#1 2016-06-05 03:46:06

hgwellsrf
Member
Registered: 2016-06-05
Posts: 2

[Solved]DNSCrypt not working. Dnsmasq working fine.

So I'll try to explain everything I did to make dnscrypt+dnsmasq work.

Firstly I tried to set up dnsmasq following the wiki


1.    First I installed dnsmasq.

2.    Then I uncommented the listen-address directive in /etc/dnsmasq.conf adding in the localhost IP address: listen-address=127.0.0.1.

3.    Now I edited /etc/resolv.conf, made the only nameserver there to point to localhost: nameserver 127.0.0.1.

4.    Edited /etc/dhcpcd.conf and added nohook resolv.conf at the bottom.

5.    Write protected resolv.conf with chattr +i /etc/resolv.conf.

6.    Added resolv-file=/etc/resolv.dnsmasq.conf to /etc/dnsmasq.conf where resolv.dnsmasq.conf contains google's nameservers.

7.    Edited /etc/NetworkManager/NetworkManager.conf and changed dns=default in the [main] section to dns=dnsmasq.

8.    Restarted NetworkManager and verified that dnsmasq is working by doing the same DNS lookup twice with $ dig example.com.

PS: Up to this point I haven't enabled/started any dnsmasq service. I've done exactly what is described in the wiki.

Now I tried to set up dnscrypt following the wiki


1.    Installed dnscrypt-proxy and enabled dnscrypt-proxy.socket. DNS resolver is the default one, dnscrypt.eu-nl.

2.    Edited dnscrypt-proxy.socket and added-

    [Socket]
    ListenStream=
    ListenDatagram=
    ListenStream=127.0.0.1:40
    ListenDatagram=127.0.0.1:40

3.    Restarted dnscrypt-proxy.socket and stopped dnscrypt-proxy.service.

4.    According to the example configuration for dnsmasq, I added-

    no-resolv
    server=127.0.0.1#40
    proxy-dnssec

And here I'm supposed to restart dnsmasq.service and I encounter a problem.

Trying systemctl restart dnsmasq.service gives me "Job for dnsmasq.service failed because the control process exited with error code. See "systemctl status dnsmasq.service" and "journalctl -xe" for details."

When I try systemctl status dnsmasq.service, I get this. When I try journalctl -xe I get this.

So since NetworkManager automatically starts dnsmasq I tried stopping dnsmasq.service (since I tried to restart it above) and restarted NetworkManager instead, in the hope that it will do the job of restarting dnsmasq for me. Also on a hunch, I added port=0 to /etc/dnsmasq.conf, from the dnsmasq wiki. Since then the dnsmasq error is not showing up.

And now my internet is working fine but DNSSEC validation is not working. I tried this and this websites to test DNSSEC validation.

Please help me in getting this to work, guys. If you need any further details kindly ask.

Last edited by hgwellsrf (2016-06-06 08:55:49)

Offline

#2 2016-06-06 08:55:15

hgwellsrf
Member
Registered: 2016-06-05
Posts: 2

Re: [Solved]DNSCrypt not working. Dnsmasq working fine.

Solved it myself. Uninstalled dnsmasq. Couldn't get it to work even after diligently following the wiki. At last decided to fook dnsmasq. Uninstalled it and configured dnscrypt with unbound instead. Working perfectly fine. Dnsmasq is an optional dep of NM. So don't know the implication of uninstalling dnsmasq. But everything working fine for now.

Offline

#3 2016-06-08 17:40:32

GSF1200S
Member
Registered: 2008-12-24
Posts: 474

Re: [Solved]DNSCrypt not working. Dnsmasq working fine.

It failed because you had both dnsmasq and dnscrypt-proxy bound to listen on the same address. In your case dnscrypt-proxy loaded first, and then dnsmasq errored out because that address was in use. For me it was the opposite.

You need to "chain" them. For example dnsmasq needs to listen on 127.0.0.1 and needs to see the "server" as 128.0.0.1. Then dnscrypt-proxy needs to listen on 128.0.0.1 and the server needs to be whatever dns server you're using.

So: request from browser --> 127.0.0.1 --> picked up by dnsmasq which checks its cache (let's assume it has none) --> dnsmasq sends to 128.0.0.1 --> picked up by dnscrypt-proxy which is listening there --> request sent to external dns server via dnscrypt-proxy.

Offline
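
An added example, not part of any post in this thread: a small Python check of the dnsmasq to dnscrypt-proxy chain discussed above, run on constructed sample text assembled from the settings quoted in post #1. The function names are hypothetical, and it assumes plain server=ip#port upstreams and IPv4 ip:port socket listeners.

```python
import ipaddress

# Constructed sample input, assembled from the settings quoted in post #1.
OP_DNSMASQ = "listen-address=127.0.0.1\nno-resolv\nserver=127.0.0.1#40\nproxy-dnssec\nport=0\n"
OP_SOCKET = "[Socket]\nListenStream=\nListenDatagram=\nListenStream=127.0.0.1:40\nListenDatagram=127.0.0.1:40\n"

def parse_dnsmasq(text):
    """Extract DNS port, listen addresses, server=ip#port upstreams and no-resolv."""
    cfg = {"port": 53, "listen": [], "servers": [], "no_resolv": False}
    for line in (l.strip() for l in text.splitlines()):
        key, _, val = line.partition("=")  # commented lines never match a key below
        if key == "port":
            cfg["port"] = int(val)
        elif key == "listen-address":
            cfg["listen"] += [a.strip() for a in val.split(",")]
        elif key == "server":
            host, _, port = val.partition("#")
            cfg["servers"].append((host, int(port or 53)))
        elif key == "no-resolv":
            cfg["no_resolv"] = True
    return cfg

def parse_socket(text):
    """Return the set of (ip, port) listeners; an empty assignment resets that key."""
    keys = {"ListenStream": [], "ListenDatagram": []}
    for line in (l.strip() for l in text.splitlines()):
        key, _, val = line.partition("=")
        if key in keys:
            host, _, port = val.rpartition(":")
            keys[key] = keys[key] + [(host, int(port))] if val else []
    return set(keys["ListenStream"]) | set(keys["ListenDatagram"])

def check_chain(dnsmasq_text, socket_text):
    """Return findings for a dnsmasq -> dnscrypt-proxy chain on one host."""
    d, proxy, out = parse_dnsmasq(dnsmasq_text), parse_socket(socket_text), []
    if d["port"] == 0:
        out.append("dnsmasq port=0 disables its DNS function")
    if {(a, d["port"]) for a in d["listen"]} & proxy:
        out.append("dnsmasq and dnscrypt-proxy share an address:port")
    if not any(s in proxy for s in d["servers"]):
        out.append("no server= entry points at a dnscrypt-proxy listener")
    if not d["no_resolv"]:
        out.append("no-resolv missing: resolv-file upstreams are queried too")
    out += [f"dnscrypt-proxy listener {h}:{p} is not a loopback address"
            for h, p in sorted(proxy) if not ipaddress.ip_address(h).is_loopback]
    return out

if __name__ == "__main__":
    print("\n".join(check_chain(OP_DNSMASQ, OP_SOCKET)))
```

On the sample it returns only the port=0 finding; dnsmasq's documentation describes port=0 as disabling its DNS function entirely.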

#4 2016-06-26 16:14:05

Maxiride
Member
From: Italy
Registered: 2016-06-22
Posts: 9

Re: [Solved]DNSCrypt not working. Dnsmasq working fine.

hgwellsrf wrote:

Solved it myself. Uninstalled dnsmasq. Couldn't get it to work even after diligently following the wiki. At last decided to fook dnsmasq. Uninstalled it and configured dnscrypt with unbound instead. Working perfectly fine. Dnsmasq is an optional dep of NM. So don't know the implication of uninstalling dnsmasq. But everything working fine for now.

I'm trying to set up dnscrypt with unbound too, but after following the whole wiki, even though I don't get any error, the moment I change the resolv.conf and restart network manager I keep getting "err name not resolved in chromium" even if dnscrypt and unbound are set the same as in the wiki.
How did you manage to set it up properly? Any tip?


@GSF1200S if what you say is correct then the dnscrypt wiki needs a fix, because the cross talk you mentioned is said to be solved by just changing the default ports of dnscrypt to avoid overlap with unbound.

Edit: according to /etc/resolvconf.conf, to use the localhost, modifying resolv.conf and locking it with the +i flag shouldn't be needed. Uncommenting its last line does the job fine.

Last edited by Maxiride (2016-06-26 16:23:45)

Offline

#5 2016-06-26 17:06:16

GSF1200S
Member
Registered: 2008-12-24
Posts: 474

Re: [Solved]DNSCrypt not working. Dnsmasq working fine.

Maxiride wrote:
hgwellsrf wrote:

Solved it myself. Uninstalled dnsmasq. Couldn't get it to work even after diligently following the wiki. At last decided to fook dnsmasq. Uninstalled it and configured dnscrypt with unbound instead. Working perfectly fine. Dnsmasq is an optional dep of NM. So don't know the implication of uninstalling dnsmasq. But everything working fine for now.

I'm trying to set up dnscrypt with unbound too, but after following the whole wiki, even though I don't get any error, the moment I change the resolv.conf and restart network manager I keep getting "err name not resolved in chromium" even if dnscrypt and unbound are set the same as in the wiki.
How did you manage to set it up properly? Any tip?


@GSF1200S if what you say is correct then the dnscrypt wiki needs a fix, because the cross talk you mentioned is said to be solved by just changing the default ports of dnscrypt to avoid overlap with unbound.

Edit: according to /etc/resolvconf.conf, to use the localhost, modifying resolv.conf and locking it with the +i flag shouldn't be needed. Uncommenting its last line does the job fine.

Honestly I hesitate to "fix" the wiki sometimes because I tend to give more credit to a wiki contributor's linux knowledge than my own; I'm a user, not an expert. When I attempted to set it up, I tried following the wiki. The error messages I got despite not having overlapping ports always related to the IP being already in use. I decided to create an arbitrary alternative IP as I mentioned above, and everything started working for me hmm

Give my way a shot and if it works for you, I'll at least add it to the wiki until someone else with more experience clarifies what both of us did wrong following the wiki's original instructions.

Offline

#6 2016-06-27 07:20:57

Maxiride
Member
From: Italy
Registered: 2016-06-22
Posts: 9

Re: [Solved]DNSCrypt not working. Dnsmasq working fine.

GSF1200S wrote:

Give my way a shot and if it works for you, I'll at least add it to the wiki until someone else with more experience clarifies what both of us did wrong following the wiki's original instructions.

Tried this morning doing the following:

Attempt #1
  • # systemctl edit dnscrypt-proxy.socket to modify ListenStream and ListenDatagram to 128.0.0.1 (first pair blank, second pair with the ip as explained in the note in the wiki)

  • # nano /etc/unbound/unbound.conf to change forward-addr to 128.0.0.1

  • # nano /etc/resolvconf.conf to enable the use of 127.0.0.1 as a local dns resolver by uncommenting the last line (pasting the cat of the file to show what's in it; I did the cat before uncommenting it):

    [root@arch-anywhere-federico]: /home/federico># cat /etc/resolvconf.conf 
    # Configuration for resolvconf(8)
    # See resolvconf.conf(5) for details
    
    resolv_conf=/etc/resolv.conf
    # If you run a local name server, you should uncomment the below line and
    # configure your subscribers configuration files below.
    #name_servers=127.0.0.1
    [root@arch-anywhere-federico]: /home/federico># 
  • Did a # resolvconf -u to update the changes in resolv.conf and restarted all the services with # systemctl restart dnscrypt-proxy unbound NetworkManager

In the end, when I try to load a page I get the ERR name not resolved error in Chromium, hence this setup is not working for me. The previous setup was the same but using 127.0.0.1:40 as listening and forward-addr, not working either. hmm

Attempt #2

I also gave a shot to this blog post, which basically does the same as in the wiki except for one step, which is the one I did: instead of using # systemctl edit dnscrypt-proxy.socket to change the dnscrypt ip\port, the author modifies /etc/conf.d/dnscrypt-config with nano (Step 5 in the linked guide), a config created by the script dnscrypt-autoinstall.

Also this kind of approach is not working for me sad


I'm starting to guess that the issue lies somewhere else... neutral

Edit:

I decided to try to use unbound alone and removed dnscrypt-proxy by doing yaourt -R dnscrypt-proxy.

I then found that unbound has a self-check command, # unbound-checkconf /etc/unbound/unbound.conf, which led me to an error regarding an invalid character (maybe UXTerm uses a different encoding than Xterm for some characters, dunno). I removed it and re-ran the checkconf -> no more errors in unbound.conf.

Then I modified the forward address of unbound to 8.8.8.8 and do-not-query-localhost to yes, and set 127.0.0.1 in resolv.conf. This setup should use unbound as a local cache but still redirect DNS queries to the google dns... still name not resolved in the browser even after a systemctl restart unbound.

Even with this minimal setup something's wrong mad sad


Since my issue is starting to diverge from the original post, guess I'm making my own new post

Last edited by Maxiride (2016-06-27 10:33:00)

Offline
