DNSCrypt

---

Hello,

I’ve tried seeking help on the manjaro forum since I’m still a member there and recently switched to Antergos. No one was able to help.
Also asked on the Arch forum, where I figured people would be the most tech-savvy, and they just deleted my thread because “Antergos is not Arch”.

I’ve had success using OpenDNS and DNScrypt together in the past.
I am using Opendns but cannot get DNScrypt to work again.
I’m on Gnome.
I’ve tried for hours while looking at instructions online.
I also have comcast, they recently moved all customers to DNSSEC servers. As a result, customers will see a new DNS IP address of either 75.75.75.75 and/or 75.75.76.76 rather than 127.0.0.1, 127.0.1.1

Really someone should write up an easy to understand step-by-step tutorial on getting OpenDNS and DNScrypt both working.
I’m sure it’d benefit many people wishing to enhance security.

But until then I’d be happy finding any help getting past the problems I’m experiencing.

I tried following the directions in the Arch wiki and installed dnscrypt-autoinstall.

start and enable the dnscrypt-proxy.service with:
“sudo systemctl start dnscrypt-proxy.service”
“sudo systemctl enable dnscrypt-proxy.service”

I get the return error of "Failed to execute operation: File exists.

Hello,

I’ve tried seeking help on the manjaro forum since I’m still a member there and recently switched to Antergos. No one was able to help.
Also asked on the Arch forum, where I figured people would be the most tech-savvy, and they just deleted my thread because “Antergos is not Arch”.

I’ve had success using OpenDNS and DNScrypt together in the past.
I am using Opendns but cannot get DNScrypt to work again.
I’m on Gnome.
I’ve tried for hours while looking at instructions online.
I also have comcast, they recently moved all customers to DNSSEC servers. As a result, customers will see a new DNS IP address of either 75.75.75.75 and/or 75.75.76.76 rather than 127.0.0.1, 127.0.1.1

Really someone should write up an easy to understand step-by-step tutorial on getting OpenDNS and DNScrypt both working.
I’m sure it’d benefit many people wishing to enhance security.

But until then I’d be happy finding any help getting past the problems I’m experiencing.

I tried following the directions in the Arch wiki and installed dnscrypt-autoinstall.

start and enable the dnscrypt-proxy.service with:
“sudo systemctl start dnscrypt-proxy.service”
“sudo systemctl enable dnscrypt-proxy.service”

I get the return error of "Failed to execute operation: File exists.

So changed the nameservers in resolv.conf to opendns ips. In my network settings under IPv4 I reset DNS to automatic rather than the OpenDNS ips.
Was that correct?
ran sudo systemctl restart NetworkManager
Trying to see if DNScrypt is working…
ran dnscrypt-proxy and got the return:
[ERROR] Resolver information required.
[ERROR] The easiest way to do so is to provide a resolver name.
[ERROR] Example: dnscrypt-proxy -R mydnsprovider
[ERROR] See the file [/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv] for a list of compatible public resolvers
[ERROR] The name is the first column in this table.
[ERROR] Alternatively, an IP address, a provider name and a provider key can be supplied.
[ERROR] Please consult [http://dnscrypt.org][0]">[http://dnscrypt.org][1] and the dnscrypt-proxy(8 ) man page for details.

ran sudo dnscrypt-proxy -R opendns
[NOTICE] Starting dnscrypt-proxy 1.4.3
[INFO] Initializing libsodium for optimal performance
[INFO] Generating a new key pair
[INFO] Done
[ERROR] Unable to bind (UDP) [Address already in use]
dnscrypt-proxy daemonize
[ERROR] Resolver information required.
[ERROR] The easiest way to do so is to provide a resolver name.
[ERROR] Example: dnscrypt-proxy -R mydnsprovider
[ERROR] See the file [/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv] for a list of compatible public resolvers
[ERROR] The name is the first column in this table.
[ERROR] Alternatively, an IP address, a provider name and a provider key can be supplied.
[ERROR] Please consult [http://dnscrypt.org][0]">[http://dnscrypt.org][1] and the dnscrypt-proxy(8 ) man page for details.

