Difference between revisions of "DNSCrypt (简体中文)"

From ArchWiki
(Update translation.)
(Update translation.)
Line 5: Line 5:
 
[[ja:DNSCrypt]]
 
[[ja:DNSCrypt]]
 
[[pt:DNSCrypt]]
 
[[pt:DNSCrypt]]
{{TranslationStatus (简体中文)|DNSCrypt|2016-12-27|456326}}
+
{{TranslationStatus (简体中文)|DNSCrypt|2018-06-30|525116}}
 
[http://dnscrypt.org/ DNSCrypt] 可以加密和认证用户和 DNS 解析服务器之间的数据传输。IP 数据本身没有任何变化,DNScrypt 可以避免 DNS 查询欺骗,确保 DNS 相应来自选择的 DNS 服务器。[https://www.reddit.com/r/sysadmin/comments/2hn435/dnssec_vs_dnscrypt/ckuhcbu]
 
[http://dnscrypt.org/ DNSCrypt] 可以加密和认证用户和 DNS 解析服务器之间的数据传输。IP 数据本身没有任何变化,DNScrypt 可以避免 DNS 查询欺骗,确保 DNS 相应来自选择的 DNS 服务器。[https://www.reddit.com/r/sysadmin/comments/2hn435/dnssec_vs_dnscrypt/ckuhcbu]
  
Line 12: Line 12:
 
[[安装]] 软件包 {{Pkg|dnscrypt-proxy}}。
 
[[安装]] 软件包 {{Pkg|dnscrypt-proxy}}。
  
== 配置 ==
+
== Configuration ==
  
从 {{ic|/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv}} 选择解析服务器,然后 [[Systemd#Editing provided units|编辑]] 服务文件 {{ic|dnscrypt-proxy.service}}, {{ic|-R}} 选项设置为解析服务器的第一列,例如如果选择 ''dnscrypt.eu-nl'' 作为解析服务器,文件应该是:
+
=== Startup ===
  
  [Service]
+
The service can be started in two mutually exclusive ways (i.e. only one of the two may be enabled):
  ExecStart=
+
 
ExecStart=/usr/bin/dnscrypt-proxy -R dnscrypt.eu-nl
+
* With the {{ic|.service}} file.
 +
 
 +
{{Note|The {{ic|listen_addresses}} option must configured (e.g. {{ic|1=listen_addresses = ['127.0.0.1:53', '[::1]:53']}}) in the configuration file when using the {{ic|.service}} file.}}
 +
 
 +
* Through the {{ic|.socket}} activation.
 +
 
 +
{{Note|When using socket activation the {{ic|listen_addresses}} option must be set to empty (i.e. {{ic|1=listen_addresses = [ ]}}) in the configuration file, since systemd is taking care of the socket configuration.}}
 +
 
 +
=== Select resolver ===
 +
 
 +
By leaving {{ic|server_names}} commented out in the configuration file {{ic|/etc/dnscrypt-proxy/dnscrypt-proxy.toml}}, ''dnscrypt-proxy'' will choose the fastest server from the sources already configured under {{ic|[sources]}} [https://github.com/jedisct1/dnscrypt-proxy/wiki/Configuration#an-example-static-server-entry]. The lists will be downloaded, verified, and automatically updated. [https://github.com/jedisct1/dnscrypt-proxy/wiki/Configuration-Sources#what-is-the-point-of-these-lists]. Thus, configuring a specific set of servers is optional.
 +
 
 +
To manually set which server is used, edit {{ic|/etc/dnscrypt-proxy/dnscrypt-proxy.toml}} and uncomment the {{ic|server_names}} variable, selecting one or more of the servers. For example, to use Cloudflare's servers:
 +
 
 +
  server_names = ['cloudflare', 'cloudflare-ipv6']
 +
 
 +
A full list of resolvers is located at the [https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md upstream page] or [https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md Github]. If ''dnscrypt-proxy'' has run successfully on the system before, {{ic|/var/cache/dnscrypt-proxy/public-resolvers.md}} will also contain a list. Look at the description for servers note which validate [[DNSSEC]], do not log, and are uncensored. These requirements can be configured globally with the {{ic|require_dnssec}}, {{ic|require_nolog}}, {{ic|require_nofilter}} options.
 +
 
 +
=== Disable any services bound to port 53 ===
 +
{{Tip|If using [[#Unbound]] as your local DNS cache this section can be ignored, as ''unbound'' runs on port 53 by default.}}
 +
To see if any programs are using port 53, run
 +
 
 +
  $ ss -lp 'sport = :domain'
 +
 
 +
If the output contains more than the first line of column names, you need to disable whatever service is using port 53. One common culprit is {{ic|systemd-resolved.service}}, but other network managers may have analogous components. You are ready to proceed once the above command outputs nothing more than the following line:
 +
 
 +
  Netid              State                Recv-Q                Send-Q                                Local Address:Port                                  Peer Address:Port
 +
 
 +
=== Modify resolv.conf ===
  
{{Tip|[https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv 上游页面] 包含最新的版本。}}
+
{{Expansion|Explain what the options mean.}}
  
选择 dnscrypt 解析服务器后,修改 [[resolv.conf]] 文件,将当前解析服务器设置为 ''localhost'':
+
Modify the [[resolv.conf]] file and replace the current set of resolver addresses with the address for ''localhost'' and options [https://github.com/jedisct1/dnscrypt-proxy/wiki/Installation-linux#step-4-change-the-system-dns-settings]:
  
 
  nameserver 127.0.0.1
 
  nameserver 127.0.0.1
 +
options edns0 single-request-reopen
  
其它程序可能会覆盖这个设置,处理方式请参考 [[resolv.conf#Preserve DNS settings]] 这里。
+
Other programs may overwrite this setting; see [[resolv.conf#Preserve DNS settings]] for details.
  
最后 [[Enable|启动并启用]] {{ic|dnscrypt-proxy.service}}.
+
=== Start systemd service ===
  
== 提示和技巧==
+
Finally, [[start/enable]] the {{ic|dnscrypt-proxy.service}} unit or {{ic|dnscrypt-proxy.socket}}, depending on which method you chose above.
  
=== DNSCrypt as a forwarder for local DNS cache ===
+
== Tips and tricks ==
  
It is recommended to run DNSCrypt as a forwarder for a local DNS cache, otherwise every single query will make a round-trip to the upstream resolver. Any local DNS caching program should work, examples below show configuration for [[Unbound]], [[dnsmasq]], and [[pdnsd]].
+
=== Local DNS cache configuration ===
  
First configure ''dnscrypt-proxy'' to listen on a port different from the default {{ic|53}}, since the DNS cache needs to listen on {{ic|53}} and query ''dnscrypt-proxy'' on a different port. Port number {{ic|40}} is used as an example in this section:
+
{{Tip|''dnscrypt'' can cache entries without relying on another program. This feature is enabled by default with the line {{ic|1=cache = true}} in your dnscrypt configuration file}}
  
{{hc|# systemctl edit dnscrypt-proxy.socket|2=
+
It is recommended to run DNSCrypt as a forwarder for a local DNS cache if not using ''dnscrypt's'' cache feature; otherwise, every single query will make a round-trip to the upstream resolver. Any local DNS caching program should work. In addition to setting up ''dnscrypt-proxy'', you must setup your local DNS cache program.
[Socket]
+
 
ListenStream=
+
==== Change port ====
ListenDatagram=
+
 
ListenStream=127.0.0.1:40
+
In order to forward queries from a local DNS cache, ''dnscrypt-proxy'' should listen on a port different from the default {{ic|53}}, since the DNS cache itself needs to listen on {{ic|53}} and query ''dnscrypt-proxy'' on a different port. Port number {{ic|53000}} is used as an example in this section. In this example, the port number is larger than 1024 so ''dnscrypt-proxy'' is not required to be run by root.
ListenDatagram=127.0.0.1:40
+
 
}}
+
There are two methods for changing the default port:
 +
 
 +
'''Socket method'''
 +
 
 +
[[Edit]] {{ic|dnscrypt-proxy.socket}} with the following contents:
 +
 
 +
[Socket]
 +
ListenStream=
 +
ListenDatagram=
 +
ListenStream=127.0.0.1:53000
 +
ListenDatagram=127.0.0.1:53000
 +
 
 +
When queries are forwarded from the local DNS cache to {{ic|53000}}, {{ic|dnscrypt-proxy.socket}} will start {{ic|dnscrypt-proxy.service}}.
 +
 
 +
'''Service method'''
 +
 
 +
Edit the {{ic|listen_addresses}} option in {{ic|/etc/dnscrypt-proxy/dnscrypt-proxy.toml}} with the following:
  
{{Note|The {{ic|ListenStream}} and {{ic|ListenDatagram}} options need to be cleared with empty assignment before overriding, otherwise the new address would be ''added'' to the list of sockets. See [[systemd#Editing provided units]] for details.}}
+
listen_addresses = ['127.0.0.1:53000', '[::1]:53000']
  
Then restart {{ic|dnscrypt-proxy.socket}} and ''stop'' {{ic|dnscrypt-proxy.service}} if already running to let it be started by the ''.socket'' unit.
+
==== Example local DNS cache configurations====
  
 +
The following configurations should work with ''dnscrypt-proxy'' and assume that it is listening on port {{ic|53000}}.
  
==== Example: configuration for Unbound ====
+
===== Unbound =====
  
 
Configure [[Unbound]] to your liking (in particular, see [[Unbound#Local DNS server]]) and add the following lines to the end of the {{ic|server}} section in {{ic|/etc/unbound/unbound.conf}}:
 
Configure [[Unbound]] to your liking (in particular, see [[Unbound#Local DNS server]]) and add the following lines to the end of the {{ic|server}} section in {{ic|/etc/unbound/unbound.conf}}:
  
do-not-query-localhost: no
+
  do-not-query-localhost: no
 
  forward-zone:
 
  forward-zone:
 
   name: "."
 
   name: "."
   forward-addr: 127.0.0.1@40
+
   forward-addr: 127.0.0.1@53000
  
 
{{Tip|If you are setting up a server, add {{ic|interface: 0.0.0.0@53}} and {{ic|access-control: ''your-network''/''subnet-mask'' allow}} inside the {{ic|server:}} section so that the other computers can connect to the server. A client must be configured with {{ic|nameserver ''address-of-your-server''}} in {{ic|/etc/resolv.conf}}.}}
 
{{Tip|If you are setting up a server, add {{ic|interface: 0.0.0.0@53}} and {{ic|access-control: ''your-network''/''subnet-mask'' allow}} inside the {{ic|server:}} section so that the other computers can connect to the server. A client must be configured with {{ic|nameserver ''address-of-your-server''}} in {{ic|/etc/resolv.conf}}.}}
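Review bot: "must configured" in the first Note of this hunk ({{Note|The {{ic|listen_addresses}} option must configured ...}}) should read "must be configured". The larger problem is that, on a 简体中文 page, the hunk replaces the Chinese text from == 配置 == down to the Unbound example with the untranslated English source, while the TranslationStatus template at the top is bumped to 2018-06-30; either translate these sections or mark the page as partially translated so readers know the English is a placeholder rather than a finished translation.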
Line 64: Line 110:
 
[[Restart]] {{ic|unbound.service}} to apply the changes.
 
[[Restart]] {{ic|unbound.service}} to apply the changes.
  
==== Example: configuration for dnsmasq ====
+
===== dnsmasq =====
  
 
Configure dnsmasq as a [[dnsmasq#DNS cache setup|local DNS cache]]. The basic configuration to work with DNSCrypt:
 
Configure dnsmasq as a [[dnsmasq#DNS cache setup|local DNS cache]]. The basic configuration to work with DNSCrypt:
Line 70: Line 116:
 
{{hc|/etc/dnsmasq.conf|2=
 
{{hc|/etc/dnsmasq.conf|2=
 
no-resolv
 
no-resolv
server=127.0.0.1#40
+
server=127.0.0.1#53000
 
listen-address=127.0.0.1
 
listen-address=127.0.0.1
 
}}
 
}}
Line 82: Line 128:
 
Restart {{ic|dnsmasq.service}} to apply the changes.
 
Restart {{ic|dnsmasq.service}} to apply the changes.
  
==== Example: configuration for pdnsd ====
+
===== pdnsd =====
  
 
Install [[pdnsd]]. A basic configuration to work with DNSCrypt is:
 
Install [[pdnsd]]. A basic configuration to work with DNSCrypt is:
Line 104: Line 150:
 
     label = "dnscrypt-proxy";
 
     label = "dnscrypt-proxy";
 
     ip = 127.0.0.1;
 
     ip = 127.0.0.1;
     port = 40;
+
     port = 53000;
 
     timeout = 4;
 
     timeout = 4;
 
     proxy_only = on;
 
     proxy_only = on;
Line 116: Line 162:
  
 
Restart {{ic|pdnsd.service}} to apply the changes.
 
Restart {{ic|pdnsd.service}} to apply the changes.
 +
 +
=== Sandboxing ===
 +
 +
[[Edit]] {{ic|dnscrypt-proxy.service}} to include the following lines:
 +
 +
[Service]
 +
CapabilityBoundingSet=CAP_IPC_LOCK CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE
 +
ProtectSystem=strict
 +
ProtectHome=true
 +
ProtectKernelTunables=true
 +
ProtectKernelModules=true
 +
ProtectControlGroups=true
 +
PrivateTmp=true
 +
PrivateDevices=true
 +
MemoryDenyWriteExecute=true
 +
NoNewPrivileges=true
 +
RestrictRealtime=true
 +
RestrictAddressFamilies=AF_INET AF_INET6
 +
SystemCallArchitectures=native
 +
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @ipc @module @mount @obsolete @raw-io
 +
 +
See {{man|5|systemd.exec}} and [[Systemd#Sandboxing application environments]] for more information. Additionally see [https://github.com/jedisct1/dnscrypt-proxy/pull/601#issuecomment-284171727 upstream comments]{{Dead link|2018|01|08}}.
  
 
=== Enable EDNS0 ===
 
=== Enable EDNS0 ===
 +
 +
{{Expansion|Name the advantages/motivation for enabling this.}}
  
 
[[wikipedia:Extension_mechanisms_for_DNS|Extension Mechanisms for DNS]] that, among other things, allows a client to specify how large a reply over UDP can be.
 
[[wikipedia:Extension_mechanisms_for_DNS|Extension Mechanisms for DNS]] that, among other things, allows a client to specify how large a reply over UDP can be.
  
 
Add the following line to your {{ic|/etc/resolv.conf}}:
 
Add the following line to your {{ic|/etc/resolv.conf}}:
 +
 
  options edns0
 
  options edns0
  
You may also wish to add the following argument to ''dnscrypt-proxy'':
+
{{Out of date|dnscrypt-proxy2 uses different config file.}}
  --edns-payload-size=<bytes>
+
 
 +
You may also wish to append the following to {{ic|/etc/dnscrypt-proxy.conf}}:
 +
 
 +
  EDNSPayloadSize ''<bytes>''
  
The default size being '''1252''' bytes, with values up to '''4096''' bytes being purportedly safe.  A value below or equal to '''512''' bytes will disable this mechanism, unless a client sends a packet with an OPT section providing a payload size.
+
Where ''<bytes>'' is a number, the default size being '''1252''', with values up to '''4096''' bytes being purportedly safe.  A value below or equal to '''512''' bytes will disable this mechanism, unless a client sends a packet with an OPT section providing a payload size.
  
 
==== Test EDNS0 ====
 
==== Test EDNS0 ====
  
Make use of the [https://www.dns-oarc.net/oarc/services/replysizetest DNS Reply Size Test Server], use the ''dig'' command line tool from the {{Pkg|bind-tools}} package to issue a TXT query for the name ''rs.dns-oarc.net'':
+
Make use of the [https://www.dns-oarc.net/oarc/services/replysizetest DNS Reply Size Test Server], use the ''drill'' command line tool to issue a TXT query for the name ''rs.dns-oarc.net'':
  $ dig +short rs.dns-oarc.net TXT
+
 
 +
  $ drill rs.dns-oarc.net TXT
 +
 
 +
With '''EDNS0''' supported, the "answer section" of the output should look similar to this:
  
With '''EDNS0''' supported, the output should look similar to this:
 
 
  rst.x3827.rs.dns-oarc.net.
 
  rst.x3827.rs.dns-oarc.net.
 
  rst.x4049.x3827.rs.dns-oarc.net.
 
  rst.x4049.x3827.rs.dns-oarc.net.
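Review bot: the EDNS0 subsection swaps one dnscrypt-proxy 1.x setting for another: "--edns-payload-size=<bytes>" is replaced by "EDNSPayloadSize ''<bytes>''" in {{ic|/etc/dnscrypt-proxy.conf}}, although every other part of this revision configures {{ic|/etc/dnscrypt-proxy/dnscrypt-proxy.toml}}. The added {{Out of date|dnscrypt-proxy2 uses different config file.}} template admits this, so rather than adding stale instructions under it, keep only the template and the resolv.conf "options edns0" line until the 2.x equivalent is confirmed. In the new Sandboxing drop-in, CAP_NET_BIND_SERVICE in CapabilityBoundingSet= is only needed when the .service method binds port 53 itself; with socket activation, or with the port 53000 used in the cache examples, it can be left out, which deserves a one-line remark next to the unit.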
Line 143: Line 219:
 
=== Redundant DNSCrypt providers ===
 
=== Redundant DNSCrypt providers ===
  
{{Style|Needs some tweaks to comply with [[Help:Style]], e.g avoid writing in first person and link to [[enable]], [[start]] and similar instead of explicit systemctl commands.}}
+
{{Remove|Out of date and irrelevant since dnscrypt-proxy2 handles the configuration of multiple sources.}}
 
 
==== Add new forward address ====
 
 
 
{{note|Obtaining redundancy requires a simple edit to the above Unbound example and the addition of a second instance of the dnscrypt-proxy and service. Please be sure that the above Unbound example is working prior to proceeding, as this tip extends the previous example.}}
 
  
Extend the previous [[Unbound]] configuration in {{ic|/etc/unbound/unbound.conf}} to include an additional forward address that uses a different port. Port 41 is used in the below example:
+
To use several different dnscrypt providers, you may simply copy the original {{ic|dnscrypt-proxy.service}} and {{ic|dnscrypt-proxy.socket}}. Then in your new copy of the service change the command line parameters, either pointing to a new configuration file or naming a different resolver directly. From there change the port in the new copy of the socket. Lastly, update your local DNS cache program to point to new service's port. For example, with [[unbound]] the configuration file would look like if using ports {{ic|53000}} for the original socket and {{ic|53001}} for the new socket.
  
 +
{{hc|/etc/unbound/unbound.conf|
 
  do-not-query-localhost: no
 
  do-not-query-localhost: no
 
  forward-zone:
 
  forward-zone:
 
   name: "."
 
   name: "."
   forward-addr: 127.0.0.1@40
+
   forward-addr: 127.0.0.1@53000
   forward-addr: 127.0.0.1@41
+
   forward-addr: 127.0.0.1@53001
 +
}}
  
 
==== Create instanced systemd service ====
 
==== Create instanced systemd service ====
  
We will use an instanced systemd service to accomplish this. This will use one {{ic|dnscrypt-proxy@.service}} systemd service to handle as many distinct DNSCrypt resolves as we want.
+
An alternative option to copying the systemd service is to used an instanced service.
  
First, we need {{ic|/etc/systemd/system/dnscrypt-proxy@.service}} containing:
+
===== Create systemd file =====
 +
 
 +
First, create {{ic|/etc/systemd/system/dnscrypt-proxy@.service}} containing:
  
<pre>
 
 
  [Unit]
 
  [Unit]
 
  Description=DNSCrypt client proxy
 
  Description=DNSCrypt client proxy
 
  Documentation=man:dnscrypt-proxy(8)
 
  Documentation=man:dnscrypt-proxy(8)
 
  Requires=dnscrypt-proxy@%i.socket
 
  Requires=dnscrypt-proxy@%i.socket
 
+
 
  [Service]
 
  [Service]
 
  Type=notify
 
  Type=notify
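Review bot: "the configuration file would look like if using ports ..." is missing its object ("would look like the following when using ports ..."), and "to used an instanced service" should be "to use". Beyond wording, this hunk both adds the {{Remove|Out of date and irrelevant since dnscrypt-proxy2 handles the configuration of multiple sources.}} template and expands the very section it marks for removal with a new copy-the-units procedure; if the section is to go, the new procedure should not be added, and if it stays, the template should be dropped.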
Line 175: Line 250:
 
     --resolver-name=%i
 
     --resolver-name=%i
 
  Restart=always
 
  Restart=always
</pre>
 
  
 
This specifies an instanced systemd service that starts a dnscrypt-proxy using the service name specified after the @ symbol of a corresponding .socket file.
 
This specifies an instanced systemd service that starts a dnscrypt-proxy using the service name specified after the @ symbol of a corresponding .socket file.
  
==== Add first dnscrypt-socket ====
+
===== Add dnscrypt-sockets =====
  
You can now create two (or more!) socket files, specifying different DNSCrypt providers.
+
To create multiple dnscrypt-proxy sockets, copy {{ic|/usr/lib/systemd/system/dnscrypt-proxy.socket}} to a new file, {{ic|/etc/systemd/system/dnscrypt-proxy@''short-name.here''.socket}}, replacing the socket instance name with one of the short names listed in [[#Select_resolver|{{ic|dnscrypt-resolvers.csv}}]] and  [[#Change_port|change the port]].  Use a different port for each instance (53000, 53001, and so forth).
  
For the first dnscrypt-proxy socket, listening on 127.0.0.1@40 and connecting to the example dnscrypt.eu-nl provider, copy {{ic|/lib/systemd/system/dnscrypt-proxy.socket}} to {{ic|/etc/systemd/system/dnscrypt-proxy@dnscrypt.eu-nl.socket}}.
+
===== Apply new systemd configuration =====
 
 
==== Add additional dyscrypt-sockets ====
 
 
 
For the second (or more) dnscrypt-proxy socket, copy {{ic|/lib/systemd/system/dnscrypt-proxy.socket}} to eg. {{ic|/etc/systemd/system/dnscrypt-proxy@cloudns-syd.socket}}
 
 
 
Here you can replace the socket instance name to eg. '''cloudns-syd''' as one of those listed in {{ic|providers name}} column in {{ic|/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv}} and edit it to eg. port 41 and so forth.
 
 
 
<pre>
 
[Unit]
 
Description=dnscrypt-proxy-secondary listening socket
 
 
 
[Socket]
 
ListenStream=127.0.0.1:41
 
ListenDatagram=127.0.0.1:41
 
 
 
[Install]
 
WantedBy=sockets.target
 
</pre>
 
 
 
==== Apply new systemd configuration ====
 
  
 
Now we need to reload the systemd configuration.
 
Now we need to reload the systemd configuration.
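Review bot: the instanced unit keeps "--resolver-name=%i" in ExecStart=, while the rest of this revision selects resolvers through server_names in {{ic|/etc/dnscrypt-proxy/dnscrypt-proxy.toml}} and the preceding section says each copy should point to a new configuration file or name a resolver directly; confirm that the flag exists in the installed dnscrypt-proxy before relying on it, or pass a per-instance configuration file instead. The hunk also removes the only complete socket example ([Socket] ListenStream=127.0.0.1:41 ... [Install] WantedBy=sockets.target) in favour of "copy {{ic|/usr/lib/systemd/system/dnscrypt-proxy.socket}} and change the port", so the reader no longer sees that the copied socket must keep an [Install] section for enabling to work.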
Line 209: Line 263:
 
  # systemctl daemon-reload
 
  # systemctl daemon-reload
  
Since we are replacing the default service with a different name, we need to explicitly [[stop]] and [[disable]] {{ic|dnscrypt-proxy}} and {{ic|dnscrypt-proxy.socket}}.
+
Since we are replacing the default service with a different name, we need to explicitly [[stop]] and [[disable]] {{ic|dnscrypt-proxy.service}} and {{ic|dnscrypt-proxy.socket}}.
 
 
Now [[start/enable]] the new sockets, {{ic|dnscrypt-proxy@dnscrypt.eu-nl.socket}} and {{ic|dnscrypt-proxy@cloudns-syd.socket}}.
 
 
 
Finally [[restart]] {{ic|unbound.service}}
 
  
== Known issues ==
+
Now [[start/enable]] the new service(s), e.g., {{ic|dnscrypt-proxy@dnscrypt.eu-nl}}, etc.
  
=== dnscrypt runs with root privileges ===
+
Finally [[restart]] {{ic|unbound.service}}.
  
See {{Bug|49881}}. To work around this, create an unprivileged user manually.
+
== See also ==
  
[[Users_and_groups#User_management|Create the user]] as follows:
+
* [[Wikipedia:DNS over HTTPS]]
 
 
# useradd -r -d /var/dnscrypt -m -s /sbin/nologin dnscrypt
 
 
 
[[Systemd#Editing_provided_units|Edit]] {{ic|dnscrypt-proxy.service}}, pointing {{ic|--user}} to the new user:
 
 
 
[Service]
 
ExecStart=
 
ExecStart=/usr/bin/dnscrypt-proxy -R dnscrypt.eu-nl --user=dnscrypt
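Review bot: "Now [[start/enable]] the new service(s), e.g., {{ic|dnscrypt-proxy@dnscrypt.eu-nl}}" replaces the old instruction to enable the sockets, but the {{ic|dnscrypt-proxy@.service}} template in the previous hunk has only [Unit] and [Service] sections, so there is no [Install] section for enable to act on; keep the removed wording and enable {{ic|dnscrypt-proxy@dnscrypt.eu-nl.socket}} (and the other instance sockets), which start the service on the first forwarded query as the Change port section describes. The Known issues section ({{Bug|49881}}, "useradd -r ... dnscrypt", "--user=dnscrypt") is also dropped without a replacement or a note that the bug is resolved; if the current package already runs unprivileged, one sentence saying so would explain why the workaround disappeared.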
 

Revision as of 00:20, 30 June 2018

Translation status: This article is a translation of the English page DNSCrypt; it was last translated on 2018-06-30. Click here to see the changes made to the English page since the translation.

DNSCrypt encrypts and authenticates the traffic between the user and the DNS resolver. The IP data itself is unchanged; DNSCrypt prevents DNS query spoofing and ensures that DNS responses come from the DNS server you selected.[1]

Installation

Install the dnscrypt-proxy package.

Configuration

Startup

The service can be started in two mutually exclusive ways (i.e. only one of the two may be enabled):

  • With the .service file.
Note: The listen_addresses option must be configured (e.g. listen_addresses = ['127.0.0.1:53', '[::1]:53']) in the configuration file when using the .service file.
  • Through the .socket activation.
Note: When using socket activation the listen_addresses option must be set to empty (i.e. listen_addresses = [ ]) in the configuration file, since systemd is taking care of the socket configuration.

Select resolver

By leaving server_names commented out in the configuration file /etc/dnscrypt-proxy/dnscrypt-proxy.toml, dnscrypt-proxy will choose the fastest server from the sources already configured under [sources] [2]. The lists will be downloaded, verified, and automatically updated [3]. Configuring a specific set of servers is therefore optional.

To manually set which server is used, edit /etc/dnscrypt-proxy/dnscrypt-proxy.toml and uncomment the server_names variable, selecting one or more of the servers. For example, to use Cloudflare's servers:

server_names = ['cloudflare', 'cloudflare-ipv6']

A full list of resolvers is located at the upstream page or on GitHub. If dnscrypt-proxy has run successfully on the system before, /var/cache/dnscrypt-proxy/public-resolvers.md will also contain the list. The server descriptions note which resolvers validate DNSSEC, do not log, and are uncensored. These requirements can be enforced globally with the require_dnssec, require_nolog and require_nofilter options.

Disable any services bound to port 53

Tip: If using Unbound as your local DNS cache, this section can be ignored, as unbound runs on port 53 by default.

To see if any programs are using port 53, run

 $ ss -lp 'sport = :domain'

If the output contains more than the first line of column names, you need to disable whatever service is using port 53. One common culprit is systemd-resolved.service, but other network managers may have analogous components. You are ready to proceed once the above command outputs nothing more than the following line:

 Netid               State                 Recv-Q                Send-Q                                 Local Address:Port                                   Peer Address:Port
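As an added example (not part of the ArchWiki page), the following POSIX shell script turns the two checks from this part of the page into functions: that listen_addresses in dnscrypt-proxy.toml agrees with the chosen startup method (non-empty for the .service file, [ ] for socket activation), and that nothing else still holds port 53 in the output of ss -lp 'sport = :domain'. The TOML snippets and the ss listing it runs on are constructed samples.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: pre-flight checks for the two
# mutually exclusive startup modes and for the port 53 conflict described above.
# Every input is passed as text, so the checks also work on captured output;
# the sample data at the bottom is constructed, not taken from a real system.

# Print the effective listen_addresses value from dnscrypt-proxy.toml text:
# the first uncommented assignment, with any trailing comment removed.
listen_addresses_of() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*listen_addresses[[:space:]]*=[[:space:]]*//p' |
        sed 's/[[:space:]]*#.*$//' |
        head -n 1
}

# Check that listen_addresses matches how the unit is started:
#   service -> must list at least one address (dnscrypt-proxy binds the ports)
#   socket  -> must be empty, [ ], because systemd owns the sockets
# Prints "ok" or the reason; exit status is 0 only when consistent.
check_startup_mode() {
    mode=$1
    value=$(listen_addresses_of "$2")
    case $value in
        *[0-9]*) has_address=1 ;;   # any IPv4/IPv6 address contains a digit
        *)       has_address=0 ;;
    esac
    case $mode in
        service)
            if [ "$has_address" -eq 0 ]; then
                echo "listen_addresses is empty but dnscrypt-proxy.service binds its own ports"
                return 1
            fi ;;
        socket)
            if [ "$has_address" -eq 1 ]; then
                echo "listen_addresses must be [ ] when dnscrypt-proxy.socket is used"
                return 1
            fi ;;
        *)
            echo "unknown mode: $mode"
            return 2 ;;
    esac
    echo ok
}

# Given the output of `ss -lp 'sport = :domain'`, print the names of the
# processes already bound to port 53, one per line; the header line is skipped.
# Empty output means the port is free for dnscrypt-proxy or the local cache.
port53_listeners() {
    printf '%s\n' "$1" |
        sed -n '2,$p' |
        sed -n 's/.*users:(("\([^"]*\)".*/\1/p' |
        sort -u
}

# Constructed samples -------------------------------------------------------
TOML_SERVICE_MODE="# listen_addresses = []
listen_addresses = ['127.0.0.1:53', '[::1]:53']   # .service method
server_names = ['cloudflare', 'cloudflare-ipv6']"

TOML_SOCKET_MODE="listen_addresses = [ ]
server_names = ['cloudflare']"

SS_BUSY='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=12))
tcp   LISTEN 0      4096   127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=13))'

SS_FREE='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process'

# Demonstration on the samples
check_startup_mode service "$TOML_SERVICE_MODE"
check_startup_mode socket "$TOML_SERVICE_MODE" ||
    echo "-> fix /etc/dnscrypt-proxy/dnscrypt-proxy.toml before enabling the .socket unit"
busy=$(port53_listeners "$SS_BUSY")
[ -z "$busy" ] || echo "port 53 is still held by: $busy (stop that service first)"
```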

Modify resolv.conf

This article or section needs expansion. Reason: Explain what the options mean.

Modify the resolv.conf file and replace the current set of resolver addresses with the address for localhost and options [4]:

nameserver 127.0.0.1
options edns0 single-request-reopen

Other programs may overwrite this setting; see resolv.conf#Preserve DNS settings for details.

Start systemd service

Finally, start/enable the dnscrypt-proxy.service unit or dnscrypt-proxy.socket, depending on which method you chose above.

Tips and tricks

Local DNS cache configuration

Tip: dnscrypt can cache entries without relying on another program. This feature is enabled by default with the line cache = true in your dnscrypt configuration file.

It is recommended to run DNSCrypt as a forwarder for a local DNS cache if not using dnscrypt's cache feature; otherwise, every single query will make a round-trip to the upstream resolver. Any local DNS caching program should work. In addition to setting up dnscrypt-proxy, you must set up your local DNS cache program.

Change port

In order to forward queries from a local DNS cache, dnscrypt-proxy should listen on a port different from the default 53, since the DNS cache itself needs to listen on 53 and query dnscrypt-proxy on a different port. Port number 53000 is used as an example in this section. In this example, the port number is larger than 1024 so dnscrypt-proxy is not required to be run by root.

There are two methods for changing the default port:

Socket method

Edit dnscrypt-proxy.socket with the following contents:

[Socket]
ListenStream=
ListenDatagram=
ListenStream=127.0.0.1:53000
ListenDatagram=127.0.0.1:53000

When queries are forwarded from the local DNS cache to 53000, dnscrypt-proxy.socket will start dnscrypt-proxy.service.

Service method

Edit the listen_addresses option in /etc/dnscrypt-proxy/dnscrypt-proxy.toml with the following:

listen_addresses = ['127.0.0.1:53000', '[::1]:53000']

Example local DNS cache configurations

The following configurations should work with dnscrypt-proxy and assume that it is listening on port 53000.

Unbound

Configure Unbound to your liking (in particular, see Unbound#Local DNS server) and add the following lines to the end of the server section in /etc/unbound/unbound.conf:

  do-not-query-localhost: no
forward-zone:
  name: "."
  forward-addr: 127.0.0.1@53000

Tip: If you are setting up a server, add interface: 0.0.0.0@53 and access-control: your-network/subnet-mask allow inside the server: section so that the other computers can connect to the server. A client must be configured with nameserver address-of-your-server in /etc/resolv.conf.

Restart unbound.service to apply the changes.

dnsmasq

Configure dnsmasq as a local DNS cache. The basic configuration to work with DNSCrypt:

/etc/dnsmasq.conf
no-resolv
server=127.0.0.1#53000
listen-address=127.0.0.1

If you configured DNSCrypt to use a resolver with enabled DNSSEC validation, make sure to enable it also in dnsmasq:

/etc/dnsmasq.conf
proxy-dnssec

Restart dnsmasq.service to apply the changes.

pdnsd

Install pdnsd. A basic configuration to work with DNSCrypt is:

/etc/pdnsd.conf
global {
    perm_cache = 1024;
    cache_dir = "/var/cache/pdnsd";
    run_as = "pdnsd";
    server_ip = 127.0.0.1;
    status_ctl = on;
    query_method = udp_tcp;
    min_ttl = 15m;       # Retain cached entries at least 15 minutes.
    max_ttl = 1w;        # One week.
    timeout = 10;        # Global timeout option (10 seconds).
    neg_domain_pol = on;
    udpbufsize = 1024;   # Upper limit on the size of UDP messages.
}

server {
    label = "dnscrypt-proxy";
    ip = 127.0.0.1;
    port = 53000;
    timeout = 4;
    proxy_only = on;
}

source {
    owner = localhost;
    file = "/etc/hosts";
}

Restart pdnsd.service to apply the changes.

Sandboxing

Edit dnscrypt-proxy.service to include the following lines:

[Service]
CapabilityBoundingSet=CAP_IPC_LOCK CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
PrivateTmp=true
PrivateDevices=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
RestrictRealtime=true
RestrictAddressFamilies=AF_INET AF_INET6
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @ipc @module @mount @obsolete @raw-io

See systemd.exec(5) and Systemd#Sandboxing application environments for more information. Additionally see the upstream comments (dead link as of 2018-01-08).

Enable EDNS0

This article or section needs expansion. Reason: Name the advantages/motivation for enabling this.

Extension Mechanisms for DNS (EDNS0) is an extension of the DNS protocol that, among other things, allows a client to specify how large a reply over UDP can be.

Add the following line to your /etc/resolv.conf:

options edns0

This article or section is out of date. Reason: dnscrypt-proxy2 uses a different config file.

You may also wish to append the following to /etc/dnscrypt-proxy.conf:

EDNSPayloadSize <bytes>

Here <bytes> is a number; the default is 1252 bytes, and values up to 4096 bytes are purportedly safe. A value of 512 bytes or below disables this mechanism, unless a client sends a packet with an OPT section providing a payload size.

Test EDNS0

To make use of the DNS Reply Size Test Server, use the drill command line tool to issue a TXT query for the name rs.dns-oarc.net:

$ drill rs.dns-oarc.net TXT

With EDNS0 supported, the "answer section" of the output should look similar to this:

rst.x3827.rs.dns-oarc.net.
rst.x4049.x3827.rs.dns-oarc.net.
rst.x4055.x4049.x3827.rs.dns-oarc.net.
"2a00:d880:3:1::a6c1:2e89 DNS reply size limit is at least 4055 bytes"
"2a00:d880:3:1::a6c1:2e89 sent EDNS buffer size 4096"

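As an added example (not part of the ArchWiki page), this POSIX shell script reads an answer section like the one above and reports whether EDNS0 is in effect, applying the 512-byte threshold from the previous section; the two answer sections it parses are constructed samples, one modelled on the output shown above.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: interpret the answer section of
# `drill rs.dns-oarc.net TXT` (DNS-OARC reply size test) and decide whether
# EDNS0 is in effect, using the 512-byte threshold stated on the page.
# The sample output below is constructed to match the shape of the page's example.

# Largest reply size the test server managed to deliver, taken from the
# xNNNN labels of the CNAME chain (each step records one successfully
# delivered size, so the biggest label is the measured limit).
largest_reply_seen() {
    printf '%s\n' "$1" |
        sed -n 's/.*rst\.x\([0-9]*\)\..*/\1/p' |
        sort -n | tail -n 1
}

# The figure the server states in its TXT record, or nothing if absent.
reply_size_limit() {
    printf '%s\n' "$1" |
        sed -n 's/.*reply size limit is at least \([0-9]*\) bytes.*/\1/p' |
        head -n 1
}

# EDNS buffer size the querying resolver announced, or nothing if absent.
edns_buffer_size() {
    printf '%s\n' "$1" |
        sed -n 's/.*sent EDNS buffer size \([0-9]*\).*/\1/p' |
        head -n 1
}

# Summarise the test: "edns0-active LIMIT", "edns0-disabled SIZE" (an
# announced buffer of 512 bytes or less, which the page says disables the
# mechanism) or "no-edns0-data" when the TXT records are missing.
# Exit status is 0 only when EDNS0 is active.
edns0_status() {
    size=$(edns_buffer_size "$1")
    limit=$(reply_size_limit "$1")
    if [ -z "$size" ]; then
        echo no-edns0-data
        return 1
    fi
    if [ "$size" -le 512 ]; then
        echo "edns0-disabled $size"
        return 1
    fi
    # Fall back to the CNAME chain if the TXT figure is missing
    [ -n "$limit" ] || limit=$(largest_reply_seen "$1")
    echo "edns0-active $limit"
}

# Constructed sample answer sections ----------------------------------------
DRILL_OK='rst.x3827.rs.dns-oarc.net.
rst.x4049.x3827.rs.dns-oarc.net.
rst.x4055.x4049.x3827.rs.dns-oarc.net.
"2a00:d880:3:1::a6c1:2e89 DNS reply size limit is at least 4055 bytes"
"2a00:d880:3:1::a6c1:2e89 sent EDNS buffer size 4096"'

DRILL_SMALL='rst.x490.rs.dns-oarc.net.
"192.0.2.10 DNS reply size limit is at least 490 bytes"
"192.0.2.10 sent EDNS buffer size 512"'

edns0_status "$DRILL_OK"       # edns0-active 4055
edns0_status "$DRILL_SMALL" || echo "-> EDNS0 not in effect for this resolver path"
```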
Redundant DNSCrypt providers

This section is being considered for removal. Reason: Out of date and irrelevant since dnscrypt-proxy2 handles the configuration of multiple sources.

To use several different dnscrypt providers, you may simply copy the original dnscrypt-proxy.service and dnscrypt-proxy.socket. In your new copy of the service, change the command line parameters, either pointing to a new configuration file or naming a different resolver directly. Then change the port in the new copy of the socket. Lastly, update your local DNS cache program to point to the new service's port. For example, with unbound the configuration file would look like the following when using port 53000 for the original socket and 53001 for the new socket:

/etc/unbound/unbound.conf
 do-not-query-localhost: no
 forward-zone:
   name: "."
   forward-addr: 127.0.0.1@53000
   forward-addr: 127.0.0.1@53001

Create instanced systemd service

An alternative to copying the systemd service is to use an instanced service.

Create systemd file

First, create /etc/systemd/system/dnscrypt-proxy@.service containing:

[Unit]
Description=DNSCrypt client proxy
Documentation=man:dnscrypt-proxy(8)
Requires=dnscrypt-proxy@%i.socket

[Service]
Type=notify
NonBlocking=true
ExecStart=/usr/bin/dnscrypt-proxy \
    --resolver-name=%i
Restart=always

This specifies an instanced systemd service that starts a dnscrypt-proxy using the service name specified after the @ symbol of a corresponding .socket file.

Add dnscrypt-sockets

To create multiple dnscrypt-proxy sockets, copy /usr/lib/systemd/system/dnscrypt-proxy.socket to a new file, /etc/systemd/system/dnscrypt-proxy@short-name.here.socket, replacing the socket instance name with one of the short names listed in dnscrypt-resolvers.csv and change the port. Use a different port for each instance (53000, 53001, and so forth).

Apply new systemd configuration

Now we need to reload the systemd configuration.

# systemctl daemon-reload

Since we are replacing the default service with a different name, we need to explicitly stop and disable dnscrypt-proxy.service and dnscrypt-proxy.socket.

Now start/enable the new service(s), e.g. dnscrypt-proxy@dnscrypt.eu-nl.

Finally restart unbound.service.

See also