Hi,

Following this article in ArchWiki, I have tried to set up dnscrypt-proxy . Now I would like to verify that it is working as intended. How can I do this?

systemctl status dnscrypt.service outputs:

 dnscrypt-proxy.service - DNSCrypt-proxy client
     Loaded: loaded (/usr/lib/systemd/system/dnscrypt-proxy.service; enabled; vendor preset: disabled)
     Active: active (running) since Fri 2020-09-04 11:55:17 CEST; 13s ago
       Docs: https://github.com/jedisct1/dnscrypt-proxy/wiki
   Main PID: 303867 (dnscrypt-proxy)
      Tasks: 13 (limit: 19068)
     Memory: 18.6M
     CGroup: /system.slice/dnscrypt-proxy.service
             └─303867 /usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml

sep 04 11:55:17 eos dnscrypt-proxy[303867]: [2020-09-04 11:55:17] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
sep 04 11:55:17 eos dnscrypt-proxy[303867]: [2020-09-04 11:55:17] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
sep 04 11:55:17 eos dnscrypt-proxy[303867]: [2020-09-04 11:55:17] [NOTICE] Now listening to [::1]:53 [UDP]
sep 04 11:55:17 eos dnscrypt-proxy[303867]: [2020-09-04 11:55:17] [NOTICE] Now listening to [::1]:53 [TCP]
sep 04 11:55:17 eos dnscrypt-proxy[303867]: [2020-09-04 11:55:17] [NOTICE] Source [relays] loaded
sep 04 11:55:17 eos dnscrypt-proxy[303867]: [2020-09-04 11:55:17] [NOTICE] Source [public-resolvers] loaded
sep 04 11:55:17 eos dnscrypt-proxy[303867]: [2020-09-04 11:55:17] [NOTICE] Firefox workaround initialized
sep 04 11:55:18 eos dnscrypt-proxy[303867]: [2020-09-04 11:55:18] [NOTICE] [cloudflare] OK (DoH) - rtt: 67ms
sep 04 11:55:18 eos dnscrypt-proxy[303867]: [2020-09-04 11:55:18] [NOTICE] Server with the lowest initial latency: cloudf>
sep 04 11:55:18 eos dnscrypt-proxy[303867]: [2020-09-04 11:55:18] [NOTICE] dnscrypt-proxy is ready - live servers: 1

There is some checking method described here.

Thanks for quick reply and the info! I’ll look into it.

But now after the reboot the content of the /etc/resolv.conf which according to the Wiki post should be replaced by:

nameserver ::1
nameserver 127.0.0.1
options edns0 single-request-reopen

is back to the original:

# Generated by NetworkManager
nameserver 103.86.96.100
nameserver 103.86.99.100
nameserver 192.168.42.129

What should I do to make it survive a reboot?

Would it be possible to simply lock it by chattr +i /etc/resolv.conf?

Great, I’ll try that!

This worked!

I’ll check out the link you posted earlier, a bit later this evening. Hopefully it is working as expected.

Thank you!

A much better solution [1] is to edit NetworkManager config, by creating a file /etc/NetworkManager/conf.d/dns.conf with the following content:

[main]
dns=none

If you want to check if dnscrypt-proxy is running, simply go to browserleaks.com/ip or ipleak.net or similar sites.

[1] https://wiki.archlinux.org/index.php/NetworkManager#Unmanaged_/etc/resolv.conf

Great, thanks!
Do I need to revert this chattr +i /etc/resolv.conf? Is it done by changing the + to - ?

Yes.
Note that the chattr method is fine enough, it’s just a little “dirty”.

Sure. I will make the change as per your suggestion. And thanks for the link, I’ll look at it.

Yeah NetworkManager is a beast, has tons of options. Same as for DNS resolving methods. I found it to be quite hard to understand how they interact.

By the way, now that you have dnscrypt-proxy, you can add an “ad-blocker” list to it. It works in a similar way to an /etc/hosts file.
It’s in the config file under “pattern-based blocklist”, you just to have to add your existing list to it.

You can also create one yourself with a python script: https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/utils/generate-domains-blocklists/generate-domains-blocklist.py

Thanks @anon31687413 for all the suggestions and help! This is a new area for me so I will need to do some homework. The possibility to add an “ad-blocker” list is great. I’ll certainly look into it. But will this eliminate the need of ad-blocker addons for the browser?

I keep the Firefox add-ons in case something gets through
The advantage of dnscrypt-proxy’s blocklist feature is that is active system-wide.

Great, thanks for the explanation!

I use uBlock Origin, and lately I have added uMatrix as well. With the latter I am making small progresses everyday and sometimes I have to switch it off to make some things work on some sites. But that is mostly because I am still learning how it works. uBlock is much more straight forward.

Good choice I have both, too. Have fun!

Thanks! You too! I may very well come back to this thread if I have some more questions, until then I wish you and @csteinforth a nice weekend. Thanks again to you both for helping out!

I did not configure any server_names, so I get a couple of servers listed on those pages. How I do I have to interpret those servers?

is dnscrypt the best option to enable DoH or DoT systemwide?
it seems not so easy to configure

I checked with ipleak.net and it seems to be working.

With server_names = ['Cloudflare'] I get only one IP address for DNS server belonging to Cloudflare. However when I comment out the server_names line, dnscrypt-proxy uses the servers specified in a remote list.

Checking again with iplek.net, I get 13 IP adresses for DNS servers from almost all over the world. I believe this is the same as mentioned above by @csteinforth. Is this ok?

By the way, is Cloudflare ok to use as DNS server? Do you have some recommendation on “privacy respecting” servers? Or I could just trust the ones from the remote file?

Yep, this is my question, too.