23:30:17Z<p>Finale: </p>
<hr />
<div>{{delete | These commands are deprecated in bluez v4 and seem not to work.}}<br />
[[Category:Bluetooth]]<br />
[[Category:Keyboards]]<br />
[[ru:Bluetooth Keyboard]]<br />
{{Warning|hidd is deprecated in bluez v4. The current procedure is given in [[Bluetooth mouse configuration]].<br />
}}<br />
This article describes how to set up a Bluetooth keyboard with Arch Linux, bluez version 3. I used an Apple Wireless Keyboard (aluminium) but it should work for other models.<br />
<br />
The setup is similar to that of a [[Bluetooth Mouse]]. Follow that guide first to add the kernel modules and bluetooth libraries.<br />
<br />
The tricky part for the Apple Wireless Keyboard is to have the correct settings in ''/etc/bluetooth/hcid.conf''. Replace the MAC address with your keyboard's:<br />
<br />
device 00:01:02:03:04:05 {<br />
name "Apple Wireless Keyboard";<br />
auth disable;<br />
encrypt disable;<br />
}<br />
<br />
Note that {{ic|auth disable}} and {{ic|encrypt disable}} switch off link-level authentication and encryption for this device, so keystrokes travel over the air in the clear; treat this as a pairing workaround for this keyboard, not as a default to copy for other devices.<br />
<br />
And then to have ''/etc/conf.d/bluetooth'' with the following options to connect automatically when starting the bluetooth daemon:<br />
<br />
HCID_ENABLE="true"<br />
HIDD_ENABLE="true"<br />
HIDD_OPTIONS="--timeout 8 --master --server --connect 00:01:02:03:04:05"<br />
<br />
If you loaded the bluetooth modules from the [[Bluetooth Mouse]] guide you can now test by doing a ''/etc/rc.d/bluetooth restart''<br />
<br />
== Bluetooth Keyboard at Startup ==<br />
<br />
in ''/etc/rc.conf'' add the following modules:<br />
<br />
MODULES=(... hci_usb bluetooth hidp l2cap)<br />
<br />
and add the bluetooth daemon:<br />
DAEMONS=(... @bluetooth ...)<br />
<br />
Then it should work automatically on reboot!<br />
<br />
== Bluez v4.39 ==<br />
In this version of bluez, there is no ''/etc/bluetooth/hcid.conf''.<br />
To create a trust between your BT adapter and a BT device, add the device's BT address to a file called ''trusts'' inside /var/lib/bluetooth/<MAC address of BT host adapter>/trusts, like so:<br />
echo "00:02:76:05:45:E1 [all]" >> /var/lib/bluetooth/00\:1E\:37\:B0\:47\:24/trusts<br />
This line appends a new line to that file.</div>Finalehttps://wiki.archlinux.org/index.php?title=Bluetooth_keyboard&diff=237731Bluetooth keyboard2012-12-02T23:18:57Z<p>Finale: hidd is deprecated and this did not work for me</p>
<hr />
<div>[[Category:Bluetooth]]<br />
[[Category:Keyboards]]<br />
[[ru:Bluetooth Keyboard]]<br />
{{Warning|hidd is deprecated in bluez v4. The current procedure is given in [[Bluetooth mouse configuration]].<br />
}}<br />
This article describes how to set up a Bluetooth keyboard with Arch Linux, bluez version 3. I used an Apple Wireless Keyboard (aluminium) but it should work for other models.<br />
<br />
The setup is similar than the one of a [[Bluetooth Mouse]]. Follow this guide first to add kernel modules, bluetooth libraries.<br />
<br />
The tricky part for the Apple Wireless Keyboard is to have the correct settings in ''/etc/bluetooth/hcid.conf''. Obviously you need to replace the mac address with yours:<br />
<br />
device 00:01:02:03:04:05 {<br />
name "Apple Wireless Keyboard";<br />
auth disable;<br />
encrypt disable;<br />
}<br />
<br />
Then set the following options in ''/etc/conf.d/bluetooth'' so that the keyboard connects automatically when the bluetooth daemon starts:

 HCID_ENABLE="true"
 HIDD_ENABLE="true"
 HIDD_OPTIONS="--timeout 8 --master --server --connect 00:01:02:03:04:05"

If you loaded the Bluetooth modules from the [[Bluetooth Mouse]] guide, you can now test the setup with ''/etc/rc.d/bluetooth restart''.

