DNSCrypt Proxy is an open source application that encrypts the DNS traffic of our connection so that we can browse more securely. The program encrypts DNS requests locally and they are then decrypted by the DNS provider, so anyone who tries to intercept them along the way (for example, to perform a man-in-the-middle attack) will have a very difficult time reading them.
There are currently a good number of DNS providers supported by DNSCrypt Proxy, and since it is free software, anyone with sufficient knowledge can set up their own DNS server and configure it with the program. However, by default it is already preconfigured for use with OpenDNS.
In this post I am going to show you the simplest and most basic installation for Ubuntu and derivatives. Those who want a more advanced configuration can consult the project page and its repository on GitHub.
Installation
We start by installing the DNSCrypt Proxy package from the PPA repository maintained by Sergey «Shnatsel» Davidoff:
sudo add-apt-repository ppa:shnatsel/dnscrypt
sudo apt-get update
sudo apt-get install dnscrypt-proxy
With that it is already installed and running; all that remains is to tell the system to use it. For this we have two methods, the first from the console and the second in graphical mode. Choose the one you like the most:
Method 1
We deactivate the DNS servers that are currently being used:
sudo unlink /etc/resolv.conf
We create a new /etc/resolv.conf file with a text editor:
sudo gedit /etc/resolv.conf
And we paste this line to pass the DNS traffic through DNSCrypt:
nameserver 127.0.0.1
Now we protect the file to prevent Network Manager from modifying it:
sudo chattr +i /etc/resolv.conf
If the file needs to be edited again later, the protection has to be removed first:
sudo chattr -i /etc/resolv.conf
Then you can protect it again or not, depending on what you want to do.
We save the changes and close the editor.
Method 2
We click on the network icon in our panel and press Edit connections. Now we select the connection that we have active and click on Edit. In the window that opens we go to the IPv4 settings tab and we will see something like this:
We configure the options as seen there, selecting "Automatic addresses only (DHCP)" in Method and entering 127.0.0.1 in DNS servers.
Activation
Whether you used Method 1 or Method 2, the next step is to restart Network Manager:
sudo service network-manager restart
We will see that the connection is cut and restarted. If everything has gone well, DNSCrypt Proxy will already be working. To check it we go to this page, and if the result is positive it will welcome us to OpenDNS:
Otherwise we will get an error message saying "Oops", or no page will load at all. To solve it we simply change the server 127.0.0.1 to 127.0.0.2 (or some other) and restart Network Manager again.
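A way to confirm from the console that the Method 1 setup took effect, as an added example that is not part of the original post: it checks that every nameserver in resolv.conf is a loopback address, that the file is immutable, and that dnscrypt-proxy rather than another local resolver holds 127.0.0.1:53. The function names are hypothetical, and the address 127.0.0.1 and the process name dnscrypt-proxy are assumed from the steps above.

```bash
#!/bin/sh
# Added example, not part of the original post. Run check_system as root.

# Succeeds only if FILE lists at least one nameserver and every one is an
# IPv4 loopback address (127.x.x.x), as in Method 1; prints any that are not.
audit_resolv_conf() (
    total=0 leaks=0
    while read -r keyword addr rest || [ -n "$keyword" ]; do
        [ "$keyword" = "nameserver" ] || continue
        total=$((total + 1))
        case $addr in
            127.*) ;;
            *) echo "bypasses DNSCrypt: $addr"; leaks=$((leaks + 1)) ;;
        esac
    done < "$1"
    [ "$total" -gt 0 ] && [ "$leaks" -eq 0 ]
)

# Reads `ss -lunp` output on stdin and prints the name of the process bound
# to UDP ADDR:53 (empty if nothing is listening there).
dns_listener_owner() {
    awk -v want="$1:53" '{
        for (i = 1; i <= NF; i++)
            if ($i == want && match($0, /\(\("[^"]+"/)) {
                print substr($0, RSTART + 3, RLENGTH - 4)
                exit
            }
    }'
}

# Runs the checks against the live system.
check_system() {
    audit_resolv_conf /etc/resolv.conf || echo "FAIL: resolv.conf is empty or leaks"
    lsattr /etc/resolv.conf | grep -q '^[^ ]*i' || echo "WARN: resolv.conf is not immutable"
    owner=$(ss -lunp | dns_listener_owner 127.0.0.1)
    [ "$owner" = "dnscrypt-proxy" ] ||
        echo "FAIL: 127.0.0.1:53 is held by '${owner:-nothing}'"
}
```

Calling check_system prints nothing when all three checks pass; a non-loopback nameserver left in the file means those queries still leave the machine unencrypted.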
Only for Ubuntu 14.04
The maintainer of the PPA warns that there is a bug in Ubuntu 14.04 that prevents the computer from shutting down while DNSCrypt Proxy is running. He says he is working on a patch to resolve it, but in the meantime it can be worked around by running these commands, which switch the dnscrypt-proxy AppArmor profile to complain mode (violations are logged instead of blocked):
sudo apt-get install apparmor-utils
sudo aa-complain /etc/apparmor.d/usr.sbin.dnscrypt-proxy
Uninstallation
If later we want to stop using DNSCrypt Proxy, first of all we will have to restore the connection options to how they were at the beginning.
If you used Method 1, remove the protection from the file and then re-enable the old DNS with this command:
sudo rm /etc/resolv.conf && sudo ln -s /run/resolvconf/resolv.conf /etc/resolv.conf
If you used Method 2, open the network configuration menu again and in Method select "Automatic (DHCP)".
In either case, you will then have to restart Network Manager with the command mentioned above, and finally uninstall DNSCrypt Proxy like this:
sudo apt-get autoremove --purge dnscrypt-proxy
Don't forget to also remove the PPA by going to Software Center > Edit > Other software.
Does this also apply to openSUSE? Could you publish more information about this distro?
Broadly speaking, it is an [almost] generic method that applies to [almost] any distribution (method 2 for those that use Network Manager), but obviously the repositories change, as do some things like how to start and restart services.
regards
1. the first comment is invisible or something because the count starts at 2
2. I saw it in perseos blog but a pure compilation, and incidentally the article is no longer
1. The first comment is a pingback.
2. I had also seen it on the Perseus blog a long time ago, but now he seems to be doing maintenance and deleted all his posts.
I just tried it, but without any success.
I did what this tutorial said, and then I was left without internet, so I went back to the DNS I had before and everything was fine.
Did you miss a step, by chance? Because I can't understand how I could have been left without internet if I followed this tutorial to the letter.
Thank you.
Answering my own question: I was using DNSmasq and had to do a little more configuration. In the end I deleted it and followed this tutorial again and everything was OK. Thanks 😀
I'm glad you managed to fix it. 🙂
Hello! You know, I can't get it to work. What was that about DNSmasq?
If I am behind a proxy, does it work?
Technically, it should work.
I am using Privoxy and its configuration to block ads, and at the same time I use DNScrypt proxy, and I have not had any dramas. Perhaps it is because there are 2 proxies for different purposes, one for DNS and the other for browsing the web.
Great! The truth is that I did not know the method... super easy to configure in Arch Linux too... thanks.
That's right, Arch is also very easy; I didn't include it here because I don't have the updated steps, but the last time I used it there it was:
# pacman -S dnscrypt-proxy
# systemctl enable dnscrypt-proxy
# systemctl start dnscrypt-proxy
And the rest was the same as it is in the tutorial.
EDIT: The complete instructions are here: Install DNSCrypt Proxy on Arch Linux
Sorry, but I can't do it in Arch ... I install, enable, start, use step 2 and restart Network Manager and I always get the message: OPPSS ... What could it be?
Answering my own question: I used method 1 and it works for me. Thank you!
I have put here the instructions to do it in Arch Linux: https://blog.desdelinux.net/instalar-dnscrypt-proxy-en-arch-linux/
It looks good although I have not tried it yet.
Does this kind of thing affect the speed of the connection? Does it get slower?
Thank you.
On the contrary, it becomes faster because you start using OpenDNS DNS, which has a much higher response speed than your ISP's. Besides you benefit from the other attributes of OpenDNS such as protection against phishing and so on. 😉
Ok
Until now I used Google servers, I don't know how safe they will be but they are fast.
Yes, I have also used them, although I like the OpenDNS ones better because they give me the feeling that they are faster and generate fewer errors; although those are only my impressions, I have not done tests or anything to verify it. 😛
It's true, I've tried it on my other computer and it "seems" to go faster.
One thing I do not understand:
Why do you have to install dnscrypt-proxy? I mean, wouldn't it be enough to change the DNS that we have in our network configuration to OpenDNS DNS?
This is what I do to use Google DNS: I simply change that data in the computer configuration, I don't need to install anything or have to run another daemon ...
It is the only downside that I see.
With OpenDNS this can also be done, but what I describe is not the same. When you configure the DNS in this way, the queries are made by simple means, without any type of encryption or security. With this you add encryption and authentication. That is, with DNSCrypt Proxy you are using the OpenDNS DNS AND encryption technology, both, not just the first.
I understand, thanks for your answer.
On the internet they recommend the use of Unbound together with dnscrypt but I don't know very well what that program does.
What can you tell me?
As I understand it, it is a DNS server that you install locally. Theoretically, it should increase your speed even more because it generates a cache and DNSCrypt makes the requests there instead of sending them to OpenDNS, but other than that I have not investigated thoroughly to see exactly what the process consists of.
Ok, thanks for the info.
Hmm I highly doubt this will work in a company where local DNS and Proxy servers are used. Anyway I will try to see how.
Great, working 100%.
It worked for me! :') Thank you very much. I had been looking for a long time for how to use a proxy or VPN (free). I am still missing the VPN, as I could not find one that I could install on my Ubuntu.
I don't know why you were looking for a proxy, but if it was to change your IP, this will not work for you, since it only takes care of encrypting the requests between your machine and the DNS provider. Your IP remains the same and with regard to the servers everything remains the same.
Yes, I realized that after I did the test; it is to change the IP address, and with encryption it is already an advance in pursuit of security. Do you know of a blog post where it is explained more or less simply how to use a VPN in Ubuntu? From what I read and could see, there is an error that prevents uploading the file that contains the ready-made configuration, so things get a little more complicated, and I could not use one. When I was using Windows I had one called hotspotshield, and that doesn't have Linux support, or at least I don't know how to use it here. Thanks for the responses to anyone who can and wants to help me.
To use a VPN in Ubuntu you can use OpenVPN in Network Manager or in the terminal by simply typing "openvpn --config file", where file is the configuration file that your provider will give you; it will also ask you for a user and password. For example, there is the free vpnbook service. Of course, you have to install openvpn first if you don't have it installed.
Greetings.
Thanks Keiller. I uninstalled DNSCrypt Proxy as the post says, downloaded openvpn and the configuration files, and entered through the terminal with the config command. I put in the username and password and it gives me this error: ERROR: Cannot ioctl TUNSETIFF tun1: Operation not permitted (errno=1); Exiting due to fatal error
Do you know what I can do about it?
nameserver 127.0.0.1 It is left like this, it is only copied and pasted
It doesn't give me I can't use it: C
Read the instructions well:
You are probably better off doing it by Method 2.
Does this prevent my email from being hacked on a public wifi?
It helps you against man-in-the-middle attacks, but the best protection for public Wi-Fi is a VPN.
Many Thanks
The solution for this is to navigate with private and anonymous proxies, which do not keep user logs and, if possible, of dedicated use.
They are cheap and you ensure the total privacy of your browsing.
A greeting.
It does not work with VPN. A shame
No, because when browsing through a VPN you are using the DNS of the VPN itself instead of those configured locally.
Great thank you very much it makes me feel a little more secure when I connect to wifis without passwords
Hi guys, I followed the tutorial to the letter and now I don't have the Internet as I reverse the problem because in the specified way you don't want the proxy dnsscript without such. Help please I'm without internet.
You did not follow the tutorial to the letter. You are offline because you uninstalled DNSCrypt without reverting the changes first. Read the uninstall instructions again.
I followed the tutorial as I should. I used method 1 with its respective uninstallation. But when it is being removed it hangs in the process. Any ideas?
Let's see, let's go over the uninstallation steps ...
Unprotect the file:
sudo chattr -i /etc/resolv.conf
Restore the old DNS:
sudo rm /etc/resolv.conf
sudo ln -s /run/resolvconf/resolv.conf /etc/resolv.conf
Restart Network Manager:
sudo service network-manager restart
Uninstall DNSCrypt Proxy:
sudo apt-get autoremove --purge dnscrypt-proxy
In which command is it stuck?
In this :
sudo apt-get autoremove --purge dnscrypt-proxy
The uninstallation begins and then never ends.
There is an extra dash in the command; purge should only have two hyphens at the beginning, like this:
sudo apt-get autoremove --purge dnscrypt-proxy
Test if that solves your problem. Either way, if you followed the steps above you should have a connection regardless of whether that last command works or not.
Very good post helped me a lot. Excellent!!!
Interesting tutorial Manuel.
I have put it into practice and my connection is going great.
Thank you.
Hi friends of desdelinux, I would like to ask a question. When I try to do the installation process, after adding the repositories and updating, I run sudo apt-get install dnscrypt-proxy but it tells me:
E: The dnscrypt-proxy package could not be located. I have Ubuntu 14.04 and I don't know why this happens. Help.
The same thing happens to me 🙁
Ubuntu 14.04
I could do it easily in Arch / Antergos but in Debian / Jessie from the first step it fails, I don't know if it is not compatible with Debian:
keos@kaos:~$ su
Password:
root@kaos:/home/keos# add-apt-repository ppa:shnatsel/dnscrypt
bash: add-apt-repository: command not found
root@kaos:/home/keos#
Hello! The site is very good and I wanted to ask you:
I follow all the instructions but I can't get it to use the DNS that we changed in resolv.conf (127.0.0.1 or 127.0.0.2). So I am left without internet access. I use DEBIAN and WICD instead of Network Manager.
With "find / -name dnscrypt-proxy" I see that the program is installed where it is supposed to be (/usr/local/sbin and /usr/local/share/).
With «ps aux | grep dnscrypt-proxy» I get the following output:
root 6346 0.0 0.0 2808 672 ? SLs 09:45 0:00 dnscrypt-proxy --local-address=127.0.0.1 --daemonize --resolver-address=176.10.127.43:443 --provider-name=2.dnscrypt-cert.ns3.ca.dns.opennic.glue --provider-key=1C19:7933:1BE8:23CC:CF08:9A79:0693:7E5C:3410:2A56:AC7F:6270:E046:25B2:EDDB:04E3
I don't understand where I'm failing. I have read the --help but can't figure it out. Thank you very much in advance.
Perfect on Lubuntu 16.04, thank you very much for sharing the knowledge.
Hello, someone here who can help me with a vpn or proxy to do paid surveys in the United States, please