Installation Debian Ubuntu

Frank Denis edited this page Sep 20, 2018 · 34 revisions

Installation on Debian and Ubuntu

Debian Stretch and Ubuntu currently ship with old and unsupported dnscrypt-proxy package (1.9.x). Debian Testing and Unstable have up to date packages.

Generic Linux installation procedure

The generic instructions for Linux work fine on Debian and Ubuntu. The additional instructions below are not required if you are going that route.

However, if you had an old dnscrypt-proxy 1.x version installed, remove it first with:

apt-get purge dnscrypt-proxy

Ubuntu PPA installation

sudo add-apt-repository ppa:shevchuk/dnscrypt-proxy && \
sudo apt update && \
sudo apt install dnscrypt-proxy

Do not upgrade from v1.x on Ubuntu Xenial. Instead first backup your systemd units (service and socket) then remove the old version and delete the systemd service file (keep the socket), then upgrade (replace artful with xenial in ppa sources.list). If you don't remove the old systemd unit service, the upgrade will not replace it and the new version will attempt to be started using the old systemd unit, which will fail.

Package also configures dnsmasq to use dnscrypt-proxy (see /etc/dnsmasq.d/dnscrypt-proxy).

The same package should also work fine on Debian.


If dnsmasq is already running

Option 1: remove dnsmasq

dnsmasq performs caching, as does dnscrypt-proxy v2. As such, the redundant caching is unnecessary, and dnsmasq can effectively be disabled. To disable dnsmasq for NetworkManager, make the /etc/NetworkManager/NetworkManager.conf file look like this:



Option 2: keep dnsmasq

If you want to continue to use dnsmasq (default on Ubuntu), some configuration is needed:

  • dnsmasq listens on, so configure dnscrypt-proxy to use something different (e.g., see listen_addresses in dnscrypt-proxy.toml)
  • configure dnsmasq to use dnscrypt-proxy if file not already configured:
$ sudo tee /etc/dnsmasq.d/dnscrypt-proxy << EOF
# Redirect everything to dnscrypt-proxy

Configure dnscrypt-proxy.toml

cd /etc/dnscrypt-proxy
sudo cp dnscrypt-proxy.toml dnscrypt-proxy.toml.original  # non-idempotent

In dnscrypt-proxy.toml, replace listen_addresses = [''] with listen_addresses = []. For some reason, the package installs systemd sockets instead of standard sockets.

Further configuration changes can be made later as needed, but in order to help with troubleshooting, keep the changes to a minimum for now.

Configure resolv.conf

Using the command line

This is just one way to get the nameserver persistently added to resolv.conf.

Create a file resolv.conf.override as below. Match the permissions and owner. Here, comes from listen_addresses in dnscrypt-proxy.toml.

$ cd /etc
$ ll resolv.conf.override
-rwxrwxrwx 1 root root 172 Jun 26 20:38 resolv.conf.override*
$ cat resolv.conf.override

Create a script 20-resolv-conf-override as below. Match the permissions and owner.

$ cd /etc/NetworkManager/dispatcher.d
$ ll 20-resolv-conf-override
-rwxr-xr-x 1 root root 101 Jun 26 20:45 20-resolv-conf-override*
$ cat 20-resolv-conf-override
cp -f /etc/resolv.conf.override /run/resolvconf/resolv.conf
$ sudo ln -f 20-resolv-conf-override ./pre-up.d/

Using the network configuration applet

  • Go to network configuration applet. Click Wifi Icon > Edit Connections > Click on Wired Connection 1 (if you use wired) or the Wifi name that you currently used and click Edit.
  • In the Editing... window, click IPv4 settings, choose Automatic (DHCP) address only on the method. Finally add in the DNS servers

Start services

If the PPA installer was used, restart the services:

sudo systemctl restart NetworkManager
sudo systemctl restart dnscrypt-proxy

The older commands for the same are:

sudo service network-manager restart
sudo service dnscrypt-proxy restart

If instead the installation was done manually:

sudo ./dnscrypt-proxy -service install
sudo ./dnscrypt-proxy -service start


dnscrypt-proxy -resolve
dig | grep SERVER # Must show matching nameserver, e.g., in resolv.conf
ping -c1 # Should show matching IP and ping successfully
sudo tcpdump  # Should show specific resolver if it is not rotating
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.