== Bluetooth keyboard at startup ==

In ''/etc/rc.conf'' add the following modules:

 MODULES=(... hci_usb bluetooth hidp l2cap)

and add the bluetooth daemon:

 DAEMONS=(... @bluetooth ...)

The keyboard should then connect automatically on reboot.

== Bluez v4.39 ==

In this version of bluez there is no ''/etc/bluetooth/hcid.conf''. To create a trust between your Bluetooth adapter and a device, add the device's Bluetooth address to a file called ''trusts'' in ''/var/lib/bluetooth/<MAC address of the host adapter>/'', like so:

 echo "00:02:76:05:45:E1 [all]" >> /var/lib/bluetooth/00\:1E\:37\:B0\:47\:24/trusts

This appends a new line to that file.</div>
Finale
https://wiki.archlinux.org/index.php?title=Bluetooth_mouse&diff=237652
Bluetooth mouse, 2012-12-02T14:46:13Z
Finale: bluez-libs and bluez-utils are now provided by bluez
<hr />
<div>[[Category:Mice]]
[[Category:Bluetooth]]
[[cs:Bluetooth Mouse]]
[[ru:Bluetooth Mouse]]
This article describes how to set up a Bluetooth mouse with Arch Linux. I used a Logitech v270 with a Trendnet TBW-101UB USB Bluetooth dongle, but the general process should be the same for any model.

== Required software ==

You need the '''bluez''' package from the extra repository. You also need '''dbus''' for automating things; without it, hcid reports errors such as "hcid[14851]: Unable to get on D-Bus". Enabling D-Bus also solved problems with recognition of the local Bluetooth device.

== Configuration ==

The pertinent option in ''/etc/conf.d/bluetooth'' is

 HIDD_ENABLE=true

After that, start the Bluetooth service with

 /etc/rc.d/bluetooth start

== Finding out your mouse's bdaddr ==

It is of the form ''12:34:56:78:9A:BC''. Either find it in the documentation of your mouse, on the mouse itself, or with the '''hcitool scan''' command.

== Kernel modules ==

The command

 # modprobe -v btusb bluetooth hidp l2cap

loads the kernel modules you need, if they were not loaded automatically.

(See [[#Troubleshooting tips]] below if you are stuck at this point.)

== Connecting the mouse ==

 hidd --search
 hcitool inq

are good for device scanning.

 hidd --connect <bdaddr>

actually connects, and

 hidd --show

shows your currently connected devices. The mouse should appear in this list; if it does not, press its reset button to make it discoverable.

Note: If you have the ipw3945 module loaded (Wi-Fi on HP computers), Bluetooth will not work.

== Connecting the mouse at startup ==

Edit ''/etc/conf.d/bluetooth'':

 # Arguments to hidd
 HIDD_OPTIONS="--connect <your Bluetooth mouse address>"

and test the new settings:

 /etc/rc.d/bluetooth stop
 hidd --killall        # drops the mouse connection
 /etc/rc.d/bluetooth start

Note: The above instructions for connecting the mouse at startup do not work with the now outdated 3.11 bluetooth packages. Newer versions, such as the current (3.32) packages, are not affected. If you are using an older version, add

 hidd --connect <your Bluetooth mouse address, in lower case>

to your ''/etc/rc.local'' file.

Note #2: You can connect any Bluetooth mouse and/or keyboard without any further configuration and without knowing the device address by adding the --master and/or --server option to HIDD_OPTIONS, depending on your device. The trade-off is that the host then accepts incoming HID connections rather than connecting only to a known address.

== Troubleshooting tips ==

If you have trouble with your USB dongle, you may also want to try

 # modprobe -v rfcomm

At this point you should get an hci0 device with

 # hcitool dev

Sometimes the device is not active right away; try bringing the interface up with

 # hciconfig hci0 up

and searching for devices as shown above.</div>
Finale