How to Encrypt Your DNS With DNSCrypt on Ubuntu and Debian - LinuxConfig.org

Even if you encrypt your traffic with HTTPS or even use a VPN, in some cases, your DNS traffic remains open and readily readable to your ISP and the rest of the world.
This is a companion discussion topic for the original entry at https://linuxconfig.org/how-to-encrypt-your-dns-with-dnscrypt-on-ubuntu-and-debian

Thanks for this tutorial. How can this be used with IPv6?

TIA

Tried to follow this on Ubuntu 18.04.1 LTS, but needed some alterations:

  • The configuration file is /etc/dnscrypt-proxy/dnscrypt-proxy.conf
  • The server option is called ResolverName, not server_names.
  • The configuration is already set to a specific value ‘fvz-anyone’ (not sure if it takes multiple values).
  • This value ‘fvz-anyone’ is not listed on the page linked in the article.
  • There is a csv file that lists permitted values at a link I cannot post as a new user.
  • In this list, ‘cloudflare’ does not occur.

Apparently very divergent versions exist…?

Your queries are fully encrypted, but the DNSCrypt server that you are using can still see exactly what it is that you are querying for.


Yes, very divergent versions exist, because the first developer doesn’t maintain it anymore; the version that is being maintained now is called dnscrypt-proxy 2, maintained by jedisct1. (I can’t link the GitHub repository because I just registered; you can find it easily with Google.)

That’s why the software has a list of servers; if you test dnscrypt-proxy with something like dnsleaktest, you can see it uses many different DNS servers.

(You can argue that the list is hosted on a Github repository, but you can always configure it to use other servers.)
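The two posts above (the Ubuntu 18.04 one, where the config is /etc/dnscrypt-proxy/dnscrypt-proxy.conf with a ResolverName line, and this one, explaining that dnscrypt-proxy 2 is a different code base) describe two config formats that are easy to confuse. The script below is an added example, not code from the article or from either dnscrypt-proxy project: it tells the two generations apart from the config file and prints which resolver(s) each one selects. The assumptions are that the v1 file uses `ResolverName <name>` lines (as reported above) and the v2 file is the dnscrypt-proxy.toml with a single-line `server_names = [...]` list; a multi-line TOML list is not parsed. The sample files in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the LinuxConfig article or the dnscrypt-proxy
# projects): tell the two dnscrypt-proxy generations apart from their
# config file and report the resolver selection each one uses.
#   v1 (the "dnscrypt-proxy" package on Ubuntu 18.04):
#       /etc/dnscrypt-proxy/dnscrypt-proxy.conf with lines like
#       "ResolverName fvz-anyone"          (assumed: one name per file)
#   v2 (jedisct1's dnscrypt-proxy 2):
#       /etc/dnscrypt-proxy/dnscrypt-proxy.toml with TOML like
#       server_names = ['cloudflare', 'scaleway-fr']

# Print "v1", "v2" or "unknown" for the config file given as $1.
# Commented-out lines ("# ResolverName ...") are deliberately ignored.
dnscrypt_conf_version() {
    if grep -Eq '^[[:space:]]*server_names[[:space:]]*=' "$1"; then
        echo v2
    elif grep -Eq '^[[:space:]]*ResolverName[[:space:]]' "$1"; then
        echo v1
    else
        echo unknown
    fi
}

# Print the selected resolver name(s), one per line, for either format.
dnscrypt_conf_resolvers() {
    case "$(dnscrypt_conf_version "$1")" in
    v1)
        # "ResolverName fvz-anyone   # comment" -> fvz-anyone
        sed -nE 's/^[[:space:]]*ResolverName[[:space:]]+([^[:space:]#]+).*/\1/p' "$1"
        ;;
    v2)
        # server_names = ['a', 'b'] -> a and b on separate lines:
        # keep what is between the brackets, split on commas, drop quotes/spaces.
        sed -nE 's/^[[:space:]]*server_names[[:space:]]*=[[:space:]]*\[(.*)\].*/\1/p' "$1" \
            | tr ',' '\n' | tr -d "\"' " | sed '/^$/d'
        ;;
    esac
}

# Locate whichever config file exists on this host (v2 first), if any.
dnscrypt_conf_path() {
    for f in /etc/dnscrypt-proxy/dnscrypt-proxy.toml \
             /etc/dnscrypt-proxy/dnscrypt-proxy.conf; do
        [ -r "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# Stand-alone use: report the installed config and its resolver selection.
if conf=$(dnscrypt_conf_path); then
    echo "config: $conf ($(dnscrypt_conf_version "$conf"))"
    dnscrypt_conf_resolvers "$conf"
fi
```

If the reported version is v1 and the name it prints is not in the resolver CSV that v1 ships with, the proxy will not start; if it is v2, the names must come from the v2 resolver list (the one jedisct1's repository publishes), which is why `cloudflare` exists in one list and `fvz-anyone` in the other.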

Thanks for the tutorial!
I’ve tried this on Debian 11, my first bare-metal (and dual boot) Linux system!
Some things are not the same (no “NetworkManager” and “resolvconf” services apparently…), but it worked anyway, after some guesswork.
I have installed the “dnscrypt-proxy” apt package.
Not sure if that is the latest project or the abandonware version, but that’s all apt listings had to offer…

I have verified that it works using “iftop” and pressing “p” to show the port numbers.
Using this method forced a switch from the default port, which was shown as “name” (if I am not mistaken), to “https”.

I had some doubts if this will add any delay or if it may fail to work sometimes (e.g. if an app could still use some other DNS server directly).
For the delay, I guess it will not be great, since it is local proxying.
For the other thing I am still not sure how much this DNS setting in “/etc/resolv.conf” is forced upon applications. But at least browsers will use it (most likely always)…
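On the question of how much /etc/resolv.conf is forced upon applications: it is not forced at all. It is only what the C library's resolver reads, so a program that opens its own socket to 8.8.8.8:53, or a browser with DNS-over-HTTPS enabled (Firefox's "DNS over HTTPS" setting, Chrome's "Secure DNS"), never touches it. The script below is an added example, not code from this post or from LinuxConfig. Its offline part checks that resolv.conf names only loopback resolvers and flags the 127.0.0.53 case, which is loopback but is the systemd-resolved stub that forwards upstream in the clear unless its own DNS= setting points at the proxy. The `--live` part lists what is bound to port 53 and captures plain DNS leaving the host, which is what catches the bypassing application (DoH over 443 cannot be told apart from ordinary HTTPS this way). Paths and the 127.0.2.1 listen address are assumptions matching a default dnscrypt-proxy install; the resolv.conf samples in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the post or the LinuxConfig article): verify that
# name resolution is really being forced through the local dnscrypt-proxy,
# and hunt for anything that still sends plain DNS off-host.

# Print the nameserver addresses listed in the resolv.conf given as $1.
resolv_conf_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Return 0 when every nameserver in $1 is a loopback address (127.0.0.0/8
# or ::1), i.e. the only configured resolver is something running locally.
# Otherwise print the off-host resolvers to stderr and return 1.
resolv_conf_is_local() {
    bad=$(resolv_conf_nameservers "$1" | awk '$1 !~ /^127\./ && $1 != "::1"')
    if [ -n "$bad" ]; then
        printf 'off-host nameserver(s) in %s: %s\n' "$1" "$bad" >&2
        return 1
    fi
    return 0
}

# 127.0.0.53 is loopback too, but it is the systemd-resolved stub, which
# forwards upstream in plain DNS unless resolved's DNS= points at the proxy.
# Return 0 if $1 names that stub, so the caller knows to check further.
resolv_conf_uses_resolved_stub() {
    resolv_conf_nameservers "$1" | grep -qx '127.0.0.53'
}

# Live checks; run as root for process names and the capture.
# Nothing here is exercised by the offline test.
live_dns_checks() {
    conf=/etc/resolv.conf
    if resolv_conf_is_local "$conf"; then
        echo "$conf only points at loopback resolvers"
        if resolv_conf_uses_resolved_stub "$conf"; then
            echo "systemd-resolved stub in use; its upstream must be the proxy:"
            resolvectl status 2>/dev/null | grep -E 'DNS Servers|Current DNS Server'
        fi
    fi
    echo "UDP listeners on port 53 (expect dnscrypt-proxy on 127.0.2.1 or similar):"
    ss -lunp | grep ':53 '
    echo "10 s of plain DNS leaving the host (empty output is what you want):"
    timeout 10 tcpdump -ni any 'udp port 53 and not dst net 127.0.0.0/8' 2>/dev/null
}

# Stand-alone use:  sudo sh dns-check.sh --live
[ "${1:-}" = --live ] && live_dns_checks
```

Anything the capture shows that is not going to the proxy's own upstream (dnscrypt-proxy talks to its servers on port 443 by default, not 53) is an application that ignores resolv.conf, and an iptables/nftables rule dropping outbound UDP/TCP 53 from everything except the proxy is the usual way to force the matter.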