[Question] Help me to set DNSCrypt-proxy correctly !

[Nokia808]

Hi. I'm sorry to post this here but I did not find better place for it.
I'm on Fedora 30 X64 bit Cinnamon edition.
My Internet service provider enforce to use it's DNS even if I set different one using GUI of network manager !
I installed your dnscrypt-proxy from official Fedora repositories as following:

sudo dnf install dnscrypt-proxy
then
sudo systemctl start dnscrypt-proxy
then
sudo systemctl enable dnscrypt-proxy
then reboot my laptop

After that - from GUI of my DE for my network manager - I change my network connection as following:

• "Advanced Network Configuration" > select "IP4 setting > Automatic (DHCP) address only" > then set DNS to 127.0.0.1
  then switched to "IPV6" & select "ignore"
  then saved & close this window
  then reboot my laptop

It was working very very very well !

But then I did additional step:
sudo vi /etc/NetworkManager/NetworkManager.conf
& then add the following line to section [main]:
dns=default

this line "dns=default" was not existing by default. I added it according to the following link (when I conclude that it will provide better security though page does not talking about DNSCrypt-proxy):
https://www.azirevpn.com/support/guides/computer/linux/change-dns

then reboot. After reboot I visited https://ipleak.net & every thing was okay. Then I went to sleep & today I opened my laptop & rechecked at https://ipleak.net when I confronted when I saw among many DNS servers DNS POINTED TO MY COUNTRY & CITY !!!

I rebbot & recheck but at this current session no such DNS leak !!!

Please help me:

1. is adding "dns=default" responsible for this DNS leak ?

2. what is the best value for "/etc/NetworkManager/NetworkManager.conf" ? Is it:
   dns=default
   or
   dns=none
   or it is better to delete this line & return as it was not found ?

3. if dns-default line that I added not responsible, so what it was this DNS leak & how can I block & prevent it in future ?

Thank you very much for your great tool.

[TraderStf]

DNSCrypt is not a VPN, it changes/secures your DNS.
On ipleak
Your IP addresses, will be the same
DNS Addresses, will be different than usual if DNSCrypt is working.

Try to force quit DNSCrypt, I have this bug from time to time.
As it will restart automatically, the problem is solved.

Perhaps a smartdns or vpn would be easier for you.

[jedisct1]

Don't add dns=default. The guide you read is unrelated to dnscrypt-proxy.

The dnscrypt-proxy documentation is here: https://github.com/jedisct1/dnscrypt-proxy/wiki

[Nokia808]

@jedisct1
I did what you asked me to do. I delete "dns=default" & save then reboot. I did not confronted with the issue on 2 reboot till now.
But - before close this issue - can you inform me, what "dns=default" & "dns=none" mean ?
When I was on Fedora 28, I tried dnscrypt-proxy but not worked at all due to packaging error from Fedora side that resolved for Fedpra 29+, so I delayed my use till upgrading for Fedora 30.
When I was on Fedora 28, I read in Internet an older post said that we should use "dns=none" & I tried it (at time when dnscrypt-proxy not work at all) & it result in block all Internet traffic except Tor browser which was the only part of my system that can connect to Internet. But on Fedora 30 - & after install dnscrypt-proxy & enable it - I tried also "dns=none" & my Internet connection was not affected though I did not set DNS at "127.0.0.1" but to COMODO DNS server.
I asked about these because I did not find answers on Internet .....

@TraderStf
Dear I'm already using VPN by terminal & configuration files & I was treat DNS leak by manual setting of DNS to specific server like COMODO DNS or OpenDNS ..... & it was okay. But several months ago, ISPs changed their policy & became not responding to manual setting even from within WiFi routers !! For that I got interest in dnscrypt-proxy ......
By the way, in the issue of this thread the DNS address that shown on https://ipleak.net is the same IP address of my country that I have when VPN switched OFF. While before install dnscrypt-proxy & enable it & change my connection to 127.0.0.1 DNS address was differ from my IP address though they belong to same country but different cities ......

[eclipseo]

The only thing you need on Fedora is to set dns=none like you did and set up resolv.conf:

https://github.com/jedisct1/dnscrypt-proxy/wiki/Installation-linux#step-4-change-the-system-dns-settings

Now, make a backup of the /etc/resolv.conf file:

cp /etc/resolv.conf /etc/resolv.conf.backup

Then delete the /etc/resolv.conf file (important, since this can be a dangling link instead of an actual file):

rm -f /etc/resolv.conf

And create a new /etc/resolv.conf file with the following content:

nameserver 127.0.0.1
options edns0

Let's check that everything works by sending a first query using dnscrypt-proxy:

./dnscrypt-proxy -resolve example.com

[Nokia808]

@eclipseo

1. currently I deleted "dns=default" & DOES NOT SET "dns=none". Please see the following:

