This is how I got DNSCrypt and dnsmasq on Ubuntu 18.04 working together. dnsmasq is used for local domains and DHCP, while DNSCrypt is used as the forwarding DNS server. To quote from the OpenDNS website: “DNSCrypt is a piece of lightweight software that everyone should use to boost online privacy and security. It works by encrypting all DNS traffic between the user and OpenDNS, preventing any spying, spoofing or man-in-the-middle attacks.”
As usual I do all my testing on virtual machines, using an Ubuntu 18.04 minimal server installation. This gives a known good starting point without the bloat of a full desktop install.
Install the software
We start off by installing dnsmasq on its own.
sudo apt-get update
sudo apt-get install dnsmasq
Now that dnsmasq is installed we stop the daemon, as it will use the same port as DNSCrypt. We want to test DNSCrypt without dnsmasq to start with.
sudo systemctl stop dnsmasq.service
Install the package for DNSCrypt.
sudo apt-get install dnscrypt-proxy
Configure DNSCrypt
Configuring DNSCrypt is reasonably simple; there are just a couple of files to update.
sudo nano /etc/dnscrypt-proxy/dnscrypt-proxy.conf
Update the line for ResolverName, changing the value from fvz-anyone to cisco. Even though fvz-anyone is supposed to work from anywhere, it never worked in my testing. You can ignore the setting for LocalAddress as it will not be used, or you can comment it out.
#ResolverName fvz-anyone
ResolverName cisco
Save the file and exit, then edit the next file.
sudo nano /lib/systemd/system/dnscrypt-proxy.socket
Here we are changing the default listening IP address; leave the port number at 53. Port 53 is the default port for DNS queries. This is what we want, as we need to check DNSCrypt is working okay before adding in dnsmasq.
#ListenStream=127.0.2.1:53
#ListenDatagram=127.0.2.1:53
ListenStream=127.0.0.1:53
ListenDatagram=127.0.0.1:53
Save the file and exit. Tell systemd that some files have changed, then stop and start DNSCrypt. I found using restart could be problematic.
sudo systemctl daemon-reload
sudo systemctl stop dnscrypt-proxy.socket
sudo systemctl start dnscrypt-proxy
Turn off systemd-resolved
Next we turn off systemd-resolved, as it gets in the way. I am not sure what the benefit of this new service ever was; it always seems to break working systems.
sudo systemctl disable systemd-resolved.service
sudo systemctl stop systemd-resolved.service
Now that systemd-resolved is turned off we can also remove the resolv.conf file, or simply comment out all the nameserver lines.
sudo rm -v /etc/resolv.conf
Test DNSCrypt
DNSCrypt should now be usable. We can test that out with a few commands.
nslookup -type=txt debug.opendns.com
Server: 192.168.0.3
Address: 192.168.0.3#53

Non-authoritative answer:
debug.opendns.com text = "server m77.lon"
debug.opendns.com text = "flags 20 0 70 180000000000000000007950800000000000000"
debug.opendns.com text = "originid 0"
debug.opendns.com text = "actype 0"
debug.opendns.com text = "source 12.19.34.13:51162"
debug.opendns.com text = "dnscrypt enabled (714E7A696D657555)"

Authoritative answers can be found from:
The important line is the last one, saying “dnscrypt enabled (714E7A696D657555)”. We can also use dig to look up IPs from host names as usual.
dig TXT debug.opendns.com
; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> TXT debug.opendns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29415
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com. IN TXT

;; ANSWER SECTION:
debug.opendns.com. 0 IN TXT "server m45.lon"
debug.opendns.com. 0 IN TXT "flags 20 0 70 180000000000000000007950800000000000000"
debug.opendns.com. 0 IN TXT "originid 0"
debug.opendns.com. 0 IN TXT "actype 0"
debug.opendns.com. 0 IN TXT "source 12.19.34.13:54232"
debug.opendns.com. 0 IN TXT "dnscrypt enabled (714E7A696D657555)"

;; Query time: 22 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 23
Looking at the TXT records again, we should again see the dnscrypt line at the end.
debug.opendns.com. 0 IN TXT "dnscrypt enabled (714E7A696D657555)"
To check that we are listening on the right address and port, look for localhost:domain in the output. As we know, localhost is 127.0.0.1, and domain is listed in /etc/services as port 53.
netstat -vat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:domain        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:domain          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:smtp            0.0.0.0:*               LISTEN
Another command to do a similar check.
sudo lsof -i -n | grep -i dnscrypt
dnscrypt- 505 _dnscrypt-proxy 3u IPv4 16721 0t0 TCP 127.0.0.1:53 (LISTEN)
dnscrypt- 505 _dnscrypt-proxy 4u IPv4 16725 0t0 UDP 127.0.0.1:53
dnscrypt- 505 _dnscrypt-proxy 8u IPv4 18612 0t0 UDP *:35363
Now we can check that dig is working and looking up IPs for host names. You are looking for records in the ANSWER SECTION. If all that is working you should be able to browse the web without problems.
dig bbc.co.uk
dig cnn.co.uk
Change DNSCrypt port
So all that was working and DNSCrypt was configured to look up IPs for hostnames. Now we can sort out putting DNSCrypt on the port we need it on, and then configure dnsmasq for local host lookups.
We start off by changing the port configured in dnscrypt-proxy.socket from 53 to 40. We are using 40 as it is not normally used.
sudo nano /lib/systemd/system/dnscrypt-proxy.socket
#ListenStream=127.0.2.1:53
#ListenDatagram=127.0.2.1:53
ListenStream=127.0.0.1:40
ListenDatagram=127.0.0.1:40
Run the next few commands, as before, to stop and start DNSCrypt again.
sudo systemctl daemon-reload
sudo systemctl stop dnscrypt-proxy.socket
sudo systemctl start dnscrypt-proxy
sudo lsof -i -n | grep -i dnscrypt
dnscrypt- 505 _dnscrypt-proxy 3u IPv4 16721 0t0 TCP 127.0.0.1:40 (LISTEN)
dnscrypt- 505 _dnscrypt-proxy 4u IPv4 16725 0t0 UDP 127.0.0.1:40
dnscrypt- 505 _dnscrypt-proxy 8u IPv4 18612 0t0 UDP *:35363
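The two edits to dnscrypt-proxy.socket above (first 127.0.0.1:53, then 127.0.0.1:40) are made directly to the packaged unit under /lib/systemd/system, which the next package upgrade will overwrite. The following script is an added example, not from the original post: it makes the same two changes (ResolverName in dnscrypt-proxy.conf, listen address and port of the socket) but puts the socket change in a systemd drop-in under /etc/systemd/system/dnscrypt-proxy.socket.d/ instead, which survives upgrades. The empty ListenStream= and ListenDatagram= lines in the drop-in reset the packaged 127.0.2.1:53 addresses before the new ones are added. The unit name, the config file path and the ResolverName key are taken from the post; the drop-in file name listen.conf and the dry-run temp tree are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post). Applies the post's two DNSCrypt
# edits in an upgrade-safe way and verifies the result. Runs as a dry run
# against a temporary tree; pass / as the root to write to the real system.

# Body of the drop-in. Empty ListenStream=/ListenDatagram= lines clear the
# addresses set in the packaged unit, then the new address:port is added.
socket_override_text() {
    addr="$1"
    port="$2"
    printf '[Socket]\nListenStream=\nListenDatagram=\nListenStream=%s:%s\nListenDatagram=%s:%s\n' \
        "$addr" "$port" "$addr" "$port"
}

# Write the drop-in under $root; prints the path written.
write_socket_override() {
    root="$1"; addr="$2"; port="$3"
    dir="$root/etc/systemd/system/dnscrypt-proxy.socket.d"   # drop-in dir (assumed name listen.conf)
    mkdir -p "$dir"
    socket_override_text "$addr" "$port" > "$dir/listen.conf"
    printf '%s\n' "$dir/listen.conf"
}

# Set ResolverName in a dnscrypt-proxy.conf, keeping the old value as a
# comment exactly as the post does ("#ResolverName fvz-anyone" / "ResolverName cisco").
set_resolver_name() {
    conf="$1"; name="$2"
    tmp="$conf.tmp"
    sed 's/^\([[:space:]]*ResolverName[[:space:]].*\)$/#\1/' "$conf" > "$tmp" && mv "$tmp" "$conf"
    printf 'ResolverName %s\n' "$name" >> "$conf"
}

# Read back the active (uncommented) ResolverName so the edit can be checked.
active_resolver_name() {
    awk '$1 == "ResolverName" { v = $2 } END { print v }' "$1"
}

# Dry run: a constructed dnscrypt-proxy.conf in a temp tree, so this is safe anywhere.
demo_root="$(mktemp -d)"
demo_conf="$demo_root/etc/dnscrypt-proxy/dnscrypt-proxy.conf"
mkdir -p "$demo_root/etc/dnscrypt-proxy"
printf 'ResolverName fvz-anyone\nLocalAddress 127.0.2.1:53\n' > "$demo_conf"

set_resolver_name "$demo_conf" cisco
write_socket_override "$demo_root" 127.0.0.1 40
echo "ResolverName is now: $(active_resolver_name "$demo_conf")"

# On the real system (root=/) follow up with the post's reload and restart:
#   sudo systemctl daemon-reload
#   sudo systemctl stop dnscrypt-proxy.socket
#   sudo systemctl start dnscrypt-proxy
```

After running it against / you can confirm systemd picked up the drop-in with `systemctl cat dnscrypt-proxy.socket`, which prints the packaged unit followed by the drop-in, and then repeat the `lsof` check above to see 127.0.0.1:40.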
Configure dnsmasq
As this post is about DNSCrypt and dnsmasq on Ubuntu 18.04, we had better set up dnsmasq now that DNSCrypt is running on port 40.
sudo nano /etc/dnsmasq.conf
The settings in the dnsmasq configuration file we need to change are as follows. The comments in the file explain why these settings are being changed.
no-resolv
server=127.0.0.1#40
local=/dragon.lab/
addn-hosts=/etc/dnsmasq_static_hosts.conf
expand-hosts
domain=dragon.lab
The addn-hosts file is used by dnsmasq to hold the static IP addresses from your local LAN. Its format is the same as the /etc/hosts file. Some examples are shown below; yours will be different.
sudo nano /etc/dnsmasq_static_hosts.conf
# Add dragon.lab servers here
10.1.200.1  lab-router1.dragon.lab lab-router1
10.1.200.7  mailserver.dragon.lab mailserver lab-mailserver.dragon.lab lab-mailserver
10.1.200.10 lab-server1.dragon.lab lab-server1
10.1.200.20 lab-desktop1.dragon.lab lab-desktop1
We can now restart dnsmasq and do some final testing.
sudo systemctl start dnsmasq.service
sudo lsof -i -n | grep -iP 'dns[cm]'
Note the command above is very similar to the one we used to check DNSCrypt. This time we have used a Perl regex (-P) to search for both dnscrypt and dnsmasq. Again the domain part of the output tells us we are using port 53 for dnsmasq.
dnscrypt- 505 _dnscrypt-proxy 3u IPv4 16721 0t0 TCP 127.0.0.1:40 (LISTEN)
dnscrypt- 505 _dnscrypt-proxy 4u IPv4 16725 0t0 UDP 127.0.0.1:40
dnscrypt- 505 _dnscrypt-proxy 8u IPv4 18612 0t0 UDP *:35363
dnsmasq 606 dnsmasq 6u IPv4 17850 0t0 UDP *:domain
dnsmasq 606 dnsmasq 7u IPv4 17851 0t0 TCP *:domain (LISTEN)
dnsmasq 606 dnsmasq 8u IPv6 17852 0t0 UDP *:domain
dnsmasq 606 dnsmasq 9u IPv6 17853 0t0 TCP *:domain (LISTEN)
Further testing can be done with dig to see the same output as we did before, but we can now also look up local host IPs via dnsmasq. As dnsmasq is a caching server, if you look up say bbc.co.uk twice and note the Query time, the first will be about 20-25 msecs and the second lookup time will be zero.
Query time
dig lab-router1.dragon.lab
dig lab-server1.dragon.lab
dig bbc.co.uk
dig TXT debug.opendns.com
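The final checks above are all done by eye: the "dnscrypt enabled" TXT record in the dig output, the two listeners in the lsof output, and the Query time dropping to zero on a cached lookup. The script below is an added example, not from the original post, that turns those three checks into small shell functions which parse the output of the same dig and lsof commands. The sample outputs embedded in it are constructed from the transcripts earlier in the post, so the checks run offline; run it with --live to run the real commands on the machine you have just set up.

```shell
#!/bin/sh
# Added example (not from the original post): parse dig and lsof output to
# confirm the finished setup, instead of reading the transcripts by eye.

# True when dig TXT debug.opendns.com output carries the "dnscrypt enabled" record.
dnscrypt_enabled() {
    printf '%s\n' "$1" | grep -q 'IN[[:space:]]*TXT[[:space:]]*"dnscrypt enabled'
}

# Print the "Query time" from dig output in milliseconds, or -1 if not present.
query_time_msec() {
    t="$(printf '%s\n' "$1" | sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p' | head -n 1)"
    printf '%s\n' "${t:--1}"
}

# True when "lsof -i -n" output shows a process whose name starts with $2
# listening on TCP $3 (e.g. dnscrypt 127.0.0.1:40, or dnsmasq '*:domain').
listens_on() {
    printf '%s\n' "$1" | grep -i "^$2" | grep -F -q "TCP $3 (LISTEN)"
}

# Constructed sample output, abridged from the post's dig transcript.
SAMPLE_DIG=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29415
;; ANSWER SECTION:
debug.opendns.com. 0 IN TXT "server m45.lon"
debug.opendns.com. 0 IN TXT "dnscrypt enabled (714E7A696D657555)"
;; Query time: 22 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'

# Constructed sample output, from the post's final lsof transcript.
SAMPLE_LSOF='dnscrypt- 505 _dnscrypt-proxy 3u IPv4 16721 0t0 TCP 127.0.0.1:40 (LISTEN)
dnscrypt- 505 _dnscrypt-proxy 4u IPv4 16725 0t0 UDP 127.0.0.1:40
dnsmasq 606 dnsmasq 6u IPv4 17850 0t0 UDP *:domain
dnsmasq 606 dnsmasq 7u IPv4 17851 0t0 TCP *:domain (LISTEN)'

# Run the three checks against the live system (needs dig, lsof and sudo).
run_live() {
    txt="$(dig TXT debug.opendns.com)"
    if dnscrypt_enabled "$txt"; then echo "dnscrypt: enabled"; else echo "dnscrypt: NOT enabled"; fi

    ports="$(sudo lsof -i -n)"
    listens_on "$ports" dnscrypt 127.0.0.1:40 && echo "dnscrypt-proxy: listening on 127.0.0.1:40" \
        || echo "dnscrypt-proxy: NOT on 127.0.0.1:40"
    listens_on "$ports" dnsmasq '*:domain' && echo "dnsmasq: listening on port 53" \
        || echo "dnsmasq: NOT on port 53"

    # Two lookups in a row: the second should come from the dnsmasq cache.
    first="$(query_time_msec "$(dig bbc.co.uk)")"
    second="$(query_time_msec "$(dig bbc.co.uk)")"
    echo "cache: first lookup ${first} ms, second lookup ${second} ms"
}

if [ "${1:-}" = "--live" ]; then
    run_live
fi
```

Parsing the dig output rather than grepping for the word dnscrypt alone matters because the resolver's other TXT records (flags, source) also appear in the answer; the check keys on the record that says the upstream actually negotiated DNSCrypt.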
There you have it, DNSCrypt and dnsmasq on Ubuntu 18.04 working together.
If you want to use dnsmasq for your DHCP, see my post for a more in-depth look at dnsmasq.
Thanks, this worked for me.
Hello,
Excellent. It works, but you should install dnscrypt-proxy-plugins if you want to set up other parameters like localcache or blockIPv6 in order to reduce the latency.