I see that OpenDNS is working still, despite setting DNS to automatic in network settings. not sure if this is any indication of dnscrypt working properly.

[0]: <a href=
[1]: http://dnscrypt.org

Hi,

I can’t help with your problem, as I’ve never done a setup like the one you’re trying, but this error:

Unable to bind (UDP) [Address already in use]

means that you had already something running and using that UDP port. Maybe trying to run the same service twice?

Maybe it is already working… but when I used to use the command "dnscrypt-proxy"
I used to get a return that it was working successfully, not that resolver info is required.
Thank you, I appreciate any feedback.

hi you can go to dnscrypt github to the newest server list:

[https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv][0]">[https://github.com/jedisct1/dnscrypt-pr][1] … olvers.csv
any way these are my config
edit accordingly
sudo gedit /etc/conf.d/dnscrypt-proxy

DNSCRYPT_LOCALIP=127.0.0.1
DNSCRYPT_LOCALPORT=53
DNSCRYPT_USER=nobody
DNSCRYPT_PROVIDER_NAME=2.dnscrypt-cert.d0wn.biz
DNSCRYPT_PROVIDER_KEY=F64D:AECA:A8AA:E31D:3896:8A93:1D96:EB54:9D70:CE57:A439:58B0:7685:6960:044B:EA62
DNSCRYPT_RESOLVERIP=128.199.248.105
DNSCRYPT_RESOLVERPORT=54

for openDNS
DNSCRYPT_LOCALIP=127.0.0.1
DNSCRYPT_LOCALPORT=53
DNSCRYPT_USER=nobody
DNSCRYPT_PROVIDER_NAME=2.dnscrypt-cert.opendns.com
DNSCRYPT_PROVIDER_KEY=B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79
DNSCRYPT_RESOLVERIP=208.67.220.220
DNSCRYPT_RESOLVERPORT=443

edit these files
DHCPCD(add to bottom)
sudo gedit /etc/dhcpcd.conf
nohook resolv.conf
noarp

resolv.conf
sudo gedit /etc/resolv.conf
nameserver 127.0.0.1 (add this bootom of file)

after editing
sudo systemctl daemon-reload

see if this helps

[0]: <a href=
[1]: https://github.com/jedisct1/dnscrypt-pr

I followed everything you said.
My /etc/conf.d/dnscrypt-proxy was already set to opendns
added
nohook resolv.conf
noarp
to the bottom of /etc/dhcpcd.conf

ran sudo chattr -i /etc/resolv.conf to make resolv.conf writeable, which otherwise it wasn’t
added nameserver 127.0.01 to the bottom (under the 2 opendns nameserver ips)

did sudo systemctl daemon-reload

Now tho @ [https://www.opendns.com/welcome/][0]">[https://www.opendns.com/welcome/][1]
it says OpenDns is no longer working.

running dnscrypt-proxy continues to return
"[ERROR] Resolver information required.
[ERROR] The easiest way to do so is to provide a resolver name.
[ERROR] Example: dnscrypt-proxy -R mydnsprovider
[ERROR] See the file [/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv] for a list of compatible public resolvers
[ERROR] The name is the first column in this table.
[ERROR] Alternatively, an IP address, a provider name and a provider key can be supplied.
[ERROR] Please consult [http://dnscrypt.org][0]">[http://dnscrypt.org][2] and the dnscrypt-proxy(8) man page for details."

Ran sudo systemctl restart NetworkManager
sudo systemctl stop dnscrypt-proxy.service
sudo systemctl disable dnscrypt-proxy.service
sudo systemctl start dnscrypt-proxy.service
sudo systemctl enable dnscrypt-proxy.service

To make sure everything is refreshed, and still.

So I guess I’ll undo the changes for now.
Where I added nohook resolv.conf
noarp
to the bottom of /etc/dhcpcd.conf,

was right beneath

“nohook lookup-hostname
noipv4ll”

which were already written in. assuming those scripts couldn’t be the problem, but I checked and removed the commands and left the ones you told me to write in, but still didn’t fix anything. So put everything back the way it was.