# Configuration file for NetworkManager.
#
# See "man 5 NetworkManager.conf" for details.
#
# The directories /usr/lib/NetworkManager/conf.d/ and /var/run/NetworkManager/conf.d/
# can contain additional configuration snippets installed by packages. These files are
# read before NetworkManager.conf and have thus lowest priority.
# The directory /etc/NetworkManager/conf.d/ can contain additional configuration
# snippets. Those snippets are merged last and overwrite the settings from this main
# file.
#
# The files within one conf.d/ directory are read in asciibetical order.
#
# If /etc/NetworkManager/conf.d/ contains a file with the same name as
# /usr/lib/NetworkManager/conf.d/, the latter file is shadowed and thus ignored.
# Hence, to disable loading a file from /usr/lib/NetworkManager/conf.d/ you can
# put an empty file to /etc with the same name. The same applies with respect
# to the directory /var/run/NetworkManager/conf.d where files in /var/run shadow
# /usr/lib and are themselves shadowed by files under /etc.
#
# If two files define the same key, the one that is read afterwards will overwrite
# the previous one.

[main]
#plugins=ifcfg-rh,ibft


[logging]
# When debugging NetworkManager, enabling debug logging is of great help.
#
# Logfiles contain no passwords and little sensitive information. But please
# check before posting the file online. You can also personally hand over the
# logfile to a NM developer to treat it confidential. Meet us on #nm on freenode.
# Please post full logfiles except minimal modifications of private data.
#
# You can also change the log-level at runtime via
#   $ nmcli general logging level TRACE domains ALL
# However, usually it's cleaner to enable debug logging
# in the configuration and restart NetworkManager so that
# debug logging is enabled from the start.
#
# You will find the logfiles in syslog, for example via
#   $ journalctl -u NetworkManager
#
# Note that debug logging of NetworkManager can be quite verbose. Some messages
# might be rate-limited by the logging daemon (see RateLimitIntervalSec, RateLimitBurst
# in man journald.conf).
#
#level=TRACE
#domains=ALL
                                                                                                                                    50,1          Bot

Is this okay or still I need to add "dns=none" ??

2. resolv.conf file on my system - after managed DNS from within GUI (advanced network configuration) is as bellow:

# Generated by NetworkManager
nameserver 127.0.0.1
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
                                                                                                                                    2,1           All

Is there need to do any further tweak ? I think no since both https://ipleak.net & https://dnsleaktest.com/ are okay (show DNS servers not related to my country = No DNS leak) ?

[jedisct1]

Looks good.

[Nokia808]

@jedisct1
Okay but since you delayed in replay me, I reached to conclusion that it is okay but regullarly it miss "dns=none" but although it missed but it is working okay !

For that I searched Internet about what mean "dns=none" but I found nothing ! So, I concluded by my imagination that "dns=none" will PREVENT usual (non-dnscrypt-proxy) DNS whither this usual DNS being the default of ISP or customized DNS that set by user via Network manager GUI, isn't it ?

And for all that I re-edited my file by re-adding line "dns=none" to achieve the maximum possible security & prevent any possible DNS leak, so is this okay ? Please, kindly, confirm this.

Now the output is as following:

1. vi /etc/NetworkManager/NetworkManager.conf

# Configuration file for NetworkManager.
#
# See "man 5 NetworkManager.conf" for details.
#
# The directories /usr/lib/NetworkManager/conf.d/ and /var/run/NetworkManager/conf.d/
# can contain additional configuration snippets installed by packages. These files are
# read before NetworkManager.conf and have thus lowest priority.
# The directory /etc/NetworkManager/conf.d/ can contain additional configuration
# snippets. Those snippets are merged last and overwrite the settings from this main
# file.
#
# The files within one conf.d/ directory are read in asciibetical order.
#
# If /etc/NetworkManager/conf.d/ contains a file with the same name as
# /usr/lib/NetworkManager/conf.d/, the latter file is shadowed and thus ignored.
# Hence, to disable loading a file from /usr/lib/NetworkManager/conf.d/ you can
# put an empty file to /etc with the same name. The same applies with respect
# to the directory /var/run/NetworkManager/conf.d where files in /var/run shadow
# /usr/lib and are themselves shadowed by files under /etc.
#
# If two files define the same key, the one that is read afterwards will overwrite
# the previous one.

[main]
#plugins=ifcfg-rh,ibft
dns=none

[logging]
# When debugging NetworkManager, enabling debug logging is of great help.
#
# Logfiles contain no passwords and little sensitive information. But please
# check before posting the file online. You can also personally hand over the
# logfile to a NM developer to treat it confidential. Meet us on #nm on freenode.
# Please post full logfiles except minimal modifications of private data.
#
# You can also change the log-level at runtime via
#   $ nmcli general logging level TRACE domains ALL
# However, usually it's cleaner to enable debug logging
# in the configuration and restart NetworkManager so that
# debug logging is enabled from the start.
#
# You will find the logfiles in syslog, for example via
#   $ journalctl -u NetworkManager
#
# Note that debug logging of NetworkManager can be quite verbose. Some messages
# might be rate-limited by the logging daemon (see RateLimitIntervalSec, RateLimitBurst
# in man journald.conf).
#
#level=TRACE
#domains=ALL
                                                                                                                                    50,1          Bot

2. vi /etc/resolv.conf

# Generated by NetworkManager
nameserver 127.0.0.1
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
~                                                                                                                                                     
"/etc/resolv.conf" [readonly] 2L, 51C                                                                                               2,14          All

Please just confirm, kindly, that "dns=none" is more secure !

