DNSCrypt Install on Ubuntu 12.04


For Windows, DNSCrypt is a simple install from an executable file. For Linux, not so much. This guide is for installing DNSCrypt in Ubuntu 12.04 (x86_64). 

I found several instructions on how to get this software working properly with no single bulletproof method. I pieced together several parts from different instructions and came up with the simplest solution possible.

First off, download the dnscrypt tarball from http://download.dnscrypt.org/dnscrypt-proxy/. I found version 1.3.0 to work better, as I had some issues installing 1.3.1.

You will probably need the libsodium package too, which can be downloaded from https://download.libsodium.org/libsodium/releases/. The latest version should work fine, and this will be installed first.

I also recommend installing the build-essential packages in case you’re missing compilers.

sudo apt-get install build-essential

Untar the libsodium package and install

tar -xvzf libsodium-0.4.2.tar.gz

cd libsodium-libsodium-0.4.2

./configure

make && sudo make install

Do the same for the dnscrypt package

tar -xvzf dnscrypt-proxy-1.3.0.tar.gz

cd dnscrypt-proxy-1.3.0

./configure

make

sudo make install

You will need to make some changes to your DNS settings in the Connection Manager. Open it and choose Edit Connections. Find your connection (Wired/Wireless) and go to the IPv4 Settings tab. Change Method to ‘Automatic (DHCP) addresses only’ and enter the IP 127.0.0.2 in the DNS Servers box. In Ubuntu 12.04, a local DNS cache is already running on 127.0.0.1, so 127.0.0.2 is required.

In a terminal, issue the following command. The account named by --user (dnscrypt here) must already exist on the system:

sudo dnscrypt-proxy -a 127.0.0.2 --edns-payload-size=4096 --pidfile=/run/dnscrypt-proxy.pid --user=dnscrypt

If successful, you should see something similar to the following. I’m using OpenDNS through my router so the 208.67.220.220 DNS server shows up.

[INFO] Generating a new key pair
[INFO] Done
[INFO] Server certificate #1234567890 received
[INFO] This certificate looks valid
[INFO] Server key fingerprint is ……….
[INFO] Proxying from 127.0.0.2:53 to 208.67.220.220:443

A simple tcpdump will tell you if everything is working properly. If DNS requests are going over port 443 as encrypted UDP packets, everything should be working; if it’s still using port 53 and you can see the hosts being queried, something’s wrong.

sudo tcpdump -i eth0 port 443

Output should be similar to this. The payload bytes under the header line are only printed when tcpdump is run with -A:

20:22:02.070686 IP ubuntu.local.40117 > resolver2.opendns.com.https: UDP, length 324

E..`: ..@..G
….C…….L..q6fnvWjB…….OY…e..+.1.-P..v’.p.$2d..>Tx7[….hV…-..[/Q.~<.=…..@.Tp.d!!..>$j…’…1….?.
..U…b>.<…w…y…h…RC….=lt>n.BT…&..
.c..I.T”…m5._|.C..0.U.GA…..$V..2…T&.U…..o…0HO.{..K.L.%.G…K.’……    .}.!…..$.Ex….S.geN……….a.T….0..L..n..\..4..,..H4.~z…..!..6xu..-.i…U..+z…….;.”.n..
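
The check described above can be automated. This is an added example, not part of the original post: a shell function that reads tcpdump text output and counts plaintext port-53 queries against UDP packets sent to port 443. The sample capture lines (the 192.168.1.x addresses, router, example.com) are constructed.

```shell
#!/bin/sh
# Added example: classify tcpdump text output read from stdin.
# Prints "LEAK <name>" for each plaintext query, then a summary line
# "plaintext=<n> encrypted=<m>". Exit status is 1 if any plaintext query
# was seen, 0 otherwise.
check_dns_capture() {
    awk '
        # Destination is the field after ">", e.g. "router.domain:" or
        # "208.67.220.220.443:" (tcpdump prints names unless run with -n).
        {
            dst = ""
            for (i = 1; i < NF; i++) if ($i == ">") { dst = $(i + 1); break }
        }
        # Plaintext DNS query: destination port 53 and a "TYPE? name" pair.
        dst ~ /\.(53|domain):$/ {
            for (i = 1; i < NF; i++)
                if ($i ~ /^[A-Z]+\?$/) { print "LEAK " $(i + 1); plain++ }
            next
        }
        # DNSCrypt traffic as shown in the article: UDP to port 443.
        dst ~ /\.(443|https):$/ && $0 ~ /: UDP, length / { enc++ }
        END {
            printf "plaintext=%d encrypted=%d\n", plain, enc
            exit (plain > 0)
        }
    '
}

# Constructed sample capture lines (not taken from a real capture).
SAMPLE_OK='20:22:02.070686 IP ubuntu.local.40117 > resolver2.opendns.com.https: UDP, length 324
20:22:02.101112 IP resolver2.opendns.com.https > ubuntu.local.40117: UDP, length 304'

SAMPLE_LEAK='20:22:02.070686 IP 192.168.1.10.40117 > 208.67.220.220.443: UDP, length 324
20:23:10.500001 IP 192.168.1.10.53211 > 192.168.1.1.53: 4242+ A? example.com. (29)
20:23:10.500900 IP ubuntu.local.53212 > router.domain: 4243+ AAAA? example.com. (29)'

printf '%s\n' "$SAMPLE_OK"   | check_dns_capture || true
printf '%s\n' "$SAMPLE_LEAK" | check_dns_capture || true
```

Against live traffic, capture both ports for a fixed number of packets and pipe the result in, for example: sudo tcpdump -c 200 -i eth0 'port 53 or port 443' | check_dns_capture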


15 thoughts on “DNSCrypt Install on Ubuntu 12.04”

  1. I’ve followed the instructions and everything works fine, but the result of ‘tcpdump -i eth0 port 443’ gives me the ‘11:28:16.404538 IP UbuntuSecMail.local.55620 > resolver2.opendns.com.https: UDP, length 512’ line but I see no crypted part on the video (I mean nothing like “E..`: ..@..G
    ….C…….L..q6fnvWjB…….OY…e..+.1.-P..v’.p.$2d..>Tx7[….hV…-..”

    How can I be sure my DNS req are crypted?

    Thanks for any suggestion…

    JC

    • You won’t see that exact string of encrypted data. If you are seeing DNS requests on 443/https then it should be encrypted. If it’s not encrypted you will see the hostname you are requesting in plain text.

  2. sudo dnscrypt-proxy -a 127.0.0.2 --edns-payload-size=4096 --pidfile=/run/dnscrypt-proxy.pid --user=dnscrypt

    How do you put this so you don’t have to be logged in for it to work, and also for start up as well? I have checked the tcp dump and it seems to be resolving correctly.

    Also I know you have to edit /etc/rc.local but I have been unsuccessful with anything I put in. Another problem is that my /etc/resolve.conf doesn’t keep the same name-server of 127.0.0.2; it always changes back to another local DNS. How do you keep it from changing?

    Thanks for any help

  3. How do you resolve your DNS server? When I put it in the /etc/resolve.conf and restart, it goes away and goes back to the default DHCP DNS server, which in my case is the router. Everything is working on 127.0.0.2, but not when I restart, until I edit the nameserver. I’m using Ubuntu server, not Ubuntu with a GUI. I guess you can use the Network Manager GUI and it does the job, but I don’t know how to do the same in the server command line version.

    Any help would be great! Thanks.

  4. Thanks for the tutorial.
    When I start dnscrypt-proxy I get the error: [ERROR] Unable to bind (UDP) [Permission denied]

  5. Hi, have followed the tutorial, but it’s not encrypted on the tcp response, not sure what is wrong, this bit is fine:

    [INFO] Generating a new key pair
    [INFO] Done
    [INFO] Server certificate #1234567890 received
    [INFO] This certificate looks valid
    [INFO] Server key fingerprint is ……….
    [INFO] Proxying from 127.0.0.2:53 to 208.67.220.220:443

    It’s the next bit which seems to have hit a brick wall, any ideas as to what could be wrong?

    • After the [INFO] Proxying from 127.0.0.2:53 to 208.67.220.220:443, it should be working.
      Make sure you aren’t closing the terminal. Check your UFW firewall if enabled and run it as a root user.