[0]: <a href=
[1]: https://www.opendns.com/welcome/
[2]: http://dnscrypt.org

Not sure if this helps, running "dig debug.opendns.com txt"
returns

; <<>> DiG 9.9.2-P2 <<>> debug.opendns.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15532
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com. IN TXT

;; ANSWER SECTION:
debug.opendns.com. 0 IN TXT "server 3.nyc"
debug.opendns.com. 0 IN TXT "flags 20 0 2F4 5950800000000000000"
debug.opendns.com. 0 IN TXT "originid 0"
debug.opendns.com. 0 IN TXT "actype 0"
debug.opendns.com. 0 IN TXT “source 73.198.217.38:40184”

;; Query time: 12 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Fri Jan 30 04:32:19 2015
;; MSG SIZE rcvd: 201

can you post
systemctl status dnscrypt-proxy.service -l
as per the link [https://www.opendns.com/welcome/][0]">[https://www.opendns.com/welcome/][1]
this shows that i am using opendns server after i changed the config

did u changed dns to 127.0.01 in network manager
under dns
server add 127.0.01 with automatic off and save and reboot
check the link to confirm opendns
sorry cant help u much as these are the config i tried and worked for me.

so if can once again follow these steps

1. systemctl status dnscrypt-proxy.service -l
   this shows its active(running)
   2)just remove the opendns ips and add nameserver 127.0.01
2. in network manager settings under dns
   server add 127.0.01 with automatic off and save
   4)sudo systemctl daemon-reload
   reboot and checck the opendns link

[0]: <a href=
[1]: https://www.opendns.com/welcome/

I just changed dns settings to 127.0.01, I had them set to automatic but in the ip input spaces 127.0.0.1 and 127.0.0.2 were written in, so I erased the 2nd one and set it to manual. But i think you mean 127.0.0.1 and not 127.0.01, right? you might have made a typo? that’s always how I see that IP written.

anyway after the change I tried the systemctl status dnscrypt-proxy.service -l and it says active (running) in green.

[http://i175.photobucket.com/albums/w158/Precision_Herp/Screenshotfrom2015-01-30121323_zpsdb269387.png][0]">[http://i175.photobucket.com/albums/w158][1] … 269387.png

2)just remove the opendns ips and add nameserver 127.0.01
you mean in /etc/resolv.conf?

I’ll go back and do everything you said to do in your first post, and just remove the opendns ips in resolv.conf.
If I’m understanding.

[0]: <a href=
[1]: http://i175.photobucket.com/albums/w158

So I did all that. When I wen/t to edit /etc/resolv.conf it already set itself to 127.0.0.1

“# Generated by resolvconf
nameserver 127.0.0.1”

It showed up like that the first time I had followed your instructions, when I went to put everything back to normal.
This time I left it.

Anyway now opendns.com/welcome gives me the oops error. Not detecting opendns.

If I run “systemctl status dnscrypt-proxy.service -l” , it still says it is active and running.

running dnscrypt-proxy continues to return
"[ERROR] Resolver information required.
[ERROR] The easiest way to do so is to provide a resolver name.
[ERROR] Example: dnscrypt-proxy -R mydnsprovider
[ERROR] See the file [/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv] for a list of compatible public resolvers
[ERROR] The name is the first column in this table.
[ERROR] Alternatively, an IP address, a provider name and a provider key can be supplied.
[ERROR] Please consult [http://dnscrypt.org][0]">[http://dnscrypt.org][1] and the dnscrypt-proxy(8) man page for details."

then I tried “dnscrypt-proxy -R opendns” as it mentions^ and as I’ve tried in the past and it returns:
[NOTICE] Starting dnscrypt-proxy 1.4.3
[INFO] Initializing libsodium for optimal performance
[INFO] Generating a new key pair
[INFO] Done
[ERROR] Unable to bind (UDP) [Permission denied]

gah idk. I really appreciate your help tho. I’ve tried for hours uninstalling and reinstalling and messing around.