By the way, I feel that your data about Fedora somewhat out of date because no any package for Fedora called "resolvconf" !! Your guide asking for "sudo apt-get remove resolvconf" which = "sudo dnf remove resolvconf" but no such package in Fedora/RPMFusion repositories & not existing on my system !

[MystesofEternity]

@Nokia808 Like you, I use fedora and as a 7-year old programmer and budding network admin I can assure you that you do not need to concern yourself so heavily about the "dns=none" or "dns=default" BECAUSE it does not really "add" to security. The main goal of using DNSCrypt is to secure DNS queries from MITM attacks or attacks involving manipulation of your DNS queries. I don't know how NetworkManager works as a whole but for starters it pays off to know what this NetworkManager is. It's that software being used to manage your network settings in linux and is being utilized when you modify your settings through the UI i.e. setting your IPv6 to ignore and etc.

My best guess on what happens with "dns=default" is NetworkManager does away with the defaults of picking up the DNS settings provided by your router/modem while "dns=none" means no DNS server is set in resolv.conf? I'm not really about "dns=none" but in any case it doesn't matter, what matters is to get that DNSCrypt being utilized properly by your system.

Since you've already removed "dns=default" on your NetworkManager.conf, the only thing left to do is to set the following lines to your /etc/resolv.conf

nameserver 127.0.0.1
options edns0

I'm not really sure what options edns0 does but that's what the instructions say and I'm pretty sure jedisct1 knows what he is doing so there is no need to worry about that.

[Nokia808]

@MystesofEternity
Thank you for your response.
But there is something: I tried to edit /etc/resolv.conf file by

sudo vi /etc/resolv.conf
then add:
options edns0

I noticed after save & exit by :qw the edns0 became RED in colour !
Then I restart my PC. After that, I inspect /etc/resolv.conf by "vi /etc/resolv.conf" & I confronted when I saw that my edit (line: options edns0) disappeared at all & file return as it was before my edition !

I think that what @eclipseo said is needed. He said:

Now, make a backup of the /etc/resolv.conf file:
cp /etc/resolv.conf /etc/resolv.conf.backup
Then delete the /etc/resolv.conf file (important, since this can be a dangling link instead of an actual file):
rm -f /etc/resolv.conf

But is there real need to do this ?? DNSCrypt seem to do well on my system: every time I visit any site to examine DNS, it never reveal my ISP DNS ... So, does really we need to add "options edns0" ??

[MystesofEternity]

The behavior of "options edns0" disappearing is because NetworkManager's automated behavior whenever a network connection has been established. This happens because it enforces whatever you have indicated in the GUI as your DNS servers and this is normal behavior that I have observed through almost a year of using Fedora.

I did some research about EDNS0. Take a look at this:

It seems setting "options edns0" is essential for making use of DNSSEC in your system. Since you are highly concerned about security, I believe you have DNSSEC set as true in your dnscrypt-proxy.toml file.

In this case it is essential for you to add "options edns0" to your resolv.conf file. I know the pain of having to do this every single time and what I did is to actually have a startup script copy the "correct" version of resolv.conf to /etc/resolv.conf
Do you know how to do scripting in linux?

[Nokia808]

@MystesofEternity
I have limited experience in writing scripts. In fact It was about 2 & 1/2 hrs since I write last script. However, I never know how to make autostart script at all. It will be very helpful if you post your script here & explain what are the line that needed to make it autostart script.

But why you did not inform me from 1st time that adding options edns0 by usual method will overrided on next boot/restart ?

[MystesofEternity]

Huh? I'm not sure why you're asking about why I informed you on the fact that it will be overridden on reboot. No need to delve on the details because I don't really bother to read much code on opensource software specifically the common day-to-day ones like NetworkManager.

As for autorun script I'll assume you have your resolv.conf.backup on your desktop and i'll assume your username in your linux installation is "Nokia808".

#!/bin/bash
sudo cp resolv.conf.backup /etc/resolv.conf

name the file fixResolvconf.sh and place it on your home directory or desktop
I assume you know how to use the cd command to traverse directories? If not just put it in your home directory(the directory where you can see folders like Desktop, Downloads, Documents, and etc.)
NOTE: Make sure your resolv.conf.backup file is in the home directory TOO!

Open a command line and type the command chmod +x fixResolvconf.sh
After that you just execute your new script through ./fixResolvconf.sh

As for automating it to become your startup script, I'm afraid I can't help you out with that just yet as I haven't spent much time understanding how to use cron to make cron jobs. I actually just run the script on my own instead of having it automatically execute. Since the command has to run as root user you will be prompted to type your password and unfortunately the only way to have a better life out of that is through making a cron job.

Best of luck!