This is how I got DNSCrypt and dnsmasq on Ubuntu 18.04 working together. dnsmasq is used for local domains and DHCP while we use DNSCrypt as our forwarding DNSD server. To quote from the OpenDNS website “DNSCrypt is a piece of lightweight software that everyone should use to boost online privacy and security. It works by encrypting all DNS traffic between the user and OpenDNS, preventing any spying, spoofing or man-in-the-middle attacks.”.

As usual I do all my testing on Virtual machines, using an Ubuntu 18.04 Minimal Server Installation. This gives a known good starting point without the bloat of a full desktop install.

Install the software

We start off by installing dnsmasq on its own.

sudo apt-get update
sudo apt-get install dnsmasq

Now dnsmasq is installed we stop the daemon as it will use the same port as DNSCrypt. We want to test out DNSCrypt without dnsmasq to start with.

sudo systemctl stop dnsmasq.service

Install the package for DNSCrypt.

sudo apt-get install dnscrypt-proxy

Configure DNSCrypt

To configure DBNSCrypt is reasonably simple to do just a couple of files to update.

sudo nano /etc/dnscrypt-proxy/dnscrypt-proxy.conf

Update the line for ResolverName changing the value from fvz-anyone to cisco. Even though fvz-anyone is supposed to work from anywhere. It never working in my testing. You can ignore the setting for LocalAddress as it will not be used, or you can comment it out.

#ResolverName fvz-anyone
ResolverName ciso

Save the file and exit then reload the next file.

sudo nano /lib/systemd/system/dnscrypt-proxy.socket

Here we are changing the default listening IP address, leave the port number at 53. Port 53 it the default port for DNS queries. This is what we want as we need to check DNSCrypt is woring okay before adding in dnsmasq.

#ListenStream=127.0.2.1:53
#ListenDatagram=127.0.2.1:53
ListenStream=127.0.0.1:53
ListenDatagram=127.0.0.1:53

Save the file and exit. Tell systemd that some files have changed and then stop and restart DNSCrypt. I found using the restart could be problematic.

sudo systemctl daemon-reload
sudo systemctl stop dnscrypt-proxy.socket
sudo systemctl start dnscrypt-proxy

Turn off systemd-resolved

Next we turn off systemd-resolved, it gets in the way. Not sure what the benefits of ever having this new service it always seems to break working systems.

sudo systemctl disable systemd-resolved.service
sudo systemctl stop systemd-resolved.service

Now systemd-resolved to turned off we can also remove the resolve.conf file, or simply comment out all the nameserver lines.

sudo rm -v /etc/resolv.conf

Test DNSCrypt

DNSCrypt should now be usable. we can test that out with a few commands.

nslookup -type=txt debug.opendns.com

Server:		192.168.0.3
Address:	192.168.0.3#53

Non-authoritative answer:
debug.opendns.com	text = "server m77.lon"
debug.opendns.com	text = "flags 20 0 70 180000000000000000007950800000000000000"
debug.opendns.com	text = "originid 0"
debug.opendns.com	text = "actype 0"
debug.opendns.com	text = "source 12.19.34.13:51162"
debug.opendns.com	text = "dnscrypt enabled (714E7A696D657555)"

Authoritative answers can be found from:

The important line is the last one saying “dnscrypt enabled (714E7A696D657555)”. We can also use dig to lookup IPs from host names as usual.

dig TXT debug.opendns.com

; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> TXT debug.opendns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29415
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com.		IN	TXT

;; ANSWER SECTION:
debug.opendns.com.	0	IN	TXT	"server m45.lon"
debug.opendns.com.	0	IN	TXT	"flags 20 0 70 180000000000000000007950800000000000000"
debug.opendns.com.	0	IN	TXT	"originid 0"
debug.opendns.com.	0	IN	TXT	"actype 0"
debug.opendns.com.	0	IN	TXT	"source 12.19.34.13:54232"
debug.opendns.com.	0	IN	TXT	"dnscrypt enabled (714E7A696D657555)"


;; Query time: 22 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 23 

Looking for the TXT record again we should again see the dnscrypt line at the end.

debug.opendns.com.	0	IN	TXT	"dnscrypt enabled (714E7A696D657555)"

To check that we are running on the right address and port, localhost:domain. as we know localhost is 127.0.0.1 and domain is listed in /etc/servers as port 53.

netstat -vat

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 localhost:domain        0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:domain          0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:smtp            0.0.0.0:*               LISTEN    

Another command to do a similar check.