[0]: <a href=
[1]: http://dnscrypt.org

dnscrypt.eu-dk-port5353 DNSCrypt.eu Denmark (port 5353) Free, non-logged, uncensored. Hosted by Netgroup. Denmark [https://dnscrypt.eu][0]">[https://dnscrypt.eu][1] 1 yes yes no 77.66.84.233:5353 2.dnscrypt-cert.resolver2.dnscrypt.eu 3748:5585:E3B9:D088:FD25:AD36:B037:01F5:520C:D648:9E9A:DD52:1457:4955:9F0A:9955 pubkey.resolver2.dnscrypt.eu

ok as per ur log i see that u are using denmark server not opendns
opendns is this

opendns OpenDNS Predict and prevent attacks before they happen Anycast [https://www.opendns.com][0]">[https://www.opendns.com][2] 1 no no no 208.67.220.220:443 2.dnscrypt-cert.opendns.com B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79

check this site for dnscrypt resolvers
[https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv][0]">[https://github.com/jedisct1/dnscrypt-pr][3] … olvers.csv

can u pls post ur
/etc/conf.d/dnscrypt-proxy and /usr/lib/systemd/system/dnscrypt-proxy.service

as ur systemctl status dnscrypt-proxy.service -l ( image u posted) doesnt show opendns

[0]: <a href=
[1]: https://dnscrypt.eu
[2]: https://www.opendns.com
[3]: https://github.com/jedisct1/dnscrypt-pr

/etc/conf.d/dnscrypt-proxy
DNSCRYPT_LOCALIP=127.0.0.1
DNSCRYPT_LOCALPORT=53
DNSCRYPT_USER=nobody
DNSCRYPT_PROVIDER_NAME=2.dnscrypt-cert.opendns.com
DNSCRYPT_PROVIDER_KEY=B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79
DNSCRYPT_RESOLVERIP=208.67.220.220
DNSCRYPT_RESOLVERPORT=443

/usr/lib/systemd/system/dnscrypt-proxy.service
[Unit]
Description=A tool for securing communications between a client and a DNS resolver.
After=network.target
# Only needed if you use pdnsd, other caching DNS servers can go here. Could be ignored too.
#Before=pdnsd.service

[Service]
EnvironmentFile=/etc/conf.d/dnscrypt-proxy
ExecStart=/usr/bin/dnscrypt-proxy \
–local-address=${DNSCRYPT_LOCALIP}:${DNSCRYPT_LOCALPORT} \
–resolver-address=${DNSCRYPT_RESOLVERIP}:${DNSCRYPT_RESOLVERPORT} \
–provider-name=${DNSCRYPT_PROVIDER_NAME} \
–provider-key=${DNSCRYPT_PROVIDER_KEY} \
–user=${DNSCRYPT_USER}
Restart=on-abort

[Install]
WantedBy=multi-user.target

The way I went about installing this was setting my IPv4 DNS ips as OpenDNS than installing DNSCrypt. I believe it causes dnscrypt-proxy to use opendns but perhaps that is not the right way to set it up?

hi
i am not able to understand that as per the link [http://i175.photobucket.com/albums/w158][0]">[http://i175.photobucket.com/albums/w158][1] … 269387.png, this doesnt show opendns
whereas ur /etc/conf.d/dnscrypt-proxy shows opendns
very strange

and bout "The way I went about installing this was setting my IPv4 DNS ips as OpenDNS than installing DNSCrypt. I believe it causes dnscrypt-proxy to use opendns but perhaps that is not the right way to set it up?"
i things u dont need to set IPv4 DNS ips as OpenDNS as dnscrypt will take care.
also in network manager have u changed dns to 127.0.0.1 with automatic off.
funny is that systemctl status dnscrypt-proxy.service -l it should show opendns ; whereas urs is not opendns!!!
i think my expertise on this is limited.
these are few things i know and i use to set up dnscrypt and with opendns thinks lookfine here and link does show me its fine.
sorry bro cant help u no more
cheers

[0]: <a href=
[1]: http://i175.photobucket.com/albums/w158

"also in network manager have u changed dns to 127.0.0.1 with automatic off."
yes.

Thanks for your help dude, I really appreciate all of your responses.
I think maybe I’ll try reinstalling DNSCrypt now that dns is set to 127.0.0.1 in network settings.
EDIT: after reinstalling, all settings are the same.