Enable DnsCrypt on your Ubuntu machine

For mirroring purposes, this is a working copy-paste of https://madebits.github.io/#blog/2014/2014-12-12-Using-DNSCrypt-on-Ubuntu-14.04.md

DNSCrypt enables making encrypted DNS queries to the DNS providers that support it. There is a PPA for DNSCrypt for Ubuntu, but it is not maintained at the time of this writing and it has no binary for Ubuntu 14.04 LTS. To install DNSCrypt I used these steps, which I tried on Lubuntu 14.04 LTS:

  • Visit DNSCrypt PPA packages and download libsodium for trusty and dnscrypt-proxy for saucy (I used the 64-bit version for my machine; you may need the 32-bit versions).
  • I used the gdebi-gtk tool to install first libsodium4_0.4.5-0~trusty5_amd64.deb and then dnscrypt-proxy_1.4.0-0~oldconf2+saucy1_amd64.deb (you can also use dpkg -i).
  • dnscrypt-proxy runs then locally in address on port 53 (use netstat -tuplen to verify).
  • The default DNSCrypt PPA package apparmor profile prevents Ubuntu 14.04 from shutting down. To fix that I edited it (sudo leafpad /etc/apparmor.d/usr.sbin.dnscrypt-proxy) and replaced its content with the following:
  # Last Modified: Tue Dec 02 22:20:12 2014

  #include <tunables/global>

  /usr/sbin/dnscrypt-proxy {
    #include <abstractions/base>

    network inet stream,
    network inet6 stream,
    network inet dgram,
    network inet6 dgram,

    capability net_admin,
    capability net_bind_service,
    capability setgid,
    capability setuid,
    capability sys_chroot,
    capability ipc_lock,

    /bin/false r,
    /etc/ld.so.cache r,
    /etc/nsswitch.conf r,
    /etc/passwd r,

    # In case of custom libsodium installation
    /usr/local/lib/{@{multiarch}/,}libsodium.so* mr,

    # Reasonable pidfile location - tweak this if you prefer a different one
    /run/dnscrypt-proxy.pid rw,
  }

(Ed.) You may want to run which libsodium4 and which dnscrypt-proxy and check the actual paths.

  • Optional: dnscrypt-proxy configuration for the init service daemon is found in /etc/default/dnscrypt-proxy. The parameters (with -- added) are documented in man dnscrypt-proxy. I edited /etc/default/dnscrypt-proxy as root to specify an alternative DNS server. The list of the official available servers can be found on GitHub, or locally in /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv. To verify that a given server works use dig -p 443 @ google.com (replace ip and port as needed). If you edit /etc/default/dnscrypt-proxy, you should run sudo restart dnscrypt-proxy afterwards.
  • Verify that dnscrypt-proxy runs by using ps -ef | grep dnscrypt. Then verify it can resolve addresses by using dig @ google.com (if you configured tcp-only for dnscrypt-proxy then use dig +vc @ google.com).
  • If all is OK, you can replace your current DNS servers in the Network Manager UI. If you use DHCP, select Automatic (DHCP) addresses only, and set the in Additional DNS servers. Once done, run sudo service network-manager restart for it to take effect. Verify the server used with nm-tool | grep -i dns.

End of copy-paste. You could download the latest package of dnscrypt-proxy and libsodium and compile it locally – best advice so far.
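
The checks in the steps above (netstat -tuplen, then nm-tool | grep -i dns) can be scripted so that an exposed listener or a leftover non-proxy DNS server stands out. This is an added example, not part of the original post: the sample output is constructed, and PROXY_ADDR is a placeholder for whatever address your dnscrypt-proxy actually listens on.

```shell
#!/bin/sh
# Added example. PROXY_ADDR is a placeholder: use the address your proxy listens on.
PROXY_ADDR="127.0.0.1"

# Reads `netstat -tuplen` output on stdin; prints "proto local-address" for each
# socket that dnscrypt-proxy holds on port 53. Run netstat as root, otherwise the
# PID/Program column is "-" and nothing matches.
proxy_listeners() {
    awk '$NF ~ /\/dnscrypt-proxy$/ && $4 ~ /:53$/ { print $1, $4 }'
}

# Reads proxy_listeners output; prints listeners that are not on loopback,
# i.e. a proxy that is reachable from the network.
exposed_listeners() {
    awk '$2 !~ /^127\./ && $2 !~ /^::1:/'
}

# Reads `nm-tool` output on stdin; prints every DNS server other than the
# proxy. Any output means some queries can still leave unencrypted.
leaking_dns_servers() {
    awk -v proxy="$1" '$1 == "DNS:" && $2 != proxy { print $2 }'
}

# Constructed sample output (not captured from a real machine).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address   Foreign Address State  User Inode PID/Program name
tcp        0      0 127.0.0.1:53    0.0.0.0:*       LISTEN 0    11001 901/dnscrypt-proxy
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN 0    10440 733/sshd
udp        0      0 127.0.0.1:53    0.0.0.0:*              0    11000 901/dnscrypt-proxy
udp        0      0 0.0.0.0:68      0.0.0.0:*              0    10990 850/dhclient
EOF
}
sample_nm_tool() {
    cat <<'EOF'
    DNS:             127.0.0.1
    DNS:             192.168.1.1
EOF
}

echo "proxy listeners:";   sample_netstat | proxy_listeners
echo "exposed listeners:"; sample_netstat | proxy_listeners | exposed_listeners
echo "leaking DNS:";       sample_nm_tool | leaking_dns_servers "$PROXY_ADDR"
```

On a live system, pipe sudo netstat -tuplen and nm-tool into the same functions instead of the sample data.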


