
#1 2015-09-21 11:34:44

adventurer
Member
Registered: 2014-05-04
Posts: 119

[SOLVED] Can't make dnsmasq work with dnscrypt-proxy

Hello,

I'm using dnsmasq as a DNS cache as described in the wiki:

/etc/dnsmasq.conf contains

listen-address=127.0.0.1

and this is my /etc/resolv.conf :

nameserver 127.0.0.1
nameserver 208.67.222.222
nameserver 8.26.56.26

This works beautifully: All DNS queries are successfully cached.

However, after adding dnscrypt-proxy it doesn't work anymore. The configuration is exactly as the wiki suggests.

The override.conf file in /etc/systemd/system/dnscrypt-proxy.socket.d is:

[Socket]
ListenStream=
ListenDatagram=
ListenStream=127.0.0.1:40
ListenDatagram=127.0.0.1:40

And /etc/dnsmasq.conf now contains:

no-resolv
server=127.0.0.1#40
listen-address=127.0.0.1

systemctl status dnsmasq reports:

dnsmasq.service - A lightweight DHCP and caching DNS server
   Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: disabled)
   Active: active (running) since Mo 2015-09-21 13:09:58 CEST; 15min ago
     Docs: man:dnsmasq(8)
  Process: 1807 ExecStartPre=/usr/bin/dnsmasq --test (code=exited, status=0/SUCCESS)
Main PID: 1810 (dnsmasq)
   CGroup: /system.slice/dnsmasq.service
           └─1810 /usr/bin/dnsmasq -k --enable-dbus --user=dnsmasq --pid-file

Sep 21 13:09:58 MYARCH systemd[1]: Starting A lightweight DHCP and caching DNS server...
Sep 21 13:09:58 MYARCH dnsmasq[1807]: dnsmasq: syntax check OK.
Sep 21 13:09:58 MYARCH systemd[1]: Started A lightweight DHCP and caching DNS server.
Sep 21 13:09:58 MYARCH dnsmasq[1810]: started, version 2.75 cachesize 500
Sep 21 13:09:58 MYARCH dnsmasq[1810]: compile time options: IPv6 GNU-getopt DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify
Sep 21 13:09:58 MYARCH dnsmasq[1810]: DBus support enabled: connected to system bus
Sep 21 13:09:58 MYARCH dnsmasq[1810]: using nameserver 127.0.0.1#40
Sep 21 13:09:58 MYARCH dnsmasq[1810]: read /etc/hosts - 4 addresses

systemctl status dnscrypt-proxy reports:

dnscrypt-proxy.service - DNSCrypt client proxy
   Loaded: loaded (/usr/lib/systemd/system/dnscrypt-proxy.service; enabled; vendor preset: disabled)
   Active: active (running) since Mo 2015-09-21 13:05:55 CEST; 21min ago
Main PID: 580 (dnscrypt-proxy)
   CGroup: /system.slice/dnscrypt-proxy.service
           └─580 /usr/bin/dnscrypt-proxy -R dnscrypt.eu-nl

Sep 21 13:05:55 MYARCH dnscrypt-proxy[580]: [NOTICE] Starting dnscrypt-proxy 1.6.0
Sep 21 13:05:55 MYARCH dnscrypt-proxy[580]: [INFO] Generating a new session key pair
Sep 21 13:05:55 MYARCH dnscrypt-proxy[580]: [INFO] Done
Sep 21 13:06:10 MYARCH dnscrypt-proxy[580]: [ERROR] Unable to retrieve server certificates
Sep 21 13:06:12 MYARCH dnscrypt-proxy[580]: [INFO] Refetching server certificates
Sep 21 13:06:12 MYARCH dnscrypt-proxy[580]: [INFO] Server certificate #808464433 received
Sep 21 13:06:12 MYARCH dnscrypt-proxy[580]: [INFO] This certificate looks valid
Sep 21 13:06:12 MYARCH dnscrypt-proxy[580]: [INFO] Chosen certificate #808464433 is valid from [2015-09-11] to [2016-09-10]
Sep 21 13:06:12 MYARCH dnscrypt-proxy[580]: [INFO] Server key fingerprint is E7AC:5C21:A4E6:6A90:B254:DD73:5229:3BA1:5BE9:8EB3:4E8F:E538:52DE:A2FB:DDB6:1357
Sep 21 13:06:12 MYARCH dnscrypt-proxy[580]: [NOTICE] Proxying from 127.0.0.1:40 to 176.56.237.171:443

And systemctl status dnscrypt-proxy.socket reports:

dnscrypt-proxy.socket - dnscrypt-proxy listening socket
   Loaded: loaded (/usr/lib/systemd/system/dnscrypt-proxy.socket; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/dnscrypt-proxy.socket.d
           └─override.conf
   Active: active (running) since Mo 2015-09-21 13:05:55 CEST; 22min ago
   Listen: 127.0.0.1:40 (Stream)
           127.0.0.1:40 (Datagram)

Sep 21 13:05:55 MYARCH systemd[1]: Listening on dnscrypt-proxy listening socket.

This all looks correct to me. But when I execute dig archlinux.org I get:

; <<>> DiG 9.10.3 <<>> archlinux.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60037
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;archlinux.org.                 IN      A

;; ANSWER SECTION:
archlinux.org.          27207   IN      A       66.211.214.131

;; Query time: 51 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Mo Sep 21 13:29:31 CEST 2015
;; MSG SIZE  rcvd: 58

Obviously the second nameserver in /etc/resolv.conf is used and not 127.0.0.1; the request is not cached and not done through dnscrypt-proxy. But why?

I must be missing something very obvious.

Last edited by adventurer (2015-09-22 16:58:58)

Offline

#2 2015-09-22 16:58:30

adventurer
Member
Registered: 2014-05-04
Posts: 119

Re: [SOLVED] Can't make dnsmasq work with dnscrypt-proxy

I solved the problem by disabling dnscrypt-proxy.socket:

systemctl stop dnscrypt-proxy.socket
systemctl disable dnscrypt-proxy.socket

and modifying the override.conf for dnscrypt-proxy:

[Unit]
Requires=

[Install]
Also=

[Service]
ExecStart=
ExecStart=/usr/bin/dnscrypt-proxy --ephemeral-keys --resolver-name=dnscrypt.eu-nl --local-address=127.0.0.1:40 --user=nobody

Now it works with dnsmasq as it should.

So my guess is that either the ...socket part of the dnscrypt-proxy package is broken somehow or the instructions on the dnscrypt wiki page are incorrect. I can't tell.

Anyways I'll mark this issue as solved.

Offline
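
The dig output in the first post shows the answer coming from 208.67.222.222, the second entry in /etc/resolv.conf: any non-loopback nameserver listed there is queried in plaintext and bypasses both dnsmasq and dnscrypt-proxy. The check below is an added example, not part of the thread; the function names are hypothetical, the first sample uses the values from the first post, and the second sample is constructed.

```shell
#!/bin/sh
# Added example: audit the resolver path for plaintext fallbacks.

# Print every nameserver in a resolv.conf-format file that is not loopback.
non_loopback_nameservers() {
    awk '$1 == "nameserver" && $2 !~ /^127\./ && $2 != "::1" { print $2 }' "$1"
}

# Extract the address of the server that answered from saved dig output.
dig_answering_server() {
    sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p' "$1"
}

# Return 0 only if resolution stays on loopback; otherwise report why.
# $1 = resolv.conf-format file, $2 = saved dig output
audit_dns_path() {
    rc=0
    for ns in $(non_loopback_nameservers "$1"); do
        echo "plaintext fallback in resolv.conf: $ns"
        rc=1
    done
    srv=$(dig_answering_server "$2")
    case "$srv" in
        127.*|::1) ;;
        *) echo "answer came from '$srv', not the local dnsmasq"; rc=1 ;;
    esac
    return $rc
}

tmp=$(mktemp -d)
# Sample 1: resolv.conf and dig SERVER line as shown in the first post.
printf 'nameserver 127.0.0.1\nnameserver 208.67.222.222\nnameserver 8.26.56.26\n' \
    > "$tmp/resolv.conf"
printf ';; Query time: 51 msec\n;; SERVER: 208.67.222.222#53(208.67.222.222)\n' \
    > "$tmp/dig.out"
# Sample 2 (constructed): loopback-only configuration and answer.
printf 'nameserver 127.0.0.1\n' > "$tmp/resolv.ok"
printf ';; SERVER: 127.0.0.1#53(127.0.0.1)\n' > "$tmp/dig.ok"

audit_dns_path "$tmp/resolv.conf" "$tmp/dig.out" \
    || echo "=> DNS queries can bypass dnscrypt-proxy"
audit_dns_path "$tmp/resolv.ok" "$tmp/dig.ok" \
    && echo "=> all queries go through 127.0.0.1"
```

On a live system, pass /etc/resolv.conf and a file holding the output of dig for any name.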

#3 2016-01-06 04:15:59

ice
Member
From: Argentina
Registered: 2015-12-10
Posts: 28
Website

Re: [SOLVED] Can't make dnsmasq work with dnscrypt-proxy

adventurer wrote:

I solved the problem by disabling dnscrypt-proxy.socket:

systemctl stop dnscrypt-proxy.socket
systemctl disable dnscrypt-proxy.socket

and modifying the override.conf for dnscrypt-proxy:

[Unit]
Requires=

[Install]
Also=

[Service]
ExecStart=
ExecStart=/usr/bin/dnscrypt-proxy --ephemeral-keys --resolver-name=dnscrypt.eu-nl --local-address=127.0.0.1:40 --user=nobody

Now it works with dnsmasq as it should.

So my guess is that either the ...socket part of the dnscrypt-proxy package is broken somehow or the instructions on the dnscrypt wiki page are incorrect. I can't tell.

Anyways I'll mark this issue as solved.

Hi buddy,
when changing the port 40 in dnscrypt-proxy.socket, I automatically cease to have an internet connection. Why could that be?


My Blog Archer
Telegram Group Arch Linux in Spanish.
Telegram Group LinuxerOS GNU/Linux in Spanish.

Offline

#4 2016-01-07 11:47:14

adventurer
Member
Registered: 2014-05-04
Posts: 119

Re: [SOLVED] Can't make dnsmasq work with dnscrypt-proxy

ice wrote:

Hi buddy,
when changing the port 40 in dnscrypt-proxy.socket, I automatically cease to have an internet connection. Why could that be?

Sorry, I don't know. As mentioned in my post above, I disable dnscrypt-proxy.socket. I had problems using it, too. I suggest trying my approach - it works flawlessly for me.

Offline

#5 2018-06-18 00:59:33

ice
Member
From: Argentina
Registered: 2015-12-10
Posts: 28
Website

Re: [SOLVED] Can't make dnsmasq work with dnscrypt-proxy

adventurer wrote:
ice wrote:

Hi buddy,
when changing the port 40 in dnscrypt-proxy.socket, I automatically cease to have an internet connection. Why could that be?

Sorry, I don't know. As mentioned in my post above, I disable dnscrypt-proxy.socket. I had problems using it, too. I suggest trying my approach - it works flawlessly for me.

Does it make a downgrade?


My Blog Archer
Telegram Group Arch Linux in Spanish.
Telegram Group LinuxerOS GNU/Linux in Spanish.

Offline
