snork.ca ... making kittens cry since 2001

dnscrypt-proxy On Debian Maybe Final 2018-06-24


Over the last few years I have written up instructions for installing dnscrypt-proxy on Debian a few times. For Wheezy, and Jessie, and then again a couple more times on Jessie, blah blah blah. Lately I have been using the new dnscrypt-proxy-v2 client on one of my machines and it has been giving me trouble. It just stops working, provides no log entry to indicate a problem, and won't work again until the process is killed and restarted... at which time it is perfectly fine again. Like so many other pieces of software, it seems my best bet might be to just stick with the version that works best, even if haters want to call it old. So, the following instructions are basically a mixture of what I have written previously and are what I find works best on Debian Jessie.

pffft Yeah, last time... right.

These instructions assume that you are logged in as root and they use software downloaded from my web server (since dnscrypt-proxy v1.9.5 was abandoned by jedisct1 in December 2017). Start with an update:

# apt-get update
# apt-get upgrade

Download libsodium and dnscrypt-proxy, then build 'em:

# apt-get install build-essential
# mkdir ~/src && cd ~/src
# wget -O libsodium-1.0.15.tar.gz https://snork.ca/dl-libsodium
# wget -O dnscrypt-proxy-1.9.5.tar.gz https://snork.ca/dl-dnscrypt-proxy
# tar -xzf libsodium-1.0.15.tar.gz
# tar -xzf dnscrypt-proxy-1.9.5.tar.gz
# cd libsodium-1.0.15
# ./configure
# make && make check && make install
# ldconfig
# cd ../dnscrypt-proxy-1.9.5
# ./configure
# make && make check && make install

Seriously, don't miss the ldconfig command or you'll be banging your head on your keyboard about it. If you are planning to use this installation of dnscrypt-proxy with dnsmasq to provide DNS services for your local network, then you need to uncomment the following line in your dnsmasq.conf:

bind-interfaces

This will force dnsmasq to only bind to 127.0.0.1 (instead of 127.0.0.0/8) and will allow dnscrypt-proxy to bind to remaining localhost addresses on port 53. You then just need to set some lines like this in your dnsmasq.conf:

server=127.0.0.2
server=127.0.0.3

These lines tell dnsmasq which addresses dnscrypt-proxy is listening on. Of course you'll also need some servers to connect to. I don't know how many of the other publicly listed servers still work with dnscrypt-proxy v1.9.5, but to connect to the dnscrypt.ca servers you would use something like this:

dnscrypt-proxy --local-address=127.0.0.2:53 --resolver-address=199.167.130.118:5353 --provider-name=2.dnscrypt-cert.dnscrypt.ca-1 --provider-key=74F7:4555:17BC:26F7:1177:E56D:7293:2788:6C72:915B:3F46:2830:3F91:0C47:C38E:8279
dnscrypt-proxy --local-address=127.0.0.3:53 --resolver-address=199.167.128.112:5353 --provider-name=2.dnscrypt-cert.dnscrypt.ca-2 --provider-key=43D5:2C82:5922:96C2:DB6F:8D48:CE22:4FDC:C726:26E1:06F6:E388:6193:FA00:9029:631B
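
A quick way to check the dnsmasq.conf side of this setup, as an added example that is not part of the original post. The function name check_dnsmasq_conf and the sample config are made up here, and the no-resolv warning is an extra assumption on top of the post (that dnsmasq option stops it from also using the nameservers in /etc/resolv.conf):

```shell
#!/bin/sh
# Added example, not from the original post: audit a dnsmasq.conf for the
# dnsmasq -> dnscrypt-proxy chain described above.
# Assumption: every upstream must be a 127.x.x.x dnscrypt-proxy listener.

# Prints one finding per line; returns 0 if nothing FAILed, 1 otherwise.
check_dnsmasq_conf() {
    conf=$1
    rc=0

    # bind-interfaces has to be uncommented so that dnscrypt-proxy can
    # bind port 53 on 127.0.0.2 and 127.0.0.3.
    if grep -Eq '^[[:space:]]*bind-interfaces[[:space:]]*$' "$conf"; then
        echo "ok: bind-interfaces is active"
    else
        echo "FAIL: bind-interfaces is missing or commented out"
        rc=1
    fi

    # Active server= values (commented lines do not match).
    upstreams=$(sed -n 's/^[[:space:]]*server=//p' "$conf")
    [ -n "$upstreams" ] || { echo "FAIL: no server= lines found"; rc=1; }
    for u in $upstreams; do
        addr=${u##*/}          # strip an optional /domain/ prefix
        addr=${addr%%[#@]*}    # strip optional #port and @interface
        case $addr in
            '')    ;;          # server=/domain/ only: nothing is forwarded
            127.*) echo "ok: upstream $addr is on loopback" ;;
            *)     echo "FAIL: upstream $addr bypasses dnscrypt-proxy"; rc=1 ;;
        esac
    done

    # Without no-resolv, dnsmasq also forwards to the nameservers listed in
    # /etc/resolv.conf, which may be plain unencrypted resolvers.
    grep -Eq '^[[:space:]]*no-resolv[[:space:]]*$' "$conf" ||
        echo "WARN: no-resolv not set; /etc/resolv.conf upstreams are used too"
    return $rc
}

# Constructed sample config: bind-interfaces left commented, one stray upstream.
sample=$(mktemp)
printf '%s\n' '#bind-interfaces' 'server=127.0.0.2' 'server=192.0.2.53' > "$sample"
check_dnsmasq_conf "$sample" || echo "=> fix the FAIL lines before relying on this resolver"
rm -f "$sample"
```

Point it at the real file with check_dnsmasq_conf /etc/dnsmasq.conf once both dnscrypt-proxy instances are running.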

If anyone is still running Wheezy, another Debian release, a Debian derivative, or any other Linux version, I'd love to hear whether or not this works for you.
