
Due to my ISP intercepting some DNS requests and returning 'redirected' A records, I want to use dnscrypt-proxy on my computer (my workstation, actually, running Ubuntu 16.04).

What I have done is install dnscrypt-proxy and point it to one of the public dnscrypt servers available. Then I change the DNS Server settings in Network Manager to point to 127.0.2.1 (the default listening address of dnscrypt-proxy).

It works, but it seems that every single resolution of an FQDN goes to the dnscrypt server, and no caching is being performed.

So, I want to cache DNS resolution done by dnscrypt. I know I can do this using unbound, but dnsmasq is already installed on my workstation, so I want to use that instead. However, I'm a bit confused with the interaction between dnsmasq & resolvconf & Network Manager.

That leads to my question:

How do I configure my system so DNS Resolution will be done by dnscrypt-proxy but cached by dnsmasq?

pepoluan

Which version of `dnscrypt-proxy` are you using exactly? Version 2 is supposed to use a cache. How did you ascertain that caching is not being performed? – Asclepius Jun 27 '18 at 16:29

1 Answer

You should first edit the NetworkManager config file in /etc/NetworkManager/NetworkManager.conf and change the line that says dns=dnsmasq to dns=none. Then restart the NetworkManager service using sudo systemctl restart NetworkManager.

Install dnsmasq with sudo apt update && sudo apt install dnsmasq -y. Edit the dnsmasq config in /etc/dnsmasq.conf using your preferred editor.
Delete the whole config, and replace it with this:

listen-address=127.0.0.1  
port=53  
domain-needed  
bogus-priv  
dnssec  
proxy-dnssec  
strict-order  
no-resolv  
no-poll  
server=127.0.2.1  
cache-size=1000  
neg-ttl=3600  
dns-forward-max=150  
bind-interfaces

Then, stop and disable resolvconf using sudo systemctl stop resolvconf && sudo systemctl disable resolvconf and restart and enable dnsmasq using sudo systemctl restart dnsmasq && sudo systemctl enable dnsmasq. Edit /etc/resolv.conf using your preferred editor. Change it to only have one line:

nameserver 127.0.0.1

Now, test your internet connection by pinging a web address, for example google.com. If you get a response, it means that your setup is working!

Mutantoe
Haxalicious
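An added check script, not part of Mutantoe's answer, for verifying that the three files the answer edits actually describe the intended chain (stub resolver -> dnsmasq on 127.0.0.1 -> dnscrypt-proxy on 127.0.2.1). The addresses are the ones used in the answer; `dig` is assumed to be installed only for the optional live cache check. The checks encode the two ways this layout quietly bypasses dnscrypt-proxy: a dnsmasq without `no-resolv` also takes upstreams from /etc/resolv.conf (which DHCP via resolvconf may rewrite with the ISP's servers), and a second `nameserver` line in /etc/resolv.conf gives the libc stub resolver a fallback that skips dnsmasq entirely.

```shell
#!/bin/sh
# Added example (not from the answer above): sanity checks for the
# "dnscrypt-proxy resolves, dnsmasq caches" layout.
# Assumes the answer's addresses: dnsmasq on 127.0.0.1:53,
# dnscrypt-proxy on 127.0.2.1:53.

DNSMASQ_ADDR=127.0.0.1
DNSCRYPT_ADDR=127.0.2.1

# Print the effective lines of a config file: drop comments, blank lines
# and trailing whitespace (the answer's config has trailing spaces).
effective_lines() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | sed 's/[[:space:]]*$//'
}

# dnsmasq.conf must listen on the loopback address, forward only to
# dnscrypt-proxy, and ignore /etc/resolv.conf (no-resolv); otherwise any
# nameserver written to resolv.conf by DHCP becomes an upstream that
# bypasses dnscrypt-proxy.
check_dnsmasq_conf() {
    lines=$(effective_lines "$1")
    echo "$lines" | grep -qx 'no-resolv' \
        || { echo "dnsmasq: missing no-resolv" >&2; return 1; }
    echo "$lines" | grep -qx "listen-address=$DNSMASQ_ADDR" \
        || { echo "dnsmasq: not listening on $DNSMASQ_ADDR" >&2; return 1; }
    echo "$lines" | grep -qx "server=$DNSCRYPT_ADDR" \
        || { echo "dnsmasq: no server=$DNSCRYPT_ADDR" >&2; return 1; }
    # Any additional server= line would send some queries around dnscrypt-proxy.
    if echo "$lines" | grep '^server=' | grep -qv "=$DNSCRYPT_ADDR\$"; then
        echo "dnsmasq: extra upstream besides $DNSCRYPT_ADDR" >&2
        return 1
    fi
    return 0
}

# /etc/resolv.conf must name dnsmasq and nothing else: the libc stub
# resolver tries the next nameserver on timeout, so a second entry is a
# path that skips both dnsmasq and dnscrypt-proxy.
check_resolv_conf() {
    ns=$(effective_lines "$1" | grep '^nameserver' | awk '{print $2}')
    [ "$ns" = "$DNSMASQ_ADDR" ] \
        || { echo "resolv.conf: nameservers '$ns', expected only $DNSMASQ_ADDR" >&2; return 1; }
}

# NetworkManager.conf must have dns=none, otherwise NetworkManager keeps
# managing resolv.conf (or starts its own dnsmasq instance) after the edit.
check_nm_conf() {
    effective_lines "$1" | grep -qx 'dns=none' \
        || { echo "NetworkManager.conf: dns= is not none" >&2; return 1; }
}

# Live check (needs dig and a working network, so not run by default): the
# second lookup of the same name should come from dnsmasq's cache, i.e. show
# a much smaller "Query time" than the first.
live_cache_check() {
    name=${1:-example.com}
    for _ in 1 2; do
        dig +noall +stats "@$DNSMASQ_ADDR" "$name" | grep 'Query time'
    done
}

# Usage: sh check-dns-chain.sh --check [--live]
if [ "${1:-}" = "--check" ]; then
    check_nm_conf /etc/NetworkManager/NetworkManager.conf
    check_dnsmasq_conf /etc/dnsmasq.conf
    check_resolv_conf /etc/resolv.conf
    if [ "${2:-}" = "--live" ]; then live_cache_check; fi
fi
```

Run it with `--check` after applying the answer's steps; a non-zero exit with the printed reason points at the file that still routes queries around dnscrypt-proxy. The `--live` flag adds the two-lookup timing comparison, which is the simplest way to answer the question's original doubt about whether caching is happening at all.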