sudo lsof -i -n | grep -i dnscrypt

dnscrypt- 505 _dnscrypt-proxy    3u  IPv4  16721      0t0  TCP 127.0.0.1:53 (LISTEN)
dnscrypt- 505 _dnscrypt-proxy    4u  IPv4  16725      0t0  UDP 127.0.0.1:53 
dnscrypt- 505 _dnscrypt-proxy    8u  IPv4  18612      0t0  UDP *:35363 

Now we can check that dig is working and looking up IP's for host names. You are looking for something in the answer section. If all that is working you should be able to browse the we with out problems.

dig bbc.co.uk
dig cnn.co.uk

Change DNSCrypt port

So all that was working and DNSCrpt was configured to work looking up IPs for hostnames. Now we can sort out putting DNSCrypt on the port we need it on and then configure dnsmasq for local host lookups.

We start of by changing the port configured in dnscrypt-proxy.socket from 53 to 40. we are using 40 as it is not normally used.

sudo nano /lib/systemd/system/dnscrypt-proxy.socket

#ListenStream=127.0.2.1:53
#ListenDatagram=127.0.2.1:53
ListenStream=127.0.0.1:40
ListenDatagram=127.0.0.1:40

Run the next few commands to, as before to stop and start DNSCrypt up again.

sudo systemctl daemon-reload
sudo systemctl stop dnscrypt-proxy.socket
sudo systemctl start dnscrypt-proxy

sudo lsof -i -n | grep -i dnscrypt

dnscrypt- 505 _dnscrypt-proxy    3u  IPv4  16721      0t0  TCP 127.0.0.1:40 (LISTEN)
dnscrypt- 505 _dnscrypt-proxy    4u  IPv4  16725      0t0  UDP 127.0.0.1:40 
dnscrypt- 505 _dnscrypt-proxy    8u  IPv4  18612      0t0  UDP *:35363 

Configure dnsmasq

As this post is, DNSCrypt and dnsmasq on Ubuntu 18.04, we better setup dnsmasq now that DNSCrypt is running on port 40.

sudo nano /etc/dnsmasq.conf

The setting in the dnsmasq configuration file we need to change are as follows. the comments in the file explain why these settings are bing changed.

no-resolv
server=127.0.0.1#40
local=/dragon.lab/
addn-hosts=/etc/dnsmasq_static_hosts.conf
expand-hosts
domain=dragon.lab 

The file addn-hosts is used by dnsmasq to hold the static IP addresses from your local LAN. Ist format is the same as for the /etc/hosts file. Some examples are shown below. Yours will be different.

sudo nano /etc/dnsmasq-static_hosts.conf

# Add dragon.lab servers here
10.1.200.1 lab-router1.dragon.lab   lab-router1

10.1.200.7 mailserver.dragon.lab  mailserver lab-mailserver.dragon.lab  lab-mailserver

10.1.200.10 lab-server1.dragon.lab  lab-server1
10.1.200.20 lab-desktop1.dragon.lab  lab-desktop1

We can now restart dnsmasq and do some final testing.

sudo systemctl start dnsmasq.service

sudo lsof -i -n | grep -iP 'dns[cm]'

Note the command above is very similar to the one we used to check DNSrypt. This time we have used a Perl regex (-P) to search for both dnscrypt and dnsmasq. Again the domain part oft he output tells us we are using port 53 for dnsmasq.

dnscrypt- 505 _dnscrypt-proxy    3u  IPv4  16721      0t0  TCP 127.0.0.1:40 (LISTEN)
dnscrypt- 505 _dnscrypt-proxy    4u  IPv4  16725      0t0  UDP 127.0.0.1:40 
dnscrypt- 505 _dnscrypt-proxy    8u  IPv4  18612      0t0  UDP *:35363 
dnsmasq   606         dnsmasq    6u  IPv4  17850      0t0  UDP *:domain 
dnsmasq   606         dnsmasq    7u  IPv4  17851      0t0  TCP *:domain (LISTEN)
dnsmasq   606         dnsmasq    8u  IPv6  17852      0t0  UDP *:domain 
dnsmasq   606         dnsmasq    9u  IPv6  17853      0t0  TCP *:domain (LISTEN)

Further testing can be done with dig to see the same out put as we did before but we can now also lookup local host IPs via dnsmasq. as dnsmasq is a caching server if you lookup say bbc.co.uk twice and note the Query time the first will be about 20-25 msecs the second lookup time will be zero.
Query time

dig lab-router.dragon.lab
dig lab-server1.dragon.lab
dig bbc.co.uk
dig TXT debug.opendns.com

There you have it, DNSCrypt and dnsmasq on Ubuntu 18.04 working together.

If you want to use dnsmasq for your DHCP see my post. For a more in depth look at Dnsmasq.