Time to setup dnscrypt-proxy on my new Ubuntu 22.04 LTS box. I found the best way to do this was to also install resolvconf and use that to ensure that /etc/resolv.conf always get the dnscrypt port of 127.0.2.1. Previously I’ve used a bunch of different methods, but for this distro, I’m happy with my results.
sudo apt udpate
sudo apt install dnscrypt-proxy resolvconf
sudo nano /etc/dnscrypt-proxy/dnscrypt-proxy.toml
Here you can change the settings for dnscrypt, by altering the server_names line (e.g. [‘cisco’], [‘cloudflare’]). Also ensure that the listen_addresses is empty. Restart the service if you make changes.
sudo systemctl restart dnscrypt-proxy
Next, open your Network Manager and go to the IPv4 settings. Turn off Automatic DHCP and set the address to 127.0.2.1. Restart the NetworkManager service.
sudo systemctl restart NetworkManager
Finally, edit the following resolvconf file to use the dnscrypt’s address in /etc/resolv.conf by adding the following line: nameserver 127.0.2.1
sudo nano /etc/resolvconf/resolv.conf.d/head
Now restart your computer.
You can test a number of ways. If you used [‘cisco’] you can do the following. Note in the ANSWER section “dnscrypt enabled”.
dig txt debug.opendns.com
; <<>> DiG 9.18.1-1ubuntu1-Ubuntu <<>> txt debug.opendns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28688
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com. IN TXT
;; ANSWER SECTION:
debug.opendns.com. 59 IN TXT "server m45.chi"
debug.opendns.com. 59 IN TXT "flags 20040022 0 50 180000000000000000003950000000000000000"
debug.opendns.com. 59 IN TXT "originid 585506578"
debug.opendns.com. 59 IN TXT "actype 2"
debug.opendns.com. 59 IN TXT "bundle 13458843"
debug.opendns.com. 59 IN TXT "source 184.108.40.206:57968"
debug.opendns.com. 59 IN TXT "dnscrypt enabled (7158645166363443)"
;; Query time: 4 msec
;; SERVER: 127.0.2.1#53(127.0.2.1) (UDP)
;; WHEN: Fri May 06 10:48:39 CDT 2022
;; MSG SIZE rcvd: 313
Another way of checking is to visit https://www.dnsleaktest.com/ which will tell you your DNS resolver.
The only thing I don’t get is this: Why does this use the old address? For another day.
dnscrypt-proxy -resolve google.com -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
Resolving [google.com] using 127.0.0.1 port 53
Unable to resolve: [read udp 127.0.0.1:35375->127.0.0.1:53: read: connection refused]