[SOLVED] Since 1.6.0-2 the conf.d file is no longer in use. We have enabled systemd support and providing upstream systemd units. You will need to use the systemd way (overriding in /etc/systemd/system/dnscrypt-proxy.{service,socket}.d) to apply your customization.

Edit 01: I’ve filed a bug report… FS#45970 - dnscrypt-proxy 1.6.0-2 sometimes it starts sometimes it fails + weird boot messages…

Edit 02: It's a fully functional HOW-TO now again ;)… Thanks FerikD!

Edit 03: Since Cisco now owns OpenDNS, I moved away from it. Thanks for the config / idea, MrRee!

I chose opennic.

ExecStart=/usr/bin/dnscrypt-proxy \
    --provider-name=2.dnscrypt-cert.resolver2.dnscrypt.eu \
    --resolver-address=77.66.84.233:443 \
    --provider-key=3748:5585:E3B9:D088:FD25:AD36:B037:01F5:520C:D648:9E9A:DD52:1457:4955:9F0A:9955 \
    --user=nobody

Reason?

[…] Opennic has a “round-robin dns server randomizer” in beta testing, which actually splits your dns lookups securely between 19 different dns servers […]

So…

After the latest upgrade dnscrypt-proxy no longer plays nice… I saw this message after the upgrade:

Since 1.6.0-2 the conf.d file is no longer in use. We have enabled systemd support and providing upstream systemd units.
You will need to use the systemd way (overriding in /etc/systemd/system/dnscrypt-proxy.{service,socket}.d) to apply your customization

Here is how to fix it:

Stop dnscrypt-proxy

systemctl stop dnscrypt-proxy

Warning: Stopping dnscrypt-proxy.service, but it can still be activated by:
dnscrypt-proxy.socket

systemctl stop dnscrypt-proxy.socket

Disable dnscrypt-proxy

systemctl disable dnscrypt-proxy

Removed symlink /etc/systemd/system/multi-user.target.wants/dnscrypt-proxy.service.
Removed symlink /etc/systemd/system/sockets.target.wants/dnscrypt-proxy.socket.

systemctl disable dnscrypt-proxy.socket

Find the socket file:

updatedb

IF this fails:

pacman -S mlocate

and re-run the updatedb command…

locate dnscrypt-proxy.socket

/usr/lib/systemd/system/dnscrypt-proxy.socket

Check its content:

cat /usr/lib/systemd/system/dnscrypt-proxy.socket

[Unit]
Description=dnscrypt-proxy listening socket

[Socket]
ListenStream=127.0.0.1:53
ListenDatagram=127.0.0.1:53

[Install]
WantedBy=sockets.target

Edit the socket file:

mcedit /usr/lib/systemd/system/dnscrypt-proxy.socket

and add the following line to the [Unit] section (if your copy of the unit already has After=network.target there, replace it):

Before=network.target

It should now look like this:

cat /usr/lib/systemd/system/dnscrypt-proxy.socket

[Unit]
Description=dnscrypt-proxy listening socket
Before=network.target

[Socket]
ListenStream=127.0.0.1:53
ListenDatagram=127.0.0.1:53

[Install]
WantedBy=sockets.target

Find the service file:

locate dnscrypt-proxy.service

/usr/lib/systemd/system/dnscrypt-proxy.service

Edit the service file using your DNS provider details:

mcedit /usr/lib/systemd/system/dnscrypt-proxy.service

Here is what *my service file* looks like:

cat /usr/lib/systemd/system/dnscrypt-proxy.service

[Unit]
Description=DNSCrypt client proxy
Requires=dnscrypt-proxy.socket

[Install]
Also=dnscrypt-proxy.socket
WantedBy=multi-user.target

[Service]
Type=simple
NonBlocking=true
ExecStart=/usr/bin/dnscrypt-proxy \
    --provider-name=2.dnscrypt-cert.opendns.com \
    --resolver-address=208.67.220.220:443 \
    --provider-key=B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79 \
    --user=nobody

To avoid the service file being overwritten by upgrades, copy /usr/lib/systemd/system/dnscrypt-proxy.service to /etc/systemd/system/ (a unit in /etc takes precedence over the packaged one of the same name), as explained on MrRee's blog. The same applies to the socket unit edited above: anything left under /usr/lib/systemd/system/ is replaced on the next package upgrade, so either copy it alongside the service or keep the change in a drop-in under /etc/systemd/system/dnscrypt-proxy.socket.d/ as the package message suggests.

cp /usr/lib/systemd/system/dnscrypt-proxy.service /etc/systemd/system/

Enable the service, restart it and check that DNSCrypt is working:

systemctl enable dnscrypt-proxy

Created symlink from /etc/systemd/system/multi-user.target.wants/dnscrypt-proxy.service to /etc/systemd/system/dnscrypt-proxy.service.
Created symlink from /etc/systemd/system/sockets.target.wants/dnscrypt-proxy.socket to /usr/lib/systemd/system/dnscrypt-proxy.socket.

systemctl daemon-reload && systemctl restart dnscrypt-proxy && systemctl status -l dnscrypt-proxy && nslookup -type=txt debug.opendns.com && dig debug.opendns.com txt

Status:

● dnscrypt-proxy.service - DNSCrypt client proxy
Loaded: loaded (/usr/lib/systemd/system/dnscrypt-proxy.service; disabled; vendor preset: disabled)
Active: active (running) since Wed 2015-08-12 19:09:07 IST; 386ms ago
Main PID: 1589 (dnscrypt-proxy)
CGroup: /system.slice/dnscrypt-proxy.service
└─1589 /usr/bin/dnscrypt-proxy --provider-name=2.dnscrypt-cert.opendns.com --resolver-address=208.67.220.220:443 --provider-key=B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79 --user=nobody

Aug 12 19:09:07 wishmasdell.loc systemd[1]: Started DNSCrypt client proxy.
Aug 12 19:09:08 wishmasdell.loc dnscrypt-proxy[1589]: [NOTICE] Starting dnscrypt-proxy 1.6.0
Aug 12 19:09:08 wishmasdell.loc dnscrypt-proxy[1589]: [INFO] Generating a new session key pair
Aug 12 19:09:08 wishmasdell.loc dnscrypt-proxy[1589]: [INFO] Done
Aug 12 19:09:08 wishmasdell.loc dnscrypt-proxy[1589]: [INFO] Server certificate #1435874751 received
Aug 12 19:09:08 wishmasdell.loc dnscrypt-proxy[1589]: [INFO] This certificate looks valid
Aug 12 19:09:08 wishmasdell.loc dnscrypt-proxy[1589]: [INFO] Chosen certificate #1435874751 is valid from [2015-07-03] to [2016-07-02]
Aug 12 19:09:08 wishmasdell.loc dnscrypt-proxy[1589]: [INFO] Server key fingerprint is ED19:BFBA:FAFC:9257:DFDC:68C7:69BF:AC24:94CD:743F:3C1D:4966:134D:FE2C:4BDC:F315
Aug 12 19:09:08 wishmasdell.loc dnscrypt-proxy[1589]: [NOTICE] Proxying from 127.0.0.1:53 to 208.67.220.220:443

nslookup test:

Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
debug.opendns.com text = "server 3.lon"
debug.opendns.com text = "flags 20 0 70 5950800000000000000"
debug.opendns.com text = "originid 0"
debug.opendns.com text = "actype 0"
debug.opendns.com text = "source 86.44.169.14:55427"
debug.opendns.com text = "dnscrypt enabled (717744506545635A)"

Authoritative answers can be found from:

dig test:

; <<>> DiG 9.10.2-P3 <<>> debug.opendns.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- […]
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com. IN TXT

;; ANSWER SECTION:
debug.opendns.com. 0 IN TXT "server 3.lon"
debug.opendns.com. 0 IN TXT "flags 20 0 70 5950800000000000000"
debug.opendns.com. 0 IN TXT "originid 0"
debug.opendns.com. 0 IN TXT "actype 0"
debug.opendns.com. 0 IN TXT "source 86.44.169.14:55427"
debug.opendns.com. 0 IN TXT "dnscrypt enabled (717744506545635A)"

;; Query time: 41 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Aug 12 19:09:08 IST 2015
;; MSG SIZE rcvd: 247

OR, if you chose to use opennic, query the resolver's own provider name instead. There is no debug record like debug.opendns.com for it: the TXT answer is the resolver's DNSCrypt certificate, so it only shows that queries pass through the proxy. The "Server certificate … received" and "This certificate looks valid" lines in the status output are what confirm that the proxy verified the resolver against the provider key you configured:

systemctl daemon-reload && systemctl restart dnscrypt-proxy && systemctl status -l dnscrypt-proxy && nslookup -type=txt 2.dnscrypt-cert.resolver2.dnscrypt.eu && dig 2.dnscrypt-cert.resolver2.dnscrypt.eu txt
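The package message at the top points at drop-in directories rather than edits under /usr/lib. As an added example (not from the original post or from the dnscrypt-proxy project), the script below applies the same customisation that way: an override for the service that replaces the packaged ExecStart, and one for the socket that adds the Before=network.target ordering. The resolver values are the opennic/dnscrypt.eu ones quoted earlier in the post; the function names valid_provider_key and write_dropins, the ROOT argument (used so the functions can be exercised against a scratch directory) and the --apply switch are my own.

```shell
#!/bin/sh
# Added example, not from the original post: put the dnscrypt-proxy
# customisation in systemd drop-ins instead of editing /usr/lib/systemd.
set -eu

# A DNSCrypt provider public key is 32 bytes written as 16 colon-separated
# groups of 4 hex digits. Refuse anything else before it lands in a unit
# file; the key is what pins the proxy to one resolver.
valid_provider_key() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{4}:){15}[0-9A-Fa-f]{4}$'
}

# write_dropins ROOT PROVIDER_NAME RESOLVER_ADDRESS PROVIDER_KEY
# ROOT is "" for a real system (files go under /etc); tests pass a
# scratch directory. Assumed helper, not a dnscrypt-proxy or systemd tool.
write_dropins() {
    root=$1; name=$2; addr=$3; key=$4
    valid_provider_key "$key" || { echo "bad provider key: $key" >&2; return 1; }
    svc_d="$root/etc/systemd/system/dnscrypt-proxy.service.d"
    sock_d="$root/etc/systemd/system/dnscrypt-proxy.socket.d"
    mkdir -p "$svc_d" "$sock_d"
    # The empty "ExecStart=" clears the packaged command first; without it
    # systemd rejects a second ExecStart= for a Type=simple service.
    cat > "$svc_d/override.conf" <<EOF
[Service]
ExecStart=
ExecStart=/usr/bin/dnscrypt-proxy --provider-name=$name --resolver-address=$addr --provider-key=$key --user=nobody
EOF
    # Same ordering change the post makes in the socket unit, kept in /etc.
    cat > "$sock_d/override.conf" <<EOF
[Unit]
Before=network.target
EOF
}

main() {
    # Values from the post's opennic/dnscrypt.eu configuration.
    write_dropins "" \
        2.dnscrypt-cert.resolver2.dnscrypt.eu \
        77.66.84.233:443 \
        3748:5585:E3B9:D088:FD25:AD36:B037:01F5:520C:D648:9E9A:DD52:1457:4955:9F0A:9955
    systemctl daemon-reload
    systemctl restart dnscrypt-proxy.socket dnscrypt-proxy.service
    systemctl status -l dnscrypt-proxy
}

if [ "${1:-}" = --apply ]; then
    main
fi
```

Save it as, say, dnscrypt-dropins.sh and run `sh dnscrypt-dropins.sh --apply` as root. Afterwards `systemctl cat dnscrypt-proxy` prints the packaged unit followed by the override, and a package upgrade only ever replaces the /usr/lib copy, so the resolver pin survives.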

Cheers.

Andrzej

P.S. *OpenDNS is only one of many available options…* Hint:

cat /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv

AndrzejL
