This script can be used to select and configure a public dnscrypt resolver to work with dnscrypt as described in http://nurdletech.com/linux-notes/dns/dnscrypt.html.
Before you can use it you must install the requests and docopt packages:
pip install --user requests docopt
To find a suitable resolver, change to the directory that contains this script and run:
./generate-dnscrypt-cmdline
This accesses the list of resolvers from https://github.com/jedisct1/dnscrypt-proxy and then prints out a summary of the available resolvers. You should choose one. Say, for example, the OpenNIC server in Dallas, which has the name fvz-rec-us-dal-01:
./generate-dnscrypt-cmdline fvz-rec-us-dal-01
This produces a command line that can configures dnscrypt-proxy so that it talks to the chosen resolver.
This script contains some assumptions that you can change by editing the script. One is that the location of the dnscrypt-proxy executable. Another is that dnscrypt-proxy should listen on port 2053. A third is that you would like a PID file (a file that contains the process ID of the dnscrypt-proxy process) and that it should be placed in /tmp.
Often one uses systemd to automatically start dnscrypt-proxy. To do so, add the generated command line to the ExecStart field in /etc/systemd/system/dnscrypt.service). The file should end up looking something like this:
[Unit] Description = DNScrypt After = network.target [Service] ExecStart = /usr/local/sbin/dnscrypt-proxy --provider-key=B00D:7AC0:1927:F4F7:519D:A0F1:CC8B:52B7:B331:815C:8D8E:6E30:49C4:FEDA:558A:A453 --provider-name=2.dnscrypt-cert.fvz-rec-us-sea-01.dnsrec.meo.ws --resolver-address=23.226.230.72 --local-address=127.0.0.1:2053 --pidfile=/tmp/dnscrypt.pid --daemonize Restart = always Type = forking User = nobody PIDfile = /tmp/dnscrypt.pid [Install] WantedBy = default.target
After updating the dnscrypt.service file, you should run:
systemctl daemon-reload
You can start (or restart) your dnscrypt-proxy service using:
systemctl restart dnscrypt systemctl status dnscrypt
Be sure the status messages include the message: 'This certificate looks valid'. If not, there may be a problem with the resolver you chose. You might try choosing another.