Setup DNSCrypt with Dnsmasq


DNS is an essential service for using the Internet. In essence, DNS is simply a database that links meaningful names - known as host names, such as https://pycycle.info - to a specific IP address. But DNS does not offer encryption by default. So an attacker with access to any component used to access the Internet, such as routers, switches or firewalls, could spy on your DNS queries or manipulate the DNS responses. To protect against this threat, DNSCrypt can be installed to encrypt and authenticate the DNS traffic between your local network and the upstream DNS server.

This tutorial shows how to set up DNSCrypt in combination with the Dnsmasq service. The prerequisite is a router running a Linux OS, for example a Raspberry Pi. With an external USB-to-Ethernet adapter the Raspberry Pi gets two network interfaces: one is connected to the internal network and the other to the router from your Internet Service Provider (ISP).

The first step is to install the required tools:

sudo apt install dnsmasq dnscrypt-proxy

Afterwards you have to adapt the configuration file of the Dnsmasq service, which is located at /etc/dnsmasq.conf. Change the following lines within that file:

[...]
# ignore configured name servers located in resolv.conf
no-resolv
# forward all dns requests to the dnscrypt-proxy
server=127.0.0.1#40
[...]

With these lines, Dnsmasq forwards all DNS requests to the dnscrypt-proxy listening on 127.0.0.1, port 40, and the nameservers configured in /etc/resolv.conf are ignored.

The next step is to customize the socket unit of the dnscrypt-proxy service. The file is located at /etc/systemd/system/sockets.target.wants/dnscrypt-proxy.socket. The two empty assignments clear the listen addresses shipped with the package; the two lines after them make the proxy listen on 127.0.0.1, port 40, for both TCP and UDP.

[...]
[Socket]
ListenStream=
ListenDatagram=
ListenStream=127.0.0.1:40
ListenDatagram=127.0.0.1:40
[...]

By default, dnscrypt-proxy uses the DNS server of Cloudflare. To change that, pick a resolver from the file /var/cache/dnscrypt-proxy/public-resolvers.md or from an online resolver list, and adjust server_names in the configuration file /etc/dnscrypt-proxy/dnscrypt-proxy.toml:

[...]
server_names = ['cloudflare']
[...]

Now let's reload the systemd manager configuration and restart the Dnsmasq service:

sudo systemctl daemon-reload
sudo systemctl restart dnsmasq.service

To verify that the setup works, have a look at the log files located in /var/log/dnscrypt-proxy/. If you encounter problems with the setup or have any questions, please feel free to contact me.
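Before reading the logs, it helps to check that the three files edited above agree with each other, since a port mismatch between the dnsmasq server= line and the socket unit is the most common reason the chain silently falls back or fails. The following script is an added example, not part of the original tutorial or of the dnsmasq or dnscrypt-proxy projects. It parses the three configuration files, verifies that dnsmasq forwards to exactly the address:port that the dnscrypt-proxy socket listens on for TCP and UDP, that no-resolv is set, and that server_names is configured. The default paths are the ones used in the tutorial; the environment variables and the function names are assumptions made here so the checks can be run against copies.

```shell
#!/bin/sh
# Consistency check for the Dnsmasq / dnscrypt-proxy wiring from this tutorial.
# Added example, not from the original post. Paths default to the tutorial's;
# override DNSMASQ_CONF, SOCKET_UNIT and PROXY_TOML to test against copies.

DNSMASQ_CONF="${DNSMASQ_CONF:-/etc/dnsmasq.conf}"
SOCKET_UNIT="${SOCKET_UNIT:-/etc/systemd/system/sockets.target.wants/dnscrypt-proxy.socket}"
PROXY_TOML="${PROXY_TOML:-/etc/dnscrypt-proxy/dnscrypt-proxy.toml}"

# Print dnsmasq's upstream forward targets, one per line, as address:port.
# Only active (uncommented) plain server= lines count; domain-specific
# entries (server=/example/...) are skipped. dnsmasq writes the port after
# '#' and omits it for the default port 53.
dnsmasq_forward_targets() {
    grep -E '^[[:space:]]*server=[^/]' "$1" \
        | sed -E 's/^[[:space:]]*server=//; /#/!s/$/#53/; s/#/:/'
}

# Succeed if an active no-resolv line is present.
dnsmasq_ignores_resolv() {
    grep -Eq '^[[:space:]]*no-resolv[[:space:]]*$' "$1"
}

# Print the effective values of one Listen* directive of a socket unit.
# systemd semantics: an empty assignment (ListenStream=) clears the list and
# every later assignment appends, which is why the tutorial's two blank
# assignments come before the 127.0.0.1:40 lines.
socket_listen_values() {
    awk -v key="$2" -F= '
        $1 ~ "^[ \t]*" key "$" { if ($2 == "") n = 0; else vals[n++] = $2 }
        END { for (i = 0; i < n; i++) print vals[i] }' "$1"
}

# Print the server_names value from dnscrypt-proxy.toml (empty if unset).
proxy_server_names() {
    grep -E '^[[:space:]]*server_names[[:space:]]*=' "$1" \
        | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# Report on all three files; return 0 only if the chain is consistent.
check_dns_setup() {
    conf="$1"; unit="$2"; toml="$3"; rc=0
    targets=$(dnsmasq_forward_targets "$conf")
    tcp=$(socket_listen_values "$unit" ListenStream)
    udp=$(socket_listen_values "$unit" ListenDatagram)
    names=$(proxy_server_names "$toml")

    if dnsmasq_ignores_resolv "$conf"; then
        echo "ok    no-resolv set; nameservers from /etc/resolv.conf are ignored"
    else
        echo "FAIL  no-resolv missing; dnsmasq could bypass dnscrypt-proxy via /etc/resolv.conf"
        rc=1
    fi

    if [ -n "$targets" ] && [ "$targets" = "$tcp" ] && [ "$targets" = "$udp" ]; then
        echo "ok    dnsmasq forwards to $targets, where dnscrypt-proxy listens (TCP and UDP)"
    else
        echo "FAIL  dnsmasq forwards to '$targets' but the socket unit listens on TCP '$tcp' / UDP '$udp'"
        rc=1
    fi

    if [ -n "$names" ]; then
        echo "ok    dnscrypt-proxy server_names = $names"
    else
        echo "WARN  server_names not set; dnscrypt-proxy picks from the public resolver list"
    fi
    return $rc
}

# When run directly on the router, check the live files; otherwise explain.
if [ -r "$DNSMASQ_CONF" ] && [ -r "$SOCKET_UNIT" ] && [ -r "$PROXY_TOML" ]; then
    check_dns_setup "$DNSMASQ_CONF" "$SOCKET_UNIT" "$PROXY_TOML"
else
    echo "note: config files not readable at the tutorial paths; set DNSMASQ_CONF, SOCKET_UNIT and PROXY_TOML" >&2
fi
```

Run it as root on the router (it needs read access to the systemd socket unit and the dnscrypt-proxy configuration); a non-zero exit status means the forwarding chain is broken on paper and the dnscrypt-proxy logs will not show any queries. The socket parser deliberately models the reset-then-append behaviour of systemd list directives, so a unit that forgot the empty assignments is reported as listening on two addresses rather than passing the check.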